Pretty weird situation here. Bringing in multiple palo alto syslog sources, all going to the same main syslog directory, then divvied up by host name, so /var/log/syslog/PaloAlto/host1/host1-PaloAlto.log, etc.
Host 1 is showing the correct date in the event that matches the log
May have figured this out. Had another app, Splunk_TA_paloalto, adjusting the max_timestamp_lookahead to 44 (without the time prefix), which seems to be in the middle of the day in the date string. Have changed that to 50 and pushed it out. Crossing fingers.