08-24-2015 05:02 AM - edited 09-01-2015 01:48 AM
Hi there,
we're shipping our logs to a centralized syslog instance. That works great for all types of logs from the PA with the exceptions of the CONFIG logs.
The CONFIG logs are submitted at all, with the problem that the interesting parts "before-change-detail" and "after-change-detail" are not delivered.
Does anyone else ship CONFIG logs and if yes, do you see the same behaviour?
Thanks for advice.
Submitted Syslog Message
2015-02-02 10:32:59 User.Info 1.2.3.4 Feb 2 10:32:59 paloalto.domain.com 1,2015/02/02 10:32:59,123444,CONFIG,0,0,2015/02/02 10:32:59,1.2.33.4,,edit,admin-name,Web,Succeeded, vsys vsys1 rulebase security rules one-rule-to-rule-them-all,1544,0x0
Expected Syslog Message
2015-02-02 10:32:59 User.Info 1.2.3.4 Feb 2 10:32:59 paloalto.domain.com 1,2015/02/02 10:32:59,123444,CONFIG,0,0,2015/02/02 10:32:59,1.2.33.4,,edit,admin-name,Web,Succeeded, vsys vsys1 rulebase security rules one-rule-to-rule-them-all,before-change-detail,after-change-detail,1544,0x0
08-24-2015 05:18 AM
08-24-2015 05:58 AM - edited 08-24-2015 06:22 AM
Hi Luciano,
we're running PAN-OS 6.1.5. Logshipping is done via UDP; we've tried TCP with no difference in the result.
CONFIG logs are successful submitted, but a portion of the content is missing; see my sample snippets.
When you export Montior > Configuration to a csv file you have two fields called "before-change-detail" and "after-change-detail". Those two fields are missing in the syslog stream.
Update 1: Just did a tcpdump as suggested. Data is sent, but without those two fields in question.
Cheers,
Sven
08-27-2015 03:08 PM
Hi Sven,
sorry for quick reading. I would say that is expected behavior, per documentation found here:
https://live.paloaltonetworks.com/t5/Articles/PAN-OS-Syslog-Integration/ta-p/55323
CONFIG
FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, FUTURE_USE, Host, Virtual
System, Command, Admin, Client, Result, Configuration Path, Sequence Number, Action Flags
full description on page 14
regards
Luciano
09-01-2015 01:46 AM - edited 09-01-2015 01:47 AM
Hi Luciano,
thanks for your answer and sorry for the delay in my answer. I didn't received a notification...
The article refers to PAN-OS 5, so I've double checked the version 6.1 document. And in the syslog portion it is stated that "before change detail" and "after change detail" are onyl used in the custom syslog format, not in the default one.
So I've played around with it now these two informations are submitted, more or less complete. For exmaple: An application group with many apps included would be altered in the "before change detail" but the changed value is available. So one can follow the trace...
Now it looks like this:
palotalto.domain.com 1,2015/09/01 10:38:49,S/N,CONFIG,0,2015/09/01 10:38:49,1.2.3.4,,edit,admin,Web,Succeeded, vsys vsys1 application-group Test-Apps,4296,0x0,Test-Apps { } ,Test-Apps [ aim-file-transfer ];
Thanks for you hint!
05-20-2019 07:50 AM
I was looking at this today and it looks like this is still the case - I'm running 8.0 code. Syslog does not contain change information. Can anyone confirm? Just want to make sure before I change the default to custom.
05-20-2019 02:42 PM
Thanks for confirming.
09-15-2020 11:06 AM
Any update on this? I am running to the same issue where I add custom fields in Config on Palo.
I still see no value in Splunk result after_change_detail and before_change_detail
09-15-2020 11:09 AM
Any update on this? I am running to the same issue where I add custom fields in Config on Palo.
I still see no value in Splunk result after_change_detail and before_change_detail
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
