paloaltonetworks:logs:syslog:general


System Start and Shutdown

( subtype eq general ) and ( severity eq high )
( eventid eq system-start ) and ( description contains 'The system is starting up.' )
( eventid eq system-shutdown ) and ( description contains 'The system is shutting down.' )
( eventid eq system-shutdown ) and ( description contains 'The system is shutting down due to UI Initiated.' )
( eventid eq system-shutdown ) and ( description contains 'The system is shutting down due to CLI Initiated.' )
( eventid eq system-shutdown ) and ( description contains 'The system is shutting down due to Restarting system for new HA keysparameters.' )
( eventid eq system-shutdown ) and ( description contains 'The system is shutting down due to masterd.' )

Critical

( subtype eq general ) and ( severity eq critical )
( eventid eq general ) and ( description contains 'License for feature threat will expire on 2019/11/13' )
( eventid eq general ) and ( description contains 'License for feature global-protect-gateway will expire on 2019/11/13' )
( eventid eq general ) and ( description contains 'License for feature url-filtering will expire on 2019/11/13' )
( eventid eq general ) and ( description contains 'License for feature pan-url-filtering will expire on 2019/11/13' )
( eventid eq general ) and ( description contains 'License for feature wildfire will expire on 2019/11/13' )
( eventid eq general ) and ( description contains 'Out of memory condition detected, kill process 1' )
( eventid eq general ) and ( description contains 'WildFire update job failed  for user Auto update agent' )
( eventid eq general ) and ( description contains 'Antivirus update job failed  for user Auto update agent' )
( eventid eq general ) and ( description contains 'System software upgrade with version 9.0.5 failed' )
( eventid eq general ) and ( description contains 'Management interface in default mode(change from udev).' )
( eventid eq general ) and ( description contains 'Chassis Master Alarm: Cleared' )
( eventid eq general ) and ( description contains 'Chassis Master Alarm: Temperature ' )
( eventid eq general ) and ( description contains 'Chassis Master Alarm: Fans ' )
( eventid eq general ) and ( description contains 'Chassis Master Alarm: HA-event ' )
( eventid eq general ) and ( description contains 'Chassis Master Alarm: Power Supply ' )
( eventid eq general ) and ( description contains 'Fan #3 Speed: 5776.98 above high-limit 5750.00' )
( eventid eq general ) and ( description contains 'all: restarts exhausted, rebooting system' )
( eventid eq general ) and ( description contains 'masterd: restarts exhausted, rebooting system' )
( eventid eq general ) and ( description contains 'Content update job failed  for user Auto update agent' )
( eventid eq general ) and ( description contains 'WildFire update job failed' )
( eventid eq general ) and ( description contains 'brdagent: restarts exhausted, rebooting system' )
( eventid eq general ) and ( description contains 'Failed exporting config bundle via ssh to ' )
( eventid eq general ) and ( description contains 'Failed to export config bundle on the 10 th try - giving up retry' )
( eventid eq general ) and ( description contains 'Failed exporting config bundle via ssh to 192.168.1.1. ssh: connect to host 192.168.1.1 port 22: No route to host...lost connection' )
( eventid eq general ) and ( description contains 'Failed to export traffic log - giving up retry' )
( eventid eq general ) and ( description contains 'Failed exporting traffic log via ssh (last-calendar-day)' )
( eventid eq general ) and ( description contains 'Failed exporting traffic log via ssh (last-calendar-day) to 192.168.1.1. ssh: connect to host 192.168.1.1 port 22: No route to host.' )
( eventid eq general ) and ( description contains 'The dataplane is restarting' )
( eventid eq general ) and ( description contains 'tund: Exited 4 times, must be manually recovered' )
( eventid eq general ) and ( description contains 'Base ID manager is reset' )

High

( subtype eq general ) and ( severity eq high )
( eventid eq general ) and ( description contains 'Dataplane under severe load' )
( eventid eq general ) and ( description contains 'No valid device certificate found' )
( eventid eq general ) and ( description contains 'Failed to check Content content upgrade info due to generic communication error' )
( eventid eq general ) and ( description contains 'Failed to check Antivirus content upgrade info due to generic communication error' )
