Focus

Informational System Log Messages

Table of Contents

Informational System Log Messages

E-Log

Log Tags:

audit

Event ID	Description
api	<cmd>
cli	<cmd>
cli	<config command>
api	<config command>
gnmi	<config command>
gui-op	<config command>

auth

Event ID	Description
cas-message	(profile id:<id>)<message>
auth-fail	Time clock does not match that on KDC server at '<name>' (code: <id>)
auth-fail	User '<name>' does not exist on KDC server '<name>' (code: <id>)
auth-fail	Wrong realm: '<name>' (code: <id>)
auth-fail	Username and password do not match, preauth failed (code: <id>)
	Kerberos error: <error> (code: <id>)
auth-fail	When authenticating user "<name>", KDC Spoofing attack is detected by krb5_verify_init_creds() (krb5 error code: <id>)
auth-success	Admin <name> account has been restored - lockout timer expired.
user-password-change-success	When authenticating user '<name>' <remotehost>, a less secure authentication method <proto> is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile '<name>', vsys '<name>', Server Profile '<name>', Server Address '<ip>'
auth-fail	Certificate validation failed for user '<name>'. <error>
auth-success	Certificate validated for user '<user>'. <error> auth profile '<name>', vsys '<id>', reply message '<msg>' From: <name>.
user-password-change-success	Kerberos SSO authenticated for user '<name>'. realm '<name>', EAP outer identity '<name>, inner identity '<name>', auth profile '<name>', vsys '<id>', server profile '<name>', server address '<addr>', admin role '<name>', access domain '<name>', reply message '<msg>' From: <name>.
auth-success	Kerberos SSO authenticated for user '<name>'. realm '<name>', EAP outer identity '<name>, inner identity '<name>', auth profile '<name>', vsys '<id>', server profile '<name>', server address '<addr>', admin role '<name>', access domain '<name>', reply message '<msg>' From: <name>.
user-password-change-success	SAML SSO authenticated for user '<name>'. realm '<name>', EAP outer identity '<name>, inner identity '<name>', auth profile '<name>', vsys '<id>', server profile '<name>', server address '<addr>', admin role '<name>', access domain '<name>', reply message '<msg>' From: <name>.
auth-success	SAML SSO authenticated for user '<name>'. realm '<name>', EAP outer identity '<name>, inner identity '<name>', auth profile '<name>', vsys '<id>', server profile '<name>', server address '<addr>', admin role '<name>', access domain '<name>', reply message '<msg>' From: <name>.
user-password-change-success	CAS SSO authenticated for user '<name>'. realm '<name>', EAP outer identity '<name>, inner identity '<name>', auth profile '<name>', vsys '<id>', server profile '<name>', server address '<addr>', admin role '<name>', access domain '<name>', reply message '<msg>' From: <name>.
auth-success	CAS SSO authenticated for user '<name>'. realm '<name>', EAP outer identity '<name>, inner identity '<name>', auth profile '<name>', vsys '<id>', server profile '<name>', server address '<addr>', admin role '<name>', access domain '<name>', reply message '<msg>' From: <name>.
user-password-change-success	authenticated for user '<name>'. realm '<name>', EAP outer identity '<name>, inner identity '<name>', auth profile '<name>', vsys '<id>', server profile '<name>', server address '<addr>', admin role '<name>', access domain '<name>', reply message '<msg>' From: <name>.
auth-success	authenticated for user '<name>'. realm '<name>', EAP outer identity '<name>, inner identity '<name>', auth profile '<name>', vsys '<id>', server profile '<name>', server address '<addr>', admin role '<name>', access domain '<name>', reply message '<msg>' From: <name>.
cas-client-redirect	Client '<name>' redirected to '<url>' with auth_session_id '<id>'
cas-token-received	Received CAS token from client '<name>' from '<url>' with auth_session_id '<id>'
cas-token-parse-error	Failed to parse CAS token from client '<host>' from '<url>' with auth_session_id '<id>' : <message>
cas-token-validated	Validated CAS token from client '<name>' from '<url>' with auth_session_id '<id>' and username '<name>'
cas-mfa-info	MFA info from client '<name>' from '<url>' with auth_session_id '<id>' and username '<name>' : <info>
saml-client-redirect	Client '<name>' redirected to '<url>' for authentication profile '<profile>'
saml-idp-activity	Received SAML Assertion from '<name>' from client '<name>'
saml-signature-validated	SAML Assertion: signature is validated against IdP certificate (subject '<name>') for user '<name>'
idp-initiated-log-out-success	SAML Single Log out initiated for user '<name>' from '<name>', Auth profile: '<name>', Virtual System: '<name>', Server profile: '<name>', IdP entityID: '<id>'
sp-initiated-log-out-success	SAML Single Log out initiated for user '<name>' from '<name>', Auth profile: '<name>', Virtual System: '<name>', Server profile: '<name>', IdP entityID: '<id>'
auth-fail	Server certificate: '<name>' is invalid, its name does not match the host name '<name>'
auth-fail	Server certificate: '<name>' is invalid for server '<name>': <error>

bfd

Event ID	Description
session-state-change	BFD state changed to <name> for BFD session <name> to neighbor <name> on interface <name>. Protocol: <name>

