Differences

This shows you the differences between two versions of the page.

--- paloaltonetworks:logs:syslog:general [2020/06/04 08:07] – created bstafford
+++ paloaltonetworks:logs:syslog:general [2022/11/23 12:49] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
+===== Useful =====
+==== Commit Description =====
+If the administrator includes a description when commiting, it can be found by filtering
+<code>( description contains 'Commit job started processing' )</code>
+The actuall output will look something like the following. (Yes, there is a space after the username).
+<code>( description contains 'Commit job started processing. Dequeue time=2020/09/03 17:31:26. JobId=85587.User: jbloggs . Commit Description: CR1234 Adding New Vital Config' )</code>
+The other data will be
+<code>( subtype eq general ) and ( severity eq informational ) and ( eventid eq general )</code>
+However, it is important to remember that if no description was included then the output will look like
+<code>( description contains 'Commit job started processing. Dequeue time=2020/09/03 17:31:26. JobId=85587.User: jbloggs' )</code>
 ===== System Start and Shutdown =====
 <code>( subtype eq general ) and ( severity eq high )</code>
@@ Line 7: / Line 18: @@
 <code>( eventid eq system-shutdown ) and ( description contains 'The system is shutting down due to Restarting system for new HA keysparameters.' )</code>
 <code>( eventid eq system-shutdown ) and ( description contains 'The system is shutting down due to masterd.')</code>
 ===== Critical ======
-<code>( subtype eq vpn ) and ( severity eq critical )</code>
+<code>( subtype eq general ) and ( severity eq critical )</code>
 <code>( eventid eq general ) and ( description contains 'License for feature threat will expire on 2019/11/13' )</code>
 <code>( eventid eq general ) and ( description contains 'License for feature global-protect-gateway will expire on 2019/11/13' )</code>
@@ Line 16: / Line 26: @@
 <code>( eventid eq general ) and ( description contains 'License for feature pan-url-filtering will expire on 2019/11/13' )</code>
 <code>( eventid eq general ) and ( description contains 'License for feature wildfire will expire on 2019/11/13' )</code>
+<code>( eventid eq general ) and ( description contains 'License for feature dns-security will expire on 2019/11/13' )</code>
+<code>( eventid eq general ) and ( description contains 'License for feature sd-wan will expire on 2019/11/13' )</code>
 <code>( eventid eq general ) and ( description contains 'Out of memory condition detected, kill process 1' )</code>
-<code>( eventid eq general ) and ( description contains 'WildFire update job failed  for user Auto update agent' )
+<code>( eventid eq general ) and ( description contains 'WildFire update job failed  for user Auto update agent' )</code>
 <code>( eventid eq general ) and ( description contains 'Antivirus update job failed  for user Auto update agent' )</code>
-<code>( eventid eq general ) and ( description contains 'System software upgrade with version 9.0.5 failed' )
+<code>( eventid eq general ) and ( description contains 'System software upgrade with version 9.0.5 failed' )</code>
-<code>( eventid eq general ) and ( description contains 'Management interface in default mode(change from udev).' )
+<code>( eventid eq general ) and ( description contains 'Management interface in default mode(change from udev).' )</code>
 <code>( eventid eq general ) and ( description contains 'Chassis Master Alarm: Cleared' )</code>
-<code>( eventid eq general ) and ( description contains 'Chassis Master Alarm: Temperature ' )
+<code>( eventid eq general ) and ( description contains 'Chassis Master Alarm: Temperature ' )</code>
-<code>( eventid eq general ) and ( description contains 'Chassis Master Alarm: Fans ' )
+<code>( eventid eq general ) and ( description contains 'Chassis Master Alarm: Fans ' )</code>
-<code>( eventid eq general ) and ( description contains 'Chassis Master Alarm: HA-event ' )
+<code>( eventid eq general ) and ( description contains 'Chassis Master Alarm: HA-event ' )</code>
-<code>( eventid eq general ) and ( description contains 'Chassis Master Alarm: Power Supply ' )
+<code>( eventid eq general ) and ( description contains 'Chassis Master Alarm: Power Supply ' )</code>
-<code>( eventid eq general ) and ( description contains 'Fan #3 Speed: 5776.98 above high-limit 5750.00' )
