Configuration CEF Fields

Example Configuration log in CEF:
Mar 1 20:35:56 xxx.xx.x.xx 928 <14>1 2021-03-01T20:35:56.500Z stream-logfwd20-587718190-02280003-lvod-harness-mjdh logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|CONFIG|config|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 deviceExternalId=xxxxxxxxxxxxx PanOSEventTime=Jul 25 2019 23:30:12 duser= dntdom= duid= PanOSEventDetails= PanOSIsDuplicateLog=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false cat=xxxxx PanOSLogExported=false PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSSeverity= PanOSTenantID=xxxxxxxxxxxxx PanOSVirtualSystemID=0 src=xxx.xx.x.xx cs3= cs3Label=VirtualLocation act=commit-all duser0=Panorama-admin destinationServiceName= PanOSEventResult=submitted msg= externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=0 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName=<{xwo X dvchost=PA-VM PanOSEventDescription=\r_IYr0r PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12
The following table identifies the Configuration field names that the Log Forwarding app uses when you forward logs using the CEF log format.
| CEF Name | Query Name | Header Type | Label | Label Text | Max Length |
|---|---|---|---|---|---|
| duser | admin_user | Predefined | | | 1023 |
| dntdom | | Predefined | | | 1023 |
| duser | | Predefined | | | 1023 |
| duid | | Predefined | | | 1023 |
| destinationServiceName | client.value | Predefined | | | 1023 |
| PanOSConfigVersion | | Custom | | | |
| PanOSTenantID | customer_id | Custom | | | |
| PanOSDeviceGroup | | Custom | | | |
| PanOSDGHierarchyLevel1 | dg_hier_level_1 | Custom | | | |
| PanOSDGHierarchyLevel2 | dg_hier_level_2 | Custom | | | |
| PanOSDGHierarchyLevel3 | dg_hier_level_3 | Custom | | | |
| PanOSDGHierarchyLevel4 | dg_hier_level_4 | Custom | | | |
| src or c6a2 or shost | | Predefined | c6a2Label | Source IPv6 Address | |
| PanOSEventDescription | event_description | Custom | | | |
| PanOSEventDetails | event_detail | Custom | | | |
| act | | Predefined | | | 63 |
| msg | event_path | Predefined | | | 1023 |
| PanOSEventResult | | Custom | | | |
| PanOSEventTime | event_time | Custom | | | |
| PanOSIsDuplicateLog | is_dup_log | Custom | | | |
| PanOSLogExported | is_exported | Custom | | | |
| PanOSIsPrismaNetwork | is_prisma_branch | Custom | | | |
| PanOSIsPrismaUsers | is_prisma_mobile | Custom | | | |
| cat | | Predefined | | | 1023 |
| PanOSLogSource | log_source | Custom | | | |
| deviceExternalId | log_source_id | Predefined | | | 255 |
| dvchost | log_source_name | Predefined | | | 100 |
| PanOSLogSourceTimeZoneOffset | | Custom | | | |
| rt | log_time | Predefined | | | |
| Device Event Class ID | log_type.value | Custom | | | |
| externalId | sequence_no | Predefined | | | 40 |
| PanOSSeverity | severity | Custom | | | |
| Name | sub_type.value | Custom | | | |
| PanOSTemplate | template.value | Custom | | | |
| PanOSTimeGeneratedHighResolution | | Custom | | | |
| Device Vendor | vendor_name | Custom | | | |
| PanOSVendorSeverity | | Custom | | | |
| cs3 | vsys | Predefined | cs3Label | VirtualLocation | 4000 |
| PanOSVirtualSystemID | vsys_id | Custom | | | |
| PanOSVirtualSystemName | vsys_name | Custom | | | |
