https://www.staffordnet.uk/ 2026-04-06T00:40:05+00:00 https://www.staffordnet.uk/ https://www.staffordnet.uk/lib/exe/fetch.php?media=favicon.ico text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:auth&rev=1669207782&do=diff Auth Syslogs ( auth_method eq Other ) can mean local DB users. Critical ( subtype eq auth ) and ( severity eq critical ) ( eventid eq auth-server-down ) and ( description contains '3 tries to bind back to binddn failed: basedn: DC=DOMAIN,DC=LOCAL ; binddn: administrator@domain.local ; bind_timelimit 30 ; ip: 10.1.1.10 ; uri: ldap://10.1.1.10:389' ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:crypto&rev=1669207782&do=diff Crypto Syslogs Critical ( subtype eq crypto ) and ( severity eq critical ) ( eventid eq private-key-export ) and ( description contains 'Private key nameofcert was exported by user admin' ) ( eventid eq cert-expiry ) and ( description contains 'Shared certificate nameofcert and corresponding key have expired' ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:dhcp&rev=1669207782&do=diff DHCP Syslogs Critical ( subtype eq dhcp ) and ( severity eq critical ) ( eventid eq if-clear ) and ( object eq 'ethernet1/1' ) and ( description contains 'DHCP client cleared IP address on interface:ethernet1/1 due to: All Request retries exhausted.' ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:dnsproxy&rev=1669207782&do=diff DNS Proxy Syslogs Informational ( subtype eq dnsproxy ) and ( severity eq informational ) ( eventid eq object-enable ) and ( object eq dnsproxyName ) and ( description contains 'Dnsproxy object:mgmt-obj was enabled.' ) ( eventid eq cache-cleared ) and ( object eq dnsproxyName ) and ( description contains 'All DNS Proxy cache entries were cleared' ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:fips&rev=1669207782&do=diff FIPS Syslogs Informational ( subtype eq fips ) and ( severity eq informational ) ( eventid eq fips-selftest-integ ) and ( description contains 'Software-integrity self-tests passed.' ) ( eventid eq fips-selftest-integ ) and ( description contains 'RPMS self-tests passed.' ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:general&rev=1669207782&do=diff Useful Commit Description If the administrator includes a description when commiting, it can be found by filtering ( description contains 'Commit job started processing' ) The actuall output will look something like the following. (Yes, there is a space after the username). text/html 2023-02-03T11:27:25+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:globalprotect&rev=1675423645&do=diff GlobalProtect System Logs (< PAN-OS 9.1) GP Login/Logout (( eventid eq gateway-connected ) or ( eventid eq gateway-logout )) (( eventid eq gateway-connected ) or ( eventid eq gateway-logout )) and ( machinename eq GB1LT11111 ) and ( user.src eq jbloggs ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:ha&rev=1669207782&do=diff HA System Logs Critical ( subtype eq ha ) and ( severity eq critical ) Panorama ( eventid eq connect-change ) and ( description contains 'HA1 connection down' ) Firewall ( eventid eq dataplane-down ) and ( description contains 'HA Group 1: Dataplane is down: too many dataplane processes exited' ) text/html 2022-12-02T10:50:02+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:hw&rev=1669978202&do=diff Hardware Syslogs Critical ( subtype eq hw ) and ( severity eq critical ) ( eventid eq fan-fai ) and ( description contains 'Alarm on Fan #4 RPM' ) ( eventid eq bootstrap-media-detect ) and ( description contains 'Media detect failed due to internal error' ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:iot&rev=1669207782&do=diff IoT Syslogs High ( subtype eq iot ) and ( severity eq high) ( eventid eq icd-ha-status ) and ( description contains 'Icd HA state is changed from 0 to 1 time: 2021-03-27 18:41:52' ) ( eventid eq icd-ha-status ) and ( description contains 'Icd HA state is changed from 1 to 0 time: 2021-03-27 