How to change syslog timestamp format

BankRespublika — Mon, 18 Sep 2017 12:35:12 GMT

Hi,

We are using syslog forwarding to SIEM system from our PA. Logs were in this format:

1,2017/09/06 23:59:59,007100001147,TRAFFIC,end,0,2017/09/06 23:59:59,X.X.X.X,Y.Y.Y.Y,0.0.0.0,0.0.0.0,Firewall To NTP,test\paloalto,,dns,vsys1,Inside,Inside,ethernet1/1,ethernet1/1,Q-Radar,2017/09/06 23:59:59,79361,1,42407,53,0,0,0x4064,udp,allow,409,176,233,4,2017/09/06 23:59:29,0,any,0,6849234946,0x0,172.16.0.0-172.31.255.255,172.16.0.0-172.31.255.255,0,2,2,aged-out,0,0,0,0,,PA-VM,from-policy

But now the log timestamp was changed and looks like this:

Sep 12 09:22:13 X.X.X.X 1 2017-09-12T09:22:14+04:00 X.X.X.X - - - - 1,2017/09/12 09:22:13,007100001147,TRAFFIC,start,0,2017/09/12 09:22:13,Y.Y.Y.Y,157.240.9.23,0.0.0.0,0.0.0.0,Internet Access For Mrktd,test\user1,,facebook-base,vsys1,Inside,Outside,ethernet1/1,ethernet1/3,Q-Radar,2017/09/12 09:22:13,3539,1,4378,443,0,0,0x4000,tcp,allow,763,697,66,4,2017/09/12 09:22:14,0,social-networking,0,6936146804,0x0,172.16.0.0-172.31.255.255,US,0,3,1,n/a,0,0,0,0,,PA-VM,from-policy

As you noticed this entry was added to logs : Sep 12 09:22:13 X.X.X.X 1 2017-09-12T09:22:14+04:00 X.X.X.X - - - -

Maybe you know what was the reason of this?

It will be great if you help us to remove this entry from logs.

Re: How to change syslog timestamp format

kiwi — Tue, 19 Sep 2017 09:41:23 GMT

Hi @BankRespublika,

I can't say why the entry was added... I don't know the reason why it was added.

You can however customize the log entries.

Depending on your PAN-OS version you can find the CEF configuration guide here :

https://www.paloaltonetworks.com/documentation/misc/cef.html

For example Traffic Log on PAN-OS 8.0 :

These custom formats include all the fields, in a similar order, that the default format of the syslogs display.

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst 
sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst 
cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app 
cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from 
cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if 
deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset 
cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport 
sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport 
flexString1Label=Flags flexString1=$flags proto=$proto act=$action
flexNumber1Label=Total bytesflexNumber1=$bytes in=$bytes_sent 
out=$bytes_received cn2Label=Packets cn2=$packets 
PanOSPacketsReceived=$pkts_received PanOSPacketsSent=$pkts_sent start=$cef-formatted-time_generated cn3Label=Elapsed time in seconds cn3=$elapsed 
cs2Label=URL Category cs2=$category externalId=$seqno
reason=$session_end_reason PanOSDGl1=$dg_hier_level_1
PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 
PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name
cat=$action_source PanOSActionFlags=$actionflags PanOS SrcUUID=$src_uuid
PanOSDstUUID=$dst_uuid PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag
PanOSParentSessionID=$parent_session_id 
PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel

I hope this helps,

Cheers !

-Kiwi

topic Re: How to change syslog timestamp format in General Topics

How to change syslog timestamp format

Re: How to change syslog timestamp format