Configuration CEF Fields
Example Configuration log in CEF:
Mar 1 20:35:56 xxx.xx.x.xx 928 <14>1 2021-03-01T20:35:56.500Z stream-logfwd20-587718190-02280003-lvod-harness-mjdh logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|CONFIG|config|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 deviceExternalId=xxxxxxxxxxxxx PanOSEventTime=Jul 25 2019 23:30:12 duser= dntdom= duid= PanOSEventDetails= PanOSIsDuplicateLog=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false cat=xxxxx PanOSLogExported=false PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSSeverity= PanOSTenantID=xxxxxxxxxxxxx PanOSVirtualSystemID=0 src=xxx.xx.x.xx cs3= cs3Label=VirtualLocation act=commit-all duser0=Panorama-admin destinationServiceName= PanOSEventResult=submitted msg= externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=0 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName=<{xwo X dvchost=PA-VM PanOSEventDescription=\r_IYr0r PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12
The following table identifies the Configuration field names that the Log Forwarding app uses when you forward logs using the CEF log format. Device Vendor, Device Event Class ID and Name are positions in the pipe-delimited CEF header (the `Palo Alto Networks|...|CONFIG|config|3` part of the example above); every other row is a `key=value` pair in the extension that follows the header. Where a Label is listed, the value is carried in the named field (for example `cs3`) and its meaning in the companion `cs3Label` field.

| CEF Name | Query Name | Header Type | Label | Label Text | Max Length |
|---|---|---|---|---|---|
| duser | | | | | |
| dntdom | | | | | |
| duser | | | | | |
| duid | | | | | |
| destinationServiceName | | | | | |
| PanOSConfigVersion | config_version.value | Custom | | | |
| PanOSTenantID | customer_id | Custom | | | |
| PanOSDeviceGroup | device_group.value | Custom | | | |
| PanOSDGHierarchyLevel1 | dg_hier_level_1 | Custom | | | |
| PanOSDGHierarchyLevel2 | dg_hier_level_2 | Custom | | | |
| PanOSDGHierarchyLevel3 | dg_hier_level_3 | Custom | | | |
| PanOSDGHierarchyLevel4 | dg_hier_level_4 | Custom | | | |
| src or c6a2 or shost | event_client_ip.value | Predefined | c6a2Label | Source IPv6 Address | |
| PanOSEventDescription | event_description | Custom | | | |
| PanOSEventDetails | event_detail | Custom | | | |
| act | | | | | |
| msg | | | | | |
| PanOSEventResult | event_result.value | Custom | | | |
| PanOSEventTime | event_time | Custom | | | |
| PanOSIsDuplicateLog | is_dup_log | Custom | | | |
| PanOSLogExported | is_exported | Custom | | | |
| PanOSIsPrismaNetwork | is_prisma_branch | Custom | | | |
| PanOSIsPrismaUsers | is_prisma_mobile | Custom | | | |
| cat | | | | | |
| PanOSLogSource | log_source | Custom | | | |
| LogSourceGroupID | log_source_group_id | Custom | | | |
| deviceExternalId | | | | | |
| dvchost | | | | | |
| PanOSLogSourceTimeZoneOffset | log_source_tz_offset | Custom | | | |
| rt | log_time | Predefined | | | |
| Device Event Class ID | log_type.value | Custom | | | |
| PanOSPanoramaSN | panorama_serial | Custom | | | |
| externalId | | | | | |
| PanOSSeverity | severity | Custom | | | |
| Name | sub_type.value | Custom | | | |
| PanOSTemplate | template.value | Custom | | | |
| PanOSTimeGeneratedHighResolution | time_generated_high_res | Custom | | | |
| Device Vendor | vendor_name | Custom | | | |
| PanOSVendorSeverity | vendor_severity.value | Custom | | | |
| cs3 | vsys | Predefined | cs3Label | VirtualLocation | 4000 |
| PanOSVirtualSystemID | vsys_id | Custom | | | |
| PanOSVirtualSystemName | vsys_name | Custom | | | |