( eventid eq general ) and ( description contains 'Failed to check WildFire content upgrade info due to generic communication error' )
( eventid eq general ) and ( description contains 'Failed to check WF-Content content upgrade info due to generic communication error' )
( eventid eq general ) and ( description contains 'Failed to check GPclient content upgrade info due to generic communication error' )
( eventid eq general ) and ( description contains 'Disconnected from Panorama Server: 192.168.99.1. , source: 192.168.99.11' )
( eventid eq general ) and ( description contains 'Disconnected from Log collector Server: 192.168.99.1. , source: 192.168.99.11' )
( eventid eq general ) and ( description contains 'System restart requested by admin' )
( eventid eq general ) and ( description contains 'Control plane is now up' )
( eventid eq general ) and ( description contains 'Dataplane is now up' )
( eventid eq general ) and ( description contains 'Process useridd was restarted by user admin' )
( eventid eq general ) and ( description contains 'Process mgmtsrvr was restarted by user admin' )
( eventid eq general ) and ( description contains 'Auto update agent failed to download new WildFire as another download is in progress.' )
( eventid eq general ) and ( description contains 'Fqdn Refresh job failed' )
( eventid eq general ) and ( description contains 'User admin initiated  job 62 to import configuration of device 001122334455667' )
( eventid eq general ) and ( description contains 'User bstafford initiated  job 17963 to push and commit configuration to device 001122334455667' )
( eventid eq general ) and ( description contains 'Deployment job update licenses for FW01, FW02 succeeded.' )
( eventid eq general ) and ( description contains 'Deployment job upload software to FW01 succeeded.' )
( eventid eq general ) and ( description contains 'Deployment job download system software job succeeded ' )
( eventid eq general ) and ( description contains 'Deployment job download gpclient job succeeded ' )
( eventid eq general ) and ( description contains 'Deployment job upload global-protect-client to FW01 succeeded.' )
( eventid eq general ) and ( description contains 'Deployment job upload global-protect-client to FW01 failed. Device msg:\'Failed to download PanGP-4.1.10. Download error: Couldn\'t connect to server.\'' )
( eventid eq general ) and ( description contains 'Install content on FW01 job succeeded' )
( eventid eq general ) and ( description contains 'Install anti-virus on FW01 job succeeded' )
( eventid eq general ) and ( description contains 'Install global-protect-client on FW01 job succeeded' )
( eventid eq general ) and ( description contains 'brdagent: exiting because missed too many heartbeats' )
( eventid eq general ) and ( description contains 'Disabled applications in vsys1: appletvplus disneyplus houseparty paloalto-zero-touch-provision pkix-cmp ring ' )
( eventid eq general ) and ( description contains 'snmpd: exception when accessing cfg.snmp.dbg' )
( eventid eq general ) and ( description contains 'snmpd: exception when accessing cfg.system-boot[engine-boot-count]' )
( eventid eq general ) and ( description contains 'reportd: Not enough free space (1863 MB) to safely save core reportd_9.0.6_18.inuse (1460 MB), deleting' )
( eventid eq general ) and ( description contains 'elasticsearch: Not enough free space (8829 MB) to safely save core elasticsearch_8.1.10_0.inuse (41785 MB), deleting' )
( eventid eq general ) and ( description contains 'elasticsearch: exiting because service missed too many heartbeats' )

Medium

( subtype eq general ) and ( severity eq medium )
( eventid eq general ) and ( description contains 'Hostname changed to palo-secondary' )
( eventid eq general ) and ( description contains ' CONFIG_UPDATE_INC :  Incremental update to DP failed please try to commit force the latest config ' )
( eventid eq general ) and ( description contains 'Installed content package Content is newer than available package, skipping' )
( eventid eq general ) and ( description contains 'Authorization failed for user username@domain.com via Web from 192.168.1.1 : Invalid user' )
( eventid eq general ) and ( description contains 'Authorization failed for user username@domain.com via Web from 192.168.1.1 : Invalid configuration. No ado/role found username@domain.com' )
( eventid eq general ) and ( description contains 'Auto update agent failed to download Content version 8251-6016' )
( eventid eq general ) and ( description contains 'Auto update agent failed to download Antivirus version 3235-3746' )