clusterd

Event ID	Description
cluster-cfg-mode	Cluster node mode is changed.
cluster-config-p1-success	Cluster daemon configuration load phase-1 succeeded.
cluster-config-p1-abort	Cluster daemon configuration load phase-1 aborted.
cluster-config-p2-success	Cluster daemon configuration load phase-2 succeeded.
cluster-self-join	Local node joined cluster:
cluster-service-ready	Cluster service is ready.
cluster-service-up	Cluster service up:
cluster-split-brain-enter	Cluster enters split-brain mode.
cluster-split-brain-leave	Cluster left split-brain mode.
cluster-engine-start	Cluster engine will be started for:
cluster-daemon-start	Cluster daemon is ready.
cluster-daemon-exit	Cluster daemon has exited.
cluster-daemon-init	Cluster daemon is initializing.

ddns

Event ID	Description
ddns-remove	Interface <name> DDNS config for host <host> to <label> removed. Please manually remove from DDNS service provider.

debug

Event ID	Description
packet-diag-log	Packet-diag logging has been enabled
packet-diag-log	Packet-diag logging has been disabled

dhcp

Event ID	Description
if-update-ok	DHCP <desc>: interface <name>, dhcp server: <name>
if-release-trigger	DHCP <name>: interface <name>, ip <ip> netmask <mask> dhcp server: <name>
if-renew-trigger	DHCP <name>: interface <name>, ip <ip> netmask <mask> dhcp server: <name>
if-update-fail	DHCP client could not clear IP address on interface:<name> due to: Error in updating interface/route table
if-update-fail	DHCP client could not obtain IP address on interface:<name> due to: Error in updating interface/route table
if-update-fail	DHCP client could not obtain IP address on interface:<name> due to: Error in updating interface/route table after HA sync from peer
if-release-trigger	<dhcp_log_event>
if-renew-trigger	<dhcp_log_event>
if-update-ok	<dhcp_log_event>
if-rcv-nak	<dhcp_log_event>
if-duplicate-ip-intf	<dhcp_log_event>
if-duplicate-ip-remote	<dhcp_log_event>
if-update-fail	DHCP client could not obtain IP address on interface:<name> due to: Error in updating interface/route table
if-update-fail	DHCP client could not clear IP address on interface:<name> due to: Error in updating interface/route table
relay-on	DHCP relay on
relay6-on	DHCPv6 relay on
lease-end	DHCP lease ended
lease-start	DHCP lease started
server-auto-probe-off	DHCP server auto-probe finished
server-auto-probe-on	DHCP server auto-probe finished
server-on	DHCP server auto-probe finished
if-inherit	DHCP server on interface: <name> inherited following values from dynamic interface: <name>: <server>
if-update-fail	DHCP client could not obtain IP address on interface index:<num> due to: Error in updating interface/route table

dns-security

Event ID	Description
PAN_ELOG_EVENT_DNSSEC_CACHE_SUCCESS	DNS signature initialization from file storage successful.

dnsproxy

Event ID	Description
if-add	Interface <name> added to DNS proxy object:<obj>
if-del	Interface <name> deleted from DNS proxy object:<obj>
if-inherit	DNS Proxy object: <name> inherited following values from dynamic interface: <name>: Primary DNS: <name> Secondary DNS: <name>
cache-cleared	All DNS Proxy cache entries were cleared
object-enable	Dnsproxy object:<name> was enabled.
object-enable	Dnsproxy object:<name> was disabled.

dynamic-updates

Event ID	Description
palo-alto-networks-message	<message>

fips

Event ID	Description
fips-selftest	FIPS Mode Self-test <description> ..... failed
fips-selftest	FIPS-CC Mode Self-test <description> ..... failed
fips-selftest	FIPS Mode Enabled Successfully

general

Event ID	Description
general	Retrieved CRL from "<name>" with crl_next_update = <name>
general	Slot s<num>: Application Pod '<namespace> : <name>:<interface>' using interfaces eth<num< and eth<num>
general	Slot s<num>: Application Pod '<namespace> : <name>:<interface>' releasing interfaces eth<num< and eth<num>
general	Machine Learning engine for <name> started
general	Reconnect to MLAV cloud, enable all machine Learning engines
general	<type> job was successfully reverted. Completion time=<time>. JobId=<id>. User: <name>
wf-real-time-enabled	WildFire Real-time feature enabled
general	Evtmgr: Client=<id>[<devid>] msg=<msg> code=<num> socket <num>
general	Request made to <name> server is successful

Event ID	Description
fan-removed	Fan Tray #<num> removed
fan-inserted	Fan Tray #<num> inserted
ps-inserted	Power Supply #<num> inserted
Thermal Failure	I2C Failure: Forcing the fan controler to run at maximum speed.\n"Setting the node [force] to pan_true\n
Thermal Failure	I2C connection restored. Forcing fans to revert their normal speed.\n"Setting the node [force] to pan_false\n
Thermal Failure	I2C connection restored. Forcing fans to revert their normal speed.\n"Setting the node [force] to pan_false\n
slot-up	Slot <id> (<model>) detects Session Distribution Policy is no longer ingress-slot. Enabling DPC.
bootstrap-success	Bootstrap successfully completed "sw-version: <version>; app-version: <version>; threat-version: <version>
bootstrap-media-prep-success	<username>: Successfully prepared USB using bundle <file>

ipv6nd

Event ID	Description
duplicated-IPv6-address-found	IPv6 address <address> on interface <name> is duplicate.

