Focus

Log Forwarding App Schema Reference

System CEF Fields

Table of Contents

System CEF Fields

Example System log in CEF:

Feb 28 08:30:27 xxx.xx.x.xx 1442 <14>1 2021-02-28T08:30:27.339Z stream-logfwd20-587718190-02280003-lvod-harness-mjdh logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|SYSTEM|wildfire-appliance|1|ProfileToken=xxxxx dtz=UTC rt=Feb 28 2021 08:30:26 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion=0.0 PanOSAgentContentVersion= PanOSAgentDataCollectionStatus= PanOSAgentID= PanOSAgentIsolationStatus= PanOSAgentStatus= PanOSAgentTimeZoneOffset= PanOSAgentVersion= PanOSEndpointCPUArchitecture= PanOSEndpointDeviceDomain= PanOSEndpointDeviceName= PanOSEndpointIPaddress= PanOSEndpointOSType= PanOSEndpointOSVersion= PanOSEndpointUserDomain= PanOSEndpointUserName=xxxxx PanOSEndpointUserUUID= PanOSIsDuplicateLog=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false cat= PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSSeverity=Informational PanOSTenantID=xxxxxxxxxxxxx PanOSVDIEndpoint= PanOSVirtualSystemID=0 PanOSEventTime=Feb 28 2021 08:30:17 cs3= cs3Label=VirtualLocation act= fname= msg=gRPC connection to f0d7d88a-0391-4899-a2e4-0938c4309e17.fei.lcaas-qa.us.paloaltonetworks.com:443 is established, xxx.xx.x.xx:48558 -> xxx.xx.x.xx:443 time: 2021-02-28 00:30:17 externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=0 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSDeviceGroup= PanOSTemplate= PanOSTimeGeneratedHighResolution=Feb 28 2021 08:30:17

The following table identifies the System field names that the Log Forwarding app uses when you forward logs using the CEF log format.

CEF Name	Field Details
PanOSAgentContentVersion	Query Name: agent_content_version Header Type: Custom
PanOSAgentDataCollectionStatus	Query Name: agent_data_collection_status.value Header Type: Custom
PanOSAgentID	Query Name: agent_id Header Type: Custom
PanOSAgentIsolationStatus	Query Name: agent_isolation_status Header Type: Custom
PanOSAgentStatus	Query Name: agent_protection_status Header Type: Custom
PanOSAgentVersion	Query Name: agent_version Header Type: Custom
PanOSConfigVersion	Query Name: config_version.value Header Type: Custom
PanOSTenantID	Query Name: customer_id Header Type: Custom
PanOSDeviceGroup	Query Name: device_group.value Header Type: Custom
PanOSDGHierarchyLevel1	Query Name: dg_hier_level_1 Header Type: Custom
PanOSDGHierarchyLevel2	Query Name: dg_hier_level_2 Header Type: Custom
PanOSDGHierarchyLevel3	Query Name: dg_hier_level_3 Header Type: Custom
PanOSDGHierarchyLevel4	Query Name: dg_hier_level_4 Header Type: Custom
PanOSEndpointCPUArchitecture	Query Name: endpoint_cpu_architecture.value Header Type: Custom
PanOSEndpointDeviceDomain	Query Name: endpoint_device_domain Header Type: Custom
PanOSEndpointDeviceName	Query Name: endpoint_device_name Header Type: Custom
PanOSEndpointIPaddress	Query Name: endpoint_ip.value Header Type: Custom
PanOSVDIEndpoint	Query Name: endpoint_is_vdi Header Type: Custom
PanOSEndpointOSType	Query Name: endpoint_os_type.value Header Type: Custom
PanOSEndpointOSVersion	Query Name: endpoint_os_version Header Type: Custom
PanOSAgentTimeZoneOffset	Query Name: endpoint_tz_offset Header Type: Custom
PanOSEndpointUserDomain	Query Name: endpoint_user.domain Header Type: Custom
PanOSEndpointUserName	Query Name: endpoint_user.name Header Type: Custom
PanOSEndpointUserUUID	Query Name: endpoint_user.uuid Header Type: Custom
fname	Query Name: event_component Header Type: Predefined Max Length: 1023
msg	Query Name: event_description Header Type: Predefined Max Length: 1023
act	Query Name: event_name.value Header Type: Predefined Max Length: 63
PanOSEventTime	Query Name: event_time Header Type: Custom
PanOSIsDuplicateLog	Query Name: is_dup_log Header Type: Custom
PanOSLogExported	Query Name: is_exported Header Type: Custom
PanOSLogForwarded	Query Name: is_forwarded Header Type: Custom
PanOSIsPrismaNetwork	Query Name: is_prisma_branch Header Type: Custom
PanOSIsPrismaUsers	Query Name: is_prisma_mobile Header Type: Custom
cat	Query Name: log_category.value Header Type: Predefined Max Length: 1023
PanOSLogSource	Query Name: log_source Header Type: Custom
LogSourceGroupID	Query Name: log_source_group_id Header Type: Custom
deviceExternalId	Query Name: log_source_id Header Type: Predefined Max Length: 255
dvchost	Query Name: log_source_name Header Type: Predefined Max Length: 100
PanOSLogSourceTimeZoneOffset	Query Name: log_source_tz_offset Header Type: Custom
rt	Query Name: log_time Header Type: Predefined
Device Event Class ID	Query Name: log_type.value Header Type: Custom
PanOSPanoramaSN	Query Name: panorama_serial Header Type: Custom
externalId	Query Name: sequence_no Header Type: Predefined Max Length: 40
PanOSSeverity	Query Name: severity Header Type: Custom
Name	Query Name: sub_type.value Header Type: Custom
PanOSTemplate	Query Name: template.value Header Type: Custom
PanOSTimeGeneratedHighResolution	Query Name: time_generated_high_res Header Type: Custom
Device Vendor	Query Name: vendor_name Header Type: Custom
PanOSVendorSeverity	Query Name: vendor_severity.value Header Type: Custom
cs3	Query Name: vsys Header Type: Predefined Label: cs3Label Label Text: VirtualLocation Max Length: 4000
PanOSVirtualSystemID	Query Name: vsys_id Header Type: Custom
PanOSVirtualSystemName	Query Name: vsys_name Header Type: Custom

System Syslog Default Field Order

System EMAIL Fields

Log Forwarding App Schema Reference

System CEF Fields

System CEF Fields

Recommended For You