Syslog Field Descriptions
Where Can I Use This?
  • NGFW (Managed by PAN-OS or Panorama)
What Do I Need?
  • Support license
  • (Panorama) Device management license
Palo Alto Networks firewalls can forward various log types to an external server, with each type containing a set of standard fields. These logs are formatted as a comma-separated value (CSV) string, where a comma acts as the delimiter. This formatting facilitates parsing for syslog ingestion. The standard fields for each log type—such as Traffic, Threat, URL, WildFire, and System logs—are designed to provide detailed event information. Fields tagged with FUTURE_USE are currently reserved and are not useful for immediate syslog analysis.
Log Severity Levels
Each log is assigned a severity level to indicate the urgency and importance of the event. These levels range from Critical, for events that require immediate attention, to Informational, for general, low-priority logs. Other levels include High, Medium, and Low, each signifying a different degree of concern. These levels are crucial for prioritizing event investigation and response.
Custom Formats and Escape Sequences
For specialized log forwarding, firewalls support custom formats, allowing administrators to select and arrange specific fields. To prevent misinterpretation of commas within a field, escape sequences are used. For example, a backslash (\) can be used to escape a comma, ensuring it's treated as part of the data rather than a delimiter. These features provide flexibility and ensure data integrity during syslog ingestion and analysis.
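The three points above (comma-delimited fields, backslash-escaped commas inside a field, and the Critical-to-Informational severity scale) are easy to get wrong in an ingestion pipeline: a naive `split(",")` silently shifts every column after the first embedded comma. The following is an added example, not Palo Alto Networks code; the shortened field layout, the sample log lines and the `FUTURE_USE` placement are constructed for illustration and do not reproduce the real Traffic or Threat field list. It assumes only what the page states: the backslash escapes the character that follows it, and columns tagged `FUTURE_USE` carry nothing worth keeping.

```python
"""Parse PAN-OS-style CSV syslog lines with backslash-escaped commas and rank
events by severity. Added example; field names and sample lines are constructed."""
from typing import Dict, List

# Severity scale from the page: Critical is most urgent, Informational least.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "informational": 4}

# Constructed, shortened field layout (assumption; not the real PAN-OS layout).
FIELDS = ["receive_time", "serial", "type", "subtype", "FUTURE_USE", "severity", "description"]

# Constructed sample lines. The second one carries an escaped comma ("\,") in
# its description, exactly the case the escape sequence exists for.
SAMPLE_LINES = [
    "2024/01/01 10:00:01,0001,SYSTEM,general,0,informational,Config commit succeeded",
    "2024/01/01 10:00:02,0001,THREAT,vulnerability,0,critical,Exploit attempt\\, blocked by profile",
    "2024/01/01 10:00:03,0001,THREAT,url,0,medium,Category changed to malware",
]


def naive_field_count(line: str) -> int:
    """What a plain split sees: an embedded comma yields one extra column."""
    return len(line.split(","))


def split_escaped_csv(line: str) -> List[str]:
    """Split on commas, treating a backslash as escaping the next character."""
    fields: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in line:
        if escaped:
            buf.append(ch)        # keep the escaped character literally ("\," -> ",")
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        buf.append("\\")          # trailing lone backslash: keep it rather than drop data
    fields.append("".join(buf))
    return fields


def parse_log(line: str) -> Dict[str, str]:
    """Map columns to names, dropping FUTURE_USE columns; refuse a shifted line."""
    values = split_escaped_csv(line)
    if len(values) != len(FIELDS):
        raise ValueError(
            f"expected {len(FIELDS)} fields, got {len(values)}: "
            "unescaped comma or wrong custom format?"
        )
    return {name: val for name, val in zip(FIELDS, values) if name != "FUTURE_USE"}


def sort_by_severity(lines: List[str]) -> List[Dict[str, str]]:
    """Order parsed records Critical first; unknown severities sort last."""
    records = [parse_log(ln) for ln in lines]
    return sorted(
        records,
        key=lambda r: SEVERITY_RANK.get(r["severity"].lower(), len(SEVERITY_RANK)),
    )


if __name__ == "__main__":
    print("naive column count for escaped line:", naive_field_count(SAMPLE_LINES[1]))
    for rec in sort_by_severity(SAMPLE_LINES):
        print(rec["severity"].upper(), rec["type"], rec["subtype"], "-", rec["description"])
```

The field-count check in `parse_log` is the detection that matters operationally: a line whose column count does not match the expected layout is either a sender using a different custom format or an unescaped comma, and either way every field after the first bad one is misattributed, so rejecting the line is safer than storing shifted data.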
WildFire Submissions logs are a subtype of Threat log and use the same syslog format.