Authentication

Authentication logs contain information about authentication events seen by the next-generation firewall. They are written when users access network resources that are controlled by Authentication policy rules; a firewall with no Authentication policy configured never writes Authentication logs to Cortex Data Lake.
Authentication logs are most frequently written when the next-generation firewall is configured as a Multi-Factor Authentication gateway and an end user authenticates through it.
The following table lists each Authentication log field by its query name, with its display name in parentheses, a description, and the field name that each supported forwarding format (CEF, EMAIL, HTTPS, LEEF) uses for it:
auth_description
(AUTHENTICATION DESCRIPTION)
Additional authentication information.
CEF field name: PanOSAuthenticationDescription
EMAIL field name: AuthenticationDescription
HTTPS field name: AuthenticationDescription
LEEF field name: AuthenticationDescription
auth_event_name.value
(AUTH EVENT)
The authentication event that caused the firewall to create this log record.
CEF field name: msg
EMAIL field name: AuthEvent
HTTPS field name: AuthEvent
LEEF field name: AuthEvent
auth_factor_num
(AUTH FACTOR NO)
Indicates the use of primary authentication (1) or additional factors (2, 3).
CEF field name: cn1
EMAIL field name: AuthFactorNo
HTTPS field name: AuthFactorNo
LEEF field name: AuthFactorNo
auth_policy
(AUTHENTICATION POLICY)
Policy invoked for authentication before allowing access to a protected resource.
CEF field name: cs4
EMAIL field name: AuthenticationPolicy
HTTPS field name: AuthenticationPolicy
LEEF field name: AuthenticationPolicy
auth_proto
(AUTHENTICATION PROTOCOL)
Indicates the authentication protocol used by the server. For example, PEAP with GTC.
CEF field name: PanOSAuthenticationProtocol
EMAIL field name: AuthenticationProtocol
HTTPS field name: AuthenticationProtocol
LEEF field name: AuthenticationProtocol
auth_server_profile
(AUTH SERVER PROFILE)
Authentication server used for authentication.
CEF field name: cs1
EMAIL field name: AuthServerProfile
HTTPS field name: AuthServerProfile
LEEF field name: AuthServerProfile
authenticated_user_info.domain
(AUTHENTICATED USER DOMAIN)
Domain to which the user who is being authenticated belongs.
CEF field name: PanOSAuthenticatedUserDomain
EMAIL field name: AuthenticatedUserDomain
HTTPS field name: AuthenticatedUserDomain
LEEF field name: AuthenticatedUserDomain
authenticated_user_info.name
(AUTHENTICATED USER NAME)
Name of the user who is being authenticated.
CEF field name: PanOSAuthenticatedUserName
EMAIL field name: AuthenticatedUserName
HTTPS field name: AuthenticatedUserName
LEEF field name: AuthenticatedUserName
authenticated_user_info.uuid
(AUTHENTICATED USER UUID)
Unique identifier assigned to the user who is being authenticated.
CEF field name: PanOSAuthenticatedUserUUID
EMAIL field name: AuthenticatedUserUUID
HTTPS field name: AuthenticatedUserUUID
LEEF field name: AuthenticatedUserUUID
client_type
(CLIENT TYPE)
Type of client used to complete authentication (such as authentication portal).
CEF field name: cs5
EMAIL field name: ClientType
HTTPS field name: ClientType
LEEF field name: ClientType
client_type_name.value
(CLIENT TYPE NAME)
Type of client used to complete authentication.
CEF field name: PanOSClientTypeName
EMAIL field name: ClientTypeName
HTTPS field name: ClientTypeName
LEEF field name: ClientTypeName
config_version.value
(CONFIG VERSION)
Version number of the firewall operating system that wrote this log record.
CEF field name: PanOSConfigVersion
EMAIL field name: ConfigVersion
HTTPS field name: ConfigVersion
LEEF field name: ConfigVersion
count_of_repeats
(COUNT OF REPEATS)
Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
CEF field name: cnt
EMAIL field name: CountOfRepeats
HTTPS field name: CountOfRepeats
LEEF field name: CountOfRepeats
customer_id
(CORTEX DATA LAKE TENANT ID)
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
CEF field name: PanOSCortexDataLakeTenantID
EMAIL field name: CortexDataLakeTenantID
HTTPS field name: CortexDataLakeTenantID
LEEF field name: CortexDataLakeTenantID
dg_hier_level_1
(DG HIERARCHY LEVEL 1)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
CEF field name: PanOSDGHierarchyLevel1
EMAIL field name: DGHierarchyLevel1
HTTPS field name: DGHierarchyLevel1
LEEF field name: DGHierarchyLevel1
dg_hier_level_2
(DG HIERARCHY LEVEL 2)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
CEF field name: PanOSDGHierarchyLevel2
EMAIL field name: DGHierarchyLevel2
HTTPS field name: DGHierarchyLevel2
LEEF field name: DGHierarchyLevel2
dg_hier_level_3
(DG HIERARCHY LEVEL 3)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
CEF field name: PanOSDGHierarchyLevel3
EMAIL field name: DGHierarchyLevel3
HTTPS field name: DGHierarchyLevel3
LEEF field name: DGHierarchyLevel3
dg_hier_level_4
(DG HIERARCHY LEVEL 4)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
CEF field name: PanOSDGHierarchyLevel4
EMAIL field name: DGHierarchyLevel4
HTTPS field name: DGHierarchyLevel4
LEEF field name: DGHierarchyLevel4
is_dup_log
(IS DUPLICATE LOG)
Indicates whether this log data is available in multiple locations, such as from the Logging Service and also from an on-premise log collector.
CEF field name: PanOSIsDuplicateLog
EMAIL field name: IsDuplicateLog
HTTPS field name: IsDuplicateLog
LEEF field name: IsDuplicateLog
is_exported
(LOG EXPORTED)
Indicates if this log was exported from the firewall using the firewall's log export function.
CEF field name: PanOSLogExported
EMAIL field name: LogExported
HTTPS field name: LogExported
LEEF field name: LogExported
is_forwarded
(LOG FORWARDED)
Internal-use field that indicates if the log is being forwarded.
CEF field name: PanOSLogForwarded
EMAIL field name: LogForwarded
HTTPS field name: LogForwarded
LEEF field name: LogForwarded
is_prisma_branch
(IS PRISMA NETWORKS)
Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
CEF field name: PanOSIsPrismaNetworks
EMAIL field name: IsPrismaNetworks
HTTPS field name: IsPrismaNetworks
LEEF field name: IsPrismaNetworks
is_prisma_mobile
(IS PRISMA USERS)
Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
CEF field name: PanOSIsPrismaUsers
EMAIL field name: IsPrismaUsers
HTTPS field name: IsPrismaUsers
LEEF field name: IsPrismaUsers
location
(PRISMA ACCESS LOCATION)
Prisma Access Region/Location.
CEF field name: PanOSLocation
EMAIL field name: Location
HTTPS field name: Location
LEEF field name: Location
log_set
(LOG SETTING)
Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator.
CEF field name: cs6
EMAIL field name: LogSetting
HTTPS field name: LogSetting
LEEF field name: LogSetting
log_source
(LOG SOURCE)
Identifies the origin of the data. That is, the system that produced the data.
CEF field name: PanOSLogSource
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource
log_source_id
(DEVICE SN)
ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log.
CEF field name: deviceExternalId
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN
log_source_name
(DEVICE NAME)
Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
CEF field name: dvchost
EMAIL field name: DeviceName
HTTPS field name: DeviceName
LEEF field name: DeviceName
log_source_tz_offset
(LOG SOURCE TIMEZONE OFFSET)
Time zone offset from GMT of the source of the log.
CEF field name: PanOSLogSourceTimeZoneOffset
EMAIL field name: LogSourceTimeZoneOffset
HTTPS field name: LogSourceTimeZoneOffset
LEEF field name: LogSourceTimeZoneOffset
log_time
(TIME RECEIVED)
Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived
log_type.value
(LOG TYPE)
Identifies the log type.
CEF field name: DeviceEventClassId
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: EventID
mfa_auth_id
(MFA AUTHENTICATION ID)
Unique ID given across primary authentication and additional (multi-factor) authentication.
CEF field name: cn2
EMAIL field name: MFAAuthenticationID
HTTPS field name: MFAAuthenticationID
LEEF field name: MFAAuthenticationID
mfa_vendor
(MFA VENDOR)
Vendor providing additional factor authentication.
CEF field name: PanOSMFAVendor
EMAIL field name: MFAVendor
HTTPS field name: MFAVendor
LEEF field name: MFAVendor
normalize_user
(NORMALIZE USER)
Normalized version of the username being authenticated (such as appending a domain name to the username).
CEF field name: cs2
EMAIL field name: NormalizeUser
HTTPS field name: NormalizeUser
LEEF field name: usrName
object
(OBJECT)
Name of the object associated with the system event.
CEF field name: fname
EMAIL field name: Object
HTTPS field name: Object
LEEF field name: Object
rule_matched
(RULE MATCHED)
Name of the security policy rule that the network traffic matched.
CEF field name: PanOSRuleMatched
EMAIL field name: RuleMatched
HTTPS field name: RuleMatched
LEEF field name: RuleMatched
rule_matched_uuid
(RULE MATCHED UUID)
Unique identifier for the security policy rule that the network traffic matched.
CEF field name: PanOSRuleMatchedUUID
EMAIL field name: RuleMatchedUUID
HTTPS field name: RuleMatchedUUID
LEEF field name: RuleMatchedUUID
sequence_no
(SEQUENCE NO)
The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
CEF field name: externalId
EMAIL field name: SequenceNo
HTTPS field name: SequenceNo
LEEF field name: SequenceNo
service_region
(AUTH CACHE SERVICE REGION)
Region where the service is deployed.
CEF field name: PanOSAuthCacheServiceRegion
EMAIL field name: AuthCacheServiceRegion
HTTPS field name: AuthCacheServiceRegion
LEEF field name: AuthCacheServiceRegion
session_id
(SESSION ID)
Identifies the firewall's internal identifier for a specific network session.
CEF field name: PanOSSessionID
EMAIL field name: SessionID
HTTPS field name: SessionID
LEEF field name: SessionID
source_device_category
(SOURCE DEVICE CATEGORY)
Category of the device from which the session originated.
CEF field name: PanOSSourceDeviceCategory
EMAIL field name: SourceDeviceCategory
HTTPS field name: SourceDeviceCategory
LEEF field name: SourceDeviceCategory
source_device_host
(SOURCE DEVICE HOST)
Hostname of the device from which the session originated.
CEF field name: PanOSSourceDeviceHost
EMAIL field name: SourceDeviceHost
HTTPS field name: SourceDeviceHost
LEEF field name: SourceDeviceHost
source_device_mac
(SOURCE DEVICE MAC)
MAC Address of the device from which the session originated.
CEF field name: PanOSSourceDeviceMac
EMAIL field name: SourceDeviceMac
HTTPS field name: SourceDeviceMac
LEEF field name: SourceDeviceMac
source_device_model
(SOURCE DEVICE MODEL)
Model of the device from which the session originated.
CEF field name: PanOSSourceDeviceModel
EMAIL field name: SourceDeviceModel
HTTPS field name: SourceDeviceModel
LEEF field name: SourceDeviceModel
source_device_osfamily
(SOURCE DEVICE OS FAMILY)
OS family of the device from which the session originated.
CEF field name: PanOSSourceDeviceOSFamily
EMAIL field name: SourceDeviceOSFamily
HTTPS field name: SourceDeviceOSFamily
LEEF field name: SourceDeviceOSFamily
source_device_osversion
(SOURCE DEVICE OS VERSION)
OS version of the device from which the session originated.
CEF field name: PanOSSourceDeviceOSVersion
EMAIL field name: SourceDeviceOSVersion
HTTPS field name: SourceDeviceOSVersion
LEEF field name: SourceDeviceOSVersion
source_device_profile
(SOURCE DEVICE PROFILE)
Profile of the device from which the session originated.
CEF field name: PanOSSourceDeviceProfile
EMAIL field name: SourceDeviceProfile
HTTPS field name: SourceDeviceProfile
LEEF field name: SourceDeviceProfile
source_device_vendor
(SOURCE DEVICE VENDOR)
Vendor of the device from which the session originated.
CEF field name: PanOSSourceDeviceVendor
EMAIL field name: SourceDeviceVendor
HTTPS field name: SourceDeviceVendor
LEEF field name: SourceDeviceVendor
source_ip.value
(SOURCE IP)
Original source IP address.
CEF fields: src and dst, or c6a2 and c6a3
EMAIL field name: SourceIP
HTTPS field name: SourceIP
LEEF field name: src
sub_type.value
(SUBTYPE)
Identifies the log subtype.
CEF field name: Name
EMAIL field name: Subtype
HTTPS field name: Subtype
LEEF field name: cat
time_generated
(TIME GENERATED)
Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime
time_generated_high_res
(TIME GENERATED HIGH RESOLUTION)
Time the log was generated on the data plane with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
CEF field name: PanOSTimeGeneratedHighResolution
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
LEEF field name: TimeGeneratedHighResolution
user
(USER)
End user being authenticated.
CEF field name: duser
EMAIL field name: User
HTTPS field name: User
LEEF field name: User
user_agent
(USER AGENT STRING)
The User Agent field specifies the web browser that the user used to access the URL.
CEF field name: PanOSUserAgentString
EMAIL field name: UserAgentString
HTTPS field name: UserAgentString
LEEF field name: UserAgentString
vendor_name
(VENDOR NAME)
Identifies the vendor that produced the data.
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor
vsys
(VIRTUAL LOCATION)
String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
CEF field name: cs3
EMAIL field name: VirtualLocation
HTTPS field name: VirtualLocation
LEEF field name: VirtualLocation
vsys_id
(VIRTUAL SYSTEM ID)
A unique identifier for a virtual system on a Palo Alto Networks firewall.
CEF field name: PanOSVirtualSystemID
EMAIL field name: VirtualSystemID
HTTPS field name: VirtualSystemID
LEEF field name: VirtualSystemID
vsys_name
(VIRTUAL SYSTEM NAME)
The name of the virtual system associated with the network traffic.
CEF field name: PanOSVirtualSystemName
EMAIL field name: VirtualSystemName
HTTPS field name: VirtualSystemName
LEEF field name: VirtualSystemName

Authentication CEF Fields

Example Authentication log in CEF:
Mar 1 21:05:25 xxx.xx.x.xx 2206 <14>1 2021-03-01T21:05:25.508Z stream-logfwd20-587718190-03011255-ut6o-harness-5vlj logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|AUTH|Radius|3|ProfileToken=xxxxx dtz=UTC rt=Feb 28 2021 18:20:54 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion=10.0 PanOSAuthenticatedUserDomain=paloaltonetwork PanOSAuthenticatedUserName=xxxxx PanOSAuthenticatedUserUUID= PanOSClientTypeName= PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSRuleMatched= start=Feb 28 2021 18:20:40 cs3=vsys1 cs3Label=VirtualLocation c6a2=::ffff:0 c6a2Label=Source IPv6 Address c6a3=::ffff:0 c6a3Label=Destination IPv6 Address duser=paloaltonetwork\\xxxxx cs2=paloaltonetwork\\xxxxx cs2Label=NormalizeUser fname=Authentication object2 cs4=DC cs4Label=AuthenticationPolicy cnt=33554432 cn2=-5257671089978343424 cn2Label=MFAAuthenticationID PanOSMFAVendor=Symantec VIP cs6=rs-logging cs6Label=LogSetting cs1=deny-attackers cs1Label=AuthServerProfile PanOSAuthenticationDescription=www.something cs5=Unknown cs5Label=ClientType msg=Invalid Certificate cn1=0 cn1Label=AuthFactorNo externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSVirtualSystemID=1 PanOSAuthenticationProtocol=EAP-TTLS with PAP PanOSRuleMatchedUUID= PanOSTimeGeneratedHighResolution=Feb 28 2021 18:20:41 PanOSSourceDeviceCategory=src_category_list-1 PanOSSourceDeviceProfile=src_profile_list-1 PanOSSourceDeviceModel=src_model_list-1 PanOSSourceDeviceVendor=src_vendor_list-1 PanOSSourceDeviceOSFamily=src_osfamily_list-0 PanOSSourceDeviceOSVersion=src_osversion_list-2 PanOSSourceDeviceHost=src_host_list-0 PanOSSourceDeviceMac=src_mac_list-2 PanOSAuthCacheServiceRegion= PanOSUserAgentString= PanOSSessionID=
The following table identifies the Authentication field names that the Log Forwarding app uses when you forward logs using the CEF log format.
When you create a syslog forwarding profile, you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth) as a parameter called profileToken. Note that the CEF sample above writes the key as ProfileToken, so match it case-insensitively if your parser depends on it.
Each entry gives the CEF name, then its query name, its header type (Custom extension or Predefined CEF key), the label key and label text for the labelled csN/cnN/c6aN keys, and the maximum length where one is defined.
PanOSAuthenticationDescription: auth_description; Custom
msg: auth_event_name.value; Predefined; max length 1023
cn1: auth_factor_num; Predefined; label cn1Label = AuthFactorNo
cs4: auth_policy; Predefined; label cs4Label = AuthenticationPolicy; max length 4000
PanOSAuthenticationProtocol: auth_proto; Custom
cs1: auth_server_profile; Predefined; label cs1Label = AuthServerProfile; max length 4000
PanOSAuthenticatedUserDomain: authenticated_user_info.domain; Custom
PanOSAuthenticatedUserName: authenticated_user_info.name; Custom
PanOSAuthenticatedUserUUID: authenticated_user_info.uuid; Custom
cs5: client_type; Predefined; label cs5Label = ClientType; max length 4000
PanOSClientTypeName: client_type_name.value; Custom
PanOSConfigVersion: config_version.value; Custom
cnt: count_of_repeats; Predefined
PanOSCortexDataLakeTenantID: customer_id; Custom
PanOSDGHierarchyLevel1: dg_hier_level_1; Custom
PanOSDGHierarchyLevel2: dg_hier_level_2; Custom
PanOSDGHierarchyLevel3: dg_hier_level_3; Custom
PanOSDGHierarchyLevel4: dg_hier_level_4; Custom
PanOSIsDuplicateLog: is_dup_log; Custom
PanOSLogExported: is_exported; Custom
PanOSLogForwarded: is_forwarded; Custom
PanOSIsPrismaNetworks: is_prisma_branch; Custom
PanOSIsPrismaUsers: is_prisma_mobile; Custom
PanOSLocation: location; Custom
cs6: log_set; Predefined; label cs6Label = LogSetting; max length 4000
PanOSLogSource: log_source; Custom
deviceExternalId: log_source_id; Predefined; max length 255
dvchost: log_source_name; Predefined; max length 100
PanOSLogSourceTimeZoneOffset: log_source_tz_offset; Custom
rt: log_time; Predefined
DeviceEventClassId: log_type.value; Custom
cn2: mfa_auth_id; Predefined; label cn2Label = MFAAuthenticationID
PanOSMFAVendor: mfa_vendor; Custom
cs2: normalize_user; Predefined; label cs2Label = NormalizeUser; max length 4000
fname: object; Predefined; max length 1023
PanOSRuleMatched: rule_matched; Custom
PanOSRuleMatchedUUID: rule_matched_uuid; Custom
externalId: sequence_no; Predefined; max length 40
PanOSAuthCacheServiceRegion: service_region; Custom
PanOSSessionID: session_id; Custom
PanOSSourceDeviceCategory: source_device_category; Custom
PanOSSourceDeviceHost: source_device_host; Custom
PanOSSourceDeviceMac: source_device_mac; Custom
PanOSSourceDeviceModel: source_device_model; Custom
PanOSSourceDeviceOSFamily: source_device_osfamily; Custom
PanOSSourceDeviceOSVersion: source_device_osversion; Custom
PanOSSourceDeviceProfile: source_device_profile; Custom
PanOSSourceDeviceVendor: source_device_vendor; Custom
src and dst, or c6a2 and c6a3: source_ip.value; Predefined; when the address is written in the IPv6 keys (as in the sample above) the labels are c6a2Label = Source IPv6 Address and c6a3Label = Destination IPv6 Address
Name: sub_type.value; Custom
start: time_generated; Predefined
PanOSTimeGeneratedHighResolution: time_generated_high_res; Custom
duser: user; Predefined; max length 1023
PanOSUserAgentString: user_agent; Custom
Device Vendor: vendor_name; Custom
cs3: vsys; Predefined; label cs3Label = VirtualLocation; max length 4000
PanOSVirtualSystemID: vsys_id; Custom
PanOSVirtualSystemName: vsys_name; Custom
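The CEF sample above shows two things a collector has to handle: values are not quoted (msg=Invalid Certificate cn1=0, PanOSMFAVendor=Symantec VIP), so the extension string cannot be split on spaces, and the predefined csN/cnN keys only get their meaning from the paired csNLabel/cnNLabel token. The parser below is an added example written for this page, not code from Palo Alto Networks or the Log Forwarding app. It parses a constructed line modelled on the sample (placeholder hostnames, users, serial numbers and IDs), resolves the labels, and renames the keys to the Cortex Data Lake query names from the tables on this page. The CEF_TO_QUERY and LABEL_TO_QUERY maps cover only the keys present in the constructed line; extend them from the table above for a full feed.

```python
import re
from typing import Dict

CEF_HEADER_FIELDS = ("CEFVersion", "DeviceVendor", "DeviceProduct", "DeviceVersion",
                     "DeviceEventClassId", "Name", "Severity")

# One extension token: a key, '=', then a value running up to the next ' key=' or the end of
# the line. The app does not quote values ('msg=Invalid Certificate cn1=0'), so the split
# has to look ahead for the next key instead of breaking on whitespace.
_EXT_TOKEN = re.compile(r"(?P<key>[A-Za-z0-9_.]+)=(?P<value>.*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)")
_LABEL_KEY = re.compile(r"^(?P<base>(?:cs|cn|cfp|c6a|flexString|flexNumber|flexDate)\d+)Label$")

# CEF key -> Cortex Data Lake query name, copied from the tables on this page (sample keys only).
CEF_TO_QUERY = {
    "msg": "auth_event_name.value", "fname": "object", "duser": "user",
    "deviceExternalId": "log_source_id", "dvchost": "log_source_name",
    "externalId": "sequence_no", "rt": "log_time", "start": "time_generated",
    "PanOSAuthenticatedUserDomain": "authenticated_user_info.domain",
    "PanOSAuthenticatedUserName": "authenticated_user_info.name",
    "PanOSAuthenticationProtocol": "auth_proto", "PanOSMFAVendor": "mfa_vendor",
}
# Label text of a csN/cnN key -> query name (the label, not the key, says what the value is).
LABEL_TO_QUERY = {
    "AuthFactorNo": "auth_factor_num", "AuthenticationPolicy": "auth_policy",
    "AuthServerProfile": "auth_server_profile", "ClientType": "client_type",
    "MFAAuthenticationID": "mfa_auth_id", "NormalizeUser": "normalize_user",
    "VirtualLocation": "vsys", "LogSetting": "log_set",
}

# Constructed line in the shape of the page's sample; every value is a placeholder.
# The doubled backslash in the source is the CEF escape for one literal backslash in domain\user.
SAMPLE_CEF = (
    "Mar 1 21:05:25 10.0.0.5 2206 <14>1 2021-03-01T21:05:25.508Z lf-host logforwarder - panwlogs - "
    "CEF:0|Palo Alto Networks|LF|2.0|AUTH|Radius|3|ProfileToken=tok1 dtz=UTC "
    "rt=Feb 28 2021 18:20:54 deviceExternalId=0123456789 PanOSAuthenticatedUserDomain=example "
    "PanOSAuthenticatedUserName=alice start=Feb 28 2021 18:20:40 cs3=vsys1 cs3Label=VirtualLocation "
    "duser=example\\\\alice cs2=example\\\\alice cs2Label=NormalizeUser fname=Authentication object2 "
    "cs4=DC cs4Label=AuthenticationPolicy cn2=-5257671089978343424 cn2Label=MFAAuthenticationID "
    "PanOSMFAVendor=Symantec VIP cs1=corp-radius cs1Label=AuthServerProfile cs5=Unknown "
    "cs5Label=ClientType msg=Invalid Certificate cn1=0 cn1Label=AuthFactorNo externalId=42 "
    "dvchost=fw01 PanOSAuthenticationProtocol=EAP-TTLS with PAP"
)


def _unescape(value: str) -> str:
    """CEF writes a literal backslash, '=' or '|' as backslash + character; drop the backslash."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_cef(line: str) -> Dict[str, Dict[str, str]]:
    """Split a syslog line carrying a CEF record into header fields and raw extension keys."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    # Seven pipe-delimited header fields; everything after the seventh pipe is extensions.
    parts = re.split(r"(?<!\\)\|", line[start + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = {name: _unescape(v) for name, v in zip(CEF_HEADER_FIELDS, parts[:7])}
    extensions = {m.group("key"): _unescape(m.group("value"))
                  for m in _EXT_TOKEN.finditer(parts[7].strip())}
    return {"header": header, "extensions": extensions}


def to_query_fields(parsed: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Rename CEF keys to query names; csN/cnN keys are named by their csNLabel/cnNLabel text."""
    header, ext = parsed["header"], parsed["extensions"]
    out = {"log_type.value": header["DeviceEventClassId"], "sub_type.value": header["Name"]}
    labels = {}
    for key, value in ext.items():
        m = _LABEL_KEY.match(key)
        if m:
            labels[m.group("base")] = value
    for key, value in ext.items():
        if _LABEL_KEY.match(key):
            continue  # label tokens carry names, not data
        if key in labels:
            out[LABEL_TO_QUERY.get(labels[key], labels[key])] = value
        else:
            out[CEF_TO_QUERY.get(key, key)] = value
    return out


if __name__ == "__main__":
    for name, value in sorted(to_query_fields(parse_cef(SAMPLE_CEF)).items()):
        print(f"{name} = {value!r}")
```

The lookahead in _EXT_TOKEN is what makes the unquoted multi-word values survive; it relies on the CEF rule that a literal '=' inside a value is escaped as '\=', which _unescape then removes. Label resolution is done before renaming because the same cs1 slot carries different data in other log types, so a detection rule should key on the label text or the query name, never on the raw csN/cnN key.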

Authentication EMAIL Fields

Example Authentication log in EMAIL:
TimeReceived=2021-02-22T03:55:30.000000Z DeviceSN=xxxxxxxxxxxxx LogType=AUTH Subtype=Unknown ConfigVersion=10.0 TimeGenerated=2021-02-22T03:55:21.000000Z VirtualLocation=vsys1 SourceIP=xxxxxxxxxxxx User="paloaltonetwork\xxxxx" NormalizeUser="paloaltonetwork\xxxxx" Object=Authentication object3 AuthenticationPolicy=DC CountOfRepeats=16777216 MFAAuthenticationID=-1725441607236321280 MFAVendor=Duo LogSetting=rs-logging AuthServerProfile=allow-all-employees AuthenticationDescription=www.something ClientType=Unknown AuthEvent=User Password Failure AuthFactorNo=2 SequenceNo=476277 DGHierarchyLevel1=11 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=xxxxx VirtualSystemID=1 AuthenticationProtocol=PEAP-MSCHAPv2 RuleMatchedUUID= TimeGeneratedHighResolution=2021-02-22T03:55:21.963000Z SourceDeviceCategory=src_category_list-2 SourceDeviceProfile=src_profile_list-1 SourceDeviceModel=src_model_list-1 SourceDeviceVendor=src_vendor_list-1 SourceDeviceOSFamily=src_osfamily_list-2 SourceDeviceOSVersion=src_osversion_list-1 SourceDeviceHost=src_host_list-1 SourceDeviceMac=src_mac_list-1 AuthCacheServiceRegion= UserAgentString= SessionID=
The following table identifies the Authentication field names that the Log Forwarding app uses when you forward logs using the EMAIL log format.
Each entry gives the EMAIL name followed by its query name.
AuthenticationDescription: auth_description
AuthEvent: auth_event_name.value
AuthFactorNo: auth_factor_num
AuthenticationPolicy: auth_policy
AuthenticationProtocol: auth_proto
AuthServerProfile: auth_server_profile
AuthenticatedUserDomain: authenticated_user_info.domain
AuthenticatedUserName: authenticated_user_info.name
AuthenticatedUserUUID: authenticated_user_info.uuid
ClientType: client_type
ClientTypeName: client_type_name.value
ConfigVersion: config_version.value
CountOfRepeats: count_of_repeats
CortexDataLakeTenantID: customer_id
DGHierarchyLevel1: dg_hier_level_1
DGHierarchyLevel2: dg_hier_level_2
DGHierarchyLevel3: dg_hier_level_3
DGHierarchyLevel4: dg_hier_level_4
IsDuplicateLog: is_dup_log
LogExported: is_exported
LogForwarded: is_forwarded
IsPrismaNetworks: is_prisma_branch
IsPrismaUsers: is_prisma_mobile
Location: location
LogSetting: log_set
LogSource: log_source
DeviceSN: log_source_id
DeviceName: log_source_name
LogSourceTimeZoneOffset: log_source_tz_offset
TimeReceived: log_time
LogType: log_type.value
MFAAuthenticationID: mfa_auth_id
MFAVendor: mfa_vendor
NormalizeUser: normalize_user
Object: object
RuleMatched: rule_matched
RuleMatchedUUID: rule_matched_uuid
SequenceNo: sequence_no
AuthCacheServiceRegion: service_region
SessionID: session_id
SourceDeviceCategory: source_device_category
SourceDeviceHost: source_device_host
SourceDeviceMac: source_device_mac
SourceDeviceModel: source_device_model
SourceDeviceOSFamily: source_device_osfamily
SourceDeviceOSVersion: source_device_osversion
SourceDeviceProfile: source_device_profile
SourceDeviceVendor: source_device_vendor
SourceIP: source_ip.value
Subtype: sub_type.value
TimeGenerated: time_generated
TimeGeneratedHighResolution: time_generated_high_res
User: user
UserAgentString: user_agent
VendorName: vendor_name
VirtualLocation: vsys
VirtualSystemID: vsys_id
VirtualSystemName: vsys_name

Authentication HTTPS Fields

The following table identifies the Authentication field names that the Log Forwarding app uses when you forward logs using the HTTPS log format.
Each entry gives the HTTPS name followed by its query name.
AuthenticationDescription: auth_description
AuthEvent: auth_event_name.value
AuthFactorNo: auth_factor_num
AuthenticationPolicy: auth_policy
AuthenticationProtocol: auth_proto
AuthServerProfile: auth_server_profile
AuthenticatedUserDomain: authenticated_user_info.domain
AuthenticatedUserName: authenticated_user_info.name
AuthenticatedUserUUID: authenticated_user_info.uuid
ClientType: client_type
ClientTypeName: client_type_name.value
ConfigVersion: config_version.value
CountOfRepeats: count_of_repeats
CortexDataLakeTenantID: customer_id
DGHierarchyLevel1: dg_hier_level_1
DGHierarchyLevel2: dg_hier_level_2
DGHierarchyLevel3: dg_hier_level_3
DGHierarchyLevel4: dg_hier_level_4
IsDuplicateLog: is_dup_log
LogExported: is_exported
LogForwarded: is_forwarded
IsPrismaNetworks: is_prisma_branch
IsPrismaUsers: is_prisma_mobile
Location: location
LogSetting: log_set
LogSource: log_source
DeviceSN: log_source_id
DeviceName: log_source_name
LogSourceTimeZoneOffset: log_source_tz_offset
TimeReceived: log_time
LogType: log_type.value
MFAAuthenticationID: mfa_auth_id
MFAVendor: mfa_vendor
NormalizeUser: normalize_user
Object: object
RuleMatched: rule_matched
RuleMatchedUUID: rule_matched_uuid
SequenceNo: sequence_no
AuthCacheServiceRegion: service_region
SessionID: session_id
SourceDeviceCategory: source_device_category
SourceDeviceHost: source_device_host
SourceDeviceMac: source_device_mac
SourceDeviceModel: source_device_model
SourceDeviceOSFamily: source_device_osfamily
SourceDeviceOSVersion: source_device_osversion
SourceDeviceProfile: source_device_profile
SourceDeviceVendor: source_device_vendor
SourceIP: source_ip.value
Subtype: sub_type.value
TimeGenerated: time_generated
TimeGeneratedHighResolution: time_generated_high_res
User: user
UserAgentString: user_agent
VendorName: vendor_name
VirtualLocation: vsys
VirtualSystemID: vsys_id
VirtualSystemName: vsys_name

Authentication LEEF Fields

Example Authentication log in LEEF:
Oct 14 19:48:39 xxx.xx.x.xx 1 2020-10-22T22:35:56.409Z stream-logfwd20-468367654-10221530-0p6k-harness-xtb4 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|LF|2.0|AUTH| |profileToken=Palotoken AuthenticationDescription="www.something" AuthEvent=user not allowed AuthFactorNo=1 AuthenticationPolicy=SVN AuthenticationProtocol= AuthServerProfile=deny-attackers AuthenticatedUserDomain=paloaltonetwork AuthenticatedUserName=xxxxx AuthenticatedUserUUID= ClientType=GlobalProtect CountOfRepeats=33554432 CortexDataLakeTenantID=xxxxxxxxxxxxx IsDuplicateLog=false LogExported=false LogForwarded=true IsPrismaNetworks=false IsPrismaUsers=false LogSetting=test LogSource=firewall DeviceSN=xxxxxxxxxxxxx DeviceName=PA-VM LogSourceTimeZoneOffset= TimeReceived=2020-10-21T14:53:23.000000Z EventID=AUTH MFAAuthenticationID=-6914714277873975296 MFAVendor=xxxxx Object=Authentication object2 RuleMatched= RuleMatchedUUID= SequenceNo=34195614 SourceDeviceCategory=src_category_list-0 SourceDeviceHost=src_host_list-1 SourceDeviceMac=src_mac_list-0 SourceDeviceModel=src_model_list-2 SourceDeviceOSFamily=src_osfamily_list-1 SourceDeviceOSVersion=src_osversion_list-0 SourceDeviceProfile=src_profile_list-2 SourceDeviceVendor=src_vendor_list-1 src=::6500:a14:ffff:0 cat=Unknown devTime=2020-10-21T14:53:01.000000Z TimeGeneratedHighResolution=2020-10-21T14:53:02.095000Z Vendor=Palo Alto Networks VirtualLocation=vsys1 VirtualSystemID=1 VirtualSystemName= devTimeFormat=YYYY-MM-DDTHH:MM:SSZ
The following table identifies the Authentication field names that the Log Forwarding app uses when you forward logs using the LEEF log format.
When you create a syslog forwarding profile, you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth) as a parameter called profileToken. In the LEEF sample above it is the first attribute after the delimiter field (profileToken=Palotoken).
Each entry gives the LEEF name, then its query name and its header type (Custom attribute or Predefined LEEF key).
AuthenticationDescription: auth_description; Custom
AuthEvent: auth_event_name.value; Custom
AuthFactorNo: auth_factor_num; Custom
AuthenticationPolicy: auth_policy; Custom
AuthenticationProtocol: auth_proto; Custom
AuthServerProfile: auth_server_profile; Custom
AuthenticatedUserDomain: authenticated_user_info.domain; Custom
AuthenticatedUserName: authenticated_user_info.name; Custom
AuthenticatedUserUUID: authenticated_user_info.uuid; Custom
ClientType: client_type; Custom
ClientTypeName: client_type_name.value; Custom
ConfigVersion: config_version.value; Custom
CountOfRepeats: count_of_repeats; Custom
CortexDataLakeTenantID: customer_id; Custom
DGHierarchyLevel1: dg_hier_level_1; Custom
DGHierarchyLevel2: dg_hier_level_2; Custom
DGHierarchyLevel3: dg_hier_level_3; Custom
DGHierarchyLevel4: dg_hier_level_4; Custom
IsDuplicateLog: is_dup_log; Custom
LogExported: is_exported; Custom
LogForwarded: is_forwarded; Custom
IsPrismaNetworks: is_prisma_branch; Custom
IsPrismaUsers: is_prisma_mobile; Custom
Location: location; Custom
LogSetting: log_set; Custom
LogSource: log_source; Custom
DeviceSN: log_source_id; Custom
DeviceName: log_source_name; Custom
LogSourceTimeZoneOffset: log_source_tz_offset; Custom
TimeReceived: log_time; Custom
EventID: log_type.value; Custom
MFAAuthenticationID: mfa_auth_id; Custom
MFAVendor: mfa_vendor; Custom
usrName: normalize_user; Predefined
Object: object; Custom
RuleMatched: rule_matched; Custom
RuleMatchedUUID: rule_matched_uuid; Custom
SequenceNo: sequence_no; Custom
AuthCacheServiceRegion: service_region; Custom
SessionID: session_id; Custom
SourceDeviceCategory: source_device_category; Custom
SourceDeviceHost: source_device_host; Custom
SourceDeviceMac: source_device_mac; Custom
SourceDeviceModel: source_device_model; Custom
SourceDeviceOSFamily: source_device_osfamily; Custom
SourceDeviceOSVersion: source_device_osversion; Custom
SourceDeviceProfile: source_device_profile; Custom
SourceDeviceVendor: source_device_vendor; Custom
src: source_ip.value; Predefined
cat: sub_type.value; Predefined
devTime: time_generated; Predefined
TimeGeneratedHighResolution: time_generated_high_res; Custom
User: user; Custom
UserAgentString: user_agent; Custom
Vendor: vendor_name; Custom
VirtualLocation: vsys; Custom
VirtualSystemID: vsys_id; Custom
VirtualSystemName: vsys_name; Custom
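As with CEF, the LEEF output does not quote most values (AuthEvent=user not allowed AuthFactorNo=1, while AuthenticationDescription="www.something" is quoted), its sixth header field names the attribute delimiter (a single space in the sample), and the sample's devTime carries microseconds although devTimeFormat declares YYYY-MM-DDTHH:MM:SSZ. The following is an added example written for this page, not code from Palo Alto Networks or the Log Forwarding app. It parses constructed LEEF lines modelled on the sample (all users, addresses, IDs and the "Primary Factor OK" event string are placeholders), then uses two fields the page defines: MFAAuthenticationID to tie the primary factor (AuthFactorNo=1) to the additional factors of the same login attempt, and AuthEvent to count failed attempts per user in a sliding window. Which AuthEvent strings mean failure is not defined on this page; FAILURE_MARKERS is an assumption derived from the three sample strings and should be tuned to your own feed. The same look-ahead split also handles the EMAIL body, where values such as Object=Authentication object3 are likewise unquoted.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LEEF_HEADER_FIELDS = ("LEEFVersion", "Vendor", "Product", "Version", "EventID")
# Same split rule as the CEF output: values are not quoted ('AuthEvent=user not allowed
# AuthFactorNo=1'), so a value runs until the next ' key=' token or the end of the line.
_KV_SPACE = re.compile(r"(?P<key>[A-Za-z0-9_.]+)=(?P<value>.*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)")
# Assumption: the page shows the AuthEvent strings 'Invalid Certificate', 'User Password
# Failure' and 'user not allowed' but never defines which strings mean failure; tune this set.
FAILURE_MARKERS = ("failure", "invalid", "not allowed")


def _leef_delimiter(spec: str) -> str:
    """LEEF 2.0 sixth header field: empty means tab, 'xHH' is a hex code, else the literal char."""
    if spec == "":
        return "\t"
    return chr(int(spec[1:], 16)) if re.fullmatch(r"x[0-9A-Fa-f]{2}", spec) else spec


def parse_leef(line: str) -> Dict[str, str]:
    """Parse one LEEF 2.0 record (syslog prefix allowed) into a flat dict of header + attributes."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF record in line")
    parts = line[start + len("LEEF:"):].split("|", 6)
    if len(parts) != 7:
        raise ValueError("expected a LEEF 2.0 header: five fields plus the delimiter field")
    record = dict(zip(LEEF_HEADER_FIELDS, parts[:5]))
    delim, attrs = _leef_delimiter(parts[5]), parts[6]
    if delim == " ":
        pairs = [(m.group("key"), m.group("value")) for m in _KV_SPACE.finditer(attrs)]
    else:
        pairs = [tok.split("=", 1) for tok in attrs.split(delim) if "=" in tok]
    for key, value in pairs:
        if len(value) >= 2 and value[0] == value[-1] == '"':  # only some values are quoted
            value = value[1:-1]
        record[key] = value
    return record


def dev_time(record: Dict[str, str]) -> datetime:
    """devTimeFormat in the sample says YYYY-MM-DDTHH:MM:SSZ, but devTime itself carries
    microseconds (2020-10-21T14:53:01.000000Z); accept both rather than trusting the label."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(record["devTime"], fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised devTime: " + record.get("devTime", ""))


def is_failure(record: Dict[str, str]) -> bool:
    event = record.get("AuthEvent", "").lower()
    return any(marker in event for marker in FAILURE_MARKERS)


def failure_bursts(records, window=timedelta(minutes=5), threshold=3) -> Dict[str, int]:
    """Per usrName, the most failed records inside any `window`; returns users at or above `threshold`."""
    times = defaultdict(list)
    for r in records:
        if is_failure(r):
            times[r.get("usrName", "?")].append(dev_time(r))
    hits = {}
    for user, ts in times.items():
        ts.sort()
        best, j = 0, 0
        for i in range(len(ts)):  # two-pointer sliding window over sorted timestamps
            while j < len(ts) and ts[j] - ts[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            hits[user] = best
    return hits


def mfa_chains(records) -> Dict[str, List[Tuple[int, str]]]:
    """Group by MFAAuthenticationID, which ties the primary factor (AuthFactorNo=1) to the
    additional factors (2, 3) of the same login attempt; each chain is ordered by factor."""
    chains = defaultdict(list)
    for r in records:
        if r.get("MFAAuthenticationID"):
            chains[r["MFAAuthenticationID"]].append((int(r["AuthFactorNo"]), r["AuthEvent"]))
    return {k: sorted(v) for k, v in chains.items()}


def _sample(ts, user, factor, event, mfa_id, src):
    """Constructed line in the shape of the page's LEEF sample; every value is a placeholder."""
    return ("Oct 21 14:53:23 10.0.0.5 1 2020-10-21T14:53:23.409Z lf-host logforwarder - panwlogs - "
            "LEEF:2.0|Palo Alto Networks|LF|2.0|AUTH| |profileToken=tok "
            f"AuthenticationDescription=\"www.something\" AuthEvent={event} AuthFactorNo={factor} "
            "AuthenticationPolicy=corp-mfa AuthServerProfile=corp-radius AuthenticatedUserDomain=example "
            f"usrName=example\\{user} EventID=AUTH MFAAuthenticationID={mfa_id} MFAVendor=Duo "
            f"src={src} cat=Unknown devTime={ts} VirtualLocation=vsys1 devTimeFormat=YYYY-MM-DDTHH:MM:SSZ")


SAMPLE_LINES = [
    _sample("2020-10-21T14:53:01.000000Z", "alice", 1, "User Password Failure", "-101", "203.0.113.10"),
    _sample("2020-10-21T14:53:40.000000Z", "alice", 1, "User Password Failure", "-102", "203.0.113.10"),
    _sample("2020-10-21T14:54:15.000000Z", "alice", 1, "User Password Failure", "-103", "203.0.113.10"),
    _sample("2020-10-21T14:55:02.000000Z", "bob", 1, "Primary Factor OK", "-200", "198.51.100.7"),
    _sample("2020-10-21T14:55:20.000000Z", "bob", 2, "Invalid Certificate", "-200", "198.51.100.7"),
]

if __name__ == "__main__":
    parsed = [parse_leef(line) for line in SAMPLE_LINES]
    print("bursts:", failure_bursts(parsed), "chains:", mfa_chains(parsed))
```

On the constructed input, alice's three password failures inside 74 seconds trip the burst rule while bob's single second-factor failure does not, and the chain for MFAAuthenticationID -200 shows the factor-1 record followed by the factor-2 certificate failure, which is the view to use when deciding whether a primary credential has been compromised but the second factor held.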
