
[Issue]: Audit Log Parsing #1440

Open
@jameswiggins

Description


Type of issue

None

What documentation page is affected

https://www.elastic.co/docs/reference/integrations/panw/

What happened?

I have a multitude of firewalls sending me logs across different companies and versions of PA. For some reason all of their audit type logs match this grok pattern:

^%{DATA} - - - - %{FIELD:observer.serial_number},%{TIMESTAMP:_temp_.generated_time},%{FIELD:panw.panos.type},%{GREEDYDATA:message}$

instead of the two patterns listed in the grok processor of the logs-panw.panos-5.2.1 pipeline.

Can this pattern be added to the patterns in the grok processor of logs-panw.panos-5.2.1 pipeline?

I had to modify a "managed" pipeline (which I received a warning about) in order to get my audit logs to parse correctly.

Additional info

No response
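The following is an added example, not code from the issue author or from the Elastic panw integration. It expands the grok pattern quoted in the report into a Python regular expression and runs it over constructed sample syslog lines, which is a useful way to check what a candidate pattern will and will not capture before editing a managed ingest pipeline. DATA and GREEDYDATA are the standard grok library definitions; FIELD and TIMESTAMP are assumed stand-ins for the pipeline's own pattern_definitions, which the issue does not quote, so their exact expansions may differ in the real pipeline.

```python
import re

# Grok pattern quoted verbatim in the issue report.
AUDIT_PATTERN = (
    r"^%{DATA} - - - - %{FIELD:observer.serial_number},"
    r"%{TIMESTAMP:_temp_.generated_time},%{FIELD:panw.panos.type},%{GREEDYDATA:message}$"
)

# DATA and GREEDYDATA are the standard grok definitions.
# FIELD and TIMESTAMP are ASSUMPTIONS standing in for the pipeline's
# pattern_definitions, which are not shown in the issue.
PATTERN_DEFS = {
    "DATA": r".*?",
    "GREEDYDATA": r".*",
    "FIELD": r"[^,]*",                                   # assumption: one CSV field
    "TIMESTAMP": r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}",  # assumption: yyyy/mm/dd HH:MM:SS
}

# Matches %{NAME} or %{NAME:field.name} references inside a grok pattern.
_GROK_REF = re.compile(r"%\{(\w+)(?::([\w.]+))?\}")


def grok_to_regex(pattern, defs=PATTERN_DEFS):
    """Expand grok references into a compiled regex.

    Returns (compiled_regex, field_names) where field_names lists the
    capture targets in group order; unnamed references become non-capturing.
    """
    fields = []

    def repl(m):
        name, field = m.group(1), m.group(2)
        body = defs[name]  # unknown pattern name raises KeyError, as grok would reject it
        if field is None:
            return f"(?:{body})"
        fields.append(field)
        return f"({body})"

    return re.compile(_GROK_REF.sub(repl, pattern)), fields


def parse_audit_line(line, pattern=AUDIT_PATTERN):
    """Return a dict of captured fields if the line matches, otherwise None."""
    rx, fields = grok_to_regex(pattern)
    m = rx.match(line)
    if m is None:
        return None
    return dict(zip(fields, m.groups()))


# Constructed sample lines (not real firewall output). The first two use the
# RFC 5424-style "- - - -" header that the issue's pattern expects; the third
# uses a different layout and should not match.
SAMPLE_LINES = [
    "<14>1 2024-01-01T00:00:00Z fw01 - - - - 001234567890,2024/01/01 00:00:00,AUDIT,config change by admin",
    "<14>1 2024-01-01T00:00:00Z fw01 - - - - 001234567890,2024/01/01 00:00:00,TRAFFIC,allow,10.0.0.1",
    "<14>1 2024-01-01T00:00:00Z fw01 1,2024/01/01 00:00:00,001234567890,AUDIT,different layout",
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_audit_line(line))
```

Running the block prints the captured fields for the first two lines and None for the third, which shows the main property of the pattern: it keys on the literal "- - - -" separator, so any line without that header shape falls through to whatever other grok patterns the pipeline lists.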

Metadata

Assignees

No one assigned

Labels

Team:Experience (Issues owned by the Experience Docs Team), Team:Ingest (Issues owned by the Ingest Docs Team)

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
