Palo Alto Networks next-generation firewalls provide real-time threat prevention, application visibility, and user-based policy enforcement. This technology pack processes Palo Alto PAN-OS 11.x logs, providing normalization and enrichment of common events of interest across all supported log types.
Supported Versions
-
PAN-OS 11.1+
Requirements
-
Graylog Server 6.1.0+ with a valid Enterprise license.
-
Palo Alto Device(s) sending logs to the Palo Alto 11.x input on the Graylog system.
Stream Configuration
This technology pack includes 1 stream. If you were previously using the Palo Alto 9.x pack with Illuminate, this pack uses the same stream:
- "Illuminate:Palo Alto Messages"
Index Set Configuration
This technology pack includes 1 index set definition:
- "Palo Alto Logs"
Log Collection
Configure Palo Alto devices to send logs via TCP transport using BSD format. Refer to the Palo Alto syslog monitoring guide for device configuration. Devices must send data without custom formats for proper processing.
Log Processing
This content pack processes the following PAN-OS 11.x log types. Newer PAN-OS versions may introduce additional
fields; these are captured in placeholder fields prefixed with additional_field_
(a through x). When only an IPv6 address is present (IPv4 logged as 0.0.0.0), the IPv6 value is reassigned to
the appropriate IP field. Brief message summaries are generated for Threat and Traffic logs in place of verbose
CSV data.
-
Config - administrator configuration change events.
-
Decryption - SSL/TLS inspection events with certificate and cipher details.
-
GlobalProtect - VPN client tunnel lifecycle and authentication events.
-
HIP Match - host information profile compliance check events.
-
System - firewall system and DHCP events.
-
Threat - intrusion detection alerts including virus, spyware, vulnerability, WildFire, and URL filtering.
-
Traffic - network session start, end, and drop events.
-
User-ID - user-to-IP mapping and logout events.
GIM Categorization
GIM event type categorization is provided for the following message types:
Fields List ▼
| Message Type | gim_event_type_code | gim_event_category | gim_event_class | gim_event_subcategory | gim_event_type |
|---|---|---|---|---|---|
| GlobalProtect login (portal-auth / gateway-auth) | 100000 | authentication | authentication.logon | logon | |
| GlobalProtect login (portal-auth / gateway-auth) | 100500 | authentication | authentication.credential validation | credential validation | |
| Traffic logs | 120000 | network | network.network connection | network connection | |
| System DHCP logs (BOUND / RELEASE / RENEW) | 299999 | dhcp | dhcp.default | dhcp default event | |
| Threat logs (virus / spyware / vulnerability / wildfire / url-filtering) | 300000 | detection | detection.network_detection | ids_detection |
Field Normalization
Fields extracted and normalized for each PAN-OS 11.x log type.
Common Fields
Common Fields List ▼
| Illuminate Field | Vendor Field |
|---|---|
| event_received_time | Receive Time |
| event_created | High Resolution Timestamp |
| event_uid | Sequence Number |
| event_observer_uid | Serial Number |
| event_observer_hostname | Device Name |
| vendor_subtype | Type |
| vendor_event_created | Generated Time |
| vendor_log_panorama | Action Flags |
| vendor_dev_group_level_1 | Device Group Hierarchy Level 1 |
| vendor_dev_group_level_2 | Device Group Hierarchy Level 2 |
| vendor_dev_group_level_3 | Device Group Hierarchy Level 3 |
| vendor_dev_group_level_4 | Device Group Hierarchy Level 4 |
| host_virtfw_id | Virtual System |
| host_virtfw_hostname | Virtual System Name |
Config Log Fields
Config Logs Fields ▼
| Illuminate Field | Vendor Field |
|---|---|
| event_received_time | Receive Time |
| event_observer_uid | Serial Number |
| vendor_subtype | Type |
| vendor_event_created | Generated Time |
| host_ip | Host |
| host_virtfw_id | Virtual System |
