System
System logs are common to any product, application, or service that writes to Cortex Data
Lake. They record system events that occur within the writing entity. What counts as a
system event differs from one writing entity to the next, so to learn which events cause
a system log to be written, consult the documentation for the product, application, or
service that writes these logs.
For example, Palo Alto Networks next-generation firewalls write a system log any time the
firewall can't reach the syslog servers, any time WildFire is updated, any time an
administrator visits the Monitor tab, or whenever someone logs onto the firewall.
The table below lists each field of the SYSTEM schema with its display name, a description, and the name the field carries in each supported export format (CEF, EMAIL, HTTPS, LEEF). Where Syslog is listed as positional, the Syslog format identifies the field by its position in the record rather than by a name.
| SYSTEM field (display name) | Description | Field name by format |
|---|---|---|
| agent_content_version (AGENT CONTENT VERSION) | Version of the agent content installed on the endpoint. | CEF `PanOSAgentContentVersion`; EMAIL, HTTPS, LEEF `AgentContentVersion` |
| agent_data_collection_status.value (AGENT DATA COLLECTION STATUS) | Indicates whether data related to another product (for example, EDR) is being collected by the agent. | CEF `PanOSAgentDataCollectionStatus`; EMAIL, HTTPS, LEEF `AgentDataCollectionStatus` |
| agent_id (AGENT ID) | Unique identifier for the agent on the endpoint. | CEF `PanOSAgentID`; EMAIL, HTTPS, LEEF `AgentID` |
| agent_isolation_status (AGENT ISOLATION STATUS) | Indicates whether the agent is isolated. Agents are usually isolated because the endpoint is believed to be compromised. | CEF `PanOSAgentIsolationStatus`; EMAIL, HTTPS, LEEF `AgentIsolationStatus` |
| agent_protection_status (AGENT STATUS) | The protection status set for the endpoint. | CEF `PanOSAgentStatus`; EMAIL, HTTPS, LEEF `AgentStatus` |
| agent_version (AGENT VERSION) | Version of the agent on the endpoint. | CEF `PanOSAgentVersion`; EMAIL, HTTPS, LEEF `AgentVersion` |
| config_version.value (CONFIG VERSION) | Config version as a string in major.minor.patch.build form in `value`, and as hex in `id`. | Syslog positional; CEF `PanOSConfigVersion`; EMAIL, HTTPS, LEEF `ConfigVersion` |
| customer_id (TENANT ID) | ID that uniquely identifies the Cortex Data Lake instance that received this log record. | CEF `PanOSTenantID`; EMAIL, HTTPS, LEEF `TenantID` |
| device_group.value (DEVICE GROUP) | ID and name of the device group the firewall belongs to. | Syslog positional; CEF `PanOSDeviceGroup`; EMAIL, HTTPS, LEEF `DeviceGroup` |
| dg_hier_level_1 (DG HIERARCHY LEVEL 1) | A sequence of identification numbers that indicate the device group's position (level 1) in the device group hierarchy. | Syslog positional; CEF `PanOSDGHierarchyLevel1`; EMAIL, HTTPS, LEEF `DGHierarchyLevel1` |
| dg_hier_level_2 (DG HIERARCHY LEVEL 2) | A sequence of identification numbers that indicate the device group's position (level 2) in the device group hierarchy. | Syslog positional; CEF `PanOSDGHierarchyLevel2`; EMAIL, HTTPS, LEEF `DGHierarchyLevel2` |
| dg_hier_level_3 (DG HIERARCHY LEVEL 3) | A sequence of identification numbers that indicate the device group's position (level 3) in the device group hierarchy. | Syslog positional; CEF `PanOSDGHierarchyLevel3`; EMAIL, HTTPS, LEEF `DGHierarchyLevel3` |
| dg_hier_level_4 (DG HIERARCHY LEVEL 4) | A sequence of identification numbers that indicate the device group's position (level 4) in the device group hierarchy. | Syslog positional; CEF `PanOSDGHierarchyLevel4`; EMAIL, HTTPS, LEEF `DGHierarchyLevel4` |
