Hi @Pras ,
I would suggest you to validate your Data Logs format. I had issues with copy-pasting from this PDF file - there were some non-printable characters when copy from the PDF. I would suggest you to paste format into text editor and check enable "show all characters" (I personally prefer NotePad++.
We don't forward data logs to Sentinel (yet), but below is what we have in our FWs (without any extra chars)
CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction PanOSActionFlags=$actionflags externalId=$seqno cat=$threatid fileId=$pcap_id PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name dvchost=$device_name PanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel PanOSThreatCategory=$thr_category PanOSContentVer=$contentver PanOSAssocID=$assoc_id PanOSPPID=$ppid PanOSHTTPHeader=$http_headers PanOSRuleUUID=$rule_uuid
I don't expect FW being "dropping" the logs, for me it is more likely for the Azure to drop them because they are failing to match the CEF format. On the CEF collector there is regex pattern which if not matched log will not be forwarded to Sentinel.
You could try to run a packet capture on the firewall to confirm that Data Filtering logs. You can use the tcpdump https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CleECAS and filter based on syslog collector address.
Note that there is no way to capture only data filtering logs, so depending on your traffic your capture could filled up with traffic logs. So you could consider doing this when there is less traffic and if possible to trigger data filtering log, so to be sure that there is such event during the capture.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!