Hello Everyone,
We are receiving PaloAlto Cortex XDR logs to splunk via syslog in CEF format as given in the below link:
With the PaloAlto Networks Add-on we were unable to find the proper sourcetype for extracting the fields.
https://splunkbase.splunk.com/app/2757/#/overview
Also the git project for this add-on does not have any reference to this data:
https://github.com/PaloAltoNetworks/Splunk-Apps/tree/develop/demo/samples
Has anyone managed to address this? If so, how? Do we need to write our own sourcetype configurations for this kind of data?
Thanks a lot for the help in advance!
Regards,
BK
Hi @bharathkumarnec,
I have the need to ingest Cortex XDR logs into Splunk - are you using Splunk Connect for Syslog to ingest this data?
Thanks!
No, Palo Alto does not support syslog logging for Cortex XDR. Only the API method is supported and it doesn't tell you much. There is zero CIM mapping for compliance.
Cortex XDR · GitBook (paloaltonetworks.com)
Example Data:
{
alert_categories: [
Impact
]
alert_count: 1
alerts_grouping_status: Disabled
assigned_user_mail: null
assigned_user_pretty_name: null
creation_time: 1653682350413
critical_severity_alert_count: 0
description: 'Sensitive account password reset attempt' generated by XDR Analytics BIOC detected on host <HOST> involving user <USER>
detection_time: null
high_severity_alert_count: 0
host_count: 1
hosts: [
<HOST>:<GUID>
]
incident_id: XXXX
incident_name: null
incident_sources: [
XDR Analytics BIOC
]
low_severity_alert_count: 1
manual_description: null
manual_score: null
manual_severity: null
med_severity_alert_count: 0
mitre_tactics_ids_and_names: [
TA0040 - Impact
]
mitre_techniques_ids_and_names: [
T1531 - Account Access Removal
]
modification_time: 1653683107818
notes: null
rule_based_score: null
severity: low
starred: false
status: new
user_count: 1
users: [
<USER>
]
wildfire_hits: 0
xdr_url: https://<COMPANY>.xdr.<REGION>.paloaltonetworks.com/incident-view?caseId=xxxxx
}
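Since the post above notes that the API output carries no CIM mapping, here is an added example (not from the thread, not Palo Alto's code) of normalizing an incident record of that shape into CIM-style alert fields: epoch milliseconds become ISO-8601 time, `hosts` entries are split at the `<HOST>:<GUID>` colon, and the `TA0040 - Impact` style MITRE strings are split into id and name. The sample record is constructed from the values shown above, with strings quoted so it parses as JSON; the target field names (`dest`, `user`, `signature`, `mitre_technique_id`, ...) are an assumed convention, not a claim about the data model.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed incident record, shaped like the one posted in the thread
# (same keys and values, quoted so json.loads accepts it).
SAMPLE_INCIDENT = json.dumps({
    "alert_categories": ["Impact"],
    "alert_count": 1,
    "creation_time": 1653682350413,
    "description": "'Sensitive account password reset attempt' generated by XDR Analytics BIOC "
                   "detected on host WS01 involving user jdoe",
    "hosts": ["WS01:0123456789abcdef"],
    "incident_id": "XXXX",
    "incident_sources": ["XDR Analytics BIOC"],
    "mitre_tactics_ids_and_names": ["TA0040 - Impact"],
    "mitre_techniques_ids_and_names": ["T1531 - Account Access Removal"],
    "modification_time": 1653683107818,
    "severity": "low",
    "status": "new",
    "users": ["jdoe"],
    "xdr_url": "https://example.xdr.eu.paloaltonetworks.com/incident-view?caseId=xxxxx",
})


def epoch_ms_to_iso(ms: Optional[int]) -> Optional[str]:
    """Convert Cortex-style epoch milliseconds to an ISO-8601 UTC timestamp.
    Integer arithmetic avoids float rounding of the millisecond part."""
    if ms is None:
        return None
    base = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return (base + timedelta(milliseconds=ms % 1000)).isoformat()


def split_mitre(entry: str) -> Tuple[str, str]:
    """'T1531 - Account Access Removal' -> ('T1531', 'Account Access Removal')."""
    mitre_id, _, name = entry.partition(" - ")
    return mitre_id.strip(), name.strip()


def normalize_incident(raw_json: str) -> Dict[str, object]:
    """Flatten one incident record into alert-style fields (assumed names)."""
    inc = json.loads(raw_json)
    tactics = [split_mitre(t) for t in inc.get("mitre_tactics_ids_and_names") or []]
    techniques = [split_mitre(t) for t in inc.get("mitre_techniques_ids_and_names") or []]
    return {
        "id": inc.get("incident_id"),
        "_time": epoch_ms_to_iso(inc.get("creation_time")),
        "modified_time": epoch_ms_to_iso(inc.get("modification_time")),
        "severity": inc.get("severity"),
        "status": inc.get("status"),
        "signature": inc.get("description"),
        # hosts arrive as "<HOST>:<GUID>"; keep the hostname, drop the agent GUID
        "dest": [h.split(":", 1)[0] for h in inc.get("hosts") or []],
        "user": list(inc.get("users") or []),
        "source_rule": list(inc.get("incident_sources") or []),
        "mitre_tactic_id": [t[0] for t in tactics],
        "mitre_tactic": [t[1] for t in tactics],
        "mitre_technique_id": [t[0] for t in techniques],
        "mitre_technique": [t[1] for t in techniques],
        "vendor_product": "Palo Alto Networks Cortex XDR",
        "url": inc.get("xdr_url"),
    }


if __name__ == "__main__":
    print(json.dumps(normalize_incident(SAMPLE_INCIDENT), indent=2))
```

Every lookup uses `.get(...)` with a list fallback because, as the sample shows, many fields arrive as `null`; a mapping that indexes them directly breaks on the first incident without users or MITRE data.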
Thanks for getting back to me - per the PAN documentation (https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/logs), it looks like alerts can be sent to a syslog receiver. It's disappointing that you can't get those using an input within the PAN TA.
Thanks!
Don't get me wrong, you can send them to a syslog receiver; you'll just need to write your own parsing from the pan::log sourcetype, which is owned by the PAN_TA. That creates a really nasty problem of needing to redo the changes every time the PAN_TA is updated.
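The first post asks how to extract fields from CEF-formatted syslog, and the reply above says the parsing has to be written by hand. As an added illustration of what that parsing has to get right (this is not code from the thread, the PAN add-on, or Palo Alto), the example below parses a CEF line the way a custom sourcetype's regexes must: the seven header fields are split on unescaped `|` (honouring `\|` and `\\`), the extension is split on `key=` boundaries so values may contain spaces, `\=` and `\\` are unescaped, and `csNLabel`/`csN` pairs are resolved to named fields. The sample line is constructed: vendor, product, BIOC name and MITRE ids come from the thread, everything else is made up and is not a claim about Cortex XDR's actual CEF layout.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample syslog line carrying a CEF event (see lead-in; not real Cortex XDR output).
SAMPLE_LINE = (
    "<14>May 27 20:12:30 xdr-relay CEF:0|Palo Alto Networks|Cortex XDR|3.3|"
    "XDR Analytics BIOC|Sensitive account password reset attempt|3|"
    "rt=1653682350413 shost=WS01 suser=jdoe "
    "cs1Label=MITRE Tactic cs1=TA0040 - Impact "
    "cs2Label=MITRE Technique cs2=T1531 - Account Access Removal "
    "msg=alert on host\\=WS01 from path C:\\\\Windows\\\\System32"
)

HEADER_FIELDS = ["cef_version", "vendor", "product", "version", "signature_id", "name", "severity"]
# A key starts the extension or follows whitespace; values themselves never contain an
# unescaped "key=" because CEF requires "=" inside values to be written as "\=".
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def split_header(cef: str) -> Tuple[List[str], str]:
    """Split the 7 pipe-delimited header fields; return (fields, extension_text)."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):   # "\|" or "\\" inside a header field
            cur.append(cef[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return fields, cef[i:]


def _unescape_ext(raw: str) -> str:
    """Undo extension escapes: \\= -> =, \\\\ -> \\, \\n and \\r -> line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)


def parse_extension(ext: str) -> Dict[str, str]:
    """Cut the extension at each key= boundary so values keep their spaces."""
    out: Dict[str, str] = {}
    matches = list(_EXT_KEY.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end])
    return out


def apply_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Expose cs1/cs1Label style pairs under the label text as well."""
    out = dict(ext)
    for key, label in ext.items():
        if key.endswith("Label") and key[:-5] in ext:
            out[label] = ext[key[:-5]]
    return out


def parse_cef_syslog(line: str) -> Dict[str, object]:
    """Parse one syslog line containing a CEF payload into header + extension fields."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in line")
    header, ext = split_header(line[idx + len("CEF:"):])
    if len(header) != 7:
        raise ValueError("malformed CEF header: expected 7 fields, got %d" % len(header))
    event: Dict[str, object] = dict(zip(HEADER_FIELDS, header))
    event["syslog_prefix"] = line[:idx].strip()
    event["extension"] = apply_labels(parse_extension(ext))
    return event


if __name__ == "__main__":
    for k, v in parse_cef_syslog(SAMPLE_LINE).items():
        print(k, "=", v)
```

The two escape rules are the part most hand-written sourcetype regexes get wrong: a naive `(\w+)=(\S+)` extraction truncates `cs1=TA0040 - Impact` at the first space and mangles any `msg` containing `\=`, which is exactly the kind of silent field loss that surfaces later as missing search results.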
Hey,
I had the same issues. I am using TRAPS4 for the sourcetype. And had to manually map the datasets. This worked well for us since we get reports on configuration changes and agent logs.
The new PAN Add-on/App 7.0.X supports the Cortex API. Please reference the following: