Palo Alto PA Series Sample event message

Use these sample event messages to verify a successful integration with QRadar®.

Important: Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.

Palo Alto PA Series sample message when you use the Syslog protocol

Sample 1: The following sample event message shows PAN-OS events for a trojan threat event.

<180>May  6 16:43:53 paloalto.paseries.test LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|8.1.6|trojan/PDF.gen.eiez(268198686)|ReceiveTime=2019/05/06 16:43:53|SerialNumber=001801010877|cat=THREAT|Subtype=virus|devTime=May 06 2019 11:13:53 GMT|src=10.2.75.41|dst=192.168.178.180|srcPostNAT=192.168.68.141|dstPostNAT=192.168.178.180|RuleName=Test-1|usrName=qradar\\user1|SourceUser=qradar\\user1|DestinationUser=|Application=web-browsing|VirtualSystem=vsys1|SourceZone=INSIDE-ZN|DestinationZone=OUTSIDE-ZN|IngressInterface=ethernet1/1|EgressInterface=ethernet1/3|LogForwardingProfile=testForwarder|SessionID=3012|RepeatCount=1|srcPort=63508|dstPort=80|srcPostNATPort=31539|dstPostNATPort=80|Flags=0x406000|proto=tcp|action=alert|Miscellaneous=\"qradar.example.test/du/uploads/08052018_UG_FAQ.pdf\"|ThreatID=trojan/PDF.gen.eiez(268198686)|URLCategory=educational-institutions|sev=3|Severity=medium|Direction=server-to-client|sequence=486021038|ActionFlags=0xa000000000000000|SourceLocation=10.0.0.0-10.255.255.255|DestinationLocation=testPlace|ContentType=|PCAP_ID=0|FileDigest=|Cloud=|URLIndex=5|RequestMethod=|Subject=|DeviceGroupHierarchyL1=12|DeviceGroupHierarchyL2=0|DeviceGroupHierarchyL3=0|DeviceGroupHierarchyL4=0|vSrcName=|DeviceName=testName|SrcUUID=|DstUUID=|TunnelID=0|MonitorTag=|ParentSessionID=0|ParentStartTime=|TunnelType=N/A|ThreatCategory=pdf|ContentVer=Antivirus-2969-3479
Table 1. Highlighted fields in the sample event

QRadar field name            Highlighted payload fields
Event ID                     The Event ID value is 268198686 (see note)
Category                     PA Series Threat (see note)
Device Time                  devTime
Source IP                    src
Destination IP               dst
Source Port                  srcPort
Destination Port             dstPort
Post NAT Source IP           srcPostNAT
Post NAT Destination IP      dstPostNAT
Post NAT Source Port         srcPostNATPort
Post NAT Destination Port    dstPostNATPort
Protocol                     proto

Note: Usually the Event ID field from the LEEF header is used. However, for certain event types, more LEEF fields or custom fields, such as Subtype and action, might be used to form a unique event ID.

Note: The value of the cat field is not used directly as the Category of the event. The value of this field is used to determine a predefined set of category values. For certain event types, more LEEF fields or custom fields can be used to form a unique event Category.

Sample 2: The following sample event message shows a Prisma event where a session is allowed by a policy.

<14>1 2021-10-26T13:56:21.887Z paloalto.paseries.test logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Prisma Access|2.1|allow|    |TimeReceived=2021-10-26T13:56:20.000000Z   DeviceSN=no-serial  cat=traffic SubType=start   ConfigVersion=10.0  devTime=2021-10-26T13:56:17.000000Z src=192.168.21.100  dst=172.16.0.3  srcPostNAT=172.16.0.4   dstPostNAT=172.16.0.5   Rule=CG-RN-Guest-to-Internet    usrName=    DestinationUser=    Application=web-browsing    VirtualLocation=vsys1   FromZone=FromZone   ToZone=untrust  InboundInterface=tunnel.101 OutboundInterface=ethernet1/1   LogSetting=to-Cortex-Data-Lake  SessionID=49934 RepeatCount=1   srcPort=59532   dstPort=80  sr=49718    dstPostNATPort=80   proto=tcp   Bytes=374   srcBytes=300    dstBytes=74 totalPackets=4  SessionStartTime=2021-10-26T13:56:15.000000Z    SessionDuration=0   URLCategory=any SequenceNo=13336648 SourceLocation=192.168.0.0-192.168.255.255  DestinationLocation=CA  srcPackets=3    dstPackets=1    SessionEndReason=n-a    DGHierarchyLevel1=62    DGHierarchyLevel2=38    DGHierarchyLevel3=53    DGHierarchyLevel4=0 VirtualSystemName=  DeviceName=DeviceName   ActionSource=from-policy    SourceUUID= DestinationUUID=    IMSI=0  IMEI=   ParentSessionID=0   ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=N/A  EndpointAssociationID=0 ChunksTotal=0   ChunksSent=0    ChunksReceived=0    RuleUUID=00000000-0000-0000-0000-000000000000   HTTP2Connection=0   LinkChangeCount=0   SDWANPolicyName=    LinkSwitches=   SDWANCluster=   SDWANDeviceType=    SDWANClusterType=   SDWANSite=  DynamicUserGroupName=   X-Forwarded-ForIP=  SourceDeviceCategory=   SourceDeviceProfile=    SourceDeviceModel=  SourceDeviceVendor= SourceDeviceOSFamily=   SourceDeviceOSVersion=  SourceDeviceHost=   SourceDeviceMac=    DestinationDeviceCategory=  DestinationDeviceProfile=   DestinationDeviceModel= DestinationDeviceVendor=    DestinationDeviceOSFamily=  DestinationDeviceOSVersion= DestinationDeviceHost=  DestinationDeviceMac=   
ContainerID=    ContainerNameSpace= ContainerName=  SourceEDL=  DestinationEDL= GPHostID=   EndpointSerialNumber=   SourceDynamicAddressGroup=  DestinationDynamicAddressGroup= HASessionOwner= TimeGeneratedHighResolution=2021-10-26T13:56:17.911000Z NSSAINetworkSliceType=  NSSAINetworkSliceDifferentiator=    devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ
Table 2. Highlighted fields in the sample event

QRadar field name            Highlighted payload fields
Event ID                     The Event ID value is allow
Event Category               PA Series Traffic (see note)
Device Time                  devTime
Source IP                    src
Destination IP               dst
Source Port                  srcPort
Destination Port             dstPort
Post NAT Source IP           srcPostNAT
Post NAT Destination IP      dstPostNAT
Post NAT Source Port         sr
Post NAT Destination Port    dstPostNATPort
Protocol                     proto

Note: The value of the cat field is not used directly as the Category of the event. The value of this field is used to determine a predefined set of category values. For certain event types, more LEEF fields or custom fields can be used to form a unique event Category.

Palo Alto PA Series sample message when you use the TLS Syslog protocol

The following sample event message shows Next Generation Firewall events for version 10.1.

<14>1 2021-08-09T14:00:26.364Z paloalto.paseries.test logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|drop-all| |TimeReceived=2021-08-09T14:00:25.000000Z DeviceSN=001011000011111 cat=gtp SubType=end ConfigVersion=10.1 devTime=2021-08-09T14:00:22.000000Z src=fc00:0:e426:5678:b202:b3ff:fe1e:8329 dst=fc00:5678:90aa:cc33:f202:b3ff:fe1e:8329 srcPostNAT=10.5.5.5 dstPostNAT=192.168.178.180 Rule=allow-all-employees usrName=paloaltonetwork\testUser DestinationUser=paloaltonetwork\tUser Application=adobe-cq VirtualLocation=aaaa1 FromZone=corporate ToZone=corporate InboundInterface=ethernet1/1 OutboundInterface=ethernet1/3 LogSetting=rs-logging SessionID=1111111 RepeatCount=1 srcPort=10273 dstPort=27624 srcPostNATPort=26615 dstPostNATPort=6501 proto=tcp TunnelEventType=51 MobileSubscriberISDN= AccessPointName= RadioAccessTechnology=11 TunnelMessageType=0 MobileIP= TunnelEndpointID1=0 TunnelEndpointID2=0 TunnelInterface=0 TunnelCauseCode=0 VendorSeverity=Unused MobileCountryCode=0 MobileNetworkCode=0 MobileAreaCode=0 MobileBaseStationCode=0 TunnelEventCode=0 SequenceNo=1111111111111111111 SourceLocation=NB DestinationLocation=saint john DGHierarchyLevel1=12 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=PA-VM IMSI=28 IMEI=datacenter ParentSessionID=1111111 ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=tunnel Bytes=741493 srcBytes=277595 dstBytes=463898 totalPackets=1183 srcPackets=554 dstPackets=629 PacketsDroppedMax=58 PacketsDroppedProtocol=34 PacketsDroppedStrict=171 PacketsDroppedTunnel=773 TunnelSessionsCreated=537 TunnelSessionsClosed=206 SessionEndReason=unknown ActionSource=unknown startTime=2021-08-09T13:59:51.000000Z SessionDuration=35 TunnelInspectionRule=gtp TunnelRemoteUserIP= TunnelRemoteIMSIID=0 RuleUUID=11a111aa-1a11-1a1a-11a1-1a11a11111a1 DynamicUserGroupName=dynug-4 ContainerID= ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL= SourceDynamicAddressGroup= 
DestinationDynamicAddressGroup= TimeGeneratedHighResolution=2021-08-09T14:00:22.079000Z NSSAINetworkSliceDifferentiator=0 NSSAINetworkSliceType=0 ProtocolDataUnitsessionID=0 devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ
Table 3. Highlighted fields in the sample event

QRadar field name            Highlighted payload fields
Event ID                     drop-all (LEEF header Event ID field; see note)
Category                     PA Series GTP (see note)
Device Time                  devTime
Source IPv6                  src
Destination IPv6             dst
Source Port                  srcPort
Destination Port             dstPort
Post NAT Source IP           srcPostNAT
Post NAT Destination IP      dstPostNAT
Post NAT Source Port         srcPostNATPort
Post NAT Destination Port    dstPostNATPort
Protocol                     proto
Username                     usrName (see tip)

Note: Usually the Event ID field from the LEEF header is used. However, for certain event types, more LEEF fields or custom fields, such as Subtype and action, might be used to form a unique event ID.

Note: The value of the cat field is not used directly as the Category of the event. The value of this field is used to determine a predefined set of category values. For certain event types, more LEEF fields or custom fields can be used to form a unique event Category.

Tip: If a username contains the domain as part of its value, the domain portion is removed and only the actual username portion is used.
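As an added example that is not part of the IBM documentation or of QRadar's own parser, the following Python parses both record styles shown on this page, LEEF 1.0 with pipe-separated attributes (Sample 1) and LEEF 2.0 with the delimiter declared in the sixth header field (Samples 2 and 3), projects the attributes onto the QRadar fields highlighted in Tables 1 to 3, and strips the domain prefix from usrName as the Tip describes. The two sample lines are shortened, constructed copies of the page's messages; the hex-delimiter handling and the tab default are assumptions taken from the LEEF 2.0 format description.

```python
import re
# Constructed inputs, shortened from the page's Sample 1 (LEEF 1.0, '|' between
# attributes) and its TLS Syslog sample (LEEF 2.0, delimiter declared in the header).
SAMPLE_LEEF1 = (
    "<180>May  6 16:43:53 paloalto.paseries.test LEEF:1.0|Palo Alto Networks|"
    "PAN-OS Syslog Integration|8.1.6|trojan/PDF.gen.eiez(268198686)|"
    "cat=THREAT|Subtype=virus|src=10.2.75.41|dst=192.168.178.180|"
    "srcPort=63508|dstPort=80|proto=tcp|usrName=qradar\\\\user1"
)
SAMPLE_LEEF2 = (
    "<14>1 2021-08-09T14:00:26.364Z paloalto.paseries.test logforwarder - panwlogs - "
    "LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|drop-all| |cat=gtp "
    "src=fc00:0:e426:5678:b202:b3ff:fe1e:8329 dst=fc00:5678:90aa:cc33:f202:b3ff:fe1e:8329 "
    "srcPort=10273 dstPort=27624 proto=tcp DestinationLocation=saint john "
    "usrName=paloaltonetwork\\testUser"
)
HIGHLIGHTED = {  # LEEF attribute -> QRadar field name, as in the page's tables
    "devTime": "Device Time", "src": "Source IP", "dst": "Destination IP",
    "srcPort": "Source Port", "dstPort": "Destination Port", "proto": "Protocol",
    "srcPostNAT": "Post NAT Source IP", "dstPostNAT": "Post NAT Destination IP",
    "srcPostNATPort": "Post NAT Source Port", "dstPostNATPort": "Post NAT Destination Port"}

def parse_leef(line):
    """Return (header dict, attribute dict) for a syslog line carrying a LEEF record."""
    body = line[line.index("LEEF:"):]
    version = body.split("|", 1)[0][5:]
    if version == "1.0":       # LEEF 1.0: attributes use the same '|' as the header
        _, vendor, product, pversion, event_id, attrs = body.split("|", 5)
        delim = "|"
    else:                      # LEEF 2.0: the sixth header field names the delimiter
        _, vendor, product, pversion, event_id, delim, attrs = body.split("|", 6)
        if re.fullmatch(r"(0x|x)[0-9A-Fa-f]{1,4}", delim):  # assumed hex form, e.g. x09
            delim = chr(int(delim.split("x")[1], 16))
        delim = delim or "\t"  # assumed default when the field is left empty
    # Split only where the delimiter is followed by 'key=', so a value that contains
    # the delimiter itself (the page's 'DestinationLocation=saint john') stays whole.
    pairs = re.split(re.escape(delim) + r"(?=[\w.\-]+=)", attrs)
    attributes = dict(p.split("=", 1) for p in pairs if "=" in p)
    header = {"version": version, "vendor": vendor, "product": product,
              "product_version": pversion, "event_id": event_id}
    return header, attributes

def qradar_view(line):
    """Project a LEEF record onto the QRadar fields highlighted in Tables 1 to 3."""
    header, attrs = parse_leef(line)
    view = {"Event ID": header["event_id"]}
    view.update({name: attrs[key] for key, name in HIGHLIGHTED.items() if key in attrs})
    if attrs.get("usrName"):   # the page's Tip: the DOMAIN\ portion is dropped
        view["Username"] = attrs["usrName"].rsplit("\\", 1)[-1]
    return view
```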