Authentication

Auth logs contain information about authentication events seen by the next-generation firewall. These occur when users access network resources which are controlled by authentication policy rules. Authentication Logs will never appear in Cortex Data Lake if the associated firewalls are not configured with authentication policies.
Authentication logs are most frequently written when the next-generation firewall is configured as a Multi-Factor Authentication gateway, and an end-user is using it to perform authentication.
See the following for information related to supported log formats:
AUTHENTICATION Field
(Display Name)
Description
auth_description
(AUTHENTICATION DESCRIPTION)
Additional authentication information.
Syslog field name: Syslog Field Order
EMAIL field name: AuthenticationDescription
HTTPS field name: AuthenticationDescription
LEEF field name: AuthenticationDescription
auth_event_name.​value
(AUTH EVENT)
The authentication event that caused the firewall to create this log record.
Syslog field name: Syslog Field Order
CEF field name: msg
EMAIL field name: AuthEvent
HTTPS field name: AuthEvent
LEEF field name: EventID
auth_factor_num
(AUTH FACTOR NO)
Indicates the use of primary authentication (1) or additional factors (2, 3).
Syslog field name: Syslog Field Order
CEF field name: cn1
EMAIL field name: AuthFactorNo
HTTPS field name: AuthFactorNo
LEEF field name: AuthFactorNo
auth_policy
(AUTHENTICATION POLICY)
Policy invoked for authentication before allowing access to a protected resource.
Syslog field name: Syslog Field Order
CEF field name: cs4
EMAIL field name: AuthenticationPolicy
HTTPS field name: AuthenticationPolicy
LEEF field name: AuthenticationPolicy
auth_proto
(AUTHENTICATION PROTOCOL)
Indicates the authentication protocol used by the server. For example, PEAP with GTC.
Syslog field name: Syslog Field Order
EMAIL field name: AuthenticationProtocol
HTTPS field name: AuthenticationProtocol
LEEF field name: AuthenticationProtocol
auth_server_profile
(AUTH SERVER PROFILE)
Authentication server used for authentication.
Syslog field name: Syslog Field Order
CEF field name: cs1
EMAIL field name: AuthServerProfile
HTTPS field name: AuthServerProfile
LEEF field name: AuthServerProfile
authenticated_user_info.​domain
(AUTHENTICATED USER DOMAIN)
Domain to which the user who is being authenticated belongs.
EMAIL field name: AuthenticatedUserDomain
HTTPS field name: AuthenticatedUserDomain
LEEF field name: AuthenticatedUserDomain
authenticated_user_info.​name
(AUTHENTICATED USER NAME)
Name of the user who is being authenticated.
EMAIL field name: AuthenticatedUserName
HTTPS field name: AuthenticatedUserName
LEEF field name: AuthenticatedUserName
authenticated_user_info.​uuid
(AUTHENTICATED USER UUID)
Unique identifier assigned to the user who is being authenticated.
EMAIL field name: AuthenticatedUserUUID
HTTPS field name: AuthenticatedUserUUID
LEEF field name: AuthenticatedUserUUID
client_type
(CLIENT TYPE)
Type of client used to complete authentication (such as authentication portal).
Syslog field name: Syslog Field Order
CEF field name: cs5
EMAIL field name: ClientType
HTTPS field name: ClientType
LEEF field name: ClientType
client_type_name.​value
(CLIENT TYPE NAME)
Type of client used to complete authentication.
CEF field name: PanOSClientTypeName
EMAIL field name: ClientTypeName
HTTPS field name: ClientTypeName
LEEF field name: ClientTypeName
config_version.​value
(CONFIG VERSION)
Version number of the firewall operating system that wrote this log record.
Syslog field name: Syslog Field Order
CEF field name: PanOSConfigVersion
EMAIL field name: ConfigVersion
HTTPS field name: ConfigVersion
LEEF field name: ConfigVersion
count_of_repeats
(COUNT OF REPEATS)
Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
Syslog field name: Syslog Field Order
CEF field name: cnt
EMAIL field name: CountOfRepeats
HTTPS field name: CountOfRepeats
LEEF field name: CountOfRepeats
customer_id
(CORTEX DATA LAKE TENANT ID)
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
EMAIL field name: CortexDataLakeTenantID
HTTPS field name: CortexDataLakeTenantID
LEEF field name: CortexDataLakeTenantID
dg_hier_level_1
(DG HIERARCHY LEVEL 1)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel1
EMAIL field name: DGHierarchyLevel1
HTTPS field name: DGHierarchyLevel1
LEEF field name: DGHierarchyLevel1
dg_hier_level_2
(DG HIERARCHY LEVEL 2)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel2
EMAIL field name: DGHierarchyLevel2
HTTPS field name: DGHierarchyLevel2
LEEF field name: DGHierarchyLevel2
dg_hier_level_3
(DG HIERARCHY LEVEL 3)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel3
EMAIL field name: DGHierarchyLevel3
HTTPS field name: DGHierarchyLevel3
LEEF field name: DGHierarchyLevel3
dg_hier_level_4
(DG HIERARCHY LEVEL 4)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel4
EMAIL field name: DGHierarchyLevel4
HTTPS field name: DGHierarchyLevel4
LEEF field name: DGHierarchyLevel4
is_dup_log
(IS DUPLICATE LOG)
Indicates whether this log data is available in multiple locations, such as from the Logging Service and also from an on-premise log collector.