( eventid eq general ) and ( description contains 'Auto update agent failed to download WildFire version 441526-444436' )
( eventid eq general ) and ( description contains 'Content package downloaded but installation could not be scheduled' )
( eventid eq general ) and ( description contains 'FW has lost connection to panorama, no log will be forwarded' )
( eventid eq general ) and ( description contains 'FW has lost connection to log-collector, no log will be forwarded' )
( eventid eq general ) and ( description contains 'Hostname changed to PanoramaName' )
( eventid eq general ) and ( description contains 'HA state set to suspended by admin' )
( eventid eq general ) and ( description contains 'HA state set to functional by admin' )
( eventid eq general ) and ( description contains 'Incorrect old password for user admin' )
( eventid eq general ) and ( description contains 'Disk B on Log collector 001122334455 was enabled' )
( eventid eq general ) and ( description contains 'Disk A on Log collector 001122334455 was enabled' )
( eventid eq general ) and ( description contains 'Failed to upgrade Content package to version 8226-5859' )
( eventid eq general ) and ( description contains 'Failed to upgrade Antivirus package to version <unknown version>' )
( eventid eq general ) and ( description contains 'Failed to upgrade WildFire package to version <unknown version>' )
( eventid eq general ) and ( description contains 'Failed to upgrade WildFire package to version 444761-447671' )
( eventid eq general ) and ( description contains 'Failed to export config bundle file Panorama_20191022.tgz  to host 192.168.1.1 port 21 user PA_backup passive-mode yes, error code 28' )
( eventid eq general ) and ( description contains 'Failed to install software 9.0.5' )
( eventid eq general ) and ( description contains 'Failed to upgrade Wildfire package to version <unknown version>' )
( eventid eq general ) and ( description contains ' Failed none for admin from 192.168.1.1 port 57692 ssh2' )
( eventid eq general ) and ( description contains ' Failed password for admin from 192.168.1.1 port 50011 ssh2' )
( eventid eq general ) and ( description contains ' Failed keyboard-interactive/pam for admin from 192.168.1.1 port 50011 ssh2' )
( eventid eq general ) and ( description contains 'Generated config and committed to connected collectors in group default' )
( eventid eq general ) and ( description contains 'Generated config and committed to connected collectors in group Local-Disks' )
( eventid eq general ) and ( description contains 'Generated config and committed to connected collectors in group Local-Disks.WARNING: Panorama candidate configuration has not been committed..It is recommended to commit on Panorama before committing to managed collectors.' )

Low

( subtype eq general ) and ( severity eq low )
( eventid eq general ) and ( description contains 'Dataplane under severe load' )
( eventid eq general ) and ( description contains 'Password changed for user admin' )

Informational

( subtype eq general ) and ( severity eq informational )

To alert whenever a commit happens, use the two system log filters below, or use the equivalent Configuration log filter: ( cmd eq commit ) and ( result eq Submitted )

( eventid eq general ) and ( description contains 'Commit job started' )
( eventid eq general ) and ( description contains 'Commit job enqueued' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 012233445566, Object: interface 1/9, Metric: rx-pps-multicast, Value: 1' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 012233445566, Object: N/A, Metric: throughput, Value: 291' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 012233445566, Object: N/A, Metric: mp-mem, Value: 11' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: interface 1/1, Metric: packets-per-sec-transmit, Value: 1399' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: interface 1/1, Metric: packets-per-sec-receive, Value: 1414' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: interface 1/1, Metric: tx-pps-unicast, Value: 1399' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: interface 1/1, Metric: rx-pps-unicast, Value: 1414' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: interface 1/1, Metric: rx-bit-rate, Value: 865209' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: interface 1/1, Metric: tx-bit-rate, Value: 833736' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: s1 dp0, Metric: pps, Value: 4906' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: s1 dp0, Metric: cps, Value: 48' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: s1 dp0, Metric: dp-cpu, Value: 3' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: N/A, Metric: logging-rate, Value: 49' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: N/A, Metric: pps, Value: 4906' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: N/A, Metric: cps, Value: 48' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: N/A, Metric: throughput, Value: 26635' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: N/A, Metric: sessions, Value: 2174' )
