topic Header Fields for Syslog for Rapid7 in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/header-fields-for-syslog-for-rapid7/m-p/1239668#M6380 <P>I'm troubleshooting an issue with Rapid7 ingestion of our logs from our Palo Alto firewalls into what they call an "IDS log."&nbsp; We need to write a custom parser to properly parse the source data, but that means we need the headers for all of the fields so that we can translate them into Rapid7's lingo.&nbsp; It seems like this "IDS log" is a combination of several logs we have on the Palo Alto side, like threat, data filtering, etc.<BR /><BR />Here is an example:</P> <P><BR />"source_data": "&lt;11&gt;Oct 7 12:36:53 fwl-msn-01.internal.unityhealth.com 1,2025/10/07 12:36:52,026701021417,THREAT,vulnerability,2818,2025/10/07 12:36:52,10.190.112.25,10.190.2.15,0.0.0.0,0.0.0.0,TEMP VPN Access catch-all-inbound,gina.young@quartzbenefits.com,,ms-ds-smbv3,vsys1,msn-gp-vpn,msn-inside,tunnel.1,ae5,default,2025/10/07 12:36:53,710977,1,61797,445,0,0,0x80002000,tcp,reset-both,,SMB: User Password Brute Force Attempt(40004),any,high,client-to-server,7553832199328033667,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,,,1152921504606891123,,,0,,,,,,,,0,0,0,0,0,,fwl-msn-01,,,,,0,,0,,N/A,brute-force,AppThreat-9027-9675,0x0,0,4294967295,,,311967b4-3f80-4811-9817-336dc84dd2df,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2025-10-07T12:36:53.080-05:00,,,,storage-backup,business-systems,client-server,3,"able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",ms-ds-smb,untunneled,no,no,,,NonProxyTraffic,,false,0,0,,,,0",</P> <P>&nbsp;</P> <P>Has anyone else run into this or knows where I might find documentation so that I can match up each of these fields to what it is?</P> Wed, 08 Oct 2025 15:23:49 GMT K.Graves221717 2025-10-08T15:23:49Z Header Fields for Syslog for Rapid7 https://live.paloaltonetworks.com/t5/next-generation-firewall/header-fields-for-syslog-for-rapid7/m-p/1239668#M6380 <P>I'm troubleshooting an issue with Rapid7 ingestion of our logs from our Palo Alto firewalls into what they call an "IDS log."&nbsp; We need to write a custom parser to properly parse the source data, but that means we need the headers for all of the fields so that we can translate them into Rapid7's lingo.&nbsp; It seems like this "IDS log" is a combination of several logs we have on the Palo Alto side, like threat, data filtering, etc.<BR /><BR />Here is an example:</P> <P><BR />"source_data": "&lt;11&gt;Oct 7 12:36:53 fwl-msn-01.internal.unityhealth.com 1,2025/10/07 12:36:52,026701021417,THREAT,vulnerability,2818,2025/10/07 12:36:52,10.190.112.25,10.190.2.15,0.0.0.0,0.0.0.0,TEMP VPN Access catch-all-inbound,gina.young@quartzbenefits.com,,ms-ds-smbv3,vsys1,msn-gp-vpn,msn-inside,tunnel.1,ae5,default,2025/10/07 12:36:53,710977,1,61797,445,0,0,0x80002000,tcp,reset-both,,SMB: User Password Brute Force Attempt(40004),any,high,client-to-server,7553832199328033667,0x0,10.0.0.0-10.255.255.255,10.0.0.0-10.255.255.255,,,1152921504606891123,,,0,,,,,,,,0,0,0,0,0,,fwl-msn-01,,,,,0,,0,,N/A,brute-force,AppThreat-9027-9675,0x0,0,4294967295,,,311967b4-3f80-4811-9817-336dc84dd2df,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,2025-10-07T12:36:53.080-05:00,,,,storage-backup,business-systems,client-server,3,"able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",ms-ds-smb,untunneled,no,no,,,NonProxyTraffic,,false,0,0,,,,0",</P> <P>&nbsp;</P> <P>Has anyone else run into this or knows where I might find documentation so that I can match up each of these fields to what it is?</P> Wed, 08 Oct 2025 15:23:49 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/header-fields-for-syslog-for-rapid7/m-p/1239668#M6380 K.Graves221717 2025-10-08T15:23:49Z