Palo Alto PA Series Sample event message
Use these sample event messages to verify a successful integration with QRadar.
Important: Due to formatting issues, paste the message format into a text editor and
then remove any carriage return or line feed characters.
Palo Alto PA Series sample message when you use the Syslog protocol
Sample 1: The following sample event message shows PAN-OS events for a trojan threat event.
<180>May 6 16:43:53 paloalto.paseries.test LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|8.1.6|trojan/PDF.gen.eiez(268198686)|ReceiveTime=2019/05/06 16:43:53|SerialNumber=001801010877|cat=THREAT|Subtype=virus|devTime=May 06 2019 11:13:53 GMT|src=10.2.75.41|dst=192.168.178.180|srcPostNAT=192.168.68.141|dstPostNAT=192.168.178.180|RuleName=Test-1|usrName=qradar\\user1|SourceUser=qradar\\user1|DestinationUser=|Application=web-browsing|VirtualSystem=vsys1|SourceZone=INSIDE-ZN|DestinationZone=OUTSIDE-ZN|IngressInterface=ethernet1/1|EgressInterface=ethernet1/3|LogForwardingProfile=testForwarder|SessionID=3012|RepeatCount=1|srcPort=63508|dstPort=80|srcPostNATPort=31539|dstPostNATPort=80|Flags=0x406000|proto=tcp|action=alert|Miscellaneous=\"qradar.example.test/du/uploads/08052018_UG_FAQ.pdf\"|ThreatID=trojan/PDF.gen.eiez(268198686)|URLCategory=educational-institutions|sev=3|Severity=medium|Direction=server-to-client|sequence=486021038|ActionFlags=0xa000000000000000|SourceLocation=10.0.0.0-10.255.255.255|DestinationLocation=testPlace|ContentType=|PCAP_ID=0|FileDigest=|Cloud=|URLIndex=5|RequestMethod=|Subject=|DeviceGroupHierarchyL1=12|DeviceGroupHierarchyL2=0|DeviceGroupHierarchyL3=0|DeviceGroupHierarchyL4=0|vSrcName=|DeviceName=testName|SrcUUID=|DstUUID=|TunnelID=0|MonitorTag=|ParentSessionID=0|ParentStartTime=|TunnelType=N/A|ThreatCategory=pdf|ContentVer=Antivirus-2969-3479
QRadar field name | Highlighted payload fields |
---|---|
Event ID | The Event ID value is 268198686. Note: Usually the Event ID field from the LEEF header is used. However, for certain event types, more LEEF fields or custom fields such as Subtype and action might be used to form a unique event ID. |
Category | PA Series Threat. Note: The value of the cat field is not used directly as the Category of the event. The value of this field is used to select from a predefined set of category values. For certain event types, more LEEF fields or custom fields can be used to form a unique event Category. |
Device Time | devTime |
Source IP | src |
Destination IP | dst |
Source Port | srcPort |
Destination Port | dstPort |
Post NAT Source IP | srcPostNAT |
Post NAT Destination IP | dstPostNAT |
Post NAT Source Port | srcPostNATPort |
Post NAT Destination Port | dstPostNATPort |
Protocol | proto |
Sample 2: The following sample event message shows a Prisma event where a session is allowed by a policy.
<14>1 2021-10-26T13:56:21.887Z paloalto.paseries.test logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Prisma Access|2.1|allow| |TimeReceived=2021-10-26T13:56:20.000000Z DeviceSN=no-serial cat=traffic SubType=start ConfigVersion=10.0 devTime=2021-10-26T13:56:17.000000Z src=192.168.21.100 dst=172.16.0.3 srcPostNAT=172.16.0.4 dstPostNAT=172.16.0.5 Rule=CG-RN-Guest-to-Internet usrName= DestinationUser= Application=web-browsing VirtualLocation=vsys1 FromZone=FromZone ToZone=untrust InboundInterface=tunnel.101 OutboundInterface=ethernet1/1 LogSetting=to-Cortex-Data-Lake SessionID=49934 RepeatCount=1 srcPort=59532 dstPort=80 sr=49718 dstPostNATPort=80 proto=tcp Bytes=374 srcBytes=300 dstBytes=74 totalPackets=4 SessionStartTime=2021-10-26T13:56:15.000000Z SessionDuration=0 URLCategory=any SequenceNo=13336648 SourceLocation=192.168.0.0-192.168.255.255 DestinationLocation=CA srcPackets=3 dstPackets=1 SessionEndReason=n-a DGHierarchyLevel1=62 DGHierarchyLevel2=38 DGHierarchyLevel3=53 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=DeviceName ActionSource=from-policy SourceUUID= DestinationUUID= IMSI=0 IMEI= ParentSessionID=0 ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=N/A EndpointAssociationID=0 ChunksTotal=0 ChunksSent=0 ChunksReceived=0 RuleUUID=00000000-0000-0000-0000-000000000000 HTTP2Connection=0 LinkChangeCount=0 SDWANPolicyName= LinkSwitches= SDWANCluster= SDWANDeviceType= SDWANClusterType= SDWANSite= DynamicUserGroupName= X-Forwarded-ForIP= SourceDeviceCategory= SourceDeviceProfile= SourceDeviceModel= SourceDeviceVendor= SourceDeviceOSFamily= SourceDeviceOSVersion= SourceDeviceHost= SourceDeviceMac= DestinationDeviceCategory= DestinationDeviceProfile= DestinationDeviceModel= DestinationDeviceVendor= DestinationDeviceOSFamily= DestinationDeviceOSVersion= DestinationDeviceHost= DestinationDeviceMac= ContainerID= ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL= GPHostID= EndpointSerialNumber= SourceDynamicAddressGroup= DestinationDynamicAddressGroup= HASessionOwner= TimeGeneratedHighResolution=2021-10-26T13:56:17.911000Z NSSAINetworkSliceType= NSSAINetworkSliceDifferentiator= devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ
QRadar field name | Highlighted payload fields |
---|---|
Event ID | The Event ID value is allow. |
Event Category | PA Series Traffic. Note: The value of the cat field is not used directly as the Category of the event. The value of this field is used to select from a predefined set of category values. For certain event types, more LEEF fields or custom fields can be used to form a unique event Category. |
Device Time | devTime |
Source IP | src |
Destination IP | dst |
Source Port | srcPort |
Destination Port | dstPort |
Post NAT Source IP | srcPostNAT |
Post NAT Destination IP | dstPostNAT |
Post NAT Source Port | sr |
Post NAT Destination Port | dstPostNATPort |
Protocol | proto |
Palo Alto PA Series sample message when you use the TLS Syslog protocol
The following sample event message shows Next Generation Firewall events for version 10.1.
<14>1 2021-08-09T14:00:26.364Z paloalto.paseries.test logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|drop-all| |TimeReceived=2021-08-09T14:00:25.000000Z DeviceSN=001011000011111 cat=gtp SubType=end ConfigVersion=10.1 devTime=2021-08-09T14:00:22.000000Z src=fc00:0:e426:5678:b202:b3ff:fe1e:8329 dst=fc00:5678:90aa:cc33:f202:b3ff:fe1e:8329 srcPostNAT=10.5.5.5 dstPostNAT=192.168.178.180 Rule=allow-all-employees usrName=paloaltonetwork\testUser DestinationUser=paloaltonetwork\tUser Application=adobe-cq VirtualLocation=aaaa1 FromZone=corporate ToZone=corporate InboundInterface=ethernet1/1 OutboundInterface=ethernet1/3 LogSetting=rs-logging SessionID=1111111 RepeatCount=1 srcPort=10273 dstPort=27624 srcPostNATPort=26615 dstPostNATPort=6501 proto=tcp TunnelEventType=51 MobileSubscriberISDN= AccessPointName= RadioAccessTechnology=11 TunnelMessageType=0 MobileIP= TunnelEndpointID1=0 TunnelEndpointID2=0 TunnelInterface=0 TunnelCauseCode=0 VendorSeverity=Unused MobileCountryCode=0 MobileNetworkCode=0 MobileAreaCode=0 MobileBaseStationCode=0 TunnelEventCode=0 SequenceNo=1111111111111111111 SourceLocation=NB DestinationLocation=saint john DGHierarchyLevel1=12 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=PA-VM IMSI=28 IMEI=datacenter ParentSessionID=1111111 ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=tunnel Bytes=741493 srcBytes=277595 dstBytes=463898 totalPackets=1183 srcPackets=554 dstPackets=629 PacketsDroppedMax=58 PacketsDroppedProtocol=34 PacketsDroppedStrict=171 PacketsDroppedTunnel=773 TunnelSessionsCreated=537 TunnelSessionsClosed=206 SessionEndReason=unknown ActionSource=unknown startTime=2021-08-09T13:59:51.000000Z SessionDuration=35 TunnelInspectionRule=gtp TunnelRemoteUserIP= TunnelRemoteIMSIID=0 RuleUUID=11a111aa-1a11-1a1a-11a1-1a11a11111a1 DynamicUserGroupName=dynug-4 ContainerID= ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL= SourceDynamicAddressGroup= DestinationDynamicAddressGroup= TimeGeneratedHighResolution=2021-08-09T14:00:22.079000Z NSSAINetworkSliceDifferentiator=0 NSSAINetworkSliceType=0 ProtocolDataUnitsessionID=0 devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ
QRadar field name | Highlighted payload fields |
---|---|
Event ID | drop-all (LEEF header Event ID field). Note: Usually the Event ID field from the LEEF header is used. However, for certain event types, more LEEF fields or custom fields such as Subtype and action might be used to form a unique event ID. |
Category | PA Series GTP. Note: The value of the cat field is not used directly as the Category of the event. The value of this field is used to select from a predefined set of category values. For certain event types, more LEEF fields or custom fields can be used to form a unique event Category. |
Device Time | devTime |
Source IPv6 | src |
Destination IPv6 | dst |
Source Port | srcPort |
Destination Port | dstPort |
Post NAT Source IP | srcPostNAT |
Post NAT Destination IP | dstPostNAT |
Post NAT Source Port | srcPostNATPort |
Post NAT Destination Port | dstPostNATPort |
Protocol | proto |
Username | usrName. Tip: If a username contains the domain as part of its value, the domain portion is removed and only the actual username portion is used. |
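The three samples above differ in framing: the first is an RFC 3164 syslog line carrying a LEEF 1.0 payload whose attributes are pipe-delimited, while the Prisma Access and Next Generation Firewall samples are RFC 5424 lines carrying LEEF 2.0, where the sixth header field (a single space here) declares the attribute delimiter. The Python script below is an added example, not code from the IBM QRadar or Palo Alto Networks documentation. It parses both framings, applies the field mapping from the tables above, strips the domain from usrName as the Username tip describes, and reattaches a value that itself contains the delimiter (DestinationLocation=saint john in the TLS Syslog sample). The two embedded messages are constructed abbreviations of the samples on this page; the rule that takes the number in parentheses from a threat name as the Event ID is an assumption modelled on Sample 1, not QRadar's documented logic.

```python
import re
from typing import Dict, Tuple

# Constructed, shortened versions of the samples shown on this page.
SAMPLE_LEEF1 = (
    "<180>May 6 16:43:53 paloalto.paseries.test LEEF:1.0|Palo Alto Networks|"
    "PAN-OS Syslog Integration|8.1.6|trojan/PDF.gen.eiez(268198686)|"
    "cat=THREAT|Subtype=virus|devTime=May 06 2019 11:13:53 GMT|src=10.2.75.41|"
    "dst=192.168.178.180|usrName=qradar\\user1|srcPort=63508|dstPort=80|"
    "srcPostNATPort=31539|proto=tcp|action=alert|sev=3"
)
SAMPLE_LEEF2 = (
    "<14>1 2021-08-09T14:00:26.364Z paloalto.paseries.test logforwarder - panwlogs - "
    "LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|drop-all| |"
    "cat=gtp SubType=end src=fc00:0:e426:5678:b202:b3ff:fe1e:8329 "
    "usrName=paloaltonetwork\\testUser srcPort=10273 dstPort=27624 proto=tcp "
    "DestinationLocation=saint john DeviceName=PA-VM"
)

# QRadar field name -> LEEF attribute, as listed in the tables above.
FIELD_MAP = {
    "Device Time": "devTime", "Source IP": "src", "Destination IP": "dst",
    "Source Port": "srcPort", "Destination Port": "dstPort",
    "Post NAT Source IP": "srcPostNAT", "Post NAT Destination IP": "dstPostNAT",
    "Post NAT Source Port": "srcPostNATPort",
    "Post NAT Destination Port": "dstPostNATPort", "Protocol": "proto",
}


def parse_leef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split a syslog line carrying a LEEF payload into header fields and attributes."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF payload in line")
    payload = line[start:]
    version = payload[len("LEEF:"):payload.index("|")]
    # LEEF 1.0 header: version|vendor|product|product version|event id
    # LEEF 2.0 header adds a sixth field: the attribute delimiter character.
    nfields = 6 if version.startswith("2") else 5
    parts = payload.split("|", nfields)
    if len(parts) != nfields + 1:
        raise ValueError("truncated LEEF header")
    header = {"version": version, "vendor": parts[1], "product": parts[2],
              "product_version": parts[3], "event_id": parts[4]}
    if nfields == 6:
        delim = parts[5] or "\t"  # empty delimiter field means tab
        if re.fullmatch(r"0?x[0-9A-Fa-f]{2,4}", delim):  # hex form such as x09
            delim = chr(int(delim.split("x")[1], 16))
        attr_text = parts[6]
    else:
        # LEEF 1.0 specifies tab-delimited attributes, but the PAN-OS syslog
        # integration in Sample 1 emits them pipe-delimited; accept either.
        attr_text = parts[5]
        delim = "\t" if "\t" in attr_text else "|"
    attrs: Dict[str, str] = {}
    last_key = None
    for token in attr_text.split(delim):
        if "=" in token:
            key, _, value = token.partition("=")
            attrs[key] = value
            last_key = key
        elif last_key is not None and token:
            # A token without "=" is the tail of a value that contained the
            # delimiter (e.g. "DestinationLocation=saint john"): reattach it.
            attrs[last_key] = attrs[last_key] + delim + token
    return header, attrs


def strip_domain(user: str) -> str:
    """Drop a DOMAIN\\ prefix, as the Username tip describes."""
    return user.rsplit("\\", 1)[-1]


def normalise(line: str) -> Dict[str, str]:
    """Map one raw message onto the QRadar field names used in the tables above."""
    header, attrs = parse_leef(line)
    event = {name: attrs[key] for name, key in FIELD_MAP.items() if key in attrs}
    # Assumption modelled on Sample 1: a threat name ending in "(digits)" yields
    # the numeric threat ID as the Event ID; otherwise the header value is used.
    m = re.search(r"\((\d+)\)$", header["event_id"])
    event["Event ID"] = m.group(1) if m else header["event_id"]
    event["Category"] = attrs.get("cat", "")  # QRadar maps this onto its own category set
    if attrs.get("usrName"):
        event["Username"] = strip_domain(attrs["usrName"])
    return event


if __name__ == "__main__":
    for raw in (SAMPLE_LEEF1, SAMPLE_LEEF2):
        for name, value in normalise(raw).items():
            print(f"{name:28s} {value}")
        print()
```

Running the script prints one normalised record per sample; when checking your own integration, compare these field names against what QRadar shows in the Log Activity tab, since any attribute that falls outside the mapping (for example the abbreviated sr key in the Prisma Access sample) is where parsing differences usually surface.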