( eventid eq general ) and ( description contains 'Deviating device: fw01, Serial: 001122334455, Object: N/A, Metric: mp-mem, Value: 44' )
( eventid eq general ) and ( description contains 'Connection to Update server closed: , source: 10.2.2.21' )
( eventid eq general ) and ( description contains 'Connection to Update server: updates.paloaltonetworks.com completed successfully, initiated by 172.23.67.244' )
( eventid eq general ) and ( description contains 'VPN Disable mode = off' )
( eventid eq general ) and ( description contains 'FqdnRefresh job started processing. Dequeue time=2020/05/09 08:33:43. Job Id=796.   ' )
( eventid eq general ) and ( description contains 'FqdnRefresh job enqueued. Enqueue time=2020/05/09 08:33:43. JobId=796.  . Type: Full' )
( eventid eq general ) and ( description contains 'Auto update agent found no new Content updates' )
( eventid eq general ) and ( description contains 'Auto update agent found no new Antivirus updates' )
( eventid eq general ) and ( description contains 'Connection to Update server:  completed successfully, initiated by 172.23.67.251' )
( eventid eq general ) and ( description contains 'Packet buffer congestion is 23113/24576 (94%)(alert threshold is 50%).' )
( eventid eq general ) and ( description contains 'Content image transferred from peer' )
( eventid eq general ) and ( description contains 'Content job enqueued. Enqueue time=2020/05/09 00:37:37. JobId=20733.  . Type: Full' )
( eventid eq general ) and ( description contains 'Content job started processing. Dequeue time=2020/05/09 00:37:37. Job Id=20733.   ' )
( eventid eq general ) and ( description contains 'Content package upgraded from version 8268-6073 to 8269-6074 by Auto update agent' )
( eventid eq general ) and ( description contains 'Content update job succeeded  for user Auto update agent' )
( eventid eq general ) and ( description contains 'Content update job succeeded  for user admin' )
( eventid eq general ) and ( description contains 'Content version 8269-6074 downloaded by Auto update agent' )
( eventid eq general ) and ( description contains 'Antivirus job enqueued. Enqueue time=2020/05/08 12:23:36. JobId=755.  . Type: Full' )
( eventid eq general ) and ( description contains 'Antivirus job started processing. Dequeue time=2020/05/08 12:26:09. Job Id=757.   ' )
( eventid eq general ) and ( description contains 'Antivirus package upgraded from version 3341-3852 to 3342-3853 by Auto update agent' )
( eventid eq general ) and ( description contains 'Antivirus update job succeeded  for user Auto update agent' )
( eventid eq general ) and ( description contains 'Antivirus update job succeeded  for user admin' )
( eventid eq general ) and ( description contains 'Antivirus version 3344-3855 downloaded by Auto update agent' )
( eventid eq general ) and ( description contains 'WildFire version 452278-455211 downloaded by Auto update agent' )
( eventid eq general ) and ( description contains 'WildFire job enqueued. Enqueue time=2020/05/09 07:50:11. JobId=20761.  . Type: Full' )
( eventid eq general ) and ( description contains 'WildFire job started processing. Dequeue time=2020/05/09 07:50:11. Job Id=20761.   ' )
( eventid eq general ) and ( description contains 'Installed WildFire package: panupv2-all-wildfire-452278-455211.tgz' )
( eventid eq general ) and ( description contains 'WildFire package upgraded from version 452267-455200 to 452278-455211 by Auto update agent' )
( eventid eq general ) and ( description contains 'WildFire update job succeeded  for user Auto update agent' )
( eventid eq general ) and ( description contains 'WildFire version 452627-455560 downloaded by Auto update agent' )
( eventid eq general ) and ( description contains 'Global protect update job succeeded  for user admin' )
( eventid eq general ) and ( description contains 'GlobalProtect data file version 1584366641 downloaded' )