+<code>( eventid eq general ) and ( description contains 'Fan #3 Speed: 5776.98 above high-limit 5750.00' )</code>
-<code>( eventid eq general ) and ( description contains 'all: restarts exhausted, rebooting system' )
+<code>( eventid eq general ) and ( description contains 'all: restarts exhausted, rebooting system' )</code>
-<code>( eventid eq general ) and ( description contains 'masterd: restarts exhausted, rebooting system' )
+<code>( eventid eq general ) and ( description contains 'masterd: restarts exhausted, rebooting system' )</code>
 <code>( eventid eq general ) and ( description contains 'Content update job failed  for user Auto update agent' )</code>
-<code>( eventid eq general ) and ( description contains 'WildFire update job failed' )
+<code>( eventid eq general ) and ( description contains 'WildFire update job failed' )</code>
 <code>( eventid eq general ) and ( description contains 'System software upgrade with version 9.0.5 failed' )</code>
-<code>( eventid eq general ) and ( description contains 'Management interface in default mode(change from udev).' )
+<code>( eventid eq general ) and ( description contains 'Management interface in default mode(change from udev).' )</code>
 <code>( eventid eq general ) and ( description contains 'brdagent: restarts exhausted, rebooting system' )</code>
-<code>( eventid eq general ) and ( description contains 'Failed exporting config bundle via ssh to ' )
+<code>( eventid eq general ) and ( description contains 'Failed exporting config bundle via ssh to ' )</code>
-<code>( eventid eq general ) and ( description contains 'Failed to export config bundle on the 10 th try - giving up retry' )
+<code>( eventid eq general ) and ( description contains 'Failed to export config bundle on the 10 th try - giving up retry' )</code>
-<code>( eventid eq general ) and ( description contains 'Failed exporting config bundle via ssh to 192.168.1.1. ssh: connect to host 192.168.1.1 port 22: No route to host...lost connection' )
+<code>( eventid eq general ) and ( description contains 'Failed exporting config bundle via ssh to 192.168.1.1. ssh: connect to host 192.168.1.1 port 22: No route to host...lost connection' )</code>
-<code>( eventid eq general ) and ( description contains 'Failed to export traffic log - giving up retry' )
+<code>( eventid eq general ) and ( description contains 'Failed to export traffic log - giving up retry' )</code>
-<code>( eventid eq general ) and ( description contains 'Failed exporting traffic log via ssh (last-calendar-day)' )
+<code>( eventid eq general ) and ( description contains 'Failed exporting traffic log via ssh (last-calendar-day)' )</code>
-<code>( eventid eq general ) and ( description contains 'Failed exporting traffic log via ssh (last-calendar-day) to 192.168.1.1. ssh: connect to host 192.168.1.1 port 22: No route to host.' )
+<code>( eventid eq general ) and ( description contains 'Failed exporting traffic log via ssh (last-calendar-day) to 192.168.1.1. ssh: connect to host 192.168.1.1 port 22: No route to host.' )</code>
 <code>( eventid eq general ) and ( description contains 'The dataplane is restarting' )</code>
 <code>( eventid eq general ) and ( description contains 'tund: Exited 4 times, must be manually recovered' )</code>
@@ Line 46: / Line 58: @@
 ===== High ======
-<code>( subtype eq vpn ) and ( severity eq high )</code>
+<code>( subtype eq general ) and ( severity eq high )</code>
 <code>( eventid eq general ) and ( description contains 'Dataplane under severe load' )</code>
 <code>( eventid eq general ) and ( description contains 'No valid device certificate found' )</code>
 <code>( eventid eq general ) and ( description contains 'Failed to check Content content upgrade info due to generic communication error' )</code>
 <code>( eventid eq general ) and ( description contains 'Failed to check Antivirus content upgrade info due to generic communication error' )</code>
-<code>( eventid eq general ) and ( description contains 'Failed to check WildFire content upgrade info due to generic communication error' )
+<code>( eventid eq general ) and ( description contains 'Failed to check WildFire content upgrade info due to generic communication error' )</code>
-<code>( eventid eq general ) and ( description contains 'Failed to check WF-Content content upgrade info due to generic communication error' )
+<code>( eventid eq general ) and ( description contains 'Failed to check WF-Content content upgrade info due to generic communication error' )</code>
