Strata Logging Service
Authentication
Authentication logs contain information about authentication events seen by the next-generation firewall. These events occur when users access network resources that are controlled by authentication policy rules. Authentication logs never appear in Strata Logging Service if the associated firewalls are not configured with authentication policies.

Authentication logs are most frequently written when the next-generation firewall is configured as a Multi-Factor Authentication gateway and an end user is using it to authenticate.

See the following for information related to supported log formats:
| AUTHENTICATION Field (Display Name) | Description | Syslog field name | CEF field name | EMAIL field name | HTTPS field name | LEEF field name |
|---|---|---|---|---|---|---|
| auth_description (AUTHENTICATION DESCRIPTION) | Additional authentication information. | Syslog Field Order | PanOSAuthenticationDescription | AuthenticationDescription | AuthenticationDescription | AuthenticationDescription |
| auth_event_name.value (AUTH EVENT) | The authentication event that caused the firewall to create this log record. | Syslog Field Order | msg | AuthEvent | AuthEvent | EventID |
| auth_factor_num (AUTH FACTOR NO) | Indicates the use of primary authentication (1) or additional factors (2, 3). | Syslog Field Order | cn1 | AuthFactorNo | AuthFactorNo | AuthFactorNo |
| auth_policy (AUTHENTICATION POLICY) | Policy invoked for authentication before allowing access to a protected resource. | Syslog Field Order | cs4 | AuthenticationPolicy | AuthenticationPolicy | AuthenticationPolicy |
| auth_proto (AUTHENTICATION PROTOCOL) | Indicates the authentication protocol used by the server. For example, PEAP with GTC. | Syslog Field Order | PanOSAuthenticationProtocol | AuthenticationProtocol | AuthenticationProtocol | AuthenticationProtocol |
| auth_server_profile (AUTH SERVER PROFILE) | Authentication server used for authentication. | Syslog Field Order | cs1 | AuthServerProfile | AuthServerProfile | AuthServerProfile |
| authenticated_user_info.domain (AUTHENTICATED USER DOMAIN) | Domain to which the user who is being authenticated belongs. | | PanOSAuthenticatedUserDomain | AuthenticatedUserDomain | AuthenticatedUserDomain | AuthenticatedUserDomain |
| authenticated_user_info.name (AUTHENTICATED USER NAME) | Name of the user who is being authenticated. | | PanOSAuthenticatedUserName | AuthenticatedUserName | AuthenticatedUserName | AuthenticatedUserName |
| authenticated_user_info.uuid (AUTHENTICATED USER UUID) | Unique identifier assigned to the user who is being authenticated. | | PanOSAuthenticatedUserUUID | AuthenticatedUserUUID | AuthenticatedUserUUID | AuthenticatedUserUUID |
| client_type (CLIENT TYPE) | Type of client used to complete authentication (such as authentication portal). | Syslog Field Order | cs5 | ClientType | ClientType | ClientType |
| client_type_name.value (CLIENT TYPE NAME) | Type of client used to complete authentication. | | PanOSClientTypeName | ClientTypeName | ClientTypeName | ClientTypeName |
| config_version.value (CONFIG VERSION) | Version number of the firewall operating system that wrote this log record. | Syslog Field Order | PanOSConfigVersion | ConfigVersion | ConfigVersion | ConfigVersion |
| count_of_repeats (COUNT OF REPEATS) | Number of sessions with the same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval. | Syslog Field Order | cnt | CountOfRepeats | CountOfRepeats | CountOfRepeats |
| customer_id (TENANT ID) | The ID that uniquely identifies the Strata Logging Service instance which received this log record. | | PanOSCortexDataLakeTenantID | CortexDataLakeTenantID | CortexDataLakeTenantID | CortexDataLakeTenantID |
| dg_hier_level_1 (DG HIERARCHY LEVEL 1) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. | Syslog Field Order | PanOSDGHierarchyLevel1 | DGHierarchyLevel1 | DGHierarchyLevel1 | DGHierarchyLevel1 |
| dg_hier_level_2 (DG HIERARCHY LEVEL 2) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. | Syslog Field Order | PanOSDGHierarchyLevel2 | DGHierarchyLevel2 | DGHierarchyLevel2 | DGHierarchyLevel2 |
| dg_hier_level_3 (DG HIERARCHY LEVEL 3) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. | Syslog Field Order | PanOSDGHierarchyLevel3 | DGHierarchyLevel3 | DGHierarchyLevel3 | DGHierarchyLevel3 |
| dg_hier_level_4 (DG HIERARCHY LEVEL 4) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. | Syslog Field Order | PanOSDGHierarchyLevel4 | DGHierarchyLevel4 | DGHierarchyLevel4 | DGHierarchyLevel4 |
| is_dup_log (IS DUPLICATE LOG) | Indicates whether this log data is available in multiple locations, such as from the Logging Service and also from an on-premise log collector. | | PanOSIsDuplicateLog | IsDuplicateLog | IsDuplicateLog | IsDuplicateLog |
| is_exported (LOG EXPORTED) | Indicates if this log was exported from the firewall using the firewall's log export function. | | PanOSLogExported | LogExported | LogExported | LogExported |
| is_forwarded (LOG FORWARDED) | Internal-use field that indicates if the log is being forwarded. | | PanOSLogForwarded | LogForwarded | LogForwarded | LogForwarded |
| is_prisma_branch (IS PRISMA NETWORKS) | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. | | PanOSIsPrismaNetworks | IsPrismaNetworks | IsPrismaNetworks | IsPrismaNetworks |
| is_prisma_mobile (IS PRISMA USERS) | Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. | | PanOSIsPrismaUsers | IsPrismaUsers | IsPrismaUsers | IsPrismaUsers |
| location (PRISMA ACCESS LOCATION) | Prisma Access Region/Location. | | PanOSLocation | Location | Location | Location |
| log_set (LOG SETTING) | Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator. | Syslog Field Order | cs6 | LogSetting | LogSetting | LogSetting |
| log_source (LOG SOURCE) | Identifies the origin of the data, that is, the system that produced the data. | | PanOSLogSource | LogSource | LogSource | LogSource |
| log_source_group_id (LOG SOURCE GROUP ID) | ID that uniquely identifies the logSourceGroupId of the log, that is, the log_source_id of the group. | | LogSourceGroupID | LogSourceGroupID | LogSourceGroupID | LogSourceGroupID |
| log_source_id (DEVICE SN) | ID that uniquely identifies the source of the log, that is, the serial number of the firewall that generated the log. If the log is generated by Prisma Access, the serial number is not displayed. | Syslog Field Order | deviceExternalId | DeviceSN | DeviceSN | DeviceSN |
| log_source_name (DEVICE NAME) | Name of the source of the log, that is, the hostname of the firewall that logged the network traffic. | Syslog Field Order | dvchost | DeviceName | DeviceName | DeviceName |
| log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET) | Time zone offset from GMT of the source of the log. | | PanOSLogSourceTimeZoneOffset | LogSourceTimeZoneOffset | LogSourceTimeZoneOffset | LogSourceTimeZoneOffset |
| log_time (TIME RECEIVED) | Time the log was received in Strata Logging Service. This string contains a timestamp value that is the number of microseconds since the Unix epoch. | Syslog Field Order | rt | TimeReceived | TimeReceived | TimeReceived |
| log_type.value (LOG TYPE) | Identifies the log type. | Syslog Field Order | DeviceEventClassId | LogType | LogType | cat |
| mfa_auth_id (MFA AUTHENTICATION ID) | Unique ID given across primary authentication and additional (multi-factor) authentication. | Syslog Field Order | cn2 | MFAAuthenticationID | MFAAuthenticationID | MFAAuthenticationID |
| mfa_vendor (MFA VENDOR) | Vendor providing additional factor authentication. | Syslog Field Order | PanOSMFAVendor | MFAVendor | MFAVendor | MFAVendor |
| normalize_user (NORMALIZE USER) | Normalized version of the username being authenticated (such as appending a domain name to the username). | Syslog Field Order | cs2 | NormalizeUser | NormalizeUser | usrName |
| object (OBJECT) | Name of the object associated with the system event. | Syslog Field Order | fname | Object | Object | Object |
| panorama_serial (PANORAMA SN) | Panorama serial number associated with CDL. | | PanOSPanoramaSN | PanoramaSN | PanoramaSN | PanoramaSN |
| platform_type (PLATFORM TYPE) | The platform type (valid types are VM, PA, NGFW, CNGFW). | | PlatformType | PlatformType | PlatformType | PlatformType |
| rule_matched (RULE MATCHED) | Name of the security policy rule that the network traffic matched. | | PanOSRuleMatched | RuleMatched | RuleMatched | RuleMatched |
| rule_matched_uuid (RULE MATCHED UUID) | Unique identifier for the security policy rule that the network traffic matched. | Syslog Field Order | PanOSRuleMatchedUUID | RuleMatchedUUID | RuleMatchedUUID | RuleMatchedUUID |
| sequence_no (SEQUENCE NO) | The log entry identifier, which is incremented sequentially. Each log type has a unique number space. | Syslog Field Order | externalId | SequenceNo | SequenceNo | SequenceNo |
| service_region (AUTH CACHE SERVICE REGION) | Region where the service is deployed. | Syslog Field Order | PanOSAuthCacheServiceRegion | AuthCacheServiceRegion | AuthCacheServiceRegion | AuthCacheServiceRegion |
| session_id (SESSION ID) | Identifies the firewall's internal identifier for a specific network session. | Syslog Field Order | PanOSSessionID | SessionID | SessionID | SessionID |
| source_device_category (SOURCE DEVICE CATEGORY) | Category of the device from which the session originated. | Syslog Field Order | PanOSSourceDeviceCategory | SourceDeviceCategory | SourceDeviceCategory | SourceDeviceCategory |
| source_device_host (SOURCE DEVICE HOST) | Hostname of the device from which the session originated. | Syslog Field Order | PanOSSourceDeviceHost | SourceDeviceHost | SourceDeviceHost | SourceDeviceHost |
| source_device_mac (SOURCE DEVICE MAC) | MAC address of the device from which the session originated. | Syslog Field Order | PanOSSourceDeviceMac | SourceDeviceMac | SourceDeviceMac | SourceDeviceMac |
| source_device_model (SOURCE DEVICE MODEL) | Model of the device from which the session originated. | Syslog Field Order | PanOSSourceDeviceModel | SourceDeviceModel | SourceDeviceModel | SourceDeviceModel |
| source_device_osfamily (SOURCE DEVICE OS FAMILY) | OS family of the device from which the session originated. | Syslog Field Order | PanOSSourceDeviceOSFamily | SourceDeviceOSFamily | SourceDeviceOSFamily | SourceDeviceOSFamily |
| source_device_osversion (SOURCE DEVICE OS VERSION) | OS version of the device from which the session originated. | Syslog Field Order | PanOSSourceDeviceOSVersion | SourceDeviceOSVersion | SourceDeviceOSVersion | SourceDeviceOSVersion |
| source_device_profile (SOURCE DEVICE PROFILE) | Profile of the device from which the session originated. | Syslog Field Order | PanOSSourceDeviceProfile | SourceDeviceProfile | SourceDeviceProfile | SourceDeviceProfile |
| source_device_vendor (SOURCE DEVICE VENDOR) | Vendor of the device from which the session originated. | Syslog Field Order | PanOSSourceDeviceVendor | SourceDeviceVendor | SourceDeviceVendor | SourceDeviceVendor |
| sub_type.value (SUBTYPE) | Identifies the log subtype. | Syslog Field Order | Name | Subtype | Subtype | SubType |
| time_generated (TIME GENERATED) | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. | Syslog Field Order | start | TimeGenerated | TimeGenerated | devTime |
| time_generated_high_res (TIME GENERATED HIGH RESOLUTION) | Time the log was generated on the data plane with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. | Syslog Field Order | PanOSTimeGeneratedHighResolution | TimeGeneratedHighResolution | TimeGeneratedHighResolution | TimeGeneratedHighResolution |
| user (USER) | End user being authenticated. | Syslog Field Order | duser | User | User | User |
| user_agent (USER AGENT STRING) | The User Agent field specifies the web browser that the user used to access the URL. | Syslog Field Order | PanOSUserAgentString | UserAgentString | UserAgentString | UserAgentString |
| vendor_name (VENDOR NAME) | Identifies the vendor that produced the data. | | Device Vendor | VendorName | VendorName | Vendor |
| vsys (VIRTUAL LOCATION) | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. | Syslog Field Order | cs3 | VirtualLocation | VirtualLocation | VirtualLocation |
| vsys_id (VIRTUAL SYSTEM ID) | A unique identifier for a virtual system on a Palo Alto Networks firewall. | Syslog Field Order | PanOSVirtualSystemID | VirtualSystemID | VirtualSystemID | VirtualSystemID |
| vsys_name (VIRTUAL SYSTEM NAME) | The name of the virtual system associated with the network traffic. | Syslog Field Order | PanOSVirtualSystemName | VirtualSystemName | VirtualSystemName | VirtualSystemName |
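The CEF column of the table uses short extension keys (cn1, cn2, cs1 through cs6, duser, rt, start, externalId and so on) that a collector has to map back to the field names in the first column, and the auth_factor_num and mfa_auth_id descriptions explain that the primary-factor record (1) and the additional-factor records (2, 3) of one login share one MFA authentication ID. The Python below is an added example, not Strata Logging Service or PAN-OS code: it parses a CEF record following the CEF header and extension escaping rules, renames the keys according to the table, and groups records by mfa_auth_id so that logins for which only a primary factor was logged can be listed for review. The three log lines are constructed; their header values (product, version, event class ID, name, severity), the serial number and the MFA vendor string are placeholders, not captured firewall output.

```python
"""Parse PAN-OS authentication logs forwarded as CEF, map the CEF keys from
the field reference above onto Strata Logging Service field names, and
correlate primary and additional-factor records through mfa_auth_id (cn2).
Added example, not Strata Logging Service or PAN-OS code; sample lines and
header values are constructed placeholders."""
import re
from collections import defaultdict

# CEF extension key -> Strata Logging Service field name, from the table above.
# Keys already spelled PanOS<FieldName> are kept as they are.
CEF_KEY_MAP = {
    "cn1": "auth_factor_num", "cn2": "mfa_auth_id", "cnt": "count_of_repeats",
    "cs1": "auth_server_profile", "cs2": "normalize_user", "cs3": "vsys",
    "cs4": "auth_policy", "cs5": "client_type", "cs6": "log_set",
    "deviceExternalId": "log_source_id", "duser": "user",
    "dvchost": "log_source_name", "externalId": "sequence_no",
    "fname": "object", "msg": "auth_event_name", "rt": "log_time",
    "start": "time_generated",
}

# Header: 7 pipe-delimited fields before the extension; a literal pipe inside
# a header field is escaped as "\|", so split on unescaped pipes only.
_HEADER_PIPE = re.compile(r"(?<!\\)\|")
# Extension key: word characters directly followed by "=" at the start of the
# extension or after whitespace; an escaped "\=" inside a value never matches.
_EXT_KEY = re.compile(r"(?:^|\s)([\w.]+)=")
# CEF escapes backslash, pipe and equals with a leading backslash; \n and \r
# stand for line breaks.
_ESCAPE = re.compile(r"\\(.)")


def _unescape(text: str) -> str:
    return _ESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def parse_extension(ext: str) -> dict:
    """Turn 'k1=v1 k2=value with spaces' into a dict; values are unescaped."""
    keys = list(_EXT_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields


def parse_cef(line: str) -> dict:
    """Return one record keyed by the field names used in the table above."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _HEADER_PIPE.split(line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    version, vendor, product, dev_version, class_id, name, severity, ext = parts
    record = {
        "cef_version": version[len("CEF:"):],
        "vendor_name": _unescape(vendor),     # CEF "Device Vendor"
        "device_product": _unescape(product),
        "device_version": _unescape(dev_version),
        "log_type": _unescape(class_id),      # CEF "DeviceEventClassId"
        "sub_type": _unescape(name),          # CEF "Name"
        "severity": _unescape(severity),
    }
    for key, value in parse_extension(ext).items():
        record[CEF_KEY_MAP.get(key, key)] = value
    return record


def factors_by_auth_id(records) -> dict:
    """Group records sharing an mfa_auth_id: user, factor numbers, events seen."""
    grouped = defaultdict(lambda: {"user": None, "factors": set(), "events": []})
    for r in records:
        auth_id, factor = r.get("mfa_auth_id"), r.get("auth_factor_num")
        if auth_id is None or factor is None:
            continue  # record is not part of an MFA sequence
        entry = grouped[auth_id]
        entry["user"] = r.get("user")
        entry["factors"].add(int(factor))
        entry["events"].append(r.get("auth_event_name"))
    return dict(grouped)


def primary_only_auth_ids(records) -> list:
    """mfa_auth_ids whose records show factor 1 but no additional factor."""
    return sorted(a for a, e in factors_by_auth_id(records).items() if e["factors"] == {1})


# Constructed sample records (not captured firewall output); header values,
# the serial number and the MFA vendor string are placeholders.
SAMPLE_LINES = [
    r"CEF:0|Palo Alto Networks|PAN-OS|11.0.0|AUTHENTICATION|auth-success|3|"
    r"rt=1700000000000000 start=1700000000000000 dvchost=edge-fw-01 "
    r"deviceExternalId=SN-PLACEHOLDER cs3=vsys1 duser=jdoe cs2=corp\\jdoe "
    r"cs4=mfa-for-finance cs1=corp-ldap cs5=authentication portal cn1=1 cn2=42 "
    r"msg=primary authentication succeeded externalId=1001 "
    r"PanOSAuthenticationProtocol=PEAP with GTC",
    r"CEF:0|Palo Alto Networks|PAN-OS|11.0.0|AUTHENTICATION|auth-success|3|"
    r"rt=1700000005000000 start=1700000005000000 dvchost=edge-fw-01 "
    r"deviceExternalId=SN-PLACEHOLDER cs3=vsys1 duser=jdoe cs2=corp\\jdoe "
    r"cs4=mfa-for-finance cs1=corp-ldap cs5=authentication portal cn1=2 cn2=42 "
    r"PanOSMFAVendor=example-mfa-vendor "
    r"PanOSAuthenticationDescription=vendor response\=approved "
    r"msg=additional factor succeeded externalId=1002",
    r"CEF:0|Palo Alto Networks|PAN-OS|11.0.0|AUTHENTICATION|auth-success|3|"
    r"rt=1700000010000000 start=1700000010000000 dvchost=edge-fw-01 "
    r"deviceExternalId=SN-PLACEHOLDER cs3=vsys1 duser=asmith cs2=corp\\asmith "
    r"cs4=mfa-for-finance cs1=corp-ldap cs5=authentication portal cn1=1 cn2=43 "
    r"msg=primary authentication succeeded externalId=1003",
]

if __name__ == "__main__":
    records = [parse_cef(line) for line in SAMPLE_LINES]
    for auth_id, entry in factors_by_auth_id(records).items():
        print(auth_id, entry["user"], sorted(entry["factors"]), entry["events"])
    print("primary factor only:", primary_only_auth_ids(records))
```

The extension parser locates keys rather than splitting on spaces, because CEF values such as `cs5=authentication portal` or `msg=...` legitimately contain spaces, and the `\=` and `\\` escapes are resolved only after the value boundaries are known. Whether an ID that shows only factor 1 is a problem depends on the policy: for a rule that requires an additional factor it marks an MFA sequence that never completed, while for a primary-only policy it is the normal shape of every login.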