Informational System Log Messages
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Informational System Log Messages
E-Log
Log Tags:
- audit
- auth
- bfd
- clusterd
- ddns
- debug
- dhcp
- dns-security
- dnsproxy
- dynamic-updates
- fips
- general
- hw
- ipv6nd
- lacp
- lldp
- monitoring
- nat
- ntpd
- panorama-check
- pbf
- port
- pppoe
- ras
- resctrl
- routing
- satd
- sched-push
- sdwan
- ssh
- sslmgr
- syslog
- tls
- url-filtering
- userid
- vm
- vpn
- wildfire
- wildfire-appliance
audit
Event ID | Description |
---|---|
api | <cmd> |
cli | <cmd> |
cli | <config command> |
api | <config command> |
gnmi | <config command> |
gui-op | <config command> |
auth
Event ID | Description |
---|---|
cas-message | (profile id:<id>)<message> |
auth-fail | Time clock does not match that on KDC server at '<name>' (code: <id>) |
auth-fail | User '<name>' does not exist on KDC server '<name>' (code: <id>) |
auth-fail | Wrong realm: '<name>' (code: <id>) |
auth-fail | Username and password do not match, preauth failed (code: <id>) |
Kerberos error: <error> (code: <id>) | |
auth-fail | When authenticating user "<name>", KDC Spoofing attack is detected by krb5_verify_init_creds() (krb5 error code: <id>) |
auth-success | Admin <name> account has been restored - lockout timer expired. |
user-password-change-success | When authenticating user '<name>' <remotehost>, a less secure authentication method <proto> is used. Please migrate to PEAP or EAP-TTLS. Authentication Profile '<name>', vsys '<name>', Server Profile '<name>', Server Address '<ip>' |
auth-fail | Certificate validation failed for user '<name>'. <error> |
auth-success | Certificate validated for user '<user>'. <error> auth profile '<name>', vsys '<id>', reply message '<msg>' From: <name>. |
user-password-change-success | Kerberos SSO authenticated for user '<name>'. realm '<name>', EAP outer identity '<name>, inner identity '<name>', auth profile '<name>', vsys '<id>', server profile '<name>', server address '<addr>', admin role '<name>', access domain '<name>', reply message '<msg>' From: <name>. |
auth-success | Kerberos SSO authenticated for user '<name>'. realm '<name>', EAP outer identity '<name>, inner identity '<name>', auth profile '<name>', vsys '<id>', server profile '<name>', server address '<addr>', admin role '<name>', access domain '<name>', reply message '<msg>' From: <name>. |
user-password-change-success | SAML SSO authenticated for user '<name>'. realm '<name>', EAP outer identity '<name>, inner identity '<name>', auth profile '<name>', vsys '<id>', server profile '<name>', server address '<addr>', admin role '<name>', access domain '<name>', reply message '<msg>' From: <name>. |
auth-success | SAML SSO authenticated for user '<name>'. realm '<name>', EAP outer identity '<name>, inner identity '<name>', auth profile '<name>', vsys '<id>', server profile '<name>', server address '<addr>', admin role '<name>', access domain '<name>', reply message '<msg>' From: <name>. |
user-password-change-success | CAS SSO authenticated for user '<name>'. realm '<name>', EAP outer identity '<name>, inner identity '<name>', auth profile '<name>', vsys '<id>', server profile '<name>', server address '<addr>', admin role '<name>', access domain '<name>', reply message '<msg>' From: <name>. |
auth-success | CAS SSO authenticated for user '<name>'. realm '<name>', EAP outer identity '<name>, inner identity '<name>', auth profile '<name>', vsys '<id>', server profile '<name>', server address '<addr>', admin role '<name>', access domain '<name>', reply message '<msg>' From: <name>. |
user-password-change-success | authenticated for user '<name>'. realm '<name>', EAP outer identity '<name>, inner identity '<name>', auth profile '<name>', vsys '<id>', server profile '<name>', server address '<addr>', admin role '<name>', access domain '<name>', reply message '<msg>' From: <name>. |
auth-success | authenticated for user '<name>'. realm '<name>', EAP outer identity '<name>, inner identity '<name>', auth profile '<name>', vsys '<id>', server profile '<name>', server address '<addr>', admin role '<name>', access domain '<name>', reply message '<msg>' From: <name>. |
cas-client-redirect | Client '<name>' redirected to '<url>' with auth_session_id '<id>' |
cas-token-received | Received CAS token from client '<name>' from '<url>' with auth_session_id '<id>' |
cas-token-parse-error | Failed to parse CAS token from client '<host>' from '<url>' with auth_session_id '<id>' : <message> |
cas-token-validated | Validated CAS token from client '<name>' from '<url>' with auth_session_id '<id>' and username '<name>' |
cas-mfa-info | MFA info from client '<name>' from '<url>' with auth_session_id '<id>' and username '<name>' : <info> |
saml-client-redirect | Client '<name>' redirected to '<url>' for authentication profile '<profile>' |
saml-idp-activity | Received SAML Assertion from '<name>' from client '<name>' |
saml-signature-validated | SAML Assertion: signature is validated against IdP certificate (subject '<name>') for user '<name>' |
idp-initiated-log-out-success | SAML Single Log out initiated for user '<name>' from '<name>', Auth profile: '<name>', Virtual System: '<name>', Server profile: '<name>', IdP entityID: '<id>' |
