Error message "correlation unexpected here" during commit process.
Created On 10/12/23 08:16 AM - Last Modified 09/25/24 22:09 PM
Symptom
Several symptoms are related to the "correlation" log type. The examples below are from the firewall.
- When trying to add a new server profile:
  - Go to Device > Server profile > Syslog.
  - Add a new syslog server profile.
  - Browse to "Custom Log Format" and scroll down.
  - There is no "Correlation" object; instead it shows "$.Format.Correlation".
  - While trying to configure it, a "Malformed Request" error is seen.
- When attempting to commit the configuration after a software upgrade, where the configuration includes a previously configured syslog profile, the commit on the firewall fails with the following error:
Operation Commit
Status Completed
Result Failed
Details
Validation Error:
shared -> log-settings -> syslog -> test-syslog -> format -> correlation unexpected here
shared -> log-settings -> syslog -> test-syslog -> format is invalid
Commit failed
- While trying to edit an existing Server profile:
Environment
- Palo Alto 3400 and 5400 Platforms
- PAN-OS 10.2.2, 11.0.3, 11.1.2x
Cause
The 3400/5400f platforms have not been defined for correlation events under the custom log format, which causes the Malformed Request error.
Resolution
- The issue is fixed under PAN-255711 and PAN-203791.
- Upgrading PAN-OS to version 11.2.3, 11.1.5, 11.0.7, 10.2.5, 10.1.12 or higher resolves the issue.
- Downgrading to the older version also resolves the issue.
Additional Information
Workaround:
- Export Candidate Configuration
  - Go to Panorama > Setup > Operations > Export named Panorama Configuration snapshot.
  - Save the exported file to your computer.
- Edit Candidate Configuration
  - Use a text editor like Notepad++ or an XML editor to open the exported candidate configuration file.
  - Remove the following highlighted entries
<format>
<config>LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$result|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|devTime=$cef-formatted-receive_time|src=$host|VirtualSystem=$vsys| msg=$cmd|usrName=$admin|client=$client|Result=$result| ConfigurationPath=$path|sequence=$seqno|ActionFlags=$actionflags| BeforeChangeDetail=$before-change-detail|AfterChangeDetail=$after-change-detail|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name</config>
...
<iptag>LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$event_id|x7C|cat=$type|devTime=$cef-formatted-receive_time|ReceiveTime=$receive_time|SerialNumber=$serial|Subtype=$subtype|GenerateTime=$time_generated|VirtualSystem=$vsys|src=$ip|TagName=$tag_name|EventID=$eventid|RepeatCount=$repeatcnt|TimeoutThreshold=$timeout|DataSourceName=$datasourcename|DataSource=$datasource_type|DataSourceType=$datasource_subtype|sequence=$seqno|ActionFlags=$actionflags|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|VirtualSystemID=$vsys_id</iptag>
<correlation>LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|8.0|$category|ReceiveTime=$receive_time|x7C|SerialNumber=$serial|cat=$type|devTime=$cef-formatted-receive_time|startTime=$cef-formatted-time_generated|Severity=$severity|VirtualSystem=$vsys|VirtualSystemID=$vsys_id|src=$src|SourceUser=$srcuser|msg=$evidence|DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name|ObjectName=$object_name|ObjectID=$object_id</correlation>
</format>
- Import and Load Custom Configuration
  - Go to Panorama GUI Device > Setup > Operations.
  - Import and load your custom Panorama candidate configuration.
  - Validate and Commit Changes.
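
The edit step of the workaround can be scripted instead of done by hand. The following is an added example, not code from Palo Alto Networks: it assumes the entry to remove is the `<correlation>` element named in the validation error, and that syslog profiles are stored as `<entry name="...">` elements under `<syslog>`. The sample XML is constructed and `strip_correlation` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the path in the validation error:
# shared -> log-settings -> syslog -> test-syslog -> format -> correlation
SAMPLE = """<config>
  <shared>
    <log-settings>
      <syslog>
        <entry name="test-syslog">
          <format>
            <config>LEEF:1.0|sample|cat=$type</config>
            <iptag>LEEF:2.0|sample|cat=$type</iptag>
            <correlation>LEEF:2.0|sample|cat=$type</correlation>
          </format>
        </entry>
        <entry name="no-custom-format"/>
      </syslog>
    </log-settings>
  </shared>
</config>"""


def strip_correlation(xml_text):
    """Remove <correlation> from every syslog profile's <format>.

    Returns (cleaned_xml, names_of_profiles_changed).
    """
    root = ET.fromstring(xml_text)
    changed = []
    # iter() finds <syslog> wherever it sits in the tree (assumption:
    # the same layout is used outside <shared> as well).
    for syslog in root.iter("syslog"):
        for profile in syslog:
            fmt = profile.find("format")
            if fmt is None:
                continue  # profile has no custom log format
            for corr in fmt.findall("correlation"):
                fmt.remove(corr)
                changed.append(profile.get("name", profile.tag))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    cleaned, profiles = strip_correlation(SAMPLE)
    print("correlation format removed from:", profiles)
    print(cleaned)
```

Review a diff of the cleaned file against the export before importing it, so that the removed `<correlation>` elements are the only substantive change.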