https://live.paloaltonetworks.com/t5/general-topics/where-is-the-documentation-that-describes-syslog-log-types/m-p/598588#M119057 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1278321707">@SoloSigma</a>&nbsp;wrote:<BR /> <P>On my Ubuntu Server I receive syslogs, that may look like this:</P> <P>&nbsp;</P> <LI-CODE lang="markup">&lt;14&gt;Sep 23 20:01:11 PA-440 1,2024/09/23 20:01:11,021201133296,TRAFFIC,end,2561,2024/09/23 20:01:11,10.10.10.103,20.190.177.21,192.168.10.20,22.120.127.11,rule1,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,LFP LimaCharlie FW,2024/09/23 20:01:11,121977,1,60637,443,39335,443,0x40041c,tcp,allow,23588,6260,17328,30,2024/09/23 20:00:56,1,any,,7408146363088945002,0x0,10.0.0.0-10.255.255.255,France,,13,17,tcp-fin,0,0,0,0,,PA-440,from-policy,,,0,,0,,N/A,0,0,0,0,a6854971-45bb-499a-86fd-30008807b6e1,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-09-23T20:01:11.522+02:00,,,encrypted-tunnel,networking,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,ssl,no,no,0</LI-CODE> <P>I understand that there are different log types that can be sent, including</P> <UL> <LI>Config</LI> <LI>System</LI> <LI>Threat</LI> <LI>Traffic</LI> <LI>URL</LI> <LI>Data</LI> <LI>WildFire</LI> <LI>Tunnel</LI> <LI>Authentication</LI> <LI>User-ID</LI> <LI>HIP Match</LI> <LI>Globalprotect</LI> <LI>Iptag</LI> <LI>Decryption</LI> </UL> <P>&nbsp;</P> <P>Are there any documentation that shows me how the different log types are constructed?<BR />I need it in order to create a Regex that will convert syslog into JSON format.</P> <P>&nbsp;</P> <HR /></BLOCKQUOTE> <P>Maybe this is what you're looking for?&nbsp; The LEEF fields?<BR /><BR /><A href="https://docs.paloaltonetworks.com/strata-logging-service/log-reference/network-logs/network-traffic-log/network-traffic-leef-fields" target="_blank">https://docs.paloaltonetworks.com/strata-logging-service/log-reference/network-logs/network-traffic-log/network-traffic-leef-fields</A></P> <P>&nbsp;</P> Mon, 23 Sep 2024 20:16:34 GMT Brandon_Wertz 2024-09-23T20:16:34Z https://live.paloaltonetworks.com/t5/general-topics/where-is-the-documentation-that-describes-syslog-log-types/m-p/598573#M119053 <P>On my Ubuntu Server I receive syslogs, that may look like this:</P> <P>&nbsp;</P> <LI-CODE lang="markup">&lt;14&gt;Sep 23 20:01:11 PA-440 1,2024/09/23 20:01:11,021201133296,TRAFFIC,end,2561,2024/09/23 20:01:11,10.10.10.103,20.190.177.21,192.168.10.20,22.120.127.11,rule1,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,LFP LimaCharlie FW,2024/09/23 20:01:11,121977,1,60637,443,39335,443,0x40041c,tcp,allow,23588,6260,17328,30,2024/09/23 20:00:56,1,any,,7408146363088945002,0x0,10.0.0.0-10.255.255.255,France,,13,17,tcp-fin,0,0,0,0,,PA-440,from-policy,,,0,,0,,N/A,0,0,0,0,a6854971-45bb-499a-86fd-30008807b6e1,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-09-23T20:01:11.522+02:00,,,encrypted-tunnel,networking,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,ssl,no,no,0</LI-CODE> <P>I understand that there are different log types that can be sent, including</P> <UL> <LI>Config</LI> <LI>System</LI> <LI>Threat</LI> <LI>Traffic</LI> <LI>URL</LI> <LI>Data</LI> <LI>WildFire</LI> <LI>Tunnel</LI> <LI>Authentication</LI> <LI>User-ID</LI> <LI>HIP Match</LI> <LI>Globalprotect</LI> <LI>Iptag</LI> <LI>Decryption</LI> </UL> <P>&nbsp;</P> <P>Are there any documentation that shows me how the different log types are constructed?<BR />I need it in order to create a Regex that will convert syslog into JSON format.</P> <P>&nbsp;</P> Mon, 23 Sep 2024 18:06:14 GMT https://live.paloaltonetworks.com/t5/general-topics/where-is-the-documentation-that-describes-syslog-log-types/m-p/598573#M119053 SoloSigma 2024-09-23T18:06:14Z https://live.paloaltonetworks.com/t5/general-topics/where-is-the-documentation-that-describes-syslog-log-types/m-p/598583#M119054 <P>Hello,</P> <P>Your SIEM might already be able to do this? I dont have an example that I can share, but its along similar lines of comma separated values. You could setup a simple syslog server to capture a few logs of each and then base it from there?</P> <P>&nbsp;</P> <P>Here is what is shows in the help file of hte two different types of syslogs the firewall can send.