 <code>( eventid eq general ) and ( description contains 'Failed to check GPclient content upgrade info due to generic communication error' )</code>
 <code>( eventid eq general ) and ( description contains 'Disconnected from Panorama Server: 192.168.99.1. , source: 192.168.99.11' )</code>
 <code>( eventid eq general ) and ( description contains 'Disconnected from Log collector Server: 192.168.99.1. , source: 192.168.99.11' )</code>
 <code>( eventid eq general ) and ( description contains 'System restart requested by admin' )</code>
-<code>( eventid eq general ) and ( description contains 'Control plane is now up' )
+<code>( eventid eq general ) and ( description contains 'Control plane is now up' )</code>
 <code>( eventid eq general ) and ( description contains 'Dataplane is now up' )</code>
-<code>( eventid eq general ) and ( description contains 'Process useridd was restarted by user admin' )
+<code>( eventid eq general ) and ( description contains 'Process useridd was restarted by user admin' )</code>
-<code>( eventid eq general ) and ( description contains 'Process mgmtsrvr was restarted by user admin' )
+<code>( eventid eq general ) and ( description contains 'Process mgmtsrvr was restarted by user admin' )</code>
-<code>( eventid eq general ) and ( description contains 'Auto update agent failed to download new WildFire as another download is in progress.' )
+<code>( eventid eq general ) and ( description contains 'Auto update agent failed to download new WildFire as another download is in progress.' )</code>
-<code>( eventid eq general ) and ( description contains 'Fqdn Refresh job failed' )
+<code>( eventid eq general ) and ( description contains 'Fqdn Refresh job failed' )</code>
-<code>( eventid eq general ) and ( description contains 'User admin initiated  job 62 to import configuration of device 001122334455667' )
+<code>( eventid eq general ) and ( description contains 'User admin initiated  job 62 to import configuration of device 001122334455667' )</code>
-<code>( eventid eq general ) and ( description contains 'User bstafford initiated  job 17963 to push and commit configuration to device 001122334455667' )
+<code>( eventid eq general ) and ( description contains 'User bstafford initiated  job 17963 to push and commit configuration to device 001122334455667' )</code>
 <code>( eventid eq general ) and ( description contains 'Deployment job update licenses for FW01, FW02 succeeded.' )</code>
 <code>( eventid eq general ) and ( description contains 'Deployment job upload software to FW01 succeeded.' )</code>
-<code>( eventid eq general ) and ( description contains 'Deployment job download system software job succeeded ' )
+<code>( eventid eq general ) and ( description contains 'Deployment job download system software job succeeded ' )</code>
-<code>( eventid eq general ) and ( description contains 'Deployment job download gpclient job succeeded ' )
+<code>( eventid eq general ) and ( description contains 'Deployment job download gpclient job succeeded ' )</code>
-<code>( eventid eq general ) and ( description contains 'Deployment job upload global-protect-client to FW01 succeeded.' )
+<code>( eventid eq general ) and ( description contains 'Deployment job upload global-protect-client to FW01 succeeded.' )</code>
 <code>( eventid eq general ) and ( description contains 'Deployment job upload global-protect-client to FW01 failed. Device msg:\'Failed to download PanGP-4.1.10. Download error: Couldn\'t connect to server.\'' )</code>
-<code>( eventid eq general ) and ( description contains 'Install content on FW01 job succeeded' )
+<code>( eventid eq general ) and ( description contains 'Install content on FW01 job succeeded' )</code>
 <code>( eventid eq general ) and ( description contains 'Install anti-virus on FW01 job succeeded' )</code>
 <code>( eventid eq general ) and ( description contains 'Install anti-virus on FW01 job succeeded' )</code>
-<code>( eventid eq general ) and ( description contains 'Install global-protect-client on FW01 job succeeded' )
+<code>( eventid eq general ) and ( description contains 'Install global-protect-client on FW01 job succeeded' )</code>
 <code>( eventid eq general ) and ( description contains 'brdagent: exiting because missed too many heartbeats' )</code>