sp-initiated-log-out-success | SAML Single Log out initiated for user '<name>' from '<name>', Auth profile: '<name>', Virtual System: '<name>', Server profile: '<name>', IdP entityID: '<id>' |
auth-fail | Server certificate: '<name>' is invalid, its name does not match the host name '<name>' |
auth-fail | Server certificate: '<name>' is invalid for server '<name>': <error> |
bfd
Event ID | Description |
---|---|
session-state-change | BFD state changed to <name> for BFD session <name> to neighbor <name> on interface <name>. Protocol: <name> |
clusterd
Event ID | Description |
---|---|
cluster-cfg-mode | Cluster node mode is changed. |
cluster-config-p1-success | Cluster daemon configuration load phase-1 succeeded. |
cluster-config-p1-abort | Cluster daemon configuration load phase-1 aborted. |
cluster-config-p2-success | Cluster daemon configuration load phase-2 succeeded. |
cluster-self-join | Local node joined cluster: |
cluster-service-ready | Cluster service is ready. |
cluster-service-up | Cluster service up: |
cluster-split-brain-enter | Cluster enters split-brain mode. |
cluster-split-brain-leave | Cluster left split-brain mode. |
cluster-engine-start | Cluster engine will be started for: |
cluster-daemon-start | Cluster daemon is ready. |
cluster-daemon-exit | Cluster daemon has exited. |
cluster-daemon-init | Cluster daemon is initializing. |
ddns
Event ID | Description |
---|---|
ddns-remove | Interface <name> DDNS config for host <host> to <label> removed. Please manually remove from DDNS service provider. |
debug
Event ID | Description |
---|---|
packet-diag-log | Packet-diag logging has been enabled |
packet-diag-log | Packet-diag logging has been disabled |
dhcp
Event ID | Description |
---|---|
if-update-ok | DHCP <desc>: interface <name>, dhcp server: <name> |
if-release-trigger | DHCP <name>: interface <name>, ip <ip> netmask <mask> dhcp server: <name> |
if-renew-trigger | DHCP <name>: interface <name>, ip <ip> netmask <mask> dhcp server: <name> |
if-update-fail | DHCP client could not clear IP address on interface:<name> due to: Error in updating interface/route table |
if-update-fail | DHCP client could not obtain IP address on interface:<name> due to: Error in updating interface/route table |
if-update-fail | DHCP client could not obtain IP address on interface:<name> due to: Error in updating interface/route table after HA sync from peer |
if-release-trigger | <dhcp_log_event> |
if-renew-trigger | <dhcp_log_event> |
if-update-ok | <dhcp_log_event> |
if-rcv-nak | <dhcp_log_event> |
if-duplicate-ip-intf | <dhcp_log_event> |
if-duplicate-ip-remote | <dhcp_log_event> |
if-update-fail | DHCP client could not obtain IP address on interface:<name> due to: Error in updating interface/route table |
if-update-fail | DHCP client could not clear IP address on interface:<name> due to: Error in updating interface/route table |
relay-on | DHCP relay on |
relay6-on | DHCPv6 relay on |
lease-end | DHCP lease ended |
lease-start | DHCP lease started |
server-auto-probe-off | DHCP server auto-probe finished |
server-auto-probe-on | DHCP server auto-probe finished |
server-on | DHCP server auto-probe finished |
if-inherit | DHCP server on interface: <name> inherited following values from dynamic interface: <name>: <server> |
if-update-fail | DHCP client could not obtain IP address on interface index:<num> due to: Error in updating interface/route table |
dns-security
Event ID | Description |
---|---|
PAN_ELOG_EVENT_DNSSEC_CACHE_SUCCESS | DNS signature initialization from file storage successful. |
dnsproxy
Event ID | Description |
---|---|
if-add | Interface <name> added to DNS proxy object:<obj> |
if-del | Interface <name> deleted from DNS proxy object:<obj> |
if-inherit | DNS Proxy object: <name> inherited following values from dynamic interface: <name>: Primary DNS: <name> Secondary DNS: <name> |
cache-cleared | All DNS Proxy cache entries were cleared |
object-enable | Dnsproxy object:<name> was enabled. |
object-enable | Dnsproxy object:<name> was disabled. |
dynamic-updates
Event ID | Description |
---|---|
palo-alto-networks-message | <message> |
fips
Event ID | Description |
---|---|
fips-selftest | FIPS Mode Self-test <description> ..... failed |
fips-selftest | FIPS-CC Mode Self-test <description> ..... failed |
fips-selftest | FIPS Mode Enabled Successfully |
general
Event ID | Description |
---|---|
general | Retrieved CRL from "<name>" with crl_next_update = <name> |
general | Slot s<num>: Application Pod '<namespace> : <name>:<interface>' using interfaces eth<num< and eth<num> |
general | Slot s<num>: Application Pod '<namespace> : <name>:<interface>' releasing interfaces eth<num< and eth<num> |
general | Machine Learning engine for <name> started |
general | Reconnect to MLAV cloud, enable all machine Learning engines |
general | <type> job was successfully reverted. Completion time=<time>. JobId=<id>. User: <name> |
wf-real-time-enabled | WildFire Real-time feature enabled |
general | Evtmgr: Client=<id>[<devid>] msg=<msg> code=<num> socket <num> |
general | Request made to <name> server is successful |
hw
