
Syslog - Palo Alto Firewall

Device Details

Vendor: Palo Alto

Device Type: Next-Generation Firewall

Supported Model Name/Number: Palo Alto Series Firewall

Supported Software Version(s): PAN-OS 9.0, PAN-OS 9.1, PAN-OS 10.0, PAN-OS 10.1. GlobalProtect is only supported from version 9.1.3 and later.

Collection Method: Syslog

Configurable Log Output?: Yes

Log Source Type: Syslog – Palo Alto Firewall

Log Processing Policy: LogRhythm Default v2.0

Exceptions: N/A

Additional Information:

https://www.paloaltonetworks.com/documentation

https://docs.paloaltonetworks.com/compatibility-matrix/supported-os-releases-by-model/palo-alto-networks-next-gen-firewalls.html

https://www.paloaltonetworks.com/network-security/next-generation-firewall

Device Configuration Checklist

Create a Server Profile for the Collecting LogRhythm System Monitor Agent (Syslog Server)

  1. From the Palo Alto Console, select the Device tab.

  2. In the left pane, expand Server Profiles.

  3. Select Syslog.

  4. Click Add and define the name of the profile, such as LR-Agents.

Add Syslog Server (LogRhythm System Monitor) to Server Profile

Use the following configuration information for the syslog server entry:

  • Name: for example LR-AgentName, or the IP address of the agent

  • Server: the IP address or fully qualified domain name of the LogRhythm System Monitor

  • Transport: UDP or TCP (dependent on the Palo Alto Firewall settings)

  • Port: 514

  • Format: IETF

  • Facility: LOG_USER (default)

Configure Syslog Forwarding for Traffic, Threat, and Wildfire Logs

  1. In the left pane of the Objects tab, select Log Forwarding.

  2. Select Add and create a name for the Log Forwarding Profile, such as LR-Syslog.

  3. For each type and severity level, select the Syslog server profile.

Configure Syslog Forwarding for System and Config Logs

  1. In the left pane of the Device tab, select Log Settings.

  2. For each type and severity level, select the Syslog server profile.

Supported Log Messages

This table lists the LR tags used to parse the log information for each message type.

Type | Product Version | Supported Schema Fields

V 2.0 Authentication Lockout Expired | All | <vmid>, <vendorinfo>, <tag1>, <severity>, <subject>

V 2.0 Authentication Messages | All | <vmid>, <vendorinfo>, <sip>, <login>, <object>, <policy>, <quantity>, <action>, <subject>, <result>, <objectname>, <protname>, <sname>, <smac>, <useragent>, <session>

V 2.0 Catch All (Palo Alto) | All | <vmid>, <vendorinfo>

V 2.0 Catch All: General Authentication Event | All | <vmid>, <vendorinfo>, <tag1>, <severity>, <subject>

V 2.0 Catch All: General DHCP Messages | All | <vmid>, <vendorinfo>, <severity>, <subject>, <tag1>

V 2.0 Catch All: System Messages | All | <vmid>, <vendorinfo>, <severity>, <subject>, <objectname>

V 2.0 Configuration Messages | All | <vmid>, <vendorinfo>, <sip>, <command>, <tag1>, <login>, <sessiontype>, <result>, <tag2>, <object>, <objectname>

V 2.0 Correlated Event Messages | All | <vmid>, <vendorinfo>, <sip>, <domainorigin>, <login>, <subject>, <severity>, <objectname>, <threatname>, <threatid>, <reason>

V 2.0 Data/File/Virus/Spyware Threat Messages | All | <vmid>, <vendorinfo>, <tag1>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag2>, <object>, <threatname>, <threatid>, <subject>, <severity>, <sender>, <recipient>, <objectname>, <group>

V 2.0 Decryption Event Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag1>, <objectname>, <group>

V 2.0 Flood/Packet Threat Messages | All | <vmid>, <vendorinfo>, <tag1>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <sinterface>, <dinterface>, <protname>, <action>, <tag2>, <threatname>, <threatid>, <severity>, <objectname>, <group>

V 2.0 General Authentication Event | All | <vmid>, <severity>, <subject>, <sip>, <sessiontype>, <tag1>, <login>, <vendorinfo>, <tag2>

V 2.0 General Authentication Event (auth) | All | <vmid>, <vendorinfo>, <severity>, <sip>, <dip>, <login>, <reason>, <tag1>

V 2.0 General DHCP Messages | All | <vmid>, <vendorinfo>, <action>, <tag1>, <severity>, <subject>, <sip>, <smac>, <sname>, <dinterface>, <dip>, <objectname>

V 2.0 General DNS Signature Information | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname>

V 2.0 General Dynamic DNS Messages | All | <vmid>, <vendorinfo>, <action>, <severity>, <subject>, <objectname>

V 2.0 General GlobalProtect Messages | All | <vmid>, <vendorinfo>, <action>, <tag1>, <object>, <severity>, <subject>, <sip>, <login>, <reason>, <objectname>

V 2.0 General HA Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname>

V 2.0 General Logical Link Discovery Protocol | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname>

V 2.0 General Monitoring Events | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname>

V 2.0 General NTPD Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname>

V 2.0 General Path-Based Forwarding Messages | All | <vmid>, <vendorinfo>, <action>, <tag1>, <object>, <severity>, <subject>, <objectname>

V 2.0 General Port Message | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <dinterface>, <status>, <tag1>, <objectname>

V 2.0 General Remote Access Manager Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname>

V 2.0 General Routing Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname>

V 2.0 General SAML Message | All | <vmid>, <vendorinfo>, <result>, <tag1>, <object>, <severity>, <subject>, <login>, <sip>, <reason>, <objectname>

V 2.0 General Satellite Connection Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname>

V 2.0 General SSL Manager Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname>

V 2.0 General System Event | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname>

V 2.0 General URL-Filtering System Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname>

V 2.0 General User Profile System Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <dip>, <dport>, <dname>, <sip>, <status>, <quantity>, <objectname>

V 2.0 General VPN Status Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <sip>, <sport>, <dip>, <dport>, <objectname>

V 2.0 General Wildfire System Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname>

V 2.0 GlobalProtect 9.1.3 & Later Status Messages | All | <vmid>, <vendorinfo>, <sip>, <sname>, <snatip>, <login>, <domainorigin>, <process>, <subject>, <serialnumber>, <version>, <action>, <result>, <reason>, <status>, <duration>, <quantity>

V 2.0 GlobalProtect Status Messages | All | <vmid>, <vendorinfo>, <action>, <status>, <tag1>, <domainorigin>, <login>, <sname>, <sip>, <snatip>, <serialnumber>, <version>, <quantity>, <reason>, <responsecode>, <subject>, <result>, <tag2>, <seconds>, <objectname>

V 2.0 GTP Log Messages | All | <vmid>, <severity>, <vendorinfo>, <sip>, <dip>, <sport>, <dport>, <sinterface>, <dinterface>, <protname>, <subject>, <session>, <object>, <objectname>, <group>, <policy>, <action>, <command>, <tag1>

V 2.0 Host Profile Messages | All | <vmid>, <vendorinfo>, <domainorigin>, <login>, <sname>, <sip>, <object>, <quantity>, <objecttype>, <objectname>, <serialnumber>, <smac>

V 2.0 IP Tag Messages | All | <vmid>, <vendorinfo>, <dip>, <subject>, <action>, <quantity>, <object>, <objecttype>, <objectname>

V 2.0 Scan Threat Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <threatname>, <threatid>, <severity>, <objectname>, <group>

V 2.0 SCTP Messages | All | <vmid>, <sip>, <dip>, <policy>, <sinterface>, <dinterface>, <session>, <sport>, <dport>, <protname>, <action>, <tag1>, <objectname>, <severity>, <subject>, <reason>, <packetsout>, <packetsin>

V 2.0 Traffic Messages | All | <severity>, <vmid>, <vendorinfo>, <tag1>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <object>, <sinterface>, <dinterface>, <session>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag2>, <bytesin>, <bytesout>, <seconds>, <subject>, <packetsin>, <packetsout>, <reason>, <objecttype>, <objectname>, <group>

V 2.0 URL Threat Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <sessiontype>, <protname>, <action>, <tag1>, <url>, <subject>, <severity>, <useragent>, <objectname>, <group>

V 2.0 User ID Messages | All | <vmid>, <action>, <tag1>, <sip>, <domainorigin>, <login>, <quantity>, <subject>, <objectname>

V 2.0 Vulnerability Threat Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag1>, <object>, <threatname>, <threatid>, <subject>, <severity>, <objectname>, <group>

V 2.0 Wildfire Threat Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag1>, <object>, <threatname>, <threatid>, <result>, <tag2>, <severity>, <hash>, <objecttype>, <sender>, <subject>, <recipient>, <objectname>, <group>

V 2.0 Wildfire-Virus Threat Messages | All | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag1>, <object>, <threatname>, <threatid>, <severity>, <sender>, <subject>, <recipient>, <objectname>, <group>

V 2.0 General SDWAN Messages | All | <vmid>, <vendorinfo>, <action>, <object>, <severity>, <subject>, <objectname>

V 2.0 Threat ML-Virus Messages | | <vmid>, <vendorinfo>, <sip>, <dip>, <snatip>, <dnatip>, <policy>, <domainorigin>, <login>, <domainimpacted>, <account>, <sinterface>, <dinterface>, <session>, <quantity>, <sport>, <dport>, <snatport>, <dnatport>, <protname>, <action>, <tag1>, <object>, <threatname>, <threatid>, <severity>, <sender>, <subject>, <recipient>, <objectname>, <group>
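The following script is an added example, not part of this KB page and not LogRhythm's or Palo Alto's code. It shows what the server profile settings above (IETF format, facility LOG_USER) and the schema-field table mean on the wire: it splits an IETF (RFC 5424) syslog line into its header and the comma-separated PAN-OS body, checks that the PRI value decodes to facility LOG_USER as the profile expects, and maps the body columns of a TRAFFIC record onto a subset of the LR schema tags from the "V 2.0 Traffic Messages" row (sip, dip, sport, dport, action, and so on). The TRAFFIC column positions are an assumption taken from the PAN-OS traffic log field reference and should be checked against the PAN-OS version in use; the sample log line, hostname and addresses are constructed for this example.

```python
import csv
import io
import re
from dataclasses import dataclass

# RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
# PAN-OS in IETF format sends "-" for APP-NAME, PROCID, MSGID and SD.
RFC5424_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<timestamp>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$"
)

LOG_USER = 1  # syslog facility number for LOG_USER, the profile default

# ASSUMED 0-based column positions in a PAN-OS TRAFFIC record, keyed by the
# LR schema tag they feed. Verify against the PAN-OS traffic log field
# reference for the firewall's version before relying on them.
TRAFFIC_COLUMNS = {
    "sip": 7, "dip": 8, "snatip": 9, "dnatip": 10, "policy": 11, "login": 12,
    "object": 14, "sinterface": 18, "dinterface": 19, "session": 22,
    "sport": 24, "dport": 25, "snatport": 26, "dnatport": 27, "protname": 29,
    "action": 30, "seconds": 36, "packetsout": 44, "packetsin": 45,
    "reason": 46,
}


@dataclass
class ParsedEvent:
    facility: int
    severity: int
    host: str
    timestamp: str
    log_type: str   # PAN-OS Type column: TRAFFIC, THREAT, SYSTEM, ...
    fields: dict    # LR schema tag -> value (TRAFFIC only in this example)


def split_pri(pri: int):
    """PRI = facility * 8 + severity (RFC 5424 section 6.2.1)."""
    return pri // 8, pri % 8


def parse_panos_ietf(line: str) -> ParsedEvent:
    """Parse one IETF-format PAN-OS syslog line; raise on a non-5424 header."""
    m = RFC5424_HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 (IETF) syslog line; check Format=IETF")
    facility, severity = split_pri(int(m["pri"]))
    # The PAN-OS body is a CSV record; quoted cells may contain commas.
    cols = next(csv.reader(io.StringIO(m["msg"])))
    log_type = cols[3] if len(cols) > 3 else ""
    fields = {}
    if log_type == "TRAFFIC":
        for tag, idx in TRAFFIC_COLUMNS.items():
            if idx < len(cols):
                fields[tag] = cols[idx]
    return ParsedEvent(facility, severity, m["host"], m["timestamp"], log_type, fields)


def facility_matches_profile(event: ParsedEvent, expected: int = LOG_USER) -> bool:
    """True when the PRI facility matches the Facility set in the server profile."""
    return event.facility == expected


# Constructed sample: PRI 14 = facility 1 (LOG_USER) * 8 + severity 6 (info).
SAMPLE_TRAFFIC_LINE = (
    "<14>1 2021-06-01T12:00:01Z pa-220-lab - - - - "
    "1,2021/06/01 12:00:01,001234567890,TRAFFIC,end,2049,2021/06/01 12:00:01,"
    "10.1.1.25,203.0.113.10,198.51.100.7,203.0.113.10,Allow-Outbound-Web,"
    "corp\\jdoe,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,"
    "LR-Syslog,2021/06/01 12:00:01,58213,1,51522,443,10402,443,0x400000,tcp,"
    "allow,7350,1200,6150,20,2021/06/01 11:59:58,3,computer-and-internet-info,"
    "0,7000000000000001,0x0,10.0.0.0-10.255.255.255,US,0,9,11,tcp-fin"
)

# Constructed sample sent with facility LOG_DAEMON (3): PRI 30 = 3 * 8 + 6.
SAMPLE_WRONG_FACILITY_LINE = SAMPLE_TRAFFIC_LINE.replace("<14>", "<30>", 1)

if __name__ == "__main__":
    ev = parse_panos_ietf(SAMPLE_TRAFFIC_LINE)
    print(ev.log_type, ev.fields["sip"], "->", ev.fields["dip"], ev.fields["action"])
    print("facility matches profile:", facility_matches_profile(ev))
```

The parser deliberately keys only on the fourth column (the PAN-OS Type) and maps TRAFFIC records; THREAT, SYSTEM and the other types have their own column layouts and would need their own tables. A line that arrives in BSD format instead of IETF fails the header regex, which is a quick way to spot a server profile whose Format field was left at the wrong value.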

Revision History

KB Version | Log Type | Change Type | Details

KB 7.1.591.0 | Syslog – Palo Alto Firewall | Policy: LogRhythm Default v2.0 | A new optimized log processing policy for Syslog – Palo Alto Firewall.
