Feature palo alto 11x

[Nithin-Kasam]

Description

Added new input palo alto v11 to pull PAN OS 11 logs which contains some schema changes and additions.

Motivation and Context

This input contains base parsing of logs,then parsing will happen through illuminate for better parsing.

How Has This Been Tested?

1. Generated logs by setting up palo alto virtual machine and pulled those logs to graylog.
2. Added Junit test cases

Screenshots (if appropriate):

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Refactoring (non-breaking change)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have read the CONTRIBUTING document.
• I have added tests to cover my changes.

[ryan-carroll-graylog]

@danotorrey @kingzacko1 the Loginsoft team has set up a palo alto test instance on their VPN to test this with.

Muthu has shared the credentials and connection/setup instructions for us to use, which I put into a 1password entry under Palo Alto 11x Input testing.

[ryan-carroll-graylog]

Thanks for getting this PR up @Nithin-Kasam! The code is looking good, I've just added a few minor comments.

I'm working to get set up to test this then I'll circle back to finish reviewing.

[ryan-carroll-graylog]

I would leave off the part about Illuminate so users know this input can be used without it.

Suggested change

	message="Added new Palo Alto version 11 input to ingest PAN OS 11 logs and parse via illuminate."
	message="Added new Palo Alto version 11 input to ingest PAN OS 11 logs."

[ryan-carroll-graylog]

I think this can be dropped since we're just calling the superclass method.

Suggested change

	@Override
	public void launch(InputBuffer buffer) throws MisfireException {
	super.launch(buffer);
	}

[ryan-carroll-graylog]

FYI @danotorrey @kingzacko1 for testing this I threw together a branch off the python log generator repo with the logs provided by Muthu. The main branch is also has a wealth of other PAN logs that can be used too: https://github.com/Graylog2/generate-gl-data/pull/49

[ryan-carroll-graylog]

@Nithin-Kasam just a heads up I pushed 2 small changes we discussed with the content team to help with eventual parsing and log handling:

• Renamed the EVENT_LOG_NAME field to VENDOR_SUBTYPE for consistency with other newer inputs
• Updated the codec to pass along the raw message and some default field values in the case where the Java PaloAltoParser is unable to parse the message

We are hoping to finalize review of this this week.

[danotorrey]

Nice work @Nithin-Kasam! This is looking good to me. I have requested a few smaller changes. @kingzacko1 and I are working on testing this out and will report back with the results.

[danotorrey]

I pushed up fixes for my PR comments. The rest LGTM. I am good with merging once the smoke test is successful.

[ryan-carroll-graylog]

Looks good and tests successfully!

[ryan-carroll-graylog]

Looks good and tests successfully with the latest!