| endpoint_cpu_architecture.value (ENDPOINT CPU ARCHITECTURE) | CPU architecture of the operating system the endpoint is running. | CEF `PanOSEndpointCPUArchitecture`; EMAIL, HTTPS, LEEF `EndpointCPUArchitecture` |
| endpoint_device_domain (ENDPOINT DEVICE DOMAIN) | Domain to which the endpoint belongs. | CEF `PanOSEndpointDeviceDomain`; EMAIL, HTTPS, LEEF `EndpointDeviceDomain` |
| endpoint_device_name (ENDPOINT DEVICE NAME) | Hostname of the endpoint on which the event was logged. | CEF `PanOSEndpointDeviceName`; EMAIL, HTTPS, LEEF `EndpointDeviceName` |
| endpoint_ip.value (ENDPOINT IP ADDRESS) | IP address of the source of the event. | CEF `PanOSEndpointIPaddress`; EMAIL, HTTPS, LEEF `EndpointIPaddress` |
| endpoint_is_vdi (VDI ENDPOINT) | Indicates whether the endpoint is a virtual desktop infrastructure (VDI) instance: 0 = not VDI, 1 = VDI. | CEF `PanOSVDIEndpoint`; EMAIL, HTTPS, LEEF `VDIEndpoint` |
| endpoint_os_type.value (ENDPOINT OS TYPE) | Operating system the endpoint is running. | CEF `PanOSEndpointOSType`; EMAIL, HTTPS, LEEF `EndpointOSType` |
| endpoint_os_version (ENDPOINT OS VERSION) | Version of the operating system running on the endpoint. | CEF `PanOSEndpointOSVersion`; EMAIL, HTTPS, LEEF `EndpointOSVersion` |
| endpoint_tz_offset (AGENT TIME ZONE OFFSET) | Effective endpoint time zone offset from UTC, in minutes. | CEF `PanOSAgentTimeZoneOffset`; EMAIL, HTTPS, LEEF `AgentTimeZoneOffset` |
| endpoint_user.domain (ENDPOINT USER DOMAIN) | Domain of the user logged into the endpoint at the time of the system event. | CEF `PanOSEndpointUserDomain`; EMAIL, HTTPS, LEEF `EndpointUserDomain` |
| endpoint_user.name (ENDPOINT USER NAME) | Name of the user logged into the endpoint at the time of the system event. | CEF `PanOSEndpointUserName`; EMAIL, HTTPS, LEEF `EndpointUserName` |
| endpoint_user.uuid (ENDPOINT USER UUID) | The endpoint user's unique ID. | CEF `PanOSEndpointUserUUID`; EMAIL, HTTPS, LEEF `EndpointUserUUID` |
| event_component (EVENT COMPONENT) | Component associated with the event, for example the firewall object involved. | Syslog positional; CEF `fname`; EMAIL, HTTPS, LEEF `EventComponent` |
| event_description (EVENT DESCRIPTION) | Description of the system event. | Syslog positional; CEF `msg`; EMAIL, HTTPS, LEEF `EventDescription` |
| event_name.value (EVENT NAME) | Name of the system event. | Syslog positional; CEF `act`; EMAIL, HTTPS `EventName`; LEEF `EventID` |
| event_time (EVENT TIME) | Time the log was generated on the firewall's data plane. The string holds the number of microseconds since the Unix epoch. | Syslog positional; CEF `PanOSEventTime`; EMAIL, HTTPS `EventTime`; LEEF `devTime` |
| is_dup_log (IS DUPLICATE LOG) | Indicates whether this log data is available in more than one place, for example in Cortex Data Lake and on an on-premises log collector. | CEF `PanOSIsDuplicateLog`; EMAIL, HTTPS, LEEF `IsDuplicateLog` |
| is_exported (LOG EXPORTED) | Indicates whether this log was exported from the firewall using the firewall's log export function. | CEF `PanOSLogExported`; EMAIL, HTTPS, LEEF `LogExported` |
| is_forwarded (LOG FORWARDED) | Indicates whether the log is being forwarded. | CEF `PanOSLogForwarded`; EMAIL, HTTPS, LEEF `LogForwarded` |
| is_prisma_branch (IS PRISMA NETWORK) | 1 if the log was generated on a cloud-based firewall; 0 if the firewall runs on-premises. | CEF `PanOSIsPrismaNetwork`; EMAIL, HTTPS, LEEF `IsPrismaNetwork` |
| is_prisma_mobile (IS PRISMA USERS) | 1 if the log record was generated by a cloud-based GlobalProtect instance; 0 if GlobalProtect is hosted on-premises. | CEF `PanOSIsPrismaUsers`; EMAIL, HTTPS, LEEF `IsPrismaUsers` |
