https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-events-not-forwarded/m-p/260897#M73956 <P><SPAN>This is not helping</SPAN></P> Tue, 14 May 2019 11:24:30 GMT karthikeyanB 2019-05-14T11:24:30Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-events-not-forwarded/m-p/260695#M73896 <P>Hi all,</P><P>&nbsp;</P><P><SPAN>We are unable to capture below logs in syslog, but in Firewall it appears to be forwarding it to Syslog. Logs are being forwarded, but some fields are empty.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="fDqJ6iXKsNJ6GvFv4WlNrTArmuy3jwqbHw.png" style="width: 597px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/19986i99E9502E2DDF5A43/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="fDqJ6iXKsNJ6GvFv4WlNrTArmuy3jwqbHw.png" alt="fDqJ6iXKsNJ6GvFv4WlNrTArmuy3jwqbHw.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="w13H2cciKexNWwjLWBA3Cj7L3hxAWer2qA.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/19987iFC15323C9507E34F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="w13H2cciKexNWwjLWBA3Cj7L3hxAWer2qA.png" alt="w13H2cciKexNWwjLWBA3Cj7L3hxAWer2qA.png" /></span></SPAN></P> Mon, 13 May 2019 10:09:18 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-events-not-forwarded/m-p/260695#M73896 karthikeyanB 2019-05-13T10:09:18Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-events-not-forwarded/m-p/260720#M73902 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/105432">@karthikeyanB</a>,</P> <P>&nbsp;</P> <P>As your screenshot indicates you have quite some custom entries.</P> <P>You might want to look into customizing the log format :</P> <P>&nbsp;</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/custom-logevent-format.html#" target="_blank" rel="noopener">Custom-logevent-format</A></P> <P>&nbsp;</P> <P>Cheers !</P> <P>-Kiwi.</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Mon, 13 May 2019 10:59:19 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-events-not-forwarded/m-p/260720#M73902 kiwi 2019-05-13T10:59:19Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-events-not-forwarded/m-p/260896#M73955 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/105432">@karthikeyanB</a>&nbsp;wrote:<BR /><P>Hi all,</P><P>&nbsp;</P><P><SPAN>We are unable to capture below logs in syslog, but in Firewall it appears to be forwarding it to Syslog. Logs are being forwarded, but some fields are empty.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="fDqJ6iXKsNJ6GvFv4WlNrTArmuy3jwqbHw.png" style="width: 597px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/19986i99E9502E2DDF5A43/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="fDqJ6iXKsNJ6GvFv4WlNrTArmuy3jwqbHw.png" alt="fDqJ6iXKsNJ6GvFv4WlNrTArmuy3jwqbHw.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="w13H2cciKexNWwjLWBA3Cj7L3hxAWer2qA.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/19987iFC15323C9507E34F/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="w13H2cciKexNWwjLWBA3Cj7L3hxAWer2qA.png" alt="w13H2cciKexNWwjLWBA3Cj7L3hxAWer2qA.png" /></span></SPAN></P><HR /></BLOCKQUOTE><P><BR />This is not helping</P> Tue, 14 May 2019 11:23:15 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-events-not-forwarded/m-p/260896#M73955 karthikeyanB 2019-05-14T11:23:15Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-events-not-forwarded/m-p/260897#M73956 <P><SPAN>This is not helping</SPAN></P> Tue, 14 May 2019 11:24:30 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-events-not-forwarded/m-p/260897#M73956 karthikeyanB 2019-05-14T11:24:30Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-events-not-forwarded/m-p/260902#M73958 <P>Hi,</P> <P>&nbsp;</P> <P>What log format are you using ? CEF, LEEF ?</P> <P>&nbsp;</P> <P>If default isn't doing the trick, have you tried customizing as shown in the documents ?</P> <P>&nbsp;</P> <P>CEF FORMAT:</P> <P>&nbsp;</P> <PRE>CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|$number-<BR />of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src <BR />dst=$dst sourceTranslatedAddress=$natsrc <BR />destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser <BR />duser=$dstuserapp=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source <BR />Zone cs4=$from cs5Label=Destination Zone cs5=$to <BR />deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if <BR />cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid <BR />cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport <BR />destinationTranslatedPort=$natdport flexString1Label=Flags <BR />flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL <BR />Category cs2=$category flexString2Label=Direction flexString2=$direction<BR />PanOSActionFlags=$actionflags externalId=$seqnocat=$threatid<BR />fileId=$pcap_id PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 <BR />PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name <BR />dvchost=$device_namePanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid <BR />PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id <BR />PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel <BR />PanOSThreatCategory=$thr_category PanOSContentVer=$contentver</PRE> <P><SPAN style="left: 682.517px; top: 1112.68px; font-size: 15px; font-family: monospace; transform: scaleX(1);">&nbsp;</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN style="left: 682.517px; top: 1112.68px; font-size: 15px; font-family: monospace; transform: scaleX(1);">LEEF FORMAT:</SPAN></P> <PRE><CODE>LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$threatid| ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_ time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser| SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from| DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if| LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport| srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action| Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|sev=$number-of-severity|Severity=$severity| Direction=$direction|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc| DestinationLocation=$dstloc|ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest| Cloud=$cloud|URLIndex=$url_idx|RequestMethod=$http_method|Subject=$subject| DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2| DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4| vSrcName=$vsys_name|DeviceName=$device_name|SrcUUID=$src_uuid|DstUUID=$dst_uuid| TunnelID=$tunnelid|MonitorTag=$monitortag|ParentSessionID=$parent_session_id| ParentStartTime=$parent_start_time|TunnelType=$tunnel|ThreatCategory=$thr_category| ContentVer=$contentver</CODE></PRE> <P><LI-WRAPPER></LI-WRAPPER></P> <DIV data-extension-version="1.0.4">&nbsp;</DIV> <DIV data-extension-version="1.0.4"><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGsCAK" target="_blank" rel="noopener">Configuring PAN-OS 7.1 Gateways to Generate Logs in LEEF Format</A></DIV> <DIV data-extension-version="1.0.4">&nbsp;</DIV> <DIV data-extension-version="1.0.4">Cheers !</DIV> <DIV data-extension-version="1.0.4">-Kiwi.</DIV> Tue, 14 May 2019 12:59:29 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-events-not-forwarded/m-p/260902#M73958 kiwi 2019-05-14T12:59:29Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-events-not-forwarded/m-p/260908#M73962 <P>Hi,</P><P>&nbsp;</P><P>We are using PAN OS 8.0.13 but the document shows&nbsp; pan os 7.1!&nbsp;</P><P>&nbsp;</P><P>is not a issue?</P><P>&nbsp;</P><P>Regards</P><P>Karthikeyan</P> Tue, 14 May 2019 13:27:56 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-events-not-forwarded/m-p/260908#M73962 karthikeyanB 2019-05-14T13:27:56Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-events-not-forwarded/m-p/260909#M73963 <P>Hi,</P><P>&nbsp;</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEcCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEcCAK</A></P><P>&nbsp;</P><P>i found the above kb article for 8.0.X is that ok !</P><P>&nbsp;</P><P>Best Regards</P><P>Karthikeyan Balamurugan</P><P>&nbsp;</P> Tue, 14 May 2019 13:32:38 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-events-not-forwarded/m-p/260909#M73963 karthikeyanB 2019-05-14T13:32:38Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-events-not-forwarded/m-p/261042#M73998 <P><SPAN>We are using CEF format</SPAN></P> Wed, 15 May 2019 05:44:28 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-threat-events-not-forwarded/m-p/261042#M73998 karthikeyanB 2019-05-15T05:44:28Z