Event ID | Description |
---|---|
fan-removed | Fan Tray #<num> removed |
fan-inserted | Fan Tray #<num> inserted |
ps-inserted | Power Supply #<num> inserted |
Thermal Failure | I2C Failure: Forcing the fan controler to run at maximum speed.\n"Setting the node [force] to pan_true\n |
Thermal Failure | I2C connection restored. Forcing fans to revert their normal speed.\n"Setting the node [force] to pan_false\n |
Thermal Failure | I2C connection restored. Forcing fans to revert their normal speed.\n"Setting the node [force] to pan_false\n |
slot-up | Slot <id> (<model>) detects Session Distribution Policy is no longer ingress-slot. Enabling DPC. |
bootstrap-success | Bootstrap successfully completed "sw-version: <version>; app-version: <version>; threat-version: <version> |
bootstrap-media-prep-success | <username>: Successfully prepared USB using bundle <file> |
ipv6nd
Event ID | Description |
---|---|
duplicated-IPv6-address-found | IPv6 address <address> on interface <name> is duplicate. |
lacp
Event ID | Description |
---|---|
lacp-up | LACP interface <name> moved into AE-group <name>. |
lldp
Event ID | Description |
---|---|
mib changed | Update: LLDP Update: Sent update for TLV <name> on local interface: <index> |
mib changed | Update: Received change on local interface <name> |
monitoring
Event ID | Description |
---|---|
deviating-device | Deviating device: <name>, Serial: <serial>, Object: <name> <nest>, Metric: <name>, Value: <value> |
N/A
Event ID | Description |
---|---|
N/A | Create audit logs |
N/A | test file |
nat
Event ID | Description |
---|---|
fqdn-add | Vsys <id> NAT rule <name> FQDN <key> add IP entry <ip> |
fqdn-del | Vsys <id> NAT rule <name> FQDN <key> delete IP entry <ip> |
ntpd
Event ID | Description |
---|---|
sync | NTP sync to server <address> |
time-learn | NTP time learnt from <time>; New time is: <time> and old time was <time> |
restart | NTP restart synchronization performed |
time-learn | NTP time learnt; New time is: <time> |
panorama-check
Event ID | Description |
---|---|
panorama-check-test | JobId=<id>: <message> |
panorama-check-skip | JobId=<id>: Skipping connection checks for <name>/<name> since the IP was changed. |
panorama-check-skip | JobId=<id>: Skipping connection check for <name> since the panorama is not actively connected. |
panorama-check-auto-revert | <type> job was successfully reverted. Completion time=<time>. JobId=<id>. User: <name> |
pbf
Event ID | Description |
---|---|
nh-up | Vsys <id> PBF rule <name> nexthop is UP |
nh-down | Vsys <id> PBF rule <name> nexthop is DOWN |
nh-down | Vsys <id> PBF rule <name> is Bypassed |
nh-up | Vsys <id> PBF rule <name> is Normal |
pbf-fqdn-change | Vsys <id> PBF rule <name> nexthop FQDN <key> IPv4 is changed "from <ip> to <ip> |
pbf-fqdn-change | Vsys <id> PBF rule <name> nexthop FQDN <key> IPv6 is changed "from <ip> to <ip> |
port
Event ID | Description |
---|---|
link-change | Port HSCI: Up <type> duplex |
link-change | Port HSCI: Down <type> duplex |
link-change | Port HA1-b: Up <type> duplex |
link-change | Port HA1-b: Down <type> duplex |
link-change | Port HA2: Up <type> duplex |
link-change | Port HA2: Down <type> duplex |
sdwan-link-change | Port <port>: Up <type> duplex |
link-change | Port <port>: Down <type> duplex |
sdwan-link-change | ethernet<num>/<num>: Up <type> duplex |
link-change | ethernet<num>/<num>: Down <type> duplex |
sdwan-link-change | Port <port>: MAC Up |
link-change | Port <port>: MAC Down |
nonsupp-forced | ethernet<num>/<num>: trying to force mode <type> not supported, using autoneg |
link-change | Port MGT: Up <type> |
link-change | Port <interface>: Up <type> |
link-change | Port <interface>: Down <type> |
pppoe
Event ID | Description |
---|---|
connect-fail | PPPoE session failed to connect for user:<name> on interface:<name>. Reason: <reason> |
connect | PPPoE session was connected for user:<name> on interface:<name> to AC:<name>, mac address: <mac>, session id:<id>, IP Address negotiated: <ip> |
if-update-fail | PPPoE session connected for user:<name> on interface:<name> but updating interface/routing table failed. |
connect-fail | PPPoE session failed to connect for user:<name> on interface:<name>. Reason: No PPPoE Offer received |
initiate | PPPoE session was initiated for user:<name> on interface:<name> |
connect-fail | PPPoE session failed to connect for user:<name> on interface:<name>. Reason: No PPPoE Confirm received |
terminate | PPPoE session was terminated for user:<name> on interface:<name> to AC:<name>, mac address: <mac>, session id:<id> |
terminate | PPPoE session was terminated for user:<name> on interface:<name> to AC:<name>, mac address: <mac>, session id:<id> |
ras
Event ID | Description |
---|---|
rasmgr-config-p1-success | RASMGR daemon configuration load phase-1 succeeded. |
rasmgr-config-p1-abort | RASMGR daemon configuration load phase-1 aborted. |
rasmgr-config-p2-success | RASMGR daemon configuration load phase-2 succeeded. |
rasmgr-ha-full-sync-done | RASMGR daemon sync all user info to HA peer exit. |
rasmgr-ha-full-sync-done | RASMGR daemon sync all user info to HA peer exit. |
rasmgr-flow-full-sync-start | RASMGR daemon sync all user info to Flow started. |
