A Palo Alto Networks firewall separates the fields in its syslog messages with a comma by default. Unomaly expects fields separated by spaces, as in the syslog RFCs. PAN-OS lets you define a custom syslog format per log type, so this is a simple configuration change. Below are example CLI commands with the formats used at existing customers for the system, threat and traffic logs.


Configure custom formats

The custom formats can also be configured in the PAN-OS GUI (the Custom Log Format tab of the syslog server profile) should you prefer a different order of fields. Note that altering the format after Unomaly has learned a log source requires re-learning with the new format. Two further points worth checking: the server profile alone does not forward anything, so it must still be referenced from the system log settings and from a Log Forwarding profile on the security rules for the traffic and threat logs; and some field values themselves contain spaces (timestamps such as $receive_time carry a space between date and time, and $opaque and $misc are free text), so anything downstream that splits the message purely on spaces will see more tokens than fields.

set shared log-settings syslog UNOMALY_syslog server unomaly port 514
set shared log-settings syslog UNOMALY_syslog server unomaly server 192.168.99.199
set shared log-settings syslog UNOMALY_syslog server unomaly facility LOG_USER

System Log

set shared log-settings syslog UNOMALY_syslog format system "$actionflags $cef-formatted-receive_time $cef-formatted-time_generated $config_ver $domain $eventid $id $module $number-of-severity $object $opaque $receive_time $seqno $serial $severity $subtype $time_generated $type"

Threat Log

set shared log-settings syslog UNOMALY_syslog format threat "$action $actionflags $app $category $cef-formatted-receive_time $cef-formatted-time_generated $config_ver $contenttype $cpadding $direction $domain $dport $dstloc $dstuser $flags $from $inbound_if $logset $misc $natdport $natdst $natsrc $number-of-severity $outbound_if $receive_time $proto $repeatcnt $rule $seqno $serial $sessionid $severity $sport $src $srcloc $srcuser $subtype $threatid $time_generated $time_received $to $type"

Traffic Log

set shared log-settings syslog UNOMALY_syslog format traffic "$action $actionflags $cef-formatted-receive_time $cef-formatted-time_generated $serial $app $type $subtype $category $proto $from $to $sport $dport $srcloc $dstloc $inbound_if $outbound_if $rule $sessionid $pkts_received $pkts_sent $bytes"
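As an added example (not part of the original page and not Unomaly or Palo Alto Networks code), the following Python script lints a custom-format string for the two mistakes that silently corrupt a space-separated feed (fields separated by more than one space, and a field listed twice) and then parses a message produced by the system-log format above back into named fields. It assumes the firewall sends BSD-style syslog (the PAN-OS default), that $receive_time and $time_generated look like "YYYY/MM/DD HH:MM:SS", that the $cef-formatted-* fields look like "Mon DD YYYY HH:MM:SS", and that $opaque and $misc are free text; those value shapes are assumptions, and the sample log line is constructed. Because several of these values contain spaces, the parser builds a regular expression from the template instead of splitting on spaces, and a naive split is shown to disagree with the field count.

```python
import re
from typing import Dict, List, Optional

# Custom-format template for the PAN-OS system log, as given on this page.
SYSTEM_FORMAT = (
    "$actionflags $cef-formatted-receive_time $cef-formatted-time_generated "
    "$config_ver $domain $eventid $id $module $number-of-severity $object $opaque "
    "$receive_time $seqno $serial $severity $subtype $time_generated $type"
)

FIELD_RE = re.compile(r"\$([A-Za-z0-9_-]+)")

# Assumed value shapes (not taken from the page): PAN-OS timestamps are
# "YYYY/MM/DD HH:MM:SS", CEF-formatted timestamps are "Mon DD YYYY HH:MM:SS",
# and $opaque / $misc are free text. Every other field is treated as one token.
PAN_TIME = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}"
CEF_TIME = r"[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}"
VALUE_PATTERNS = {
    "receive_time": PAN_TIME,
    "time_generated": PAN_TIME,
    "cef-formatted-receive_time": CEF_TIME,
    "cef-formatted-time_generated": CEF_TIME,
    "opaque": r".+?",  # free text, matched lazily so the fields after it anchor it
    "misc": r".+?",
}

# Assumed BSD-style header: "<PRI>Mon DD HH:MM:SS hostname " followed by the body.
SYSLOG_RE = re.compile(r"^<\d+>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ (.*)$")


def template_fields(fmt: str) -> List[str]:
    """Field names in the order they appear in a custom-format string."""
    return FIELD_RE.findall(fmt)


def lint_format(fmt: str) -> List[str]:
    """Report template mistakes that corrupt a space-separated feed."""
    problems = []
    names = template_fields(fmt)
    if fmt != " ".join("$" + n for n in names):
        problems.append("fields are not separated by exactly one space")
    for n in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"duplicate field ${n}")
    return problems


def build_regex(fmt: str) -> re.Pattern:
    """Turn a template into a regex with one capture group per field."""
    parts = ["(" + VALUE_PATTERNS.get(n, r"\S+") + ")" for n in template_fields(fmt)]
    return re.compile("^" + " ".join(parts) + "$")


def parse_syslog(fmt: str, line: str) -> Optional[Dict[str, str]]:
    """Map a syslog line emitted with template `fmt` to {field: value}."""
    header = SYSLOG_RE.match(line)
    if not header:
        return None
    body = build_regex(fmt).match(header.group(1))
    if not body:
        return None
    return dict(zip(template_fields(fmt), body.groups()))


def naive_split(line: str) -> List[str]:
    """What a plain split on spaces yields for the message body (for comparison)."""
    header = SYSLOG_RE.match(line)
    return header.group(1).split(" ") if header else []


# Constructed sample line in the SYSTEM_FORMAT layout; values are illustrative only.
SAMPLE = (
    "<14>Jan 22 10:44:27 PA-VM 0x0 Jan 22 2019 10:44:27 Jan 22 2019 10:44:27 "
    "2049 0 auth-success 0 general 3 admin "
    "User admin logged in via Web from 192.0.2.10 "
    "2019/01/22 10:44:27 6000123 007200001234 informational general "
    "2019/01/22 10:44:27 SYSTEM"
)

if __name__ == "__main__":
    print("lint:", lint_format(SYSTEM_FORMAT) or "ok")
    print("lint (bad template):", lint_format("$action $bytes  $sport $bytes"))
    record = parse_syslog(SYSTEM_FORMAT, SAMPLE)
    for name, value in record.items():
        print(f"{name:30} {value}")
    print("naive tokens:", len(naive_split(SAMPLE)), "fields:", len(template_fields(SYSTEM_FORMAT)))
```

Run `lint_format` against each template before committing it to the firewall; the threat and traffic templates above can be passed in the same way, and the parser will handle them once `VALUE_PATTERNS` is extended with the shapes of any additional free-text fields (rule names, for instance) you see in your own feed.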