CEF field name: PanOSIsDuplicateLog
EMAIL field name: IsDuplicateLog
HTTPS field name: IsDuplicateLog
LEEF field name: IsDuplicateLog
is_exported
(LOG EXPORTED)
Indicates if this log was exported from the firewall using the firewall's log export function.
CEF field name: PanOSLogExported
EMAIL field name: LogExported
HTTPS field name: LogExported
LEEF field name: LogExported
is_forwarded
(LOG FORWARDED)
Internal-use field that indicates if the log is being forwarded.
CEF field name: PanOSLogForwarded
EMAIL field name: LogForwarded
HTTPS field name: LogForwarded
LEEF field name: LogForwarded
is_prisma_branch
(IS PRISMA NETWORKS)
Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
CEF field name: PanOSIsPrismaNetworks
EMAIL field name: IsPrismaNetworks
HTTPS field name: IsPrismaNetworks
LEEF field name: IsPrismaNetworks
is_prisma_mobile
(IS PRISMA USERS)
Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
CEF field name: PanOSIsPrismaUsers
EMAIL field name: IsPrismaUsers
HTTPS field name: IsPrismaUsers
LEEF field name: IsPrismaUsers
location
(PRISMA ACCESS LOCATION)
Prisma Access Region/Location.
CEF field name: PanOSLocation
EMAIL field name: Location
HTTPS field name: Location
LEEF field name: Location
log_set
(LOG SETTING)
Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator.
Syslog field name: Syslog Field Order
CEF field name: cs6
EMAIL field name: LogSetting
HTTPS field name: LogSetting
LEEF field name: LogSetting
log_source
(LOG SOURCE)
Identifies the origin of the data. That is, the system that produced the data.
CEF field name: PanOSLogSource
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource
log_source_id
(DEVICE SN)
ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log.
Syslog field name: Syslog Field Order
CEF field name: deviceExternalId
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN
log_source_name
(DEVICE NAME)
Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
Syslog field name: Syslog Field Order
CEF field name: dvchost
EMAIL field name: DeviceName
HTTPS field name: DeviceName
LEEF field name: DeviceName
log_source_tz_offset
(LOG SOURCE TIMEZONE OFFSET)
Time Zone offset from GMT of the source of the log.
EMAIL field name: LogSourceTimeZoneOffset
HTTPS field name: LogSourceTimeZoneOffset
LEEF field name: LogSourceTimeZoneOffset
log_time
(TIME RECEIVED)
Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived
log_type.​value
(LOG TYPE)
Identifies the log type.
Syslog field name: Syslog Field Order
CEF field name: DeviceEventClassId
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat
mfa_auth_id
(MFA AUTHENTICATION ID)
Unique ID given across primary authentication and additional (multi-factor) authentication.
Syslog field name: Syslog Field Order
CEF field name: cn2
EMAIL field name: MFAAuthenticationID
HTTPS field name: MFAAuthenticationID
LEEF field name: MFAAuthenticationID
mfa_vendor
(MFA VENDOR)
Vendor providing additional factor authentication.
Syslog field name: Syslog Field Order
CEF field name: PanOSMFAVendor
EMAIL field name: MFAVendor
HTTPS field name: MFAVendor
LEEF field name: MFAVendor
normalize_user
(NORMALIZE USER)
Normalized version of the username being authenticated (such as appending a domain name to the username).
Syslog field name: Syslog Field Order
CEF field name: cs2
EMAIL field name: NormalizeUser
HTTPS field name: NormalizeUser
LEEF field name: usrName
object
(OBJECT)
Name of the object associated with the system event.
Syslog field name: Syslog Field Order
CEF field name: fname
EMAIL field name: Object
HTTPS field name: Object
LEEF field name: Object
rule_matched
(RULE MATCHED)
Name of the security policy rule that the network traffic matched.
CEF field name: PanOSRuleMatched
EMAIL field name: RuleMatched
HTTPS field name: RuleMatched
LEEF field name: RuleMatched
rule_matched_uuid
(RULE MATCHED UUID)
Unique identifier for the security policy rule that the network traffic matched.