lacp

Event ID	Description
lacp-up	LACP interface <name> moved into AE-group <name>.

lldp

Event ID	Description
mib changed	Update: LLDP Update: Sent update for TLV <name> on local interface: <index>
mib changed	Update: Received change on local interface <name>

monitoring

Event ID	Description
deviating-device	Deviating device: <name>, Serial: <serial>, Object: <name> <nest>, Metric: <name>, Value: <value>

N/A

Event ID	Description
N/A	Create audit logs
N/A	test file

nat

Event ID	Description
fqdn-add	Vsys <id> NAT rule <name> FQDN <key> add IP entry <ip>
fqdn-del	Vsys <id> NAT rule <name> FQDN <key> delete IP entry <ip>

ntpd

Event ID	Description
sync	NTP sync to server <address>
time-learn	NTP time learnt from <time>; New time is: <time> and old time was <time>
restart	NTP restart synchronization performed
time-learn	NTP time learnt; New time is: <time>

panorama-check

Event ID	Description
panorama-check-test	JobId=<id>: <message>
panorama-check-skip	JobId=<id>: Skipping connection checks for <name>/<name> since the IP was changed.
panorama-check-skip	JobId=<id>: Skipping connection check for <name> since the panorama is not actively connected.
panorama-check-auto-revert	<type> job was successfully reverted. Completion time=<time>. JobId=<id>. User: <name>

pbf

Event ID	Description
nh-up	Vsys <id> PBF rule <name> nexthop is UP
nh-down	Vsys <id> PBF rule <name> nexthop is DOWN
nh-down	Vsys <id> PBF rule <name> is Bypassed
nh-up	Vsys <id> PBF rule <name> is Normal
pbf-fqdn-change	Vsys <id> PBF rule <name> nexthop FQDN <key> IPv4 is changed "from <ip> to <ip>
pbf-fqdn-change	Vsys <id> PBF rule <name> nexthop FQDN <key> IPv6 is changed "from <ip> to <ip>

port

Event ID	Description
link-change	Port HSCI: Up <type> duplex
link-change	Port HSCI: Down <type> duplex
link-change	Port HA1-b: Up <type> duplex
link-change	Port HA1-b: Down <type> duplex
link-change	Port HA2: Up <type> duplex
link-change	Port HA2: Down <type> duplex
sdwan-link-change	Port <port>: Up <type> duplex
link-change	Port <port>: Down <type> duplex
sdwan-link-change	ethernet<num>/<num>: Up <type> duplex
link-change	ethernet<num>/<num>: Down <type> duplex
sdwan-link-change	Port <port>: MAC Up
link-change	Port <port>: MAC Down
nonsupp-forced	ethernet<num>/<num>: trying to force mode <type> not supported, using autoneg
link-change	Port MGT: Up <type>
link-change	Port <interface>: Up <type>
link-change	Port <interface>: Down <type>

pppoe

Event ID	Description
connect-fail	PPPoE session failed to connect for user:<name> on interface:<name>. Reason: <reason>
connect	PPPoE session was connected for user:<name> on interface:<name> to AC:<name>, mac address: <mac>, session id:<id>, IP Address negotiated: <ip>
if-update-fail	PPPoE session connected for user:<name> on interface:<name> but updating interface/routing table failed.
connect-fail	PPPoE session failed to connect for user:<name> on interface:<name>. Reason: No PPPoE Offer received
initiate	PPPoE session was initiated for user:<name> on interface:<name>
connect-fail	PPPoE session failed to connect for user:<name> on interface:<name>. Reason: No PPPoE Confirm received
terminate	PPPoE session was terminated for user:<name> on interface:<name> to AC:<name>, mac address: <mac>, session id:<id>
terminate	PPPoE session was terminated for user:<name> on interface:<name> to AC:<name>, mac address: <mac>, session id:<id>

ras

Event ID	Description
rasmgr-config-p1-success	RASMGR daemon configuration load phase-1 succeeded.
rasmgr-config-p1-abort	RASMGR daemon configuration load phase-1 aborted.
rasmgr-config-p2-success	RASMGR daemon configuration load phase-2 succeeded.
rasmgr-ha-full-sync-done	RASMGR daemon sync all user info to HA peer exit.
rasmgr-ha-full-sync-done	RASMGR daemon sync all user info to HA peer exit.
rasmgr-flow-full-sync-start	RASMGR daemon sync all user info to Flow started.
rasmgr-daemon-exit	RASMGR daemon has exited.
rasmgr-daemon-init	RASMGR daemon is initializing.
rasmgr-daemon-start	RASMGR daemon is ready.

