Palo Alto CSV-Formatted Log Structure

Palo Alto appliances can produce either CEF-compliant or CSV-formatted logs (configured via PAN-OS). The field naming scheme is identical between the two methods; the most important difference is that CEF-compliant logs carry the event data as key-value pairs (i.e. field_name=field_data), whereas CSV-formatted logs produce comma-delimited fields that hold only the values of those keys, so the data order is strict and pre-determined.

There are five types of logs that can be generated, and the order of the fields depends on the log type, as laid out below. The available log types are Traffic, Threat, HIP (Host Intrusion Profile) Match, Config and System.

** Note: The naming scheme below lists the fields as they appear in the PAN-OS management screen. When the logs are parsed, only the field sequence matters, not the key names we choose. This lets us use whatever naming scheme suits us best and avoid further field manipulation.

** Note: By default, the hostname field in the header of the Syslog messages is not populated and will not appear in the Syslog messages. Having the hostname transmitted by some appliances and not by others would lead to parsing failures (wrong field positioning, log rejection, etc., depending on the filter), so the setting should be consistent across all devices feeding the same parser. To include the hostname, navigate to Device > Setup > Management > Logging and Reporting Settings and select the Send Hostname in Syslog check box.

  • In PAN-OS 5.0, the device’s FQDN is used when both hostname and domain are configured in the Management > General Settings section, or just the hostname when the domain is not configured.
  • In PAN-OS 4.1 and earlier, the device’s management IP address appears in the hostname field of the Syslog header.
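The two points above (positional CSV fields and an optional hostname in the Syslog header) are what a parser has to get right. The following is an added example, not code from the original page or from Palo Alto: it tolerates both header forms, then resolves fields by position using names we pick ourselves. The index-to-name pairs, the sample log lines and the hostname `fw-edge01` are constructed assumptions for illustration; the authoritative field order per log type comes from the PAN-OS Syslog Integration tech note.

```python
import csv
import re
from io import StringIO

# Syslog header: <PRI>Mon DD HH:MM:SS [hostname] <CSV body>. The hostname
# is optional in PAN-OS output; the CSV body always begins with a field that
# is followed by a comma, so a token without a comma must be the hostname.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?:(?P<host>[^ ,]+) )?(?P<body>.*)$")

# Names we choose ourselves (only the position matters). These index-to-name
# pairs are assumptions for illustration; check the tech note for each type.
FIELD_NAMES = {
    "TRAFFIC": {1: "receive_time", 2: "serial", 3: "type", 4: "subtype",
                7: "src_ip", 8: "dst_ip"},
    "SYSTEM":  {1: "receive_time", 2: "serial", 3: "type", 4: "subtype"},
}
TYPE_INDEX = 3  # the log type is assumed to be the 4th CSV field


def parse_pan_line(line):
    """Return a dict of named fields, or None if the line must be rejected."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    # csv handles quoted fields, which PAN-OS uses when a value contains a comma
    fields = next(csv.reader(StringIO(m.group("body"))))
    if len(fields) <= TYPE_INDEX:
        return None
    log_type = fields[TYPE_INDEX]
    names = FIELD_NAMES.get(log_type)
    if names is None or len(fields) <= max(names):
        return None  # unknown type or too few fields: never guess positions
    event = {"hostname": m.group("host"), "log_type": log_type}
    for idx, name in names.items():
        event[name] = fields[idx]
    return event


SAMPLE = [  # constructed sample lines, not real device output
    "<14>Jun 10 10:00:01 fw-edge01 1,2013/06/10 10:00:01,0001A100001,TRAFFIC,end,1,2013/06/10 10:00:01,10.0.0.5,192.0.2.10",
    "<14>Jun 10 10:00:02 1,2013/06/10 10:00:02,0001A100002,TRAFFIC,start,1,2013/06/10 10:00:02,10.0.0.6,192.0.2.11",
    "<14>Jun 10 10:00:03 fw-edge01 1,2013/06/10 10:00:03,0001A100003,CONFIG,0,1",
]
```

The second sample line lacks the hostname, and the third is a Config log with no mapping, so it is rejected rather than mis-positioned.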

For the field order of each log type, the list of possible values, and the meaning of each field, refer to the PAN-OS Syslog Integration tech note.