I ran across an issue where a Cisco VCSE device was set up by another engineer, but the Palo Alto FW kept seeing the syslog traffic come across as “unknown-udp”. The issue was that the Cisco device was set up for “Legacy BSD format”. The correct setting is “IETF syslog format”. Just keep an eye on this for this device and other devices.
Here’s the Palo Alto showing the unknown for UDP and then identifying correctly after the change on the Cisco device:
Here’s the setting on the Cisco device:
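To show why the two settings look different on the wire, here is an added example (not from the original post, and not Palo Alto's App-ID logic) that classifies a syslog datagram as IETF format (RFC 5424) or legacy BSD format (RFC 3164) and tallies the result per sending host. The sample messages, the hostname `vcse01` and the app name `tvcs` are constructed for the example; the regexes follow the two RFCs and nothing vendor-specific.

```python
"""Classify syslog datagrams as IETF (RFC 5424) or legacy BSD (RFC 3164).

Added example: it demonstrates that the two formats are structurally
distinct, which is why a firewall classifier can identify one and not
the other. It is not the firewall's own signature logic.
"""
import re

# RFC 5424 header:
#   <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
_IETF_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) "
    r"(?P<timestamp>-|\d{4}-\d{2}-\d{2}T[^ ]+) "
    r"(?P<hostname>[^ ]{1,255}) "
    r"(?P<appname>[^ ]{1,48}) "
    r"(?P<procid>[^ ]{1,128}) "
    r"(?P<msgid>[^ ]{1,32}) "
    r"(?P<sd>-|(?:\[[^\]]+\])+)"
    r"(?: (?P<msg>.*))?$",
    re.DOTALL,
)

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG   (day may be space-padded)
_BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"[ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>[^ ]+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)

_MAX_PRI = 191  # facility 0..23 * 8 + severity 0..7


def classify(datagram: str) -> dict:
    """Return the detected format plus the decoded PRI and hostname.

    'malformed' means the header parsed but PRI is out of range; 'unknown'
    means neither header shape matched (what a classifier would fall back to).
    """
    m = _IETF_RE.match(datagram)
    fmt = "ietf"
    if m is None:
        m = _BSD_RE.match(datagram)
        fmt = "bsd"
    if m is None:
        return {"format": "unknown"}

    pri = int(m["pri"])
    if pri > _MAX_PRI:
        return {"format": "malformed", "pri": pri}

    result = {
        "format": fmt,
        "facility": pri // 8,
        "severity": pri % 8,
        "hostname": m["hostname"],
        "msg": m["msg"] or "",
    }
    if fmt == "ietf":
        result["version"] = int(m["version"])
        result["app"] = m["appname"]
    return result


def audit_senders(datagrams) -> dict:
    """Tally formats per sending host so hosts still on BSD format stand out."""
    tally: dict = {}
    for d in datagrams:
        r = classify(d)
        host = r.get("hostname", "?")
        per_host = tally.setdefault(host, {})
        per_host[r["format"]] = per_host.get(r["format"], 0) + 1
    return tally


# Constructed sample datagrams (hostname and app name are made up).
BSD_SAMPLE = '<134>Mar  5 10:12:01 vcse01 tvcs: Event="login" User="admin"'
IETF_SAMPLE = (
    '<134>1 2024-03-05T10:12:01.123Z vcse01 tvcs - - '
    '[meta seqId="42"] Event="login" User="admin"'
)
SAMPLES = [BSD_SAMPLE, IETF_SAMPLE]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s))
    print(audit_senders(SAMPLES))
```

Pointing the audit at a short capture from the collector (one datagram per line) tells you which senders are still emitting the legacy header before the firewall logs do.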