paloaltonetworks:logs:syslog:general

Useful

Commit Description

If the administrator includes a description when committing, it can be found by filtering on:

( description contains 'Commit job started processing' )

The actual output will look something like the following. (Yes, there is a space after the username.)

( description contains 'Commit job started processing. Dequeue time=2020/09/03 17:31:26. JobId=85587.User: jbloggs . Commit Description: CR1234 Adding New Vital Config' )

The other fields of the same log entry will be:

( subtype eq general ) and ( severity eq informational ) and ( eventid eq general )

However, it is important to remember that if no description was included then the output will look like

( description contains 'Commit job started processing. Dequeue time=2020/09/03 17:31:26. JobId=85587.User: jbloggs' )
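An added example (not part of the original page) that parses these "job started processing" descriptions and flags commits made without a description or without a change reference. It assumes the message layout of the samples above; the `CR<digits>` reference convention is an assumption modelled on the sample description, and the third sample is constructed.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Layout inferred from the sample messages on this page. Treat a non-match as
# "unparsed" rather than "no commit", since the wording may differ by release.
COMMIT_START_RE = re.compile(
    r"^(?P<job_type>Commit\w*) job started processing\. "
    r"Dequeue time=(?P<dequeued>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\. "
    r"JobId=(?P<job_id>\d+)\.\s*User: (?P<user>\S+)"
    # The description part is absent when the administrator typed none.
    r"(?:\s*\. Commit Description: (?P<description>.*?))?\s*$"
)

# Assumption: change references look like "CR1234", as in the page's sample.
CHANGE_REF_RE = re.compile(r"\bCR\d+\b")


class CommitStart(NamedTuple):
    job_type: str
    job_id: int
    user: str
    dequeued: str
    description: Optional[str]


def parse_commit_start(text: str) -> Optional[CommitStart]:
    """Parse one system-log description field; None if it is not a commit start."""
    m = COMMIT_START_RE.match(text.strip())
    if m is None:
        return None
    desc = m.group("description")
    return CommitStart(
        job_type=m.group("job_type"),
        job_id=int(m.group("job_id")),
        user=m.group("user"),
        dequeued=m.group("dequeued"),
        description=desc if desc else None,
    )


def audit_commits(descriptions: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (job_id, user, reason) for commits that lack a change reference."""
    findings = []
    for text in descriptions:
        commit = parse_commit_start(text)
        if commit is None:
            continue  # not a "started processing" message
        if commit.description is None:
            findings.append((commit.job_id, commit.user, "no commit description"))
        elif not CHANGE_REF_RE.search(commit.description):
            findings.append(
                (commit.job_id, commit.user, "description lacks change reference")
            )
    return findings


# Sample input: the first, second and fourth lines are taken from this page,
# the third is constructed, the fifth is a message that must be ignored.
SAMPLES = [
    "Commit job started processing. Dequeue time=2020/09/03 17:31:26. "
    "JobId=85587.User: jbloggs . Commit Description: CR1234 Adding New Vital Config",
    "Commit job started processing. Dequeue time=2020/09/03 17:31:26. "
    "JobId=85587.User: jbloggs",
    "Commit job started processing. Dequeue time=2020/09/03 17:40:02. "
    "JobId=85590.User: jbloggs . Commit Description: quick fix",
    "CommitAll job started processing. Dequeue time=2020/05/07 14:40:40. "
    "JobId=20625.User: admin  ",
    "Commit job enqueued",
]

if __name__ == "__main__":
    for job_id, user, reason in audit_commits(SAMPLES):
        print(f"JobId={job_id} user={user}: {reason}")
```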

System Start and Shutdown

( subtype eq general ) and ( severity eq high )
( eventid eq system-start ) and ( description contains 'The system is starting up.' )
( eventid eq system-shutdown ) and ( description contains 'The system is shutting down.' )
( eventid eq system-shutdown ) and ( description contains 'The system is shutting down due to UI Initiated.' )
( eventid eq system-shutdown ) and ( description contains 'The system is shutting down due to CLI Initiated.' )
( eventid eq system-shutdown ) and ( description contains 'The system is shutting down due to Restarting system for new HA keysparameters.' )
( eventid eq system-shutdown ) and ( description contains 'The system is shutting down due to masterd.' )

Critical

( subtype eq general ) and ( severity eq critical )
( eventid eq general ) and ( description contains 'License for feature threat will expire on 2019/11/13' )
( eventid eq general ) and ( description contains 'License for feature global-protect-gateway will expire on 2019/11/13' )
( eventid eq general ) and ( description contains 'License for feature url-filtering will expire on 2019/11/13' )
( eventid eq general ) and ( description contains 'License for feature pan-url-filtering will expire on 2019/11/13' )
( eventid eq general ) and ( description contains 'License for feature wildfire will expire on 2019/11/13' )
( eventid eq general ) and ( description contains 'License for feature dns-security will expire on 2019/11/13' )
( eventid eq general ) and ( description contains 'License for feature sd-wan will expire on 2019/11/13' )
( eventid eq general ) and ( description contains 'Out of memory condition detected, kill process 1' )
( eventid eq general ) and ( description contains 'WildFire update job failed  for user Auto update agent' )
( eventid eq general ) and ( description contains 'Antivirus update job failed  for user Auto update agent' )
( eventid eq general ) and ( description contains 'System software upgrade with version 9.0.5 failed' )
( eventid eq general ) and ( description contains 'Management interface in default mode(change from udev).' )
( eventid eq general ) and ( description contains 'Chassis Master Alarm: Cleared' )
( eventid eq general ) and ( description contains 'Chassis Master Alarm: Temperature ' )
( eventid eq general ) and ( description contains 'Chassis Master Alarm: Fans ' )
( eventid eq general ) and ( description contains 'Chassis Master Alarm: HA-event ' )
( eventid eq general ) and ( description contains 'Chassis Master Alarm: Power Supply ' )
( eventid eq general ) and ( description contains 'Fan #3 Speed: 5776.98 above high-limit 5750.00' )
( eventid eq general ) and ( description contains 'all: restarts exhausted, rebooting system' )
( eventid eq general ) and ( description contains 'masterd: restarts exhausted, rebooting system' )
( eventid eq general ) and ( description contains 'Content update job failed  for user Auto update agent' )
( eventid eq general ) and ( description contains 'WildFire update job failed' )
( eventid eq general ) and ( description contains 'brdagent: restarts exhausted, rebooting system' )
( eventid eq general ) and ( description contains 'Failed exporting config bundle via ssh to ' )
( eventid eq general ) and ( description contains 'Failed to export config bundle on the 10 th try - giving up retry' )
( eventid eq general ) and ( description contains 'Failed exporting config bundle via ssh to 192.168.1.1. ssh: connect to host 192.168.1.1 port 22: No route to host...lost connection' )
( eventid eq general ) and ( description contains 'Failed to export traffic log - giving up retry' )
( eventid eq general ) and ( description contains 'Failed exporting traffic log via ssh (last-calendar-day)' )
( eventid eq general ) and ( description contains 'Failed exporting traffic log via ssh (last-calendar-day) to 192.168.1.1. ssh: connect to host 192.168.1.1 port 22: No route to host.' )
( eventid eq general ) and ( description contains 'The dataplane is restarting' )
( eventid eq general ) and ( description contains 'tund: Exited 4 times, must be manually recovered' )
( eventid eq general ) and ( description contains 'Base ID manager is reset' )

High

( subtype eq general ) and ( severity eq high )
( eventid eq general ) and ( description contains 'Dataplane under severe load' )
( eventid eq general ) and ( description contains 'No valid device certificate found' )
( eventid eq general ) and ( description contains 'Failed to check Content content upgrade info due to generic communication error' )
( eventid eq general ) and ( description contains 'Failed to check Antivirus content upgrade info due to generic communication error' )
( eventid eq general ) and ( description contains 'Failed to check WildFire content upgrade info due to generic communication error' )
( eventid eq general ) and ( description contains 'Failed to check WF-Content content upgrade info due to generic communication error' )
( eventid eq general ) and ( description contains 'Failed to check GPclient content upgrade info due to generic communication error' )
( eventid eq general ) and ( description contains 'Disconnected from Panorama Server: 192.168.99.1. , source: 192.168.99.11' )
( eventid eq general ) and ( description contains 'Disconnected from Log collector Server: 192.168.99.1. , source: 192.168.99.11' )
( eventid eq general ) and ( description contains 'System restart requested by admin' )
( eventid eq general ) and ( description contains 'Control plane is now up' )
( eventid eq general ) and ( description contains 'Dataplane is now up' )
( eventid eq general ) and ( description contains 'Process useridd was restarted by user admin' )
( eventid eq general ) and ( description contains 'Process mgmtsrvr was restarted by user admin' )
( eventid eq general ) and ( description contains 'Auto update agent failed to download new WildFire as another download is in progress.' )
( eventid eq general ) and ( description contains 'Fqdn Refresh job failed' )
( eventid eq general ) and ( description contains 'User admin initiated  job 62 to import configuration of device 001122334455667' )
( eventid eq general ) and ( description contains 'User bstafford initiated  job 17963 to push and commit configuration to device 001122334455667' )
( eventid eq general ) and ( description contains 'Deployment job update licenses for FW01, FW02 succeeded.' )
( eventid eq general ) and ( description contains 'Deployment job upload software to FW01 succeeded.' )
( eventid eq general ) and ( description contains 'Deployment job download system software job succeeded ' )
( eventid eq general ) and ( description contains 'Deployment job download gpclient job succeeded ' )
( eventid eq general ) and ( description contains 'Deployment job upload global-protect-client to FW01 succeeded.' )
( eventid eq general ) and ( description contains 'Deployment job upload global-protect-client to FW01 failed. Device msg:\'Failed to download PanGP-4.1.10. Download error: Couldn\'t connect to server.\'' )
( eventid eq general ) and ( description contains 'Install content on FW01 job succeeded' )
( eventid eq general ) and ( description contains 'Install anti-virus on FW01 job succeeded' )
( eventid eq general ) and ( description contains 'Install global-protect-client on FW01 job succeeded' )
( eventid eq general ) and ( description contains 'brdagent: exiting because missed too many heartbeats' )
( eventid eq general ) and ( description contains 'Disabled applications in vsys1: appletvplus disneyplus houseparty paloalto-zero-touch-provision pkix-cmp ring ' )
( eventid eq general ) and ( description contains 'snmpd: exception when accessing cfg.snmp.dbg' )
( eventid eq general ) and ( description contains 'snmpd: exception when accessing cfg.system-boot[engine-boot-count]' )
( eventid eq general ) and ( description contains 'reportd: Not enough free space (1863 MB) to safely save core reportd_9.0.6_18.inuse (1460 MB), deleting' )
( eventid eq general ) and ( description contains 'elasticsearch: Not enough free space (8829 MB) to safely save core elasticsearch_8.1.10_0.inuse (41785 MB), deleting' )
( eventid eq general ) and ( description contains 'elasticsearch: exiting because service missed too many heartbeats' )

Medium

( subtype eq general ) and ( severity eq medium )
( eventid eq general ) and ( description contains 'Hostname changed to palo-secondary' )
( eventid eq general ) and ( description contains ' CONFIG_UPDATE_INC :  Incremental update to DP failed please try to commit force the latest config ' )
( eventid eq general ) and ( description contains 'Installed content package Content is newer than available package, skipping' )
( eventid eq general ) and ( description contains 'Authorization failed for user username@domain.com via Web from 192.168.1.1 : Invalid user' )
( eventid eq general ) and ( description contains 'Authorization failed for user username@domain.com via Web from 192.168.1.1 : Invalid configuration. No ado/role found username@domain.com' )
( eventid eq general ) and ( description contains 'Auto update agent failed to download Content version 8251-6016' )
( eventid eq general ) and ( description contains 'Auto update agent failed to download Antivirus version 3235-3746' )
( eventid eq general ) and ( description contains 'Auto update agent failed to download WildFire version 441526-444436' )
( eventid eq general ) and ( description contains 'Content package downloaded but installation could not be scheduled' )
( eventid eq general ) and ( description contains 'FW has lost connection to panorama, no log will be forwarded' )
( eventid eq general ) and ( description contains 'FW has lost connection to log-collector, no log will be forwarded' )
( eventid eq general ) and ( description contains 'Hostname changed to PanoramaName' )
( eventid eq general ) and ( description contains 'HA state set to suspended by admin' )
( eventid eq general ) and ( description contains 'HA state set to functional by admin' )
( eventid eq general ) and ( description contains 'Incorrect old password for user admin' )
( eventid eq general ) and ( description contains 'Disk B on Log collector 001122334455 was enabled' )
( eventid eq general ) and ( description contains 'Disk A on Log collector 001122334455 was enabled' )
( eventid eq general ) and ( description contains 'Failed to upgrade Content package to version 8226-5859' )
( eventid eq general ) and ( description contains 'Failed to upgrade Antivirus package to version <unknown version>' )
( eventid eq general ) and ( description contains 'Failed to upgrade WildFire package to version <unknown version>' )
( eventid eq general ) and ( description contains 'Failed to upgrade WildFire package to version 444761-447671' )
( eventid eq general ) and ( description contains 'Failed to export config bundle file Panorama_20191022.tgz  to host 192.168.1.1 port 21 user PA_backup passive-mode yes, error code 28' )
( eventid eq general ) and ( description contains 'Failed to install software 9.0.5' )
( eventid eq general ) and ( description contains 'Failed to upgrade Wildfire package to version <unknown version>' )
( eventid eq general ) and ( description contains ' Failed none for admin from 192.168.1.1 port 57692 ssh2' )
( eventid eq general ) and ( description contains ' Failed password for admin from 192.168.1.1 port 50011 ssh2' )
( eventid eq general ) and ( description contains ' Failed keyboard-interactive/pam for admin from 192.168.1.1 port 50011 ssh2' )
( eventid eq general ) and ( description contains 'Generated config and committed to connected collectors in group default' )
( eventid eq general ) and ( description contains 'Generated config and committed to connected collectors in group Local-Disks' )
( eventid eq general ) and ( description contains 'Generated config and committed to connected collectors in group Local-Disks.WARNING: Panorama candidate configuration has not been committed..It is recommended to commit on Panorama before committing to managed collectors.' )
( eventid eq general ) and ( description contains 'Failed to email PDF reports to \'username1@example.com\' \'username2@example.com\' \'username3@example.com\' for email profile exn-email-server' )
( eventid eq general ) and ( description contains 'mail send: response timed-out' )
( eventid eq general ) and ( description contains 'mail send: Socket timeout. host=mail.example.com' )
( eventid eq general ) and ( description contains 'Configuration partition has exceeded 90 percent of the capacity' )

Low

( subtype eq general ) and ( severity eq low )
( eventid eq general ) and ( description contains 'Dataplane under severe load' )
( eventid eq general ) and ( description contains 'Password changed for user admin' )

Informational

( subtype eq general ) and ( severity eq informational )

To alert when commits happen, use the filters below, or use the following filter from the Configuration log: ( cmd eq commit ) and ( result eq Submitted )

( eventid eq general ) and ( description contains 'Commit job started' )
( eventid eq general ) and ( description contains 'Commit job enqueued' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 012233445566, Object: interface 1/9, Metric: rx-pps-multicast, Value: 1' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 012233445566, Object: N/A, Metric: throughput, Value: 291' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 012233445566, Object: N/A, Metric: mp-mem, Value: 11' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: interface 1/1, Metric: packets-per-sec-transmit, Value: 1399' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: interface 1/1, Metric: packets-per-sec-receive, Value: 1414' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: interface 1/1, Metric: tx-pps-unicast, Value: 1399' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: interface 1/1, Metric: rx-pps-unicast, Value: 1414' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: interface 1/1, Metric: rx-bit-rate, Value: 865209' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: interface 1/1, Metric: tx-bit-rate, Value: 833736' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: s1 dp0, Metric: pps, Value: 4906' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: s1 dp0, Metric: cps, Value: 48' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: s1 dp0, Metric: dp-cpu, Value: 3' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: N/A, Metric: logging-rate, Value: 49' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: N/A, Metric: pps, Value: 4906' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: N/A, Metric: cps, Value: 48' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: N/A, Metric: throughput, Value: 26635' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: N/A, Metric: sessions, Value: 2174' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: N/A, Metric: mp-mem, Value: 44' )
( eventid eq general ) and ( description contains 'Connection to Update server closed: , source: 10.2.2.21' )
( eventid eq general ) and ( description contains 'Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by 172.23.67.244' )
( eventid eq general ) and ( description contains 'VPN Disable mode = off' )
( eventid eq general ) and ( description contains 'FqdnRefresh job started processing. Dequeue time=2020/05/09 08:33:43. Job Id=796.   ' )
( eventid eq general ) and ( description contains 'FqdnRefresh job enqueued. Enqueue time=2020/05/09 08:33:43. JobId=796.  . Type: Full' )
( eventid eq general ) and ( description contains 'Auto update agent found no new Content updates' )
( eventid eq general ) and ( description contains 'Auto update agent found no new Antivirus updates' )
( eventid eq general ) and ( description contains 'Connection to Update server:  completed successfully, initiated by 172.23.67.251' )
( eventid eq general ) and ( description contains 'Packet buffer congestion is 23113/24576 (94%)(alert threshold is 50%).' )
( eventid eq general ) and ( description contains 'Content image transferred from peer' )
( eventid eq general ) and ( description contains 'Content job enqueued. Enqueue time=2020/05/09 00:37:37. JobId=20733.  . Type: Full' )
( eventid eq general ) and ( description contains 'Content job started processing. Dequeue time=2020/05/09 00:37:37. Job Id=20733.   ' )
( eventid eq general ) and ( description contains 'Content package upgraded from version 8268-6073 to 8269-6074 by Auto update agent' )
( eventid eq general ) and ( description contains 'Content update job succeeded  for user Auto update agent' )
( eventid eq general ) and ( description contains 'Content update job succeeded  for user admin' )
( eventid eq general ) and ( description contains 'Content version 8269-6074 downloaded by Auto update agent' )
( eventid eq general ) and ( description contains 'Antivirus job enqueued. Enqueue time=2020/05/08 12:23:36. JobId=755.  . Type: Full' )
( eventid eq general ) and ( description contains 'Antivirus job started processing. Dequeue time=2020/05/08 12:26:09. Job Id=757.   ' )
( eventid eq general ) and ( description contains 'Antivirus package upgraded from version 3341-3852 to 3342-3853 by Auto update agent' )
( eventid eq general ) and ( description contains 'Antivirus update job succeeded  for user Auto update agent' )
( eventid eq general ) and ( description contains 'Antivirus update job succeeded  for user admin' )
( eventid eq general ) and ( description contains 'Antivirus version 3344-3855 downloaded by Auto update agent' )
( eventid eq general ) and ( description contains 'WildFire version 452278-455211 downloaded by Auto update agent' )
( eventid eq general ) and ( description contains 'WildFire job enqueued. Enqueue time=2020/05/09 07:50:11. JobId=20761.  . Type: Full' )
( eventid eq general ) and ( description contains 'WildFire job started processing. Dequeue time=2020/05/09 07:50:11. Job Id=20761.   ' )
( eventid eq general ) and ( description contains 'Installed WildFire package: panupv2-all-wildfire-452278-455211.tgz' )
( eventid eq general ) and ( description contains 'WildFire package upgraded from version 452267-455200 to 452278-455211 by Auto update agent' )
( eventid eq general ) and ( description contains 'WildFire update job succeeded  for user Auto update agent' )
( eventid eq general ) and ( description contains 'WildFire version 452627-455560 downloaded by Auto update agent' )
( eventid eq general ) and ( description contains 'Global protect update job succeeded  for user admin' )
( eventid eq general ) and ( description contains 'GlobalProtect data file version 1584366641 downloaded' )
( eventid eq general ) and ( description contains 'GlobalProtect data file version 1584366641 installed' )
( eventid eq general ) and ( description contains 'GlobalProtect job enqueued. Enqueue time=2020/04/24 00:46:20. JobId=4915.  . Type: Full' )
( eventid eq general ) and ( description contains 'GlobalProtect job started processing. Dequeue time=2020/04/24 00:46:20. Job Id=4915.   ' )
( eventid eq general ) and ( description contains 'GPclient version 86-182 downloaded by Auto update agent' )
( eventid eq general ) and ( description contains 'GlobalProtectClientlessVPN package upgraded from version 0 to 86-182 by admin' )
( eventid eq general ) and ( description contains 'Installed all-gp package: panup-all-gp-86-182.tgz' )
( eventid eq general ) and ( description contains 'Installed antivirus package: panup-all-antivirus-3342-3853.tgz' )
( eventid eq general ) and ( description contains 'Installed apps package: panupv2-all-apps-8269-6074.tgz' )
( eventid eq general ) and ( description contains 'Installed cms software version 8.1.14' )
( eventid eq general ) and ( description contains 'Installed contents package: panupv2-all-contents-8267-6070.tgz' )
( eventid eq general ) and ( description contains 'Installed gpclient software version 5.1.3' )
( eventid eq general ) and ( description contains 'Installed panos software version 8.1.14' )
( eventid eq general ) and ( description contains ' Accepted keyboard-interactive/pam for admin from 192.168.1.1 port 49038 ssh2' )
( eventid eq general ) and ( description contains ' Accepted password for admin from 192.168.1.1 port 52672 ssh2' )
( eventid eq general ) and ( description contains ' Accepted publickey for admin from 192.168.1.1 port 57668 ssh2: RSA c1:ee:ee:ee:ee:ee:73:83:20:83:75:a1:5e:55:ee:13' )
( eventid eq general ) and ( description contains ' Accepted publickey for ha-ssh-private-account from 192.168.1.1 port 45976 ssh2: RSA 5d:70:ee:ee:ee:ee:ee:b0:dd:64:ee:e4:57:ee:93:31' )
( eventid eq general ) and ( description contains ' LOGIN ON ttyS0 BY admin' )
( eventid eq general ) and ( description contains '012233445566 connected' )
( eventid eq general ) and ( description contains 'API key sent by peer is successfully set' )
( eventid eq general ) and ( description contains 'Auto update agent found no new WildFire updates' )
( eventid eq general ) and ( description contains 'AutoCom job enqueued. Enqueue time=2020/04/24 09:12:27. JobId=1.  . Type: Full' )
( eventid eq general ) and ( description contains 'AutoCom job started processing. Dequeue time=2020/04/24 09:12:27. Job Id=1.   ' )
( eventid eq general ) and ( description contains 'Autocommit job succeeded  ' )
( eventid eq general ) and ( description contains 'Candidate configuration loaded from running-config.xml by admin' )
( eventid eq general ) and ( description contains 'Candidate configuration partially loaded from named-file.xml by admin from xpath /config/devices/entry[@name=\'localhost.localdomain\']/vsys/entry[@name=\'vsys1\']/log-settings/profiles to xpath /config/devices/entry[@name=\'localhost.localdomain\']/device-group/entry[@name=\'Core\']/log-settings/profiles' )
( eventid eq general ) and ( description contains 'Candidate configuration reverted by admin. Changes reverted: changes to configuration by administrators: admin.Changes to shared configuration' )
( eventid eq general ) and ( description contains 'candidate configuration synchronized with HA peer by admin' )
( eventid eq general ) and ( description contains 'Certificate \'nameofcert\' imported into candidate configuration by admin' )
( eventid eq general ) and ( description contains 'Certificate and key pair \'nameofcert\' generated by admin' )
( eventid eq general ) and ( description contains 'Commit job started processing. Dequeue time=2020/04/24 17:52:04. JobId=19559.User: admin  ' )
( eventid eq general ) and ( description contains 'Commit job failed . Completion time=2020/04/24 14:01:41. JobId=18851. User:admin - schema verification failed' )
( eventid eq general ) and ( description contains 'Commit job cancelled . Completion time=2020/02/18 17:07:03. JobId=4669. User:admin' )
( eventid eq general ) and ( description contains 'CommitAll job enqueued for internet. Enqueue time=2020/05/07 14:40:40. JobId=20625. User: admin' )
( eventid eq general ) and ( description contains 'CommitAll job enqueued. Enqueue time=2020/05/07 11:35:08. JobId=698. User: admin. Type: Full' )
( eventid eq general ) and ( description contains 'CommitAll job succeeded. Completion time=2020/05/07 14:42:38. JobId=710. User:admin' )
( eventid eq general ) and ( description contains 'CommitAll job started processing. Dequeue time=2020/05/07 14:40:40. JobId=20625.User: admin  ' )
( eventid eq general ) and ( description contains 'CommitAll job failed . Completion time=2020/02/28 15:43:37. JobId=60371. User:admin' )
( eventid eq general ) and ( description contains 'CommitAll job failed. Completion time=2020/04/24 11:49:35. JobId=18231. User:admin' )
( eventid eq general ) and ( description contains 'CommitAndPush job enqueued. Enqueue time=2020/05/07 11:37:52. JobId=20578. User: admin. Type: Partial' )
( eventid eq general ) and ( description contains 'CommitAndPush job started processing. Dequeue time=2020/05/07 11:34:55. JobId=20565.User: admin  ' )
( eventid eq general ) and ( description contains 'CommitAndPush job succeeded. Completion time=2020/05/07 14:40:40. JobId=20615. User:admin' )
( eventid eq general ) and ( description contains 'Config bundle export file PanoramaName_20200506.tgz send  to host 172.23.8.22 port 21 user admin passive-mode yes' )
( eventid eq general ) and ( description contains 'Config installed' )
( eventid eq general ) and ( description contains 'Validate job enqueued. Enqueue time=2020/04/22 15:45:55. JobId=1072. User: admin. Type: Full' )
( eventid eq general ) and ( description contains 'Validate job started processing. Dequeue time=2020/04/22 15:45:55. Job Id=1072. User: admin ' )
( eventid eq general ) and ( description contains 'Validate job started processing. Dequeue time=2020/04/22 15:46:35. Job Id=1073. User: admin ' )
( eventid eq general ) and ( description contains 'Validate job succeeded. Completion time=2020/04/24 16:20:28. JobId=19. User:admin. Validate parameters: force=false,  device_network=false, shared_object=false. Vsys to validate:( count: 0).' )
( eventid eq general ) and ( description contains 'Validate job failed. Completion time=2020/04/24 10:57:11. JobId=7. User:admin.  Validate parameters: force=false,  device_network=false, shared_object=false. Vsys to validate:( count: 0)..' )
( eventid eq general ) and ( description contains 'ValidateAll job enqueued. Enqueue time=2020/04/24 16:20:11. JobId=19. User: admin. Type: Full' )
( eventid eq general ) and ( description contains 'ValidateAll job started processing. Dequeue time=2020/04/24 16:20:11. Job Id=30. User: admin ' )
( eventid eq general ) and ( description contains 'Panorama push device-group dg-name template t-name with merge-with-candidate-cfg include-template  flags set.JobId=706.User=admin. Dequeue time=2020/05/07 14:40:41.' )
( eventid eq general ) and ( description contains 'Panorama push template t-name with merge-with-candidate-cfg   flags set.JobId=32.User=admin. Dequeue time=2020/04/24 17:30:24.' )
( eventid eq general ) and ( description contains 'Panorama push to device:012233445566 for device-group: dg-name and template:t-name succeeded. JobId=20625' )
( eventid eq general ) and ( description contains 'Partial Commit for JobId=17783 by User: admin are: changes to configuration by administrators: admin.Changes to configuration in Panorama. Enqueue TIme=2020/04/23 16:23:44.' )
( eventid eq general ) and ( description contains 'Partial CommitAndPush for JobId=20590 by User: admin are: changes to configuration by administrators: admin.Changes to device-group configuration: (internet). Enqueue TIme=2020/05/07 11:41:45.' )
( eventid eq general ) and ( description contains 'Partial Validate for JobId=2270 by User: admin are: changes to configuration by administrators: admin.Changes to configuration in device and network. Enqueue TIme=2020/01/08 14:44:46.' )
( eventid eq general ) and ( description contains 'Configuration file filename.xml deleted by admin' )
( eventid eq general ) and ( description contains 'Configuration from filename.xml loaded by admin.' )
( eventid eq general ) and ( description contains 'Connected to Log Collector. ' )
( eventid eq general ) and ( description contains 'Connected to Log Collector. . Port:0, initiated by  Port:0' )
( eventid eq general ) and ( description contains 'Connected to Panorama Server. 192.168.1.1 Port:3978, initiated by 192.168.1.11 Port:59678' )
( eventid eq general ) and ( description contains 'Connection to Update server closed: , source: 192.168.1.1' )
( eventid eq general ) and ( description contains 'Connection to Update server closed: updates.paloaltonetworks.com, source: 192.168.1.1' )
( eventid eq general ) and ( description contains 'Correlation object 6012 added' )
( eventid eq general ) and ( description contains 'Debug filter pcap RX deleted by admin' )
( eventid eq general ) and ( description contains 'Deployment job update licenses for FW01, FW02 succeeded.' )
( eventid eq general ) and ( description contains 'Device certificate expires in 15 or less days' )
( eventid eq general ) and ( description contains 'Download error: Couldn\'t connect to server.' )
( eventid eq general ) and ( description contains 'EDL(EDL-Team-Cymru-Bogons-IPv6) Entry not referenced by a rule' )
( eventid eq general ) and ( description contains 'EDLRefresh job started processing. Dequeue time=2020/05/09 10:00:18. Job Id=10815.   ' )
( eventid eq general ) and ( description contains 'EDL(EDL-Team-Cymru-Bogons-IPv4) Refresh timer was cancelled due to a commit job' )
( eventid eq general ) and ( description contains 'Failed to connect to address: 192.168.1.1 port: 3978, conn id: lr-cms0-def' )
( eventid eq general ) and ( description contains 'Failed to connect to inter-logger-agent # 0 Server: 192.168.1.1 Port: 28270 Retry: 0' )
( eventid eq general ) and ( description contains 'Failed to connect to log collector Server: 192.168.1.1Port: 3978 Retry: 0' )
( eventid eq general ) and ( description contains 'Failed to connect to Panorama Server: 192.168.1.1 Port: 3978 Retry: 0' )
( eventid eq general ) and ( description contains 'Failed to establish SSL connection to lcs agent Server: 192.168.1.1 Port:3978 Retry: 0' )
( eventid eq general ) and ( description contains 'Failed to establish SSL connection to Panorama Server: 192.168.1.1 Port:3978 Retry: 42000' )
( eventid eq general ) and ( description contains 'HA-Sync job enqueued. Enqueue time=2020/04/24 17:19:42. JobId=24.  . Type: Full' )
( eventid eq general ) and ( description contains 'HA-Sync job started processing. Dequeue time=2020/04/24 17:19:42. Job Id=24.   ' )
( eventid eq general ) and ( description contains 'HA-Sync job succeeded. Completion time=2020/04/24 17:20:14. JobId=40. ' )
( eventid eq general ) and ( description contains 'HA sync failed for deactivate token file' )
( eventid eq general ) and ( description contains 'configuration sync\'d with HA peer' )
( eventid eq general ) and ( description contains 'Import of certificate \'name-of-certificate\' by admin failed. Mismatched public and private keys.' )
( eventid eq general ) and ( description contains 'Inter logger agent on 012233445566-inter-lc connected' )
( eventid eq general ) and ( description contains 'Key pair \'name-of-certificate\' imported into candidate configuration by admin' )
( eventid eq general ) and ( description contains 'lcs agent on 012233445566-log-collection connected' )
( eventid eq general ) and ( description contains 'localhost.localdomain connected' )
( eventid eq general ) and ( description contains 'Log redundancy is enabled for Log collector group default' )
( eventid eq general ) and ( description contains 'Log type system cleared by user admin ' )
( eventid eq general ) and ( description contains 'Management server shutting down' )
( eventid eq general ) and ( description contains 'Management server started. Running version 8.1.14' )
( eventid eq general ) and ( description contains 'Name resolution takes too long, disable name for report' )
( eventid eq general ) and ( description contains 'Name resolution takes too long, disable name for the report' )
( eventid eq general ) and ( description contains 'Name resolution takes too long, disable name for the report Top users' )
( eventid eq general ) and ( description contains 'Panorama licensed capacity (devices): 25' )
( eventid eq general ) and ( description contains 'Plugin vm_series-1.0.11 installed.' )
( eventid eq general ) and ( description contains 'Power Supply #1 (left) is not present on startup' )
( eventid eq general ) and ( description contains 'Power Supply #1 is not present on startup' )
( eventid eq general ) and ( description contains 'Power Supply #2 (right) is not present on startup' )
( eventid eq general ) and ( description contains 'Power Supply #2 is not present on startup' )
( eventid eq general ) and ( description contains 'Received conflicting ARP on interface ae2.11 indicating duplicate IP 192.168.1.1, sender mac cc:cc:bb:aa:ff:11' )
( eventid eq general ) and ( description contains 'Redistribution (MS Auto from:1 to:2) done' )
( eventid eq general ) and ( description contains 'Redistribution (MS Auto from:1 to:2) started' )
( eventid eq general ) and ( description contains 'Request made to  AutoFocus server is successful . ' )
( eventid eq general ) and ( description contains 'Request made to  PublicCloud server is successful . ' )
( eventid eq general ) and ( description contains 'Residual commit job snapshots were found. Will be cleared.' )
( eventid eq general ) and ( description contains 'running configuration synchronized with HA peer by admin' )
( eventid eq general ) and ( description contains 'Session for user svc_ossec via CLI from 192.168.1.1 timed out' )
( eventid eq general ) and ( description contains 'Succeeded exporting config bundle via ssh to 192.168.1.1' )
( eventid eq general ) and ( description contains 'Succeeded exporting traffic log via ssh (last-calendar-day) to 192.168.1.1' )
( eventid eq general ) and ( description contains 'Succeeded marking traffic log as exported' )
( eventid eq general ) and ( description contains 'Successfully connect to address: 192.168.1.1 port: 3978, conn id: lr-192.168.1.1-def' )
( eventid eq general ) and ( description contains 'Successfully fetched device certificate from Palo Alto Networks' )
( eventid eq general ) and ( description contains 'Successfully generated Panorama server certificate' )
( eventid eq general ) and ( description contains 'synchronized candidate configuration from HA peer and local candidate configuration' )
( eventid eq general ) and ( description contains 'synchronized running configuration from HA peer and local candidate configuration' )
( eventid eq general ) and ( description contains 'The primary user attribute has been changed in one of the group-mapping configuration' )
( eventid eq general ) and ( description contains 'The rule hit counter for name-of-rule in vsys1 security rulebase with 105 hits, last hit at Tue Mar 10 14:11:29 2020 and first hit at Tue Mar 10 14:09:56 2020 was reset by user:admin ' )
( eventid eq general ) and ( description contains 'User admin accessed Monitor tab' )
( eventid eq general ) and ( description contains 'User admin exported the objects/addresses configuration data via the UI to a CSV file.' )
( eventid eq general ) and ( description contains 'User admin exported the objects/address-groups configuration data via the UI to a CSV file.' )
( eventid eq general ) and ( description contains 'User admin exported the objects/service-groups configuration data via the UI to a CSV file.' )
( eventid eq general ) and ( description contains 'User admin exported the objects/services configuration data via the UI to a CSV file.' )
( eventid eq general ) and ( description contains 'User admin exported the policies/security-rulebase/pre-rules configuration data via the UI to a CSV file.' )
( eventid eq general ) and ( description contains 'User admin logged in via Web from 192.168.1.1 using https' )
( eventid eq general ) and ( description contains 'User admin executes config audit' )
( eventid eq general ) and ( description contains 'User admin logged in via Panorama from 192.168.1.1 using http over an SSL connection' )
( eventid eq general ) and ( description contains 'User admin logged out via Panorama from 192.168.1.1' )
( eventid eq general ) and ( description contains 'User admin logged out via Web from 192.168.1.1' )
( eventid eq general ) and ( description contains 'User admin exported the panorama/managed-devices/summary configuration data via the UI to a CSV file.' )
( eventid eq general ) and ( description contains 'User admin logged out via CLI from 192.168.1.1' )
( eventid eq general ) and ( description contains 'User admin failed authentication from 192.168.1.1' )
( eventid eq general ) and ( description contains 'User admin logged in via CLI from 192.168.1.1' )
( eventid eq general ) and ( description contains 'VM Appliance license is fetched and installed. Restarting pan services due to capacity change.' )
( eventid eq general ) and ( description contains 'VM Appliance license is installed.' )
( eventid eq general ) and ( description contains 'VPN Disable mode = off' )
( eventid eq general ) and ( description contains 'WildFire update job succeeded  for user admin' )