Forwarding Palo Alto Cortex Data Lake (Next Generation Firewall) LEEF events to IBM QRadar

To send Palo Alto Cortex Data Lake events to QRadar®, you must add a TLS Syslog log source in QRadar and configure Cortex Data Lake to forward logs to a Syslog server.
  1. Add a log source in QRadar by using the TLS Syslog protocol. For more information, see TLS Syslog log source parameters for Palo Alto PA Series.
    Important: If your log source is dedicated only to Cortex Data Lake events, then you must disable Use as a Gateway Log Source and set the DSM type to Palo Alto PA Series. If the log source is shared with multiple integrations, and you already enabled Use as a Gateway Log Source, then the Log Source Identifier must use the following regex structure:
    <Log Source Identifier>=stream-logfwd.*?logforwarder
  2. Forward logs from Cortex Data Lake to QRadar. For more information, see your Palo Alto documentation (
    • When forwarding logs from Cortex Data Lake, choose the LEEF log format.
    • You must enable the cat and EventStatus/Status fields in Palo Alto. The EventStatus/Status field is required to parse GlobalProtect events in QRadar.
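The following is an added example, not code from IBM or Palo Alto Networks: a small Python checker that applies the three requirements above to a forwarded syslog line before it reaches QRadar. It parses the LEEF header and attributes, tests the syslog host name against the `stream-logfwd.*?logforwarder` identifier regex the page gives for shared gateway log sources, and reports when the `cat` field or an `EventStatus`/`Status` field is absent. The sample lines, the BSD-style syslog header layout (`<PRI> timestamp host LEEF:...`), the host name, and the assumption that QRadar matches the identifier regex against that host field are constructed for illustration and are not taken from either vendor's documentation.

```python
import re

# Log Source Identifier regex from the QRadar instructions for a shared gateway log source.
IDENTIFIER_RE = re.compile(r"stream-logfwd.*?logforwarder")

# Either of these carries the status value QRadar needs for GlobalProtect events.
STATUS_FIELDS = ("EventStatus", "Status")


def parse_leef(line):
    """Split a syslog line carrying a LEEF payload into host, LEEF header and attributes.

    Returns None when the line has no LEEF payload. Assumption (constructed, not from
    the docs): a BSD-style header where the token before 'LEEF:' is the host name.
    """
    idx = line.find("LEEF:")
    if idx < 0:
        return None
    header_tokens = line[:idx].split()
    host = header_tokens[-1] if header_tokens else ""

    payload = line[idx:]
    version = payload.split("|", 1)[0].split(":", 1)[1]
    if version.startswith("2"):
        # LEEF 2.0: LEEF:2.0|Vendor|Product|Version|EventID|delimiter|attrs
        parts = payload.split("|", 6)
        if len(parts) < 7:
            return None
        delim = parts[5] or "\t"
        # LEEF 2.0 allows the delimiter to be written as hex, e.g. x09 for a tab.
        if re.fullmatch(r"x[0-9A-Fa-f]{2}", delim):
            delim = chr(int(delim[1:], 16))
        attr_text = parts[6]
    else:
        # LEEF 1.0: LEEF:1.0|Vendor|Product|Version|EventID|attrs, tab separated
        parts = payload.split("|", 5)
        if len(parts) < 6:
            return None
        delim = "\t"
        attr_text = parts[5]

    header = {"vendor": parts[1], "product": parts[2],
              "version": parts[3], "event_id": parts[4]}
    attrs = {}
    for kv in attr_text.split(delim):
        if "=" in kv:
            key, value = kv.split("=", 1)
            attrs[key] = value
    return {"host": host, "header": header, "attrs": attrs}


def check_event(line):
    """Return the list of problems that would keep QRadar from handling the event as described."""
    event = parse_leef(line)
    if event is None:
        return ["no LEEF payload: set the Cortex Data Lake log format to LEEF"]
    problems = []
    if not IDENTIFIER_RE.search(event["host"]):
        problems.append("host %r does not match the gateway Log Source Identifier regex"
                        % event["host"])
    if "cat" not in event["attrs"]:
        problems.append("cat field missing: enable it in Cortex Data Lake")
    if not any(f in event["attrs"] for f in STATUS_FIELDS):
        problems.append("EventStatus/Status missing: GlobalProtect events will not parse")
    return problems


# Constructed sample lines; the host name and attribute values are illustrative only.
GOOD_LINE = ("<14>Jan  5 10:00:00 stream-logfwd20-111111111-01234567-abc-logforwarder-0 "
             "LEEF:2.0|Palo Alto Networks|Cortex Data Lake|1.0|GLOBALPROTECT|x09|"
             "cat=GLOBALPROTECT\tEventStatus=success\tsrc=10.0.0.5\tusrName=alice")
BAD_LINE = ("<14>Jan  5 10:00:00 fw-01 "
            "LEEF:2.0|Palo Alto Networks|Cortex Data Lake|1.0|TRAFFIC|x09|"
            "src=10.0.0.5\tdst=10.0.0.9")

if __name__ == "__main__":
    for sample in (GOOD_LINE, BAD_LINE):
        print(check_event(sample) or ["ok"])
```

Run it on a few lines captured from the TLS Syslog listener to confirm the host field really matches the identifier regex before you commit to the shared gateway configuration; if the host does not match, the dedicated log source with the Palo Alto PA Series DSM type is the simpler choice.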