( eventid eq general ) and ( description contains 'GlobalProtect data file version 1584366641 installed' )
( eventid eq general ) and ( description contains 'GlobalProtect job enqueued. Enqueue time=2020/04/24 00:46:20. JobId=4915.  . Type: Full' )
( eventid eq general ) and ( description contains 'GlobalProtect job started processing. Dequeue time=2020/04/24 00:46:20. Job Id=4915.   ' )
( eventid eq general ) and ( description contains 'GPclient version 86-182 downloaded by Auto update agent' )
( eventid eq general ) and ( description contains 'GlobalProtectClientlessVPN package upgraded from version 0 to 86-182 by admin' )
( eventid eq general ) and ( description contains 'Installed all-gp package: panup-all-gp-86-182.tgz' )
( eventid eq general ) and ( description contains 'Installed antivirus package: panup-all-antivirus-3342-3853.tgz' )
( eventid eq general ) and ( description contains 'Installed apps package: panupv2-all-apps-8269-6074.tgz' )
( eventid eq general ) and ( description contains 'Installed cms software version 8.1.14' )
( eventid eq general ) and ( description contains 'Installed contents package: panupv2-all-contents-8267-6070.tgz' )
( eventid eq general ) and ( description contains 'Installed gpclient software version 5.1.3' )
( eventid eq general ) and ( description contains 'Installed panos software version 8.1.14' )
( eventid eq general ) and ( description contains ' Accepted keyboard-interactive/pam for admin from 192.168.1.1 port 49038 ssh2' )
( eventid eq general ) and ( description contains ' Accepted password for admin from 192.168.1.1 port 52672 ssh2' )
( eventid eq general ) and ( description contains ' Accepted publickey for admin from 192.168.1.1 port 57668 ssh2: RSA c1:ee:ee:ee:ee:ee:73:83:20:83:75:a1:5e:55:ee:13' )
( eventid eq general ) and ( description contains ' Accepted publickey for ha-ssh-private-account from 192.168.1.1 port 45976 ssh2: RSA 5d:70:ee:ee:ee:ee:ee:b0:dd:64:ee:e4:57:ee:93:31' )
( eventid eq general ) and ( description contains ' LOGIN ON ttyS0 BY admin' )
( eventid eq general ) and ( description contains '012233445566 connected' )
( eventid eq general ) and ( description contains 'API key sent by peer is successfully set' )
( eventid eq general ) and ( description contains 'Auto update agent found no new WildFire updates' )
( eventid eq general ) and ( description contains 'AutoCom job enqueued. Enqueue time=2020/04/24 09:12:27. JobId=1.  . Type: Full' )
( eventid eq general ) and ( description contains 'AutoCom job started processing. Dequeue time=2020/04/24 09:12:27. Job Id=1.   ' )
( eventid eq general ) and ( description contains 'Autocommit job succeeded  ' )
( eventid eq general ) and ( description contains 'Candidate configuration loaded from running-config.xml by admin' )
( eventid eq general ) and ( description contains 'Candidate configuration partially loaded from named-file.xml by admin from xpath /config/devices/entry[@name=\'localhost.localdomain\']/vsys/entry[@name=\'vsys1\']/log-settings/profiles to xpath /config/devices/entry[@name=\'localhost.localdomain\']/device-group/entry[@name=\'Core\']/log-settings/profiles' )
( eventid eq general ) and ( description contains 'Candidate configuration reverted by admin. Changes reverted: changes to configuration by administrators: admin.Changes to shared configuration' )
( eventid eq general ) and ( description contains 'candidate configuration synchronized with HA peer by admin' )
( eventid eq general ) and ( description contains 'Certificate \'nameofcert\' imported into candidate configuration by admin' )
( eventid eq general ) and ( description contains 'Certificate and key pair \'nameofcert\' generated by admin' )
( eventid eq general ) and ( description contains 'Commit job started processing. Dequeue time=2020/04/24 17:52:04. JobId=19559.User: admin  ' )
( eventid eq general ) and ( description contains 'Commit job failed . Completion time=2020/04/24 14:01:41. JobId=18851. User:admin - schema verification failed' )
( eventid eq general ) and ( description contains 'Commit job cancelled . Completion time=2020/02/18 17:07:03. JobId=4669. User:admin' )
( eventid eq general ) and ( description contains 'CommitAll job enqueued for internet. Enqueue time=2020/05/07 14:40:40. JobId=20625. User: admin' )
( eventid eq general ) and ( description contains 'CommitAll job enqueued. Enqueue time=2020/05/07 11:35:08. JobId=698. User: admin. Type: Full' )
( eventid eq general ) and ( description contains 'CommitAll job succeeded. Completion time=2020/05/07 14:42:38. JobId=710. User:admin' )