rasmgr-daemon-exit | RASMGR daemon has exited. |
rasmgr-daemon-init | RASMGR daemon is initializing. |
rasmgr-daemon-start | RASMGR daemon is ready. |
resctrl
Event ID | Description |
---|---|
mem-usage-normal | Memory usage is normal |
routing
Event ID | Description |
---|---|
routed-OSPF-stop-helper-mode | OSPF stopped helper mode for a restarting neighbor. Restarting neighbor router ID <name> neighbor IP address <ip>. Reason: <reason> |
routed-ECMP | ECMP maximum path changed to <num> in virtual router <name>. |
routed-ECMP | ECMP enabled in virtual router <name>. |
routed-ECMP | ECMP disabled in virtual router <name>. |
routed-config-p1-success | Route daemon configuration load phase-1 succeeded. |
routed-config-p2-success | Route daemon configuration load phase-2 succeeded. |
routed-static-fqdn-changed | Routed static fqdn mapping is changed |
routed-bgp-fqdn-changed | Routed BGP fqdn mapping is changed |
routed-ECMP | ECMP maximum path changed to <num> in logical router <name>. |
routed-ECMP | ECMP enabled in logical router <name>. |
routed-ECMP | ECMP disabled in logical router <name>. |
routed-ECMP | ECMP load balancing algorithm changed to <name> in logical router <name>. |
routed-ECMP | ECMP symmetric return enabled in logical router <name>. |
routed-ECMP | ECMP symmetric return disabled in logical router <name>. |
routed-ECMP | ECMP strict source path enabled in logical router <name>. |
routed-ECMP | ECMP strict source path disabled in logical router <name>. |
routed-fib-sync-peer-backup | FIB HA sync started when peer device becomes passive. |
routed-fib-sync-self-master | FIB HA sync started when local device becomes master. |
routed-fib-sync-peer-backup | FIB HA sync started when peer device becomes passive. |
routed-fib-sync-self-master | FIB HA sync started when local device becomes master. |
routed-daemon-init | Route daemon is initializing. |
routed-daemon-start | Route daemon is ready. |
routed-daemon-exit | Route daemon has exited. |
routed-BGP-refresh-sent | ROUTE REFRESH message sent to a BGP peer. |
routed-BGP-ribin-recalc | An RIB-In is being recalculated as a result of changed import policy. |
routed-BGP-peer-enter-established | BGP peer session enters established state. |
routed-BGP-peer-mp-extension-negotiate | BGP peer MP extension negotiation. |
routed-IGMP-wrong-version | Wrong IGMP query version |
routed-OSPF-neighbor-full | OSPF full adjacency established with neighbor. |
routed-OSPF-neighbor-2dir | OSPF two-way communication established with neighbor. |
routed-OSPF-neighbor-full | OSPF full adjacency established with neighbor. |
routed-OSPF-start-graceful-restart | OSPF started graceful restart. |
routed-OSPF-stopped-graceful-restart | OSPF stopped graceful restart. |
routed-OSPF-start-helper_node | OSPF started helper mode for a restarting neighbor. |
routed-OSPF-not-help | OSPF did not help a restarting neighbor. |
routed-OSPF-start-graceful-restart | OSPF started graceful restart. |
routed-PIM-new-dr-elected | PIM elected a new DR |
routed-PIM-neighbor-discovered | PIM discovered a new neighbor |
routed-PIM-neighbor-disappeared | PIM neighbor disappeared |
routed-RIP-peer-add | RIP peer discovered. |
satd
Event ID | Description |
---|---|
satd-config-p1-success | SATD daemon configuration load phase-1 succeeded. |
satd-config-p1-abort | SATD daemon configuration load phase-1 aborted. |
satd-config-p2-success | SATD daemon configuration load phase-2 succeeded. |
satd-portal-connect-started | GlobalProtect Satellite connection to portal started. |
satd-gateway-connect-started | GlobalProtect Satellite connection to gateway started. |
satd-flow-full-sync-start | SATD daemon sync all gateway infos to Flow started. |
satd-ha-full-sync-done | SATD daemon sync all gateway infos to HA peer exit. |
satd-daemon-init | SATD daemon is initializing. |
satd-daemon-start | SATD daemon is ready. |
satd-daemon-exit | SATD daemon has exited. |
sched-push
Event ID | Description |
---|---|
sched-skip | Push schedule <name> skipped on passive panorama |
sched-exec | Push schedule <name> kicked in. <num> jobs scheduled. Jobids: <ids> |
sdwan
Event ID | Description |
---|---|
sdwan-vif-status-up | <vif> start with state UP. FW is Active |
sdwan-vif-status-up | <vif> start with state UP. FW is Non-Active |
sdwan-vif-status-up | <vif> is up |
sdwan-vif-status-down | <vif> is down |
ssh
Event ID | Description |
---|---|
ssh-default-hostkey-changed | Default MGMT SSH host key set to ECDSA key of length <length>. |
ssh-default-hostkey-changed | Default MGMT SSH host key set to RSA key of length <length> |
ssh-default-hostkey-changed | Default MGMT SSH host key set to all. |
ssh-default-hostkey-changed | Default HA SSH host key set to ECDSA key of length <length>. |
ssh-default-hostkey-changed | Default HA SSH host key set to RSA key of length <length>. |
ssh-default-hostkey-changed | Error occurred while setting default host key for HA of type ECDSA and of length <length> |
ssh-default-hostkey-changed | Error occurred while setting default host key for MGMT of type ECDSA and of length <length> |