| user_command | Command |
| user_name | Admin |
| vendor_signin_protocol | Client |
| vendor_event_action | Result |
| user_command_path | Configuration Path |
| event_uid | Sequence Number |
| vendor_log_panorama | Action Flags |
| vendor_dev_group_level_1 | Device Group Hierarchy Level 1 |
| vendor_dev_group_level_2 | Device Group Hierarchy Level 2 |
| vendor_dev_group_level_3 | Device Group Hierarchy Level 3 |
| vendor_dev_group_level_4 | Device Group Hierarchy Level 4 |
| host_virtfw_hostname | Virtual System Name |
| event_observer_hostname | Device Name |
| vendor_audit_comment | Audit Comment |
| event_created | High Resolution Timestamp |
Decryption Log Fields
Decryption Logs Fields ▼
| Illuminate Field | Vendor Field |
|---|---|
| event_received_time | Receive Time |
| event_observer_uid | Serial Number |
| vendor_subtype | Type |
| vendor_log_subtype | Threat/Content Type |
| vendor_event_created | Generated Time |
| source_ip | Source Address |
| destination_ip | Destination Address |
| source_nat_ip | NAT Source IP |
| destination_nat_ip | NAT Destination IP |
| rule_name | Rule |
| user_name | Source User |
| destination_user_name | Destination User |
| application_name | Application |
| host_virtfw_id | Virtual System |
| source_zone | Source Zone |
| destination_zone | Destination Zone |
| network_interface_in | Inbound Interface |
| network_interface_out | Outbound Interface |
| vendor_logging_profile | Log Action |
| session_id | Session ID |
| event_repeat_count | Repeat Count |
| source_port | Source Port |
| destination_port | Destination Port |
| source_nat_port | NAT Source Port |
| destination_nat_port | NAT Destination Port |
| vendor_flags | Flags |
| network_transport | IP Protocol |
| vendor_event_action | Action |
| crypto_protocol_version | TLS Version |
| tls_keyxchg | Key Exchange Algorithm |
| tls_enc | Encryption Algorithm |
| tls_auth | Hash Algorithm |
| policy_name | Policy Name |
| ec_curve | Elliptic Curve |
| root_status | Root Status |
| chain_status | Chain Status |
| proxy_type | Proxy Type |
| crypto_certificate_serial_number | Certificate Serial Number |
| crypto_certificate_activation_time | Certificate Start Date |
| crypto_certificate_expiration_time | Certificate End Date |
| crypto_certificate_version | Certificate Version |
| cert_size | Certificate Size |
| crypto_certificate_issuer | Issuer Subject Common Name |
| cn | Subject Common Name |
| root_cn | Root Subject Common Name |
| sni | Server Name Indication |
| event_error_description | Error |
| container_id | Container ID |
| container_namespace | POD Namespace |
| container_name | POD Name |
| vendor_src_edl | Source External Dynamic List |
| vendor_dst_edl | Destination External Dynamic List |
| vendor_src_dag | Source Dynamic Address Group |
| vendor_dst_dag | Destination Dynamic Address Group |
| event_uid | Sequence Number |
| vendor_log_panorama | Action Flags |
| vendor_dev_group_level_1 | Device Group Hierarchy Level 1 |
| vendor_dev_group_level_2 | Device Group Hierarchy Level 2 |
| vendor_dev_group_level_3 | Device Group Hierarchy Level 3 |
| vendor_dev_group_level_4 | Device Group Hierarchy Level 4 |
| host_virtfw_hostname | Virtual System Name |
| event_observer_hostname | Device Name |
| host_virtfw_uid | Virtual System ID |
| source_category | Source Device Category |
| vendor_source_profile | Source Device Profile |
| source_device_model | Source Device Model |
| source_device_vendor | Source Device Vendor |
| source_os_name | Source Device OS Family |
| source_os_version | Source Device OS Version |
| source_hostname | Source Hostname |
| source_mac | Source Mac Address |
| destination_category | Destination Device Category |
| vendor_destination_profile | Destination Device Profile |
| destination_device_model | Destination Device Model |
| destination_device_vendor | Destination Device Vendor |
| destination_os_name | Destination Device OS Family |
