Configuration

Config logs are common to any product, application, or service that writes to Cortex Data Lake. They record changes made to the entity that writes them. Config logs are usually written infrequently, and depending on quota levels they may age out of Cortex Data Lake, so that none are available when you query for them.
For example, Cortex Data Lake quotas are defined by collections, or buckets, that each encompass many types of logs. Next-generation firewall config logs are placed in the Infrastructure and Audit quota bucket. They share this bucket with system logs, which the firewall writes considerably more frequently than config logs.
As a specific quota fills up in Cortex Data Lake, older logs are automatically removed to make space for new logs (that is, they age out). Consequently, as system logs are written and the Infrastructure and Audit quota is met, older logs (including config logs) are automatically removed. If the firewall's configuration is stable and not changing very often, you might not find any config logs in Cortex Data Lake, even if the firewall is forwarding them to the data lake.
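As an added example (not part of the Palo Alto Networks documentation), the check a practitioner would run before concluding that a firewall has stopped forwarding config logs: use the oldest surviving log in the shared Infrastructure and Audit bucket as the retention horizon, and use the per-log-type sequence_no to spot config records that are missing between the ones that survived. The records are constructed; the nested `.value` fields from the table are flattened for brevity.

```python
from datetime import datetime, timezone

# Constructed sample records shaped like Cortex Data Lake config/system log
# entries. Field names come from the table on this page; values are made up.
RECORDS = [
    {"log_type": "system", "log_source_id": "001234567890", "sequence_no": 5001,
     "event_time": 1700000000000000},
    {"log_type": "system", "log_source_id": "001234567890", "sequence_no": 5002,
     "event_time": 1700003600000000},
    {"log_type": "config", "log_source_id": "001234567890", "sequence_no": 310,
     "event_time": 1700005000000000, "admin_user": "admin", "event_name": "edit",
     "event_path": "/config/devices/entry/vsys/entry/rulebase",
     "event_result": "Succeeded"},
    {"log_type": "config", "log_source_id": "001234567890", "sequence_no": 313,
     "event_time": 1700009000000000, "admin_user": "admin", "event_name": "commit",
     "event_path": "/config", "event_result": "Succeeded"},
]


def to_utc(event_time_us):
    """event_time is the number of microseconds since the Unix epoch."""
    return datetime.fromtimestamp(event_time_us / 1_000_000, tz=timezone.utc)


def retention_horizon(records, bucket_types=("system", "config")):
    """Oldest surviving event_time across the log types sharing one quota bucket.
    Config and system logs share Infrastructure and Audit, so the oldest system
    log shows how far back any log in that bucket can still exist."""
    times = [r["event_time"] for r in records if r["log_type"] in bucket_types]
    return to_utc(min(times)) if times else None


def sequence_gaps(records, log_type, log_source_id):
    """sequence_no is incremented per log type, so numbers missing between the
    surviving entries of one source point at records that aged out or were
    never received. Returns the missing sequence numbers."""
    seqs = sorted(r["sequence_no"] for r in records
                  if r["log_type"] == log_type and r["log_source_id"] == log_source_id)
    return [n for a, b in zip(seqs, seqs[1:]) for n in range(a + 1, b)]


def query_is_complete(records, window_start_us):
    """False when the query window starts before the bucket's retention horizon:
    an empty config result then proves nothing about the firewall."""
    horizon = retention_horizon(records)
    return horizon is not None and to_utc(window_start_us) >= horizon
```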
See the following for information related to supported log formats:
CONFIGURATION Field (Display Name)
Description
admin_user
(ADMIN USERNAME)
Username of the administrator performing the configuration.
Syslog field name: Syslog Field Order
CEF field name: duser
EMAIL field name: AdminUsername
HTTPS field name: AdminUsername
LEEF field name: AdminUsername
admin_user_info.domain
(ADMIN USER DOMAIN)
Domain to which the admin user belongs.
CEF field name: dntdom
EMAIL field name: AdminUserDomain
HTTPS field name: AdminUserDomain
LEEF field name: AdminUserDomain
admin_user_info.name
(ADMIN USER)
Name of the user who created the configuration change.
CEF field name: duser
EMAIL field name: AdminUserName
HTTPS field name: AdminUserName
LEEF field name: AdminUserName
admin_user_info.uuid
(ADMIN USER UUID)
The admin user's unique ID.
CEF field name: duid
EMAIL field name: AdminUserUUID
HTTPS field name: AdminUserUUID
LEEF field name: AdminUserUUID
client.value
(CLIENT)
Client used by the administrator who is performing the configuration.
Syslog field name: Syslog Field Order
CEF field name: destinationServiceName
EMAIL field name: Client
HTTPS field name: Client
LEEF field name: Client
config_version.value
(CONFIG VERSION)
Config version, represented as a string of the form major.minor.patch.build in value and as hex in id.
Syslog field name: Syslog Field Order
CEF field name: PanOSConfigVersion
EMAIL field name: ConfigVersion
HTTPS field name: ConfigVersion
LEEF field name: ConfigVersion
customer_id
(TENANT ID)
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
CEF field name: PanOSTenantID
EMAIL field name: TenantID
HTTPS field name: TenantID
LEEF field name: TenantID
device_group.value
(DEVICE GROUP)
The ID and the name of the device group the firewall is in.
Syslog field name: Syslog Field Order
CEF field name: PanOSDeviceGroup
EMAIL field name: DeviceGroup
HTTPS field name: DeviceGroup
LEEF field name: DeviceGroup
dg_hier_level_1
(DG HIERARCHY LEVEL 1)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel1
EMAIL field name: DGHierarchyLevel1
HTTPS field name: DGHierarchyLevel1
LEEF field name: DGHierarchyLevel1
dg_hier_level_2
(DG HIERARCHY LEVEL 2)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel2
EMAIL field name: DGHierarchyLevel2
HTTPS field name: DGHierarchyLevel2
LEEF field name: DGHierarchyLevel2
dg_hier_level_3
(DG HIERARCHY LEVEL 3)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel3
EMAIL field name: DGHierarchyLevel3
HTTPS field name: DGHierarchyLevel3
LEEF field name: DGHierarchyLevel3
dg_hier_level_4
(DG HIERARCHY LEVEL 4)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel4
EMAIL field name: DGHierarchyLevel4
HTTPS field name: DGHierarchyLevel4
LEEF field name: DGHierarchyLevel4
event_client_ip.value
(IP ADDRESS)
Hostname or IP address of the client.
Syslog field name: Syslog Field Order
CEF fields: src or c6a2 or shost
EMAIL field name: IPaddress
HTTPS field name: IPaddress
LEEF field name: IPaddress
event_description
(EVENT DESCRIPTION)
Description of the system event. If the source is a firewall, this is opaque. If the source is TMS, this is the msgTextEn field.
Syslog field name: Syslog Field Order
CEF field name: PanOSEventDescription
EMAIL field name: EventDescription
HTTPS field name: EventDescription
LEEF field name: EventDescription
event_detail
(EVENT DETAILS)
Identifies the firewall's configuration prior to and immediately after the configuration change.
CEF field name: PanOSEventDetails
EMAIL field name: EventDetails
HTTPS field name: EventDetails
LEEF field name: EventDetails
event_name.value
(EVENT NAME)
Name of the system event.
Syslog field name: Syslog Field Order
CEF field name: act
EMAIL field name: EventName
HTTPS field name: EventName
LEEF field name: EventID
event_path
(EVENT PATH)
The path of the configuration command issued.
Syslog field name: Syslog Field Order
CEF field name: msg
EMAIL field name: EventPath
HTTPS field name: EventPath
LEEF field name: EventPath
event_result.value
(EVENT RESULT)
Result of the configuration action.
Syslog field name: Syslog Field Order
CEF field name: PanOSEventResult
EMAIL field name: EventResult
HTTPS field name: EventResult
LEEF field name: EventID
event_time
(EVENT TIME)
Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: PanOSEventTime
EMAIL field name: EventTime
HTTPS field name: EventTime
LEEF field name: devTime
is_dup_log
(IS DUPLICATE LOG)
Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premises log collector.
CEF field name: PanOSIsDuplicateLog
EMAIL field name: IsDuplicateLog
HTTPS field name: IsDuplicateLog
LEEF field name: IsDuplicateLog
is_exported
(LOG EXPORTED)
Indicates if this log was exported from the firewall using the firewall's log export function.
CEF field name: PanOSLogExported
EMAIL field name: LogExported
HTTPS field name: LogExported
LEEF field name: LogExported
is_prisma_branch
(IS PRISMA NETWORK)
If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premises.
CEF field name: PanOSIsPrismaNetwork
EMAIL field name: IsPrismaNetwork
HTTPS field name: IsPrismaNetwork
LEEF field name: IsPrismaNetwork
is_prisma_mobile
(IS PRISMA USERS)
If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premises.
CEF field name: PanOSIsPrismaUsers
EMAIL field name: IsPrismaUsers
HTTPS field name: IsPrismaUsers
LEEF field name: IsPrismaUsers
log_category.value
(LOG CATEGORY)
The log category.
CEF field name: cat
EMAIL field name: LogCategory
HTTPS field name: LogCategory
LEEF field name: LogCategory
log_source
(LOG SOURCE)
Identifies the origin of the data. That is, the system that produced the data.
CEF field name: PanOSLogSource
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource
log_source_id
(LOG SOURCE ID)
ID that uniquely identifies the source of the log. If the source is a firewall, this is its serial number. If the source is TMS, this is the trapsId.
Syslog field name: Syslog Field Order
CEF field name: deviceExternalId
EMAIL field name: LogSourceID
HTTPS field name: LogSourceID
LEEF field name: LogSourceID
log_source_name
(LOG SOURCE NAME)
Name of the source of the log. If the source is a firewall, this is the device_name value. If the source is TMS, this is either the customer or tenant name.
Syslog field name: Syslog Field Order
CEF field name: dvchost
EMAIL field name: LogSourceName
HTTPS field name: LogSourceName
LEEF field name: LogSourceName
log_source_tz_offset
(LOG SOURCE TIMEZONE OFFSET)
Time zone offset from GMT of the source of the log.
EMAIL field name: LogSourceTimeZoneOffset
HTTPS field name: LogSourceTimeZoneOffset
LEEF field name: LogSourceTimeZoneOffset
log_time
(LOG TIME)
Time the log was received in Cortex Data Lake. This is populated by the platform.
Syslog field name: Syslog Field Order
CEF field name: rt
EMAIL field name: LogTime
HTTPS field name: LogTime
LEEF field name: LogTime
log_type.value
(LOG TYPE)
Specifies the log type. Possible field values are: traffic, config, system, threat, appstat, trsum, thsum, event, alarm, hipmatch, userid, iptag, mdm, extpcap, urlsum, gtp, gtpsum, auth, panflex, extflex, sctp, sctpsum, analytics, action, scan, sam.
Syslog field name: Syslog Field Order
CEF field name: Device Event Class ID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat
sequence_no
(SEQUENCE NO)
The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
Syslog field name: Syslog Field Order
CEF field name: externalId
EMAIL field name: SequenceNo
HTTPS field name: SequenceNo
LEEF field name: SequenceNo
severity
(SEVERITY)
Severity as defined by the platform.
CEF field name: PanOSSeverity
EMAIL field name: Severity
HTTPS field name: Severity
LEEF field name: Severity
sub_type.value
(SUB TYPE)
The log sub type. Possible values are: start, end, drop, deny, netflow.
Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: Subtype
HTTPS field name: Subtype
LEEF field name: SubType
template.value
(TEMPLATE)
The ID and name of the template or template stack to which the firewall belonged when the log was generated.
Syslog field name: Syslog Field Order
CEF field name: PanOSTemplate
EMAIL field name: Template
HTTPS field name: Template
LEEF field name: Template
time_generated_high_res
(TIME GENERATED HIGH RESOLUTION)
Time the log was generated on the data plane, with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
Syslog field name: Syslog Field Order
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
vendor_name
(VENDOR NAME)
Identifies the vendor that produced the data.
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor
vendor_severity.value
(VENDOR SEVERITY)
Severity associated with the event.
CEF field name: PanOSVendorSeverity
EMAIL field name: VendorSeverity
HTTPS field name: VendorSeverity
LEEF field name: VendorSeverity
vsys
(VIRTUAL LOCATION)
String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order
CEF field name: cs3
EMAIL field name: VirtualLocation
HTTPS field name: VirtualLocation
LEEF field name: VirtualLocation
vsys_id
(VIRTUAL SYSTEM ID)
A unique identifier for a virtual system on a Palo Alto Networks firewall.
CEF field name: PanOSVirtualSystemID
EMAIL field name: VirtualSystemID
HTTPS field name: VirtualSystemID
LEEF field name: VirtualSystemID
vsys_name
(VIRTUAL SYSTEM NAME)
The name of the virtual system associated with the network traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystemName
EMAIL field name: VirtualSystemName
HTTPS field name: VirtualSystemName
LEEF field name: VirtualSystemName