ssh-default-hostkey-changed | Error occurred while setting default host key for HA of type RSA and of length <length> |
ssh-default-hostkey-changed | Error occurred while setting default host key for MGMT of type RSA and of length <length> |
ssh-hostkey-regenerated | SSH host key for HA of type ECDSA and of length <num> generated |
ssh-hostkey-regenerated | SSH host key for MGMT of type ECDSA and of length <num> generated |
ssh-hostkey-regenerated | SSH host key for HA of type RSA and of length <num> generated |
ssh-hostkey-regenerated | SSH host key for MGMT of type RSA and of length <num> generated |
ssh-session-rekey-params-changed | New Rekeying parameters for MGMT SSH set. |
ssh-session-rekey-params-changed | New Rekeying parameters for HA SSH set. |
ssh-session-rekey-params-changed | Error occurred while setting rekeying parameters for MGMT SSH. |
ssh-session-rekey-params-changed | Error occurred while setting rekeying parameters for HA SSH. |
ssh-ciphers-changed | Ciphers set to default for MGMT SSH. |
ssh-ciphers-changed | Ciphers set to default for HA SSH. |
ssh-ciphers-changed | Error occurred while setting ciphers for MGMT SSH. |
ssh-ciphers-changed | Error occurred while setting ciphers for HA SSH. |
ssh-macs-changed | Macs set to default for MGMT SSH. |
ssh-macs-changed | Macs set to default for HA SSH. |
ssh-macs-changed | Error occurred while setting macs for MGMT SSH. |
ssh-macs-changed | Error occurred while setting macs for HA SSH. |
ssh-kexs-changed | Kexs set to default for MGMT SSH. |
ssh-kexs-changed | Kexs set to default for HA SSH. |
ssh-kexs-changed | Error occurred while setting kexs for MGMT SSH. |
ssh-kexs-changed | Error occurred while setting kexs for HA SSH. |
sslmgr
Event ID | Description |
---|---|
ca-session-establishment-success | Destination address <addr>, Destination port <num>, Source address <addr>, Source port <num> |
ca-session-establishment-failed | Failed to get CRL %s |
ca-session-establishment-failed | Key Usage cRLSign check failed for CRL <name> |
ca-session-establishment-success | "Successfully get CRL <name> |
ca-session-establishment-success | CRL request to <name> succeeded |
ca-session-establishment-success | OCSP request to "<host>" succeeded. \nDestination address: <addr>, Destination port: <port>, Source address: <addr>, Source port <port> \n |
ca-session-establishment-failed | OCSP request to "<host>" failed. \nDestination address: <addr>, Destination port: <port>, Source address: <addr>, Source port <port> \n |
ca-session-establishment-failed | <open_ssl_error> |
sslmgr-ha-not-full-sync | SSLMGR daemon not sync to HA peer. |
sslmgr-ha-not-full-sync | SSLMGR daemon not sync to HA peer. |
sslmgr-ha-not-full-sync | SSLMGR daemon not sync to HA peer. |
sslmgr-cert-ocsp-verify-failed | SSLMGR certificate ocsp verification failed. |
sslmgr-config-p1-success | SSLMGR daemon configuration load phase-1 succeeded. |
sslmgr-config-p2-success | SSLMGR daemon configuration load phase-2 succeeded. |
sslmgr-daemon-start | SSLMGR daemon is ready. |
sslmgr-satellite-info-deleted | SSLMGR satellite info deleted |
sslmgr-cert-status-deleted | SSLMGR certificate status deleted. |
sslmgr-cert-status-revoked | SSLMGR certificate status revoked. |
sslmgr-satellite-info-deleted | SSLMGR satellite info deleted |
sslmgr-cert-status-revoked | SSLMGR certificate status revoked. |
sslmgr-scep-ca-cert-failed | SSLMGR import SCEP CA certificate failed. |
sslmgr-scep-cert-failed | SSLMGR generate SCEP certificate failed. |
sslmgr-scep-cert-failed | SSLMGR generate SCEP certificate failed. |
sslmgr-scep-cert-failed | SSLMGR generate SCEP certificate failed. |
sslmgr-satellite-info-updated | SSLMGR satellite info updated |
sslmgr-cert-gen-failed | SSLMGR generate certificate failed. |
sslmgr-ha-full-sync | SSLMGR daemon sync to HA peer. |
sslmgr-ha-full-sync | SSLMGR daemon sync to HA peer. |
sslmgr-ha-full-sync | SSLMGR daemon sync to HA peer. |
ca-session-establishment-success | Destination address <addr>, Destination port <port>, Source address <addr>, Source port <port> |
syslog
Event ID | Description |
---|---|
syslog-conn-status | <syslog-ng message> |
tls
Event ID | Description |
---|---|
panos-auth-success | <name> Server CN: <name> - [<name>] Connection Successfully established. |
tls-session-disconnected | Device <name> disconnected from the server |
panorama-auth-success | <reason> PAN-OS ver: <version> Panorama ver:<version> Client IP: <ip> Server IP: <ip> Client CN: <name> |
panorama-auth-success | <reason> WildFire ver: <version> Panorama ver:<version> Client IP: <ip> Server IP: <ip> Client CN: <name> |
certificate-renewal | Client Certificate expiry is under 30 days. Fetch a new certificate from the scep server |
url-filtering
Event ID | Description |
---|---|
failed-to-lock-update | Failed to lock URL database update process! Maybe another instance is running. |
download-url-database-success | Brightcloud URL database was downloaded successfully |
revert-url-database-success | URL filtering database was reverted from version <ver> to version <ver> |
url-database-is-latest | URL filtering database version <ver> is already the latest version |
failed-to-lock-download | Failed to lock URL database update process. Another instance may be running. |