| destination_os_version | Destination Device OS Version |
| destination_hostname | Destination Hostname |
| destination_mac | Destination Mac Address |
| application_subcategory | Application Subcategory |
| application_category | Application Category |
| application_technology | Application Technology |
| application_risk | Application Risk |
| application_characteristic | Application Characteristic |
| application_container | Application Container |
| application_is_saas | Application SaaS |
| application_sanctioned_state | Application Sanctioned State |
| cluster_name | Cluster Name |
| flow_type | Flow Type |
| event_created | High Resolution Timestamp |
GlobalProtect Log Fields
GlobalProtect Logs Fields ▼
| Illuminate Field | Vendor Field |
|---|---|
| event_received_time | Receive Time |
| event_observer_uid | Serial Number |
| vendor_subtype | Type |
| vendor_log_subtype | Threat/Content Type |
| vendor_event_created | Generated Time |
| host_virtfw_id | Virtual System |
| vendor_event_name | Event ID |
| vendor_tunnel_stage | Stage |
| vendor_auth_method | Authentication Method |
| network_tunnel_type | Tunnel Type |
| user_name | Source User |
| vendor_source_region | Source Region |
| source_hostname | Machine Name (hostname) |
| source_ip | Public IP |
| source_ipv6 | Public IPv6 |
| source_nat_ip | Private IP |
| source_nat_ipv6 | Private IPv6 |
| vendor_gp_hostid | Host ID |
| source_id | Serial Number (client) |
| vendor_gp_client_version | Client Version |
| source_os_name | Client OS |
| source_os_version | Client OS Version |
| event_repeat_count | Repeat Count |
| vendor_gp_reason | Reason |
| event_error_description | Error |
| vendor_gp_error_extended | Description |
| vendor_event_outcome | Status |
| vendor_gp_location_name | Location |
| network_tunnel_duration | Login Duration |
| vendor_gp_connect_method | Connect Method |
| event_error_code | Error Code |
| destination_hostname | Portal |
| event_uid | Sequence Number |
| vendor_log_panorama | Action Flags |
| event_created | High Resolution Timestamp |
| vendor_selection_type | Selection Type |
| application_response_time | Response Time |
| vendor_gateway_priority | Priority |
| vendor_attempted_gateways | Attempted Gateways |
| vendor_gateway | Gateway |
| vendor_dev_group_level_1 | Device Group Hierarchy Level 1 |
| vendor_dev_group_level_2 | Device Group Hierarchy Level 2 |
| vendor_dev_group_level_3 | Device Group Hierarchy Level 3 |
| vendor_dev_group_level_4 | Device Group Hierarchy Level 4 |
| host_virtfw_hostname | Virtual System Name |
| event_observer_hostname | Device Name |
| host_virtfw_uid | Virtual System ID |
| cluster_name | Cluster Name |
HIP Match Log Fields
HIP Match Logs Fields ▼
| Illuminate Field | Vendor Field |
|---|---|
| event_received_time | Receive Time |
| event_observer_uid | Serial Number |
| vendor_subtype | Type |
| vendor_log_subtype | Threat/Content Type |
| vendor_event_created | Generated Time |
| user_name | Source User |
| host_virtfw_id | Virtual System |
| host_hostname | Machine Name |
| host_type | Operating System |
| host_ip | Source Address |
| vendor_hipmatch_name | HIP |
| event_repeat_count | Repeat Count |
| vendor_hipmatch_type | HIP Type |
| event_uid | Sequence Number |
| vendor_log_panorama | Action Flags |
| vendor_dev_group_level_1 | Device Group Hierarchy Level 1 |
| vendor_dev_group_level_2 | Device Group Hierarchy Level 2 |
| vendor_dev_group_level_3 | Device Group Hierarchy Level 3 |
| vendor_dev_group_level_4 | Device Group Hierarchy Level 4 |
| host_virtfw_hostname | Virtual System Name |
| event_observer_hostname | Device Name |
| host_virtfw_uid | Virtual System ID |
| host_ipv6 | IPv6 Source Address |
| vendor_gp_hostid | Host ID |
| host_id | User Device Serial Number |
| source_mac | Device MAC Address |
| event_created | High Resolution Timestamp |
| cluster_name | Cluster Name |
