
Palo Alto Networks

The Palo Alto Networks Matano managed log source lets you ingest your Palo Alto Networks Firewall logs. It supports parsing logs in the Palo Alto Networks PAN-OS Syslog Format.

Usage

Use the managed log source by setting the managed.type property in your log source configuration (log_source.yml) to PANW.

name: panw

managed:
  type: PANW

Then create tables for each of the Palo Alto Networks logs you want to ingest. For example, if you want to ingest PANW Traffic logs, as well as GlobalProtect logs, create table files like so:

my-matano-dir/
└── log_sources/
    └── panw/
        ├── log_source.yml
        └── tables/
            ├── traffic.yml
            ├── globalprotect.yml
            └── ...

# log_sources/panw/tables/traffic.yml
name: traffic

# log_sources/panw/tables/globalprotect.yml
name: globalprotect

For a complete reference on configuring log sources, including extending the table schema, see Log source configuration.

Tables

The Palo Alto Networks managed log source supports the following tables:

  • traffic
  • globalprotect

Schema

Palo Alto Networks Firewall log data is normalized to ECS fields. You can view the complete mappings to see the full schemas.
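To make the two statements above concrete (the source parses the PAN-OS Syslog Format, and the result is normalized to ECS), here is an added, stand-alone example that is not Matano's parser and not Matano's mapping: it takes the CSV body of one PAN-OS TRAFFIC log (the syslog transport header already removed), checks that the record really is a TRAFFIC log rather than, say, a GLOBALPROTECT record that landed at the wrong table, and projects a subset of its fields onto ECS names. The field positions are assumed from the PAN-OS traffic log field order and should be checked against the log field reference for your PAN-OS version; the sample line and every address, user and serial number in it are constructed. Fields prefixed `panw.` are custom, not ECS.

```python
"""Added example: normalize a PAN-OS TRAFFIC log line to ECS-style fields.
Not Matano's own parser; the field order is assumed from the PAN-OS traffic
log reference and the sample data is constructed."""
import csv
import json
from datetime import datetime

# Constructed sample: the CSV body of one PAN-OS TRAFFIC log after the syslog
# header has been stripped. Addresses, user and serial number are made up.
SAMPLE_TRAFFIC_LINE = (
    "1,2023/05/01 12:00:05,007200001234,TRAFFIC,end,2305,2023/05/01 12:00:05,"
    "10.1.1.25,203.0.113.10,198.51.100.2,203.0.113.10,allow-web,corp\\alice,,"
    "web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default-forward,"
    "2023/05/01 12:00:05,48213,1,52110,443,21834,443,0x400053,tcp,allow,"
    "9210,1540,7670,28,2023/05/01 11:59:40,25,computer-and-internet-info"
)

# 0-based CSV position -> target field. Assumed PAN-OS traffic log order
# (verify against your PAN-OS version); FUTURE_USE slots are omitted.
# "panw.*" keys are custom fields, everything else is an ECS field name.
TRAFFIC_FIELDS = {
    1: "event.created",
    2: "observer.serial_number",
    4: "panw.subtype",
    6: "@timestamp",
    7: "source.ip",
    8: "destination.ip",
    9: "source.nat.ip",
    10: "destination.nat.ip",
    11: "rule.name",
    12: "source.user.name",
    13: "destination.user.name",
    14: "network.application",
    16: "observer.ingress.zone",
    17: "observer.egress.zone",
    18: "observer.ingress.interface.name",
    19: "observer.egress.interface.name",
    22: "panw.session_id",
    24: "source.port",
    25: "destination.port",
    26: "source.nat.port",
    27: "destination.nat.port",
    29: "network.transport",
    30: "event.action",
    31: "network.bytes",
    32: "source.bytes",
    33: "destination.bytes",
    34: "network.packets",
    35: "event.start",
    36: "event.duration",
}
INT_FIELDS = {
    "source.port", "destination.port", "source.nat.port", "destination.nat.port",
    "network.bytes", "source.bytes", "destination.bytes", "network.packets",
    "event.duration",
}
# PAN-OS timestamps carry no zone; they are in the firewall's local time.
TIME_FIELDS = {"event.created", "@timestamp", "event.start"}
MIN_FIELDS = 35  # enough to reach network.packets


def split_fields(line: str) -> list:
    """Split the CSV body; csv handles the double-quoted fields PAN-OS emits
    when a value itself contains a comma."""
    return next(csv.reader([line]))


def route_table(line: str) -> str:
    """Return the table a record belongs to (e.g. 'traffic', 'globalprotect'),
    taken from the PAN-OS Type field in position 3."""
    fields = split_fields(line)
    if len(fields) <= 3:
        raise ValueError("line too short to carry a PAN-OS log type")
    return fields[3].lower()


def parse_traffic_line(line: str) -> dict:
    """Parse one TRAFFIC CSV body into a flat dict keyed by dotted ECS names.
    Rejects non-TRAFFIC records so they fail loudly instead of being mapped
    onto the wrong fields."""
    fields = split_fields(line)
    if len(fields) < MIN_FIELDS:
        raise ValueError(f"expected at least {MIN_FIELDS} fields, got {len(fields)}")
    if fields[3] != "TRAFFIC":
        raise ValueError(f"not a TRAFFIC log (type={fields[3]!r})")

    event = {
        "event.kind": "event",
        "event.category": ["network"],
        "observer.vendor": "Palo Alto Networks",
    }
    for pos, key in TRAFFIC_FIELDS.items():
        if pos >= len(fields) or fields[pos] == "":
            continue  # empty optional field: omit it rather than emit ""
        value = fields[pos]
        if key in INT_FIELDS:
            value = int(value)
        elif key in TIME_FIELDS:
            value = datetime.strptime(value, "%Y/%m/%d %H:%M:%S").isoformat()
        event[key] = value
    if "event.duration" in event:
        # ECS event.duration is nanoseconds; PAN-OS Elapsed Time is seconds.
        event["event.duration"] *= 1_000_000_000
    return event


def nest(flat: dict) -> dict:
    """Expand dotted keys into the nested object shape of an ECS document."""
    out: dict = {}
    for dotted, value in flat.items():
        node = out
        parts = dotted.split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return out


if __name__ == "__main__":
    print(json.dumps(nest(parse_traffic_line(SAMPLE_TRAFFIC_LINE)), indent=2))
```

The type check in `parse_traffic_line` is the part worth keeping in mind when you add tables: every PAN-OS log type shares the same first few positions (receive time, serial number, type) but diverges after that, so a record has to be routed by its Type field before any positional mapping is applied.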