Firewall (FW)

IDPS firewall

Workload location	Hardware
Audit log source	Palo Alto Firewall
Audited operations	Log in to Web UI and show settings Commit job changes

Log in to Web UI and show settings

Fields in the log entry that contain audit information
Audit metadata	Audit field name	Value
User or service identity	`message`	A subset of the `message` value. For example, `admin`
Target (Fields and values that call the API)	`message`	For example, `"message":"012501009150,2022/11/22 12:03:54,audit,2561,gui-op,admin,\"<show><system><setting><multi-vsys/></setting></system></show>\",success"`
Action (Fields containing the performed operation)	`message`	A subset of the `message` value. For example, `gui-op,admin,\"<show><system><setting><multi-vsys/></setting></system></show>\"`
Event timestamp	`time`	For example, `"time": "2022-11-22T12:03:55-08:00"`
Source of action	`host`	For example, `"host":"10.251.72.101"`
Outcome	Not applicable	Not applicable
Other fields	Not applicable	Not applicable

Example log

{
  "pri": "14",
  "time": "2022-11-22T12:03:55-08:00",
  "host": "10.251.72.101",
  "ident": "-",
  "pid": "-",
  "msgid": "-",
  "extradata": "-",
  "message": "012501009150,2022/11/22 12:03:54,audit,2561,gui-op,admin,\"<show><system><setting><multi-vsys/></setting></system></show>\",success",
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-6lgds",
  "_gdch_service_name": "panw_audit_logs"
}

Commit job changes

Fields in the log entry that contain audit information
Audit metadata	Audit field name	Value
User or service identity	`message`	A subset of the `message` value. For example, `admin`
Target (Fields and values that call the API)	`message`	For example, `"message":"1,2022/11/22 12:11:33,012501009150,CONFIG,0,2561,2022/11/22 12:11:33,10.251.72.79,,commit,admin,Web,Submitted,,7168767370163388448,0x0,0,0,0,0,,zb-aa-fw01,0,,0,2022-11-22T12:11:34.635-08:00"`
Action (Fields containing the performed operation)	`message`	A subset of the `message` value. For example, `Web,Submitted`
Event timestamp	`time`	For example, `"time": "2022-11-22T12:11:34-08:00"`
Source of action	`host`	For example, `"host":"10.251.72.101"`
Outcome	Not applicable	Not applicable
Other fields	Not applicable	Not applicable

Example log

{
  "pri": "14",
  "time": "2022-11-22T12:11:34-08:00",
  "host": "10.251.72.101",
  "ident": "-",
  "pid": "-",
  "msgid": "-",
  "extradata": "-",
  "message": "1,2022/11/22 12:11:33,012501009150,CONFIG,0,2561,2022/11/22 12:11:33,10.251.72.79,,commit,admin,Web,Submitted,,7168767370163388448,0x0,0,0,0,0,,zb-aa-fw01,0,,0,2022-11-22T12:11:34.635-08:00",
  "_gdch_cluster": "root-admin",
  "_gdch_fluentbit_pod": "anthos-audit-logs-forwarder-6lgds",
  "_gdch_service_name": "panw_audit_logs"
}