System Log Fields
System Logs Fields ▼
| Illuminate Field | Vendor Field |
|---|---|
| event_received_time | Receive Time |
| event_observer_uid | Serial Number |
| vendor_subtype | Type |
| vendor_event_created | Generated Time |
| host_virtfw_id | Virtual System |
| vendor_event_name | Event ID |
| vendor_event_object | Object |
| vendor_module | Module |
| event_severity | Severity |
| message | Description |
| event_uid | Sequence Number |
| vendor_log_panorama | Action Flags |
| vendor_dev_group_level_1 | Device Group Hierarchy Level 1 |
| vendor_dev_group_level_2 | Device Group Hierarchy Level 2 |
| vendor_dev_group_level_3 | Device Group Hierarchy Level 3 |
| vendor_dev_group_level_4 | Device Group Hierarchy Level 4 |
| host_virtfw_hostname | Virtual System Name |
| event_observer_hostname | Device Name |
| event_created | High Resolution Timestamp |
Threat Log Fields
Threat Logs Fields ▼
| Illuminate Field | Vendor Field |
|---|---|
| event_received_time | Receive Time |
| event_observer_uid | Serial Number |
| vendor_subtype | Type |
| vendor_log_subtype | Threat/Content Type |
| vendor_event_created | Generated Time |
| source_ip | Source Address |
| destination_ip | Destination Address |
| source_nat_ip | NAT Source IP |
| destination_nat_ip | NAT Destination IP |
| rule_name | Rule Name |
| source_user_name | Source User |
| destination_user_name | Destination User |
| application_name | Application |
| host_virtfw_id | Virtual System |
| source_zone | Source Zone |
| destination_zone | Destination Zone |
| network_interface_in | Inbound Interface |
| network_interface_out | Outbound Interface |
| vendor_logging_profile | Log Action |
| session_id | Session ID |
| event_repeat_count | Repeat Count |
| source_port | Source Port |
| destination_port | Destination Port |
| source_nat_port | NAT Source Port |
| destination_nat_port | NAT Destination Port |
| vendor_flags | Flags |
| network_transport | IP Protocol |
| vendor_event_action | Action |
| alert_indicator | URL/Filename |
| alert_signature | Threat ID |
| event_category | Category |
| vendor_alert_severity | Severity |
| vendor_alert_direction | Direction |
| event_uid | Sequence Number |
| vendor_log_panorama | Action Flags |
| source_location_name | Source Location |
| destination_location_name | Destination Location |
| http_content_type | Content Type |
| vendor_pcap_id | PCAP ID |
| vendor_wildfire_hash | File Digest |
| vendor_cloud_hostname | Cloud |
| vendor_url_index | URL Index |
| http_user_agent_name | User Agent |
| file_type | File Type |
| http_xff | X-Forwarded-For |
| http_referrer | Referer |
| source_user_email | Sender |
| email_subject | Subject |
| target_user_email | Recipient |
| vendor_wildfire_report_id | Report ID |
| vendor_dev_group_level_1 | Device Group Hierarchy Level 1 |
| vendor_dev_group_level_2 | Device Group Hierarchy Level 2 |
| vendor_dev_group_level_3 | Device Group Hierarchy Level 3 |
| vendor_dev_group_level_4 | Device Group Hierarchy Level 4 |
| host_virtfw_hostname | Virtual System Name |
| event_observer_hostname | Device Name |
| source_vsys_uuid | Source VM UUID |
| destination_vsys_uuid | Destination VM UUID |
| http_method | HTTP Method |
| vendor_tunnel_id | Tunnel ID/IMSI |
| vendor_monitor_tag | Monitor Tag/IMEI |
| vendor_parent_session_id | Parent Session ID |
| vendor_parent_start_time | Parent Start Time |
| network_tunnel_type | Tunnel Type |
| vendor_threat_category | Threat Category |
| alert_definitions_version | Content Version |
| policy_uid | Rule UUID |
| vendor_dynusergroup_name | Dynamic User Group Name |
| http_xff_address | XFF Address |
| source_category | Source Device Category |
| vendor_source_profile | Source Device Profile |
| source_device_model | Source Device Model |
| source_device_vendor | Source Device Vendor |
| source_os_name | Source Device OS Family |
| source_os_version | Source Device OS Version |