</P> <P>&nbsp;</P> <P>Select the value that maps to how your Syslog server uses the facility field to manage messages. For details on the facility field, see<SPAN>&nbsp;</SPAN><SPAN class="xref"><A href="https://tools.ietf.org/html/rfc3164" target="external_window">RFC 3164</A></SPAN><SPAN>&nbsp;(BSD format) or&nbsp;</SPAN><SPAN class="xref"><A href="https://tools.ietf.org/html/rfc5424" target="external_window">RFC 5424</A></SPAN><SPAN>&nbsp;(IETF format).</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Just a few thoughts.</P> Mon, 23 Sep 2024 19:52:56 GMT https://live.paloaltonetworks.com/t5/general-topics/where-is-the-documentation-that-describes-syslog-log-types/m-p/598583#M119054 OtakarKlier 2024-09-23T19:52:56Z https://live.paloaltonetworks.com/t5/general-topics/where-is-the-documentation-that-describes-syslog-log-types/m-p/598588#M119057 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1278321707">@SoloSigma</a>&nbsp;wrote:<BR /> <P>On my Ubuntu Server I receive syslogs, that may look like this:</P> <P>&nbsp;</P> <LI-CODE lang="markup">&lt;14&gt;Sep 23 20:01:11 PA-440 1,2024/09/23 20:01:11,021201133296,TRAFFIC,end,2561,2024/09/23 20:01:11,10.10.10.103,20.190.177.21,192.168.10.20,22.120.127.11,rule1,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,LFP LimaCharlie FW,2024/09/23 20:01:11,121977,1,60637,443,39335,443,0x40041c,tcp,allow,23588,6260,17328,30,2024/09/23 20:00:56,1,any,,7408146363088945002,0x0,10.0.0.0-10.255.255.255,France,,13,17,tcp-fin,0,0,0,0,,PA-440,from-policy,,,0,,0,,N/A,0,0,0,0,a6854971-45bb-499a-86fd-30008807b6e1,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-09-23T20:01:11.522+02:00,,,encrypted-tunnel,networking,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,ssl,no,no,0</LI-CODE> <P>I understand that there are different log types that can be sent, including</P> <UL> <LI>Config</LI> <LI>System</LI> <LI>Threat</LI> <LI>Traffic</LI> <LI>URL</LI> <LI>Data</LI> <LI>WildFire</LI> <LI>Tunnel</LI> <LI>Authentication</LI> <LI>User-ID</LI> <LI>HIP Match</LI> <LI>Globalprotect</LI> <LI>Iptag</LI> <LI>Decryption</LI> </UL> <P>&nbsp;</P> <P>Are there any documentation that shows me how the different log types are constructed?<BR />I need it in order to create a Regex that will convert syslog into JSON format.</P> <P>&nbsp;</P> <HR /></BLOCKQUOTE> <P>Maybe this is what you're looking for?&nbsp; The LEEF fields?<BR /><BR /><A href="https://docs.paloaltonetworks.com/strata-logging-service/log-reference/network-logs/network-traffic-log/network-traffic-leef-fields" target="_blank">https://docs.paloaltonetworks.com/strata-logging-service/log-reference/network-logs/network-traffic-log/network-traffic-leef-fields</A></P> <P>&nbsp;</P> Mon, 23 Sep 2024 20:16:34 GMT https://live.paloaltonetworks.com/t5/general-topics/where-is-the-documentation-that-describes-syslog-log-types/m-p/598588#M119057 Brandon_Wertz 2024-09-23T20:16:34Z https://live.paloaltonetworks.com/t5/general-topics/where-is-the-documentation-that-describes-syslog-log-types/m-p/598616#M119063 <P>My SIEM tool is <A href="http://LimaCharlie.io" target="_self">LimaCharlie</A>, and it does not parse Palo Alto logs out of the box. Because of this I will have to create some Regex to convert Syslogs to JSON format.</P> Tue, 24 Sep 2024 06:22:34 GMT https://live.paloaltonetworks.com/t5/general-topics/where-is-the-documentation-that-describes-syslog-log-types/m-p/598616#M119063 SoloSigma 2024-09-24T06:22:34Z https://live.paloaltonetworks.com/t5/general-topics/where-is-the-documentation-that-describes-syslog-log-types/m-p/598640#M119064 <P><A href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields#id83052cb2-4798-4f9c-abf8-e0b929ce7a3b" target="_blank">https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields#id83052cb2-4798-4f9c-abf8-e0b929ce7a3b</A></P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields#idbe18d2d4-9eb8-4966-bec8-df3a6de70e66" target="_blank">https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields#idbe18d2d4-9eb8-4966-bec8-df3a6de70e66</A></P> <P>&nbsp;</P> Tue, 24 Sep 2024 12:26:37 GMT https://live.paloaltonetworks.com/t5/general-topics/where-is-the-documentation-that-describes-syslog-log-types/m-p/598640#M119064 Raido_Rattameister 2024-09-24T12:26:37Z