https://live.paloaltonetworks.com/t5/general-topics/error-in-cef-format-for-threat-logs/m-p/363532#M88374 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/44251">@MarcelST</a> ,</P> <P>&nbsp;</P> <P>Thanks for the heads up.&nbsp; I've requested a review of the DOC with your information.</P> <P>&nbsp;</P> <P>Cheers !</P> <P>-Kiwi.</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Tue, 17 Nov 2020 13:40:51 GMT kiwi 2020-11-17T13:40:51Z https://live.paloaltonetworks.com/t5/general-topics/error-in-cef-format-for-threat-logs/m-p/363257#M88345 <P>The following guide provides the parsing for&nbsp;CEF-style Log Formats for PAN-OS 9.1:</P><P><A href="https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cef/pan-os-91-cef-configuration-guide.pdf" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cef/pan-os-91-cef-configuration-guide.pdf</A></P><P>&nbsp;</P><P>We have been using this for a while, but because now we have a 2nd source of logs (PRISMA) aside from Panorama, we just found out the parsing suggested for "Threat" log is not correct in our opinion, and that was causing some issues on our SIEM use-cases.</P><P>&nbsp;</P><P>In short, this field is wrong and should be replaced by <FONT color="#339966"><STRONG>$subtype</STRONG></FONT>:</P><P>&nbsp;</P><P>Threat CEF:0|Palo Alto<BR />Networks|PAN-OS|$sender_sw_version|<FONT color="#FF0000"><STRONG>$threatid</STRONG></FONT>|$type|$number-of-severity|rt=$cef-formatted-receive_time<BR />deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc<BR />destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app<BR />cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to<BR />deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset<BR />cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport<BR />destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action<BR />request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction<BR />PanOSActionFlags=$actionflags externalId=$seqno cat=$threatid fileId=$pcap_id PanOSDGl1=$dg_hier_level_1<BR />PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4<BR />PanOSVsysName=$vsys_name dvchost=$device_name PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid<BR />PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id<BR />PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel PanOSThreatCategory=$thr_category<BR />PanOSContentVer=$contentver PanOSAssocID=$assoc_id PanOSPPID=$ppid PanOSHTTPHeader=$http_headers<BR />PanOSURLCatList=$url_category_list PanOSRuleUUID=$rule_uuid PanOSHTTP2Con=$http2_connection<BR />PanDynamicUsrgrp=$dynusergroup_name</P><P>&nbsp;</P><P>&nbsp;</P><UL><LI>How can we get this fixed in the document?</LI><LI>Additionally, is it possible to get the document updated with PAN-OS 10 in <A href="https://docs.paloaltonetworks.com/resources/cef" target="_self">here</A>?</LI></UL> Mon, 16 Nov 2020 10:27:16 GMT https://live.paloaltonetworks.com/t5/general-topics/error-in-cef-format-for-threat-logs/m-p/363257#M88345 MarcelST 2020-11-16T10:27:16Z https://live.paloaltonetworks.com/t5/general-topics/error-in-cef-format-for-threat-logs/m-p/363532#M88374 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/44251">@MarcelST</a> ,</P> <P>&nbsp;</P> <P>Thanks for the heads up.&nbsp; I've requested a review of the DOC with your information.</P> <P>&nbsp;</P> <P>Cheers !</P> <P>-Kiwi.</P> <DIV id="ConnectiveDocSignExtentionInstalled" data-extension-version="1.0.4">&nbsp;</DIV> Tue, 17 Nov 2020 13:40:51 GMT https://live.paloaltonetworks.com/t5/general-topics/error-in-cef-format-for-threat-logs/m-p/363532#M88374 kiwi 2020-11-17T13:40:51Z