| log_category.value (LOG CATEGORY) | The log category. | CEF `cat`; EMAIL, HTTPS, LEEF `LogCategory` |
| log_source (LOG SOURCE) | Identifies the origin of the data, that is, the system that produced it. | CEF `PanOSLogSource`; EMAIL, HTTPS, LEEF `LogSource` |
| log_source_id (LOG SOURCE ID) | ID that uniquely identifies the source of the log: the serial number if the source is a firewall, the trapsId if the source is TMS. | Syslog positional; CEF `deviceExternalId`; EMAIL, HTTPS, LEEF `LogSourceID` |
| log_source_name (LOG SOURCE NAME) | Name of the source of the log: the device_name value if the source is a firewall, the customer or tenant name if the source is TMS. | Syslog positional; CEF `dvchost`; EMAIL, HTTPS, LEEF `LogSourceName` |
| log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET) | Time zone offset from GMT of the source of the log. | CEF `PanOSLogSourceTimeZoneOffset`; EMAIL, HTTPS, LEEF `LogSourceTimeZoneOffset` |
| log_time (LOG TIME) | Time the log was received in Cortex Data Lake; populated by the platform. | Syslog positional; CEF `rt`; EMAIL, HTTPS, LEEF `LogTime` |
| log_type.value (LOG TYPE) | The log type. Possible values: traffic, config, system, threat, appstat, trsum, thsum, event, alarm, hipmatch, userid, iptag, mdm, extpcap, urlsum, gtp, gtpsum, auth, panflex, extflex, sctp, sctpsum, analytics, action, scan, sam. | Syslog positional; CEF Device Event Class ID (header field); EMAIL, HTTPS `LogType`; LEEF `cat` |
| sequence_no (SEQUENCE NO) | Log entry identifier, incremented sequentially. Each log type has its own number space, so a sequence number identifies an entry only in combination with the log type. | Syslog positional; CEF `externalId`; EMAIL, HTTPS, LEEF `SequenceNo` |
| severity (SEVERITY) | Severity as defined by the platform. | CEF `PanOSSeverity`; EMAIL, HTTPS, LEEF `Severity` |
| sub_type.value (SUB TYPE) | The log subtype. For PAN-OS system logs this identifies the daemon or subsystem that generated the event; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn. (The values start, end, drop, deny and netflow are traffic log subtypes, not system log subtypes.) | Syslog positional; CEF Name (header field); EMAIL, HTTPS `Subtype`; LEEF `SubType` |
| template.value (TEMPLATE) | ID and name of the template or template stack the firewall belonged to when the log was generated. | Syslog positional; CEF `PanOSTemplate`; EMAIL, HTTPS, LEEF `Template` |
| time_generated_high_res (TIME GENERATED HIGH RESOLUTION) | Time the log was generated on the data plane, with sub-second (millisecond) precision, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. | Syslog positional; CEF `PanOSTimeGeneratedHighResolution`; EMAIL, HTTPS, LEEF `TimeGeneratedHighResolution` |
| vendor_name (VENDOR NAME) | Identifies the vendor that produced the data. | CEF Device Vendor (header field); EMAIL, HTTPS `VendorName`; LEEF `Vendor` |
| vendor_severity.value (VENDOR SEVERITY) | Severity associated with the event (compare severity, which is the platform's own rating). | Syslog positional; CEF `PanOSVendorSeverity`; EMAIL, HTTPS, LEEF `VendorSeverity` |
| vsys (VIRTUAL LOCATION) | String form of the unique identifier for a virtual system on a Palo Alto Networks firewall. | Syslog positional; CEF `cs3`; EMAIL, HTTPS, LEEF `VirtualLocation` |
| vsys_id (VIRTUAL SYSTEM ID) | Unique identifier for a virtual system on a Palo Alto Networks firewall. | CEF `PanOSVirtualSystemID`; EMAIL, HTTPS, LEEF `VirtualSystemID` |
| vsys_name (VIRTUAL SYSTEM NAME) | Name of the virtual system associated with the event. | Syslog positional; CEF `PanOSVirtualSystemName`; EMAIL, HTTPS, LEEF `VirtualSystemName` |