paloaltonetworks:logs:syslog:general

paloaltonetworks:logs:syslog:general [2020/06/04 08:10] bstaffordpaloaltonetworks:logs:syslog:general [2022/11/23 12:49] (current) – external edit 127.0.0.1
Line 1: Line 1:
-( subtype eq general ) and ( eventid neq general ) and ( eventid neq system-shutdown ) and ( eventid neq system-start )</code> +===== Useful ===== 
- +==== Commit Description ===== 
 +If the administrator includes a description when commiting, it can be found by filtering 
 +<code>( description contains 'Commit job started processing' )</code> 
 +The actuall output will look something like the following. (Yes, there is a space after the username). 
 +<code>( description contains 'Commit job started processing. Dequeue time=2020/09/03 17:31:26. JobId=85587.User: jbloggs . Commit Description: CR1234 Adding New Vital Config' )</code> 
 +The other data will be  
 +<code>( subtype eq general ) and ( severity eq informational ) and ( eventid eq general )</code> 
 +However, it is important to remember that if no description was included then the output will look like 
 +<code>( description contains 'Commit job started processing. Dequeue time=2020/09/03 17:31:26. JobId=85587.User: jbloggs' )</code>
  
 ===== System Start and Shutdown ===== ===== System Start and Shutdown =====
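Review bot: the heading `==== Commit Description =====` on the second added line has four opening and five closing equals signs; DokuWiki needs balanced markers, so use `====` on both sides (a level below `===== Useful =====`). Two typos in the added prose: 'commiting' should be 'committing' and 'actuall' should be 'actual'. 'The other data will be' is unclear; say what it refers to, e.g. 'The commit event itself carries the following fields, so it can also be matched with'. The JobId and Dequeue time in the two example strings are sample values from one commit and should be labelled as such, since a reader may otherwise paste them into a filter. Finally, the removed first line drops the catch-all filter `( subtype eq general ) and ( eventid neq general ) and ( eventid neq system-shutdown ) and ( eventid neq system-start )` without replacing it anywhere in this hunk; confirm that is intended, as it was the only filter on the page that excludes those three event types.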
Line 11: Line 18:
 <code>( eventid eq system-shutdown ) and ( description contains 'The system is shutting down due to Restarting system for new HA keysparameters.' )</code> <code>( eventid eq system-shutdown ) and ( description contains 'The system is shutting down due to Restarting system for new HA keysparameters.' )</code>
 <code>( eventid eq system-shutdown ) and ( description contains 'The system is shutting down due to masterd.')</code> <code>( eventid eq system-shutdown ) and ( description contains 'The system is shutting down due to masterd.')</code>
- 
  
 ===== Critical ====== ===== Critical ======
-<code>( subtype eq vpn ) and ( severity eq critical )</code>+<code>( subtype eq general ) and ( severity eq critical )</code>
 <code>( eventid eq general ) and ( description contains 'License for feature threat will expire on 2019/11/13' )</code> <code>( eventid eq general ) and ( description contains 'License for feature threat will expire on 2019/11/13' )</code>
 <code>( eventid eq general ) and ( description contains 'License for feature global-protect-gateway will expire on 2019/11/13' )</code> <code>( eventid eq general ) and ( description contains 'License for feature global-protect-gateway will expire on 2019/11/13' )</code>
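Review bot: changing `( subtype eq vpn )` to `( subtype eq general )` on the first changed line is the right fix for a page about the general subtype (the same copy-paste remnant from the VPN page is corrected in the High, Medium, Low and Informational sections below). While here, `===== Critical ======` has five opening and six closing markers on both sides of the diff, and the same imbalance exists on every severity heading on the page; balance them. The string 'HA keysparameters' in the two context lines looks like a lost separator between 'keys' and 'parameters'; compare it with a real log line before relying on that contains match.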
Line 20: Line 26:
 <code>( eventid eq general ) and ( description contains 'License for feature pan-url-filtering will expire on 2019/11/13' )</code> <code>( eventid eq general ) and ( description contains 'License for feature pan-url-filtering will expire on 2019/11/13' )</code>
 <code>( eventid eq general ) and ( description contains 'License for feature wildfire will expire on 2019/11/13' )</code> <code>( eventid eq general ) and ( description contains 'License for feature wildfire will expire on 2019/11/13' )</code>
 +<code>( eventid eq general ) and ( description contains 'License for feature dns-security will expire on 2019/11/13' )</code>
 +<code>( eventid eq general ) and ( description contains 'License for feature sd-wan will expire on 2019/11/13' )</code>
 <code>( eventid eq general ) and ( description contains 'Out of memory condition detected, kill process 1' )</code> <code>( eventid eq general ) and ( description contains 'Out of memory condition detected, kill process 1' )</code>
 <code>( eventid eq general ) and ( description contains 'WildFire update job failed  for user Auto update agent' )</code> <code>( eventid eq general ) and ( description contains 'WildFire update job failed  for user Auto update agent' )</code>
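Review bot: the two added lines (dns-security, sd-wan) pin the match to the literal expiry date '2019/11/13' copied from the neighbouring licence filters, so they stop matching as soon as the licence date differs. Match on the stable prefix instead, e.g. `( description contains 'License for feature dns-security will expire' )`; the same change would make the existing licence lines in the context useful beyond that one date.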
Line 40: Line 48:
 <code>( eventid eq general ) and ( description contains 'Failed exporting config bundle via ssh to ' )</code> <code>( eventid eq general ) and ( description contains 'Failed exporting config bundle via ssh to ' )</code>
 <code>( eventid eq general ) and ( description contains 'Failed to export config bundle on the 10 th try - giving up retry' )</code> <code>( eventid eq general ) and ( description contains 'Failed to export config bundle on the 10 th try - giving up retry' )</code>
-<code>( eventid eq general ) and ( description contains 'Failed exporting config bundle via ssh to 192.168.1.1. ssh: connect to host 192.168.1.1 port 22: No route to host...lost connection' +<code>( eventid eq general ) and ( description contains 'Failed exporting config bundle via ssh to 192.168.1.1. ssh: connect to host 192.168.1.1 port 22: No route to host...lost connection' )</code>
 <code>( eventid eq general ) and ( description contains 'Failed to export traffic log - giving up retry' )</code> <code>( eventid eq general ) and ( description contains 'Failed to export traffic log - giving up retry' )</code>
 <code>( eventid eq general ) and ( description contains 'Failed exporting traffic log via ssh (last-calendar-day)' )</code> <code>( eventid eq general ) and ( description contains 'Failed exporting traffic log via ssh (last-calendar-day)' )</code>
-<code>( eventid eq general ) and ( description contains 'Failed exporting traffic log via ssh (last-calendar-day) to 192.168.1.1. ssh: connect to host 192.168.1.1 port 22: No route to host.' )   +<code>( eventid eq general ) and ( description contains 'Failed exporting traffic log via ssh (last-calendar-day) to 192.168.1.1. ssh: connect to host 192.168.1.1 port 22: No route to host.' )</code>
 <code>( eventid eq general ) and ( description contains 'The dataplane is restarting' )</code> <code>( eventid eq general ) and ( description contains 'The dataplane is restarting' )</code>
 <code>( eventid eq general ) and ( description contains 'tund: Exited 4 times, must be manually recovered' )</code> <code>( eventid eq general ) and ( description contains 'tund: Exited 4 times, must be manually recovered' )</code>
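Review bot: the two changed lines only add the missing `)</code>` terminators, which is correct and fixes the unclosed code blocks that would otherwise swallow the following lines in the rendered page. Both keep the literal address 192.168.1.1 and the full ssh error text; the shorter lines already in the context cover the 'Failed exporting config bundle via ssh to ' and 'Failed exporting traffic log via ssh (last-calendar-day)' prefixes, so the long forms are useful mainly as documentation of what a complete message looks like, and the address should be marked as an example value.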
Line 50: Line 58:
  
 ===== High ====== ===== High ======
-<code>( subtype eq vpn ) and ( severity eq high )</code>+<code>( subtype eq general ) and ( severity eq high )</code>
 <code>( eventid eq general ) and ( description contains 'Dataplane under severe load' )</code> <code>( eventid eq general ) and ( description contains 'Dataplane under severe load' )</code>
 <code>( eventid eq general ) and ( description contains 'No valid device certificate found' )</code> <code>( eventid eq general ) and ( description contains 'No valid device certificate found' )</code>
Line 67: Line 75:
 <code>( eventid eq general ) and ( description contains 'Auto update agent failed to download new WildFire as another download is in progress.' )</code> <code>( eventid eq general ) and ( description contains 'Auto update agent failed to download new WildFire as another download is in progress.' )</code>
 <code>( eventid eq general ) and ( description contains 'Fqdn Refresh job failed' )</code> <code>( eventid eq general ) and ( description contains 'Fqdn Refresh job failed' )</code>
-<code>( eventid eq general ) and ( description contains 'User admin initiated  job 62 to import configuration of device 001122334455667' +<code>( eventid eq general ) and ( description contains 'User admin initiated  job 62 to import configuration of device 001122334455667' )</code>
 <code>( eventid eq general ) and ( description contains 'User bstafford initiated  job 17963 to push and commit configuration to device 001122334455667' )</code> <code>( eventid eq general ) and ( description contains 'User bstafford initiated  job 17963 to push and commit configuration to device 001122334455667' )</code>
 <code>( eventid eq general ) and ( description contains 'Deployment job update licenses for FW01, FW02 succeeded.' )</code> <code>( eventid eq general ) and ( description contains 'Deployment job update licenses for FW01, FW02 succeeded.' )</code>
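Review bot: the changed line adds the missing `)</code>` terminator, which is correct. The filter it closes matches on a specific job number and device serial ('job 62 to import configuration of device 001122334455667'), as does the push-and-commit line below it, so neither will match a second occurrence; a robust filter keeps the stable part, e.g. `( description contains 'to import configuration of device' )`. The double space before 'job' appears on both sides of the diff and in the next context line, so it is likely faithful to the log text, but it is worth confirming against an actual entry.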
Line 89: Line 97:
  
 ===== Medium ====== ===== Medium ======
-<code>( subtype eq vpn ) and ( severity eq medium )</code>+<code>( subtype eq general ) and ( severity eq medium )</code>
 <code>( eventid eq general ) and ( description contains 'Hostname changed to palo-secondary' )</code> <code>( eventid eq general ) and ( description contains 'Hostname changed to palo-secondary' )</code>
 <code>( eventid eq general ) and ( description contains ' CONFIG_UPDATE_INC :  Incremental update to DP failed please try to commit force the latest config ' )</code> <code>( eventid eq general ) and ( description contains ' CONFIG_UPDATE_INC :  Incremental update to DP failed please try to commit force the latest config ' )</code>
Line 126: Line 134:
 <code>( eventid eq general ) and ( description contains 'HA state set to suspended by admin' )</code> <code>( eventid eq general ) and ( description contains 'HA state set to suspended by admin' )</code>
 <code>( eventid eq general ) and ( description contains 'HA state set to functional by admin' )</code> <code>( eventid eq general ) and ( description contains 'HA state set to functional by admin' )</code>
 +<code>( eventid eq general ) and ( description contains 'Failed to email PDF reports to \'username1@example.com\' \'username2@example.com\' \'username3@example.com\' for email profile exn-email-server' )</code> 
 +<code>( eventid eq general ) and ( description contains 'mail send: response timed-out' )</code> 
 +<code>( eventid eq general ) and ( description contains 'mail send: Socket timeout. host=mail.example.com' )</code> 
 +<code>( eventid eq general ) and ( description contains 'Configuration partition has exceeded 90 percent of the capacity' )</code>
  
 ===== Low ====== ===== Low ======
-<code>( subtype eq vpn ) and ( severity eq low )</code>+<code>( subtype eq general ) and ( severity eq low )</code>
 <code>( eventid eq general ) and ( description contains 'Dataplane under severe load' )</code> <code>( eventid eq general ) and ( description contains 'Dataplane under severe load' )</code>
 <code>( eventid eq general ) and ( description contains 'Password changed for user admin' )</code> <code>( eventid eq general ) and ( description contains 'Password changed for user admin' )</code>
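Review bot: the added 'Failed to email PDF reports' filter uses `\'` to escape the quotes around the addresses; the backslash is a wiki-rendering concern and it is not obvious that the PAN-OS filter grammar accepts it, so a match that skips the addresses is safer, e.g. `( description contains 'Failed to email PDF reports to' )` or `( description contains 'for email profile' )`. The `( subtype eq vpn )` to `( subtype eq general )` change under Low is correct. Note that 'Dataplane under severe load' is listed under both High and Low on this page, so the severity term, not the description, is what distinguishes those two alerts.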
Line 137: Line 148:
  
 ===== Informational ====== ===== Informational ======
-<code>( subtype eq vpn ) and ( severity eq informational )</code>+<code>( subtype eq general ) and ( severity eq informational )</code>
  
  
-// If you want to alert when commits happen, you can do the following or use (from Configuration) - ( cmd eq commit ) and ( result eq Submitted )</code>+If you want to alert when commits happen, you can do the following or use (from Configuration) - ''( cmd eq commit ) and ( result eq Submitted )''
 <code>( eventid eq general ) and ( description contains 'Commit job started' )</code> <code>( eventid eq general ) and ( description contains 'Commit job started' )</code>
 <code>( eventid eq general ) and ( description contains 'Commit job enqueued' )</code> <code>( eventid eq general ) and ( description contains 'Commit job enqueued' )</code>
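Review bot: replacing the `//`-prefixed line with plain prose and `''…''` inline code fixes the stray `</code>` that had no opening tag and broke the rendering of everything after it. The phrase '(from Configuration)' should name the log type explicitly, e.g. 'or, in the Configuration log, use', so the reader knows the alternative filter is not run against the System log.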
Line 307: Line 318:
 <code>( eventid eq general ) and ( description contains 'running configuration synchronized with HA peer by admin' )</code> <code>( eventid eq general ) and ( description contains 'running configuration synchronized with HA peer by admin' )</code>
 <code>( eventid eq general ) and ( description contains 'Session for user svc_ossec via CLI from 192.168.1.1 timed out' )</code> <code>( eventid eq general ) and ( description contains 'Session for user svc_ossec via CLI from 192.168.1.1 timed out' )</code>
-<code>( eventid eq general ) and ( description contains 'Succeeded exporting config bundle via ssh to 192.168.1.1. This system is for the use of authorized users only.     ..Individuals using this computer system without authority,..or in excess of their authority, are subject to having   ..all of their activities on this system monitored and     ..recorded by system personnel.....In the course of monitoring individuals improperly using ..this system, or in the course of system maintenance, the ..activities of authorized users may also be monitored.....Anyone ' )</code>+<code>( eventid eq general ) and ( description contains 'Succeeded exporting config bundle via ssh to 192.168.1.1' )</code>
 <code>( eventid eq general ) and ( description contains 'Succeeded exporting traffic log via ssh (last-calendar-day) to 192.168.1.1' )</code> <code>( eventid eq general ) and ( description contains 'Succeeded exporting traffic log via ssh (last-calendar-day) to 192.168.1.1' )</code>
 <code>( eventid eq general ) and ( description contains 'Succeeded marking traffic log as exported' )</code> <code>( eventid eq general ) and ( description contains 'Succeeded marking traffic log as exported' )</code>
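Review bot: trimming the changed line to 'Succeeded exporting config bundle via ssh to 192.168.1.1' is right: the removed version embedded the remote host's login banner (the '..' runs are replaced line breaks), which is environment-specific and would never match on another device. The remaining 192.168.1.1 is also site-specific; the stable part is 'Succeeded exporting config bundle via ssh to', and the same applies to the traffic-log line in the context.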
Line 336: Line 347:
 <code>( eventid eq general ) and ( description contains 'VPN Disable mode = off' )</code> <code>( eventid eq general ) and ( description contains 'VPN Disable mode = off' )</code>
 <code>( eventid eq general ) and ( description contains 'WildFire update job succeeded  for user admin' )</code> <code>( eventid eq general ) and ( description contains 'WildFire update job succeeded  for user admin' )</code>
 +<code>( eventid eq general ) and ( description contains 'Log type system cleared by user admin ' )</code>
 +
 +
 +
 +   
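Review bot: the added filter string 'Log type system cleared by user admin ' ends with a space inside the quotes, so a message that ends at 'admin' will not match; drop the trailing space. If the intent is to catch any administrator clearing the system log, which is worth alerting on because it erases the audit trail, drop the username as well: `( description contains 'Log type system cleared by user' )`. The four added blank lines at the end of the page are trailing whitespace and should be removed.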
paloaltonetworks/logs/syslog/general.1591258254.txt.gz · Last modified: (external edit)