resctrl

Event ID	Description
mem-usage-normal	Memory usage is normal

routing

Event ID	Description
routed-OSPF-stop-helper-mode	OSPF stopped helper mode for a restarting neighbor. Restarting neighbor router ID <name> neighbor IP address <ip>. Reason: <reason>
routed-ECMP	ECMP maximum path changed to <num> in virtual router <name>.
routed-ECMP	ECMP enabled in virtual router <name>.
routed-ECMP	ECMP disabled in virtual router <name>.
routed-config-p1-success	Route daemon configuration load phase-1 succeeded.
routed-config-p2-success	Route daemon configuration load phase-2 succeeded.
routed-static-fqdn-changed	Routed static fqdn mapping is changed
routed-bgp-fqdn-changed	Routed BGP fqdn mapping is changed
routed-ECMP	ECMP maximum path changed to <num> in logical router <name>.
routed-ECMP	ECMP enabled in logical router <name>.
routed-ECMP	ECMP disabled in logical router <name>.
routed-ECMP	ECMP load balancing algorithm changed to <name> in logical router <name>.
routed-ECMP	ECMP symmetric return enabled in logical router <name>.
routed-ECMP	ECMP symmetric return disabled in logical router <name>.
routed-ECMP	ECMP strict source path enabled in logical router <name>.
routed-ECMP	ECMP strict source path disabled in logical router <name>.
routed-fib-sync-peer-backup	FIB HA sync started when peer device becomes passive.
routed-fib-sync-self-master	FIB HA sync started when local device becomes master.
routed-fib-sync-peer-backup	FIB HA sync started when peer device becomes passive.
routed-fib-sync-self-master	FIB HA sync started when local device becomes master.
routed-daemon-init	Route daemon is initializing.
routed-daemon-start	Route daemon is ready.
routed-daemon-exit	Route daemon has exited.
routed-BGP-refresh-sent	ROUTE REFRESH message sent to a BGP peer.
routed-BGP-ribin-recalc	An RIB-In is being recalculated as a result of changed import policy.
routed-BGP-peer-enter-established	BGP peer session enters established state.
routed-BGP-peer-mp-extension-negotiate	BGP peer MP extension negotiation.
routed-IGMP-wrong-version	Wrong IGMP query version
routed-OSPF-neighbor-full	OSPF full adjacency established with neighbor.
routed-OSPF-neighbor-2dir	OSPF two-way communication established with neighbor.
routed-OSPF-neighbor-full	OSPF full adjacency established with neighbor.
routed-OSPF-start-graceful-restart	OSPF started graceful restart.
routed-OSPF-stopped-graceful-restart	OSPF stopped graceful restart.
routed-OSPF-start-helper_node	OSPF started helper mode for a restarting neighbor.
routed-OSPF-not-help	OSPF did not help a restarting neighbor.
routed-OSPF-start-graceful-restart	OSPF started graceful restart.
routed-PIM-new-dr-elected	PIM elected a new DR
routed-PIM-neighbor-discovered	PIM discovered a new neighbor
routed-PIM-neighbor-disappeared	PIM neighbor disappeared
routed-RIP-peer-add	RIP peer discovered.

satd

Event ID	Description
satd-config-p1-success	SATD daemon configuration load phase-1 succeeded.
satd-config-p1-abort	SATD daemon configuration load phase-1 aborted.
satd-config-p2-success	SATD daemon configuration load phase-2 succeeded.
satd-portal-connect-started	GlobalProtect Satellite connection to portal started.
satd-gateway-connect-started	GlobalProtect Satellite connection to gateway started.
satd-flow-full-sync-start	SATD daemon sync all gateway infos to Flow started.
satd-ha-full-sync-done	SATD daemon sync all gateway infos to HA peer exit.
satd-daemon-init	SATD daemon is initializing.
satd-daemon-start	SATD daemon is ready.
satd-daemon-exit	SATD daemon has exited.

sched-push

Event ID	Description
sched-skip	Push schedule <name> skipped on passive panorama
sched-exec	Push schedule <name> kicked in. <num> jobs scheduled. Jobids: <ids>

sdwan

Event ID	Description
sdwan-vif-status-up	<vif> start with state UP. FW is Active
sdwan-vif-status-up	<vif> start with state UP. FW is Non-Active
sdwan-vif-status-up	<vif> is up
sdwan-vif-status-down	<vif> is down