download-url-database-success | PAN-DB was downloaded successfully |
load-success | Intial PAN-DB activated successfully |
failed-to-lock-download | PAN-DB download: Failed. |
downloading-url-database | Downloading full BrightCloud URL database. This can take a long while. |
downloading-url-database | Downloading full BrightCloud URL database. This can take a long while. |
proxy-connection-failure | Failed to connect to proxy server. "Please check if proxy user name and password are "correct. |
receive-data-failure | Cannot receive data from '<server>:<port>' to download BrightCloud URL database |
proxy-connection-failure | Failed to connect to proxy server. "Please check if proxy user name and password are correct. |
proxy-connection-failure | Cannot connect to proxy server '<server>:<port>' to download BrightCloud URL database |
proxy-connection-failure | Cannot connect to proxy server '<server>:<port>' to download BrightCloud URL database |
connection-success | Connected to Brightcloud update server <name> |
cloud-election | CLOUD ELECTION: <name> IP: <ip> was elected, measured alive test <num>. |
url-engine-stopped | PAN-DB engine stopped. |
url-engine-starts | PAN-DB engine started. |
url-engine-stopped | URL filtering engine stopped... |
ha-sync-failure | Failed to sync the URL with HA peer. |
starts-from-empty-seed | Starting with an empty SEED. |
starts-from-backup-seed | Starting with backup seed. |
starts-from-empty-seed | Starting with an empty SEED. |
ha-sync-success | Successfully synced PAN-DB to peer. |
ha-sync-success | PAN-DB sync with HA started at <seconds>. |
url-backup-seed-success | Backup of PAN-DB finished successfully. |
upgrade-url-database-success | PAN-DB was upgraded to version <version>. |
ha-sync-success | URL vendor matches and is set to 'PAN-DB'. |
ha-sync-failure | Not synching file to peer because mode is not Active-Passive (<mode>). |
ha-sync-failure | No synching file to peer because local state is not Active (<mode>). |
ha-sync-failure | Not accepting file from peer local state is not Passive (<mode>). |
ha-sync-failure | No synching file to peer because peer state is not Passive (<mode>). |
userid
Event ID | Description |
---|---|
connect-agent | Redistribution Agent <name>(vsys<id>): connected to <host>, status <status>, version <num> |
connect-client | CMS Redistribution Client is connected to global collector: <devid> vsys <id> |
connect-client | Redistribution Client is connected to collector <name>: <client>, vsys <id> |
connect-ldap-sever | ldap cfg <name> connected to server <server> |
connect-ldap-sever | ldap cfg <name> connected to server <server> |
connect-agent | <agent> <name>(vsys<id>): connected to <name>, status <status>, version <version> |
connect-client | User-ID Client is connected to collector <name>: "IP <ip> port <num> vsys <num> |
disconnect-client | User-ID Client is disconnected from collector <name>: "IP <ip> port <num> vsys_id <num> |
disconnect-client | User-ID Client is disconnected from collector <name>: "IP <ip> port <num> vsys_id <num> |
connect-client | User-ID Client is connected to collector <name>:<conn_id> vsys_id <id> |
disconnect-client | User-ID Client is disconnected from collector <name>:<conn_id> vsys_id <id> |
connect-agent | <agent_desc> <name>(vsys<id>): connected to <name>, version <id> |
agent-read-log-error | <name> failed <num> time(s) |
agent-get-domain-error | <name> please check pan-agent log file for actual incorrect DC IP address(es) |
agent-get-groups-error | <name> failed <num> time(s) |
agent-get-config-error | <name> failed <num> time(s) |
agent-get-users-error | <name> failed <num> time(s) |
agent-no-domain | <name> failed <num> time(s) |
disconnect-syslog | User-ID Syslog Proxy: Client <name>: disconnected <addr> |
connect-syslog | User-ID Syslog Proxy: Client <name>(vsys<id>): connected <addr> |
disconnect-syslog | User-ID Syslog Proxy: Client <name>: disconnected <addr> |
disconnect-syslog | User-ID Syslog Proxy: Client <name>: disconnected <addr> |
connect-agent | Pan-TS-Agent <name> disconnected: IP <ip> port <num> vsys<num> |
disconnect-agent | PAN-Agent <name> disconnected: IP <ip> port <num> vsys<id> |
agent-status-failure | Failed to get status <num> times, connection may be down or protocol mismatch between device and pan-agent |
disconnect-agent | User-ID-Agent <name> disconnected: IP <ip> port <num> vsys<id> |
disconnect-agent | User-ID-Agent <name> disconnected: <conn_str> vsys<id> |
agent-event | User-ID-Agent <name> event: <type>, name <name>, status <status>, vsys<id> |
agent-status-failure | Failed to get status <num> times, connection may be down or protocol mismatch between device and pan-agent |
connect-server-monitor | Please change server monitor(<name>) Transport Protocol from WMI to WinRM for better performance |
connect-server-monitor | User-ID server monitor <name>(vsys<id>): connected to <host> |
connect-server-monitor | Server monitor <name>(vsys<id>) is connected |
connect-vm-info-source | vm-info-source <name>(vsys<id>): Connected to <host>, status <status> |
connect-vm-info-source | vm-info-source <name>(vsys<id>): Connected to <host>, status <status> |
