Palo Alto appliances can produce either CEF-compliant or CSV-formatted logs (configured via PAN-OS). The field naming scheme is identical for both formats; the important difference is that CEF-compliant logs carry the event data as key-value pairs (i.e. field_name=field_data), whereas the CSV-formatted ones carry comma-delimited fields holding only the values of those keys, so the data order is strict and pre-determined.
There are 5 types of logs that can be generated, and the order of the fields changes depending on the event type, as laid out below. The available log types are Traffic, Threat, HIP (Host Intrusion Profile) Match, Config and System.
** Note: The naming scheme below lists the fields as they appear in the PAN-OS management screen. When the logs are parsed only the sequence matters, not the key names we choose. This allows us to use whatever naming scheme suits us best and avoid further field manipulation downstream.
** Note: By default, the hostname field in the header of the Syslog messages is not populated and will not appear in the Syslog messages. Having the hostname transmitted by some appliances and not by others leads to parsing failures (wrong field positioning, log rejection, etc., depending on the filter). To include the hostname, navigate to Device > Setup > Management > Logging and Reporting Settings and select the Send Hostname in Syslog check box.
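The two notes above describe exactly the two things a log pipeline has to get right: map positional CSV fields onto names of our own choosing, and cope with a syslog header that may or may not carry a hostname. The following Python parser is an added example, not code from Palo Alto or from the original page. The per-type field lists (`CSV_SCHEMAS`), the position of the log-type field (`TYPE_INDEX`), the sample log lines and the device values in them are all constructed for illustration; the real field order for each log type must be taken from the PAN-OS Syslog Integration tech note. The hostname detection is an assumption of this example: a token after the timestamp that contains a comma or starts with `CEF:` is treated as the start of the message body rather than as a hostname.

```python
import csv
import re
from typing import Dict, List, Optional, Tuple

# CONSTRUCTED placeholder schemas for the example only. The real per-type field
# order comes from the PAN-OS Syslog Integration tech note; the names are ours
# to choose, only the position of each name matters.
CSV_SCHEMAS: Dict[str, List[str]] = {
    "TRAFFIC": ["future_use", "receive_time", "serial", "type", "subtype",
                "src", "dst", "rule", "action"],
    "SYSTEM":  ["future_use", "receive_time", "serial", "type", "subtype",
                "future_use2", "event_id", "description"],
}
TYPE_INDEX = 3  # position of the log-type field in the constructed schemas

# RFC 3164-style header: optional <PRI>, "Mon DD HH:MM:SS", then the rest.
HEADER_RE = re.compile(
    r"^(?:<\d{1,3}>)?([A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+(.*)$", re.S)
# CEF extension keys: "key=" preceded by start of string or whitespace.
CEF_KEY_RE = re.compile(r"(?:^|\s)([\w.]+)=")


def split_header(line: str) -> Tuple[str, Optional[str], str]:
    """Return (timestamp, hostname or None, body).

    The hostname is optional in PAN-OS syslog output, so the token after the
    timestamp is only treated as a hostname if it does not look like the start
    of a CSV body (contains a comma) or a CEF body (starts with 'CEF:').
    This heuristic is an assumption of the example.
    """
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised syslog header: {line[:40]!r}")
    timestamp, rest = m.groups()
    token, _, remainder = rest.partition(" ")
    if token.startswith("CEF:") or "," in token:
        return timestamp, None, rest
    return timestamp, token, remainder


def parse_csv_body(body: str) -> Dict[str, str]:
    """Map a positional CSV body onto our own field names by log type."""
    fields = next(csv.reader([body]))  # csv handles quoted fields with commas
    if len(fields) <= TYPE_INDEX:
        raise ValueError("too few fields to determine log type")
    log_type = fields[TYPE_INDEX]
    schema = CSV_SCHEMAS.get(log_type)
    if schema is None:
        raise ValueError(f"no schema for log type {log_type!r}")
    if len(fields) < len(schema):
        raise ValueError(f"{log_type}: expected {len(schema)} fields, got {len(fields)}")
    return dict(zip(schema, fields))


def parse_cef_body(body: str) -> Dict[str, str]:
    """Parse a CEF body: 7 pipe-delimited header fields plus key=value extension."""
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)  # '\|' is an escaped pipe
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    version, vendor, product, dev_version, sig_id, name, severity, ext = parts
    record = {"cef_version": version[4:], "vendor": vendor, "product": product,
              "device_version": dev_version, "signature_id": sig_id,
              "name": name, "severity": severity}
    keys = list(CEF_KEY_RE.finditer(ext))
    for i, k in enumerate(keys):  # value runs up to the next key
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        record[k.group(1)] = ext[k.end():end].strip()
    return record


def parse_line(line: str) -> Dict[str, str]:
    timestamp, hostname, body = split_header(line.rstrip("\r\n"))
    record = parse_cef_body(body) if body.startswith("CEF:") else parse_csv_body(body)
    record["syslog_timestamp"] = timestamp
    record["syslog_hostname"] = hostname or ""
    return record


# Constructed sample lines: CSV with hostname, CSV without (the default), CEF.
SAMPLE_LINES = [
    "<14>Mar  5 10:15:01 fw-edge-01 1,2024/03/05 10:15:01,0123456789,TRAFFIC,end,"
    "10.0.0.5,198.51.100.7,allow-web,allow",
    '<14>Mar  5 10:15:02 1,2024/03/05 10:15:02,0123456789,SYSTEM,general,0,'
    'auth-success,"Admin login, from console"',
    "<14>Mar  5 10:15:03 fw-edge-01 CEF:0|Palo Alto Networks|PAN-OS|1.0|end|TRAFFIC|1|"
    "rt=Mar 05 2024 10:15:03 src=10.0.0.5 dst=198.51.100.7 act=allow",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_line(sample))
```

Because the log type is read from its position before any schema is applied, a log type without a schema or a line with too few fields is rejected explicitly instead of silently landing values in the wrong columns, which is the failure the second note warns about when some appliances send a hostname and others do not.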
For the field order of each log type, the list of possible values, and the meaning of each field, refer to the PAN-OS Syslog Integration tech note.