-<code>( eventid eq general ) and ( description contains 'Disabled applications in vsys1: appletvplus disneyplus houseparty paloalto-zero-touch-provision pkix-cmp ring ' )
+<code>( eventid eq general ) and ( description contains 'Disabled applications in vsys1: appletvplus disneyplus houseparty paloalto-zero-touch-provision pkix-cmp ring ' )</code>
-<code>( eventid eq general ) and ( description contains 'snmpd: exception when accessing cfg.snmp.dbg' )
+<code>( eventid eq general ) and ( description contains 'snmpd: exception when accessing cfg.snmp.dbg' )</code>
 <code>( eventid eq general ) and ( description contains 'snmpd: exception when accessing cfg.system-boot[engine-boot-count]' )</code>
 <code>( eventid eq general ) and ( description contains 'reportd: Not enough free space (1863 MB) to safely save core reportd_9.0.6_18.inuse (1460 MB), deleting' )</code>
-<code>( eventid eq general ) and ( description contains 'elasticsearch: Not enough free space (8829 MB) to safely save core elasticsearch_8.1.10_0.inuse (41785 MB), deleting' )
+<code>( eventid eq general ) and ( description contains 'elasticsearch: Not enough free space (8829 MB) to safely save core elasticsearch_8.1.10_0.inuse (41785 MB), deleting' )</code>
 <code>( eventid eq general ) and ( description contains 'elasticsearch: exiting because service missed too many heartbeats' )</code>
 ===== Medium ======
-<code>( subtype eq vpn ) and ( severity eq medium )</code>
+<code>( subtype eq general ) and ( severity eq medium )</code>
 <code>( eventid eq general ) and ( description contains 'Hostname changed to palo-secondary' )</code>
 <code>( eventid eq general ) and ( description contains ' CONFIG_UPDATE_INC :  Incremental update to DP failed please try to commit force the latest config ' )</code>
 <code>( eventid eq general ) and ( description contains 'Installed content package Content is newer than available package, skipping' )</code>
-<code>( eventid eq general ) and ( description contains 'Authorization failed for user username@domain.com via Web from 192.168.1.1 : Invalid user' )
+<code>( eventid eq general ) and ( description contains 'Authorization failed for user username@domain.com via Web from 192.168.1.1 : Invalid user' )</code>
 <code>( eventid eq general ) and ( description contains 'Authorization failed for user username@domain.com via Web from 192.168.1.1 : Invalid configuration. No ado/role found username@domain.com' )</code>
 <code>( eventid eq general ) and ( description contains 'Auto update agent failed to download Content version 8251-6016' )</code>
 <code>( eventid eq general ) and ( description contains 'Auto update agent failed to download Antivirus version 3235-3746' )</code>
-<code>( eventid eq general ) and ( description contains 'Auto update agent failed to download WildFire version 441526-444436' )
+<code>( eventid eq general ) and ( description contains 'Auto update agent failed to download WildFire version 441526-444436' )</code>
-<code>( eventid eq general ) and ( description contains 'Content package downloaded but installation could not be scheduled' )
+<code>( eventid eq general ) and ( description contains 'Content package downloaded but installation could not be scheduled' )</code>
 <code>( eventid eq general ) and ( description contains 'Installed content package Content is newer than available package, skipping' )</code>
 <code>( eventid eq general ) and ( description contains 'FW has lost connection to panorama, no log will be forwarded' )</code>
@@ Line 104: / Line 116: @@
 <code>( eventid eq general ) and ( description contains 'Disk B on Log collector 001122334455 was enabled' )</code>
 <code>( eventid eq general ) and ( description contains 'Disk A on Log collector 001122334455 was enabled' )</code>
-<code>( eventid eq general ) and ( description contains 'Failed to upgrade Content package to version 8226-5859' )
+<code>( eventid eq general ) and ( description contains 'Failed to upgrade Content package to version 8226-5859' )</code>
 <code>( eventid eq general ) and ( description contains 'Failed to upgrade Antivirus package to version <unknown version>' )</code>
 <code>( eventid eq general ) and ( description contains 'Failed to upgrade WildFire package to version <unknown version>' )</code>
@@ Line 122: / Line 134: @@
 <code>( eventid eq general ) and ( description contains 'HA state set to suspended by admin' )</code>
 <code>( eventid eq general ) and ( description contains 'HA state set to functional by admin' )</code>