| source_hostname | Source Hostname |
| source_mac | Source MAC Address |
| destination_category | Destination Device Category |
| vendor_destination_profile | Destination Device Profile |
| destination_device_model | Destination Device Model |
| destination_device_vendor | Destination Device Vendor |
| destination_os_name | Destination Device OS Family |
| destination_os_version | Destination Device OS Version |
| destination_hostname | Destination Hostname |
| destination_mac | Destination MAC Address |
| container_id | Container ID |
| container_namespace | POD Namespace |
| container_name | POD Name |
| vendor_src_edl | Source External Dynamic List |
| vendor_dst_edl | Destination External Dynamic List |
| vendor_src_dag | Source Dynamic Address Group |
| vendor_dst_dag | Destination Dynamic Address Group |
| event_created | High Resolution Timestamp |
| vendor_event_outcome_reason | Reason |
| application_subcategory | Application Subcategory |
| application_category | Application Category |
| application_technology | Application Technology |
| application_risk_level | Application Risk |
| application_characteristic | Application Characteristic |
| application_container | Application Container |
| application_is_saas | Application SaaS |
| application_sanctioned_state | Application Sanctioned State |
| cluster_name | Cluster Name |
| flow_type | Flow Type |
Traffic Log Fields
Traffic Logs Fields ▼
| Illuminate Field | Vendor Field |
|---|---|
| event_received_time | Receive Time |
| event_observer_uid | Serial Number |
| vendor_subtype | Type |
| vendor_event_created | Generated Time |
| source_ip | Source Address |
| destination_ip | Destination Address |
| source_nat_ip | NAT Source IP |
| destination_nat_ip | NAT Destination IP |
| rule_name | Rule Name |
| user_name | Source User |
| destination_user_name | Destination User |
| application_name | Application |
| host_virtfw_id | Virtual System |
| source_zone | Source Zone |
| destination_zone | Destination Zone |
| network_interface_in | Inbound Interface |
| network_interface_out | Outbound Interface |
| vendor_logging_profile | Log Action |
| session_id | Session ID |
| event_repeat_count | Repeat Count |
| source_port | Source Port |
| destination_port | Destination Port |
| source_nat_port | NAT Source Port |
| destination_nat_port | NAT Destination Port |
| vendor_flags | Flags |
| network_transport | IP Protocol |
| vendor_event_action | Action |
| network_bytes | Bytes |
| source_bytes_sent | Bytes Sent |
| destination_bytes_sent | Bytes Received |
| network_packets | Packets |
| event_start | Start Time |
| event_duration | Elapsed Time |
| http_uri_category | Category |
| event_uid | Sequence Number |
| vendor_log_panorama | Action Flags |
| source_location_name | Source Country |
| destination_location_name | Destination Country |
| source_packets_sent | Packets Sent |
| destination_packets_sent | Packets Received |
| vendor_session_end_reason | Session End Reason |
| vendor_dev_group_level_1 | Device Group Hierarchy Level 1 |
| vendor_dev_group_level_2 | Device Group Hierarchy Level 2 |
| vendor_dev_group_level_3 | Device Group Hierarchy Level 3 |
| vendor_dev_group_level_4 | Device Group Hierarchy Level 4 |
| host_virtfw_hostname | Virtual System Name |
| event_observer_hostname | Device Name |
| vendor_event_description | Action Source |
| source_vsys_uuid | Source VM UUID |
| destination_vsys_uuid | Destination VM UUID |
| rule_uuid | Rule UUID |
| hs_stage_c2f | Stage for Client to Firewall |
| hs_stage_f2s | Stage for Firewall to Server |
| crypto_protocol_version | TLS Version |
| tls_keyxchg | Key Exchange Algorithm |
| tls_enc | Encryption Algorithm |
| tls_auth | Hash Algorithm |
| policy_name | Policy Name |
| ec_curve | Elliptic Curve |
| root_status | Root Status |
| chain_status | Chain Status |
| proxy_type | Proxy Type |
| crypto_certificate_serial_number | Certificate Serial Number |
