Palo Alto Networks Threat Log
Records security threats detected by the firewall including viruses, spyware, vulnerability exploits, command-and-control traffic, and malicious URLs
Quick Facts
Default Path (Linux): Syslog receiver (e.g., /var/log/paloalto/threat.log)
Docker: /var/log/pan/threat.log
Default Format: CSV (Comma-Separated Values)
JSON Native: No
Rotation: Configurable via syslog server or Panorama retention policies
The firewall keeps threat logs in its own on-box log database; the paths above are wherever your syslog receiver or Panorama writes the forwarded copies, so they depend entirely on the collector configuration.
Log Example
Default format: CSV Format (Syslog)
Example Log Entry
```
1,2026/01/02 14:23:45,007654321012,THREAT,vulnerability,2560,2026/01/02 14:23:45,192.168.1.50,203.0.113.100,0.0.0.0,0.0.0.0,Block-Threats,domain\jdoe,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-to-Panorama,2026/01/02 14:23:45,54321,1,52000,80,0,0,0x400000,tcp,alert,"Apache Struts Remote Code Execution Vulnerability",Palo Alto Networks - Known Vulnerabilities,informational,client-to-server,123456789,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,critical,high,41756,0,,0,,PA-3260,from-policy,,,0,,0,,N/A,0,0,0,0
```
Structure: comma-separated values with threat-specific fields. Two caveats for anyone writing a positional parser: field order and field count differ between PAN-OS releases, and in the documented format the threat name and its numeric ID travel together in one field as Name(id); validate any column map against the threat log field reference for the exact release you forward from. The threat name is quoted and can itself contain commas, so parse with a CSV reader rather than splitting on commas.
Paths by Platform
Syslog Server: /var/log/paloalto/threat.log
Available Formats
CSV Format (Syslog)
Default; see the example above.
CEF Format
Example:
```
CEF:0|Palo Alto Networks|PAN-OS|11.0.0|THREAT|vulnerability|8|src=192.168.1.50 dst=203.0.113.100 spt=52000 dpt=80 proto=tcp act=alert cs1=Block-Threats cs1Label=Rule cs2=Apache Struts Remote Code Execution Vulnerability cs2Label=ThreatName cn1=41756 cn1Label=ThreatID
```
Structure: Common Event Format for SIEM integration. The pipe-delimited header carries CEF version, vendor, product, PAN-OS version, log type, subtype and a numeric severity; everything after the seventh pipe is the extension, a space-separated list of key=value pairs in which custom strings (cs1, cs2) and custom numbers (cn1) are named by their matching cs1Label/cs2Label/cn1Label keys.
Fields Reference
| Field | Type | Description | Example |
|---|---|---|---|
| receive_time | datetime | Time the log was received at the management plane | 2026/01/02 14:23:45 |
| serial | string | Serial number of the firewall | 007654321012 |
| type | string | Log type (always THREAT for threat logs) | THREAT |
| subtype | string | Threat log subtype indicating the threat category (e.g., vulnerability, virus, spyware, url, wildfire) | vulnerability |
| time_generated | datetime | Time the log was generated on the dataplane | 2026/01/02 14:23:45 |
| src | ip | Source IP address of the session (the session initiator) | 192.168.1.50 |
| dst | ip | Destination IP address | 203.0.113.100 |
| natsrc | ip | Post-NAT source IP address (0.0.0.0 when no NAT applied) | 198.51.100.10 |
| natdst | ip | Post-NAT destination IP address | 203.0.113.100 |
| rule | string | Security policy rule name that matched | Block-Threats |
| srcuser | string | Source user (from User-ID) | domain\jdoe |
| dstuser | string | Destination user | |
| app | string | Application identified by App-ID | web-browsing |
| vsys | string | Virtual system name | vsys1 |
| from | string | Source security zone | trust |
| to | string | Destination security zone | untrust |
| inbound_if | string | Inbound interface | ethernet1/2 |
| outbound_if | string | Outbound interface | ethernet1/1 |
| log_action | string | Log forwarding profile applied to the session | Forward-to-Panorama |
| sessionid | integer | Unique session identifier | 54321 |
| repeat | integer | Number of sessions with the same src, dst, app and subtype seen within 5 seconds | 1 |
| sport | integer | Source port | 52000 |
| dport | integer | Destination port | 80 |
| natsport | integer | Post-NAT source port | 0 |
| natdport | integer | Post-NAT destination port | 0 |
| flags | string | Hexadecimal bit field describing session properties (captive portal, decrypted, pcap taken, ...) | 0x400000 |
| proto | string | IP protocol | tcp |
| action | string | Action taken on the threat (alert, allow, drop, reset-client, reset-server, reset-both, block-url, block-ip, sinkhole, ...) | alert |
| threatname | string | Name of the detected threat or signature | Apache Struts Remote Code Execution Vulnerability |
| threat_category | string | Threat category for URL filtering or threat prevention | Palo Alto Networks - Known Vulnerabilities |
| severity | string | Severity level of the threat (informational, low, medium, high, critical) | critical |
| direction | string | Direction of the attack relative to the session initiator (client-to-server or server-to-client) | client-to-server |
| seqno | integer | 64-bit log entry identifier that increments per log type | |
| action_flags | string | Bit field; 0x8000000000000000 indicates the log was forwarded to Panorama | 0x8000000000000000 |
| srcloc | string | Source country or internal address range | 192.168.0.0-192.168.255.255 |
| dstloc | string | Destination country or internal address range | United States |
| threatid | integer | Unique threat ID from the threat database | 41756 |
| pcap_id | integer | Packet capture ID if capture was triggered | 0 |
| filedigest | string | SHA256 hash of the file (for file-based threats) | a1b2c3d4e5f6... |
| cloud | string | WildFire cloud where the file was analyzed | wildfire.paloaltonetworks.com |
| misc | string | URL or filename that triggered the threat (the separate url_idx field is an integer index used to correlate with URL Filtering logs, not the URL itself) | /admin/struts/execute.action |
| contenttype | string | Content type of the file or data | application/x-java-archive |
| device_name | string | Firewall hostname | PA-3260 |
| file_url | string | URL from which the file was downloaded | http://malicious.com/payload.exe |
| sender | string | Email sender (for email-based threats) | attacker@malicious.com |
| recipient | string | Email recipient (for email-based threats) | victim@company.com |
| subject | string | Email subject (for email-based threats) | Invoice Attached |
| reportid | integer | WildFire report ID | 123456789 |
Parsing Patterns
Grok Patterns
PAN-OS timestamps use slashes (2026/01/02 14:23:45), which %{TIMESTAMP_ISO8601} does not match, so the three timestamp fields use an inline named capture. Fields whose values contain hyphens (subtype such as wildfire-virus, action such as reset-both) must not use %{WORD}, and the threat name is captured with its surrounding quotes so that a comma inside the name does not shift the remaining columns.
csv:
```
%{INT:future_use1},(?<receive_time>%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME}),%{DATA:serial},%{WORD:type},%{DATA:subtype},%{INT:future_use2},(?<time_generated>%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME}),%{IP:src},%{IP:dst},%{IP:natsrc},%{IP:natdst},%{DATA:rule},%{DATA:srcuser},%{DATA:dstuser},%{DATA:app},%{DATA:vsys},%{DATA:from},%{DATA:to},%{DATA:inbound_if},%{DATA:outbound_if},%{DATA:log_action},(?<time_logged>%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME}),%{INT:sessionid},%{INT:repeat},%{INT:sport},%{INT:dport},%{INT:natsport},%{INT:natdport},%{DATA:flags},%{WORD:proto},%{DATA:action},(?<threatname>"[^"]*"|[^,]*),%{DATA:threat_category},%{WORD:severity},%{DATA:direction},%{INT:seqno},%{DATA:action_flags},%{DATA:srcloc},(?<dstloc>[^,]*)
```
Regular Expressions
The same quoting rule applies here: a [^,]* capture for threatname silently misaligns every later group as soon as a signature name contains a comma.
csv:
```
^(?P<future_use1>\d+),(?P<receive_time>[^,]+),(?P<serial>[^,]+),(?P<type>THREAT),(?P<subtype>[^,]+),(?P<future_use2>\d+),(?P<time_generated>[^,]+),(?P<src>[^,]+),(?P<dst>[^,]+),(?P<natsrc>[^,]+),(?P<natdst>[^,]+),(?P<rule>[^,]*),(?P<srcuser>[^,]*),(?P<dstuser>[^,]*),(?P<app>[^,]+),(?P<vsys>[^,]+),(?P<from>[^,]+),(?P<to>[^,]+),(?P<inbound_if>[^,]+),(?P<outbound_if>[^,]+),(?P<log_action>[^,]*),(?P<time_logged>[^,]+),(?P<sessionid>\d+),(?P<repeat>\d+),(?P<sport>\d+),(?P<dport>\d+),(?P<natsport>\d+),(?P<natdport>\d+),(?P<flags>[^,]*),(?P<proto>[^,]+),(?P<action>[^,]+),(?P<threatname>"[^"]*"|[^,]*),(?P<threat_category>[^,]*),(?P<severity>[^,]*)
```
Collector Configurations
Splunk (props.conf)
```ini
# Splunk TA for Palo Alto Networks
[pan:threat]
TIME_FORMAT = %Y/%m/%d %H:%M:%S
# Skip the leading future_use field (and any syslog header) up to the first comma
TIME_PREFIX = ^[^,]*,
MAX_TIMESTAMP_LOOKAHEAD = 44
SHOULD_LINEMERGE = false
TRUNCATE = 8192
pulldown_type = true

# props.conf for syslog input; the pan_threat stanza it references must be
# defined in transforms.conf (not shown here)
[source::udp:514]
TRANSFORMS-pan_threat = pan_threat
sourcetype = pan:threat

# High severity threat alerts
[pan:threat]
EVAL-severity_score = case(severity=="critical",5,severity=="high",4,severity=="medium",3,severity=="low",2,severity=="informational",1,true(),0)
```
Note that the Palo Alto Networks Add-on for Splunk already ships its own props for the pan:threat sourcetype; the stanzas above are only needed when you index the syslog feed without that add-on.
Configuration
Enable Logging
Enable threat logging in security profiles
```
# Configure Antivirus Profile
set profiles virus <profile-name> decoder <type> action alert
set profiles virus <profile-name> mlav-engine-filebased-enabled yes
# Configure Anti-Spyware Profile
set profiles spyware <profile-name> rules <rule-name> severity critical action alert
set profiles spyware <profile-name> botnet-domains lists default-paloalto-dns action sinkhole
# Configure Vulnerability Protection Profile
set profiles vulnerability <profile-name> rules <rule-name> severity critical action reset-both
# Apply profiles to security rules
set rulebase security rules <rule-name> profile-setting profiles virus <av-profile>
set rulebase security rules <rule-name> profile-setting profiles spyware <as-profile>
set rulebase security rules <rule-name> profile-setting profiles vulnerability <vp-profile>
```
Ensure the Threat Prevention license is active; without it the profiles above generate no threat logs.
Log To Syslog
Configure syslog forwarding for threat logs
```
# Create log forwarding profile for threats
set shared log-settings profiles <profile-name> match-list <match-name> log-type threat
set shared log-settings profiles <profile-name> match-list <match-name> filter "All Logs"
set shared log-settings profiles <profile-name> match-list <match-name> send-syslog <syslog-profile>
# Forward only critical/high severity
set shared log-settings profiles <profile-name> match-list critical-threats log-type threat
set shared log-settings profiles <profile-name> match-list critical-threats filter "(severity eq critical) or (severity eq high)"
set shared log-settings profiles <profile-name> match-list critical-threats send-syslog <syslog-profile>
# A log forwarding profile only takes effect once a security rule references it
set rulebase security rules <rule-name> log-setting <profile-name>
```
Use Cases
Threat volume monitoring
Track daily threat detection rates and trends. Fields: subtype, severity, time_generated.
```
GROUP BY time_bucket(1h), severity | STATS count()
```
Top attacked hosts
Identify internal hosts receiving the most threats. Fields: dst, threatname, severity. Because src and dst describe the session initiator, dst is the victim only for client-to-server threats; for server-to-client threats (exploit kits, malicious downloads) the attacked host is src.
```
GROUP BY dst | STATS count() | SORT count DESC | LIMIT 10
```
Threat prevention effectiveness
Measure the block vs alert ratio. Fields: action, subtype. Count an event as blocked when action is one of drop, reset-client, reset-server, reset-both, block-url, block-ip or sinkhole; alert and allow only record the threat.
```
GROUP BY action | STATS count() as total | EVAL block_rate = blocked/total
```
Troubleshooting
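The parser and the three use-case queries above, as an added example for this page rather than code from Palo Alto Networks or the original page. It assumes the column order the grok pattern on this page uses for the first 39 fields (verify against your release), treats the listed drop/reset/block/sinkhole actions as "blocked", picks the attacked host by direction rather than always using dst, and runs on constructed sample lines (one with a syslog header, one with a comma inside the quoted threat name, one TRAFFIC record that must be ignored).

```python
"""Positional parser plus the use-case queries for PAN-OS THREAT syslog CSV.

Added example (not Palo Alto Networks code). Assumptions: column order
follows the grok pattern on this page for the first 39 fields; the sample
log lines below are constructed, not captured from a firewall.
"""
import csv
import re
from collections import Counter
from datetime import datetime

# Column order of the first 39 CSV fields as the page's grok pattern names them.
# Field order changes between PAN-OS releases: verify against your release.
THREAT_FIELDS = [
    "future_use1", "receive_time", "serial", "type", "subtype", "future_use2",
    "time_generated", "src", "dst", "natsrc", "natdst", "rule", "srcuser",
    "dstuser", "app", "vsys", "from", "to", "inbound_if", "outbound_if",
    "log_action", "time_logged", "sessionid", "repeat", "sport", "dport",
    "natsport", "natdport", "flags", "proto", "action", "threatname",
    "threat_category", "severity", "direction", "seqno", "action_flags",
    "srcloc", "dstloc",
]

# Actions that stop the threat (assumed set); alert/allow/continue only log it.
BLOCK_ACTIONS = {"drop", "reset-client", "reset-server", "reset-both",
                 "block-url", "block-ip", "sinkhole", "random-drop"}

# Same mapping as the Splunk EVAL-severity_score on this page.
SEVERITY_SCORE = {"critical": 5, "high": 4, "medium": 3, "low": 2, "informational": 1}

PAN_TIME_FMT = "%Y/%m/%d %H:%M:%S"

# The CSV payload starts with "<future_use>,<YYYY/MM/DD HH:MM:SS>,"; anything
# before it (syslog PRI, timestamp, hostname) is transport framing we skip.
RECORD_START = re.compile(r"\d+,\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2},")


def parse_threat_line(line):
    """Parse one syslog line; return a dict, or None if it is not a THREAT record."""
    m = RECORD_START.search(line)
    if not m:
        return None
    # csv honours the quoted threat name, which may itself contain commas;
    # a [^,]* regex or str.split would shift every later column.
    row = next(csv.reader([line[m.start():]]))
    if len(row) < 4 or row[3] != "THREAT":
        return None
    row += [""] * (len(THREAT_FIELDS) - len(row))  # tolerate short lines
    ev = dict(zip(THREAT_FIELDS, row))
    for key in ("sessionid", "repeat", "sport", "dport", "natsport", "natdport"):
        ev[key] = int(ev[key]) if ev[key].isdigit() else 0
    ev["time_generated"] = datetime.strptime(ev["time_generated"], PAN_TIME_FMT)
    ev["severity_score"] = SEVERITY_SCORE.get(ev["severity"], 0)
    return ev


def load_events(lines):
    return [ev for ev in map(parse_threat_line, lines) if ev is not None]


def hourly_counts(events):
    """Threat volume per hour and severity (the time_bucket(1h) query above)."""
    return Counter((ev["time_generated"].strftime("%Y-%m-%d %H:00"), ev["severity"])
                   for ev in events)


def victim_host(ev):
    """src/dst describe the session initiator, so for server-to-client threats
    (exploit kits, malicious downloads) the attacked endpoint is src, not dst."""
    return ev["src"] if ev["direction"] == "server-to-client" else ev["dst"]


def top_targets(events, n=10):
    """Most-attacked hosts; generalises the page's GROUP BY dst using direction."""
    return Counter(victim_host(ev) for ev in events).most_common(n)


def block_rate(events):
    """Prevention effectiveness as (blocked, total, blocked/total)."""
    total = len(events)
    blocked = sum(1 for ev in events if ev["action"] in BLOCK_ACTIONS)
    return blocked, total, (blocked / total if total else 0.0)


# Constructed sample feed: syslog-framed line, sinkholed DNS, a quoted name with a
# comma, an inbound exploit attempt, a TRAFFIC record to ignore, and an exploit kit.
SAMPLE_LINES = [
    r'<14>Jan  2 14:23:45 PA-3260 1,2026/01/02 14:23:45,007654321012,THREAT,vulnerability,2560,2026/01/02 14:23:45,192.168.1.50,203.0.113.100,0.0.0.0,0.0.0.0,Block-Threats,domain\jdoe,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-to-Panorama,2026/01/02 14:23:45,54321,1,52000,80,0,0,0x400000,tcp,alert,"Apache Struts Remote Code Execution Vulnerability",any,critical,client-to-server,123456789,0x8000000000000000,192.168.0.0-192.168.255.255,United States',
    r'1,2026/01/02 15:05:10,007654321012,THREAT,spyware,2560,2026/01/02 15:05:09,10.0.0.7,198.51.100.20,0.0.0.0,0.0.0.0,Block-Threats,,,dns-base,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-to-Panorama,2026/01/02 15:05:09,54400,1,41000,53,0,0,0x0,udp,sinkhole,"Suspicious DNS Query (generic:evil.example)",any,medium,client-to-server,123456790,0x0,10.0.0.0-10.255.255.255,United States',
    r'1,2026/01/02 15:30:00,007654321012,THREAT,virus,2560,2026/01/02 15:29:59,192.168.1.50,203.0.113.55,0.0.0.0,0.0.0.0,Block-Threats,domain\jdoe,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-to-Panorama,2026/01/02 15:29:59,54501,1,53000,80,0,0,0x400000,tcp,reset-both,"Trojan.Generic, variant A",any,high,server-to-client,123456791,0x0,192.168.0.0-192.168.255.255,United States',
    r'1,2026/01/02 16:10:00,007654321012,THREAT,vulnerability,2560,2026/01/02 16:09:58,203.0.113.9,192.168.1.60,0.0.0.0,0.0.0.0,Inbound-Web,,,web-browsing,vsys1,untrust,trust,ethernet1/1,ethernet1/2,Forward-to-Panorama,2026/01/02 16:09:58,54600,1,44000,443,0,0,0x400000,tcp,drop,"Generic HTTP Request Smuggling Attempt",any,critical,client-to-server,123456792,0x0,United States,192.168.0.0-192.168.255.255',
    r'1,2026/01/02 16:11:00,007654321012,TRAFFIC,end,2560,2026/01/02 16:11:00,192.168.1.50,203.0.113.100,0.0.0.0,0.0.0.0,Allow-Web,domain\jdoe,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-to-Panorama,2026/01/02 16:11:00,54800,1,53200,80,0,0,0x19,tcp,allow,1234,600,634,9,2026/01/02 16:10:30,30,any,0,123456794,0x0,192.168.0.0-192.168.255.255,United States,0,5,4,tcp-fin',
    r'1,2026/01/02 16:45:00,007654321012,THREAT,vulnerability,2560,2026/01/02 16:44:59,192.168.1.50,203.0.113.77,0.0.0.0,0.0.0.0,Block-Threats,domain\jdoe,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-to-Panorama,2026/01/02 16:44:59,54700,1,53100,80,0,0,0x400000,tcp,reset-both,"Browser Exploit Kit Landing Page Detection",any,high,server-to-client,123456793,0x0,192.168.0.0-192.168.255.255,United States',
]

if __name__ == "__main__":
    events = load_events(SAMPLE_LINES)
    print("parsed THREAT records:", len(events))
    for (hour, sev), n in sorted(hourly_counts(events).items()):
        print(f"{hour} {sev:<13} {n}")
    print("top targets:", top_targets(events, 3))
    blocked, total, rate = block_rate(events)
    print(f"block rate: {blocked}/{total} = {rate:.0%}")
```

Running it shows the TRAFFIC line dropped, the comma-bearing virus name kept intact with severity still landing in the right column, 192.168.1.50 surfacing as the top victim only because the two server-to-client detections are attributed to the session initiator, and a block rate of 4/5 since the Struts detection was merely alerted on.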
Tested On
PAN-OS 11.1.0 (admin, 2026-01-02)
PAN-OS 10.2.4 (admin, 2026-01-02)
Last updated: 2026-01-02 by admin