Authentication LEEF Fields

Example Authentication log in LEEF:
Sep 21 07:25:05 gke-standard-cluster-2-pool-3-f004381a-0gw6 1412 <14>1 2021-09-21T07:25:05.173Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|null|authentication success| |TimeReceived=2021-09-21 07:25:01.057423 DeviceSN=xxxxxxxxxxxxx cat=auth SubType=Unknown ConfigVersion= devTime=2021-09-21 07:25:01.057449 VirtualLocation=vsys1 src=xxx.xx.x.xx User= usrName=paloaltonetworkxxxxx Object=Authentication object5 AuthenticationPolicy=Captive Portal CountOfRepeats=1 MFAAuthenticationID=1112 MFAVendor=xxxxx LogSetting=test AuthServerProfile=deny-time-wasters AuthenticationDescription=www.this.is.another.wannabe.long.url.com/and/it/is/getting/there/by/adding/some/junk/at/the/end/of/the/url/dsakjhfskdjhfksjdhfkhk235hk2jh2kjhkhk23jhk5jh2435kjh45k3jh5k3j4h5k3h45kjh34kj5hkjhkj34hk5jh34k5jhk3j4h5k3jh45kjh34k5jhk34jh5kj34h5kjh43kj5hk34jh5k3j4h5k3j4hghhg4j5h3g ClientType=Unknown AuthFactorNo=0 SequenceNo=6711379990526558227 DGHierarchyLevel1=12 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=PA-5220 VirtualSystemID=1 AuthenticationProtocol=PAP RuleMatchedUUID= TimeGeneratedHighResolution= SourceDeviceCategory= SourceDeviceProfile= SourceDeviceModel= SourceDeviceVendor= SourceDeviceOSFamily= SourceDeviceOSVersion= SourceDeviceHost= SourceDeviceMac= AuthCacheServiceRegion= UserAgentString= SessionID= devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ
The following table identifies the Authentication field names that the Log Forwarding app uses when you forward logs using the LEEF log format.
When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example,
TRAFFIC
,
THREAT
,
HIPMATCH
, and so forth). The token will appear on a parameter called
profileToken
.
LEEF Name
Query Name
Field Type
AuthenticationDescription
Custom
EventID
Header
AuthFactorNo
Custom
AuthenticationPolicy
Custom
AuthenticationProtocol
Custom
AuthServerProfile
Custom
AuthenticatedUserDomain
Custom
AuthenticatedUserName
Custom
AuthenticatedUserUUID
Custom
ClientType
Custom
ClientTypeName
Custom
ConfigVersion
Custom
CountOfRepeats
Custom
CortexDataLakeTenantID
Custom
DGHierarchyLevel1
Custom
DGHierarchyLevel2
Custom
DGHierarchyLevel3
Custom
DGHierarchyLevel4
Custom
IsDuplicateLog
Custom
LogExported
Custom
LogForwarded
Custom
IsPrismaNetworks
Custom
IsPrismaUsers
Custom
Location
Custom
LogSetting
Custom
LogSource
Custom
DeviceSN
Custom
DeviceName
Custom
LogSourceTimeZoneOffset
Custom
TimeReceived
Custom
cat
Predefined
MFAAuthenticationID
Custom
MFAVendor
Custom
usrName
Predefined
Object
Custom
RuleMatched
Custom
RuleMatchedUUID
Custom
SequenceNo
Custom
AuthCacheServiceRegion
Custom
SessionID
Custom
SourceDeviceCategory
Custom
SourceDeviceHost
Custom
SourceDeviceMac
Custom
SourceDeviceModel
Custom
SourceDeviceOSFamily
Custom
SourceDeviceOSVersion
Custom
SourceDeviceProfile
Custom
SourceDeviceVendor
Custom
src
Predefined
SubType
Custom
devTime
Predefined
TimeGeneratedHighResolution
Custom
User
Custom
UserAgentString
Custom
Vendor
Header
VirtualLocation
Custom
VirtualSystemID
Custom
VirtualSystemName
Custom

Recommended For You