topic Re: CONFIG logs and syslog in General Topics

CONFIG logs and syslog

Sven_Lieckfeldt — Tue, 01 Sep 2015 08:48:26 GMT

Hi there,

we're shipping our logs to a centralized syslog instance. That works great for all types of logs from the PA with the exceptions of the CONFIG logs.

The CONFIG logs are submitted at all, with the problem that the interesting parts "before-change-detail" and "after-change-detail" are not delivered.

Does anyone else ship CONFIG logs and if yes, do you see the same behaviour?

Thanks for advice.

Submitted Syslog Message

2015-02-02 10:32:59	User.Info	1.2.3.4	Feb  2 10:32:59 paloalto.domain.com 1,2015/02/02 10:32:59,123444,CONFIG,0,0,2015/02/02 10:32:59,1.2.33.4,,edit,admin-name,Web,Succeeded, vsys  vsys1 rulebase security rules  one-rule-to-rule-them-all,1544,0x0

Expected Syslog Message

2015-02-02 10:32:59 User.Info 1.2.3.4 Feb 2 10:32:59 paloalto.domain.com 1,2015/02/02 10:32:59,123444,CONFIG,0,0,2015/02/02 10:32:59,1.2.33.4,,edit,admin-name,Web,Succeeded, vsys vsys1 rulebase security rules one-rule-to-rule-them-all,before-change-detail,after-change-detail,1544,0x0

Re: CONFIG logs and syslog

Lucky — Mon, 24 Aug 2015 12:18:12 GMT

Hi Sven, can you please tell me what version of PAN-OS are you running? Syslog setup has changed in ver. 7.0. Also, setting forwarding of the config logs is done via tab Device > Log Settings > Config, where you can choose to forward Configs to the pre-defined syslog profile. Now, if you aren't seeing any logs forwarded, you should really be opening the support case 🙂 Can you sniff outgoing traffic from the firewall (take tcpdump from CLI) and see if config logs are also being forwarded? I am not sure about the format question you are asking for, would have to look it up, but forwarding of config logs is simple and should work if configured as explained above. regards Luciano

Re: CONFIG logs and syslog

Sven_Lieckfeldt — Mon, 24 Aug 2015 13:22:54 GMT

Hi Luciano,

we're running PAN-OS 6.1.5. Logshipping is done via UDP; we've tried TCP with no difference in the result.

CONFIG logs are successful submitted, but a portion of the content is missing; see my sample snippets.

When you export Montior > Configuration to a csv file you have two fields called "before-change-detail" and "after-change-detail". Those two fields are missing in the syslog stream.

Update 1: Just did a tcpdump as suggested. Data is sent, but without those two fields in question.

Cheers,

Sven

Re: CONFIG logs and syslog

Lucky — Thu, 27 Aug 2015 22:08:21 GMT

Hi Sven,

sorry for quick reading. I would say that is expected behavior, per documentation found here:

https://live.paloaltonetworks.com/t5/Articles/PAN-OS-Syslog-Integration/ta-p/55323

CONFIG
FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, FUTURE_USE, Host, Virtual
System, Command, Admin, Client, Result, Configuration Path, Sequence Number, Action Flags

full description on page 14

regards

Luciano

Re: CONFIG logs and syslog

jeleong — Fri, 28 Aug 2015 00:48:11 GMT

test

Re: CONFIG logs and syslog

Sven_Lieckfeldt — Tue, 01 Sep 2015 08:47:40 GMT

Hi Luciano,

thanks for your answer and sorry for the delay in my answer. I didn't received a notification...

The article refers to PAN-OS 5, so I've double checked the version 6.1 document. And in the syslog portion it is stated that "before change detail" and "after change detail" are onyl used in the custom syslog format, not in the default one.

So I've played around with it now these two informations are submitted, more or less complete. For exmaple: An application group with many apps included would be altered in the "before change detail" but the changed value is available. So one can follow the trace...

Now it looks like this:

palotalto.domain.com 1,2015/09/01 10:38:49,S/N,CONFIG,0,2015/09/01 10:38:49,1.2.3.4,,edit,admin,Web,Succeeded, vsys  vsys1 application-group  Test-Apps,4296,0x0,Test-Apps { } ,Test-Apps [ aim-file-transfer ];

Thanks for you hint!

Re: CONFIG logs and syslog

mike406 — Mon, 20 May 2019 14:50:34 GMT

I was looking at this today and it looks like this is still the case - I'm running 8.0 code. Syslog does not contain change information. Can anyone confirm? Just want to make sure before I change the default to custom.

