System LEEF Fields

Example System log in LEEF:
Sep 21 02:01:01 gke-standard-cluster-2-pool-3-f004381a-0gw6 732 <14>1 2021-09-21T02:01:01.316Z stream-logfwd20-d324e775--09201841-lxtx-harness-0cc4 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|general| |LogTime=2021-09-21T02:01:00.000000Z LogSourceID=xxxxxxxxxxxxxx cat=system SubType=general ConfigVersion=10.1 devTime=2021-09-21T02:00:56.000000Z VirtualLocation= EventComponent= VendorSeverity=Informational EventDescription=WildFire update job succeeded for user Auto update agent SequenceNo=7003061162447265681 DGHierarchyLevel1=0 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= LogSourceName=xxxxx DeviceGroup= Template= TimeGeneratedHighResolution=2021-09-21T02:00:56.997000Z devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ
The following table identifies the System field names that the Log Forwarding app uses when you forward logs using the LEEF log format.
When you create a syslog forwarding profile, you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token appears on a parameter called profileToken.
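As an added example (not code from the Log Forwarding app or from Palo Alto Networks), the parser below reads a System log in the LEEF 2.0 layout shown above: it skips the syslog prefix, splits the pipe-delimited header, resolves the delimiter field (empty means tab, a hex form such as x09 names the character, anything else is taken literally), and then splits the attribute section on that delimiter. Because a multi-word value such as EventDescription is itself split when the delimiter is a space, tokens that carry no key= prefix are re-joined to the previous value. The sample lines are constructed from the page's example (LogSourceID is a placeholder); whether the example's delimiter is a space or a tab is an assumption, and the parser handles both.

```python
"""Parse LEEF 2.0 System logs as forwarded by the Log Forwarding app (added example)."""
import re
from datetime import datetime
from typing import Dict, Optional, Tuple

# Constructed sample modelled on the page's example System log (shortened; LogSourceID is a placeholder).
SAMPLE = (
    "Sep 21 02:01:01 gke-standard-cluster-2-pool-3-f004381a-0gw6 732 <14>1 "
    "2021-09-21T02:01:01.316Z stream-logfwd20-d324e775--09201841-lxtx-harness-0cc4 "
    "logforwarder - panwlogs - "
    "LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|general| |"
    "LogTime=2021-09-21T02:01:00.000000Z LogSourceID=xxxxxxxxxxxxxx cat=system "
    "SubType=general ConfigVersion=10.1 devTime=2021-09-21T02:00:56.000000Z "
    "VirtualLocation= EventComponent= VendorSeverity=Informational "
    "EventDescription=WildFire update job succeeded for user Auto update agent "
    "SequenceNo=7003061162447265681 DGHierarchyLevel1=0 VirtualSystemName= "
    "devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ"
)

# Second constructed line: same layout, but the delimiter is given in hex form (x09 = tab).
SAMPLE_TAB = (
    "LEEF:2.0|Vendor|Product|1.0|general|x09|"
    "cat=system\tEventDescription=two words here\tSeverity=3"
)

# A token starts a new attribute only if it begins with a plausible key followed by '='.
KEY_RE = re.compile(r"^[A-Za-z0-9_.-]+=")


def leef_delimiter(field: str) -> str:
    """Resolve the LEEF 2.0 delimiter field: '' -> tab, 'x09'/'0x09' -> that character, else literal."""
    if field == "":
        return "\t"
    m = re.fullmatch(r"(?:0?x)([0-9A-Fa-f]{1,2})", field)
    if m:
        return chr(int(m.group(1), 16))
    return field


def parse_leef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header, attributes) for one syslog line that carries a LEEF payload."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in line")
    # Header: LEEF:version|vendor|product|product_version|event_id|rest
    fields = line[start:].split("|", 5)
    if len(fields) != 6:
        raise ValueError("malformed LEEF header")
    version = fields[0][len("LEEF:"):]
    header = {
        "version": version,
        "vendor": fields[1],
        "product": fields[2],
        "product_version": fields[3],
        "event_id": fields[4],
    }
    rest = fields[5]
    if version.startswith("2"):
        # LEEF 2.0 carries an explicit delimiter field before the attributes.
        delim_field, _, attrs_raw = rest.partition("|")
        delim = leef_delimiter(delim_field)
    else:
        # LEEF 1.0 has no delimiter field; attributes are tab separated.
        delim, attrs_raw = "\t", rest

    attrs: Dict[str, str] = {}
    last_key: Optional[str] = None
    for tok in attrs_raw.split(delim):
        if KEY_RE.match(tok):
            key, _, value = tok.partition("=")
            attrs[key] = value
            last_key = key
        elif last_key is not None:
            # No key= prefix: this is the continuation of a multi-word value
            # (e.g. EventDescription) that the delimiter split apart.
            attrs[last_key] = (attrs[last_key] + delim + tok) if attrs[last_key] else tok
    return header, attrs


def event_time(attrs: Dict[str, str]) -> Optional[datetime]:
    """devTime is an ISO-8601 UTC timestamp; return an aware datetime, or None if absent or unparseable."""
    raw = attrs.get("devTime")
    if not raw:
        return None
    try:
        return datetime.fromisoformat(raw.replace("Z", "+00:00"))
    except ValueError:
        return None


if __name__ == "__main__":
    hdr, attrs = parse_leef(SAMPLE)
    print(hdr["event_id"], attrs["cat"], attrs["SubType"], attrs["VendorSeverity"])
    print(attrs["EventDescription"])
    print(event_time(attrs), "profileToken:", attrs.get("profileToken"))
```

A forwarded line that carries a configured profile token shows up here as attrs["profileToken"]; the constructed sample has none, so the lookup returns None. The continuation rule is deliberate but has a limit worth knowing: a free-text value that itself contains something of the form word=value would be misread as a new key, which is one reason to prefer a tab delimiter over a space when the syslog receiver allows it.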
LEEF Name | Query Name | Field Type
AgentContentVersion | | Custom
AgentDataCollectionStatus | | Custom
AgentID | | Custom
AgentIsolationStatus | | Custom
AgentStatus | | Custom
AgentVersion | | Custom
ConfigVersion | | Custom
TenantID | | Custom
DeviceGroup | | Custom
DGHierarchyLevel1 | | Custom
DGHierarchyLevel2 | | Custom
DGHierarchyLevel3 | | Custom
DGHierarchyLevel4 | | Custom
EndpointCPUArchitecture | | Custom
EndpointDeviceDomain | | Custom
EndpointDeviceName | | Custom
EndpointIPaddress | | Custom
VDIEndpoint | | Custom
EndpointOSType | | Custom
EndpointOSVersion | | Custom
AgentTimeZoneOffset | | Custom
EndpointUserDomain | | Custom
EndpointUserName | | Custom
EndpointUserUUID | | Custom
EventComponent | | Custom
EventDescription | | Custom
EventID | | Header
devTime | | Predefined
IsDuplicateLog | | Custom
LogExported | | Custom
LogForwarded | | Custom
IsPrismaNetwork | | Custom
IsPrismaUsers | | Custom
LogCategory | | Custom
LogSource | | Custom
LogSourceID | | Custom
LogSourceName | | Custom
LogSourceTimeZoneOffset | | Custom
LogTime | | Custom
cat | | Predefined
SequenceNo | | Custom
Severity | | Custom
SubType | | Custom
Template | | Custom
TimeGeneratedHighResolution | | Custom
Vendor | | Header
VendorSeverity | | Custom
VirtualLocation | | Custom
VirtualSystemID | | Custom
VirtualSystemName | | Custom
