File: //usr/share/filebeat/module/panw/panos/ingest/globalprotect.yml
---
description: Pipeline for PanOS Global Protect Logs
processors:
- set:
field: source.ip
value: "{{_temp_.private_ipv6}}"
if: (ctx.source?.ip == null || ctx.source?.ip == "0.0.0.0") && ctx._temp_?.private_ipv6 != null && ctx._temp_?.private_ipv6 != "0.0.0.0"
- set:
field: source.nat.ip
value: "{{_temp_.public_ipv6}}"
if: (ctx.source?.nat?.ip == null || ctx.source?.nat?.ip == "0.0.0.0") && ctx._temp_?.public_ipv6 != null && ctx._temp_?.public_ipv6 != "0.0.0.0"
- grok:
field: _temp_.srcuser
ignore_missing: true
patterns:
- '%{HOSTNAME:source.user.domain}\\%{USERNAME:source.user.name}'
- '%{USERNAME:source.user.name}@%{HOSTNAME:source.user.domain}'
- '%{USERNAME:source.user.name}'
if: ctx?._temp_?.srcuser != null
- set:
field: network.type
value: 'ipv4'
if: 'ctx.network?.type == null && ctx.source?.ip != null && ctx.source.ip.contains(".")'
- set:
field: network.type
value: 'ipv6'
if: 'ctx.network?.type == null && ctx.source?.ip != null && ctx.source.ip.contains(":")'
on_failure:
- append:
field: error.message
value: >-
error in Global Protect pipeline:
error in [{{_ingest.on_failure_processor_type}}] processor{{#_ingest.on_failure_processor_tag}}
with tag [{{_ingest.on_failure_processor_tag }}]{{/_ingest.on_failure_processor_tag}}
{{ _ingest.on_failure_message }}