Syslog - Palo Alto Cortex Data Lake CEF
Device Details
| Device Name | Syslog - Palo Alto Cortex Data Lake CEF |
|---|---|
| Vendor | Palo Alto |
| Device Type | Palo Alto Cortex Data Lake |
| Supported Model Name/Number | N/A |
| Supported Software Version | N/A |
| Collection Method | Syslog |
| Configurable Log Output | No |
| Log Source Type | Syslog - Palo Alto Cortex Data Lake CEF |
| Log Processing Policy | LogRhythm Default V 2.0 |
| Exceptions | N/A |
| Additional Information | https://docs.paloaltonetworks.com/cortex/cortex-data-lake/log-forwarding-schema-reference |
Supported Log Messages
(List of LR tags used to parse the log information for each message type)
| Type | Product Version | Supported Schema Fields |
|---|---|---|
Authentication Event | N/A | <vmid>, <severity>, <serialnumber>, <domainorigin>, <login>, <sip>, <dip>, <policy>, <result>, <protname>, <sname>, <smac>, <useragent , <session> |
| Configuration Messages | N/A | <vmid>, <severity>, <serialnumber>, <domainorigin>, <login>, <vendorinfo>, <sip>, <command>, <account>, <process>, <result>, <object> |
Decryption Event Messages | N/A | <vmid>, <command>, <severity>, <sip>, <dip>, <snatip>, <dnatip>, <login>, <account>, <dinterface>, <sinterface>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <policy>, <sname>, <smac>, <dname>, <dmac>, <domainimpacted>, <domainorigin> |
| File Threat Messages | N/A | <vmid>, <serialnumber>, <severity>, <subject>, <domainimpacted>, <account>, <objecttype>, <domainorigin>, <login>, <threatname>, <sip>, <dip>, <snatip>, <dnatip>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <tag1>, <action>, <object>, <hash>, <group>, <sname>, <smac>, <dname>, <dmac>, <reason> |
| General System Event | N/A | <vmid>, <severity>, <serialnumber>, <result>, <status>, <dip>, <domainimpacted>, <account>, <vendorinfo>, <action>, <object>, <subject> |
GlobalProtect Status Messages | N/A | <vmid>, <severity>, <tag1>, <status>, <login>, <sname>, <sip>, <snatip>, <reason>, <vendorinfo>, <tag2>, <result>, <seconds>, <serialnumber>, <domainorigin>, <domainimpacted>, <account> |
Host Profile Messages | N/A | <vmid>, <severity>, <serialnumber>, <domainorigin>, <domainimpacted>, <login>, <account>, <sname>, <dname>, <sip>, <dip>, <object>, <quantity>, <objecttype>, <smac> |
IP Tag Messages | N/A | <vmid>, <severity>, <serialnumber>, <sip>, <dip>, <subject>, <action>, <quantity>, <object>, <objecttype> |
SCTP Messages | N/A | <vmid>, <severity>, <serialnumber>, <dmac>, <domainimpacted>, <account>, <reason>, <smac>, <domainorigin>, <login>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <tag1>, <action>, <subject>, <packetsin>, <packetsout> |
| Threat Event | N/A | <tag1>, <vmid>, <severity>, <serialnumber>, <domainimpacted>, <account>, <command>, <domainorigin>, <login>, <subject>, <snatip>, <dnatip>, <sinterface>, <dinterface>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <tag2>, <action>, <object>, <threatid>, <threatname>, <hash>, <objecttype>, <sender>, <recipient>, <sname>, <smac>, <dname>, <dmac> |
Traffic Messages | N/A | <vmid>, <tag1>, <command>, <severity>, <serialnumber>, <domainimpacted>, <account>, <domainorigin>, <login>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <object>, <sinterface>, <dinterface>, <session>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <bytesin>, <bytesout>, <seconds>, <packetsin>, <packetsout>, <reason>, <subject>, <sname>, <smac>, <dname>, <dmac> |
URL Threat Messages | N/A | <vmid>, <severity>, <serialnumber>, <domainimpacted>, <account>, <domainorigin>, <login>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <sinterface>, <dinterface>, <session>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <tag1>, <action>, <url>, <subject>, <useragent>, <command>, <sname>, <smac>, <dname>, <dmac> |
User ID Messages | N/A | <vmid>, <severity>, <action>, <serialnumber>, <domainimpacted>, <account>, <sip>, <dip>, <object>, <sport>, <dport>, <subject> |
| Catch All : Level 1 | N/A | <tag1>, <severity> |
Revision History
| KB Version | Log Type | Change Type | Details |
|---|---|---|---|
| N/A | Syslog - Palo Alto Cortex Data Lake CEF | New Device Documentation | N/A |