connect-vm-info-source | vm-info-source <name>(vsys<id>): connected to <host>, status <status>, version <version> |
disconnect-vm-info-source | vm-info-source <name>(vsys<id>): disconnected to <host>, status <status>, version <version> |
vm
Event ID | Description |
---|---|
dvf-init-succeed | VMware dvfilter init succeeded |
vpn
Event ID | Description |
---|---|
vpnctl-ike-rekey-event | [<name>]: <davici_name>:<value, |
vpnctl-child-updown-event | [<name>]: <davici_name>:<value, |
vpnctl-child-rekey-event | [<name>]: <davici_name>:<value, |
vpnctl-ike-updown-event | connction failed, peer <remote_host>, retry <conn_try> |
keymgr-daemon-init | KEYMGR daemon is initializing. |
keymgr-daemon-start | KEYMGR daemon is ready. |
keymgr-daemon-exit | KEYMGR daemon has exited. |
keymgr-flow-full-sync-done | KEYMGR sync all IPSec SA to Flow exit. |
ike-fqdn-change | IKE fqdn mapping is changed |
ike-config-p1-success | IKE daemon configuration load phase-1 succeeded. |
ike-config-p1-abort | IKE daemon configuration load phase-1 aborted. |
ike-config-p2-success | IKE daemon configuration load phase-2 succeeded. |
ike-nego-p1-fail-psk | IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. |
ike-nego-p1-fail-psk | IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. |
ike-nego-p1-fail-common | IKE phase-1 negotiation is failed_COMM |
ike-nego-p1-fail-common | IKE phase-1 negotiation is failed_COMM |
ike-nego-p1-fail-common | IKE phase-1 negotiation is failed_COMM |
ikev2-nego-child-ts-bad | IKEv2 child SA negotiation failed when processing traffic selector. |
ikev2-nego-child-ts-bad | IKEv2 child SA negotiation failed when processing traffic selector. |
ikev2-send-p1-delete | IKEv2 IKE SA delete message sent to peer. |
ike-nego-p1-fail-common | IKE phase-1 negotiation is failed_COMM |
ikev2-nego-use-v1 | IKEv1 is used in IKEv2 preferred mode. |
ike-nego-p2-stale-p1 | Deleting a possible stale phase-1 SA. |
ike-nego-p1-start | IKE phase-1 negotiation is started |
ike-nego-p1-fail | IKE phase-1 negotiation is failed |
ike-nego-p1-succ | IKE phase-1 negotiation is succeeded |
ike-nego-p1-delete | IKE phase-1 SA is deleted |
ike-nego-p1-expire | IKE phase-1 SA is expired |
ike-nego-p2-start | IKE phase-2 negotiation is started |
ike-nego-p2-fail | IKE phase-2 negotiation is failed |
ike-nego-p2-succ | IKE phase-2 negotiation is succeeded |
ipsec-key-install | IPSec key installed. |
ipsec-key-delete | IPSec key deleted. |
ipsec-key-expire | IPSec key lifetime expired. |
ike-nego-p2-proxy-id-bad | IKE phase-2 negotiation failed when processing proxy ID. |
ike-nego-p2-proxy-id-bad | IKE phase-2 negotiation failed when processing proxy ID. |
ike-nego-p2-no-p1 | IKE phase-2 negotiation request received but no phase-1 SA is found. |
ike-nego-p2-p1-not-ready | IKE phase-2 negotiation request received but no active phase-1 SA is available. |
ike-nego-p2-proposal-bad | IKE phase-2 negotiation failed when processing SA payload. |
ike-nego-p1-fail-common | IKE phase-1 negotiation is failed_COMM |
ike-nego-p1-psk-idtype | IKE phase-1 negotiation is failed. When pre-shared key is used |
ike-nego-p1-fail-psk | IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. |
ike-nego-p1-fail-psk | IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. |
ike-recv-notify | IKE protocol notification message received: |
ike-recv-p1-delete | IKE protocol phase-1 SA delete message received from peer. |
ike-recv-p2-delete | IKE protocol IPSec SA delete message received from peer. |
ike-send-p1-delete | IKE protocol phase-1 SA delete message sent to peer. |
ike-send-p2-delete | IKE protocol IPSec SA delete message sent to peer. |
ike-send-notify | IKE protocol notification message sent: |
ike-send-notify | IKE protocol notification message sent: |
ike-send-notify | IKE protocol notification message sent: |
ike-nego-p2-dup-rekey | duplicate phase-2 rekey request detected |
ike-nego-p1-cert-succ | IKE certificate authentication succeeded. |
ike-nego-p1-fail-psk | IKE phase-1 negotiation is failed likely due to pre-shared key mismatch. |
ikev2-nego-cert-succ | IKEv2 certificate authentication succeeded. |
ikev2-nego-fail-psk | IKEv2 SA negotiation is failed likely due to pre-shared key mismatch. |
ikev2-send-p2-delete | IKEv2 IPSec SA delete message sent to peer. |
ikev2-nego-child-fail | IKEv2 child SA negotiation is failed |
ikev2-nego-child-fail | IKEv2 child SA negotiation is failed |
ikev2-nego-child-fail | IKEv2 child SA negotiation is failed |
ikev2-nego-child-fail | IKEv2 child SA negotiation is failed |
ikev2-nego-stale-p2 | Deleting a possible stale IKEv2 child SA. |
ikev2-nego-fail-common | IKEv2 SA negotiation is failed. |
ike-recv-notify | IKE protocol notification message received: |
ikev2-recv-p1-delete | IKEv2 IKE SA delete message received from peer. |
ikev2-recv-p2-delete | IKEv2 IPSec SA delete message received from peer. |
ikev2-nego-ike-fail | IKEv2 IKE SA negotiation is failed |
ikev2-nego-ike-start | IKEv2 IKE SA negotiation is started |
ikev2-nego-ike-fail | IKEv2 IKE SA negotiation is failed |
ikev2-nego-ike-succ | IKEv2 IKE SA negotiation is succeeded |