Re: CONFIG logs and syslog

OtakarKlier — Mon, 20 May 2019 20:27:32 GMT

Hello @mike406 ,

Mine also does not send what the actual change was to the syslog, 8.0.x.

Regards,

Re: CONFIG logs and syslog

mike406 — Mon, 20 May 2019 21:42:44 GMT

Thanks for confirming.

Re: CONFIG logs and syslog

Abdulmunem — Tue, 15 Sep 2020 18:06:49 GMT

Any update on this? I am running to the same issue where I add custom fields in Config on Palo.

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/config-log-fields.html

I still see no value in Splunk result after_change_detail and before_change_detail

Re: CONFIG logs and syslog

Abdulmunem — Tue, 15 Sep 2020 18:09:29 GMT

Any update on this? I am running to the same issue where I add custom fields in Config on Palo.

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/config-log-fields.html

I still see no value in Splunk result after_change_detail and before_change_detail

Re: CONFIG logs and syslog

bgooch — Fri, 11 Apr 2025 16:28:50 GMT

Did you ever find a resolution to this? We're running into an issue where the syslog-ng server isn't seeing the before_change_detail and after_change_detail fields.

Re: CONFIG logs and syslog

OtakarKlier — Fri, 11 Apr 2025 17:02:47 GMT

Hello,

What format are you sending the logs from the PAN to the syslog server? Its possible the SIEM is not able to parse the log correctly.

Regards,

Re: CONFIG logs and syslog

bgooch — Fri, 11 Apr 2025 17:09:11 GMT

We've tried the default, but apparently that doesn't contain the before_change_detail and after_change_detail fields. So then we've moved over to doing a custom format where we click the field name on the left hand side for each field we want to include, and syslog-ng still sees a 0 value for those fields. We've also tried to click each field name on the left and separate them with commas hoping that it's a parsing issue, and that also is not working.

Re: CONFIG logs and syslog

bgooch — Fri, 11 Apr 2025 18:07:20 GMT

This should work for you in the custom log field. I found this documented from another user on a Splunk forum and it worked for us after tooling around with it for way too long. Previously, we were sending logs over to syslog-ng and the before_change_detail and after_change_detail fields were 0.

https://community.splunk.com/t5/All-Apps-and-Add-ons/Palo-Alto-Custom-Log-Format/m-p/416101

Palo Alto Custom Log Format, Config, All Fields

actionflags="$actionflags", admin="$admin", after-change-detail="$after-change-detail", before-change-detail="$before-change-detail", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", client="$client", cmd="$cmd", host="$host", path="$path", receive_time="$receive_time", result="$result", seqno="$seqno", serial="$serial", subtype="$subtype", time_generated="$time_generated", type="$type", vsys="$vsys"

Palo Alto Custom Log Format, HIP Match, All Fields
actionflags="$actionflags", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", machinename="$machinename", matchname="$matchname", matchtype="$matchtype", receive_time="$receive_time", repeatcnt="$repeatcnt", seqno="$seqno", serial="$serial", src="$src", srcuser="$srcuser", subtype="$subtype", time_generated="$time_generated", type="$type", vsys="$vsys"

Palo Alto Custom Log Format, Traffic, All Fields
action="$action", actionflags="$actionflags", app="$app", bytes="$bytes", bytes_received="$bytes_received", bytes_sent="$bytes_sent", category="$category", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", dport="$dport", dst="$dst", dstloc="$dstloc", dstuser="$dstuser", elapsed="$elapsed", flags="$flags", from="$from", inbound_if="$inbound_if", logset="$logset", natdport="$natdport", natdst="$natdst", natsport="$natsport", natsrc="$natsrc", outbound_if="$outbound_if", packets="$packets", padding="$padding", pkts_received="$pkts_received", pkts_sent="$pkts_sent", proto="$proto", receive_time="$receive_time", repeatcnt="$repeatcnt", rule="$rule", seqno="$seqno", serial="$serial", sessionid="$sessionid", sport="$sport", src="$src", srcloc="$srcloc", srcuser="$srcuser", start="$start", subtype="$subtype", time_generated="$time_generated", time_received="$time_received", to="$to", type="$type", vsys="$vsys"

