Working on this again, still no change in behavior.
Does anyone know if this has been addressed in any 9.1 or 10.x releases?
The log format changes based on if Default logging or Custom Format is used, so the sourcetype isn't set correctly (Splunk).
DEFAULT (sourcetype is set to pan:config, this is correct and working, but no before/after change detail)
<14>Aug 15 14:06:53 PA-1 1,2022/08/15 14:06:53,016201015409,CONFIG,0,0,2022/08/15 14:06:53,192.168.1.10,,edit,adminacct,Web,Succeeded, vsys vsys1 address configlog_testobj,24838,0x0,0,0,0,0,,PA-AMA-Pri,0,
CUSTOM FORMAT (sourcetype is set to pan:log, the before/after change detail is present, but the sourcetype is wrong) <14>Aug 15 14:18:57 PA-1 0x0 adminacct "configlog_testobj { description ""test change 90""; } " "configlog_testobj { description ""test change 80""; } " Aug 15 2022 19:18:57 GMT Aug 15 2022 19:18:57 GMT Web edit PA-AMA-Pri 192.168.1.10 vsys vsys1 address configlog_testobj 2022/08/15 14:18:57 Succeeded 9.1.12-h3 24843 016201015409 0 2022/08/15 14:18:57 CONFIG
... View more