From 770b79b4fc3386914c408d682f960e099cbb5897 Mon Sep 17 00:00:00 2001
From: Satoaki Ooto
Date: Fri, 14 Oct 2022 16:38:40 +0900
Subject: [PATCH 1/4] add paloalto cef key

---
 .../plugin/config/cef_version_0_keys.yaml | 47 +++++++++++++++++++
 1 file changed, 47 insertions(+)

diff --git a/lib/fluent/plugin/config/cef_version_0_keys.yaml b/lib/fluent/plugin/config/cef_version_0_keys.yaml
index 9f32773..1b3f5c6 100644
--- a/lib/fluent/plugin/config/cef_version_0_keys.yaml
+++ b/lib/fluent/plugin/config/cef_version_0_keys.yaml
@@ -171,3 +171,50 @@ cef_key_names_for_event_consumers:
 - sourceZoneExternalID
 - sourceZoneURI
+# CEF Key Names For Palo Alto
+cef_key_names_for_paloalto:
+ - PanOSPacketsReceived
+ - PanOSPacketsSent
+ - PanOSThreatCategory
+ - PanOSThreatID
+ - PanOSThreatName
+ - PanOSThreatDomain
+ - PanOSSeverity
+ - PanOSReferer
+ - PanOSURLCatList
+ - PanOSLogTimeStamp
+ - PanOSVirtualSystem
+ - PanOSEventID
+ - PanOSStage
+ - PanOSAuthMethod
+ - PanOSTunnelType
+ - PanOSSourceUserName
+ - PanOSSourceRegion
+ - PanOSEndpointDeviceName
+ - PanOSPublicIPv4
+ - PanOSPublicIPv6
+ - PanOSPrivateIPv4
+ - PanOSPrivateIPv6
+ - PanOSHostID
+ - PanOSDeviceSN
+ - PanOSGlobalProtectClientVersion
+ - PanOSEndpointOSType
+ - PanOSEndpointOSVersion
+ - PanOSCountOfRepeats
+ - PanOSQuarantineReason
+ - PanOSConnectionError
+ - PanOSDescription
+ - PanOSEventStatus
+ - PanOSGPGatewayLocation
+ - PanOSLoginDuration
+ - PanOSConnectionMethod
+ - PanOSConnectionErrorID
+ - PanOSPortal
+ - PanOSSequenceNo
+ - PanOSActionFlags
+ - PanOSTimeGeneratedHighResolution
+ - PanOSGatewaySelectionType
+ - PanOSSSLResponseTime
+ - PanOSGatewayPriority
+ - PanOSAttemptedGateways
+ - PanOSGateway=$gateway
\ No newline at end of file

From 80aba7467d135ae837cce5f57a95da42095a7935 Mon Sep 17 00:00:00 2001
From: Satoaki Ooto
Date: Fri, 14 Oct 2022 21:36:40 +0900
Subject: [PATCH 2/4] add 2 key

---
 lib/fluent/plugin/config/cef_version_0_keys.yaml | 2 ++
 1 file changed, 2 insertions(+)
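Review bot: The last added entry `+ - PanOSGateway=$gateway` is not a bare key name like the other 44 entries; the `=$gateway` suffix looks like a `key=$value` template copied from a field listing, and no extension key spelled that way would ever match. The series only corrects it in PATCH 3/4, so this commit on its own ships a broken entry; fixing it here (and ending the file with a newline, which this hunk reports as missing) keeps every commit in the series self-consistent. A one-line comment above `cef_key_names_for_paloalto:` naming the source the names were taken from, e.g. `# Keys per the PAN-OS CEF field reference, release <RELEASE>`, would make later additions checkable against that source.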
diff --git a/lib/fluent/plugin/config/cef_version_0_keys.yaml b/lib/fluent/plugin/config/cef_version_0_keys.yaml
index 1b3f5c6..0ecc007 100644
--- a/lib/fluent/plugin/config/cef_version_0_keys.yaml
+++ b/lib/fluent/plugin/config/cef_version_0_keys.yaml
@@ -173,6 +173,8 @@ cef_key_names_for_event_consumers:
 # CEF Key Names For Palo Alto
 cef_key_names_for_paloalto:
+ - slocation
+ - dlocation
 - PanOSPacketsReceived
 - PanOSPacketsSent
 - PanOSThreatCategory

From ac56b36f8e19a7551e52788104ad197e7557b114 Mon Sep 17 00:00:00 2001
From: Satoaki Ooto
Date: Fri, 16 Dec 2022 21:00:00 +0900
Subject: [PATCH 3/4] add new key&update gemspec

---
 fluent-plugin-parser_cef.gemspec | 2 +-
 lib/fluent/plugin/config/cef_version_0_keys.yaml | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/fluent-plugin-parser_cef.gemspec b/fluent-plugin-parser_cef.gemspec
index 9658c42..2fc84aa 100644
--- a/fluent-plugin-parser_cef.gemspec
+++ b/fluent-plugin-parser_cef.gemspec
@@ -21,7 +21,7 @@ Gem::Specification.new do |spec|
 spec.add_runtime_dependency "fluentd", ">= 0.14.0", "< 2"
- spec.add_development_dependency "bundler", "~> 1.3"
+ spec.add_development_dependency "bundler", "~> 2.3"
 spec.add_development_dependency "rake"
 spec.add_development_dependency "rspec", "~> 3.0"
 spec.add_development_dependency "rspec-core"
diff --git a/lib/fluent/plugin/config/cef_version_0_keys.yaml b/lib/fluent/plugin/config/cef_version_0_keys.yaml
index 0ecc007..5babbcd 100644
--- a/lib/fluent/plugin/config/cef_version_0_keys.yaml
+++ b/lib/fluent/plugin/config/cef_version_0_keys.yaml
@@ -219,4 +219,5 @@ cef_key_names_for_paloalto:
 - PanOSSSLResponseTime
 - PanOSGatewayPriority
 - PanOSAttemptedGateways
- - PanOSGateway=$gateway
\ No newline at end of file
+ - PanOSGateway
+ - PanOSEndpointDeviceSN

From 87ba9b15276652f612717b9b208784a4b4946711 Mon Sep 17 00:00:00 2001
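Review bot: The `- - PanOSGateway=$gateway` / `+ - PanOSGateway` pair in the last hunk corrects a key name that could never have matched, but the subject `add new key&update gemspec` records only the `PanOSEndpointDeviceSN` addition and the bundler bump, so the fix leaves no trace in history for anyone bisecting a missing `PanOSGateway` field. Either name the correction in the subject, e.g. `fix PanOSGateway key name, add PanOSEndpointDeviceSN, bump bundler`, or carry it as its own commit. The bundler dependency change in the gemspec hunk above is unrelated to the key list and would also read more clearly on its own.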
From: Satoaki Ooto
Date: Mon, 14 Aug 2023 21:48:23 +0900
Subject: [PATCH 4/4] add rspec test for Palo Alto Networks

---
 spec/fluent/plugin/parser_cef_spec.rb | 65 +++++++++++++++++++++++++++
 spec/spec_helper.rb | 2 +-
 2 files changed, 66 insertions(+), 1 deletion(-)

diff --git a/spec/fluent/plugin/parser_cef_spec.rb b/spec/fluent/plugin/parser_cef_spec.rb
index b1fba33..d390caf 100644
--- a/spec/fluent/plugin/parser_cef_spec.rb
+++ b/spec/fluent/plugin/parser_cef_spec.rb
@@ -373,5 +373,70 @@ def create_driver(conf=DEFAULT_CONFIGURE)
 "dpt" => "80", "msg" => "\xe3\x2e\x2e\x2e".scrub('?') }]} end
+ context "syslog message is BASIC Log for Palo Alto FW" do
+ let (:config) {%[
+ log_utc_offset +09:00
+ ]}
+ let (:text) { "Jan 1 00:00:00 Paloalto - CEF:0|Palo Alto Networks|PAN-OS|10.1.8|TRAFFIC|end|0|" }
+ subject do
+ allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
+ @timestamp = Time.parse("Jan 1 00:00:00 +09:00").to_i
+ @test_driver = create_driver(config)
+ parsed = nil
+ @test_driver.instance.parse(text) do |time, record|
+ parsed = [time, record]
+ end
+ parsed
+ end
+ it { is_expected.to eq [
+ @timestamp, {
+ "syslog_timestamp" => "Jan 1 00:00:00",
+ "syslog_hostname" => "Paloalto",
+ "syslog_tag" => "-",
+ "cef_version" => "0",
+ "cef_device_vendor" => "Palo Alto Networks",
+ "cef_device_product" => "PAN-OS",
+ "cef_device_version" => "10.1.8",
+ "cef_device_event_class_id" => "TRAFFIC",
+ "cef_name" => "end",
+ "cef_severity" => "0",
+ }
+ ]
+ }
+ end
+ context "syslog message is FW traffic Log for Palo Alto FW" do
+ let (:config) {%[
+ log_utc_offset +09:00
+ ]}
+ let (:text) { "Jan 1 00:00:00 Paloalto - CEF:0|Palo Alto Networks|PAN-OS|10.1.7|TRAFFIC|start|0|deviceExternalId=000000000000001 PanOSPacketsReceived=0 PanOSPacketsSent=1" }
+ subject do
+ allow(Fluent::Engine).to receive(:now).and_return(Fluent::EventTime.now)
+ @timestamp = Time.parse("Jan 1 00:00:00 +09:00").to_i
+ @test_driver = create_driver(config)
+ parsed = nil
+ @test_driver.instance.parse(text) do |time, record|
+ parsed = [time, record]
+ end
+ parsed
+ end
+ it { is_expected.to eq [
+ @timestamp, {
+ "syslog_timestamp" => "Jan 1 00:00:00",
+ "syslog_hostname" => "Paloalto",
+ "syslog_tag" => "-",
+ "cef_version" => "0",
+ "cef_device_vendor" => "Palo Alto Networks",
+ "cef_device_product" => "PAN-OS",
+ "cef_device_version" => "10.1.7",
+ "cef_device_event_class_id" => "TRAFFIC",
+ "cef_name" => "start",
+ "cef_severity" => "0",
+ "deviceExternalId" => "000000000000001",
+ "PanOSPacketsReceived" => "0",
+ "PanOSPacketsSent" => "1",
+ }
+ ]
+ }
+ end
 end
 end
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 702204b..9d6251e 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -32,6 +32,7 @@
 # rspec-expectations config goes here. You can use an alternate
 # assertion/expectation library such as wrong or the stdlib/minitest
 # assertions if you prefer.
+ config.example_status_persistence_file_path = "spec/result.txt"
 config.expect_with :rspec do |expectations|
 # This option will default to `true` in RSpec 4. It makes the `description`
 # and `failure_message` of custom matchers include text for helper methods
@@ -113,4 +114,3 @@
 Kernel.srand config.seed
 =end
 end
-