<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Unknown additional fields in GlobalProtect logs in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/unknown-additional-fields-in-globalprotect-logs/m-p/530762#M109501</link>
    <description>&lt;P&gt;Mahalo, Adrian!&lt;/P&gt;</description>
    <pubDate>Fri, 10 Feb 2023 23:55:34 GMT</pubDate>
    <dc:creator>oahuliam</dc:creator>
    <dc:date>2023-02-10T23:55:34Z</dc:date>
    <item>
      <title>Unknown additional fields in GlobalProtect logs</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/unknown-additional-fields-in-globalprotect-logs/m-p/530550#M109478</link>
      <description>&lt;P&gt;I am building a parser for our SIEM for GlobalProtect and have found something odd. The GlobalProtect logs have 12 more fields than the PAN-OS Administrator's Guide labels. What are the additional 12 fields called?&lt;BR /&gt;&lt;BR /&gt;This is a GlobalProtect log:&lt;/P&gt;
&lt;P&gt;1,2023/02/09 10:25:54,REDACTED,GLOBALPROTECT,0,2562,2023/02/09 10:25:54,vsys1,portal-auth,login,saml,,REDACTED,US,,REDACTED,0.0.0.0,0.0.0.0,0.0.0.0,,,Browser,any,,1,,,,success,,0,,0,REDACTED,REDACTED,0x0,2023-02-09T10:25:54.892-10:00,,,,,,0,0,0,0,,REDACTED,1&lt;/P&gt;
&lt;P&gt;&lt;BR /&gt;And these are the field descriptions from the PAN-OS Administrator's Guide (for PAN-OS versions 9.1.3 and later).&lt;BR /&gt;&lt;BR /&gt;Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Virtual System, Event ID, Stage, Authentication Method, Tunnel Type, Source User, Source Region, Machine Name, Public IP, Public IPv6, Private IP, Private IPv6, Host ID, Serial Number, Client Version, Client OS, Client OS Version, Repeat Count, Reason, Error, Description, Status, Location, Login Duration, Connect Method, Error Code, Portal, Sequence Number, Action Flags&lt;/P&gt;</description>
      <pubDate>Thu, 09 Feb 2023 20:49:16 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/unknown-additional-fields-in-globalprotect-logs/m-p/530550#M109478</guid>
      <dc:creator>oahuliam</dc:creator>
      <dc:date>2023-02-09T20:49:16Z</dc:date>
    </item>
    <item>
      <title>Re: Unknown additional fields in GlobalProtect logs</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/unknown-additional-fields-in-globalprotect-logs/m-p/530562#M109483</link>
      <description>&lt;P&gt;If you log into the GUI, go to the GlobalProtect logs, and then export a sample, the first line of the CSV is a header containing all the field names. The header and fields should match the syslogs. Most are relatively self-explanatory. The DG Hierarchy fields are device groups used in Panorama. Checking around, it looks like many of these are documented in the 10.x/11.x versions of the PAN-OS Administrator's Guide.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Domain&lt;/STRONG&gt;, Receive Time, Serial #, Type, Threat/Content Type, &lt;STRONG&gt;Config Version&lt;/STRONG&gt;, Generate Time, Virtual System, Event ID, stage, auth_method, tunnel_type, Source User, srcregion, machinename, public_ip, public_ipv6, private_ip, private_ipv6, hostid, serialnumber, client_ver, client_os, client_os_ver, Repeat Count, reason, error, Description, status, location, login_duration, connect_method, error_code, portal, Sequence Number, Action Flags, &lt;STRONG&gt;DG Hierarchy Level 1, DG Hierarchy Level 2, DG Hierarchy Level 3, DG Hierarchy Level 4, Virtual System Name, Device Name, Virtual System ID&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Now weirdness.... That is only 9 fields different than what you listed. Comparing your CSV to mine, yours has 6 additional fields between Action Flags and DG Hierarchy Level 1; one of which contains a datetime stamp with millisecond resolution and timezone offset, and five blank fields. The rest of the fields match mine if those are removed. The PA does not have any millisecond timestamps in logs of that form that I am aware of. That makes me suspect those additional 6 fields are something added onto the record by your syslog receiver (the first being the receive time on the SIEM, then SIEM logging/notes, then the additional fields from the PA syslog not in the parser added after?).&lt;/P&gt;</description>
      <pubDate>Thu, 09 Feb 2023 22:45:49 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/unknown-additional-fields-in-globalprotect-logs/m-p/530562#M109483</guid>
      <dc:creator>Adrian_Jensen</dc:creator>
      <dc:date>2023-02-09T22:45:49Z</dc:date>
    </item>
    <item>
      <title>Re: Unknown additional fields in GlobalProtect logs</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/unknown-additional-fields-in-globalprotect-logs/m-p/530762#M109501</link>
      <description>&lt;P&gt;Mahalo, Adrian!&lt;/P&gt;</description>
      <pubDate>Fri, 10 Feb 2023 23:55:34 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/unknown-additional-fields-in-globalprotect-logs/m-p/530762#M109501</guid>
      <dc:creator>oahuliam</dc:creator>
      <dc:date>2023-02-10T23:55:34Z</dc:date>
    </item>
  </channel>
</rss>