mzpqnxow · March 15, 2018 15:46
diff --git a/100-logstash-pan-label.conf b/100-logstash-pan-label.conf
 #
 # Palo Alto (annoingly) emits logs that have fields like this
 #
 # cn1Label: Session
 # cn1: 12345
 # cn2Label: Direction
 # cn2: Out
 # ...
 #
 # The following config for logstash is a way to fix it into:
 #
 # Session: 12345
 # Direction: out
 #
 # There may be a cleaner way to do this but this works just fine
 #
 # Prerequisites:
 #  * You must have the Palo Alto event in a container called [pan_event]
 #
 # (C) 2018, [email protected], 3-clause BSD license
 #
 # https://github.com/mzpqnxow
 #

 filter {
    if "paloalto" in [tags] {

        if "" in [pan_event][cn1Label] {
            mutate {
                 rename => { "[pan_event][cn1]" => "pan_event.%{[pan_event][cn1Label]}" }
                 remove_field => [ "[pan_event][cn1Label]" ]
            }
        }

        if "" in [pan_event][cn2Label] {
            mutate {
                 rename => { "[pan_event][cn2]" => "pan_event.%{[pan_event][cn2Label]}" }
                 remove_field => [ "[pan_event][cn2Label]" ]
            }
        }

        if "" in [pan_event][cn3Label] {
            mutate {
                 rename => { "[pan_event][cn3]" => "pan_event.%{[pan_event][cn3Label]}" }
                 remove_field => [ "[pan_event][cn3Label]" ]
            }
        }

        if "" in [pan_event][cn4Label] {
            mutate {
                 rename => { "[pan_event][cn4]" => "pan_event.%{[pan_event][cn4Label]}" }
                 remove_field => [ "[pan_event][cn4Label]" ]
            }
        }

        if "" in [pan_event][cs1Label] {
            mutate {
                 rename => { "[pan_event][cs1]" => "pan_event.%{[pan_event][cs1Label]}" }
                 remove_field => [ "[pan_event][cs1Label]" ]
            }
        }

        if "" in [pan_event][cs2Label] {
            mutate {
                 rename => { "[pan_event][cs2]" => "pan_event.%{[pan_event][cs2Label]}" }
                 remove_field => [ "[pan_event][cs2Label]" ]
            }
        }

        if "" in [pan_event][cs3Label] {
            mutate {
                 rename => { "[pan_event][cs3]" => "pan_event.%{[pan_event][cs3Label]}" }
                 remove_field => [ "[pan_event][cs3Label]" ]
            }
        }

        if "" in [pan_event][cs3Label] {
            mutate {
                 rename => { "[pan_event][cs3]" => "pan_event.%{[pan_event][cs3Label]}" }
                 remove_field => [ "[pan_event][cs3Label]" ]
            }
        }

        if "" in [pan_event][cs4Label] {
            mutate {
                 rename => { "[pan_event][cs4]" => "pan_event.%{[pan_event][cs4Label]}" }
                 remove_field => [ "[pan_event][cs4Label]" ]
            }
        }

        if "" in [pan_event][cs5Label] {
            mutate {
                 rename => { "[pan_event][cs5]" => "pan_event.%{[pan_event][cs5Label]}" }
                 remove_field => [ "[pan_event][cs5Label]" ]
            }
        }

        if "" in [pan_event][cs6Label] {
            mutate {
                 rename => { "[pan_event][cs6]" => "pan_event.%{[pan_event][cs6Label]}" }
                 remove_field => [ "[pan_event][cs6Label]" ]
            }
        }

    }
 }
	#
	# Palo Alto (annoingly) emits logs that have fields like this
	#
	# cn1Label: Session
	# cn1: 12345
	# cn2Label: Direction
	# cn2: Out
	# ...
	#
	# The following config for logstash is a way to fix it into:
	#
	# Session: 12345
	# Direction: out
	#
	# There may be a cleaner way to do this but this works just fine
	#
	# Prerequisites:
	# * You must have the Palo Alto event in a container called [pan_event]
	#
	# (C) 2018, [email protected], 3-clause BSD license
	#
	# https://github.com/mzpqnxow
	#

	filter {
	if "paloalto" in [tags] {

	if "" in [pan_event][cn1Label] {
	mutate {
	rename => { "[pan_event][cn1]" => "pan_event.%{[pan_event][cn1Label]}" }
	remove_field => [ "[pan_event][cn1Label]" ]
	}
	}

	if "" in [pan_event][cn2Label] {
	mutate {
	rename => { "[pan_event][cn2]" => "pan_event.%{[pan_event][cn2Label]}" }
	remove_field => [ "[pan_event][cn2Label]" ]
	}
	}

	if "" in [pan_event][cn3Label] {
	mutate {
	rename => { "[pan_event][cn3]" => "pan_event.%{[pan_event][cn3Label]}" }
	remove_field => [ "[pan_event][cn3Label]" ]
	}
	}

	if "" in [pan_event][cn4Label] {
	mutate {
	rename => { "[pan_event][cn4]" => "pan_event.%{[pan_event][cn4Label]}" }
	remove_field => [ "[pan_event][cn4Label]" ]
	}
	}

	if "" in [pan_event][cs1Label] {
	mutate {
	rename => { "[pan_event][cs1]" => "pan_event.%{[pan_event][cs1Label]}" }
	remove_field => [ "[pan_event][cs1Label]" ]
	}
	}

	if "" in [pan_event][cs2Label] {
	mutate {
	rename => { "[pan_event][cs2]" => "pan_event.%{[pan_event][cs2Label]}" }
	remove_field => [ "[pan_event][cs2Label]" ]
	}
	}

	if "" in [pan_event][cs3Label] {
	mutate {
	rename => { "[pan_event][cs3]" => "pan_event.%{[pan_event][cs3Label]}" }
	remove_field => [ "[pan_event][cs3Label]" ]
	}
	}

	if "" in [pan_event][cs3Label] {
	mutate {
	rename => { "[pan_event][cs3]" => "pan_event.%{[pan_event][cs3Label]}" }
	remove_field => [ "[pan_event][cs3Label]" ]
	}
	}

	if "" in [pan_event][cs4Label] {
	mutate {
	rename => { "[pan_event][cs4]" => "pan_event.%{[pan_event][cs4Label]}" }
	remove_field => [ "[pan_event][cs4Label]" ]
	}
	}

	if "" in [pan_event][cs5Label] {
	mutate {
	rename => { "[pan_event][cs5]" => "pan_event.%{[pan_event][cs5Label]}" }
	remove_field => [ "[pan_event][cs5Label]" ]
	}
	}

	if "" in [pan_event][cs6Label] {
	mutate {
	rename => { "[pan_event][cs6]" => "pan_event.%{[pan_event][cs6Label]}" }
	remove_field => [ "[pan_event][cs6Label]" ]
	}
	}

	}
	}