02-09-2023 12:49 PM
I am building a parser for our SIEM for GlobalProtect and have found something odd. The GlobalProtect logs have 12 more fields than the PanOS Administrators Guide labels. What are the additional 12 fields called?
This is a GlobalProtect log:
1,2023/02/09 10:25:54,REDACTED,GLOBALPROTECT,0,2562,2023/02/09 10:25:54,vsys1,portal-auth,login,saml,,REDACTED,US,,REDACTED,0.0.0.0,0.0.0.0,0.0.0.0,,,Browser,any,,1,,,,success,,0,,0,REDACTED,REDACTED,0x0,2023-02-09T10:25:54.892-10:00,,,,,,0,0,0,0,,REDACTED,1
And these are the field descriptions from the PAN-OS Administrator's Guide (for PAN-OS versions 9.1.3 and later).
Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Virtual System, Event ID, Stage, Authentication Method, Tunnel Type, Source User, Source Region, Machine Name, Public IP, Public IPv6, Private IP, Private IPv6, Host ID, Serial Number, Client Version, Client OS, Client OS Version, Repeat Count, Reason, Error, Description, Status, Location, Login Duration, Connect Method, Error Code, Portal, Sequence Number, Action Flags
02-09-2023 02:45 PM
If you log into the GUI, go to the GlobalProtect logs, and then export a sample, the first line of the CSV is a header containing all the field names. The header and fields should match the syslogs. Most are relatively self-explanatory. The DG Hierarchy fields are device groups used in Panorama. Checking around, it looks like many of these are documented in the 10.x/11.x versions of the PAN-OS Administrator's Guide.
Domain, Receive Time,Serial #, Type,Threat/Content Type, Config Version, Generate Time, Virtual System, Event ID, stage, auth_method, tunnel_type, Source User, srcregion, machinename, public_ip, public_ipv6, private_ip, private_ipv6, hostid, serialnumber, client_ver, client_os, client_os_ver, Repeat Count, reason, error, Description, status, location, login_duration, connect_method, error_code, portal, Sequence Number, Action Flags, DG Hierarchy Level 1, DG Hierarchy Level 2, DG Hierarchy Level 3, DG Hierarchy Level 4, Virtual System Name, Device Name, Virtual System ID
Now weirdness.... That is only 9 fields different than what you listed. Comparing your CSV to mine, yours has 6 additional fields between Action Flags and DG Hierarchy Level 1; one of which contains a datetime stamp with millisecond resolution and timezone offset, and five blank fields. The rest of the fields match mine if those are removed. The PA does not have any millisecond timestamps in logs of that form that I am aware of. That makes me suspect those additional 6 fields are something added onto the record by your syslog receiver (the first being the receive time on SIEM, then SIEM logging/notes, then the additional fields from the PA syslog not in the parser added after?).