ikev2-nego-ike-delete | IKEv2 IKE SA is deleted |
ikev2-nego-ike-expire | IKEv2 IKE SA is expired |
ikev2-nego-child-start | IKEv2 child SA negotiation is started |
ikev2-nego-child-fail | IKEv2 child SA negotiation is failed |
ikev2-nego-child-succ | IKEv2 child SA negotiation is succeeded |
ipsec-key-install | IPSec key installed. |
ipsec-key-delete | IPSec key deleted. |
ipsec-key-expire | IPSec key lifetime expired. |
ikev2-nego-use-v1 | IKEv1 is used in IKEv2 preferred mode. |
ike-daemon-init | IKE daemon is initializing. |
ike-daemon-start | IKE daemon is ready. |
ike-daemon-exit | IKE daemon has exited. |
wildfire
Event ID | Description |
---|---|
wildfire-no-policy | WildFire <name> channel disabled. No active WildFire analysis profile to <name> channel. |
wildfire-auth-failed | Failed to verify SSL peer's certificate with the certificate authority |
wildfire-appliance
Event ID | Description |
---|---|
cluster-mode-change | Cluster mode changed to stand_alone |
cluster-mode-change | Cluster mode changed to controller |
cluster-mode-change | Cluster mode changed to worker |
cluster-mode-change | Cluster mode changed to unknown |
cluster-engine-role | Cluster engine started as controller. |
Slog
- Fan Tray is missing, system will power down in <num> seconds if not replaced.
- <entry> is not present on startup
- Freeing slot <id>, uid <id> with Force
- Freeing slot <id>, uid <id> with Non-force
- Get registration with uid <id> sw_ver <version> slot <id> dp_ip <ip>
- Allocated slot %d for uid <uid> <id>
- Device certificate expires in 15 or less days
- Successfully fetched device certificate from Palo Alto Networks
- Logd failed to send disconnect to configd for (<id>)
- Logd blocking customerid (<id>)
- Logd Unblocking customerid (<id>)
- Logd failed to send disconnect to configd for (<name>)]
- Trigger AddrObjRefresh commit for group-mapping
- Purged mongdb data size (<num> recs) to bring "data size below limit <num>
- GlobalProtect data file version <version> downloaded from peer device
- Name resolution takes too long disable name lookup for report <name>
- Name resolution takes too long disable name for the report <name>
- The primary user attribute has been changed in one of the group-mapping configuration
- Captive Portal Client certificate validation failed from <host>. no certificate.
- Captive Portal Client certificate validation failed from <host<. Certificate does not belong to the Cert Profile chain
- Captive Portal Client certificate verification for OSCP/CRL failed from <host>.
- Captive Portal Client certificate is not yet active from <host>.
- Captive Portal Client certificate has expired from <host>.
- Captive Portal client certificate authentication successful from <host>
- <type> authentication succeeded for user: <name> on <host> vsys<id>
- <type> renew from session cookie for user: <user> on <addr> vsys<id>
- <type> NTLM authentication failed for user: <user> on <addr> vsys<id>
- <type> NTLM authentication succeeded for user: <user> on <addr> vsys<id>
- <type> authentication failed (INVALID) for user: <user> on <ip> vsys<id>
- <type> authentication failed for user: <name> on <ip> vsys<id>
- <type> authentication succeeded for user: <name> on <ip> vsys<id>
- Logd received error response code from http service (<num>) msg size <num> customerid <id> logtype <name> num_rec <num>
- Logdb downgrade started on <serial> slot <id>.
- Logdb downgrade completed on <serial> slot <id> in <num> days <num> hours <num> minutes <num> secs.
- Logdb Migration started on <serial> slot <num>
- Logdb Migration paused on <serial> slot <num>.
- Logdb Migration abandoned on <serial> slot <id>.
- Logdb Migration completed on <serial> slot <id>.
- Test email sent to <name> successfully for email profile <name>
- Client certificate verification for OSCP/CRL failed from <host>.
- Client certificate authentication successful from <host>.
- Client certificate validation failed from <host>. No https is detected.
- Client certificate validation failed from <host>. No https is detected.
- Create system logs
- Create custom system logs
- Cluster member <id>, <name> successfully updated for <name> and push enqueued with jobid <id>
- Cluster member <id>, <name> successfully deleted for <name> and push enqueued with jobid <id>
- successfully connect to %s:%s:%d
- Failed connect to %s:%s:%d
- dsc service is started
- Identity client received malformed policy recommendation.
- Identity client received policy recommendation error: %v.
- Identity client received %v policy recommendation.
- Identity client failed to get policy recommendation.
- Icd HA state is changed from %d to %d
- Icd HA better state is changed from %d to %d
- failed to retrieve source address with error %d"
- iot-eal service is started
- icd service is started
- gRPC connection to %s is broken, error: %v
- gRPC connection to %s is established, %s -> %s
- "gRPC connection to %s is broken, error: %s"
- Cloud Appid feature is disabled
- Cloud Appid feature is enabled
- Cloud Appid %s task[%d] completed, new cloud version: %s, %s",
- Cloud Appid %s task[%d] failed: %v
- Cloud App: %s data lost some files, %d -> %d
- Cloud App: check and restore %s data, type %d.