Palo Alto Custom Log Format, Threat, All Fields
action="$action", actionflags="$actionflags", app="$app", category="$category", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", contenttype="$contenttype", direction="$direction", dport="$dport", dst="$dst", dstloc="$dstloc", dstuser="$dstuser", flags="$flags", from="$from", inbound_if="$inbound_if", logset="$logset", misc="$misc", natdport="$natdport", natdst="$natdst", natsport="$natsport", natsrc="$natsrc", number-of-severity="$number-of-severity", outbound_if="$outbound_if", proto="$proto", receive_time="$receive_time", repeatcnt="$repeatcnt", rule="$rule", seqno="$seqno", serial="$serial", sessionid="$sessionid", severity="$severity", sport="$sport", src="$src", srcloc="$srcloc", srcuser="$srcuser", subtype="$subtype", threatid="$threatid", time_generated="$time_generated", time_received="$time_received", to="$to", type="$type", vsys="$vsys"

Palo Alto Custom Log Format, System, All Fields
actionflags="$actionflags", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", eventid="$eventid", module="$module", number-of-severity="$number-of-severity", object="$object", opaque="$opaque", receive_time="$receive_time", seqno="$seqno", serial="$serial", severity="$severity", subtype="$subtype", time_generated="$time_generated", type="$type", vsys="$vsys"

Re: CONFIG logs and syslog

bgooch — Fri, 11 Apr 2025 18:08:45 GMT

Fixed - see reply above.

Palo Alto Custom Log Format, Config, All Fields

Palo Alto Custom Log Format, HIP Match, All Fields

actionflags="$actionflags", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", machinename="$machinename", matchname="$matchname", matchtype="$matchtype", receive_time="$receive_time", repeatcnt="$repeatcnt", seqno="$seqno", serial="$serial", src="$src", srcuser="$srcuser", subtype="$subtype", time_generated="$time_generated", type="$type", vsys="$vsys"

Palo Alto Custom Log Format, Traffic, All Fields

action="$action", actionflags="$actionflags", app="$app", bytes="$bytes", bytes_received="$bytes_received", bytes_sent="$bytes_sent", category="$category", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", dport="$dport", dst="$dst", dstloc="$dstloc", dstuser="$dstuser", elapsed="$elapsed", flags="$flags", from="$from", inbound_if="$inbound_if", logset="$logset", natdport="$natdport", natdst="$natdst", natsport="$natsport", natsrc="$natsrc", outbound_if="$outbound_if", packets="$packets", padding="$padding", pkts_received="$pkts_received", pkts_sent="$pkts_sent", proto="$proto", receive_time="$receive_time", repeatcnt="$repeatcnt", rule="$rule", seqno="$seqno", serial="$serial", sessionid="$sessionid", sport="$sport", src="$src", srcloc="$srcloc", srcuser="$srcuser", start="$start", subtype="$subtype", time_generated="$time_generated", time_received="$time_received", to="$to", type="$type", vsys="$vsys"

Palo Alto Custom Log Format, Threat, All Fields

action="$action", actionflags="$actionflags", app="$app", category="$category", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", contenttype="$contenttype", direction="$direction", dport="$dport", dst="$dst", dstloc="$dstloc", dstuser="$dstuser", flags="$flags", from="$from", inbound_if="$inbound_if", logset="$logset", misc="$misc", natdport="$natdport", natdst="$natdst", natsport="$natsport", natsrc="$natsrc", number-of-severity="$number-of-severity", outbound_if="$outbound_if", proto="$proto", receive_time="$receive_time", repeatcnt="$repeatcnt", rule="$rule", seqno="$seqno", serial="$serial", sessionid="$sessionid", severity="$severity", sport="$sport", src="$src", srcloc="$srcloc", srcuser="$srcuser", subtype="$subtype", threatid="$threatid", time_generated="$time_generated", time_received="$time_received", to="$to", type="$type", vsys="$vsys"

Palo Alto Custom Log Format, System, All Fields

actionflags="$actionflags", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", eventid="$eventid", module="$module", number-of-severity="$number-of-severity", object="$object", opaque="$opaque", receive_time="$receive_time", seqno="$seqno", serial="$serial", severity="$severity", subtype="$subtype", time_generated="$time_generated", type="$type", vsys="$vsys"

Re: CONFIG logs and syslog

fwmike2 — Mon, 21 Apr 2025 18:57:06 GMT

@bgooch what version of code are you using?
On 10.2.10, configuring a custom log format which includes $before-change-detail and $after-change-detail does not yield field values with details.

I opened NSFR-I-28389 for this in 2019.

Re: CONFIG logs and syslog

bgooch — Tue, 22 Apr 2025 13:13:04 GMT

My customer is on 11.1.6-h1 at the moment.