PAN-OS Syslog Integration

by panagent on 12-15-2011 03:44 PM

There are five log types that PAN-OS can generate: traffic, threat, host information profile (HIP) match, config, and system. All are formatted as comma-separated value (CSV) strings. This document describes the fields for each log type. The fields flagged as FUTURE_USE do not currently have predictable, useful information in them.

The syslog field descriptions in this document are now integrated into the on-device help system. Navigate to Device > Server Profiles > Syslog and click the Help icon, or search help for "Custom Syslog Field Descriptions".
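The per-field layouts are not reproduced on this page, but the two properties it does state, CSV payloads and positional FUTURE_USE columns, are exactly what breaks a SIEM integration when handled naively. The Python below is an added example, not code from the tech note or from Palo Alto Networks: it strips a BSD syslog header, splits the payload with a quote-aware CSV reader, reads the leading shared columns and dispatches on the five log types. The seven-column prefix, the type strings (TRAFFIC, THREAT, HIP-MATCH, CONFIG, SYSTEM) and the sample lines are my assumptions and constructed data; the authoritative field list for a given release comes from the on-device help the note points to.

```python
import csv
import io
import re
from typing import Dict, List, Optional

# The five log types named in the tech note, as assumed to appear in the
# "Type" column of the CSV payload (verify against the on-device help).
LOG_TYPES = {"TRAFFIC", "THREAT", "HIP-MATCH", "CONFIG", "SYSTEM"}

# Leading columns assumed to be shared by every log type. Positions 0 and 5
# are FUTURE_USE: present in the CSV but carrying no dependable value, so a
# parser skips them by position, never by content.
COMMON_PREFIX = [
    "FUTURE_USE", "receive_time", "serial", "type", "subtype",
    "FUTURE_USE", "generated_time",
]

# BSD syslog header (assumed transport framing): <PRI>Mmm dd hh:mm:ss host payload
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})"
    r"\s+(?P<host>\S+)\s+(?P<payload>.*)$"
)

# Constructed sample lines (not captured from a real firewall). The THREAT
# line carries a quoted misc/URL field that itself contains a comma.
SAMPLE_LINES = [
    '<14>Jan 10 12:00:01 PA-VM-1 1,2014/01/10 12:00:01,0001A1000001,TRAFFIC,end,1,'
    '2014/01/10 12:00:01,10.0.0.5,192.0.2.10,0.0.0.0,0.0.0.0,allow-web,,,web-browsing,'
    'vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,1,12345,1,51234,80,0,0,0x0,'
    'tcp,allow,2048,1024,1024,12,2014/01/10 11:59:50,11,any',
    '<14>Jan 10 12:00:02 PA-VM-1 1,2014/01/10 12:00:02,0001A1000001,THREAT,url,1,'
    '2014/01/10 12:00:02,10.0.0.5,192.0.2.10,0.0.0.0,0.0.0.0,allow-web,,,web-browsing,'
    'vsys1,trust,untrust,ethernet1/2,ethernet1/1,default,1,12346,1,51235,80,0,0,0x0,'
    'tcp,alert,"example.test/path?a=1,b=2",(9999),unknown',
    '<14>Jan 10 12:00:03 PA-VM-1 1,2014/01/10 12:00:03,0001A1000001,SYSTEM,general,1,'
    '2014/01/10 12:00:03,,,general,,0,0,general,informational,constructed sample event',
    'not a firewall line at all',
]


def split_csv(payload: str) -> List[str]:
    """Quote-aware split: a double-quoted field containing commas stays one field,
    so later columns are not shifted."""
    return next(csv.reader(io.StringIO(payload)))


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return the shared columns plus the positional remainder, or None for
    anything that is not a recognised PAN-OS log line."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    fields = split_csv(m.group("payload"))
    if len(fields) < len(COMMON_PREFIX) or fields[3] not in LOG_TYPES:
        return None
    record: Dict[str, object] = {"host": m.group("host"), "syslog_ts": m.group("ts")}
    for name, value in zip(COMMON_PREFIX, fields):
        if name != "FUTURE_USE":
            record[name] = value
    # Columns after the shared prefix are type- and version-specific; keep them
    # positional so a caller can map them with the field list for its release.
    record["rest"] = fields[len(COMMON_PREFIX):]
    return record


def naive_extra_fields(line: str) -> int:
    """Number of surplus columns a bare str.split(',') yields versus a quote-aware
    split. Non-zero means a naive parser would misalign every later column."""
    m = _HEADER.match(line.strip())
    if not m:
        return 0
    payload = m.group("payload")
    return len(payload.split(",")) - len(split_csv(payload))


def count_by_type(lines) -> Dict[str, int]:
    """Tally parsed lines per log type, silently dropping unparseable input."""
    counts: Dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[rec["type"]] = counts.get(rec["type"], 0) + 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_line(sample))
    print(count_by_type(SAMPLE_LINES))
```

The `naive_extra_fields` check is the one worth keeping in a pipeline: run it over a day of forwarded logs and any non-zero result identifies lines whose quoted fields would have shifted columns in a comma-splitting parser.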

owner: jfitz

Comments
by User_333
on 02-27-2012 04:56 AM

Thanks for this documentation, which leads me to the following question:

Your solution is very general, but what will happen if I use the Microsoft RADIUS Server for this 802.1X authentication? I would expect (but don't know for sure) that the logs will be in the Security log. So, the usual User-ID Agent should be able to do all the USER<->IP mappings.

by kkondo
on 03-25-2012 06:56 PM

"$fmt" always shows "0"

Description should be $opaque, not $fmt.

Please update the document.

by
on 07-24-2012 11:12 AM

The security log in Windows doesn't tell us the client IP of the RADIUS authentication, which is why the Agent can't pick it up.

by TCSPM
on 12-05-2012 01:21 PM

Is there a more up-to-date version of this document? The configs for the custom log formats in the document "PAN-OS 4.1 CEF Configuration Guide" specify fields that are not listed in this document, such as:

$CEF-Formated-Recieve_Time 

$fmt

by SRA
on 12-11-2012 03:55 PM

The $CEF-formatted fields are only available for use in custom log formats, not in the default log format documented in this guide. Refer to the section on 'Custom Syslog Field Descriptions' in the Administrator's Guide or click on the help icon in the custom log format dialog on the firewall to get details on these.

The $fmt field was published in error and has been removed from this document. It is replaced by the $opaque field. The CEF guides will be updated/refreshed with this information as well.

by u16939
on 12-18-2012 03:26 PM

I see there is a way to export the logs to a syslog server; has anyone ever sent them to a QRadar SIEM? Is it possible to send the syslog "live" from a PAN device to QRadar? If so, how is that set up?

by SRA
on 12-18-2012 04:07 PM

Yes, you can send the firewall logs in their default format to QRadar. You would configure a Syslog server profile, and use it in Log settings (for System, Config, HIP logs) and in Log forwarding (for Threat and Traffic logs).

by mikand
on 02-15-2013 01:24 AM

The reference in this document to CEF information, https://live.paloaltonetworks.com/docs/DOC-2775, seems to have been deleted on the PA site.

by sesco
on 02-15-2013 09:00 AM

I fixed the links and posted a new PDF. We now have 4.0 and 4.1 versions of the CEF docs; we deleted 2775 and did not update the links in the syslog doc.

Here are the links that I put in the syslog doc:

https://live.paloaltonetworks.com/docs/DOC-2834 for PAN-OS 4.0

https://live.paloaltonetworks.com/docs/DOC-2835 for PAN-OS 4.1

Thank you very much for the feedback!

by ericgearhart
on 02-21-2013 05:44 PM

We are successfully sending logs from several PAN devices to QRadar. We built custom event properties for some of the log data that comes across that wasn't parsed by the default QRadar PAN DSM.

by lcurtis
on 11-12-2013 10:25 AM

Is this document current for PAN-OS 5.0? Are there any changes in the format we need to be aware of? If there are, could we get an update that covers the changes?

by sesco
on 11-12-2013 11:15 AM

Yes, if you search the PDF for 5.0.0, you will see the updates that were made for that release.

by rhermes
on 01-10-2014 03:04 PM

Now that 6.0 Beta is out, when can we expect to see an update for 6.0?

by mvaidyanathan
on 01-10-2014 04:08 PM

The information from this tech note is integrated and updated for 6.0 and will be available in the Palo Alto Networks Administrator's Guide. Please stay tuned for the release announcement; the guide will be posted when 6.0 is released.

by jholmes
on 05-07-2014 08:40 AM

Any updates to this document now that PAN-OS v6 is out and has had 2 updated releases?

I am actively working on an integration with an MSSP provider and need this update for PAN-OS 6.

by david3
on 05-07-2014 08:51 AM

I'm using the PAN-OS Administrator's Guide 6.0 (English), starting on PDF page 278 (document page number 236), for the update. The section title is "Parse the Field Description in Logs".

by jholmes
on 05-07-2014 09:03 AM

David3, thank you sir. This is the info I was looking for.

by pjospeh
on 08-12-2014 05:38 PM

My customer said that he doesn't traffic logs in the custom log format. Is there a way I can simply remove that option from his syslog profile?

by mt.103
on 05-11-2016 07:06 PM

Regarding the Miscellaneous (misc) field: is it a file name when the subtype is "spyware" or "vulnerability", the same as for subtype "virus"?

by grchew
on 06-23-2016 09:55 AM

You need to have your eth or service route IP addresses as static, not DHCP. We had it set to DHCP in an AWS environment. Changing to static made this work cleanly.

by RamBista1
on 03-17-2017 05:01 PM

None of the links in this document work. Any update, please?