Format Syslog Messages in Common Event Format (CEF)
To send syslog messages in CEF format from Palo Alto Networks firewalls, you must create a custom Syslog Server Profile and define CEF field mappings for each log type.
Note
Perform the following procedures in the Palo Alto Networks Panorama application.
Step 1: Create a Syslog Server Profile:
Log into Panorama with admin privileges and navigate to Device > Server Profiles > Syslog.
Click Add, and do the following:
In the Name field, enter a descriptive name, such as Illumio-CEF-Logs.
In the Server field, set the server value to your syslog receiver's IP address.
Set the Transport field to TCP.
Set the value of the Port field to 514.
Step 2: Define the Syslog Format:
Under the Format section, select Custom Format.
Paste in the CEF Format text that you copied from the Add Log Exporter pane within Illumio Console.
Note
Note the following about the CEF Format text:
The CEF header value (CEF:0|...|) defines the vendor, product, and version.
The fields following the header (such as src=, dst=, and so forth) map PAN-OS variables to CEF fields.
Step 3: Apply the Custom Profile to Log Forwarding:
Navigate to Objects > Log Forwarding and click Add.
Select the new Syslog Server Profile that you created.
Set Traffic as the log type to send in CEF format.
Click Commit to save the configuration and start forwarding logs in CEF format.
Note the following information:
CEF format is not preconfigured for Palo Alto Networks, so you must configure it manually. See Configure Syslog Monitoring.
Each log type (Traffic, Threat, URL, System, and so on) might require a different mapping depending on the use case. This integration only uses the Traffic log type.
Custom tokens, such as %SRC%, %DST%, and %THREATNAME%, are used to populate CEF fields dynamically.
If you copy and paste the format text, it might include unintended characters; check the pasted text before you commit.
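The two notes above describe the structure the receiver depends on: a pipe-delimited header (CEF:0|vendor|product|version|...) followed by space-separated key=value extension fields such as src= and dst=, and the risk that pasting the format text introduces stray characters. The following parser is an added example, not code from the Illumio or Palo Alto Networks documentation; it runs on the receiving side, splits a CEF line into header and extensions while honoring the CEF escape sequences (\| and \\ in the header, \= and \\ in extension values), and flags non-ASCII or control characters of the kind a copy and paste can leave behind. The sample lines, IP addresses and field values in it are constructed for the example.

```python
"""Parse and sanity-check CEF-formatted syslog lines (added example)."""
import re
from dataclasses import dataclass

CEF_PREFIX = "CEF:"
# The seven pipe-separated header fields defined by CEF, in order.
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "event_class_id", "name", "severity")


@dataclass
class CefEvent:
    header: dict
    extensions: dict


def _split_header(body):
    """Split on unescaped '|' into the header fields; return (fields, extension_text).

    In the header, '\\|' is a literal pipe and '\\\\' a literal backslash.
    """
    fields, current, i = [], [], 0
    while i < len(body) and len(fields) < len(HEADER_FIELDS):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            current.append(body[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    # Tolerate a line whose severity is not followed by a trailing pipe.
    if len(fields) == len(HEADER_FIELDS) - 1 and current:
        fields.append("".join(current))
        i = len(body)
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError(f"expected {len(HEADER_FIELDS)} header fields, found {len(fields)}")
    return fields, body[i:]


# An extension key starts at the beginning of the extension text or after whitespace;
# an escaped '\=' inside a value never matches because '\' is not a key character.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")
_EXT_ESCAPES = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}


def _unescape_extension(value):
    return re.sub(r"\\([\\=nr])", lambda m: _EXT_ESCAPES[m.group(1)], value)


def _parse_extensions(text):
    """Turn 'k1=v1 k2=v2 ...' into a dict; values may contain spaces."""
    keys = list(_KEY_RE.finditer(text))
    result = {}
    for n, match in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(text)
        result[match.group(1)] = _unescape_extension(text[match.end():end].strip())
    return result


def parse_cef(line):
    line = line.rstrip("\r\n")
    if not line.startswith(CEF_PREFIX):
        raise ValueError("missing 'CEF:' prefix")
    fields, ext_text = _split_header(line[len(CEF_PREFIX):])
    return CefEvent(header=dict(zip(HEADER_FIELDS, fields)),
                    extensions=_parse_extensions(ext_text))


def check_line(line):
    """Return a list of problems; an empty list means the line looks sane."""
    line = line.rstrip("\r\n")
    problems = []
    if not line.startswith(CEF_PREFIX):
        problems.append("line does not start with 'CEF:'")
    # Smart quotes, non-breaking spaces and control characters are typical paste residue.
    bad = sorted({c for c in line if ord(c) < 32 or ord(c) > 126})
    if bad:
        problems.append("non-printable or non-ASCII characters: "
                        + ", ".join(f"U+{ord(c):04X}" for c in bad))
    try:
        parse_cef(line)
    except ValueError as exc:
        problems.append(str(exc))
    return problems


# Constructed sample lines in the shape a PAN-OS Traffic log takes after the custom
# format is applied; the vendor/product header is real, the field values are invented.
GOOD_LINE = ("CEF:0|Palo Alto Networks|PAN-OS|10.2|TRAFFIC|start\\|end|3|"
             "src=10.1.1.5 dst=10.2.2.7 spt=51234 dpt=443 proto=tcp act=allow "
             "msg=session end\\=ok")
# Same line with curly quotes, as a word processor or web page might paste them.
BAD_LINE = ("CEF:0|Palo Alto Networks|PAN-OS|10.2|TRAFFIC|end|3|"
            "src=10.1.1.5 msg=\u201cpasted\u201d")

if __name__ == "__main__":
    event = parse_cef(GOOD_LINE)
    print(event.header)
    print(event.extensions)
    print("good line problems:", check_line(GOOD_LINE))
    print("bad line problems:", check_line(BAD_LINE))
```

Running the block parses the constructed Traffic line into its seven header fields and extension dictionary (the escaped pipe in the name field and the escaped equals sign in msg= are restored) and reports the two curly-quote code points in the pasted variant, which is the kind of check worth running on a received sample before relying on the forwarded logs.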