02-09-2023 02:45 PM
If you log into the GUI, go to the GlobalProtect logs, and then export a sample, the first line of the CSV is a header containing all the field names. The header and fields should match the syslogs. Most are relatively self-explanatory. The DG Hierarchy fields are device groups used in Panorama. Checking around, it looks like many of these are documented in the 10.x/11.x versions of the PAN-OS Administrator's Guide.
Domain, Receive Time,Serial #, Type,Threat/Content Type, Config Version, Generate Time, Virtual System, Event ID, stage, auth_method, tunnel_type, Source User, srcregion, machinename, public_ip, public_ipv6, private_ip, private_ipv6, hostid, serialnumber, client_ver, client_os, client_os_ver, Repeat Count, reason, error, Description, status, location, login_duration, connect_method, error_code, portal, Sequence Number, Action Flags, DG Hierarchy Level 1, DG Hierarchy Level 2, DG Hierarchy Level 3, DG Hierarchy Level 4, Virtual System Name, Device Name, Virtual System ID
Now, the weirdness.... That is only 9 fields different than what you listed. Comparing your CSV to mine, yours has 6 additional fields between Action Flags and DG Hierarchy Level 1; one of which contains a datetime stamp with millisecond resolution and timezone offset, and five blank fields. The rest of the fields match mine if those are removed. The PA does not have any millisecond timestamps in logs of that form that I am aware of. That makes me suspect those additional 6 fields are something added onto the record by your syslog receiver (the first being the receive time on SIEM, then SIEM logging/notes, then the additional fields from the PA syslog not in the parser added after?).
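The check described in this reply, as an added worked example (this is not the poster's code nor a Palo Alto Networks tool): take the header line from the GUI CSV export as the reference schema, and when a record received through syslog has more fields than the header, look for a contiguous block of extra values whose first value is a millisecond-resolution timestamp with a UTC offset and whose remaining values are blank, which the reply identifies as receiver-added. The block is skipped and the remaining values are mapped onto the header names by position. The sample record below is constructed for the example (serial number, IPs, user and device name are placeholders), the timestamp regex and the assumption that the injected fields are contiguous are the example's own, and the 6-field injected block is modelled on the description above.

```python
import csv
import re

# Header line of the GlobalProtect CSV export as quoted in this thread (43 names).
EXPORT_HEADER = next(csv.reader([
    "Domain,Receive Time,Serial #,Type,Threat/Content Type,Config Version,"
    "Generate Time,Virtual System,Event ID,stage,auth_method,tunnel_type,Source User,"
    "srcregion,machinename,public_ip,public_ipv6,private_ip,private_ipv6,hostid,"
    "serialnumber,client_ver,client_os,client_os_ver,Repeat Count,reason,error,"
    "Description,status,location,login_duration,connect_method,error_code,portal,"
    "Sequence Number,Action Flags,DG Hierarchy Level 1,DG Hierarchy Level 2,"
    "DG Hierarchy Level 3,DG Hierarchy Level 4,Virtual System Name,Device Name,"
    "Virtual System ID"
]))

# Constructed record in the firewall's own field order (all values are placeholders).
PA_RECORD = (
    ",2023/02/09 14:45:10,012345678901,GLOBALPROTECT,0,0,2023/02/09 14:45:10,vsys1,"
    "gateway-auth,login,LDAP,,example\\alice,US,ALICE-LAPTOP,203.0.113.10,,10.0.0.5,,,,"
    "6.1.0,Windows,Microsoft Windows 10,1,,,,success,,,,0,,700000001,0x0,"
    "0,0,0,0,,fw-edge-01,1"
)

# Timestamp with millisecond (or finer) resolution and a zone designator, e.g.
# 2023-02-09T14:45:12.345-08:00. The reply notes the firewall does not emit such
# timestamps in these logs, so a match is treated as a receiver-added field
# (assumption: the receiver uses this ISO-style layout).
MS_TS_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}\.\d{3,6}(Z|[+-]\d{2}:?\d{2})$"
)


def split_csv_line(line):
    """Split one CSV line into a list of strings (handles quoted commas)."""
    return next(csv.reader([line]))


def find_injected_block(values, n_expected):
    """Locate a contiguous run of receiver-added fields.

    Returns (start, length) where length = len(values) - n_expected, or None
    if the record already has the expected field count or no run is found.
    The run must begin with a millisecond/offset timestamp and be blank after it.
    """
    extra = len(values) - n_expected
    if extra <= 0:
        return None
    for start in range(len(values) - extra + 1):
        block = values[start:start + extra]
        if MS_TS_RE.match(block[0]) and all(v == "" for v in block[1:]):
            return start, extra
    return None


def map_record(header, values):
    """Map a received record onto the export header names.

    Returns (fields, injected): fields is {name: value}; injected holds the
    skipped receiver-added values (empty list when nothing was added).
    Raises ValueError when counts differ and no injected block is recognised,
    rather than silently mis-aligning field names.
    """
    hit = find_injected_block(values, len(header))
    if hit is None:
        if len(values) != len(header):
            raise ValueError(
                f"{len(values)} values for {len(header)} names and no "
                f"recognisable injected block"
            )
        return dict(zip(header, values)), []
    start, length = hit
    injected = values[start:start + length]
    cleaned = values[:start] + values[start + length:]
    return dict(zip(header, cleaned)), injected


# Constructed "as received by the SIEM" version: 6 extra fields (one timestamp,
# five blanks) inserted between Action Flags and DG Hierarchy Level 1.
INJECTED = ["2023-02-09T14:45:12.345-08:00", "", "", "", "", ""]
_pa = split_csv_line(PA_RECORD)
_cut = EXPORT_HEADER.index("DG Hierarchy Level 1")
SIEM_RECORD = _pa[:_cut] + INJECTED + _pa[_cut:]

if __name__ == "__main__":
    fields, injected = map_record(EXPORT_HEADER, SIEM_RECORD)
    print("receiver-added values:", injected)
    for name in ("Action Flags", "DG Hierarchy Level 1", "Device Name"):
        print(f"{name}: {fields[name]!r}")
```

Run it against the real export header and a real received line (split with `split_csv_line`) and compare `injected` to what the receiver claims to add; if the positions of names such as Device Name and Virtual System ID come out right, the mapping after the inserted block is consistent with the reply's explanation.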