18:25:43' ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:lacp&rev=1669207782&do=diff LACP Syslog Critical ( subtype eq lacp ) and ( severity eq critical ) ( eventid eq unresponsive ) and ( object eq 'ethernet1/12' ) and ( description contains 'LACP interface ethernet1/12 moved out of AE-group ae2(peer is not responding to new LACP connection)' ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:monitoring&rev=1669207782&do=diff Monitoring Syslogs These logs are on Panorama only. They should also exist on the firewall but they will be classed under ( subtype eq general) and ( severity eq informational ) Informational ( subtype eq monitoring) and ( severity eq informational ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:ntpd&rev=1669207782&do=diff NTP Syslog Medium ( subtype eq ntpd ) and ( severity eq medium ) ( eventid eq auth ) and ( description contains 'NTP sync to server 192.168.1.1 failed, authentication type none' ) Informational ( subtype eq ntpd ) and ( severity eq informational ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:panorama-check&rev=1669207782&do=diff Panorama Check Syslogs text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:port&rev=1669207782&do=diff Port Syslog High ( subtype eq port ) and ( severity eq high ) ( eventid eq link-change ) and ( object eq MGT ) and ( description contains 'Port MGT: Down 1Gb/s Full duplex' ) Medium I've seen this on a PA-850 that has SFP+ enabled on ports 9-12 and had a DAC SFP+ cable installed. Not sure what cause this message. text/html 2023-02-27T08:47:07+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:pppoe&rev=1677487627&do=diff PPPoE Syslog Informational ( subtype eq pppoe ) and ( severity eq informational ) ( eventid eq initiate ) and ( description contains 'PPPoE session was initiated for user:username@isp on interface:ethernet1/1' ) ( eventid eq connect ) and ( description contains 'PPPoE session was connected for user:username@isp on interface:ethernet1/1 to AC:BNG5.TGN-NYK-RA0, mac address: cc:cc:11:ee:bb:ff, session id:4, IP Address negotiated:1.2.3.4' ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:raid&rev=1669207782&do=diff RAID Syslogs Critical ( subtype eq raid ) and ( severity eq critical ) ( eventid eq pair-disappeared ) and ( description contains 'Disk Pair A disappeared.' ) Medium ( subtype eq raid ) and ( severity eq medium ) ( eventid eq pair-degraded ) and ( description contains 'Disk Pair A is degraded and missing a device.' ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:ras&rev=1669207782&do=diff RAS Syslog Informational ( subtype eq ras ) and ( severity eq informational ) ( eventid eq rasmgr-config-p1-success ) and ( description contains 'RASMGR daemon configuration load phase-1 succeeded.' ) ( eventid eq rasmgr-config-p2-success ) and ( description contains 'RASMGR daemon configuration load phase-2 succeeded.' ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:routing&rev=1669207782&do=diff Routing System Logs Critical ( subtype eq routing ) and ( severity eq critical ) ( eventid eq path-monitor-failure ) and ( object eq default ) and ( description contains 'Path monitoring failed for static route destination 10.0.0.0/8 with next hop 0.0.0.0. Route removed.' ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:rtsig&rev=1669207782&do=diff RTSIG Syslogs These logs are for the connection between PAN-OS and the DNS Security cloud service. Medium ( subtype eq rtsig ) and ( severity eq medium ) ( eventid eq cloud-fail-refused ) and ( object eq dns-signature ) and ( description contains 'dns-signature cloud service connection refused.' ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:satd&rev=1669207782&do=diff SATD Syslog Informational ( subtype eq satd ) and ( severity eq informational ) ( eventid eq satd-config-p1-success ) and ( description contains 'SATD daemon configuration load phase-1 succeeded.' ) ( eventid eq satd-config-p2-success ) and ( description contains 'SATD daemon configuration load phase-2 succeeded.' ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:ssh&rev=1669207782&do=diff SSH Syslog Medium ( subtype eq ssh ) and ( severity eq medium ) ( eventid eq ssh-session-establishment-failed ) and ( description contains 'Protocol major versions differ for 192.168.1.1: SSH-2.0-OpenSSH_12.1 vs. SSH-1.5-Nmap-SSH1-Hostkey.' ) ( eventid eq ssh-session-establishment-failed ) and ( description contains 'Protocol major versions differ for 192.168.1.1: SSH-2.0-OpenSSH_12.1 vs. SSH-1.5-NmapNSE_1.0.' ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:sslmgr&rev=1669207782&do=diff SSLMGR Syslog Informational ( subtype eq sslmgr ) and ( severity eq informational ) ( eventid eq sslmgr-config-p1-success ) and ( description contains 'SSLMGR daemon configuration load phase-1 succeeded.' ) ( eventid eq sslmgr-config-p2-success ) and ( description contains 'SSLMGR daemon configuration load phase-2 succeeded.' ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:summary&rev=1669207782&do=diff Syslog Summary PAN-OS has the following syslog types * ( subtype neq general ) * ( subtype neq dnsproxy ) * ( subtype neq sslmgr ) * ( subtype neq satd ) * ( subtype neq ras ) * ( subtype neq vpn ) * ( subtype neq routing ) * ( subtype neq url-filtering ) * ( subtype neq auth ) * ( subtype neq text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:syslog&rev=1669207782&do=diff Syslog Sylogs High ( subtype eq syslog ) and ( severity eq high ) ( eventid eq syslog-conn-status ) and ( description contains 'Syslog connection failed to server[\'AF_INET.192.168.1.1:514.\']' ) ( eventid eq syslog-conn-status ) and ( description contains 'Syslog connection established to server[\'AF_INET.192.168.1.1:5515.\']' ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:tls&rev=1669207782&do=diff TLS Syslog High PAN let WF cert expire 12th April 2020. ( subtype eq tls ) and ( severity eq high ) ( eventid eq tls-X509-validation-failed ) and ( description contains ' Public Cloud Server certificate validation failed. Dest Addr: eu-panos.wildfire.paloaltonetworks.com, Reason: certificate has expired' ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:url-filtering&rev=1669207782&do=diff URL Filtering Syslog Medium ( subtype eq url-filtering ) and ( severity eq medium ) ( eventid eq url-cloud-connection-failure ) and ( description contains 'CURL ERROR: bind failed with errno 124: Address family not supported by protocol' ) ( eventid eq url-cloud-connection-failure ) and ( description contains 'CURL ERROR: bind failed with errno 97: Address family not supported by protocol' ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:userid&rev=1669207782&do=diff User-ID Syslogs Critical ( subtype eq userid ) and ( severity eq critical ) ( eventid eq registered-ip-max-platform-limit-exceeded ) and ( description contains 'max registered-ip for the platform reached (1000)' ) High ( subtype eq userid ) and ( severity eq high ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:vpn&rev=1669207782&do=diff VPN Syslog Messages ( subtype eq vpn ) Critical ( subtype eq vpn ) and ( severity eq critical ) ( eventid eq tunnel-status-up ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'Tunnel IPSEC_TUN_NAME is down' ) ( eventid eq tunnel-status-down ) and ( object eq IPSEC_TUN_NAME ) and ( description contains 'Tunnel IPSEC_TUN_NAME is down' ) text/html 2022-11-23T12:49:42+00:00 Anonymous (anonymous@undisclosed.example.com) https://www.staffordnet.uk/doku.php?id=paloaltonetworks:logs:syslog:wildfire&rev=1669207782&do=diff WildFire Syslogs Critical This happened when Palo Alto Networks let their wildfire certificate expire in early 2020. ( subtype eq wildfire ) and ( severity eq critical ) ( eventid eq wildfire-auth-failed ) and ( description contains 'Validation of Local client certificate failed resulting in error 58, Problem with the local SSL certificate' )