Heads-up to everybody: in version 4.x of PAN-OS, they have decided to make the following changes in their syslog format:
1. In the Miscellaneous field of the Threat Log syslog, where the URL a user visits is reported, the URL data used to be placed between double quotes. This makes sense because a URL may contain a comma, which is also the separator of the syslog fields. Now, only URLs that contain commas are quoted, and those that don't are not.
2. The username in all logs, when it comes from the AD user agent, used to be in the format domain\username. It's now domain\\username (double backslash).
Tech support confirms that these changes are not bugs, but expected behavior by design. They were apparently made without first notifying their syslog integration partners (https://live.paloaltonetworks.com/docs/DOC-1418), or bothering to document them in any release notes. This of course affects integration with SIEM (security information and event management) tools that clients like us use to parse, correlate and report on syslog data for different devices, severely impeding our ability to monitor network traffic.
Please be aware of this if you export PAN syslogs to other devices.
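As an added illustration (not part of the original post, and not Palo Alto Networks' code): a small Python parser that copes with both the pre-4.x and the 4.x field formats described above, by letting the csv module decide whether the URL field is quoted and by collapsing the double-backslash username back to the single-backslash form that existing correlation rules expect. The field names, column positions and the three sample records are constructed for this example and are not the real PAN-OS Threat Log layout; a production parser must use the vendor's field reference for the exact PAN-OS version in use.

```python
import csv
import re

# Assumed field layout for the constructed sample records below. These names and
# positions are an assumption for this example, not the documented PAN-OS 4.x
# Threat Log column order.
FIELDS = [
    "receive_time", "serial", "type", "subtype", "src", "dst",
    "src_user", "dst_user", "app", "action", "misc",  # misc carries the URL
]

# Constructed sample records (not real device output). Same event, three ways:
#   OLD:       pre-4.x, URL always double-quoted, user as DOMAIN\user
#   NEW_PLAIN: 4.x, URL has no comma so it is NOT quoted, user as DOMAIN\\user
#   NEW_COMMA: 4.x, URL contains a comma so it IS quoted, user as DOMAIN\\user
_PREFIX = "2012/01/01 10:00:00,SERIAL0001,THREAT,url,192.0.2.10,198.51.100.20,"
SAMPLE_OLD = _PREFIX + 'CORP\\jdoe,,web-browsing,alert,"http://example.com/index.html"'
SAMPLE_NEW_PLAIN = _PREFIX + "CORP\\\\jdoe,,web-browsing,alert,http://example.com/index.html"
SAMPLE_NEW_COMMA = _PREFIX + 'CORP\\\\jdoe,,web-browsing,alert,"http://example.com/search?q=a,b"'


def naive_field_count(line: str) -> int:
    """What a parser that just splits on ',' sees.

    This is the breakage the post describes: a quoted URL containing a comma
    is split into two fields, shifting every column after it.
    """
    return len(line.split(","))


def normalize_user(user: str) -> str:
    """Collapse the 4.x 'DOMAIN\\\\user' form back to 'DOMAIN\\user'.

    Runs of two or more backslashes become one, so a value that is already in
    the old single-backslash form is returned unchanged and correlation rules
    keyed on 'DOMAIN\\user' keep matching across the upgrade.
    """
    return re.sub(r"\\{2,}", r"\\", user)


def parse_record(line: str) -> dict:
    """Parse one comma-separated PAN-OS style record into named fields.

    csv.reader accepts a field whether or not it is double-quoted and only
    treats a comma as a separator outside quotes, so the same code handles
    the old always-quoted URL and the new quoted-only-when-needed URL.
    Usernames are then normalized to the pre-4.x single-backslash form.
    """
    row = next(csv.reader([line]))
    if len(row) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}: {line!r}")
    rec = dict(zip(FIELDS, row))
    for key in ("src_user", "dst_user"):
        rec[key] = normalize_user(rec[key])
    return rec


if __name__ == "__main__":
    for name, line in (("OLD", SAMPLE_OLD), ("NEW_PLAIN", SAMPLE_NEW_PLAIN),
                       ("NEW_COMMA", SAMPLE_NEW_COMMA)):
        rec = parse_record(line)
        print(f"{name:9} naive fields={naive_field_count(line):2}  "
              f"user={rec['src_user']}  url={rec['misc']}")
```

The field-count check in parse_record is the practical safeguard: if a future format change shifts columns again, the record is rejected loudly instead of silently landing the wrong value in the wrong SIEM field.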
Thanks for this information.
Does anyone know if syslog integration partners are now notified about this change and if they have implemented it in new versions (especially syslog-ng)?
You would need to contact the relevant partner to see if they have already adapted their product to read the 4.0 PAN-OS log format changes.
The Syslog Integration Partner list is here: