Firewall (FW)

IDPS firewall

Workload location

Hardware
Audit log source

Palo Alto Firewall
Audited operations

Log in to Web UI and show settings

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User or service identity message

A subset of the message value. For example,

admin

Target

(Fields and values that call the API)

 message

For example,

"message":"012501009150,2022/11/22 12:03:54,audit,2561,gui-op,admin,\"<show><system><setting><multi-vsys/></setting></system></show>\",success"

Action

(Fields containing the performed operation)

 message

A subset of the message value. For example,

gui-op,admin,\"<show><system><setting><multi-vsys/></setting></system></show>\"

Event timestamp time

For example,

"time": "2022-11-22T12:03:55-08:00"

Source of action host

For example,

"host":"10.251.72.101"

Outcome Not applicable Not applicable
Other fields Not applicable Not applicable

Example log

{  "pri": "14",  "time": "2022-11-22T12:03:55-08:00",  "host": "10.251.72.101",  "ident": "-",  "pid": "-",  "msgid": "-",  "extradata": "-",  "message": "012501009150,2022/11/22 12:03:54,audit,2561,gui-op,admin,\"<show><system><setting><multi-vsys/></setting></system></show>\",success",  "_gdch_cluster": "root-admin",  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-6lgds",  "_gdch_service_name": "panw_audit_logs" }

Commit job changes

Fields in the log entry that contain audit information
Audit metadata Audit field name Value
User or service identity message

A subset of the message value. For example,

admin

Target

(Fields and values that call the API)

 message

For example,

"message":"1,2022/11/22 12:11:33,012501009150,CONFIG,0,2561,2022/11/22 12:11:33,10.251.72.79,,commit,admin,Web,Submitted,,7168767370163388448,0x0,0,0,0,0,,zb-aa-fw01,0,,0,2022-11-22T12:11:34.635-08:00"

Action

(Fields containing the performed operation)

 message

A subset of the message value. For example,

Web,Submitted

Event timestamp time

For example,

"time": "2022-11-22T12:11:34-08:00"

Source of action host

For example,

"host":"10.251.72.101"

Outcome Not applicable Not applicable
Other fields Not applicable Not applicable

Example log

{  "pri": "14",  "time": "2022-11-22T12:11:34-08:00",  "host": "10.251.72.101",  "ident": "-",  "pid": "-",  "msgid": "-",  "extradata": "-",  "message": "1,2022/11/22 12:11:33,012501009150,CONFIG,0,2561,2022/11/22 12:11:33,10.251.72.79,,commit,admin,Web,Submitted,,7168767370163388448,0x0,0,0,0,0,,zb-aa-fw01,0,,0,2022-11-22T12:11:34.635-08:00",  "_gdch_cluster": "root-admin",  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-6lgds",  "_gdch_service_name": "panw_audit_logs" }