( eventid eq general ) and ( description contains 'CommitAll job started processing. Dequeue time=2020/05/07 14:40:40. JobId=20625.User: admin  ' )
( eventid eq general ) and ( description contains 'CommitAll job failed . Completion time=2020/02/28 15:43:37. JobId=60371. User:admin' )
( eventid eq general ) and ( description contains 'CommitAll job failed. Completion time=2020/04/24 11:49:35. JobId=18231. User:admin' )
( eventid eq general ) and ( description contains 'CommitAndPush job enqueued. Enqueue time=2020/05/07 11:37:52. JobId=20578. User: admin. Type: Partial' )
( eventid eq general ) and ( description contains 'CommitAndPush job started processing. Dequeue time=2020/05/07 11:34:55. JobId=20565.User: admin  ' )
( eventid eq general ) and ( description contains 'CommitAndPush job succeeded. Completion time=2020/05/07 14:40:40. JobId=20615. User:admin' )
( eventid eq general ) and ( description contains 'Config bundle export file PanoramaName_20200506.tgz send  to host 172.23.8.22 port 21 user admin passive-mode yes' )
( eventid eq general ) and ( description contains 'Config installed' )
( eventid eq general ) and ( description contains 'Validate job enqueued. Enqueue time=2020/04/22 15:45:55. JobId=1072. User: admin. Type: Full' )
( eventid eq general ) and ( description contains 'Validate job started processing. Dequeue time=2020/04/22 15:45:55. Job Id=1072. User: admin ' )
( eventid eq general ) and ( description contains 'Validate job started processing. Dequeue time=2020/04/22 15:46:35. Job Id=1073. User: admin ' )
( eventid eq general ) and ( description contains 'Validate job succeeded. Completion time=2020/04/24 16:20:28. JobId=19. User:admin. Validate parameters: force=false,  device_network=false, shared_object=false. Vsys to validate:( count: 0).' )
( eventid eq general ) and ( description contains 'Validate job failed. Completion time=2020/04/24 10:57:11. JobId=7. User:admin.  Validate parameters: force=false,  device_network=false, shared_object=false. Vsys to validate:( count: 0)..' )
( eventid eq general ) and ( description contains 'ValidateAll job enqueued. Enqueue time=2020/04/24 16:20:11. JobId=19. User: admin. Type: Full' )
( eventid eq general ) and ( description contains 'ValidateAll job started processing. Dequeue time=2020/04/24 16:20:11. Job Id=30. User: admin ' )
( eventid eq general ) and ( description contains 'Panorama push device-group dg-name template t-name with merge-with-candidate-cfg include-template  flags set.JobId=706.User=admin. Dequeue time=2020/05/07 14:40:41.' )
( eventid eq general ) and ( description contains 'Panorama push template t-name with merge-with-candidate-cfg   flags set.JobId=32.User=admin. Dequeue time=2020/04/24 17:30:24.' )
( eventid eq general ) and ( description contains 'Panorama push to device:012233445566 for device-group: dg-name and template:t-name succeeded. JobId=20625' )
( eventid eq general ) and ( description contains 'Partial Commit for JobId=17783 by User: admin are: changes to configuration by administrators: admin.Changes to configuration in Panorama. Enqueue TIme=2020/04/23 16:23:44.' )
( eventid eq general ) and ( description contains 'Partial CommitAndPush for JobId=20590 by User: admin are: changes to configuration by administrators: admin.Changes to device-group configuration: (internet). Enqueue TIme=2020/05/07 11:41:45.' )
( eventid eq general ) and ( description contains 'Partial Validate for JobId=2270 by User: admin are: changes to configuration by administrators: admin.Changes to configuration in device and network. Enqueue TIme=2020/01/08 14:44:46.' )
( eventid eq general ) and ( description contains 'Configuration file filename.xml deleted by admin' )
( eventid eq general ) and ( description contains 'Configuration from filename.xml loaded by admin.' )
( eventid eq general ) and ( description contains 'Connected to Log Collector. ' )
( eventid eq general ) and ( description contains 'Connected to Log Collector. . Port:0, initiated by  Port:0' )
( eventid eq general ) and ( description contains 'Connected to Panorama Server. 192.168.1.1 Port:3978, initiated by 192.168.1.11 Port:59678' )
( eventid eq general ) and ( description contains 'Connection to Update server closed: , source: 192.168.1.1' )
( eventid eq general ) and ( description contains 'Connection to Update server closed: updates.paloaltonetworks.com, source: 192.168.1.1' )
( eventid eq general ) and ( description contains 'Correlation object 6012 added' )
