Strata Logging Service
Decryption CEF Fields
Example Decryption log in CEF:
Mar 1 20:35:56 xxx.xx.x.xx 2341 <14>1 2021-03-01T20:35:56.343Z stream-logfwd20-587718190-02280003-lvod-harness-mjdh logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|DECRYPTION|end|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=xxxxxxxxxxxxx PanOSConfigVersion=null start=Mar 01 2021 20:35:54 src=xxx.xx.x.xx dst=xxx.xx.x.xx sourceTranslatedAddress=xxx.xx.x.xx destinationTranslatedAddress=xxx.xx.x.xx cs1=allow-all-employees cs1Label=Rule suser=paloaltonetwork\\\\xxxxx duser=paloaltonetwork\\\\xxxxx app=gmail-base cs3=vsys1 cs3Label=VirtualLocation cs4=datacenter cs4Label=FromZone cs5=ethernet4Zone-test1 cs5Label=ToZone deviceInboundInterface=ethernet1/1 deviceOutboundInterface=tunnel.901 cs6=test cs6Label=LogSetting PanOSTimeReceivedManagementPlane=Dec 12 2019 22:16:48 cn1=106112 cn1Label=SessionID cnt=1 spt=16524 dpt=20122 sourceTranslatedPort=15856 destinationTranslatedPort=10128 proto=tcp act=deny PanOSTunnel=N/A PanOSSourceUUID= PanOSDestinationUUID= PanOSRuleUUID=fnullacnullnulle1-2c69-4f2b-8293-46ee4c73737e PanOSClientToFirewall=null PanOSFirewallToClient=null PanOSTLSVersion=null PanOSTLSKeyExchange=null PanOSTLSEncryptionAlgorithm=null PanOSTLSAuth=null PanOSPolicyName= PanOSEllipticCurve= PanOSErrorIndex=null PanOSRootStatus=null PanOSChainStatus=null PanOSProxyType=null PanOSCertificateSerial= PanOSFingerprint= PanOSTimeNotBefore=0 PanOSTimeNotAfter=0 PanOSCertificateVersion=null PanOSCertificateSize=0 PanOSCommonNameLength=0 PanOSIssuerNameLength=0 PanOSRootCNLength=0 PanOSSNILength=0 PanOSCertificateFlags=0 PanOSCommonName= PanOSIssuerCommonName= PanOSRootCommonName= PanOSServerNameIndication= PanOSErrorMessage= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup=test PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= PanOSSourceDeviceMac= PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= externalId=xxxxxxxxxxxxx
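To show how a record like the one above is read, here is an added parser (not code from the Palo Alto Networks documentation). It applies standard CEF escaping rules and runs on a constructed, shortened copy of the sample line with placeholder IPs, serials and user names; it also resolves the custom-field label pairs (cs1 with cs1Label=Rule, cn1 with cn1Label=SessionID) that the table below lists.

```python
"""Parse a Strata Logging Service Decryption log in CEF into a dict.
Added example, not code from the Palo Alto Networks documentation.
CEF rules applied: header fields split on '|', extension pairs split at
' key=', and '\\\\' / '\\=' are escapes inside values."""
import re

HEADER_FIELDS = ("Version", "Device Vendor", "Device Product", "Device Version",
                 "Device Event Class ID", "Name", "Severity")

# Constructed sample, shortened from the log line on this page; IPs, serial
# numbers and user names are placeholders. "\\\\" is one CEF-escaped backslash.
SAMPLE = (
    "Mar 1 20:35:56 xxx.xx.x.xx 2341 <14>1 2021-03-01T20:35:56.343Z "
    "stream-logfwd20-example logforwarder - panwlogs - "
    "CEF:0|Palo Alto Networks|LF|2.0|DECRYPTION|end|3|"
    "ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=xxxxxxxxxxxxx "
    "src=192.0.2.10 dst=198.51.100.20 cs1=allow-all-employees cs1Label=Rule "
    "suser=paloaltonetwork\\\\user app=gmail-base cs3=vsys1 cs3Label=VirtualLocation "
    "cn1=106112 cn1Label=SessionID proto=tcp act=deny PanOSTLSVersion=null "
    "PanOSSourceUUID= PanOSRootStatus=null externalId=xxxxxxxxxxxxx"
)

def unescape(value: str) -> str:
    """Undo CEF extension escaping: \\\\ -> \\, \\= -> =, \\n and \\r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]), value)

def parse_cef(line: str) -> dict:
    """Header fields plus extension pairs; csN/cnN pairs are renamed to their
    csNLabel/cnNLabel text (cs1=allow-all-employees cs1Label=Rule -> Rule)."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    # Header fields are pipe-separated; an escaped pipe (\|) is not a separator.
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    record = dict(zip(HEADER_FIELDS, parts[:7]))
    record["Version"] = parts[0][len("CEF:"):]
    ext = {}
    # Split only at whitespace followed by the next key=, so values with
    # spaces (rt=Mar 01 2021 20:35:54) and empty values (PanOSSourceUUID=) survive.
    for pair in re.split(r"\s+(?=[\w.]+=)", parts[7].strip()):
        key, _, value = pair.partition("=")
        ext[key] = unescape(value)
    for label_key in [k for k in ext if k.endswith("Label") and k[:-5] in ext]:
        label = ext.pop(label_key)
        ext[label] = ext.pop(label_key[:-5])
    record.update(ext)
    return record
```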
The following table identifies the Decryption field names that the Log Forwarding app uses when you forward logs using the CEF log format.
| CEF Name | Field Details |
|---|---|
| act | |
| app | |
| PanOSApplicationCategory | Query Name: app_category; Header Type: Custom |
| PanOSApplicationSubcategory | Query Name: app_sub_category; Header Type: Custom |
| PanOSCertificateFlags | Query Name: cert_flags; Header Type: Custom |
| PanOSCertificateSerial | Query Name: cert_serial; Header Type: Custom |
| PanOSCertificateSize | Query Name: certificate_size; Header Type: Custom |
| PanOSCertificateVersion | Query Name: certificate_version.value; Header Type: Custom |
| PanOSChainStatus | Query Name: chain_status.value; Header Type: Custom |
| PanOSApplicationCharacteristics | Query Name: characteristics_of_app; Header Type: Custom |
| PanOSClientToFirewall | Query Name: client_to_firewall.value; Header Type: Custom |
| PanOSCommonName | Query Name: cn; Header Type: Custom |
| PanOSCommonNameLength | Query Name: cn_len; Header Type: Custom |
| PanOSConfigVersion | Query Name: config_version.value; Header Type: Custom |
| PanOSContainerID | Query Name: container_id; Header Type: Custom |
| PanOSApplicationContainer | Query Name: container_of_app; Header Type: Custom |
| cnt | Query Name: count_of_repeats; Header Type: Predefined |
| PanOSCpadding | Query Name: cpadding; Header Type: Custom |
| PanOSCortexDataLakeTenantID | Query Name: customer_id; Header Type: Custom |
| PanOSDestinationDeviceCategory | Query Name: dest_device_category; Header Type: Custom |
| PanOSDestinationDeviceClass | Query Name: dest_device_class; Header Type: Custom |
| PanOSDestinationDeviceHost | Query Name: dest_device_host; Header Type: Custom |
| PanOSDestinationDeviceMac | Query Name: dest_device_mac; Header Type: Custom |
| PanOSDestinationDeviceModel | Query Name: dest_device_model; Header Type: Custom |
| PanOSDestinationDeviceOS | Query Name: dest_device_os; Header Type: Custom |
| PanOSDestinationDeviceOSFamily | Query Name: dest_device_osfamily; Header Type: Custom |
| PanOSDestinationDeviceOSVersion | Query Name: dest_device_osversion; Header Type: Custom |
| PanOSDestinationDeviceProfile | Query Name: dest_device_profile; Header Type: Custom |
| PanOSDestinationDeviceVendor | Query Name: dest_device_vendor; Header Type: Custom |
| PanOSDestinationDynamicAddressGroup | Query Name: dest_dynamic_address_group; Header Type: Custom |
| PanOSDestinationEDL | Query Name: dest_edl; Header Type: Custom |
| dst or c6a3 | Query Name: dest_ip.value; Header Type: Predefined; Label: c6a3Label; Label Text: Destination IPv6 Address |
| PanOSDestinationLocation | Query Name: dest_location; Header Type: Custom |
| dpt | Query Name: dest_port; Header Type: Predefined |
| duser | |
| dntdom | |
| duser | |
| duid | |
| PanOSDestinationUUID | Query Name: dest_uuid; Header Type: Custom |
| PanOSDGHierarchyLevel1 | Query Name: dg_hier_level_1; Header Type: Custom |
| PanOSDGHierarchyLevel2 | Query Name: dg_hier_level_2; Header Type: Custom |
| PanOSDGHierarchyLevel3 | Query Name: dg_hier_level_3; Header Type: Custom |
| PanOSDGHierarchyLevel4 | Query Name: dg_hier_level_4; Header Type: Custom |
| PanOSDomain | Query Name: domain; Header Type: Custom |
| PanOSEllipticCurve | Query Name: elliptic_curve.value; Header Type: Custom |
| PanOSErrorIndex | Query Name: error_index.value; Header Type: Custom |
| PanOSErrorMessage | Query Name: error_message; Header Type: Custom |
| PanOSFingerprint | Query Name: fingerprint; Header Type: Custom |
| PanOSFirewallToClient | Query Name: firewall_to_client.value; Header Type: Custom |
| cs4 | |
| deviceInboundInterface | |
| PanOSInboundInterfaceDetailsPort | Query Name: inbound_if_details.port; Header Type: Custom |
| PanOSInboundInterfaceDetailsSlot | Query Name: inbound_if_details.slot; Header Type: Custom |
| PanOSInboundInterfaceDetailsType | Query Name: inbound_if_details.type.value; Header Type: Custom |
| PanOSInboundInterfaceDetailsUnit | Query Name: inbound_if_details.unit; Header Type: Custom |
| PanOSCaptivePortal | Query Name: is_captive_portal; Header Type: Custom |
| PanOSIsCertECDSA | Query Name: is_cert_ECDSA; Header Type: Custom |
| PanOSIsCertRSA | Query Name: is_cert_RSA; Header Type: Custom |
| PanOSIsCertCNTruncated | Query Name: is_cert_cn_truncated; Header Type: Custom |
| PanOSIsClienttoServer | Query Name: is_client_to_server; Header Type: Custom |
| PanOSIsContainer | Query Name: is_container; Header Type: Custom |
| PanOSIsDecryptMirror | Query Name: is_decrypt_mirror; Header Type: Custom |
| PanOSIsDecrypted | Query Name: is_decrypted; Header Type: Custom |
| PanOSIsDuplicateLog | Query Name: is_dup_log; Header Type: Custom |
| PanOSIsEncrypted | Query Name: is_encrypted; Header Type: Custom |
| PanOSLogExported | Query Name: is_exported; Header Type: Custom |
| PanOSIsForwarded | Query Name: is_forwarded; Header Type: Custom |
| PanOSIsIPV6 | Query Name: is_ipv6; Header Type: Custom |
| PanOSIsIssuerCNTruncated | Query Name: is_issuer_cn_truncated; Header Type: Custom |
| PanOSIsMptcpOn | Query Name: is_mptcp_on; Header Type: Custom |
| PanOSIsNAT | Query Name: is_nat; Header Type: Custom |
| PanOSIsNonStandardDestinationPort | Query Name: is_non_std_dest_port; Header Type: Custom |
| PanOSPacketCapture | Query Name: is_packet_capture; Header Type: Custom |
| PanOSIsPhishing | Query Name: is_phishing; Header Type: Custom |
| PanOSIsPrismaNetwork | Query Name: is_prisma_branch; Header Type: Custom |
| PanOSIsPrismaUsers | Query Name: is_prisma_mobile; Header Type: Custom |
| PanOSIsProxy | Query Name: is_proxy; Header Type: Custom |
| PanOSIsReconExcluded | Query Name: is_recon_excluded; Header Type: Custom |
| PanOSIsResumeSession | Query Name: is_resume_session; Header Type: Custom |
| PanOSIsRootCNTruncated | Query Name: is_root_cn_truncated; Header Type: Custom |
| PanOSIsSaaSApplication | Query Name: is_saas_app; Header Type: Custom |
| PanOSIsServertoClient | Query Name: is_server_to_client; Header Type: Custom |
| PanOSIsSNITruncated | Query Name: is_sni_truncated; Header Type: Custom |
| PanOSIsSourceXForwarded | Query Name: is_source_x_fwded; Header Type: Custom |
| PanOSIsSystemReturn | Query Name: is_sym_return; Header Type: Custom |
| PanOSIsTransaction | Query Name: is_transaction; Header Type: Custom |
| PanOSIsTunnelInspected | Query Name: is_tunnel_inspected; Header Type: Custom |
| PanOSIsURLDenied | Query Name: is_url_denied; Header Type: Custom |
| PanOSIssuerCommonName | Query Name: issuer_cn; Header Type: Custom |
| PanOSIssuerNameLength | Query Name: issuer_len; Header Type: Custom |
| cs6 | |
| PanOSLogSource | Query Name: log_source; Header Type: Custom |
| LogSourceGroupID | |
| PanOSDeviceSN | Query Name: log_source_id; Header Type: Custom |
| PanOSDeviceName | Query Name: log_source_name; Header Type: Custom |
| PanOSLogSourceTimeZoneOffset | Query Name: log_source_tz_offset; Header Type: Custom |
| rt | Query Name: log_time; Header Type: Predefined |
| Device Event Class ID | Query Name: log_type.value; Header Type: Custom |
| destinationTranslatedAddress | Query Name: nat_dest.value; Header Type: Predefined |
| destinationTranslatedPort | Query Name: nat_dest_port; Header Type: Predefined |
| sourceTranslatedAddress | Query Name: nat_source.value; Header Type: Predefined |
| sourceTranslatedPort | Query Name: nat_source_port; Header Type: Predefined |
| PanOSTimeNotAfter | Query Name: not_after; Header Type: Custom |
| PanOSTimeNotBefore | Query Name: not_before; Header Type: Custom |
| deviceOutboundInterface | |
| PanOSOutboundInterfaceDetailsPort | Query Name: outbound_if_details.port; Header Type: Custom |
| PanOSOutboundInterfaceDetailsSlot | Query Name: outbound_if_details.slot; Header Type: Custom |
| PanOSOutboundInterfaceDetailsType | Query Name: outbound_if_details.type.value; Header Type: Custom |
| PanOSOutboundInterfaceDetailsUnit | Query Name: outbound_if_details.unit; Header Type: Custom |
| PanOSPadding | Query Name: padding; Header Type: Custom |
| PanOSPadding3 | Query Name: padding3; Header Type: Custom |
| PanOSPanoramaSN | Query Name: panorama_serial; Header Type: Custom |
| PlatformType | Query Name: platform_type; Header Type: Custom |
| PanOSContainerName | Query Name: pod_name; Header Type: Custom |
| PanOSContainerNameSpace | Query Name: pod_namespace; Header Type: Custom |
| PanOSPolicyName | Query Name: policy_name; Header Type: Custom |
| proto | |
| PanOSProxyType | Query Name: proxy_type.value; Header Type: Custom |
| PanOSApplicationRisk | Query Name: risk_of_app; Header Type: Custom |
| PanOSRootCommonName | Query Name: root_cn; Header Type: Custom |
| PanOSRootCNLength | Query Name: root_cn_len; Header Type: Custom |
| PanOSRootStatus | Query Name: root_status.value; Header Type: Custom |
| cs1 | |
| PanOSRuleUUID | Query Name: rule_matched_uuid; Header Type: Custom |
| PanOSSanctionedStateOfApp | Query Name: sanctioned_state_of_app; Header Type: Custom |
| externalId | |
| cn1 | |
| PanOSServerNameIndication | Query Name: sni; Header Type: Custom |
| PanOSSNILength | Query Name: sni_len; Header Type: Custom |
| PanOSSourceDeviceCategory | Query Name: source_device_category; Header Type: Custom |
| PanOSSourceDeviceClass | Query Name: source_device_class; Header Type: Custom |
| PanOSSourceDeviceHost | Query Name: source_device_host; Header Type: Custom |
| PanOSSourceDeviceMac | Query Name: source_device_mac; Header Type: Custom |
| PanOSSourceDeviceModel | Query Name: source_device_model; Header Type: Custom |
| PanOSSourceDeviceOS | Query Name: source_device_os; Header Type: Custom |
| PanOSSourceDeviceOSFamily | Query Name: source_device_osfamily; Header Type: Custom |
| PanOSSourceDeviceOSVersion | Query Name: source_device_osversion; Header Type: Custom |
| PanOSSourceDeviceProfile | Query Name: source_device_profile; Header Type: Custom |
| PanOSSourceDeviceVendor | Query Name: source_device_vendor; Header Type: Custom |
| PanOSSourceDynamicAddressGroup | Query Name: source_dynamic_address_group; Header Type: Custom |
| PanOSSourceEDL | Query Name: source_edl; Header Type: Custom |
| src or c6a2 | Query Name: source_ip.value; Header Type: Predefined; Label: c6a2Label; Label Text: Source IPv6 Address |
| PanOSSourceLocation | Query Name: source_location; Header Type: Custom |
| spt | Query Name: source_port; Header Type: Predefined |
| suser | |
| sntdom | |
| suser | |
| suid | |
| PanOSSourceUUID | Query Name: source_uuid; Header Type: Custom |
| Name | Query Name: sub_type.value; Header Type: Custom |
| PanOSApplicationTechnology | Query Name: technology_of_app; Header Type: Custom |
| start | Query Name: time_generated; Header Type: Predefined |
| PanOSTimeGeneratedHighResolution | Query Name: time_generated_high_res; Header Type: Custom |
| PanOSTimeReceivedManagementPlane | Query Name: time_received_mp; Header Type: Custom |
| PanOSTLSAuth | Query Name: tls_auth.value; Header Type: Custom |
| PanOSTLSEncryptionAlgorithm | Query Name: tls_enc_algorithm.value; Header Type: Custom |
| PanOSTLSKeyExchange | Query Name: tls_keyxchange.value; Header Type: Custom |
| PanOSTLSVersion | Query Name: tls_version.value; Header Type: Custom |
| cs5 | |
| PanOSTpadding | Query Name: tpadding; Header Type: Custom |
| PanOSTunnel | Query Name: tunnel.value; Header Type: Custom |
| PanOSTunneledApplication | Query Name: tunneled_app; Header Type: Custom |
| Device Vendor | Query Name: vendor_name; Header Type: Custom |
| PanOSVpadding | Query Name: vpadding; Header Type: Custom |
| cs3 | Query Name: vsys; Header Type: Predefined; Label: cs3Label; Label Text: VirtualLocation; Max Length: 4000 |
| PanOSVirtualSystemID | Query Name: vsys_id; Header Type: Custom |
| PanOSVirtualSystemName | Query Name: vsys_name; Header Type: Custom |