Warning: undocumented change in syslog format

Heads-up to everybody: in version 4.x of PANOS, they have decided to make the following changes in their syslog format:

1. In the Miscellaneous field of the Threat Log syslog, where the URL a user visits is reported, the URL data used to be placed between double quotes. This makes sense because a URL may contain a comma, which is also the separator of the syslog fields. Now, only URLs that contain commas are quoted, and those that don't are not.

2. The username in all logs, when it comes from the AD user agent, used to be in the format domain\username. It's now domain\\username (double backslash).

Tech support confirms that these changes are not bugs, but expected behavior by design. They were apparently made without first notifying their syslog integration partners (https://live.paloaltonetworks.com/docs/DOC-1418), or bothering to document them in any release notes. This of course affects integration with SIEM (security information and event management) tools that clients like us use to parse, correlate and report on syslog data for different devices, severely impeding our ability to monitor network traffic.

Please be aware of this if you export PAN syslogs to other devices.
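A parser that tolerates both formats described above, added here as an example; it is not code from the original post or from any PAN-OS or SIEM product. The field layout and the sample syslog lines are constructed and simplified for illustration, not the real PAN-OS 4.x threat-log schema.

```python
import csv
from typing import Dict, List

# Constructed, simplified field layout for this example only; the real PAN-OS
# THREAT log has many more fields in a different order, so substitute the
# documented layout for the version you ingest.
FIELDS = ["receive_time", "serial", "type", "subtype", "src", "dst",
          "srcuser", "dstuser", "misc", "severity"]

# Constructed sample lines. The first mimics the pre-4.x form (URL always
# quoted, single backslash in the user); the other two mimic the 4.x form
# (URL quoted only when it contains a comma, doubled backslash in the user).
SAMPLE_LINES = [
    '2011/03/01 10:00:00,0001,THREAT,url,10.0.0.5,198.51.100.7,'
    'corp\\alice,,"http://example.test/a,b",informational',
    '2011/03/01 10:00:01,0001,THREAT,url,10.0.0.5,198.51.100.7,'
    'corp\\\\alice,,http://example.test/plain,informational',
    '2011/03/01 10:00:02,0001,THREAT,url,10.0.0.5,198.51.100.7,'
    'corp\\\\bob,,"http://example.test/x,y=1",medium',
]


def naive_field_count(line: str) -> int:
    # Field count a plain split(',') would see; it is wrong whenever the URL
    # carries a comma, which is why a quote-aware parser is needed.
    return len(line.split(","))


def normalize_user(user: str) -> str:
    # Collapse the doubled backslash of the 4.x form so that records from both
    # firmware versions correlate to the same domain\user identity.
    while "\\\\" in user:
        user = user.replace("\\\\", "\\")
    return user


def parse_line(line: str) -> Dict[str, str]:
    # The csv module honours double quotes whether the device quotes the URL
    # always (pre-4.x) or only when it contains a comma (4.x).
    row = next(csv.reader([line]))
    if len(row) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}: {line!r}")
    rec = dict(zip(FIELDS, row))
    for key in ("srcuser", "dstuser"):
        rec[key] = normalize_user(rec[key])
    return rec


def parse_all(lines: List[str]) -> List[Dict[str, str]]:
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    for rec in parse_all(SAMPLE_LINES):
        print(rec["srcuser"], rec["misc"])
```

The field-count check is the useful alarm: a line whose parsed field count differs from the expected layout is a sign that the device format changed again, and is worth alerting on rather than silently dropping.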


Re: Warning: undocumented change in syslog format

Thanks for this information.

Does anyone know if syslog integration partners are now notified about this change and if they implemented it in new versions (especially syslog-ng ;) )?

Best Regards


Re: Warning: undocumented change in syslog format

@eduplaa:

You would need to contact the relevant partner to see if they have already adapted their product to read the 4.0 PAN-OS log format changes.

The Syslog Integration Partner list is here:

https://live.paloaltonetworks.com/docs/DOC-1418

-Benjamin