ssh

Event ID	Description
ssh-default-hostkey-changed	Default MGMT SSH host key set to ECDSA key of length <length>.
ssh-default-hostkey-changed	Default MGMT SSH host key set to RSA key of length <length>
ssh-default-hostkey-changed	Default MGMT SSH host key set to all.
ssh-default-hostkey-changed	Default HA SSH host key set to ECDSA key of length <length>.
ssh-default-hostkey-changed	Default HA SSH host key set to RSA key of length <length>.
ssh-default-hostkey-changed	Error occurred while setting default host key for HA of type ECDSA and of length <length>
ssh-default-hostkey-changed	Error occurred while setting default host key for MGMT of type ECDSA and of length <length>
ssh-default-hostkey-changed	Error occurred while setting default host key for HA of type RSA and of length <length>
ssh-default-hostkey-changed	Error occurred while setting default host key for MGMT of type RSA and of length <length>
ssh-hostkey-regenerated	SSH host key for HA of type ECDSA and of length <num> generated
ssh-hostkey-regenerated	SSH host key for MGMT of type ECDSA and of length <num> generated
ssh-hostkey-regenerated	SSH host key for HA of type RSA and of length <num> generated
ssh-hostkey-regenerated	SSH host key for MGMT of type RSA and of length <num> generated
ssh-session-rekey-params-changed	New Rekeying parameters for MGMT SSH set.
ssh-session-rekey-params-changed	New Rekeying parameters for HA SSH set.
ssh-session-rekey-params-changed	Error occurred while setting rekeying parameters for MGMT SSH.
ssh-session-rekey-params-changed	Error occurred while setting rekeying parameters for HA SSH.
ssh-ciphers-changed	Ciphers set to default for MGMT SSH.
ssh-ciphers-changed	Ciphers set to default for HA SSH.
ssh-ciphers-changed	Error occurred while setting ciphers for MGMT SSH.
ssh-ciphers-changed	Error occurred while setting ciphers for HA SSH.
ssh-macs-changed	Macs set to default for MGMT SSH.
ssh-macs-changed	Macs set to default for HA SSH.
ssh-macs-changed	Error occurred while setting macs for MGMT SSH.
ssh-macs-changed	Error occurred while setting macs for HA SSH.
ssh-kexs-changed	Kexs set to default for MGMT SSH.
ssh-kexs-changed	Kexs set to default for HA SSH.
ssh-kexs-changed	Error occurred while setting kexs for MGMT SSH.
ssh-kexs-changed	Error occurred while setting kexs for HA SSH.

sslmgr

Event ID	Description
ca-session-establishment-success	Destination address <addr>, Destination port <num>, Source address <addr>, Source port <num>
ca-session-establishment-failed	Failed to get CRL %s
ca-session-establishment-failed	Key Usage cRLSign check failed for CRL <name>
ca-session-establishment-success	"Successfully get CRL <name>
ca-session-establishment-success	CRL request to <name> succeeded
ca-session-establishment-success	OCSP request to "<host>" succeeded. \nDestination address: <addr>, Destination port: <port>, Source address: <addr>, Source port <port> \n
ca-session-establishment-failed	OCSP request to "<host>" failed. \nDestination address: <addr>, Destination port: <port>, Source address: <addr>, Source port <port> \n
ca-session-establishment-failed	<open_ssl_error>
sslmgr-ha-not-full-sync	SSLMGR daemon not sync to HA peer.
sslmgr-ha-not-full-sync	SSLMGR daemon not sync to HA peer.
sslmgr-ha-not-full-sync	SSLMGR daemon not sync to HA peer.
sslmgr-cert-ocsp-verify-failed	SSLMGR certificate ocsp verification failed.
sslmgr-config-p1-success	SSLMGR daemon configuration load phase-1 succeeded.
sslmgr-config-p2-success	SSLMGR daemon configuration load phase-2 succeeded.
sslmgr-daemon-start	SSLMGR daemon is ready.
sslmgr-satellite-info-deleted	SSLMGR satellite info deleted
sslmgr-cert-status-deleted	SSLMGR certificate status deleted.
sslmgr-cert-status-revoked	SSLMGR certificate status revoked.
sslmgr-satellite-info-deleted	SSLMGR satellite info deleted
sslmgr-cert-status-revoked	SSLMGR certificate status revoked.
sslmgr-scep-ca-cert-failed	SSLMGR import SCEP CA certificate failed.
sslmgr-scep-cert-failed	SSLMGR generate SCEP certificate failed.
sslmgr-scep-cert-failed	SSLMGR generate SCEP certificate failed.
sslmgr-scep-cert-failed	SSLMGR generate SCEP certificate failed.
sslmgr-satellite-info-updated	SSLMGR satellite info updated
sslmgr-cert-gen-failed	SSLMGR generate certificate failed.
sslmgr-ha-full-sync	SSLMGR daemon sync to HA peer.
sslmgr-ha-full-sync	SSLMGR daemon sync to HA peer.
sslmgr-ha-full-sync	SSLMGR daemon sync to HA peer.
ca-session-establishment-success	Destination address <addr>, Destination port <port>, Source address <addr>, Source port <port>

syslog

Event ID	Description
syslog-conn-status	<syslog-ng message>

tls

Event ID	Description
panos-auth-success	<name> Server CN: <name> - [<name>] Connection Successfully established.
tls-session-disconnected	Device <name> disconnected from the server
panorama-auth-success	<reason> PAN-OS ver: <version> Panorama ver:<version> Client IP: <ip> Server IP: <ip> Client CN: <name>
panorama-auth-success	<reason> WildFire ver: <version> Panorama ver:<version> Client IP: <ip> Server IP: <ip> Client CN: <name>
certificate-renewal	Client Certificate expiry is under 30 days. Fetch a new certificate from the scep server

