Traffic log contains multiple commas in link_switches column

Traffic log contains multiple commas in link_switches column

1331
Created On 08/10/21 01:22 AM - Last Modified 10/21/25 20:30 PM


Symptom


  • When you open the exported traffic log with using Excel or other applications which separates column with comma, you can see some columns are shifted.
  • Also if your system is forwarding traffic log via syslog or another method, syslog server will separate forwarded logs with comma, and columns are shifted.

Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • SD-WAN

Cause


  • Starting PAN-OS 9.1, SD-WAN feature is supported.
  • Some of SD-WAN related fields are added into traffic log. link_switches column is added since PAN-OS 9.1.
  • Link Switches (link_switches) column contains up to four link flap entries, with each entry containing the link name, link tag, link type, physical interface, timestamp, bytes read, bytes written, link health, and link flap cause.
    This field it will contain multiple commas and it will be enclosed in curly brackets.

Resolution


  1. To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key: Value attribute pairs.
  2. Custom message formats can be configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format.
  3. Refer Custom Log/Event Format.

Additional Information


Traffic Log Fields (9.1)
Traffic Log Fields (10.0)
Traffic Log Fields (10.1)
 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004LaOCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language