panos-parser(): parsing PAN-OS log messages

The PAN-OS (short for Palo Alto Networks Operating System) parser can parse log messages originating from Palo Alto Networks devices. Although these messages comply with the syslog RFCs, their MESSAGE part is not plain text: it carries a structured, comma-separated record whose fields must be parsed separately.

The panos-parser() of AxoSyslog solves this problem by splitting PAN-OS log messages into name-value pairs.

For details on using value-pairs in AxoSyslog, see Structuring macros, metadata, and other value-pairs.

Prerequisites

  • Version 3.29 of AxoSyslog or later.

  • PAN-OS log messages from Palo Alto Networks devices.

Limitations

The panos-parser() only works on AxoSyslog version 3.29 or later.

Configuration

You can include the panos-parser() in your AxoSyslog configuration like this:

    parser p_parser {
        panos-parser();
    };

To use this parser, the scl.conf file must be included in your AxoSyslog configuration:

   @include "scl.conf"
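A complete, minimal configuration that ties the parser to a source and a destination, as an added example (it is not the snippet from the AxoSyslog documentation or from the scl.conf source). It assumes a firewall forwarding syslog to UDP port 514 of the collector, that your AxoSyslog release accepts `@version: current`, and it writes every name-value pair the parser produces as one JSON object per line to an assumed path, /var/log/panos.json:

```conf
@version: current
@include "scl.conf"

# Constructed example: a PAN-OS firewall forwards syslog to this host on UDP/514.
# UDP is used for brevity; on a real collector prefer tcp or tls transport so
# that log lines cannot be trivially spoofed from any host on the network.
source s_panos {
    network(
        ip("0.0.0.0")
        port(514)
        transport("udp")
    );
};

# Split the structured MESSAGE part of each PAN-OS message into name-value pairs.
parser p_panos {
    panos-parser();
};

# Emit all name-value pairs (dot-prefixed ones included) plus the timestamp
# as one JSON object per line. The output path is an assumption.
destination d_panos_json {
    file("/var/log/panos.json"
        template("$(format-json --scope all-nv-pairs --key ISODATE)\n")
    );
};

log {
    source(s_panos);
    parser(p_panos);
    destination(d_panos_json);
};
```

Check the file with `syslog-ng --syntax-only -f <path>` before reloading. Using `--scope all-nv-pairs` rather than `nv-pairs` matters because the latter omits names that begin with a dot, so a parser that prefixes its output would otherwise produce empty objects.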

The panos-parser() is a reusable configuration snippet that parses Palo Alto Networks PAN-OS log messages. For details on using or writing such configuration snippets, see Reusing configuration blocks. You can find the source of this configuration snippet on GitHub.