Palo Example

We will use Filebeat's syslog input. There is a Palo Alto module, but it includes a lot more data than we need and is best reserved for a SIEM project. We did, however, borrow a few field mapping details from it for this config.

# This filebeat config accepts TRAFFIC and SYSTEM syslog messages from a Palo Alto,
# tags them and parses them
filebeat.inputs:
  - type: syslog
    protocol.udp:
      host: ':9000' # This is an arbitrary port. The standard syslog port is UDP 514
processors:
  # The message field will contain ",TRAFFIC," for traffic (netflow-style) logs and we can
  # extract the details with a CSV decoder and array extractor
  - if:
      contains:
        message: ',TRAFFIC,'
    then:
      - add_tags:
          tags: [netflow]
      - decode_csv_fields:
          fields:
            message: csv
      - extract_array:
          field: csv
          overwrite_keys: true
          omit_empty: true
          fail_on_error: false
          mappings:
            source.ip: 7
            destination.ip: 8
            source.nat.ip: 9
            network.application: 14
            source.port: 24
            destination.port: 25
            source.nat.port: 26
      # Drop the original fields now that we've parsed them out
      - drop_fields:
          fields:
            - csv
            - message
    # The message field will contain ",SYSTEM,dhcp" for DHCP logs and we can
    # do a similar process to the above
    else:
      - if:
          contains:
            message: ',SYSTEM,dhcp'
        then:
          - add_tags:
              tags: [dhcp]
          - decode_csv_fields:
              fields:
                message: csv
          - extract_array:
              field: csv
              overwrite_keys: true
              omit_empty: true
              fail_on_error: false
              mappings:
                message: 14
          # The DHCP description can be further pulled apart using space as the delimiter
          - decode_csv_fields:
              fields:
                message: csv2
              separator: ' '
          - extract_array:
              field: csv2
              overwrite_keys: true
              omit_empty: true
              fail_on_error: false
              mappings:
                source.ip: 4
                source.mac: 7
                hostname: 10
          # After parsing we can drop the intermediate fields
          - drop_fields:
              fields:
                - csv
                - csv2
  # Drop agent and syslog metadata we don't need in the index
  - drop_fields:
      fields:
        - agent.ephemeral_id
        - agent.hostname
        - agent.id
        - agent.type
        - agent.version
        - ecs.version
        - host.name
        - event.severity
        - input.type
        - hostname
        - log.source.address
        - syslog.facility
        - syslog.facility_label
        - syslog.priority
        - syslog.priority_label
        - syslog.severity_label
      ignore_missing: true
filebeat.config.modules:
  path: '${path.config}/modules.d/*.yml'
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 1
output.elasticsearch:
  hosts:
    - 'localhost:9200'

Note: This config was cleaned up with a YAML pretty-printer. It is possible that it changed something that needs to be reverted in practice.
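Because extract_array silently sets nothing when a position is out of range or blank (fail_on_error: false, omit_empty: true), a wrong index in the config shows up as a missing field rather than an error. The following script, an added example that is not part of the original page and not Filebeat code, re-implements the decode_csv_fields / extract_array behaviour in plain Python with the same index mappings as the config, so the positions can be checked offline against captured log lines before the config is deployed. The two sample lines are constructed for this example and only approximate PAN-OS output; run real captures from your own firewall through parse_palo_message to confirm the positions.

```python
"""Offline check of the field positions used by the Filebeat config above.

Added example, not Filebeat code: re-implements what decode_csv_fields and
extract_array do to one message (split on a separator, copy chosen positions
into named fields, honouring omit_empty and fail_on_error) and applies the
same TRAFFIC / SYSTEM,dhcp branching as the config.
"""
import csv
import io

# Same index -> field mappings as the Filebeat config.
TRAFFIC_MAPPINGS = {
    "source.ip": 7, "destination.ip": 8, "source.nat.ip": 9,
    "network.application": 14, "source.port": 24, "destination.port": 25,
    "source.nat.port": 26,
}
DHCP_OUTER_MAPPINGS = {"message": 14}
DHCP_INNER_MAPPINGS = {"source.ip": 4, "source.mac": 7, "hostname": 10}

# Constructed sample payloads: what the syslog input leaves in the message
# field after stripping the syslog header. Positions approximate PAN-OS.
SAMPLE_TRAFFIC = (
    "1,2024/01/01 12:00:00,SERIAL-EXAMPLE,TRAFFIC,end,2560,2024/01/01 12:00:00,"
    "10.0.0.5,203.0.113.10,198.51.100.1,203.0.113.10,allow-out,,,web-browsing,"
    "vsys1,trust,untrust,ethernet1/2,ethernet1/1,log-all,,12345,1,51234,443,40001,443"
)
SAMPLE_DHCP = (
    "1,2024/01/01 12:00:00,SERIAL-EXAMPLE,SYSTEM,dhcp,0,2024/01/01 12:00:00,,"
    "lease-start,,0,0,general,informational,"
    "DHCP lease started ip 10.0.0.5 --> mac 00:1a:2b:3c:4d:5e - hostname host1,99,0x0"
)


def decode_csv(text, separator=","):
    """Mimic decode_csv_fields: parse one record with RFC 4180 quoting."""
    return next(csv.reader(io.StringIO(text), delimiter=separator))


def extract_array(values, mappings, omit_empty=True, fail_on_error=False):
    """Mimic extract_array: copy array positions into named fields."""
    out = {}
    for field, index in mappings.items():
        if index >= len(values):
            if fail_on_error:
                raise IndexError(f"{field}: index {index} out of range")
            continue  # fail_on_error: false -> the field is simply not set
        value = values[index]
        if omit_empty and value == "":
            continue  # omit_empty: true -> blank CSV cells produce no field
        out[field] = value
    return out


def parse_palo_message(message):
    """Apply the same conditional processor chain as the config."""
    event = {"tags": []}
    if ",TRAFFIC," in message:
        event["tags"].append("netflow")
        event.update(extract_array(decode_csv(message), TRAFFIC_MAPPINGS))
        # The config then drops csv and message, so neither is kept here.
    elif ",SYSTEM,dhcp" in message:
        event["tags"].append("dhcp")
        outer = extract_array(decode_csv(message), DHCP_OUTER_MAPPINGS)
        if "message" in outer:
            event["message"] = outer["message"]  # overwrite_keys: true
            inner = decode_csv(outer["message"], separator=" ")
            event.update(extract_array(inner, DHCP_INNER_MAPPINGS))
    else:
        event["message"] = message  # other log types pass through untouched
    return event


if __name__ == "__main__":
    # The third line is deliberately too short: it is tagged but yields no
    # IP or port fields, which is exactly what a wrong index looks like.
    for line in (SAMPLE_TRAFFIC, SAMPLE_DHCP, "short,TRAFFIC,line"):
        print(parse_palo_message(line))
```

A quick way to use this is to replace the constructed samples with a handful of lines captured from the firewall and check that every expected key appears in the returned dictionary; any key that is absent points at an index in the mappings that does not match that PAN-OS version's field order.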


Last modified May 7, 2026: Reorganised CrowdSec pages (58b8edf)