Where is the documentation that describes Syslog Log types formats for Palo Alto Firewalls?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Where is the documentation that describes Syslog Log types formats for Palo Alto Firewalls?

L1 Bithead

On my Ubuntu Server I receive syslogs, that may look like this:

 

<14>Sep 23 20:01:11 PA-440 1,2024/09/23 20:01:11,021201133296,TRAFFIC,end,2561,2024/09/23 20:01:11,10.10.10.103,20.190.177.21,192.168.10.20,22.120.127.11,rule1,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,LFP LimaCharlie FW,2024/09/23 20:01:11,121977,1,60637,443,39335,443,0x40041c,tcp,allow,23588,6260,17328,30,2024/09/23 20:00:56,1,any,,7408146363088945002,0x0,10.0.0.0-10.255.255.255,France,,13,17,tcp-fin,0,0,0,0,,PA-440,from-policy,,,0,,0,,N/A,0,0,0,0,a6854971-45bb-499a-86fd-30008807b6e1,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-09-23T20:01:11.522+02:00,,,encrypted-tunnel,networking,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,ssl,no,no,0

I understand that there are different log types that can be sent, including

  • Config
  • System
  • Threat
  • Traffic
  • URL
  • Data
  • WildFire
  • Tunnel
  • Authentication
  • User-ID
  • HIP Match
  • Globalprotect
  • Iptag
  • Decryption

 

Are there any documentation that shows me how the different log types are constructed?
I need it in order to create a Regex that will convert syslog into JSON format.

 

1 accepted solution

Accepted Solutions
4 REPLIES 4

Cyber Elite
Cyber Elite

Hello,

Your SIEM might already be able to do this? I dont have an example that I can share, but its along similar lines of comma separated values. You could setup a simple syslog server to capture a few logs of each and then base it from there?

 

Here is what is shows in the help file of hte two different types of syslogs the firewall can send.

 

Select the value that maps to how your Syslog server uses the facility field to manage messages. For details on the facility field, see RFC 3164 (BSD format) or RFC 5424 (IETF format).

 

 

Just a few thoughts.

L6 Presenter

@SoloSigma wrote:

On my Ubuntu Server I receive syslogs, that may look like this:

 

<14>Sep 23 20:01:11 PA-440 1,2024/09/23 20:01:11,021201133296,TRAFFIC,end,2561,2024/09/23 20:01:11,10.10.10.103,20.190.177.21,192.168.10.20,22.120.127.11,rule1,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,LFP LimaCharlie FW,2024/09/23 20:01:11,121977,1,60637,443,39335,443,0x40041c,tcp,allow,23588,6260,17328,30,2024/09/23 20:00:56,1,any,,7408146363088945002,0x0,10.0.0.0-10.255.255.255,France,,13,17,tcp-fin,0,0,0,0,,PA-440,from-policy,,,0,,0,,N/A,0,0,0,0,a6854971-45bb-499a-86fd-30008807b6e1,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2024-09-23T20:01:11.522+02:00,,,encrypted-tunnel,networking,browser-based,4,"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,ssl,no,no,0

I understand that there are different log types that can be sent, including

  • Config
  • System
  • Threat
  • Traffic
  • URL
  • Data
  • WildFire
  • Tunnel
  • Authentication
  • User-ID
  • HIP Match
  • Globalprotect
  • Iptag
  • Decryption

 

Are there any documentation that shows me how the different log types are constructed?
I need it in order to create a Regex that will convert syslog into JSON format.

 


Maybe this is what you're looking for?  The LEEF fields?

https://docs.paloaltonetworks.com/strata-logging-service/log-reference/network-logs/network-traffic-...

 

L1 Bithead

My SIEM tool is LimaCharlie, and it does not parse Palo Alto logs out of the box. Because of this I will have to create some Regex to convert Syslogs to JSON format.

Cyber Elite
Cyber Elite
  • 1 accepted solution
  • 1175 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!