Palo Alto Custom Log Format

ghostdog920 — Fri, 30 Nov 2018 18:06:54 GMT

I am trying to setup a custom log format so that the before change and after change detail for a config change are included in the splunk log rather than a 0 value. I tried a CEF format, but it isn't working and it is also causing all pan:config events to be identified as pan:traps. I tried a few things unsuccessfully but wondered if anyone has any experience or examples of how to create a valid custom log that splunk can get.

On a side note, can splunk interpret CEF log events, or do i have to install one of the CEF addons? Going to need this later for my traps endpoint security manager.

Thanks in advance.

Re: Palo Alto Custom Log Format

ghostdog920 — Tue, 29 Sep 2020 22:17:14 GMT

Figured it out with some google searching help. Posting the results in case anyone else needs this.

Palo Alto Custom Log Format, Confi, All Fields
actionflags="$actionflags", admin="$admin", after-change-detail="$after-change-detail", before-change-detail="$before-change-detail", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", client="$client", cmd="$cmd", host="$host", path="$path", receive_time="$receive_time", result="$result", seqno="$seqno", serial="$serial", subtype="$subtype", time_generated="$time_generated", type="$type", vsys="$vsys"

Palo Alto Custom Log Format, HIP Match, All Fields
actionflags="$actionflags", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", machinename="$machinename", matchname="$matchname", matchtype="$matchtype", receive_time="$receive_time", repeatcnt="$repeatcnt", seqno="$seqno", serial="$serial", src="$src", srcuser="$srcuser", subtype="$subtype", time_generated="$time_generated", type="$type", vsys="$vsys"

Palo Alto Custom Log Format, Traffic, All Fields
action="$action", actionflags="$actionflags", app="$app", bytes="$bytes", bytes_received="$bytes_received", bytes_sent="$bytes_sent", category="$category", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", dport="$dport", dst="$dst", dstloc="$dstloc", dstuser="$dstuser", elapsed="$elapsed", flags="$flags", from="$from", inbound_if="$inbound_if", logset="$logset", natdport="$natdport", natdst="$natdst", natsport="$natsport", natsrc="$natsrc", outbound_if="$outbound_if", packets="$packets", padding="$padding", pkts_received="$pkts_received", pkts_sent="$pkts_sent", proto="$proto", receive_time="$receive_time", repeatcnt="$repeatcnt", rule="$rule", seqno="$seqno", serial="$serial", sessionid="$sessionid", sport="$sport", src="$src", srcloc="$srcloc", srcuser="$srcuser", start="$start", subtype="$subtype", time_generated="$time_generated", time_received="$time_received", to="$to", type="$type", vsys="$vsys"

Palo Alto Custom Log Format, Threat, All Fields
action="$action", actionflags="$actionflags", app="$app", category="$category", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", contenttype="$contenttype", direction="$direction", dport="$dport", dst="$dst", dstloc="$dstloc", dstuser="$dstuser", flags="$flags", from="$from", inbound_if="$inbound_if", logset="$logset", misc="$misc", natdport="$natdport", natdst="$natdst", natsport="$natsport", natsrc="$natsrc", number-of-severity="$number-of-severity", outbound_if="$outbound_if", proto="$proto", receive_time="$receive_time", repeatcnt="$repeatcnt", rule="$rule", seqno="$seqno", serial="$serial", sessionid="$sessionid", severity="$severity", sport="$sport", src="$src", srcloc="$srcloc", srcuser="$srcuser", subtype="$subtype", threatid="$threatid", time_generated="$time_generated", time_received="$time_received", to="$to", type="$type", vsys="$vsys"

Palo Alto Custom Log Format, System, All Fields
actionflags="$actionflags", cef-formatted-receive_time="$cef-formatted-receive_time", cef-formatted-time_generated="$cef-formatted-time_generated", eventid="$eventid", module="$module", number-of-severity="$number-of-severity", object="$object", opaque="$opaque", receive_time="$receive_time", seqno="$seqno", serial="$serial", severity="$severity", subtype="$subtype", time_generated="$time_generated", type="$type", vsys="$vsys"

Re: Palo Alto Custom Log Format

richgalloway — Tue, 04 Dec 2018 12:43:55 GMT

@ghostdog920, If your problem is resolved, please accept the answer to help future readers.

Re: Palo Alto Custom Log Format

ghostdog920 — Tue, 04 Dec 2018 13:06:56 GMT

Sorry, thanks for catching that.

Re: Palo Alto Custom Log Format

MonkeyK — Tue, 18 Dec 2018 15:05:41 GMT

ghostdog920, you listed all of the syslogs. Did you need to modify all of them?

Re: Palo Alto Custom Log Format

ghostdog920 — Tue, 18 Dec 2018 15:35:26 GMT

No I did not. but wanted to post the info in case someone else was looking for it. thanks monkeyK

topic Re: Palo Alto Custom Log Format in All Apps and Add-ons

Palo Alto Custom Log Format

Re: Palo Alto Custom Log Format

Re: Palo Alto Custom Log Format

Re: Palo Alto Custom Log Format

Re: Palo Alto Custom Log Format

Re: Palo Alto Custom Log Format