url-filtering

Event ID	Description
failed-to-lock-update	Failed to lock URL database update process! Maybe another instance is running.
download-url-database-success	Brightcloud URL database was downloaded successfully
revert-url-database-success	URL filtering database was reverted from version <ver> to version <ver>
url-database-is-latest	URL filtering database version <ver> is already the latest version
failed-to-lock-download	Failed to lock URL database update process. Another instance may be running.
download-url-database-success	PAN-DB was downloaded successfully
load-success	Intial PAN-DB activated successfully
failed-to-lock-download	PAN-DB download: Failed.
downloading-url-database	Downloading full BrightCloud URL database. This can take a long while.
downloading-url-database	Downloading full BrightCloud URL database. This can take a long while.
proxy-connection-failure	Failed to connect to proxy server. "Please check if proxy user name and password are "correct.
receive-data-failure	Cannot receive data from '<server>:<port>' to download BrightCloud URL database
proxy-connection-failure	Failed to connect to proxy server. "Please check if proxy user name and password are correct.
proxy-connection-failure	Cannot connect to proxy server '<server>:<port>' to download BrightCloud URL database
proxy-connection-failure	Cannot connect to proxy server '<server>:<port>' to download BrightCloud URL database
connection-success	Connected to Brightcloud update server <name>
cloud-election	CLOUD ELECTION: <name> IP: <ip> was elected, measured alive test <num>.
url-engine-stopped	PAN-DB engine stopped.
url-engine-starts	PAN-DB engine started.
url-engine-stopped	URL filtering engine stopped...
ha-sync-failure	Failed to sync the URL with HA peer.
starts-from-empty-seed	Starting with an empty SEED.
starts-from-backup-seed	Starting with backup seed.
starts-from-empty-seed	Starting with an empty SEED.
ha-sync-success	Successfully synced PAN-DB to peer.
ha-sync-success	PAN-DB sync with HA started at <seconds>.
url-backup-seed-success	Backup of PAN-DB finished successfully.
upgrade-url-database-success	PAN-DB was upgraded to version <version>.
ha-sync-success	URL vendor matches and is set to 'PAN-DB'.
ha-sync-failure	Not synching file to peer because mode is not Active-Passive (<mode>).
ha-sync-failure	No synching file to peer because local state is not Active (<mode>).
ha-sync-failure	Not accepting file from peer local state is not Passive (<mode>).
ha-sync-failure	No synching file to peer because peer state is not Passive (<mode>).

userid

Event ID	Description
connect-agent	Redistribution Agent <name>(vsys<id>): connected to <host>, status <status>, version <num>
connect-client	CMS Redistribution Client is connected to global collector: <devid> vsys <id>
connect-client	Redistribution Client is connected to collector <name>: <client>, vsys <id>
connect-ldap-sever	ldap cfg <name> connected to server <server>
connect-ldap-sever	ldap cfg <name> connected to server <server>
connect-agent	<agent> <name>(vsys<id>): connected to <name>, status <status>, version <version>
connect-client	User-ID Client is connected to collector <name>: "IP <ip> port <num> vsys <num>
disconnect-client	User-ID Client is disconnected from collector <name>: "IP <ip> port <num> vsys_id <num>
disconnect-client	User-ID Client is disconnected from collector <name>: "IP <ip> port <num> vsys_id <num>
connect-client	User-ID Client is connected to collector <name>:<conn_id> vsys_id <id>
disconnect-client	User-ID Client is disconnected from collector <name>:<conn_id> vsys_id <id>
connect-agent	<agent_desc> <name>(vsys<id>): connected to <name>, version <id>
agent-read-log-error	<name> failed <num> time(s)
agent-get-domain-error	<name> please check pan-agent log file for actual incorrect DC IP address(es)
agent-get-groups-error	<name> failed <num> time(s)
agent-get-config-error	<name> failed <num> time(s)
agent-get-users-error	<name> failed <num> time(s)
agent-no-domain	<name> failed <num> time(s)
disconnect-syslog	User-ID Syslog Proxy: Client <name>: disconnected <addr>
connect-syslog	User-ID Syslog Proxy: Client <name>(vsys<id>): connected <addr>
disconnect-syslog	User-ID Syslog Proxy: Client <name>: disconnected <addr>
disconnect-syslog	User-ID Syslog Proxy: Client <name>: disconnected <addr>
connect-agent	Pan-TS-Agent <name> disconnected: IP <ip> port <num> vsys<num>
disconnect-agent	PAN-Agent <name> disconnected: IP <ip> port <num> vsys<id>
agent-status-failure	Failed to get status <num> times, connection may be down or protocol mismatch between device and pan-agent
disconnect-agent	User-ID-Agent <name> disconnected: IP <ip> port <num> vsys<id>
disconnect-agent	User-ID-Agent <name> disconnected: <conn_str> vsys<id>
agent-event	User-ID-Agent <name> event: <type>, name <name>, status <status>, vsys<id>
agent-status-failure	Failed to get status <num> times, connection may be down or protocol mismatch between device and pan-agent
connect-server-monitor	Please change server monitor(<name>) Transport Protocol from WMI to WinRM for better performance
connect-server-monitor	User-ID server monitor <name>(vsys<id>): connected to <host>
connect-server-monitor	Server monitor <name>(vsys<id>) is connected
connect-vm-info-source	vm-info-source <name>(vsys<id>): Connected to <host>, status <status>
connect-vm-info-source	vm-info-source <name>(vsys<id>): Connected to <host>, status <status>
connect-vm-info-source	vm-info-source <name>(vsys<id>): connected to <host>, status <status>, version <version>
disconnect-vm-info-source	vm-info-source <name>(vsys<id>): disconnected to <host>, status <status>, version <version>

