Skip to main content

Palo Alto Networks

The Palo Alto Networks Matano managed log source lets you ingest your Palo Alto Networks Firewall logs. It supports parsing logs in the Palo Alto Networks PAN-OS Syslog Format.


Use the managed log source by specifying the managed.type property in your log_source as PANW.

name: panw

type: PANW

Then create tables for each of the Palo Alto Networks logs you want to ingest. For example, if you want to ingest PANW Traffic logs, as well as GlobalProtect logs, create table files like so:

└── log_sources/
└── panw/
└── log_source.yml
└── tables/
└── traffic.yml
└── globalprotect.yml
└── ...
# log_sources/panw/tables/traffic.yml
name: traffic
# log_sources/panw/tables/globalprotect.yml
name: globalprotect

For a complete reference on configuring log sources, including extending the table schema, see Log source configuration.


The Palo Alto Networks managed log source supports the following tables:

  • traffic
  • globalprotect


Palo Alto Networks Firewall log data is normalized to ECS fields. You can view the complete mappings to see the full schemas.