+<code>( eventid eq general ) and ( description contains 'Failed to email PDF reports to \'username1@example.com\' \'username2@example.com\' \'username3@example.com\' for email profile exn-email-server' )</code>
+<code>( eventid eq general ) and ( description contains 'mail send: response timed-out' )</code>
+<code>( eventid eq general ) and ( description contains 'mail send: Socket timeout. host=mail.example.com' )</code>
+<code>( eventid eq general ) and ( description contains 'Configuration partition has exceeded 90 percent of the capacity' )</code>
 ===== Low ======
-<code>( subtype eq vpn ) and ( severity eq low )</code>
+<code>( subtype eq general ) and ( severity eq low )</code>
 <code>( eventid eq general ) and ( description contains 'Dataplane under severe load' )</code>
 <code>( eventid eq general ) and ( description contains 'Password changed for user admin' )</code>
@@ Line 133: / Line 148: @@
 ===== Informational ======
-<code>( subtype eq vpn ) and ( severity eq informational )</code>
+<code>( subtype eq general ) and ( severity eq informational )</code>
-// If you want to alert when commits happen, you can do the following or use (from Configuration) - ( cmd eq commit ) and ( result eq Submitted )</code>
+If you want to alert when commits happen, you can do the following or use (from Configuration) - ''( cmd eq commit ) and ( result eq Submitted )''
-<code>( eventid eq general ) and ( description contains 'Commit job started' )
+<code>( eventid eq general ) and ( description contains 'Commit job started' )</code>
 <code>( eventid eq general ) and ( description contains 'Commit job enqueued' )</code>
 <code>( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 012233445566, Object: interface 1/9, Metric: rx-pps-multicast, Value: 1' )</code>
-<code>( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 012233445566, Object: N/A, Metric: throughput, Value: 291' )
+<code>( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 012233445566, Object: N/A, Metric: throughput, Value: 291' )</code>
 <code>( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 012233445566, Object: N/A, Metric: mp-mem, Value: 11' )</code>
 <code>( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: interface 1/1, Metric: packets-per-sec-transmit, Value: 1399' )</code>
@@ Line 165: / Line 180: @@
 <code>( eventid eq general ) and ( description contains 'Auto update agent found no new Content updates' )</code>
 <code>( eventid eq general ) and ( description contains 'Auto update agent found no new Antivirus updates' )</code>
-<code>( eventid eq general ) and ( description contains 'Connection to Update server:  completed successfully, initiated by 172.23.67.251' )
+<code>( eventid eq general ) and ( description contains 'Connection to Update server:  completed successfully, initiated by 172.23.67.251' )</code>
@@ Line 303: / Line 318: @@
 <code>( eventid eq general ) and ( description contains 'running configuration synchronized with HA peer by admin' )</code>
 <code>( eventid eq general ) and ( description contains 'Session for user svc_ossec via CLI from 192.168.1.1 timed out' )</code>
-<code>( eventid eq general ) and ( description contains 'Succeeded exporting config bundle via ssh to 192.168.1.1. This system is for the use of authorized users only.     ..Individuals using this computer system without authority,..or in excess of their authority, are subject to having   ..all of their activities on this system monitored and     ..recorded by system personnel.....In the course of monitoring individuals improperly using ..this system, or in the course of system maintenance, the ..activities of authorized users may also be monitored.....Anyone ' )</code>
+<code>( eventid eq general ) and ( description contains 'Succeeded exporting config bundle via ssh to 192.168.1.1' )</code>
 <code>( eventid eq general ) and ( description contains 'Succeeded exporting traffic log via ssh (last-calendar-day) to 192.168.1.1' )</code>
 <code>( eventid eq general ) and ( description contains 'Succeeded marking traffic log as exported' )</code>
@@ Line 332: / Line 347: @@
 <code>( eventid eq general ) and ( description contains 'VPN Disable mode = off' )</code>
 <code>( eventid eq general ) and ( description contains 'WildFire update job succeeded  for user admin' )</code>
+<code>( eventid eq general ) and ( description contains 'Log type system cleared by user admin ' )</code>