Symptom
A syslog server receives syslog messages in two different formats from two Palo Alto Networks firewalls. The formats differ by one field position.
The following are examples of 'raw' (before parsing) syslog messages with and without hostname enabled.
With hostname:
Tue Jan 28 13:28:22 2014: <190>Jan 28 01:28:35 PA-VM300-goran1 1,2014/01/28 01:28:35,007200001056,TRAFFIC,end,1,2014/01/28 01:28:34,192.168.41.30,192.168.41.255,10.193.16.193,192.168.41.255,allow-all,,,netbios-ns,vsys1,Trust,Untrust,ethernet1/1,ethernet1/2,To-Panorama,2014/01/28 01:28:34,8720,1,137,137,11637,137,0x400000,udp,allow,276,276,0,3,2014/01/28 01:28:02,2,any,0,2076326,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,3,0
Without hostname:
Tue Jan 28 13:28:25 2014: <190>Jan 28 01:28:38 1,2014/01/28 01:28:38,007200001057,TRAFFIC,end,1,2014/01/28 01:28:37,192.168.22.123,192.168.22.255,10.193.16.193,192.168.22.255,allow-all,,,netbios-dg,vsys1,Trust,Untrust,ethernet1/1,ethernet1/2,To-Panorama,2014/01/28 01:28:37,8721,1,138,138,3040,138,0x400000,udp,allow,243,243,0,1,2014/01/28 01:28:07,0,any,0,2076327,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,0
If the parsing mechanism on the syslog server is configured to start parsing every message at the same fixed position (for example, at the 9th space-delimited column), the message from one of the firewalls will be truncated.
Cause
The firewall1 device has the 'Send Hostname in Syslog' option (Device > Setup > Management > Logging and Reporting Settings) enabled. This option instructs the firewall to include its hostname in the syslog message, which adds one more space-delimited field before the log body. The firewall2 device has this option disabled, so its syslog message has one field fewer than the message from firewall1.
The following are examples of syslog messages after parsing (with and without hostname enabled, respectively):
Syslog message received from firewall1
1,2014/01/28 01:28:35,007200001056,TRAFFIC,end,1,2014/01/28 01:28:34,192.168.41.30,192.168.41.255,10.193.16.193,192.168.41.255,allow-all,,,netbios-ns,vsys1,Trust,Untrust,ethernet1/1,ethernet1/2,To-Panorama,2014/01/28 01:28:34,8720,1,137,137,11637,137,0x400000,udp,allow,276,276,0,3,2014/01/28 01:28:02,2,any,0,2076326,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,3,0
Syslog message received from firewall2
01:28:38,007200001057,TRAFFIC,end,1,2014/01/28 01:28:37,192.168.22.123,192.168.22.255,10.193.16.193,192.168.22.255,allow-all,,,netbios-dg,vsys1,Trust,Untrust,ethernet1/1,ethernet1/2,To-Panorama,2014/01/28 01:28:37,8721,1,138,138,3040,138,0x400000,udp,allow,243,243,0,1,2014/01/28 01:28:07,0,any,0,2076327,0x0,192.168.0.0-192.168.255.255,192.168.0.0-192.168.255.255,0,1,0
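As an added example (not part of the original article), the parser below shows both the fixed-column approach from the Symptom section and a parser that instead anchors on the start of the PAN-OS CSV body, so that messages from both firewalls line up regardless of the 'Send Hostname in Syslog' setting. The sample lines are the two raw messages above; the field positions in FIELDS are read off the sample layout and their names are assumed, as is the interpretation of the leading timestamp as the syslog server's receive time.

```python
import csv
import re

# The two raw messages from the article, embedded here as constructed test input
# (syslog-server receive time, <PRI>, BSD timestamp, optional hostname, PAN-OS CSV body).
WITH_HOSTNAME = (
    "Tue Jan 28 13:28:22 2014: <190>Jan 28 01:28:35 PA-VM300-goran1 "
    "1,2014/01/28 01:28:35,007200001056,TRAFFIC,end,1,2014/01/28 01:28:34,"
    "192.168.41.30,192.168.41.255,10.193.16.193,192.168.41.255,allow-all,,,"
    "netbios-ns,vsys1,Trust,Untrust,ethernet1/1,ethernet1/2,To-Panorama,"
    "2014/01/28 01:28:34,8720,1,137,137,11637,137,0x400000,udp,allow,276,276,0,3,"
    "2014/01/28 01:28:02,2,any,0,2076326,0x0,192.168.0.0-192.168.255.255,"
    "192.168.0.0-192.168.255.255,0,3,0")
WITHOUT_HOSTNAME = (
    "Tue Jan 28 13:28:25 2014: <190>Jan 28 01:28:38 "
    "1,2014/01/28 01:28:38,007200001057,TRAFFIC,end,1,2014/01/28 01:28:37,"
    "192.168.22.123,192.168.22.255,10.193.16.193,192.168.22.255,allow-all,,,"
    "netbios-dg,vsys1,Trust,Untrust,ethernet1/1,ethernet1/2,To-Panorama,"
    "2014/01/28 01:28:37,8721,1,138,138,3040,138,0x400000,udp,allow,243,243,0,1,"
    "2014/01/28 01:28:07,0,any,0,2076327,0x0,192.168.0.0-192.168.255.255,"
    "192.168.0.0-192.168.255.255,0,1,0")


def naive_ninth_column(line):
    """The fixed-position approach from the Symptom: 9th space-delimited token.
    It yields the hostname for one firewall and the start of the log body for the other."""
    return line.split(" ")[8]


# <PRI>, BSD timestamp, then an optional hostname (never contains a comma), then the
# PAN-OS body, which always begins "<digits>,YYYY/MM/DD HH:MM:SS,".  Anchoring on that
# body prefix is what decides whether a hostname token is present.
HEADER = re.compile(
    r"<(?P<pri>\d+)>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
    r"(?:(?P<host>[^\s,]+) )?"
    r"(?P<body>\d+,\d{4}/\d{2}/\d{2} \d\d:\d\d:\d\d,.*)$")

# Column indexes in the CSV body for a few TRAFFIC fields, read off the sample layout
# (index 0 is the unused leading field); names are assumed labels, not PAN-OS's own.
FIELDS = {"serial": 2, "type": 3, "subtype": 4, "src": 7, "dst": 8,
          "rule": 11, "app": 14, "action": 30}


def parse_pan_syslog(line):
    """Return named fields plus the full column list; hostname is None when absent."""
    m = HEADER.search(line)
    if not m:
        raise ValueError("not a PAN-OS syslog line")
    cols = next(csv.reader([m.group("body")]))  # csv handles empty and quoted fields
    out = {name: cols[i] for name, i in FIELDS.items()}
    out["hostname"] = m.group("host")  # None when 'Send Hostname in Syslog' is off
    out["columns"] = cols
    return out
```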
Resolution
Make sure to have the same "Send Hostname in Syslog" option setting (either enabled or disabled) on both firewalls.
owner: gbogojevic