( eventid eq general ) and ( description contains 'Debug filter pcap RX deleted by admin' )
( eventid eq general ) and ( description contains 'Deployment job update licenses for FW01, FW02 succeeded.' )
( eventid eq general ) and ( description contains 'Device certificate expires in 15 or less days' )
( eventid eq general ) and ( description contains 'Download error: Couldn\'t connect to server.' )
( eventid eq general ) and ( description contains 'EDL(EDL-Team-Cymru-Bogons-IPv6) Entry not referenced by a rule' )
( eventid eq general ) and ( description contains 'EDLRefresh job started processing. Dequeue time=2020/05/09 10:00:18. Job Id=10815.   ' )
( eventid eq general ) and ( description contains 'EDL(EDL-Team-Cymru-Bogons-IPv4) Refresh timer was cancelled due to a commit job' )
( eventid eq general ) and ( description contains 'Failed to connect to address: 192.168.1.1 port: 3978, conn id: lr-cms0-def' )
( eventid eq general ) and ( description contains 'Failed to connect to inter-logger-agent # 0 Server: 192.168.1.1 Port: 28270 Retry: 0' )
( eventid eq general ) and ( description contains 'Failed to connect to log collector Server: 192.168.1.1Port: 3978 Retry: 0' )
( eventid eq general ) and ( description contains 'Failed to connect to Panorama Server: 192.168.1.1 Port: 3978 Retry: 0' )
( eventid eq general ) and ( description contains 'Failed to establish SSL connection to lcs agent Server: 192.168.1.1 Port:3978 Retry: 0' )
( eventid eq general ) and ( description contains 'Failed to establish SSL connection to Panorama Server: 192.168.1.1 Port:3978 Retry: 42000' )
( eventid eq general ) and ( description contains 'HA-Sync job enqueued. Enqueue time=2020/04/24 17:19:42. JobId=24.  . Type: Full' )
( eventid eq general ) and ( description contains 'HA-Sync job started processing. Dequeue time=2020/04/24 17:19:42. Job Id=24.   ' )
( eventid eq general ) and ( description contains 'HA-Sync job succeeded. Completion time=2020/04/24 17:20:14. JobId=40. ' )
( eventid eq general ) and ( description contains 'HA sync failed for deactivate token file' )
( eventid eq general ) and ( description contains 'configuration sync\'d with HA peer' )
( eventid eq general ) and ( description contains 'Import of certificate \'name-of-certificate\' by admin failed. Mismatched public and private keys.' )
( eventid eq general ) and ( description contains 'Inter logger agent on 012233445566-inter-lc connected' )
( eventid eq general ) and ( description contains 'Key pair \'name-of-certificate\' imported into candidate configuration by admin' )
( eventid eq general ) and ( description contains 'lcs agent on 012233445566-log-collection connected' )
( eventid eq general ) and ( description contains 'localhost.localdomain connected' )
( eventid eq general ) and ( description contains 'Log redundancy is enabled for Log collector group default' )
( eventid eq general ) and ( description contains 'Log type system cleared by user admin ' )
( eventid eq general ) and ( description contains 'Management server shutting down' )
( eventid eq general ) and ( description contains 'Management server started. Running version 8.1.14' )
( eventid eq general ) and ( description contains 'Name resolution takes too long, disable name for report' )
( eventid eq general ) and ( description contains 'Name resolution takes too long, disable name for the report' )
( eventid eq general ) and ( description contains 'Name resolution takes too long, disable name for the report Top users' )
( eventid eq general ) and ( description contains 'Panorama licensed capacity (devices): 25' )
( eventid eq general ) and ( description contains 'Plugin vm_series-1.0.11 installed.' )
( eventid eq general ) and ( description contains 'Power Supply #1 (left) is not present on startup' )
( eventid eq general ) and ( description contains 'Power Supply #1 is not present on startup' )
( eventid eq general ) and ( description contains 'Power Supply #2 (right) is not present on startup' )
( eventid eq general ) and ( description contains 'Power Supply #2 is not present on startup' )
( eventid eq general ) and ( description contains 'Received conflicting ARP on interface ae2.11 indicating duplicate IP 192.168.1.1, sender mac cc:cc:bb:aa:ff:11' )
( eventid eq general ) and ( description contains 'Redistribution (MS Auto from:1 to:2) done' )
( eventid eq general ) and ( description contains 'Redistribution (MS Auto from:1 to:2) started' )
( eventid eq general ) and ( description contains 'Request made to  AutoFocus server is successful . ' )
