Github user justinleet commented on the issue:
From @ctramnitz on the PR I made against his branch.
> However, I'm not sure the result for is really as expected.
> It shouldn't be "<11>Jan 5 05:38:59 PAN1.exampleCustomer.com 1", but just "1". The rest is the Syslog header.
> Is the PaloParser called against the entire syslog line or after the header has been stripped out?
Keeping in mind that I'm definitely not an expert on this, here's what
I've dug up. If anybody has more expertise / insight, I'd be happy for the
Looking over it, the full log line. Check out
for the 6.0 fields, they are
NAT Source IP
NAT Destination IP
NAT Destination Port
The field we pull out as `palo_alto_domain` appears to be a `FUTURE_USE`
field. There also doesn't appear to be something that would obviously correspond
to the PaloAltoDomain field (unless I can't read, which has happened before).
The field we call `time_logged` also appears to be `FUTURE_USE`. There's
also another FUTURE_USE, but I think I misread something because it didn't line
up like I expected (and the specifics aren't actually super important).
It makes me question how reliable anything labelled FUTURE_USE is (although
that doesn't stop us from looking at it and labelling it).
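The header-stripping question raised above, worked through as an added Python example; it is not part of this thread or of the PaloParser being discussed. The column names in `TRAFFIC_FIELDS` and the sample log line are assumed/constructed, and `FUTURE_USE` columns are kept under indexed keys so they stay visible without being mistaken for documented fields.

```python
import re
from typing import Dict, List, Optional, Tuple

# BSD-style syslog header as seen in the quoted line:
# "<PRI>Mon dd HH:MM:SS hostname " followed by the comma-separated payload.
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
)

# Assumed names for the leading PAN-OS 6.0 TRAFFIC columns (not taken from
# the thread); FUTURE_USE marks columns the vendor docs leave undefined.
TRAFFIC_FIELDS: List[str] = [
    "FUTURE_USE", "receive_time", "serial_number", "type", "subtype",
    "FUTURE_USE", "generated_time", "src_ip", "dst_ip", "nat_src_ip",
    "nat_dst_ip",
]

# Constructed sample line (documentation IP ranges), same header as the quote.
SAMPLE = ("<11>Jan 5 05:38:59 PAN1.exampleCustomer.com "
          "1,2016/01/05 05:38:58,0009C100218,TRAFFIC,end,1,"
          "2016/01/05 05:38:58,10.0.0.5,192.0.2.10,203.0.113.7,192.0.2.10")


def split_syslog(line: str) -> Tuple[Optional[Dict[str, str]], str]:
    """Return (syslog header fields or None, remaining CSV payload)."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None, line
    return m.groupdict(), line[m.end():]


def parse_payload(payload: str, names: List[str]) -> Dict[str, str]:
    """Map CSV columns to names; FUTURE_USE columns get indexed keys."""
    cols = payload.split(",")
    out: Dict[str, str] = {}
    for i, name in enumerate(names):
        if i >= len(cols):
            break
        out[f"future_use_{i}" if name == "FUTURE_USE" else name] = cols[i]
    return out


def parse_line(line: str, strip_header: bool = True) -> Dict[str, str]:
    """With strip_header=False the header leaks into column 0 (the bug)."""
    header, payload = split_syslog(line) if strip_header else (None, line)
    fields = parse_payload(payload, TRAFFIC_FIELDS)
    if header:
        fields.update({"syslog_" + k: v for k, v in header.items()})
    return fields
```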