Sending Custom Config Syslog to elk

Hi All,

I'm trying to send custom config syslogs to ELK. The reason for the custom logs is that I need to capture:

Before Change Detail
After Change Detail

I'm on PAN-OS 10.1.10-h2.

Per https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/config-log-fields , this requires a custom log format.

I keep getting a grok failure: "Provided Grok expressions do not match field value:"

I set it all back to default, which allows the pipeline to run, and grabbed a tcpdump of the incoming syslogs.
I've removed some sensitive detail.

Nov 20 15:09:07 FW1 1,2023/11/20 15:09:06,011901060797,CONFIG,0,2561,2023/11/20 15:09:07,HOSTIP,,edit,ADMIN,Web,Succeeded, vsys vsys1 rulebase security rules RULE-NAME,7301736379371749566,0x0,0,0,0,0,,FW1,0,COMMENT,2023-11-20T15:09:07.221+00:00

When I set the custom syslog format per the linked PA doc, this is how it looks:

Nov 20 15:27:42 FW1 2023/11/20 15:27:42,011901060797,CONFIG,0,2023/11/20 15:27:42,HOSTIP,,edit,ADMIN,Web,Succeeded, vsys vsys1 rulebase security rules RULE-NAME,7301736379371749571,0x0,0,0,0,0,,FW1,0,COMMENT,2023-11-20T15:27:42.968+00:00

From what I can see, the following is different:

Trailing 1 before the first date

Extra comma between the trailing 1 and the first date

After the type (in this case CONFIG), then its subtype (in this case 0), 2561 is present? I've no idea what this is; there is no reference to it on the linked PA doc.

Below is the custom format I have configured:

$receive_time,$serial,$type,$subtype,$time_generated,$host,$vsys,$cmd,$admin,$client,$result,$path,$seqno,$actionflags,$dg_hier_level_1,$dg_hier_level_2,$dg_hier_level_3,$dg_hier_level_4,$vsys_name,$device_name,$dg_id,$comment,$high_res_timestamp

Any ideas what I'm missing here?
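Before writing a grok pattern it is worth checking which column layout a captured line actually has. The following is an added Python example (not from the post, not Palo Alto Networks code): it derives column names from the custom format string above, parses both captured lines, and fails on a column-count mismatch. It assumes the two extra positions in the default line (the leading 1 and the value after the subtype) are the FUTURE_USE columns of the PAN-OS CONFIG field list; the names future_use_1/future_use_2 are the example's own.

```python
import csv
import re

# BSD syslog header ("Nov 20 15:27:42 FW1 ") followed by the comma-separated PAN-OS record.
SYSLOG_HEADER = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# Custom format string exactly as configured in the post; the $ variables become column names.
CUSTOM_FORMAT = ("$receive_time,$serial,$type,$subtype,$time_generated,$host,$vsys,$cmd,$admin,"
                 "$client,$result,$path,$seqno,$actionflags,$dg_hier_level_1,$dg_hier_level_2,"
                 "$dg_hier_level_3,$dg_hier_level_4,$vsys_name,$device_name,$dg_id,$comment,$high_res_timestamp")

def fields_from_format(fmt: str) -> list[str]:
    return [f.strip().lstrip("$") for f in fmt.split(",")]
CUSTOM_FIELDS = fields_from_format(CUSTOM_FORMAT)
# Assumed default CONFIG layout: the same columns plus the two positions the PAN-OS field
# list marks FUTURE_USE (the leading "1" and the value that follows $subtype).
DEFAULT_FIELDS = ["future_use_1"] + CUSTOM_FIELDS[:4] + ["future_use_2"] + CUSTOM_FIELDS[4:]
LAYOUTS = {"default": DEFAULT_FIELDS, "custom": CUSTOM_FIELDS}

class FieldCountMismatch(ValueError):
    """The record has a different number of columns than the layout expects."""

def parse_config_log(line: str, fields: list[str]) -> dict[str, str]:
    """Parse one syslog line against a column layout, failing loudly on a count mismatch."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError("line does not start with a BSD syslog header")
    values = next(csv.reader([m.group("msg")]))  # csv also copes with double-quoted fields
    if len(values) != len(fields):
        raise FieldCountMismatch(f"layout has {len(fields)} columns, record has {len(values)}")
    record = {name: value.strip() for name, value in zip(fields, values)}  # drops " vsys ..." space
    record["syslog_ts"], record["syslog_host"] = m.group("ts"), m.group("host")
    return record

def detect_layout(line: str):
    """Name of the first known layout whose column count matches the record, else None."""
    for name, fields in LAYOUTS.items():
        try:
            parse_config_log(line, fields)
            return name
        except FieldCountMismatch:
            pass
    return None

# The two tcpdump-captured lines from the post (sensitive values already replaced by the poster).
DEFAULT_LINE = ("Nov 20 15:09:07 FW1 1,2023/11/20 15:09:06,011901060797,CONFIG,0,2561,2023/11/20 "
                "15:09:07,HOSTIP,,edit,ADMIN,Web,Succeeded, vsys vsys1 rulebase security rules "
                "RULE-NAME,7301736379371749566,0x0,0,0,0,0,,FW1,0,COMMENT,2023-11-20T15:09:07.221+00:00")
CUSTOM_LINE = ("Nov 20 15:27:42 FW1 2023/11/20 15:27:42,011901060797,CONFIG,0,2023/11/20 15:27:42,"
               "HOSTIP,,edit,ADMIN,Web,Succeeded, vsys vsys1 rulebase security rules RULE-NAME,"
               "7301736379371749571,0x0,0,0,0,0,,FW1,0,COMMENT,2023-11-20T15:27:42.968+00:00")
```

The default line parses to 25 columns and the custom one to 23, so a pattern built for one layout fails on the other; note also that the configured format string carries no before/after change detail column yet, so adding those variables changes the count again.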