Use of ${QUOTEDSTRING} causes Graylog to seize - Part II

Thank you @marziglt, much appreciated.

Can you share the context that this grok pattern is used? For example, via an extractor? Via a pipeline rule?

Also, to expand on what Patrick said, it appears the Grok pattern does not match the sample log message; specifically, it matches up to NUMBER:natsport:

%{WORD:logsrc}.div.company.com %{NUMBER:num},%{DATA:receive_time},%{NUMBER:serial},%{WORD:type},%{WORD:subtype},%{NUMBER:port},%{DATA:time_generated},%{DATA:src},%{DATA:dst},%{DATA:natsrc},%{DATA:natdst},%{DATA:rule},%{DATA:srcuser},%{DATA:dstuser},%{DATA:app},%{DATA:vsys},%{DATA:from},%{DATA:to},%{DATA:inbound_if},%{DATA:outboundif}%{DATA:logset},%{DATA:unknown_time},%{NUMBER:sessionid},%{NUMBER:repeatcnt},%{NUMBER:sport},%{NUMBER:dport},%{NUMBER:natsport},

which matches

panorama.div.company.com 1,2024/12/02 15:18:02,024101003988,TRAFFIC,end,2817,2024/12/02 15:18:02,10.101.19.7,10.101.159.130,0.0.0.0,0.0.0.0,inside-in_46,msrpc-base,vdiv1,PROD.Internal,PROD.DIVNET,ethernet1/2,ethernet1/1,default,2024/12/02 15:18:02,655765,1,61636,49681,0,0,

The next part of the grok pattern, %{NUMBER:natdport}, fails to match the next part of the message, which is 0x401a. It seems the grok pattern is off by one? The text it's trying to match appears to belong to the next grok pattern, %{DATA:flags}, which would correctly match 0x401a.

I’m not sure if this is the cause of your issue though.

For what it's worth, Graylog Illuminate parses Palo Alto logs out of the box.

Thanks,
Drew
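The prefix-by-prefix check Drew describes can be automated. The script below is an added example, not code from the thread or from Graylog: it expands the grok pattern posted above into a Python regex using simplified equivalents of the standard WORD, NUMBER and DATA definitions (NUMBER is BASE10NUM without its atomic group, which only newer Python versions accept), runs it against the sample line from the post, and then cuts the pattern after each comma to find the first field that stops the match. The sample message is extended with "0x401a," because the post states that is the next token; the remainder of the real log line is not on the page and is not assumed. The script also reports adjacent fields with no comma between them: in the posted pattern, %{DATA:outboundif}%{DATA:logset} share one comma-separated slot, which is consistent with the field names being one position ahead of the message from that point on.

```python
import re

# Simplified equivalents of the standard grok definitions used by the posted
# pattern. NUMBER is BASE10NUM without its atomic group (?>...), which Python's
# re only accepts from 3.11 on; for comma-separated tokens the behaviour is the same.
GROK_DEFS = {
    "WORD": r"\b\w+\b",
    "NUMBER": r"(?<![0-9.+-])[+-]?(?:[0-9]+(?:\.[0-9]+)?|\.[0-9]+)",
    "DATA": r".*?",
}

FIELD_RE = re.compile(r"%\{(\w+):(\w+)\}")

# The grok pattern exactly as posted in the thread.
PATTERN = (
    "%{WORD:logsrc}.div.company.com %{NUMBER:num},%{DATA:receive_time},%{NUMBER:serial},"
    "%{WORD:type},%{WORD:subtype},%{NUMBER:port},%{DATA:time_generated},%{DATA:src},"
    "%{DATA:dst},%{DATA:natsrc},%{DATA:natdst},%{DATA:rule},%{DATA:srcuser},%{DATA:dstuser},"
    "%{DATA:app},%{DATA:vsys},%{DATA:from},%{DATA:to},%{DATA:inbound_if},"
    "%{DATA:outboundif}%{DATA:logset},%{DATA:unknown_time},%{NUMBER:sessionid},"
    "%{NUMBER:repeatcnt},%{NUMBER:sport},%{NUMBER:dport},%{NUMBER:natsport},"
)
# The next field the thread's full pattern expects, as stated in the post.
PATTERN_NEXT = PATTERN + "%{NUMBER:natdport},"

# The sample line exactly as posted (it ends where the posted pattern prefix ends).
MESSAGE_PREFIX = (
    "panorama.div.company.com 1,2024/12/02 15:18:02,024101003988,TRAFFIC,end,2817,"
    "2024/12/02 15:18:02,10.101.19.7,10.101.159.130,0.0.0.0,0.0.0.0,inside-in_46,"
    "msrpc-base,vdiv1,PROD.Internal,PROD.DIVNET,ethernet1/2,ethernet1/1,default,"
    "2024/12/02 15:18:02,655765,1,61636,49681,0,0,"
)
# Constructed continuation: the post says the next token is 0x401a; nothing beyond it is assumed.
MESSAGE = MESSAGE_PREFIX + "0x401a,"


def grok_to_regex(pattern: str) -> str:
    """Expand %{TYPE:name} into named groups. Text outside %{} is passed through
    as a regex, as grok itself does (so the '.' in '.div.company.com' is a wildcard)."""
    return FIELD_RE.sub(lambda m: f"(?P<{m.group(2)}>{GROK_DEFS[m.group(1)]})", pattern)


def grok_match(pattern: str, text: str):
    """Match from the start of the text, like a grok extractor; the captured
    fields as a dict, or None when the pattern does not match."""
    m = re.match(grok_to_regex(pattern), text)
    return m.groupdict() if m else None


def adjacent_fields(pattern: str):
    """Names of fields immediately followed by another %{...} with no literal
    in between; two such neighbours share one comma-separated slot of the message."""
    return re.findall(r"%\{\w+:(\w+)\}(?=%\{)", pattern)


def first_failing_field(pattern: str, text: str):
    """Automate the manual prefix check: try the pattern cut after each ',' and
    return (last field that still matched, first field that broke the match)."""
    last_ok = None
    for m in re.finditer(r"%\{\w+:(\w+)\},", pattern):
        if re.match(grok_to_regex(pattern[: m.end()]), text) is None:
            return last_ok, m.group(1)
        last_ok = m.group(1)
    return last_ok, None


if __name__ == "__main__":
    fields = grok_match(PATTERN, MESSAGE_PREFIX)
    for name in ("to", "inbound_if", "outboundif", "logset", "unknown_time", "natsport"):
        print(f"{name:12} = {fields[name]!r}")
    print("adjacent fields:", adjacent_fields(PATTERN))
    print("first failure  :", first_failing_field(PATTERN_NEXT, MESSAGE))
```

Running it shows the posted prefix matching the posted line with `outboundif` empty and `logset` holding the timestamp, and the one-field-longer pattern failing at `natdport`, the same point the reply found by hand. Cutting the pattern down to the first failing field is also the cheap way to keep a debugging session responsive: a long run of `%{DATA}` fields followed by a token that cannot match is exactly the shape that makes a regex engine backtrack across every comma before giving up.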