PALO ALTO NETWORKS VPN TROUBLESHOOTING HOW TO

1. Check to see if logs are being forwarded properly

Confirm you are receiving LEEF log format in QRadar: navigate to the "Log Activity" tab of QRadar and create an advanced search:

SELECT UTF8(payload) FROM events WHERE devicetype=206

Double check that the log contains the word LEEF in the payload. If LEEF does not exist in the payload, then you have set up log forwarding with the standard log format. By default QRadar expects logs to be in LEEF format. Check the log forwarding configuration in the Firewall/Panorama; refer to the getting started guide on how to set up log forwarding from the Firewall/Panorama and on how to send logs in LEEF format.

NOTE: Make sure you are using LEEF format for PAN-OS v7.0-v8.0+.

If LEEF exists in the payload, then there may be an issue with the custom properties.

2. Check that custom properties are correct

Confirm each field is being parsed by running this search in the "Log Activity" tab of QRadar:

SELECT "PANW-type", "PANW-subtype", "PANW-category", "PANW-filename", "PANW-threatid", "PANW-vendor-action" FROM events WHERE "PANW-type"='THREAT'

The columns returned should have values in them. If you are receiving "NA" in a column, then there is an issue with the parser. Navigate to the admin panel, click on "Extensions" and confirm that the "Palo Alto Networks LEEF to Standard log" extension is NOT installed. This extension is only required if logs are being sent in the standard log format.
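The two checks above can be rehearsed offline before opening QRadar. The following added example (not part of this guide or of the QRadar DSM) tells a LEEF payload from a standard-format one, parses the LEEF header and attributes, and reports any expected custom property the parser could not fill as "NA", the symptom the guide describes; the sample payloads, the attribute names and the PROPERTY_MAP mapping from QRadar property to LEEF field are constructed assumptions.

```python
import re

# Constructed sample syslog payloads (not captured from a real firewall).
LEEF_PAYLOAD = (
    "<14>Jan 01 12:00:00 fw01 LEEF:2.0|Palo Alto Networks|PAN-OS|8.0|THREAT|"
    "cat=vulnerability\tsubtype=vulnerability\tfname=-\tsev=4\taction=reset-both"
)
STANDARD_PAYLOAD = (
    "<14>Jan 01 12:00:00 fw01 1,2020/01/01 12:00:00,001234567890,THREAT,"
    "vulnerability,2049,2020/01/01 12:00:00,10.0.0.5,10.0.0.9,rule1"
)

HEADER_RE = re.compile(
    r"LEEF:(?P<ver>[12]\.0)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<pver>[^|]*)\|(?P<eventid>[^|]*)\|(?P<rest>.*)$"
)

# Assumed mapping: QRadar custom property -> "header:<field>" or LEEF attribute key.
PROPERTY_MAP = {
    "PANW-type": "header:eventid",
    "PANW-subtype": "subtype",
    "PANW-category": "cat",
    "PANW-filename": "fname",
    "PANW-threatid": "ThreatID",
    "PANW-vendor-action": "action",
}


def is_leef(payload: str) -> bool:
    """Same test as the guide's first search: does the payload carry LEEF at all?"""
    return "LEEF:" in payload


def parse_leef(payload: str) -> dict:
    """Split a LEEF 1.0/2.0 event into header fields and extension attributes."""
    m = HEADER_RE.search(payload)
    if not m:
        raise ValueError("payload is standard (non-LEEF) format")
    header = {k: m.group(k) for k in ("ver", "vendor", "product", "pver", "eventid")}
    rest, delim = m.group("rest"), "\t"
    # LEEF 2.0 may carry an optional delimiter field (literal char or hex like x09).
    if header["ver"] == "2.0" and "|" in rest and "=" not in rest.split("|", 1)[0]:
        spec, rest = rest.split("|", 1)
        hexm = re.fullmatch(r"0?x([0-9A-Fa-f]{2,4})", spec)
        delim = chr(int(hexm.group(1), 16)) if hexm else spec
    attrs = dict(kv.split("=", 1) for kv in rest.split(delim) if "=" in kv)
    return {"header": header, "attrs": attrs}


def check_custom_properties(payload: str) -> dict:
    """Mirror the guide's second search: unfilled properties show up as NA."""
    event = parse_leef(payload)
    out = {}
    for prop, src in PROPERTY_MAP.items():
        pool = event["header"] if src.startswith("header:") else event["attrs"]
        out[prop] = pool.get(src.split(":", 1)[-1], "NA")
    return out
```

A property reported as "NA" here points at a missing or renamed field in the event, which is the same thing to investigate when the QRadar column shows NA.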