Palo Alto Networks WildFire Submission Log
Records files the firewall forwarded to the WildFire cloud-based malware analysis service, together with the returned verdict (benign, grayware, malware, phishing), the file hash, and related threat intelligence data
Quick Facts
Default Path (Linux): Syslog receiver (e.g., /var/log/paloalto/wildfire.log)
Default Path (Docker): /var/log/pan/wildfire.log
Default Format: CSV (Comma-Separated Values)
JSON Native: No
Rotation: Configurable via syslog server or Panorama retention policies
Log Example
Default format: CSV Format (Syslog)
Example Log Entry:
1,2026/01/02 14:30:45,007654321012,WILDFIRE,wildfire,2560,2026/01/02 14:30:45,192.168.1.100,203.0.113.50,0.0.0.0,0.0.0.0,Malware-Analysis,corp\jsmith,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-Logs,2026/01/02 14:30:45,12345,1,54321,443,0,0,0x400000,tcp,alert,suspicious-file.exe,any,malware,client-to-server,987654321,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,application/x-msdownload,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,malware,high,Trojan.Gen.2,PE32 executable,1048576,wildfire.paloaltonetworks.com,PA-3260
Structure:
Comma-separated values with file submission details and verdicts. The entry above is the abridged 49-column layout this page documents and that the parsing patterns below target. On a PAN-OS firewall the WildFire Submissions log is a Threat log subtype: the Type column carries THREAT with subtype wildfire, and the full syslog record has many more positional columns than shown here. Validate any parser against the WildFire Submissions Log Fields reference for the PAN-OS version in use before trusting field positions.
Paths by Platform
Syslog Server
/var/log/paloalto/wildfire.log
Available Formats
CSV Format (Syslog)
Default
Example: the Log Example entry above.
Structure:
Comma-separated values with file submission details and verdicts
CEF Format
Example:
CEF:0|Palo Alto Networks|PAN-OS|11.0.0|WILDFIRE|wildfire|8|src=192.168.1.100 dst=203.0.113.50 app=web-browsing cs1=Malware-Analysis cs1Label=Rule fileHash=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 fname=suspicious-file.exe cs2=malware cs2Label=Verdict
Structure:
Common Event Format for SIEM integration. Extension values taken from the sample (fname in particular) must have backslash, equals sign and line breaks escaped as the CEF specification requires, otherwise a crafted filename can inject extra key=value pairs into the event.
Fields Reference
| Field | Type | Description | Example |
|---|---|---|---|
| receive_time | datetime | Time the log was received at the management plane (firewall clock) | 2026/01/02 14:30:45 |
| serial | string | Serial number of the firewall that generated the log | 007654321012 |
| type | string | Log type column. This page's abridged example uses WILDFIRE; on a PAN-OS firewall the WildFire Submissions log is a Threat log subtype and this column reads THREAT, so select records on subtype rather than type | WILDFIRE |
| subtype | string | Subtype identifying a WildFire submission record (always wildfire) | wildfire |
| time_generated | datetime | Time the log was generated on the dataplane (firewall clock) | 2026/01/02 14:30:45 |
| src | ip | IP address of the client side of the session (sender or receiver of the file, see direction) | 192.168.1.100 |
| dst | ip | IP address of the server the file was retrieved from | 203.0.113.50 |
| srcuser | string | Username associated with the session (User-ID) | corp\jsmith |
| sessionid | integer | Session identifier; join key to the session's traffic log | 12345 |
| action | string | Action the policy took on the file. alert means the file was delivered and analysed out of band, so a later malware verdict is retroactive and the receiving host must be followed up | alert |
| filename | string | Name of the submitted file (attacker-controlled text; treat as untrusted when rendering or re-serialising) | suspicious-file.exe |
| direction | string | Direction of the file transfer relative to the client | client-to-server |
| filehash | string | SHA-256 hash of the submitted file, 64 lowercase hex characters; pivot key for hunting across hosts and for retrieving the WildFire report | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| verdict | string | WildFire analysis verdict: benign, grayware, malware or phishing | malware |
| severity | string | Severity level derived from the verdict | high |
| malware_name | string | Name/family of the detected malware (empty for benign samples) | Trojan.Gen.2 |
| filetype | string | Type of file analyzed | PE32 executable |
| filesize | integer (bytes) | Size of the submitted file in bytes | 1048576 |
| content_type | string | MIME type of the file as seen on the wire | application/x-msdownload |
| app | string | Application used to transfer the file | web-browsing |
| from | string | Source security zone | trust |
| to | string | Destination security zone | untrust |
| rule | string | Name of the security policy rule that matched | Malware-Analysis |
| reportid | string | Identifier of the WildFire analysis report in the WildFire cloud | 987654321 |
| cloud | string | WildFire cloud the sample was sent to | wildfire.paloaltonetworks.com |
| device_name | string | Hostname of the firewall | PA-3260 |
Parsing Patterns
Both patterns below are positional: every column up to device_name is matched explicitly, because a lazy .*? skip in the middle of a CSV line does not pin the position of the later fields and silently returns wrong captures (the original regex, for instance, captured ethernet1/2 as the filename). Values such as filename can contain commas (PAN-OS wraps such values in double quotes), so where a CSV parser that honours quoting is available it is preferable to a regex; the regex below only tolerates a double-quoted filename.
Grok Patterns
PAN-OS timestamps use slashes (2026/01/02 14:30:45), which the stock TIMESTAMP_ISO8601 pattern does not match, so a custom pattern is defined first. The last field uses GREEDYDATA because a trailing DATA matches the empty string.
custom pattern:
PAN_TIMESTAMP %{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME}
csv:
%{INT:future_use1},%{PAN_TIMESTAMP:receive_time},%{DATA:serial},%{WORD:type},%{WORD:subtype},%{INT:future_use2},%{PAN_TIMESTAMP:time_generated},%{IP:src},%{IP:dst},%{IP:natsrc},%{IP:natdst},%{DATA:rule},%{DATA:srcuser},%{DATA:dstuser},%{DATA:app},%{DATA:vsys},%{DATA:from},%{DATA:to},%{DATA:inbound_if},%{DATA:outbound_if},%{DATA:log_action},%{PAN_TIMESTAMP:time_logged},%{INT:sessionid},%{INT:repeatcnt},%{INT:sport},%{INT:dport},%{INT:natsport},%{INT:natdport},%{DATA:flags},%{WORD:proto},%{DATA:action},%{DATA:filename},%{DATA:category},%{DATA:verdict},%{DATA:direction},%{DATA:reportid},%{DATA:actionflags},%{DATA:src_location},%{DATA:dst_location},%{DATA:future_use3},%{DATA:content_type},(?<filehash>[a-f0-9]{64}),%{DATA:future_use4},%{DATA:severity},%{DATA:malware_name},%{DATA:filetype},%{INT:filesize},%{DATA:cloud},%{GREEDYDATA:device_name}
Regular Expressions
Anchored at the start of the CSV body; strip any syslog header (PRI, timestamp, hostname) before applying it. The type group accepts THREAT as well as the WILDFIRE used in this page's example.
csv:
^(?P<future_use1>\d+),(?P<receive_time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),(?P<serial>[^,]+),(?P<type>THREAT|WILDFIRE),(?P<subtype>wildfire),(?P<future_use2>\d+),(?P<time_generated>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),(?P<src>[^,]+),(?P<dst>[^,]+),(?P<natsrc>[^,]+),(?P<natdst>[^,]+),(?P<rule>[^,]*),(?P<srcuser>[^,]*),(?P<dstuser>[^,]*),(?P<app>[^,]+),(?P<vsys>[^,]+),(?P<from>[^,]+),(?P<to>[^,]+),(?P<inbound_if>[^,]*),(?P<outbound_if>[^,]*),(?P<log_action>[^,]*),(?P<time_logged>[^,]*),(?P<sessionid>\d+),(?P<repeatcnt>\d+),(?P<sport>\d+),(?P<dport>\d+),(?P<natsport>\d+),(?P<natdport>\d+),(?P<flags>[^,]*),(?P<proto>[^,]+),(?P<action>[^,]+),(?P<filename>"[^"]*"|[^,]*),(?P<category>[^,]*),(?P<verdict>[^,]+),(?P<direction>[^,]+),(?P<reportid>[^,]*),(?P<actionflags>[^,]*),(?P<src_location>[^,]*),(?P<dst_location>[^,]*),(?P<future_use3>[^,]*),(?P<content_type>[^,]*),(?P<filehash>[a-f0-9]{64}),(?P<future_use4>[^,]*),(?P<severity>[^,]+),(?P<malware_name>[^,]*),(?P<filetype>[^,]*),(?P<filesize>\d+),(?P<cloud>[^,]+),(?P<device_name>[^,]+)$
Collector Configurations
Splunk (props.conf)
# Splunk TA for Palo Alto Networks WildFire
[pan:wildfire]
TIME_FORMAT = %Y/%m/%d %H:%M:%S
TIME_PREFIX = ^[^,]*,
MAX_TIMESTAMP_LOOKAHEAD = 44
SHOULD_LINEMERGE = false
TRUNCATE = 8192

# Search for malware verdicts
index=pan_logs sourcetype="pan:wildfire" verdict="malware"
| stats count by src, srcuser, filename, filehash, malware_name, severity
The pan:wildfire stanza name follows this page's layout. The Splunk TA routes PAN-OS syslog to its own sourcetypes by the Type column (THREAT for WildFire submissions on a real firewall), so confirm which sourcetype your TA version assigns these records and which field name it extracts for the verdict before relying on the search above.
Configuration
Enable Logging
Enable WildFire analysis and logging. On current PAN-OS (including the 10.2 and 11.1 releases listed under Tested On) files are forwarded to WildFire by a WildFire Analysis profile attached to a Security policy rule; the File Blocking profile has no forward action. The profile decides which applications, file types and directions are submitted, and the per-file-type size limit decides which samples are not sent at all.
# CLI commands to enable WildFire
configure
# Upload size limit in MB is set per file type (pe shown; pdf, ms-office, apk and the others have their own)
set deviceconfig setting wildfire file-size-limit pe 10
set deviceconfig setting wildfire report-grayware-file yes
set profiles wildfire-analysis <profile> rules <rule> application any file-type any direction both analysis public-cloud
set rulebase security rules <security-rule> profile-setting profiles wildfire-analysis <profile>
commit
Log To Syslog
Configure WildFire log forwarding to syslog. A Log Forwarding profile with a wildfire match list must name the syslog server profile (send-syslog) and be attached to the Security policy rule; send-to-panorama alone delivers nothing to the syslog server.
# Configure syslog server profile and forward wildfire logs to it
set shared log-settings syslog <syslog-profile> server <server-name> server <ip-address> transport UDP port 514 format BSD facility LOG_USER
set shared log-settings profiles <log-fwd-profile> match-list <entry> log-type wildfire
set shared log-settings profiles <log-fwd-profile> match-list <entry> filter "All Logs"
set shared log-settings profiles <log-fwd-profile> match-list <entry> send-syslog <syslog-profile>
set shared log-settings profiles <log-fwd-profile> match-list <entry> send-to-panorama yes
set rulebase security rules <security-rule> log-setting <log-fwd-profile>
commit
Use Cases
WildFire submission monitoring
Track file submissions and analysis completion rates
Fields: filename, verdict, filetype, filesize
Query: GROUP BY verdict | STATS count
Analysis latency tracking
Monitor WildFire analysis response times
Fields: receive_time, verdict, cloud
Both receive_time and time_generated are set by the firewall, not by the cloud; to measure the interval between the file transfer and the verdict, join to the session's traffic log on sessionid.
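The parser and the two use cases above, as an added example that is not from this page or from Palo Alto Networks. It reads records in the 49-column abridged layout documented here with the csv module (so a double-quoted filename containing a comma stays one field), keys on subtype rather than the Type column, rejects malformed records, counts verdicts, lists host/user pairs that received a file later judged malware or phishing, and re-serialises a record to the page's CEF layout with escaping. Assumptions: the names given to the columns the page's grok leaves unnamed (future_use3, future_use4, repeatcnt, natsport, natdport), the BLOCK_ACTIONS set used to decide whether a file reached the host, the CEF severity mapping, and sample lines 2 to 4, which are constructed for this example (line 1 is the page's own entry).

```python
import csv
import re
from collections import Counter, defaultdict

# Positional names for the page's 49-column layout (same names as the page's grok pattern;
# columns the grok leaves unnamed are called future_use3/4, repeatcnt, natsport, natdport here).
COLUMNS = [
    "future_use1", "receive_time", "serial", "type", "subtype", "future_use2",
    "time_generated", "src", "dst", "natsrc", "natdst", "rule", "srcuser", "dstuser",
    "app", "vsys", "from", "to", "inbound_if", "outbound_if", "log_action", "time_logged",
    "sessionid", "repeatcnt", "sport", "dport", "natsport", "natdport", "flags", "proto",
    "action", "filename", "category", "verdict", "direction", "reportid", "actionflags",
    "src_location", "dst_location", "future_use3", "content_type", "filehash",
    "future_use4", "severity", "malware_name", "filetype", "filesize", "cloud", "device_name",
]
# Locates the CSV body so a BSD syslog header ("<14>Jan  2 14:31:10 PA-3260 ") may precede it.
BODY_START = re.compile(r"\d+,\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2},")
SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")
BAD_VERDICTS = {"malware", "phishing"}  # grayware handling is a policy decision
# Assumption: actions that stop delivery; any other action means the file reached the host.
BLOCK_ACTIONS = {"block", "deny", "drop", "reset-client", "reset-server", "reset-both"}
# Assumption: severity word to CEF 0-10 value; the page's CEF example maps high to 8.
CEF_SEVERITY = {"critical": 10, "high": 8, "medium": 5, "low": 3, "informational": 1}


def parse_line(line):
    """Return a dict for one WildFire submission record, or raise ValueError."""
    m = BODY_START.search(line)
    if not m:
        raise ValueError("no PAN-OS CSV body found")
    # csv.reader honours double-quoted fields, so "report,final.pdf" stays one column;
    # a naive split(",") would shift every later field, hash and verdict included.
    row = next(csv.reader([line[m.start():].rstrip("\r\n")]))
    if len(row) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(row)}")
    rec = dict(zip(COLUMNS, row))
    # Key on subtype: PAN-OS writes THREAT in the type column for WildFire submissions,
    # the page's abridged example writes WILDFIRE; both carry subtype wildfire.
    if rec["subtype"] != "wildfire":
        raise ValueError(f"not a wildfire record: {rec['type']}/{rec['subtype']}")
    if not SHA256_HEX.match(rec["filehash"]):
        raise ValueError("filehash is not 64 lowercase hex characters")
    rec["filesize"] = int(rec["filesize"])
    return rec


def parse_lines(lines):
    """Parse many lines; returns (records, number_rejected)."""
    records, rejected = [], 0
    for line in lines:
        try:
            records.append(parse_line(line))
        except ValueError:
            rejected += 1
    return records, rejected


def verdict_counts(records):
    """Use case 1: submissions per verdict."""
    return dict(Counter(r["verdict"] for r in records))


def delivered_threats(records):
    """Bad verdicts on files the policy did not block: the verdict came back after the
    file was delivered, so each (host, user) returned here needs follow-up. The hash is
    kept per hit so the same sample can be hunted on other hosts."""
    hits = defaultdict(list)
    for r in records:
        if r["verdict"] in BAD_VERDICTS and r["action"] not in BLOCK_ACTIONS:
            hits[(r["src"], r["srcuser"])].append(
                {"filehash": r["filehash"], "filename": r["filename"],
                 "verdict": r["verdict"], "reportid": r["reportid"]})
    return dict(hits)


def _cef_header(value):
    return value.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(value):
    # Backslash first, then the characters that would otherwise start a new key or line.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(rec, pan_os_version="11.0.0"):
    """Emit the page's CEF layout; the user-controlled filename is escaped so a crafted
    name such as 'x.exe cs2=benign' cannot smuggle extra key=value pairs into the event."""
    header = "|".join(["CEF:0", "Palo Alto Networks", "PAN-OS", pan_os_version,
                       _cef_header(rec["type"]), _cef_header(rec["subtype"]),
                       str(CEF_SEVERITY.get(rec["severity"], 1))])
    ext = [("src", rec["src"]), ("dst", rec["dst"]), ("app", rec["app"]),
           ("cs1", rec["rule"]), ("cs1Label", "Rule"), ("fileHash", rec["filehash"]),
           ("fname", rec["filename"]), ("cs2", rec["verdict"]), ("cs2Label", "Verdict")]
    return header + "|" + " ".join(f"{k}={_cef_ext(v)}" for k, v in ext)


# Constructed sample input. Line 1 is the page's own example; lines 2-4 are made up here:
# a BSD-syslog-prefixed THREAT/wildfire benign record with a quoted filename, a phishing
# record with '=' in the filename, and a traffic record that must be rejected.
SAMPLE_LINES = [
    r'1,2026/01/02 14:30:45,007654321012,WILDFIRE,wildfire,2560,2026/01/02 14:30:45,192.168.1.100,203.0.113.50,0.0.0.0,0.0.0.0,Malware-Analysis,corp\jsmith,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-Logs,2026/01/02 14:30:45,12345,1,54321,443,0,0,0x400000,tcp,alert,suspicious-file.exe,any,malware,client-to-server,987654321,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,application/x-msdownload,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,malware,high,Trojan.Gen.2,PE32 executable,1048576,wildfire.paloaltonetworks.com,PA-3260',
    r'<14>Jan  2 14:31:10 PA-3260 1,2026/01/02 14:31:10,007654321012,THREAT,wildfire,2560,2026/01/02 14:31:10,192.168.1.101,198.51.100.20,0.0.0.0,0.0.0.0,Malware-Analysis,corp\agarcia,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-Logs,2026/01/02 14:31:10,12346,1,50001,443,0,0,0x400000,tcp,alert,"report,final.pdf",any,benign,client-to-server,987654322,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,application/pdf,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,benign,informational,,PDF document,204800,wildfire.paloaltonetworks.com,PA-3260',
    r'1,2026/01/02 14:31:40,007654321012,THREAT,wildfire,2560,2026/01/02 14:31:40,192.168.1.102,198.51.100.77,0.0.0.0,0.0.0.0,Malware-Analysis,corp\jsmith,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-Logs,2026/01/02 14:31:40,12347,1,50002,80,0,0,0x400000,tcp,alert,invoice=2026.html,any,phishing,client-to-server,987654323,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,text/html,deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef,phishing,high,,HTML document,18432,wildfire.paloaltonetworks.com,PA-3260',
    r'1,2026/01/02 14:32:00,007654321012,TRAFFIC,end,2560,2026/01/02 14:32:00,192.168.1.100,203.0.113.50',
]

if __name__ == "__main__":
    recs, bad = parse_lines(SAMPLE_LINES)
    print(f"parsed {len(recs)} records, rejected {bad}")
    print(verdict_counts(recs))
    for (host, user), files in delivered_threats(recs).items():
        print(host, user, [f["filehash"][:12] for f in files])
    print(to_cef(recs[0]))
```

delivered_threats deliberately keys on the host and user rather than on the hash: the same user pulling the same sample on two hosts is two containment actions, and the hash is carried along for the cross-host hunt. For the page's own entry to_cef reproduces the CEF line shown under Available Formats character for character, which is a quick regression check when the column map is changed.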
Troubleshooting
Tested On
PAN-OS v11.1.0 (admin, 2026-01-02)
PAN-OS v10.2.4 (admin, 2026-01-02)
Last updated: 2026-01-02 by admin