Strata Logging Service

Directory sync
By syncing this data, the firewall can apply security policies based on user identity (User-ID) across the entire network without needing a direct connection to every individual directory server.
See the following for information related to supported log formats:
DIRECTORY SYNC Field (Display Name) / Description / Field name in each log format (CEF, EMAIL, HTTPS, LEEF)
cie_log_time
(CIE TIME RECEIVED)
Time of the event in UTC.
CEF field name: PanOSCIETimeReceived
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: CIETimeReceived
client_application_id
(CLIENT APPLICATION ID)
ID of the client application used in the directory sync.
CEF field name: PanOSClientApplicationId
EMAIL field name: ClientApplicationId
HTTPS field name: ClientApplicationId
LEEF field name: ClientApplicationId
count
(COUNT)
Indicates the number of impacted resources.
CEF field name: PanOSCount
EMAIL field name: Count
HTTPS field name: Count
LEEF field name: Count
count_summary.application
(COUNT SUMMARY- APPLICATION)
EMAIL field name: CountSummaryApplication
HTTPS field name: CountSummaryApplication
LEEF field name: CountSummaryApplication
count_summary.computer
(COUNT SUMMARY- COMPUTER)
EMAIL field name: CountSummaryComputer
HTTPS field name: CountSummaryComputer
LEEF field name: CountSummaryComputer
count_summary.container
(COUNT SUMMARY- CONTAINER)
EMAIL field name: CountSummaryContainer
HTTPS field name: CountSummaryContainer
LEEF field name: CountSummaryContainer
count_summary.group
(COUNT SUMMARY- GROUP)
CEF field name: PanOSCountSummaryGroup
EMAIL field name: CountSummaryGroup
HTTPS field name: CountSummaryGroup
LEEF field name: CountSummaryGroup
count_summary.ou
(COUNT SUMMARY- OU)
CEF field name: PanOSCountSummaryOU
EMAIL field name: CountSummaryOU
HTTPS field name: CountSummaryOU
LEEF field name: CountSummaryOU
count_summary.roleassignments
(COUNT SUMMARY- ROLEASSIGNMENTS)
EMAIL field name: CountSummaryRoleAssignments
HTTPS field name: CountSummaryRoleAssignments
count_summary.user
(COUNT SUMMARY- USER)
CEF field name: PanOSCountSummaryUser
EMAIL field name: CountSummaryUser
HTTPS field name: CountSummaryUser
LEEF field name: CountSummaryUser
customer_id
(CORTEX DATA LAKE TENANT ID)
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
EMAIL field name: CortexDataLakeTenantId
HTTPS field name: CortexDataLakeTenantId
LEEF field name: s
directory_id
(DIRECTORY ID)
ID of the directory.
CEF field name: PanOSDirectoryId
EMAIL field name: DirectoryId
HTTPS field name: DirectoryId
LEEF field name: DirectoryId
directory_name
(DIRECTORY NAME)
Name of the directory.
CEF field name: PanOSDirectoryName
EMAIL field name: DirectoryName
HTTPS field name: DirectoryName
LEEF field name: DirectoryName
directory_type
(DIRECTORY TYPE)
Type of the directory.
CEF field name: PanOSDirectoryType
EMAIL field name: DirectoryType
HTTPS field name: DirectoryType
LEEF field name: DirectoryType
event_category
(EVENT CATEGORY)
Indicates the event category.
CEF field name: PanOSEventCategory
EMAIL field name: EventCategory
HTTPS field name: EventCategory
LEEF field name: EventCategory
event_sequence_id
(EVENT SEQUENCE ID)
Indicates the sequence ID of the events.
CEF field name: PanOSEventSequenceId
EMAIL field name: EventSequenceId
HTTPS field name: EventSequenceId
LEEF field name: EventSequenceId
event_state
(EVENT STATE)
Indicates the state of the sync.
CEF field name: PanOSEventState
EMAIL field name: EventState
HTTPS field name: EventState
LEEF field name: EventState
event_type
(EVENT TYPE)
Indicates the event type.
CEF field name: PanOSEventType
EMAIL field name: EventType
HTTPS field name: EventType
LEEF field name: EventType
failure_reason_code
(FAILURE REASON CODE)
Indicates the error that caused the sync failure.
CEF field name: PanOSFailureReasonCode
EMAIL field name: FailureReasonCode
HTTPS field name: FailureReasonCode
LEEF field name: FailureReasonCode
flattened_membership_count_cie
(FLATTENED MEMBERSHIP COUNT CIE)
Indicates the total flattened users in this group during the active sync.
EMAIL field name: FlattenedMembershipCountCIE
HTTPS field name: FlattenedMembershipCountCIE
flattened_membership_count_cie_previous_sync
(FLATTENED MEMBERSHIP COUNT CIE PREVIOUS SYNC)
Indicates the total flattened users in this group from the last successful sync.
flattened_membership_count_idp
(FLATTENED MEMBERSHIP COUNT IDP)
Indicates the total flattened users in this group reported by the Identity Provider.
EMAIL field name: FlattenedMembershipCountIDP
HTTPS field name: FlattenedMembershipCountIDP
immediate_membership_count_cie
(IMMEDIATE MEMBERSHIP COUNT CIE)
Indicates the total immediate users in this group during the active sync.
EMAIL field name: ImmediateMembershipCountCIE
HTTPS field name: ImmediateMembershipCountCIE
immediate_membership_count_cie_previous_sync
(IMMEDIATE MEMBERSHIP COUNT CIE PREVIOUS SYNC)
Indicates the total immediate users in this group from the last successful sync.
immediate_membership_count_idp
(IMMEDIATE MEMBERSHIP COUNT IDP)
Indicates the total immediate users in this group reported by the Identity Provider.
EMAIL field name: ImmediateMembershipCountIDP
HTTPS field name: ImmediateMembershipCountIDP
log_source
(LOG SOURCE)
Identifies the origin of the data - the system that produced the data.
CEF field name: PanOSLogSource
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource
log_source_group_id
(LOG SOURCE GROUP ID)
ID that uniquely identifies the log source group of the log; that is, the log_source_id of the group.
CEF field name: LogSourceGroupID
EMAIL field name: LogSourceGroupID
HTTPS field name: LogSourceGroupID
LEEF field name: LogSourceGroupID
log_source_id
(DEVICE SN)
ID that uniquely identifies the source of the log - serial number of the firewall that generated the log.
CEF field name: deviceExternalID
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN
log_source_name
(DEVICE NAME)
Name of the source of the log - hostname of the firewall that logged the network traffic.
CEF field name: dvchost
EMAIL field name: DeviceName
HTTPS field name: DeviceName
LEEF field name: DeviceName
log_source_tz_offset
(LOG SOURCE TIMEZONE OFFSET)
Time Zone offset from GMT of the source of the log.
EMAIL field name: LogSourceTimeZoneOffset
HTTPS field name: LogSourceTimeZoneOffset
LEEF field name: LogSourceTimeZoneOffset
log_time
(TIME RECEIVED)
Time the log was received in Cortex Data Lake. This is populated by the platform.
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived
log_type.value
(LOG TYPE)
Identifies the log type.
CEF field name: DeviceEventClassID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat
platform_type
(PLATFORM TYPE)
Identifies the platform that generated the log.
CEF field name: PanOSPlatformType
EMAIL field name: PlatformType
HTTPS field name: PlatformType
LEEF field name: PlatformType
recommended_action
(RECOMMENDED ACTION)
Indicates the action to be performed by the customer.
CEF field name: PanOSRecommendedAction
EMAIL field name: RecommendedAction
HTTPS field name: RecommendedAction
LEEF field name: RecommendedAction
source_id
(SOURCE ID)
Indicates the source entity.
CEF field name: PanOSSourceType
EMAIL field name: SourceId
HTTPS field name: SourceId
LEEF field name: SourceId
source_type
(SOURCE TYPE)
Object type of source entity.
CEF field name: PanOSSourceType
EMAIL field name: SourceType
HTTPS field name: SourceType
LEEF field name: SourceType
sub_type.value
(SUB TYPE)
Identifies the log subtype.
CEF field name: Name
EMAIL field name: SubType
HTTPS field name: SubType
LEEF field name: SubType
sync_job_id
(SYNC JOB ID)
Indicates the ID of the sync.
CEF field name: PanOSSyncJobId
EMAIL field name: SyncJobId
HTTPS field name: SyncJobId
LEEF field name: SyncJobId
sync_type
(SYNC TYPE)
Indicates the type of sync.
CEF field name: PanOSSyncType
EMAIL field name: SyncType
HTTPS field name: SyncType
LEEF field name: SyncType
target_id
(TARGET ID)
Indicates the object entity being operated on.
CEF field name: PanOSTargetId
EMAIL field name: TargetId
HTTPS field name: TargetId
LEEF field name: TargetId
target_type
(TARGET TYPE)
Object type of the entity being operated on.
CEF field name: PanOSTargetType
EMAIL field name: TargetType
HTTPS field name: TargetType
LEEF field name: TargetType
time_generated
(TIME GENERATED)
Time the log was generated on the data plane in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime
time_generated_high_res
(TIME GENERATED HIGH RESOLUTION)
Time the log was generated on the data plane with millisecond granularity, in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
tsg_id
(TSG ID)
The ID that uniquely identifies the Tenant Service Group (TSG) that this log record should be associated with.
CEF field name: PanOSTSGID
EMAIL field name: TSGID
HTTPS field name: TSGID
LEEF field name: TSGID
vendor_name
(VENDOR NAME)
Identifies the vendor that produced the data.
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor
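As an added example that is not part of this reference page or of the product's own code: a small Python parser for the CEF form of these records, using the CEF field names listed in the table above, followed by two defender-side checks (a failed sync and a change touching many resources). The sample record, its field values and the bulk threshold are constructed assumptions, not values from the page.

```python
import re
from typing import Dict, List
# CEF extension keys from the table above, mapped back to the Directory Sync
# field names (only the fields that have a documented CEF name).
CEF_TO_FIELD = {
    "PanOSCIETimeReceived": "cie_log_time", "PanOSDirectoryId": "directory_id",
    "PanOSDirectoryName": "directory_name", "PanOSDirectoryType": "directory_type",
    "PanOSEventCategory": "event_category", "PanOSEventType": "event_type",
    "PanOSEventState": "event_state", "PanOSFailureReasonCode": "failure_reason_code",
    "PanOSCount": "count", "PanOSCountSummaryUser": "count_summary.user",
    "PanOSCountSummaryGroup": "count_summary.group", "PanOSSyncJobId": "sync_job_id",
    "PanOSSyncType": "sync_type", "PanOSTargetId": "target_id",
    "PanOSTargetType": "target_type", "PanOSRecommendedAction": "recommended_action",
    "PanOSTSGID": "tsg_id", "deviceExternalID": "log_source_id", "dvchost": "log_source_name",
    "start": "time_generated", "rt": "log_time",
}
# CEF header positions; the table maps vendor, log type and subtype to these.
HEADER = ("cef_version", "vendor_name", "product", "product_version",
          "log_type.value", "sub_type.value", "severity")

def parse_cef(line: str) -> Dict[str, str]:
    """One CEF record -> dict keyed by Directory Sync field names."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)  # split on unescaped '|'
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    rec = {k: v.replace("\\|", "|") for k, v in zip(HEADER, parts[:7])}
    rec["cef_version"] = rec["cef_version"][4:]
    for token in re.split(r" (?=\S+=)", parts[7]):  # 'key=value' pairs; values may hold spaces
        key, _, val = token.partition("=")
        rec[CEF_TO_FIELD.get(key, key)] = val.replace("\\=", "=").replace("\\\\", "\\")
    return rec

def triage(rec: Dict[str, str], bulk_threshold: int = 500) -> List[str]:
    """Two defender checks: a failed sync (failure_reason_code set) and a change
    touching many resources. The threshold is an assumed value, not from the page."""
    findings = []
    if rec.get("failure_reason_code"):
        findings.append(f"sync {rec.get('sync_job_id', '?')} failed: code "
                        f"{rec['failure_reason_code']}; action: "
                        f"{rec.get('recommended_action', 'none given')}")
    if rec.get("count", "").isdigit() and int(rec["count"]) >= bulk_threshold:
        findings.append(f"bulk change: {rec['count']} {rec.get('target_type', '')} objects "
                        f"in directory {rec.get('directory_name', '?')}")
    return findings
# Constructed sample record; all values are illustrative, not taken from the page.
SAMPLE = ("CEF:0|Palo Alto Networks|Cortex Data Lake|1.0|directory_sync|sync_status|5|"
          "PanOSSyncJobId=job-42 PanOSEventState=failed PanOSFailureReasonCode=E1203 "
          "PanOSRecommendedAction=Check agent credentials PanOSDirectoryName=corp.example "
          "PanOSTargetType=group PanOSCount=812 PanOSTSGID=1234567 rt=1700000000000")
```

Fields that have no CEF name in the table (for example the membership count fields, which exist only in the EMAIL and HTTPS formats) pass through under their raw key, so the same parser can be extended with a second mapping for those formats.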