Audit
Strata Logging Service

Audit logs are written to Strata Logging Service by specific products, applications, or services. These are used to record changes made to the service writing the logs.
The products, applications, or services that write audit logs are:
  • Prisma Access Integration with Cisco Meraki SD-WAN
See the following for information related to supported log formats:
AUDIT Field (Display Name)
Description
actor_display_name
(ACTOR DISPLAY NAME)
The display name of actor for delegation.
CEF field name: PanOSActorDisplayName
EMAIL field name: ActorDisplayName
HTTPS field name: ActorDisplayName
LEEF field name: ActorDisplayName
actor_id
(ACTOR ID)
The identity of actor for delegation.
CEF field name: PanOSActorID
EMAIL field name: ActorID
HTTPS field name: ActorID
LEEF field name: ActorID
connection_error.id
(CONNECTION ERROR ID)
Enumeration integer assigned to the connection_error field value.
CEF field name: PanOSConnectionErrorID
EMAIL field name: ConnectionErrorID
HTTPS field name: ConnectionErrorID
LEEF field name: ConnectionErrorID
connection_error.value
(CONNECTION ERROR VALUE)
The user related to the destination.
EMAIL field name: ConnectionErrorValue
HTTPS field name: ConnectionErrorValue
LEEF field name: ConnectionErrorValue
customer_id
(CORTEX DATA LAKE TENANT ID)
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
EMAIL field name: CortexDataLakeTenantID
HTTPS field name: CortexDataLakeTenantID
LEEF field name: CortexDataLakeTenantID
event_category
(EVENT CATEGORY)
The category of the event.
  • Prisma Access Integration with Cisco Meraki SD-WAN: The HTTP method that Prisma Access used to modify a Meraki resource.
    Example: GET if Prisma Access made a GET call.
CEF field name: PanOSEventCategory
EMAIL field name: EventCategory
HTTPS field name: EventCategory
LEEF field name: EventCategory
event_client_ip.value
(EVENT CLIENT IP)
The client ip of the event.
CEF field name: PanOSEventClientIP
EMAIL field name: EventClientIP
HTTPS field name: EventClientIP
LEEF field name: EventClientIP
event_description
(EVENT DESCRIPTION)
A description of the event.
  • Prisma Access Integration with Cisco Meraki SD-WAN: The modification that Prisma Access made to the Meraki resource.
    Example:
    Update Non Meraki VPN Peer N_354359432522
CEF field name: PanOSEventDescription
EMAIL field name: EventDescription
HTTPS field name: EventDescription
LEEF field name: EventDescription
event_dest.value
(EVENT DESTINATION)
Identity of the event destination.
CEF field name: PanOSEventDestination
EMAIL field name: EventDestination
HTTPS field name: EventDestination
LEEF field name: EventDestination
event_dest_action
(EVENT DESTINATION ACTION)
Action for destination or related device.
EMAIL field name: EventDestinationAction
HTTPS field name: EventDestinationAction
LEEF field name: EventDestinationAction
event_dest_url
(EVENT DESTINATION URL)
The URL related to the destination.
CEF field name: PanOSEventDestinationURL
EMAIL field name: EventDestinationURL
HTTPS field name: EventDestinationURL
LEEF field name: EventDestinationURL
event_dest_user.user_id
(EVENT DESTINATION USER USER ID)
EMAIL field name: EventDestinationUserUserID
HTTPS field name: EventDestinationUserUserID
event_dest_user.uuid
(EVENT DESTINATION USER UUID)
EMAIL field name: EventDestinationUserUUID
HTTPS field name: EventDestinationUserUUID
LEEF field name: EventDestinationUserUUID
event_dest_vendor
(DESTINATION VENDOR)
Name of the service that sent the log to Strata Logging Service.
CEF field name: PanOSDestinationVendor
EMAIL field name: DestinationVendor
HTTPS field name: DestinationVendor
LEEF field name: DestinationVendor
event_detail
(EVENT DETAILS)
Details about the event.
  • Prisma Access Integration with Cisco Meraki SD-WAN: The Event Category followed by details about the kind of change made and the ID of the object receiving the change. Example:
    UPDATE performed on API set appliance and objectID 1274905
CEF field name: PanOSEventDetails
EMAIL field name: EventDetails
HTTPS field name: EventDetails
LEEF field name: EventDetails
event_id
(EVENT ID)
System event identifier.
CEF field name: PanOSEventID
EMAIL field name: EventID
HTTPS field name: EventID
LEEF field name: EventID
event_name
(EVENT NAME)
The name associated with an event.
  • Prisma Access Integration with Cisco Meraki SD-WAN: The Meraki resource that Prisma Access acted on.
    Example: updateDevice if Prisma Access made an API call to update a device.
CEF field name: PanOSEventName
EMAIL field name: EventName
HTTPS field name: EventName
LEEF field name: EventName
event_result
(EVENT RESULT)
The result of an event.
  • Prisma Access Integration with Cisco Meraki SD-WAN: The response code returned from a Meraki API.
    Example: 200 if the request was successful.
CEF field name: PanOSEventResult
EMAIL field name: EventResult
HTTPS field name: EventResult
LEEF field name: EventResult
event_source.value
(EVENT SOURCE)
Identity of the event source.
CEF field name: PanOSEventSource
EMAIL field name: EventSource
HTTPS field name: EventSource
LEEF field name: EventSource
event_source_url
(EVENT SOURCE URL)
The URL related to the source.
CEF field name: PanOSEventSourceURL
EMAIL field name: EventSourceURL
HTTPS field name: EventSourceURL
LEEF field name: EventSourceURL
event_source_user.domain
(EVENT SOURCE USER DOMAIN)
EMAIL field name: EventSourceUserDomain
HTTPS field name: EventSourceUserDomain
LEEF field name: EventSourceUserDomain
event_source_user.user
(EVENT SOURCE USER)
CEF field name: PanOSEventSourceUser
EMAIL field name: EventSourceUser
HTTPS field name: EventSourceUser
LEEF field name: EventSourceUser
event_source_user.user_id
(EVENT SOURCE USER USER ID)
EMAIL field name: EventSourceUserUserID
HTTPS field name: EventSourceUserUserID
LEEF field name: EventSourceUserUserID
event_source_user.uuid
(EVENT SOURCE USER UUID)
CEF field name: PanOSEventSourceUserUUID
EMAIL field name: EventSourceUserUUID
HTTPS field name: EventSourceUserUUID
LEEF field name: EventSourceUserUUID
event_source_user_email
(EVENT SOURCE USER EMAIL)
The email address for the user.
EMAIL field name: EventSourceUserEmail
HTTPS field name: EventSourceUserEmail
LEEF field name: EventSourceUserEmail
event_source_user_first_name
(EVENT SOURCE USER FIRST NAME)
The first name for the user.
EMAIL field name: EventSourceUserFirstName
HTTPS field name: EventSourceUserFirstName
LEEF field name: EventSourceUserFirstName
event_source_user_last_name
(EVENT SOURCE USER LAST NAME)
The last name for the user.
EMAIL field name: EventSourceUserLastName
HTTPS field name: EventSourceUserLastName
LEEF field name: EventSourceUserLastName
event_source_user_uuid_v4
(EVENT SOURCE USER UUID V4)
The unique uuid for the user.
EMAIL field name: EventSourceUserUUIDV4
HTTPS field name: EventSourceUserUUIDV4
LEEF field name: EventSourceUserUUIDV4
event_sub_category
(EVENT SUB CATEGORY)
The sub-category of the event (defined by the application).
CEF field name: PanOSEventSubCategory
EMAIL field name: EventSubCategory
HTTPS field name: EventSubCategory
LEEF field name: EventSubCategory
event_time
(EVENT TIME)
Time when the log was generated.
  • Prisma Access Integration with Cisco Meraki SD-WAN: The time, in UTC, when Prisma Access invoked the Meraki API. Example:
    2023-03-26 16:52:19
CEF field name: PanOSEventTime
EMAIL field name: EventTime
HTTPS field name: EventTime
LEEF field name: EventTime
log_source
(LOG SOURCE)
Identifies the origin of the data - the system that produced the data.
CEF field name: PANOSLogSource
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource
log_source_group_id
(LOG SOURCE GROUP ID)
ID that uniquely identifies the log source group of the log, that is, the log_source_id of the group.
CEF field name: PanOSLogSourceGroupID
EMAIL field name: LogSourceGroupID
HTTPS field name: LogSourceGroupID
LEEF field name: LogSourceGroupID
log_source_id
(DEVICE SN)
Unique identifier of the log source. For example, if a firewall generated the log, this would be the serial number of the firewall.
CEF field name: deviceExternalID
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN
log_source_name
(DEVICE NAME)
Name of the source of the log - hostname of the firewall that logged the network traffic.
CEF field name: dvchost
EMAIL field name: DeviceName
HTTPS field name: DeviceName
LEEF field name: DeviceName
log_source_tz_offset
(LOG SOURCE TIMEZONE OFFSET)
Time Zone offset from GMT of the source of the log.
EMAIL field name: LogSourceTimeZoneOffset
HTTPS field name: LogSourceTimeZoneOffset
LEEF field name: LogSourceTimeZoneOffset
log_time
(TIME RECEIVED)
Time the log was received in Cortex Data Lake. This is populated by the platform.
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived
log_type.value
(LOG TYPE)
Identifies the log type.
CEF field name: Device Event Class ID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat
platform_type
(PLATFORM TYPE)
Identifies the platform that generated the log.
CEF field name: PlatformType
EMAIL field name: PlatformType
HTTPS field name: PlatformType
LEEF field name: PlatformType
sub_type.value
(SUBTYPE)
Identifies the log subtype.
CEF field name: Name
EMAIL field name: Subtype
HTTPS field name: Subtype
LEEF field name: Subtype
tsg_id
(TSG ID)
The ID that uniquely identifies the Tenant Service Group (TSG) that this log record is associated with.
CEF field name: PanOSTSGID
EMAIL field name: TSGID
HTTPS field name: TSGID
LEEF field name: TSGID
vendor_name
(VENDOR NAME)
Identifies the vendor that produced the data.
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: Vendor
LEEF field name: Vendor
vendor_severity.value
(VENDOR SEVERITY)
Severity associated with the event.
CEF field name: PanOSVendorSeverity
EMAIL field name: VendorSeverity
HTTPS field name: VendorSeverity
LEEF field name: VendorSeverity
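As an added example (not part of the Strata Logging Service documentation), the following Python triages constructed Prisma Access / Cisco Meraki SD-WAN audit records using the field semantics above: a non-GET event_category is treated as a modification of a Meraki resource and an event_result outside 2xx as a rejected call. The CEF_KEYS subset is copied from the table above; the record values, the HTTP methods other than GET, and the helper names are assumptions made here.

```python
"""Triage Prisma Access / Meraki SD-WAN audit records (constructed sample data)."""
from collections import Counter

# Subset of the schema-name -> CEF extension key mappings listed in the table above.
CEF_KEYS = {
    "event_category": "PanOSEventCategory",
    "event_name": "PanOSEventName",
    "event_description": "PanOSEventDescription",
    "event_detail": "PanOSEventDetails",
    "event_result": "PanOSEventResult",
    "event_time": "PanOSEventTime",
}

# Constructed sample records; values are modelled on the page's examples, not captured logs.
SAMPLE_RECORDS = [
    {"event_category": "GET", "event_name": "getDevice", "event_result": "200",
     "event_time": "2023-03-26 16:52:19",
     "event_detail": "GET performed on API set appliance and objectID 1274905"},
    {"event_category": "PUT", "event_name": "updateDevice", "event_result": "200",
     "event_time": "2023-03-26 16:52:20",
     "event_description": "Update Non Meraki VPN Peer N_354359432522"},
    {"event_category": "PUT", "event_name": "updateDevice", "event_result": "429",
     "event_time": "2023-03-26 16:52:21",
     "event_description": "Update Non Meraki VPN Peer N_354359432522"},
    {"event_category": "DELETE", "event_name": "deleteNetwork", "event_result": "403",
     "event_time": "2023-03-26 16:53:00"},
]


def is_modification(record):
    """event_category is the HTTP method Prisma Access used; anything but GET changes state."""
    return record.get("event_category", "").upper() != "GET"


def is_success(record):
    """event_result is the Meraki API response code; treat 2xx as success."""
    code = str(record.get("event_result", ""))
    return code.isdigit() and 200 <= int(code) < 300


def failed_modifications(records):
    """Modifying calls that Meraki rejected (rate limiting, permission errors, ...):
    the records to review first when auditing the integration."""
    return [r for r in records if is_modification(r) and not is_success(r)]


def modifications_per_resource(records):
    """Count successful modifications per Meraki resource (event_name)."""
    return Counter(r["event_name"] for r in records if is_modification(r) and is_success(r))


def to_cef_extension(record):
    """Render a record under the CEF extension keys from the table; unmapped fields keep their name."""
    return {CEF_KEYS.get(k, k): v for k, v in record.items()}
```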