Authentication CEF Fields

Example Authentication log in CEF:
Mar 1 21:05:25 xxx.xx.x.xx 2206 <14>1 2021-03-01T21:05:25.508Z stream-logfwd20-587718190-03011255-ut6o-harness-5vlj logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|AUTH|Radius|3|ProfileToken=xxxxx dtz=UTC rt=Feb 28 2021 18:20:54 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion=10.0 PanOSAuthenticatedUserDomain=paloaltonetwork PanOSAuthenticatedUserName=xxxxx PanOSAuthenticatedUserUUID= PanOSClientTypeName= PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSRuleMatched= start=Feb 28 2021 18:20:40 cs3=vsys1 cs3Label=VirtualLocation c6a2=::ffff:0 c6a2Label=Source IPv6 Address c6a3=::ffff:0 c6a3Label=Destination IPv6 Address duser=paloaltonetwork\\xxxxx cs2=paloaltonetwork\\xxxxx cs2Label=NormalizeUser fname=Authentication object2 cs4=DC cs4Label=AuthenticationPolicy cnt=33554432 cn2=-5257671089978343424 cn2Label=MFAAuthenticationID PanOSMFAVendor=Symantec VIP cs6=rs-logging cs6Label=LogSetting cs1=deny-attackers cs1Label=AuthServerProfile PanOSAuthenticationDescription=www.something cs5=Unknown cs5Label=ClientType msg=Invalid Certificate cn1=0 cn1Label=AuthFactorNo externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSVirtualSystemID=1 PanOSAuthenticationProtocol=EAP-TTLS with PAP PanOSRuleMatchedUUID= PanOSTimeGeneratedHighResolution=Feb 28 2021 18:20:41 PanOSSourceDeviceCategory=src_category_list-1 PanOSSourceDeviceProfile=src_profile_list-1 PanOSSourceDeviceModel=src_model_list-1 PanOSSourceDeviceVendor=src_vendor_list-1 PanOSSourceDeviceOSFamily=src_osfamily_list-0 PanOSSourceDeviceOSVersion=src_osversion_list-2 PanOSSourceDeviceHost=src_host_list-0 PanOSSourceDeviceMac=src_mac_list-2 PanOSAuthCacheServiceRegion= PanOSUserAgentString= PanOSSessionID=
The following table identifies the Authentication field names that the Log Forwarding app uses when you forward logs using the CEF log format.
| CEF Name | Query Name | Header Type | Label | Label Text | Max Length |
|---|---|---|---|---|---|
| PanOSAuthenticationDescription | auth_description | Custom | | | |
| msg | | Predefined | | | 1023 |
| cn1 | auth_factor_num | Predefined | cn1Label | AuthFactorNo | |
| cs4 | auth_policy | Predefined | cs4Label | AuthenticationPolicy | 4000 |
| PanOSAuthenticationProtocol | auth_proto | Custom | | | |
| cs1 | | Predefined | cs1Label | AuthServerProfile | 4000 |
| PanOSAuthenticatedUserDomain | | Custom | | | |
| PanOSAuthenticatedUserName | | Custom | | | |
| PanOSAuthenticatedUserUUID | | Custom | | | |
| cs5 | client_type | Predefined | cs5Label | ClientType | 4000 |
| PanOSClientTypeName | | Custom | | | |
| PanOSConfigVersion | | Custom | | | |
| cnt | count_of_repeats | Predefined | | | |
| PanOSCortexDataLakeTenantID | customer_id | Custom | | | |
| PanOSDGHierarchyLevel1 | dg_hier_level_1 | Custom | | | |
| PanOSDGHierarchyLevel2 | dg_hier_level_2 | Custom | | | |
| PanOSDGHierarchyLevel3 | dg_hier_level_3 | Custom | | | |
| PanOSDGHierarchyLevel4 | dg_hier_level_4 | Custom | | | |
| PanOSIsDuplicateLog | is_dup_log | Custom | | | |
| PanOSLogExported | is_exported | Custom | | | |
| PanOSLogForwarded | is_forwarded | Custom | | | |
| PanOSIsPrismaNetworks | is_prisma_branch | Custom | | | |
| PanOSIsPrismaUsers | is_prisma_mobile | Custom | | | |
| PanOSLocation | location | Custom | | | |
| cs6 | log_set | Predefined | cs6Label | LogSetting | 4000 |
| PanOSLogSource | log_source | Custom | | | |
| deviceExternalId | log_source_id | Predefined | | | 255 |
| dvchost | log_source_name | Predefined | | | 100 |
| PanOSLogSourceTimeZoneOffset | | Custom | | | |
| rt | log_time | Predefined | | | |
| DeviceEventClassId | log_type.value | Custom | | | |
| cn2 | mfa_auth_id | Predefined | cn2Label | MFAAuthenticationID | |
| PanOSMFAVendor | mfa_vendor | Custom | | | |
| cs2 | normalize_user | Predefined | cs2Label | NormalizeUser | 4000 |
| fname | object | Predefined | | | 1023 |
| PanOSRuleMatched | rule_matched | Custom | | | |
| PanOSRuleMatchedUUID | rule_matched_uuid | Custom | | | |
| externalId | sequence_no | Predefined | | | 40 |
| PanOSAuthCacheServiceRegion | service_region | Custom | | | |
| PanOSSessionID | session_id | Custom | | | |
| PanOSSourceDeviceCategory | | Custom | | | |
| PanOSSourceDeviceHost | source_device_host | Custom | | | |
| PanOSSourceDeviceMac | source_device_mac | Custom | | | |
| PanOSSourceDeviceModel | | Custom | | | |
| PanOSSourceDeviceOSFamily | | Custom | | | |
| PanOSSourceDeviceOSVersion | | Custom | | | |
| PanOSSourceDeviceProfile | | Custom | | | |
| PanOSSourceDeviceVendor | | Custom | | | |
| src and dst, or c6a2 and c6a3 | source_ip.value | Predefined | c6a2Label and c6a3Label (when c6a2 and c6a3 are used) | Source IPv6 Address and Destination IPv6 Address | |
| Name | sub_type.value | Custom | | | |
| start | time_generated | Predefined | | | |
| PanOSTimeGeneratedHighResolution | | Custom | | | |
| duser | user | Predefined | | | 1023 |
| PanOSUserAgentString | user_agent | Custom | | | |
| Device Vendor | vendor_name | Custom | | | |
| cs3 | vsys | Predefined | cs3Label | VirtualLocation | 4000 |
| PanOSVirtualSystemID | vsys_id | Custom | | | |
| PanOSVirtualSystemName | vsys_name | Custom | | | |
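The table above maps many Authentication fields to generic CEF slots (cs1, cn2, c6a2) whose meaning is only recoverable from the matching csNLabel/cnNLabel/c6aNLabel key, and the sample log shows values with spaces (rt, msg, PanOSMFAVendor) and empty values (PanOSAuthenticatedUserUUID). The parser below is an added example, not Palo Alto Networks code; it splits the CEF header on unescaped pipes, parses the extension pairs with those edge cases in mind, and resolves the labels so a detection rule can read `AuthenticationPolicy` instead of `cs4`. The SAMPLE string is a trimmed copy of this page's sample log.

```python
import re
from typing import Any, Dict

# Constructed input: a trimmed copy of this page's sample Authentication log
# (syslog prefix kept, most extension keys dropped to keep the example short).
SAMPLE = (
    "Mar 1 21:05:25 xxx.xx.x.xx 2206 <14>1 2021-03-01T21:05:25.508Z "
    "stream-logfwd20 logforwarder - panwlogs - "
    "CEF:0|Palo Alto Networks|LF|2.0|AUTH|Radius|3|"
    "rt=Feb 28 2021 18:20:54 PanOSAuthenticatedUserUUID= PanOSClientTypeName= "
    "c6a2=::ffff:0 c6a2Label=Source IPv6 Address duser=paloaltonetwork\\\\xxxxx "
    "cs4=DC cs4Label=AuthenticationPolicy cn2=-5257671089978343424 "
    "cn2Label=MFAAuthenticationID PanOSMFAVendor=Symantec VIP cs1=deny-attackers "
    "cs1Label=AuthServerProfile msg=Invalid Certificate cn1=0 cn1Label=AuthFactorNo "
    "PanOSAuthenticationProtocol=EAP-TTLS with PAP dvchost=xxxxx"
)

HEADER_FIELDS = ("device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# An extension value runs until the next " key=" or the end of the line, so
# values containing spaces and empty values are both handled.
EXT_RE = re.compile(r"([A-Za-z0-9_.]+)=(.*?)(?=\s[A-Za-z0-9_.]+=|$)")


def _unescape(value: str) -> str:
    # Undo CEF escaping: "\\" -> "\", "\=" -> "=", "\|" -> "|"
    return re.sub(r"\\([\\=|])", r"\1", value)


def parse_cef(line: str) -> Dict[str, Any]:
    """Parse one syslog-wrapped CEF line into header fields, raw extensions
    and custom fields keyed by their csNLabel/cnNLabel/c6aNLabel text."""
    cef = line[line.index("CEF:"):]
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)  # split on unescaped '|'
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    event: Dict[str, Any] = {"cef_version": parts[0].split(":", 1)[1]}
    event.update(zip(HEADER_FIELDS, (_unescape(p) for p in parts[1:7])))
    ext = {k: _unescape(v) for k, v in EXT_RE.findall(parts[7])}
    # "cs4=DC cs4Label=AuthenticationPolicy" -> labeled["AuthenticationPolicy"] == "DC"
    labeled = {text: ext[key[:-5]] for key, text in ext.items()
               if key.endswith("Label") and key[:-5] in ext}
    event.update(extensions=ext, labeled=labeled)
    return event


if __name__ == "__main__":
    ev = parse_cef(SAMPLE)
    print(ev["signature_id"], ev["name"], ev["labeled"]["AuthenticationPolicy"],
          repr(ev["extensions"]["duser"]), ev["extensions"]["msg"])
```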