Skip to main content
Question

Palo Alto Network Firewall Logs Not Parsing

  • July 10, 2026
  • 3 replies
  • 39 views

DOwusu
Forum|alt.badge.img

Palo Alto Network Firewall Logs Not Parsing. 

We are using Palo’s Strata Logging to forward Palo Alto Network Firewall Logs to Google Secops Webhook. Some logs are getting parsed and some are not.

When we take a look at the logs not getting parsed it shows the raw logs are coming in as a Stacked JSON with no way to do split delimiter due to the structure of the JSON. 

Has anyone seen this issue?

3 replies

whathehack81
Forum|alt.badge.img+2

Have you confirmed whether the failing payloads are always the same Palo log type (Traffic, Threat, System, Config, etc.)? Also, is Strata batching multiple events into a single HTTP POST for the failures? If you compare a successful request with a failed one, do the failed payloads contain multiple top-level JSON objects or a JSON array? That would help determine whether this is a parser issue or a payload-format mismatch.


DOwusu
Forum|alt.badge.img
  • Author
  • New Member
  • July 10, 2026

Have you confirmed whether the failing payloads are always the same Palo log type (Traffic, Threat, System, Config, etc.)? Also, is Strata batching multiple events into a single HTTP POST for the failures? If you compare a successful request with a failed one, do the failed payloads contain multiple top-level JSON objects or a JSON array? That would help determine whether this is a parser issue or a payload-format mismatch.

Hey, so it's a Payload-format mismatch for sure. The raw logs of the parsed logs are coming in as single events, and the failed parser logs are coming in as batched multiple events in one and contained top level JSON objects. 

I looked in Palo’s Strata logging and there is nothing around payload settings. 

We did configure the feed for it different than what Google had so that might also be an issue.
Under Google Secops → SIEM → Feed we selected webhook, got the api key from GCP’s API keys and added it to the webhook feed on the Google Secops side. Added the given webhook URL to Strata. 

Logs were coming in and being parsed so we thought it was good. but not sure if that is causing the issue.

We were trying to stay away from Service Account JSON keys.


whathehack81
Forum|alt.badge.img+2

That confirms it is probably message framing rather than the Palo log content itself.

 

If parsed events arrive as single JSON objects, but failed events arrive as multiple batched top-level JSON objects in one POST, the SecOps feed/parser may not be able to split them. A body like `{...}{...}{...}` is not one valid JSON document, even if each individual object is valid.

 

I would test with one failed raw payload:

 

1. Confirm whether the body is stacked JSON objects, a JSON array, or NDJSON.

2. Replay one object by itself into the same feed.

3. Replay the full batched body.

4. Compare parser behavior.

 

If the single object parses and the batch fails, the fix is likely one of:

 

- configure Strata to send one event per request if possible

- use an intermediary collector/Cloud Run/Function to split the batch before forwarding to SecOps

- switch to the Google-recommended feed/ingestion method for Palo Alto Strata if it handles batching differently

- confirm the SecOps feed type/parser is the Palo Alto/Strata parser and not a generic webhook parser

 

I do not think avoiding service account JSON keys is the root issue by itself. Since some events are ingesting and parsing, auth is probably fine. The main issue sounds like the payload shape being different between successful and failed requests.