| crypto_certificate_version | Certificate Version |
| cert_size | Certificate Size |
| crypto_certificate_issuer | Issuer Subject Common Name |
| cn | Subject Common Name |
| root_cn | Root Subject Common Name |
| sni | Server Name Indication |
| event_error_description | Error |
| container_id | Container ID |
| container_namespace | POD Namespace |
| container_name | POD Name |
| vendor_src_edl | Source External Dynamic List |
| vendor_dst_edl | Destination External Dynamic List |
| vendor_src_dag | Source Dynamic Address Group |
| vendor_dst_dag | Destination Dynamic Address Group |
| event_created | High Res Timestamp |
| source_category | Source Device Category |
| vendor_source_profile | Source Device Profile |
| source_device_model | Source Device Model |
| source_device_vendor | Source Device Vendor |
| source_os_name | Source Device OS Family |
| source_os_version | Source Device OS Version |
| source_hostname | Source Hostname |
| source_mac | Source Mac Address |
| destination_category | Destination Device Category |
| vendor_destination_profile | Destination Device Profile |
| destination_device_model | Destination Device Model |
| destination_device_vendor | Destination Device Vendor |
| destination_os_name | Destination Device OS Family |
| destination_os_version | Destination Device OS Version |
| destination_hostname | Destination Hostname |
| destination_mac | Destination Mac Address |
| application_subcategory | Application Subcategory |
| application_category | Application Category |
| application_technology | Application Technology |
| application_risk | Application Risk |
| application_characteristic | Application Characteristic |
| application_container | Application Container |
| application_is_saas | Application SaaS |
| application_sanctioned_state | Application Sanctioned State |
| cluster_name | Cluster Name |
| flow_type | Flow Type |
User-ID Log Fields
User-ID Logs Fields ▼
| Illuminate Field | Vendor Field |
|---|---|
| event_received_time | Receive Time |
| event_observer_uid | Serial Number |
| vendor_subtype | Type |
| vendor_log_subtype | Threat/Content Type |
| vendor_event_created | Generated Time |
| host_virtfw_id | Virtual System |
| source_ip | Source IP |
| user_name | User |
| vendor_datasource_name | Data Source Name |
| vendor_event_name | Event ID |
| event_repeat_count | Repeat Count |
| vendor_timeout | Time Out Threshold |
| source_port | Source Port |
| destination_port | Destination Port |
| vendor_datasource | Data Source |
| vendor_datasource_type | Data Source Type |
| event_uid | Sequence Number |
| vendor_log_panorama | Action Flags |
| vendor_dev_group_level_1 | Device Group Hierarchy Level 1 |
| vendor_dev_group_level_2 | Device Group Hierarchy Level 2 |
| vendor_dev_group_level_3 | Device Group Hierarchy Level 3 |
| vendor_dev_group_level_4 | Device Group Hierarchy Level 4 |
| host_virtfw_hostname | Virtual System Name |
| event_observer_hostname | Device Name |
| host_virtfw_uid | Virtual System ID |
| vendor_factor_type | Factor Type |
| vendor_factor_completion_time | Factor Completion Time |
| vendor_factor_number | Factor Number |
| vendor_user_group_flags | User Group Flags |
| tag_name | Tag Name |
| event_created | High Resolution Timestamp |
| origin_data_source | Origin Data Source |
| cluster_name | Cluster Name |
Enrichments
Illuminate enriches events with data to make working with events easier.
application_risk
Some Palo Alto logs include a numeric risk-scoring value, assigned to the field application_risk_level for logged applications, on a scale of 1 (lowest) to 5
(highest). Illuminate also adds the field application_risk_score, which provides a text value that reflects the rating of the numeric risk score.
Palo Alto 11 Spotlight Content Pack
This spotlight offers a dashboard with 6 tabs:
Overview
Traffic
Threat
GlobalProtect
URL Filtering
Decryption
