Format Syslog Messages in Common Event Format (CEF)
To be able to send syslogs in CEF format from Palo Alto Networks firewalls, you must create a custom Syslog Server Profile and define CEF field mappings for each log type.
Note
Perform the following procedures in the Palo Alto Networks Panorama application.
Step 1: Create a Syslog Server Profile.
See Configure Syslog Forwarding to External Destinations.
Step 2: Define the Syslog Format.
See the Palo Alto Networks documentation on how to define the syslog format.
Step 3: Apply the Custom Profile to Log Forwarding.
See Configure Log Forwarding to Panorama.
Note the following information:
CEF format is not preconfigured for Palo Alto Networks, so you must configure it manually. See Configure Syslog Monitoring.
Each log type (Traffic, Threat, URL, System, and so on) might require a different mapping depending on the use case. This integration uses only the Traffic log type.
Custom tokens, such as %SRC%, %DST%, and %THREATNAME%, are used to populate CEF fields dynamically.
If you copy and paste the format string, it might include unintended characters; check it before saving.
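As an added example, not from the Palo Alto Networks documentation or from the integration itself, the following Python script parses a CEF line the way a receiving collector would and flags the two problems the notes above warn about: stray characters introduced by copy and paste, and page-style tokens such as %SRC% that the firewall never substituted. The sample lines (including their vendor and product strings), the TRAFFIC_KEYS set, and the %NAME% token pattern are assumptions for illustration.

```python
"""Parse and sanity-check CEF syslog lines such as a firewall forwarding the
Traffic log type would emit. Added example, not from the Palo Alto Networks
documentation; the sample lines, vendor/product strings and TRAFFIC_KEYS are
constructed or assumed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
SEVERITY_WORDS = ("Low", "Medium", "High", "Very-High")
# An extension key is a bare token followed by '='; an escaped '\=' inside a
# value never matches because the backslash is not a key character.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")
ESCAPE_RE = re.compile(r"\\(.)")              # \= \\ \n \r inside extension values
UNEXPANDED_TOKEN = re.compile(r"%[A-Z_]+%")   # page-style token left unsubstituted (assumed form)
# Characters that typically creep in via copy and paste: curly quotes,
# non-breaking space, zero-width space.
SUSPECT_CHARS = {"\u2018", "\u2019", "\u201c", "\u201d", "\u00a0", "\u200b"}
TRAFFIC_KEYS = ("src", "dst", "spt", "dpt", "proto", "act")  # assumed minimal Traffic mapping


@dataclass
class CefEvent:
    header: Dict[str, str]
    extension: Dict[str, str]
    problems: List[str] = field(default_factory=list)


def split_header(text: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields, honouring '\\|' and '\\\\';
    returns (fields, remaining extension text)."""
    fields, buf, i = [], [], 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            buf.append(text[i + 1])  # escaped pipe or backslash
            i += 2
            continue
        if c == "|":
            fields.append("".join(buf))
            buf = []
            if len(fields) == len(HEADER_FIELDS):
                return fields, text[i + 1:]
        else:
            buf.append(c)
        i += 1
    raise ValueError("CEF header has fewer than 7 pipe-delimited fields")


def parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'k1=v1 k2=v2 ...' into a dict; values may contain spaces and escapes."""
    matches = list(KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = ESCAPE_RE.sub(
            lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return out


def parse_cef(line: str) -> CefEvent:
    """Parse one syslog line carrying a CEF payload and record format problems."""
    line = line.rstrip("\r\n")
    problems: List[str] = []
    bad = sorted({c for c in line if c in SUSPECT_CHARS or not c.isprintable()})
    if bad:
        problems.append("suspect characters: " + ", ".join(f"U+{ord(c):04X}" for c in bad))
    marker = line.find("CEF:")
    if marker < 0:
        raise ValueError("no 'CEF:' marker in line")
    fields, ext = split_header(line[marker + 4:])
    header = dict(zip(HEADER_FIELDS, fields))
    problems += [f"empty header field {k}" for k, v in header.items() if v == ""]
    sev = header["severity"]
    if not ((sev.isdigit() and int(sev) <= 10) or sev in SEVERITY_WORDS):
        problems.append(f"bad severity {sev!r}")
    return CefEvent(header, parse_extension(ext), problems)


def check_traffic(event: CefEvent, required=TRAFFIC_KEYS) -> List[str]:
    """Problems for a Traffic mapping: missing keys and tokens never substituted."""
    problems = list(event.problems)
    problems += [f"missing extension key {k}" for k in required if k not in event.extension]
    problems += [f"unexpanded token in {k}={v!r}"
                 for k, v in event.extension.items() if UNEXPANDED_TOKEN.search(v)]
    return problems


# Constructed sample: a well-formed Traffic event ('a\=b\\c' exercises escapes).
GOOD_LINE = (
    "<14>Jan 05 10:00:00 fw01 CEF:0|Palo Alto Networks|PAN-OS|10.1.0|end|TRAFFIC|3|"
    "rt=Jan 05 2024 10:00:00 src=10.1.1.5 dst=203.0.113.7 spt=51234 dpt=443 "
    "proto=tcp act=allow cs1Label=Rule cs1=allow-web msg=path a\\=b\\\\c")
# Constructed sample: curly quotes from a pasted format plus an unsubstituted token.
BAD_LINE = (
    "<14>Jan 05 10:00:01 fw01 CEF:0|Palo Alto Networks|PAN-OS|10.1.0|end|TRAFFIC|3|"
    "src=%SRC% dst=203.0.113.7 act=allow cs1Label=\u201cRule\u201d cs1=allow-web")

if __name__ == "__main__":
    for sample in (GOOD_LINE, BAD_LINE):
        event = parse_cef(sample)
        print(event.header["name"], event.extension.get("src"), check_traffic(event) or "OK")
```

Run the script against a few lines captured from the collector after applying the profile: an empty problem list for every Traffic event means the header has all seven fields, the severity is valid, the expected keys are populated, and no token or pasted character survived into the output. The `split_header` and `parse_extension` helpers follow the CEF escaping rules (`\|` and `\\` in the header, `\=` and `\\` in extension values), so a value such as a URL containing `=` is kept intact rather than split into a bogus key.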