Only traffic and system logs are coming over from the PANW module. I checked for error.message : * and I can't even see any failures from URL/Threat syslog. I've verified that I am sending all log types from the firewall, and a packet capture from the management interface to elastic shows that URL and threat syslogs are getting sent to Elastic.

Please let me know if/how I can provide more information.

I've had this issue on PANW module versions 1.5.0 - 1.5.2. I am running PANOS 10.2 but I downgraded to 10.1 and still saw this issue. I can provide syslog examples if necessary.