Syslog field name: Syslog Field Order
CEF field name: PanOSRuleMatchedUUID
EMAIL field name: RuleMatchedUUID
HTTPS field name: RuleMatchedUUID
LEEF field name: RuleMatchedUUID
sequence_no
(SEQUENCE NO)
The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
Syslog field name: Syslog Field Order
CEF field name: externalId
EMAIL field name: SequenceNo
HTTPS field name: SequenceNo
LEEF field name: SequenceNo
service_region
(AUTH CACHE SERVICE REGION)
Region where the service is deployed.
Syslog field name: Syslog Field Order
EMAIL field name: AuthCacheServiceRegion
HTTPS field name: AuthCacheServiceRegion
LEEF field name: AuthCacheServiceRegion
session_id
(SESSION ID)
Identifies the firewall's internal identifier for a specific network session.
Syslog field name: Syslog Field Order
CEF field name: PanOSSessionID
EMAIL field name: SessionID
HTTPS field name: SessionID
LEEF field name: SessionID
source_device_category
(SOURCE DEVICE CATEGORY)
Category of the device from which the session originated.
Syslog field name: Syslog Field Order
EMAIL field name: SourceDeviceCategory
HTTPS field name: SourceDeviceCategory
LEEF field name: SourceDeviceCategory
source_device_host
(SOURCE DEVICE HOST)
Hostname of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceHost
EMAIL field name: SourceDeviceHost
HTTPS field name: SourceDeviceHost
LEEF field name: SourceDeviceHost
source_device_mac
(SOURCE DEVICE MAC)
MAC Address of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceMac
EMAIL field name: SourceDeviceMac
HTTPS field name: SourceDeviceMac
LEEF field name: SourceDeviceMac
source_device_model
(SOURCE DEVICE MODEL)
Model of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceModel
EMAIL field name: SourceDeviceModel
HTTPS field name: SourceDeviceModel
LEEF field name: SourceDeviceModel
source_device_osfamily
(SOURCE DEVICE OS FAMILY)
OS family of the device from which the session originated.
Syslog field name: Syslog Field Order
EMAIL field name: SourceDeviceOSFamily
HTTPS field name: SourceDeviceOSFamily
LEEF field name: SourceDeviceOSFamily
source_device_osversion
(SOURCE DEVICE OS VERSION)
OS version of the device from which the session originated.
Syslog field name: Syslog Field Order
EMAIL field name: SourceDeviceOSVersion
HTTPS field name: SourceDeviceOSVersion
LEEF field name: SourceDeviceOSVersion
source_device_profile
(SOURCE DEVICE PROFILE)
Profile of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceProfile
EMAIL field name: SourceDeviceProfile
HTTPS field name: SourceDeviceProfile
LEEF field name: SourceDeviceProfile
source_device_vendor
(SOURCE DEVICE VENDOR)
Vendor of the device from which the session originated.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceDeviceVendor
EMAIL field name: SourceDeviceVendor
HTTPS field name: SourceDeviceVendor
LEEF field name: SourceDeviceVendor
source_ip.​value
(SOURCE IP)
Original source IP address.
Syslog field name: Syslog Field Order
CEF fields: src and dst, or c6a2 and c6a3
EMAIL field name: SourceIP
HTTPS field name: SourceIP
LEEF field name: src
sub_type.​value
(SUBTYPE)
Identifies the log subtype.
Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: Subtype
HTTPS field name: Subtype
LEEF field name: SubType
time_generated
(TIME GENERATED)
Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime
time_generated_high_res
(TIME GENERATED HIGH RESOLUTION)
Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
Syslog field name: Syslog Field Order
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
user
(USER)
End user being authenticated.
Syslog field name: Syslog Field Order
CEF field name: duser
EMAIL field name: User
HTTPS field name: User
LEEF field name: User
user_agent
(USER AGENT STRING)
The User Agent field specifies the web browser that the user used to access the URL.
Syslog field name: Syslog Field Order
CEF field name: PanOSUserAgentString
EMAIL field name: UserAgentString
HTTPS field name: UserAgentString
LEEF field name: UserAgentString
vendor_name
(VENDOR NAME)
Identifies the vendor that produced the data.
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor
vsys
(VIRTUAL LOCATION)
String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order
CEF field name: cs3
EMAIL field name: VirtualLocation
HTTPS field name: VirtualLocation
LEEF field name: VirtualLocation
vsys_id
(VIRTUAL SYSTEM ID)
A unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystemID
EMAIL field name: VirtualSystemID
HTTPS field name: VirtualSystemID
LEEF field name: VirtualSystemID
vsys_name
(VIRTUAL SYSTEM NAME)
The name of the virtual system associated with the network traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystemName
EMAIL field name: VirtualSystemName
HTTPS field name: VirtualSystemName
LEEF field name: VirtualSystemName

Recommended For You