Event ID	Description
dvf-init-succeed	VMware dvfilter init succeeded

vpn

Event ID	Description
vpnctl-ike-rekey-event	[<name>]: <davici_name>:<value,
vpnctl-child-updown-event	[<name>]: <davici_name>:<value,
vpnctl-child-rekey-event	[<name>]: <davici_name>:<value,
vpnctl-ike-updown-event	connction failed, peer <remote_host>, retry <conn_try>
keymgr-daemon-init	KEYMGR daemon is initializing.
keymgr-daemon-start	KEYMGR daemon is ready.
keymgr-daemon-exit	KEYMGR daemon has exited.
keymgr-flow-full-sync-done	KEYMGR sync all IPSec SA to Flow exit.
ike-fqdn-change	IKE fqdn mapping is changed
ike-config-p1-success	IKE daemon configuration load phase-1 succeeded.
ike-config-p1-abort	IKE daemon configuration load phase-1 aborted.
ike-config-p2-success	IKE daemon configuration load phase-2 succeeded.
ike-nego-p1-fail-psk	IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.
ike-nego-p1-fail-psk	IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.
ike-nego-p1-fail-common	IKE phase-1 negotiation is failed_COMM
ike-nego-p1-fail-common	IKE phase-1 negotiation is failed_COMM
ike-nego-p1-fail-common	IKE phase-1 negotiation is failed_COMM
ikev2-nego-child-ts-bad	IKEv2 child SA negotiation failed when processing traffic selector.
ikev2-nego-child-ts-bad	IKEv2 child SA negotiation failed when processing traffic selector.
ikev2-send-p1-delete	IKEv2 IKE SA delete message sent to peer.
ike-nego-p1-fail-common	IKE phase-1 negotiation is failed_COMM
ikev2-nego-use-v1	IKEv1 is used in IKEv2 preferred mode.
ike-nego-p2-stale-p1	Deleting a possible stale phase-1 SA.
ike-nego-p1-start	IKE phase-1 negotiation is started
ike-nego-p1-fail	IKE phase-1 negotiation is failed
ike-nego-p1-succ	IKE phase-1 negotiation is succeeded
ike-nego-p1-delete	IKE phase-1 SA is deleted
ike-nego-p1-expire	IKE phase-1 SA is expired
ike-nego-p2-start	IKE phase-2 negotiation is started
ike-nego-p2-fail	IKE phase-2 negotiation is failed
ike-nego-p2-succ	IKE phase-2 negotiation is succeeded
ipsec-key-install	IPSec key installed.
ipsec-key-delete	IPSec key deleted.
ipsec-key-expire	IPSec key lifetime expired.
ike-nego-p2-proxy-id-bad	IKE phase-2 negotiation failed when processing proxy ID.
ike-nego-p2-proxy-id-bad	IKE phase-2 negotiation failed when processing proxy ID.
ike-nego-p2-no-p1	IKE phase-2 negotiation request received but no phase-1 SA is found.
ike-nego-p2-p1-not-ready	IKE phase-2 negotiation request received but no active phase-1 SA is available.
ike-nego-p2-proposal-bad	IKE phase-2 negotiation failed when processing SA payload.
ike-nego-p1-fail-common	IKE phase-1 negotiation is failed_COMM
ike-nego-p1-psk-idtype	IKE phase-1 negotiation is failed. When pre-shared key is used
ike-nego-p1-fail-psk	IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.
ike-nego-p1-fail-psk	IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.
ike-recv-notify	IKE protocol notification message received:
ike-recv-p1-delete	IKE protocol phase-1 SA delete message received from peer.
ike-recv-p2-delete	IKE protocol IPSec SA delete message received from peer.
ike-send-p1-delete	IKE protocol phase-1 SA delete message sent to peer.
ike-send-p2-delete	IKE protocol IPSec SA delete message sent to peer.
ike-send-notify	IKE protocol notification message sent:
ike-send-notify	IKE protocol notification message sent:
ike-send-notify	IKE protocol notification message sent:
ike-nego-p2-dup-rekey	duplicate phase-2 rekey request detected
ike-nego-p1-cert-succ	IKE certificate authentication succeeded.
ike-nego-p1-fail-psk	IKE phase-1 negotiation is failed likely due to pre-shared key mismatch.
ikev2-nego-cert-succ	IKEv2 certificate authentication succeeded.
ikev2-nego-fail-psk	IKEv2 SA negotiation is failed likely due to pre-shared key mismatch.
ikev2-send-p2-delete	IKEv2 IPSec SA delete message sent to peer.
ikev2-nego-child-fail	IKEv2 child SA negotiation is failed
ikev2-nego-child-fail	IKEv2 child SA negotiation is failed
ikev2-nego-child-fail	IKEv2 child SA negotiation is failed
ikev2-nego-child-fail	IKEv2 child SA negotiation is failed
ikev2-nego-stale-p2	Deleting a possible stale IKEv2 child SA.
ikev2-nego-fail-common	IKEv2 SA negotiation is failed.
ike-recv-notify	IKE protocol notification message received:
ikev2-recv-p1-delete	IKEv2 IKE SA delete message received from peer.
ikev2-recv-p2-delete	IKEv2 IPSec SA delete message received from peer.
ikev2-nego-ike-fail	IKEv2 IKE SA negotiation is failed
ikev2-nego-ike-start	IKEv2 IKE SA negotiation is started
ikev2-nego-ike-fail	IKEv2 IKE SA negotiation is failed
ikev2-nego-ike-succ	IKEv2 IKE SA negotiation is succeeded
ikev2-nego-ike-delete	IKEv2 IKE SA is deleted
ikev2-nego-ike-expire	IKEv2 IKE SA is expired
ikev2-nego-child-start	IKEv2 child SA negotiation is started
ikev2-nego-child-fail	IKEv2 child SA negotiation is failed
ikev2-nego-child-succ	IKEv2 child SA negotiation is succeeded
ipsec-key-install	IPSec key installed.
ipsec-key-delete	IPSec key deleted.
ipsec-key-expire	IPSec key lifetime expired.
ikev2-nego-use-v1	IKEv1 is used in IKEv2 preferred mode.
ike-daemon-init	IKE daemon is initializing.
ike-daemon-start	IKE daemon is ready.
ike-daemon-exit	IKE daemon has exited.

