PAN-OS Syslog Integration

Tech Note

Revision K ©2011, Palo Alto Networks, Inc.

Contents

Log Formats
  TRAFFIC
    Descriptions
    Subtype Field
    Action Field
    Flags Field
  THREAT
    Descriptions
    Subtype Field
    Action Field
    ThreatID Field
    Direction Field
  HIP MATCH
    Descriptions
    HIP Type Field
  CONFIG
    Descriptions
  SYSTEM
    Descriptions
Sending the Device Hostname in the Syslog Messages
Syslog Facility
Syslog Severity
Custom Log/Event Format
Escape Sequences

Log Formats

There are five log types that PAN-OS can generate: traffic, threat, host information profile (HIP) match, config, and system. All are formatted as comma-separated value (CSV) strings. Below are the field definitions for each log type. The fields flagged as FUTURE_USE do not currently have predictable, useful information in them.

TRAFFIC

FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets Sent, Packets Received

Descriptions

Note: The Field column shows the full name of the field and the field name as it appears in PAN-OS.

Receive Time (receive_time): Time the log was received at the management plane
Serial Number (serial): Serial number of the device that generated the log
Type (type): Specifies type of log. Values are traffic, threat, config, system and hip-match.
Subtype (subtype): Subtype of traffic log. Values are start, end, drop, and deny. See Subtype Field table for meaning of each value.
Generated Time (time_generated): Time the log was generated on the data plane
Source IP (src): Original session source IP address
Destination IP (dst): Original session destination IP address
NAT Source IP (natsrc): If Source NAT performed, the post-NAT Source IP address
NAT Destination IP (natdst): If Destination NAT performed, the post-NAT Destination IP address
Rule Name (rule): Name of the rule that the session matched

Source User (srcuser): User name of the user that initiated the session
Destination User (dstuser): User name of the user to which the session was destined
Application (app): Application associated with the session
Virtual System (vsys): Virtual System associated with the session
Source Zone (from): Zone the session was sourced from
Destination Zone (to): Zone the session was destined to
Ingress Interface (inbound_if): Interface that the session was sourced from
Egress Interface (outbound_if): Interface that the session was destined to
Log Forwarding Profile (logset): Log Forwarding Profile that was applied to the session
Session ID (sessionid): An internal numerical identifier applied to each session
Repeat Count (repeatcnt): Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds. Used for ICMP only.
Source Port (sport): Source port utilized by the session
Destination Port (dport): Destination port utilized by the session
NAT Source Port (natsport): Post-NAT source port
NAT Destination Port (natdport): Post-NAT destination port
Flags (flags): 32 bit field that provides details on the session. This field can be decoded by AND-ing the values with the logged value. See Flags Field table for meaning of each value.
Protocol (proto): IP protocol associated with the session
Action (action): Action taken for the session. Values are allow or deny. See Action Field table.

Bytes (bytes): Number of total bytes (transmit and receive) for the session
Bytes Sent (bytes_sent): Number of bytes in the client-to-server direction of the session. Available in PAN-OS 4.1.0 and above.
Bytes Received (bytes_received): Number of bytes in the server-to-client direction of the session. Available in PAN-OS 4.1.0 and above.
Packets (packets): Number of total packets (transmit and receive) for the session
Start Time (start): Time of session start
Elapsed Time (elapsed): Elapsed time of the session
Category (category): URL category associated with the session (if applicable)
Sequence Number (seqno): A 64bit log entry identifier incremented sequentially. Each log type has a unique number space. Available from PAN-OS 4.0.0 on all models except the PA-4000 series.
Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama. Available from PAN-OS 4.0.0 on all models except the PA-4000 series.
Source Location (srcloc): Source country or Internal region for private addresses. Maximum length is 32 bytes. Available from PAN-OS 4.0.0 on all models except the PA-4000 series.
Destination Location (dstloc): Destination country or Internal region for private addresses. Maximum length is 32 bytes. Available from PAN-OS 4.0.0 on all models except the PA-4000 series.
Packets Sent (pkts_sent): Number of client-to-server packets for the session. Available in PAN-OS 4.1.0 and above.
Packets Received (pkts_received): Number of server-to-client packets for the session. Available in PAN-OS 4.1.0 and above.

Subtype Field

start: session started
end: session ended
drop: session dropped before application is identified and there is no rule to allow session

deny: session denied after application is identified and there is a rule to block or no rule to allow the session

Action Field

allow: session was allowed by policy
deny: session was denied by policy

Flags Field

0x80000000: session has a packet capture (PCAP)
0x02000000: IPv6 session
0x01000000: SSL session was decrypted (SSL Proxy)
0x00800000: session was denied via URL filtering
0x00400000: session has a NAT translation performed (NAT)
0x00200000: user information for the session was captured via the captive portal (Captive Portal)
0x00080000: X-Forwarded-For value from a proxy is in the source user field
0x00040000: log corresponds to a transaction within an HTTP proxy session (Proxy Transaction)
0x00008000: session is a container page access (Container Page)

THREAT

FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Miscellaneous, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type

Descriptions

Note: The Field column shows the full name of the field and the field name as it appears in PAN-OS.

Receive Time (receive_time): Time the log was received at the management plane
Serial Number (serial): Serial number of the device that generated the log
Type (type): Specifies type of log. Values are traffic, threat, config, system and hip-match.
Subtype (subtype): Subtype of threat log. Values are URL, virus, spyware, vulnerability, file, scan, flood, and data.
Generated Time (time_generated): Time the log was generated on the data plane
Source IP (src): Original session source IP address
Destination IP (dst): Original session destination IP address
NAT Source IP (natsrc): If Source NAT performed, the post-NAT Source IP address
NAT Destination IP (natdst): If Destination NAT performed, the post-NAT Destination IP address
Rule Name (rule): Name of the rule that the session matched
Source User (srcuser): User name of the user that initiated the session
Destination User (dstuser): User name of the user to which the session was destined
Application (app): Application associated with the session
Virtual System (vsys): Virtual System associated with the session
Source Zone (from): Zone the session was sourced from
Destination Zone (to): Zone the session was destined to
Ingress Interface (inbound_if): Interface that the session was sourced from

Egress Interface (outbound_if): Interface that the session was destined to
Log Forwarding Profile (logset): Log Forwarding Profile that was applied to the session
Session ID (sessionid): An internal numerical identifier applied to each session
Repeat Count (repeatcnt): Number of logs with same Source IP, Destination IP, Application, and Threat ID seen within 5 seconds. Applies to all Subtypes except URL.
Source Port (sport): Source port utilized by the session
Destination Port (dport): Destination port utilized by the session
NAT Source Port (natsport): Post-NAT source port
NAT Destination Port (natdport): Post-NAT destination port
Flags (flags): 32 bit field that provides details on the session. See Flags Field table for meaning of each value.
Protocol (proto): IP protocol associated with the session
Action (action): Action taken for the session. Values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url. See Action Field table below for meaning of each value.
Miscellaneous (misc): The actual URI when the subtype is URL. File name or file type when the subtype is file. File name when the subtype is virus. Length is 63 characters in PAN-OS versions before 4.0. From version 4.0, it is variable length with a maximum of 1023 characters.
Threat ID (threatid): Palo Alto Networks identifier for the threat. It is a description string followed by a numerical identifier in parentheses for some Subtypes.
Category (category): Provides URL Category for URL Subtype. For other subtypes the value is 'any'.
Severity (severity): Severity associated with the threat. Values are informational, low, medium, high, critical.
Direction (direction): Indicates the direction of the attack, 'client-to-server' or 'server-to-client'.

Sequence Number (seqno): A 64bit log entry identifier incremented sequentially. Each log type has a unique number space. Available in PAN-OS 4.0.0 and above.
Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama. Available in PAN-OS 4.0.0 and above.
Source Location (srcloc): Source country or Internal region for private addresses. Maximum length is 32 bytes. Available in PAN-OS 4.0.0 and above.
Destination Location (dstloc): Destination country or Internal region for private addresses. Maximum length is 32 bytes. Available in PAN-OS 4.0.0 and above.
Content Type (contenttype): Content type of the HTTP response data. Maximum length 32 bytes. Applicable only when Subtype is URL. Available in PAN-OS 4.0.0 and above.

Subtype Field

url: URL filtering log
virus: virus detection
spyware: spyware detection
vulnerability: vulnerability exploit detection
file: file type log
scan: scan detected via Zone Protection Profile
flood: flood detected via Zone Protection Profile
data: data pattern detected from Data Filtering Profile

Action Field

alert: threat or URL detected but not blocked
allow: flood detection alert
deny: flood detection mechanism activated and deny traffic based on configuration
drop: threat detected and associated session was dropped
drop-all-packets: threat detected and session remains, but drops all packets

reset-client: threat detected and a TCP RST is sent to the client
reset-server: threat detected and a TCP RST is sent to the server
reset-both: threat detected and a TCP RST is sent to both the client and the server
block-url: a URL request was blocked because it matched a URL category that was set to be blocked

ThreatID Field

8000 – 8099: scan detection
8500 – 8599: flood detection
9999: URL filtering log
10000 – 19999: spyware phone home detection
20000 – 29999: spyware download detection
30000 – 44999: vulnerability exploit detection
52000 – 52999: filetype detection
60000 – 69999: data filtering detection
100000 – 4000000: virus detection

Direction Field

0: direction of the threat is client to server
1: direction of the threat is server to client

Starting with PAN-OS 3.1, the direction field will contain either "client-to-server" or "server-to-client" to directly indicate the direction of the attack.

HIP MATCH

FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, FUTURE_USE, Source User, Virtual System, Machine name, Source Address, HIP, Repeat Count, HIP Type, FUTURE_USE, FUTURE_USE, Sequence Number, Action Flags

HIP Match logs are generated in PAN-OS 4.0.0 and above.

Descriptions

Note: The Field column shows the full name of the field and the field name as it appears in PAN-OS.

Receive Time (receive_time): Time the log was received at the management plane
Serial Number (serial): Serial number of the device that generated the log
Type (type): Specifies type of log. Values are traffic, threat, config, system and hip-match.
Subtype (subtype): Subtype of hip-match log. Unused.
Source User (srcuser): User name of the source user
Virtual System (vsys): Virtual System associated with the HIP Match log
Machine Name (machinename): Name of the user's machine
Source Address (src): IP address of the source user
HIP (matchname): Name of the HIP Object or Profile.
Repeat Count (repeatcnt): Number of times the HIP profile matched
HIP Type (matchtype): Specifies whether the HIP field represents a HIP Object or a HIP Profile.
Sequence Number (seqno): A 64bit log entry identifier incremented sequentially. Each log type has a unique number space. Available in PAN-OS 4.0.0 and above.
Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama. Available in PAN-OS 4.0.0 and above.

HIP Type Field

object: The HIP field is a HIP Object
profile: The HIP field is a HIP Profile

CONFIG

FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, FUTURE_USE, Host, Virtual System, Command, Admin, Client, Result, Configuration Path, Sequence Number, Action Flags

Descriptions

Note: The Field column shows the full name of the field and the field name as it appears in PAN-OS.

Receive Time (receive_time): Time the log was received at the management plane
Serial Number (serial): Serial number of the device that generated the log
Type (type): Specifies type of log. Values are traffic, threat, config, system and hip-match.
Subtype (subtype): Subtype of the Config log. Unused.
Host (host): Host name or IP address of the client machine
Virtual System (vsys): Virtual System associated with the configuration log.
Command (cmd): Command performed by the Admin. Values are add, clone, commit, delete, edit, move, rename, set, and validate.
Admin (admin): User name of the Administrator performing the configuration
Client (client): Client used by the Admin. Values are Web and CLI.
Result (result): Result of the configuration action. Values are Submitted, Succeeded, Failed, and Unauthorized.
Configuration Path (path): The path of the configuration command issued. Up to 512 bytes in length.
Sequence Number (seqno): A 64bit log entry identifier incremented sequentially. Each log type has a unique number space. Available in PAN-OS 4.0.0 and above.
Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama. Available in PAN-OS 4.0.0 and above.


SYSTEM

FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, FUTURE_USE, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags

Descriptions

Note: The Field column shows the full name of the field and the field name as it appears in PAN-OS.

Receive Time (receive_time): Time the log was received at the management plane
Serial Number (serial): Serial number of the device that generated the log
Type (type): Specifies type of log. Values are traffic, threat, config, system and hip-match.
Subtype (subtype): Subtype of the system log. Refers to the system daemon generating the log. Values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, ntpd, pbf, port, pppoe, ras, routing, sslvpn, and vpn.
Virtual System (vsys): Virtual System associated with the system event
Event ID (eventid): String showing the name of the event
Object (object): Name of the object associated with the system log.
Module (module): This field is valid only when the value of the Subtype field is general. It provides additional information about the sub-system generating the log. Values are general, management, auth, ha, upgrade, and chassis.
Severity (severity): Severity associated with the event. Values are informational, low, medium, high, critical.
Description (fmt): Detailed description of the event. Length is up to 512 bytes.
Sequence Number (seqno): A 64bit log entry identifier incremented sequentially. Each log type has a unique number space. Available in PAN-OS 4.0.0 and above.
Action Flags (actionflags): A bit field indicating if the log was forwarded to Panorama. Available in PAN-OS 4.0.0 and above.

Sending the Device Hostname in the Syslog Messages

There are two options for the syslog format when sent from the device. By default, the messages do not include the device hostname in the header. To include it, make sure it is configured on the Setup screen on the Device tab in the web interface.

Syslog Facility

The syslog facility can be configured within the system when setting the syslog destination. The available facilities are: user, local0, local1, local2, local3, local4, local5, local6, and local7. Multiple syslog settings can be configured and referenced by the various log forwarding functions if desired.

Syslog Severity

The syslog severity is set based on the log type and contents.

Log Type/Severity: Syslog Severity
TRAFFIC: INFO
CONFIG: INFO
THREAT/SYSTEM – Informational: INFO
THREAT/SYSTEM – Low: NOTICE
THREAT/SYSTEM – Medium: WARNING
THREAT/SYSTEM – High: ERROR
THREAT/SYSTEM – Critical: CRITICAL

Custom Log/Event Format

Palo Alto Networks provides an interface for completely customizing the log message format that can be sent from Palo Alto Networks Next Generation Firewalls. Custom Key:Value attribute pairs can be added. Log customization can simplify the integration with external log parsing systems. This feature can be leveraged to achieve ArcSight Common Event Format (CEF) compliant log formatting. Custom log format is available in PAN-OS 4.0.0 and above. Custom message formats can be configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format. See https://live.paloaltonetworks.com/docs/DOC-1770 for more information.

Escape Sequences

Pre-PAN-OS 4.0: The Miscellaneous field in Threat Log is always enclosed in double quotes. This field contains either a URL or a file name. The double quotes avoid confusing any commas that may appear in this field for the comma used as a delimiter in CSV.

PAN-OS 4.0.0: Any field that contains a comma will be enclosed in double quotes. Furthermore, a double-quote appearing inside a field will be escaped by preceding it with another double-quote.

PAN-OS 4.0.4 and after: Any field that contains a comma or a double-quote will be enclosed in double quotes. Further, a double-quote, comma, or backslash appearing in any of the fields will be escaped by preceding it with a backslash. The Misc field in threat log will always be enclosed in double-quotes to maintain backward compatibility.
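As an added example (not part of the Palo Alto Networks tech note), the parser below applies the PAN-OS 4.0.4+ escape rules from the Escape Sequences section, maps a TRAFFIC log body onto the field names listed in the TRAFFIC section, and decodes the Flags field by AND-ing the Flags Field values against the logged value. The short flag labels and the sample log body are constructed for illustration; the serial number and addresses in it are placeholders.

```python
# Field order from the TRAFFIC section of this note (PAN-OS 4.1 format).
TRAFFIC_FIELDS = [
    "FUTURE_USE", "receive_time", "serial", "type", "subtype", "FUTURE_USE",
    "time_generated", "src", "dst", "natsrc", "natdst", "rule", "srcuser",
    "dstuser", "app", "vsys", "from", "to", "inbound_if", "outbound_if",
    "logset", "FUTURE_USE", "sessionid", "repeatcnt", "sport", "dport",
    "natsport", "natdport", "flags", "proto", "action", "bytes", "bytes_sent",
    "bytes_received", "packets", "start", "elapsed", "category", "FUTURE_USE",
    "seqno", "actionflags", "srcloc", "dstloc", "FUTURE_USE", "pkts_sent",
    "pkts_received",
]

# Bit values from the Flags Field table; the short labels are our own.
TRAFFIC_FLAGS = {
    0x80000000: "pcap", 0x02000000: "ipv6", 0x01000000: "ssl-decrypted",
    0x00800000: "url-denied", 0x00400000: "nat", 0x00200000: "captive-portal",
    0x00080000: "x-forwarded-for", 0x00040000: "proxy-transaction",
    0x00008000: "container-page",
}


def split_fields(body):
    """Split a PAN-OS 4.0.4+ body per the Escape Sequences rules: a field with
    a comma or quote is wrapped in double quotes, and a quote, comma or
    backslash inside any field is escaped by a preceding backslash."""
    fields, current, quoted, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            current.append(body[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == '"':
            quoted = not quoted  # enclosing quotes are not part of the value
        elif ch == "," and not quoted:
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def parse_traffic(body):
    """Map a TRAFFIC body onto PAN-OS field names, dropping FUTURE_USE slots."""
    values = split_fields(body)
    if len(values) != len(TRAFFIC_FIELDS):
        raise ValueError(f"expected {len(TRAFFIC_FIELDS)} fields, got {len(values)}")
    return {k: v for k, v in zip(TRAFFIC_FIELDS, values) if k != "FUTURE_USE"}


def decode_flags(flags):
    """AND each documented bit against the logged 32-bit flags value."""
    value = int(flags, 16) if flags.lower().startswith("0x") else int(flags)
    return sorted(name for bit, name in TRAFFIC_FLAGS.items() if value & bit)


# Constructed sample body (not a captured log): the rule name carries an
# escaped comma inside quotes and the user name an escaped backslash.
SAMPLE_TRAFFIC = (
    '1,2011/10/21 10:15:32,0001A100001,TRAFFIC,end,1,2011/10/21 10:15:31,'
    '10.1.1.20,192.0.2.80,203.0.113.5,0.0.0.0,"allow web\\, outbound",'
    'corp\\\\jdoe,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,'
    'fwd-to-siem,0,12345,1,50012,80,40012,0,0x1400000,tcp,allow,2048,1024,'
    '1024,20,2011/10/21 10:15:01,30,business-and-economy,0,98765,0x0,'
    'Internal,US,0,10,10'
)

if __name__ == "__main__":
    record = parse_traffic(SAMPLE_TRAFFIC)
    print(record["rule"], "|", record["srcuser"], "|", decode_flags(record["flags"]))
```

Bodies from releases before 4.0.4 use the doubled-quote convention instead, so the escape branch above must not be applied to them.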
