{
  "name": "Palo Alto Traffic Content Pack",
  "description": "Syslog UDP input listening on port 10001 (bound to 0.0.0.0).\n\nAll extractors are Split & Index extractors for PAN-OS 8.1 traffic logs.\n\nThe Palo Alto Traffic stream matches on the syslog source field (exact value USWINUTM1.lan.mynetdot.com); change this to the hostname of your own firewall. The source field of UDP syslog is supplied by the sender and is not authenticated, so restrict which hosts can reach port 10001 at the network level.",
  "category": "Firewalls",
  "inputs": [
    {
      "id": "5bbeaa8baa8afc1d15f96804",
      "title": "Palo Alto",
      "configuration": {
        "expand_structured_data": false,
        "recv_buffer_size": 262144,
        "port": 10001,
        "override_source": null,
        "force_rdns": false,
        "allow_override_date": true,
        "bind_address": "0.0.0.0",
        "store_full_message": false
      },
      "static_fields": {},
      "type": "org.graylog2.inputs.syslog.udp.SyslogUDPInput",
      "global": false,
      "extractors": [
        {"title": "System - Hostname", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "hostname", "source_field": "message", "configuration": {"index": 1, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "System - Receive Date", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "receive_date_time", "source_field": "message", "configuration": {"index": 2, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "System - Serial Number", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "serial_number", "source_field": "message", "configuration": {"index": 3, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "System - Log Type", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "log_type", "source_field": "message", "configuration": {"index": 4, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "System - Log Subtype", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "log_subtype", "source_field": "message", "configuration": {"index": 5, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "System - Log Time Generated", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "time_generated", "source_field": "message", "configuration": {"index": 7, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Destination IP", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "session_dst_ip", "source_field": "message", "configuration": {"index": 9, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - NAT Source IP", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "session_nat_src_ip", "source_field": "message", "configuration": {"index": 10, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Source IP", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "session_src_ip", "source_field": "message", "configuration": {"index": 8, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Firewall Rule", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "firewall_rule", "source_field": "message", "configuration": {"index": 12, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Application", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "application", "source_field": "message", "configuration": {"index": 15, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Source Zone", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "session_src_zone", "source_field": "message", "configuration": {"index": 17, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Destination Zone", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "session_dst_zone", "source_field": "message", "configuration": {"index": 18, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Ingress Interface", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "ingress_interface", "source_field": "message", "configuration": {"index": 19, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Egress Interface", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "egress_interface", "source_field": "message", "configuration": {"index": 20, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Session ID", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "session_id", "source_field": "message", "configuration": {"index": 23, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Repeat Count (5 seconds)", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "repeat_count", "source_field": "message", "configuration": {"index": 24, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Source Port", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "session_src_port", "source_field": "message", "configuration": {"index": 25, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Destination Port", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "session_dst_port", "source_field": "message", "configuration": {"index": 26, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - NAT Source Port", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "session_nat_src_port", "source_field": "message", "configuration": {"index": 27, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - NAT Destination Port", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "session_nat_dst_port", "source_field": "message", "configuration": {"index": 28, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Flags", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "session_flags", "source_field": "message", "configuration": {"index": 29, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - IP Protocol", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "session_ip_proto", "source_field": "message", "configuration": {"index": 30, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Action", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "action", "source_field": "message", "configuration": {"index": 31, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Total Bytes", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "session_total_bytes", "source_field": "message", "configuration": {"index": 32, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Bytes Sent", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "session_bytes_sent", "source_field": "message", "configuration": {"index": 33, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Bytes Received", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "session_bytes_received", "source_field": "message", "configuration": {"index": 34, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Total Packets", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "session_total_packets", "source_field": "message", "configuration": {"index": 35, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Start Time", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "session_start_time", "source_field": "message", "configuration": {"index": 36, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Elapsed Time (Seconds)", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "session_elapsed_time_sec", "source_field": "message", "configuration": {"index": 37, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - URL Category", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "url_category", "source_field": "message", "configuration": {"index": 38, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Source Country", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "source_country", "source_field": "message", "configuration": {"index": 42, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Destination Country", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "destination_country", "source_field": "message", "configuration": {"index": 43, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Packets Sent", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "pkts_sent", "source_field": "message", "configuration": {"index": 45, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Packets Received", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "pkts_received", "source_field": "message", "configuration": {"index": 46, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - End Reason", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "session_end_reason", "source_field": "message", "configuration": {"index": 47, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0},
        {"title": "Session - Action Source", "type": "SPLIT_AND_INDEX", "cursor_strategy": "COPY", "target_field": "action_source", "source_field": "message", "configuration": {"index": 54, "split_by": ","}, "converters": [], "condition_type": "NONE", "condition_value": "", "order": 0}
      ]
    }
  ],
  "streams": [
    {
      "id": "5bbeac3daa8afc1d15f969ec",
      "title": "Palo Alto Traffic",
      "description": "Firewall Traffic Messages",
      "disabled": false,
      "matching_type": "AND",
      "stream_rules": [
        {"type": "EXACT", "field": "source", "value": "USWINUTM1.lan.mynetdot.com", "inverted": false, "description": ""}
      ],
      "outputs": [],
      "default_stream": false
    }
  ],
  "outputs": [],
  "dashboards": [
    {
      "title": "Firewall Traffic - Last 1 Day",
      "description": "Firewall Traffic - Last 1 Day",
      "dashboard_widgets": [
        {"description": "Log Message Generated", "type": "STREAM_SEARCH_RESULT_COUNT", "cache_time": 10, "configuration": {"timerange": {"type": "relative", "range": 86400}, "lower_is_better": false, "stream_id": "5bbeac3daa8afc1d15f969ec", "trend": false, "query": ""}, "col": 1, "row": 1, "height": 1, "width": 1},
        {"description": "Top Destination Countries", "type": "QUICKVALUES", "cache_time": 10, "configuration": {"timerange": {"type": "relative", "range": 86400}, "field": "destination_country", "stream_id": "5bbeac3daa8afc1d15f969ec", "query": "", "show_data_table": true, "show_pie_chart": true}, "col": 4, "row": 1, "height": 3, "width": 2},
        {"description": "Top URL Categories", "type": "QUICKVALUES", "cache_time": 10, "configuration": {"timerange": {"type": "relative", "range": 86400}, "field": "url_category", "stream_id": "5bbeac3daa8afc1d15f969ec", "query": "", "show_data_table": true, "show_pie_chart": true}, "col": 2, "row": 1, "height": 3, "width": 1},
        {"description": "Top Firewall Rules", "type": "QUICKVALUES", "cache_time": 10, "configuration": {"timerange": {"type": "relative", "range": 86400}, "field": "firewall_rule", "stream_id": "5bbeac3daa8afc1d15f969ec", "query": "", "show_data_table": true, "show_pie_chart": true}, "col": 1, "row": 4, "height": 2, "width": 5},
        {"description": "Top Applications", "type": "QUICKVALUES", "cache_time": 10, "configuration": {"timerange": {"type": "relative", "range": 86400}, "field": "application", "stream_id": "5bbeac3daa8afc1d15f969ec", "query": "", "show_data_table": true, "show_pie_chart": true}, "col": 1, "row": 2, "height": 2, "width": 1},
        {"description": "Top Firewall Actions", "type": "QUICKVALUES", "cache_time": 10, "configuration": {"timerange": {"type": "relative", "range": 86400}, "field": "action", "stream_id": "5bbeac3daa8afc1d15f969ec", "query": "", "show_data_table": true, "show_pie_chart": true}, "col": 3, "row": 1, "height": 3, "width": 1}
      ]
    }
  ],
  "grok_patterns": [],
  "lookup_tables": [],
  "lookup_caches": [],
  "lookup_data_adapters": []
}