...
In the PAN-OS console, select Device → Certificate Management → Certificates → Device Certificates. Generate a new certificate and call it RootCA. Once generated, select the RootCA certificate in the CA Certificates table and edit its information. Select the Trusted Root CA check box, then click OK. For more information about Root CA certificates, see the vendor documentation.
  |  |
In the same area of the Palo Alto console, generate another new certificate, this time call it SyslogCert. Enter the IP address of the machine where stunnel is installed as the Common Name, select the RootCA certificate as the Signed By value, and do not select the Certificate Authority check box.
...
Click Generate. Finally, click the certificate name to edit it, select the Certificate for Secure Syslog check box, and click OK. For more information about generating a certificate, see the vendor documentation.
Now, you need to export the certificates. In Device → Certificate Management → Certificates → Device Certificates., select the RootCA certificate and click Export. Choose PEM as the format. Do the same for the SyslogCert certificate.
...
For more information about exporting certificates, see the vendor documentation.
Copy the Palo Alto certificates to the Devo relay/stunnel machine
...
You will need to set up just one type-4 relay rule that uses a regular expression and capturing groups to isolate data contained in the inbound event to build the correct Devo tag.
Source Port → port →
13005Source Data → data →
^[^,]+,[^,]+,[^,]+,([^,]+).*$Target Tag → firewalltag →
firewall.paloalto.\\D1Select the Stop Processing processing and Sent without syslog tag checkboxes
Once you add the rule, the relay is prepared to recieveievents receive events from stunnel and forward them correctly to the Devo cloud.
...
For more information about syslog forwarding, see the vendor documentation.