panos-parser(): parsing PAN-OS log messages

The PAN-OS (a short version of Palo Alto Networks Operating System) parser can parse log messages originating from Palo Alto Networks devices. Even though these messages completely comply to the RFC standards, their `MESSAGE` part is not a plain text. Instead, the `MESSAGE` part contains a data structure that requires additional parsing.

The panos-parser() of syslog-ng OSE solves this problem, and can separate PAN-OS log messages to name-value pairs.

For details on using value-pairs in syslog-ng OSE, see Structuring macros, metadata, and other value-pairs.

Prerequisites

• Version 3.29 of syslog-ng OSE or later.

  NOTE: Most Linux distributions feature syslog-ng OSE versions earlier than version 3.29. For up-to-date binaries, visit the syslog-ng Open Source Edition installation packages page.

• PAN-OS log messages from Palo Alto Networks devices.

Limitations

The panos-parser() only works on syslog-ng OSE version 3.29 or later.

Configuration

You can include the panos-parser() in your syslog-ng OSE configuration like this:

parser p_parser{
    panos-parser();
};

To use this parser, the scl.conf file must be included in your syslog-ng OSE configuration:

@include "scl.conf"

The panos-parser() is a reusable configuration snippet configured to parse Palo Alto Networks PAN-OS log messages. For details on using or writing such configuration snippets, see Reusing configuration blocks. You can find the source of the PAN-OS configuration snippet on GitHub.