https://live.paloaltonetworks.com/t5/general-topics/warning-undocumented-change-in-syslog-format/m-p/48678#M35845 <HTML><HEAD></HEAD><BODY><P>Heads-up to everybody: in version 4.x of PANOS, they have decided to make the following changes in their syslog format:</P><P></P><P>1. In the Miscellaneous field of the Threat Log syslog, where the URL a user visits is reported, the URL data used to be placed between double quotes. This makes sense because a URL may contain a comma, which is also the separator of the syslog fields. Now, only URLs that contain commas are quoted, and those that don't are not.</P><P></P><P>2. The username in all logs, when it comes from the AD user agent, used to be in the format domain\username. It's now domain\\username (double backslash).</P><P></P><P>Tech support confirms that these changes are not bugs, but expected behavior by design. They were apparently made without first notifying their syslog integration partners (<A href="https://live.paloaltonetworks.com/docs/DOC-1418">https://live.paloaltonetworks.com/docs/DOC-1418</A>), or bothering to document them in any release notes. This of course affects integration with SIEM (security information and event management) tools that clients like us use to parse, correlate and report on syslog data for different devices, severely impeding our ability to monitor network traffic.</P><P></P><P>Please be aware of this if you export PAN syslogs to other devices.</P></BODY></HTML> Tue, 24 May 2011 12:45:11 GMT ahopkins 2011-05-24T12:45:11Z https://live.paloaltonetworks.com/t5/general-topics/warning-undocumented-change-in-syslog-format/m-p/48678#M35845 <HTML><HEAD></HEAD><BODY><P>Heads-up to everybody: in version 4.x of PANOS, they have decided to make the following changes in their syslog format:</P><P></P><P>1. In the Miscellaneous field of the Threat Log syslog, where the URL a user visits is reported, the URL data used to be placed between double quotes. This makes sense because a URL may contain a comma, which is also the separator of the syslog fields. Now, only URLs that contain commas are quoted, and those that don't are not.</P><P></P><P>2. The username in all logs, when it comes from the AD user agent, used to be in the format domain\username. It's now domain\\username (double backslash).</P><P></P><P>Tech support confirms that these changes are not bugs, but expected behavior by design. They were apparently made without first notifying their syslog integration partners (<A href="https://live.paloaltonetworks.com/docs/DOC-1418">https://live.paloaltonetworks.com/docs/DOC-1418</A>), or bothering to document them in any release notes. This of course affects integration with SIEM (security information and event management) tools that clients like us use to parse, correlate and report on syslog data for different devices, severely impeding our ability to monitor network traffic.</P><P></P><P>Please be aware of this if you export PAN syslogs to other devices.</P></BODY></HTML> Tue, 24 May 2011 12:45:11 GMT https://live.paloaltonetworks.com/t5/general-topics/warning-undocumented-change-in-syslog-format/m-p/48678#M35845 ahopkins 2011-05-24T12:45:11Z https://live.paloaltonetworks.com/t5/general-topics/warning-undocumented-change-in-syslog-format/m-p/48679#M35846 <HTML><HEAD></HEAD><BODY><P>Thanks for this information.</P><P>Does anyone know if syslog integration partners are now notified about this change and if they implemented it on new versions (especially syslog-ng <img id="smileywink" class="emoticon emoticon-smileywink" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-wink.png" alt="Smiley Wink" title="Smiley Wink" />)</P><P></P><P>Best Regards</P></BODY></HTML> Wed, 28 Sep 2011 08:11:56 GMT https://live.paloaltonetworks.com/t5/general-topics/warning-undocumented-change-in-syslog-format/m-p/48679#M35846 Duplem 2011-09-28T08:11:56Z https://live.paloaltonetworks.com/t5/general-topics/warning-undocumented-change-in-syslog-format/m-p/48680#M35847 <HTML><HEAD></HEAD><BODY><P>@eduplaa: </P><P></P><P>You would need to contact the relevant partner to see if they have already adapted their product to read the 4.0 PAN-OS log format changes.</P><P></P><P>Syslog Integration Partner list is here:</P><P></P><P><A class="active_link" href="https://live.paloaltonetworks.com/docs/DOC-1418">https://live.paloaltonetworks.com/docs/DOC-1418</A></P><P></P><P>-Benjamin</P></BODY></HTML> Wed, 28 Sep 2011 21:53:24 GMT https://live.paloaltonetworks.com/t5/general-topics/warning-undocumented-change-in-syslog-format/m-p/48680#M35847 bpappas 2011-09-28T21:53:24Z