Huge time difference or data discrepancy seen between the log generated in firewall to log received in the syslog server that uses CEF custom log format
Created On 07/10/24 02:56 AM - Last Modified 07/12/24 09:10 AM
Symptom
Traffic/Threat logs are configured to be forwarded to an external syslog server.
Syslog server is properly configured in the firewall using custom log format CEF.
The CEF custom format was taken from:
PAN-OS 10.0 CEF Configuration Guide
The resulting logs received by the syslog server show a huge time difference/discrepancy between End Time and Agent Receipt Time (a 5 hour difference in this case).
Cause
A CEF custom log format copied and pasted from the site below may contain line breaks.
PAN-OS 10.0 CEF Configuration Guide
In the example above, the Threat custom log format should not contain any line breaks. If we copy/paste the text into Notepad*, it should be one long line instead of multiple lines like below (broken into 27 lines in this case):
*In Notepad, ensure that "word wrap" is turned off in order to see whether there are multiple lines.
If the custom log format contains line breaks, the syslog server interprets a single log as multiple logs, which causes the discrepancy and garbled records. It can also cause the timestamp fields to overlap.
Resolution
Modify the custom log format and remove the line breaks so that it is a single long line before pasting it into the firewall config.
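The following added example (not from the article or from Palo Alto Networks) models the Cause and Resolution above: a pasted Threat format with line breaks is rendered and fed to a line-oriented syslog receiver, which splits it into several records with no usable CEF header and with rt= and end= in different fragments; the same format rejoined onto one line yields a single valid record. The format string and variable names are assumptions constructed for the illustration, not the exact string from the PAN-OS CEF Configuration Guide.

```python
import re

# Constructed illustration of a Threat custom format pasted with line breaks.
# It follows the CEF header/extension layout but is NOT the exact string from
# the PAN-OS CEF Configuration Guide; the $variable names are assumed.
BROKEN_FORMAT = (
    "CEF:0|Palo Alto\n"
    "Networks|PAN-OS|$sender_sw_version|$subtype|THREAT|$number-of-severity"
    "|rt=$cef-formatted-receive_time\n"
    "deviceExternalId=$serial src=$src dst=$dst\n"
    "end=$cef-formatted-time_generated\n"
)

# Constructed sample values standing in for what the firewall would substitute.
SAMPLE_VALUES = {
    "$sender_sw_version": "10.0.0",
    "$subtype": "vulnerability",
    "$number-of-severity": "5",
    "$cef-formatted-receive_time": "Jul 10 2024 02:56:00",
    "$serial": "SERIAL-PLACEHOLDER",
    "$src": "10.0.0.5",
    "$dst": "192.0.2.10",
    "$cef-formatted-time_generated": "Jul 10 2024 02:55:59",
}

def count_line_breaks(fmt):
    """Number of line breaks hiding in a pasted custom format (should be 0)."""
    return fmt.count("\n")

def normalize_cef_format(fmt):
    """Rejoin a wrapped format onto one line. Assumes each break replaced a
    space (how a browser wraps text), so lines are joined with one space;
    review the header fields afterwards in an editor with word wrap off."""
    return " ".join(p.strip() for p in fmt.splitlines() if p.strip())

def render(fmt, values):
    """Substitute $variables the way the firewall would when emitting a log."""
    return re.sub(r"\$[\w-]+", lambda m: values.get(m.group(0), m.group(0)), fmt)

def receive(message):
    """Model a line-oriented syslog receiver: every newline ends a record."""
    return [rec for rec in message.split("\n") if rec]

def cef_header_ok(record):
    """Usable CEF event only with the full 7-field header:
    CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension"""
    return record.startswith("CEF:") and record.count("|") >= 7

if __name__ == "__main__":
    for label, fmt in (("pasted", BROKEN_FORMAT), ("fixed", normalize_cef_format(BROKEN_FORMAT))):
        recs = receive(render(fmt, SAMPLE_VALUES))
        print(f"{label}: {len(recs)} record(s), {sum(map(cef_header_ok, recs))} valid CEF")
```

Running it prints 4 records with 0 valid CEF headers for the pasted format and 1 record with a valid header for the fixed one.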