After upgrade to PAN-OS 10.1.5, syslog contains unexpected value in several fields.

After upgrade to PAN-OS 10.1.5, syslog contains unexpected value in several fields.

6491
Created On 05/26/22 08:44 AM - Last Modified 06/25/25 02:21 AM


Symptom


  • After upgrade to PAN-OS 10.1.5, syslog contains unexpected value in several fields.
  • This issue happens in Threat type log, including URL Filtering, WildFire Submission log.
  • Exported CSV log is also affected.
  • The following fields have unexpected value. 
    Source Dynamic Address Group
Cloud
X-Forwarded-For
Referer
Sender
Subject
Recipient
file_url
HTTP Headers
URL Category List
Destination Dynamic Address Group
Justification
  • In this syslog entry, "computer-and-internet-info,low-risk" is recorded in the field. 
    May 12 19:28:56 PA-VM 1,2022/05/12 19:28:56,00XXXXXXXXXXXX,THREAT,virus,2561,
2022/05/12 19:28:56,172.16.1.1,89.238.73.97,10.1.1.38,89.238.73.97,Trust-to-Untrust,,,web-browsing,vsys1,L3-Trust,L3-Untrust,ethernet1/6,ethernet1/3,log-forwarding,
2022/05/12 19:28:56,143,1,41916,443,53156,443,0x1402000,tcp,reset-server,"secure.eicar.org/eicar.com",Eicar Test File(100000),computer-and-internet-info,medium,server-to-client,7096783645267984433,0x0,172.16.0.0-172.31.255.255,
Germany,,,0,,"computer-and-internet-info,low-risk",1,,,"computer-and-internet-info,low-risk","computer-and-internet-info,low-risk","computer-and-internet-info,low-risk",
"computer-and-internet-info,low-risk","computer-and-internet-info,low-risk",0,0,0,0,0,,PA-VM,"computer-and-internet-info,low-risk",,,,0,,0,,N/A,js,Antivirus-0-0,0x0,0,4294967295,
"computer-and-internet-info,low-risk","computer-and-internet-info,low-risk",6203a7f4-d76f-4dcb-9c07-1de7b171f633,0,,,,,,,,,,,,,,,,,,,,,,,,,,,"computer-and-internet-info,low-risk",
"computer-and-internet-info,low-risk",0,2022-05-12T19:28:56.588+09:00,,"computer-and-internet-info,low-risk",,internet-utility,general-internet,browser-based,4,
"used-by-malware,able-to-transfer-file,has-known-vulnerability,tunnel-other-application,pervasive-use",,web-browsing,no,no


Environment


  • Palo Alto Firewall
  • PAN-OS 10.1.5, 10.1.5-h1 and 10.1.5-h2

Cause


  1. The issue is hitting to PAN-193579. It caused the existing value in the buffer to be copied into the log output.
  2. It has been fixed in PAN-OS 10.1.6.

Resolution


Upgrade PAN-OS to 10.1.6.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000sYehCAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language