wildfire

Event ID	Description
wildfire-no-policy	WildFire <name> channel disabled. No active WildFire analysis profile to <name> channel.
wildfire-auth-failed	Failed to verify SSL peer's certificate with the certificate authority

wildfire-appliance

Event ID	Description
cluster-mode-change	Cluster mode changed to stand_alone
cluster-mode-change	Cluster mode changed to controller
cluster-mode-change	Cluster mode changed to worker
cluster-mode-change	Cluster mode changed to unknown
cluster-engine-role	Cluster engine started as controller.

Slog

Fan Tray is missing, system will power down in <num> seconds if not replaced.
<entry> is not present on startup
Freeing slot <id>, uid <id> with Force
Freeing slot <id>, uid <id> with Non-force
Get registration with uid <id> sw_ver <version> slot <id> dp_ip <ip>
Allocated slot %d for uid <uid> <id>
Device certificate expires in 15 or less days
Successfully fetched device certificate from Palo Alto Networks
Logd failed to send disconnect to configd for (<id>)
Logd blocking customerid (<id>)
Logd Unblocking customerid (<id>)
Logd failed to send disconnect to configd for (<name>)]
Trigger AddrObjRefresh commit for group-mapping
Purged mongdb data size (<num> recs) to bring "data size below limit <num>
GlobalProtect data file version <version> downloaded from peer device
Name resolution takes too long disable name lookup for report <name>
Name resolution takes too long disable name for the report <name>
The primary user attribute has been changed in one of the group-mapping configuration
Captive Portal Client certificate validation failed from <host>. no certificate.
Captive Portal Client certificate validation failed from <host<. Certificate does not belong to the Cert Profile chain
Captive Portal Client certificate verification for OSCP/CRL failed from <host>.
Captive Portal Client certificate is not yet active from <host>.
Captive Portal Client certificate has expired from <host>.
Captive Portal client certificate authentication successful from <host>
<type> authentication succeeded for user: <name> on <host> vsys<id>
<type> renew from session cookie for user: <user> on <addr> vsys<id>
<type> NTLM authentication failed for user: <user> on <addr> vsys<id>
<type> NTLM authentication succeeded for user: <user> on <addr> vsys<id>
<type> authentication failed (INVALID) for user: <user> on <ip> vsys<id>
<type> authentication failed for user: <name> on <ip> vsys<id>
<type> authentication succeeded for user: <name> on <ip> vsys<id>
Logd received error response code from http service (<num>) msg size <num> customerid <id> logtype <name> num_rec <num>
Logdb downgrade started on <serial> slot <id>.
Logdb downgrade completed on <serial> slot <id> in <num> days <num> hours <num> minutes <num> secs.
Logdb Migration started on <serial> slot <num>
Logdb Migration paused on <serial> slot <num>.
Logdb Migration abandoned on <serial> slot <id>.
Logdb Migration completed on <serial> slot <id>.
Test email sent to <name> successfully for email profile <name>
Client certificate verification for OSCP/CRL failed from <host>.
Client certificate authentication successful from <host>.
Client certificate validation failed from <host>. No https is detected.
Client certificate validation failed from <host>. No https is detected.
Create system logs
Create custom system logs
Cluster member <id>, <name> successfully updated for <name> and push enqueued with jobid <id>
Cluster member <id>, <name> successfully deleted for <name> and push enqueued with jobid <id>
successfully connect to %s:%s:%d
Failed connect to %s:%s:%d
dsc service is started
Identity client received malformed policy recommendation.
Identity client received policy recommendation error: %v.
Identity client received %v policy recommendation.
Identity client failed to get policy recommendation.
Icd HA state is changed from %d to %d
Icd HA better state is changed from %d to %d
failed to retrieve source address with error %d"
iot-eal service is started
icd service is started
gRPC connection to %s is broken, error: %v
gRPC connection to %s is established, %s -> %s
"gRPC connection to %s is broken, error: %s"
Cloud Appid feature is disabled
Cloud Appid feature is enabled
Cloud Appid %s task[%d] completed, new cloud version: %s, %s",
Cloud Appid %s task[%d] failed: %v
Cloud App: %s data lost some files, %d -> %d
Cloud App: check and restore %s data, type %d.

Syslog Severity Reference

Low Severity System Log Messages