( eventid eq general ) and ( description contains 'Request made to  PublicCloud server is successful . ' )
( eventid eq general ) and ( description contains 'Residual commit job snapshots were found. Will be cleared.' )
( eventid eq general ) and ( description contains 'running configuration synchronized with HA peer by admin' )
( eventid eq general ) and ( description contains 'Session for user svc_ossec via CLI from 192.168.1.1 timed out' )
( eventid eq general ) and ( description contains 'Succeeded exporting config bundle via ssh to 192.168.1.1. This system is for the use of authorized users only.     ..Individuals using this computer system without authority,..or in excess of their authority, are subject to having   ..all of their activities on this system monitored and     ..recorded by system personnel.....In the course of monitoring individuals improperly using ..this system, or in the course of system maintenance, the ..activities of authorized users may also be monitored.....Anyone ' )
( eventid eq general ) and ( description contains 'Succeeded exporting traffic log via ssh (last-calendar-day) to 192.168.1.1' )
( eventid eq general ) and ( description contains 'Succeeded marking traffic log as exported' )
( eventid eq general ) and ( description contains 'Successfully connect to address: 192.168.1.1 port: 3978, conn id: lr-192.168.1.1-def' )
( eventid eq general ) and ( description contains 'Successfully fetched device certificate from Palo Alto Networks' )
( eventid eq general ) and ( description contains 'Successfully generated Panorama server certificate' )
( eventid eq general ) and ( description contains 'synchronized candidate configuration from HA peer and local candidate configuration' )
( eventid eq general ) and ( description contains 'synchronized running configuration from HA peer and local candidate configuration' )
( eventid eq general ) and ( description contains 'The primary user attribute has been changed in one of the group-mapping configuration' )
( eventid eq general ) and ( description contains 'The rule hit counter for name-of-rule in vsys1 security rulebase with 105 hits, last hit at Tue Mar 10 14:11:29 2020 and first hit at Tue Mar 10 14:09:56 2020 was reset by user:admin ' )
( eventid eq general ) and ( description contains 'User admin accessed Monitor tab' )
( eventid eq general ) and ( description contains 'User admin exported the objects/addresses configuration data via the UI to a CSV file.' )
( eventid eq general ) and ( description contains 'User admin exported the objects/address-groups configuration data via the UI to a CSV file.' )
( eventid eq general ) and ( description contains 'User admin exported the objects/service-groups configuration data via the UI to a CSV file.' )
( eventid eq general ) and ( description contains 'User admin exported the objects/services configuration data via the UI to a CSV file.' )
( eventid eq general ) and ( description contains 'User admin exported the policies/security-rulebase/pre-rules configuration data via the UI to a CSV file.' )
( eventid eq general ) and ( description contains 'User admin logged in via Web from 192.168.1.1 using https' )
( eventid eq general ) and ( description contains 'User admin executes config audit' )
( eventid eq general ) and ( description contains 'User admin logged in via Panorama from 192.168.1.1 using http over an SSL connection' )
( eventid eq general ) and ( description contains 'User admin logged out via Panorama from 192.168.1.1' )
( eventid eq general ) and ( description contains 'User admin logged out via Web from 192.168.1.1' )
( eventid eq general ) and ( description contains 'User admin exported the panorama/managed-devices/summary configuration data via the UI to a CSV file.' )
( eventid eq general ) and ( description contains 'User admin logged out via CLI from 192.168.1.1' )
( eventid eq general ) and ( description contains 'User admin failed authentication from 192.168.1.1' )
( eventid eq general ) and ( description contains 'User admin logged in via CLI from 192.168.1.1' )
( eventid eq general ) and ( description contains 'VM Appliance license is fetched and installed. Restarting pan services due to capacity change.' )
( eventid eq general ) and ( description contains 'VM Appliance license is installed.' )
( eventid eq general ) and ( description contains 'VPN Disable mode = off' )
( eventid eq general ) and ( description contains 'WildFire update job succeeded  for user admin' )