Palo SIEM

We will also use the Palo Alto module from Beats’ Filebeat. They have already done the hard work of figuring out how to parse the data.

Procedure

On the Beats server, start an admin PowerShell session, change to the Filebeat directory, list the available modules, and enable the panw module and the dashboards.

cd "C:\Program Files\Filebeat"
.\filebeat.exe modules list
.\filebeat.exe modules enable panw
.\filebeat.exe setup -e
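# setup -e runs the full initial setup, including the Kibana dashboards.
# To load only the dashboards instead: .\filebeat.exe setup --dashboards -e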

Edit the module’s top-level config so that it listens on all addresses (note: we are using write.exe because the files come with Unix-style newlines):

write.exe .\modules.d\panw.yml

panos:
    enabled: true
    var.syslog_host: 0.0.0.0
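
To check the result, the following PowerShell is an added example, not part of the original procedure: it validates the config, limits the 0.0.0.0 listener to a single sender, and confirms the socket is open. It assumes the listener uses UDP port 9001 (taken here to be the module default), that Filebeat is installed as a Windows service named filebeat, and a placeholder firewall address of 192.0.2.10.

```powershell
# Added example. Assumptions: panw listener on UDP/9001 (assumed module default),
# service installed as "filebeat", and $PanIp is a placeholder (TEST-NET-1).
$FilebeatDir = 'C:\Program Files\Filebeat'
$PanIp       = '192.0.2.10'   # replace with the firewall's log-source address
$SyslogPort  = 9001

Set-Location $FilebeatDir

# 1. Catch configuration errors before restarting the service.
.\filebeat.exe test config -e
if ($LASTEXITCODE -ne 0) { throw 'filebeat test config failed; fix the config first' }

# 2. Confirm the panos fileset is enabled and bound to all addresses.
$cfg = Get-Content .\modules.d\panw.yml -Raw
if ($cfg -notmatch '(?m)^\s*enabled:\s*true\s*$') {
    throw 'panos fileset is not enabled in panw.yml'
}
if ($cfg -notmatch '(?m)^\s*var\.syslog_host:\s*0\.0\.0\.0\s*$') {
    throw 'var.syslog_host is not set to 0.0.0.0 in panw.yml'
}

# 3. The listener accepts on every interface, so allow only the firewall to reach it.
$ruleName = 'Filebeat PANW syslog'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Allow `
        -Protocol UDP -LocalPort $SyslogPort -RemoteAddress $PanIp | Out-Null
}

# 4. Restart Filebeat and verify that the socket is actually open.
Restart-Service filebeat
Start-Sleep -Seconds 5
$ep = Get-NetUDPEndpoint -LocalPort $SyslogPort -ErrorAction SilentlyContinue
if ($ep) { "Listening on $($ep.LocalAddress):$SyslogPort" }
else     { Write-Warning "Nothing bound to UDP/$SyslogPort; check the Filebeat log" }
```

If the module is configured for a different port or for TCP, adjust `$SyslogPort`, the `-Protocol` value and the endpoint check to match.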

Last modified May 7, 2026: Reorganised CrowdSec pages (58b8edf)