Palo Alto Threat Events Not forwarded

Hi,

What log format are you using ? CEF, LEEF ?

If default isn't doing the trick, have you tried customizing as shown in the documents ?

CEF FORMAT:

CEF:0|Palo Alto Networks|PAN-OS|$sender_sw_version|$subtype|$type|$number-
of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src 
dst=$dst sourceTranslatedAddress=$natsrc 
destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser 
duser=$dstuserapp=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source 
Zone cs4=$from cs5Label=Destination Zone cs5=$to 
deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if 
cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid 
cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport 
destinationTranslatedPort=$natdport flexString1Label=Flags 
flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL 
Category cs2=$category flexString2Label=Direction flexString2=$direction
PanOSActionFlags=$actionflags externalId=$seqnocat=$threatid
fileId=$pcap_id PanOSDGl1=$dg_hier_level_1 PanOSDGl2=$dg_hier_level_2 
PanOSDGl3=$dg_hier_level_3 PanOSDGl4=$dg_hier_level_4 PanOSVsysName=$vsys_name 
dvchost=$device_namePanOSSrcUUID=$src_uuid PanOSDstUUID=$dst_uuid 
PanOSTunnelID=$tunnelid PanOSMonitorTag=$monitortag PanOSParentSessionID=$parent_session_id 
PanOSParentStartTime=$parent_start_time PanOSTunnelType=$tunnel 
PanOSThreatCategory=$thr_category PanOSContentVer=$contentver

LEEF FORMAT:

LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$threatid|
ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_
time|src=$src|dst=$dst|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|
SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|
DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|
LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|
srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|proto=$proto|action=$action|
Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category|sev=$number-of-severity|Severity=$severity|
Direction=$direction|sequence=$seqno|ActionFlags=$actionflags|SourceLocation=$srcloc|
DestinationLocation=$dstloc|ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|
Cloud=$cloud|URLIndex=$url_idx|RequestMethod=$http_method|Subject=$subject|
DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|
DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|
vSrcName=$vsys_name|DeviceName=$device_name|SrcUUID=$src_uuid|DstUUID=$dst_uuid|
TunnelID=$tunnelid|MonitorTag=$monitortag|ParentSessionID=$parent_session_id|
ParentStartTime=$parent_start_time|TunnelType=$tunnel|ThreatCategory=$thr_category|
ContentVer=$contentver

Hi,

We are using PAN OS 8.0.13 but the document shows  pan os 7.1! 

is not a issue?

Regards

Karthikeyan

We are using CEF format