File CEF Fields

Example File log in CEF:
Mar 1 21:06:08 xxx.xx.x.xx 3916 <14>1 2021-03-01T21:06:08.438Z stream-logfwd20-587718190-03011255-ut6o-harness-5vlj logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|THREAT|file|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:06:06 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion= PanOSApplicationCategory=collaboration PanOSApplicationContainer= PanOSApplicationRisk=5 PanOSApplicationSubcategory=email PanOSApplicationTechnology=client-server PanOSCaptivePortal=false PanOSCloudHostname=PA-5220 PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDLPVersionFlag= PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom= duser= duid= PanOSFileType=PNG File Upload PanOSInboundInterfaceDetailsPort=19 PanOSInboundInterfaceDetailsSlot=1 PanOSInboundInterfaceDetailsType=ethernet PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=false PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted= PanOSIsDuplicateLog=false PanOSIsEncrypted= PanOSIsIPV6= PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded= PanOSIsSystemReturn=false PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=0 PanOSOutboundInterfaceDetailsPort=19 PanOSOutboundInterfaceDetailsSlot=1 PanOSOutboundInterfaceDetailsType=ethernet PanOSOutboundInterfaceDetailsUnit=0 PanOSPacket= PanOSProfileName= PanOSSanctionedStateOfApp=false PanOSSeverity=Low PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom= suser= suid= PanOSThreatCategory= PanOSThreatNameFirewall= PanOSTunneledApplication=untunneled PanOSURL= PanOSUsers=xxx.xx.x.xx PanOSVirtualSystemID=1 start=Mar 01 2021 21:06:06 src=xxx.xx.x.xx dst=xxx.xx.x.xx sourceTranslatedAddress=xxx.xx.x.xx destinationTranslatedAddress=xxx.xx.x.xx cs1=dg-log-policy cs1Label=Rule suser0= duser0= app=smtp cs3=smtp cs3Label=VirtualLocation cs4=tap cs4Label=FromZone cs5=tap cs5Label=ToZone deviceInboundInterface=ethernet1/19 deviceOutboundInterface=ethernet1/19 cs6=test cs6Label=LogSetting cn1=4016143 cn1Label=SessionID cnt=9 spt=37404 dpt=25 sourceTranslatedPort=0 destinationTranslatedPort=0 proto=tcp act=alert filePath=page-icon.png cs2=any cs2Label=URLCategory flexString2=client to server flexString2Label=DirectionOfAttack externalId=xxxxxxxxxxxxx PanOSSourceLocation=xxx.xx.x.xx-xxx.xx.x.xx PanOSDestinationLocation=xxx.xx.x.xx-xxx.xx.x.xx fileId=0 PanOSFileHash= PanOSReportID= PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStartTime=Jan 01 1970 00:00:00 PanOSTunnel=N/A PanOSContentVersion= PanOSSigFlags=0 PanOSRuleUUID= PanOSHTTP2Connection= PanOSDynamicUserGroup= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= PanOSSourceDeviceMac= PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSDomainEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup= PanOSPartialHash= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSReasonForDataFilteringAction= PanOSJustification= PanOSNSSAINetworkSliceType=
The following table identifies the File field names that the Log Forwarding app uses when you forward logs using the CEF log format.
CEF Name
Field Details
act
Query Name:
action.​value
Header Type:
Predefined
Max Length:
63
app
Query Name:
app
Header Type:
Predefined
Max Length:
31
PanOSApplicationCategory
Query Name:
app_category
Header Type:
Custom
PanOSApplicationSubcategory
Query Name:
app_sub_category
Header Type:
Custom
PanOSCloudHostname
Query Name:
cloud_hostname
Header Type:
Custom
PanOSCloudReportID
Query Name:
cloud_reportid
Header Type:
Custom
PanOSConfigVersion
Header Type:
Custom
PanOSContainerID
Query Name:
container_id
Header Type:
Custom
PanOSApplicationContainer
Query Name:
container_of_app
Header Type:
Custom
PanOSContentVersion
Query Name:
content_version
Header Type:
Custom
cnt
Query Name:
count_of_repeats
Header Type:
Predefined
PanOSCortexDataLakeTenantID
Query Name:
customer_id
Header Type:
Custom
PanOSDestinationDeviceCategory
Header Type:
Custom
PanOSDestinationDeviceClass
Query Name:
dest_device_class
Header Type:
Custom
PanOSDestinationDeviceHost
Query Name:
dest_device_host
Header Type:
Custom
PanOSDestinationDeviceMac
Query Name:
dest_device_mac
Header Type:
Custom
PanOSDestinationDeviceModel
Query Name:
dest_device_model
Header Type:
Custom
PanOSDestinationDeviceOS
Query Name:
dest_device_os
Header Type:
Custom
PanOSDestinationDeviceOSFamily
Header Type:
Custom
PanOSDestinationDeviceOSVersion
Header Type:
Custom
PanOSDestinationDeviceProfile
Header Type:
Custom
PanOSDestinationDeviceVendor
Query Name:
dest_device_vendor
Header Type:
Custom
PanOSDestinationDynamicAddressGroup
Header Type:
Custom
PanOSDestinationEDL
Query Name:
dest_edl
Header Type:
Custom
dst or c6a3
Query Name:
dest_ip.​value
Header Type:
Predefined
Label:
|| c6a3Label
Label Text:
|| Destination IPv6 Address
PanOSDestinationLocation
Query Name:
dest_location
Header Type:
Custom
dpt
Query Name:
dest_port
Header Type:
Predefined
duser
Query Name:
dest_user
Header Type:
Predefined
Max Length:
1023
dntdom
Header Type:
Predefined
Max Length:
255
duser
Header Type:
Predefined
Max Length:
255
duid
Header Type:
Predefined
Max Length:
255
PanOSDestinationUUID
Query Name:
dest_uuid
Header Type:
Custom
PanOSDGHierarchyLevel1
Query Name:
dg_hier_level_1
Header Type:
Custom
PanOSDGHierarchyLevel2
Query Name:
dg_hier_level_2
Header Type:
Custom
PanOSDGHierarchyLevel3
Query Name:
dg_hier_level_3
Header Type:
Custom
PanOSDGHierarchyLevel4
Query Name:
dg_hier_level_4
Header Type:
Custom
flexString2
Header Type:
Predefined
Label:
flexString2Label
Label Text:
DirectionOfAttack
Max Length:
1023
PanOSDLPVersionFlag
Query Name:
dlp_version_flag
Header Type:
Custom
PanOSDomainEDL
Query Name:
domain_edl
Header Type:
Custom
PanOSDynamicUserGroup
Query Name:
dynusergroup_name
Header Type:
Custom
PanOSEndpointSerialNumber
Header Type:
Custom
filePath
Query Name:
file_name
Header Type:
Predefined
Max Length:
1023
PanOSFileHash
Query Name:
file_sha_256
Header Type:
Custom
PanOSFileType
Query Name:
file_type
Header Type:
Custom
PanOSFileURL
Query Name:
file_url
Header Type:
Custom
cs4
Query Name:
from_zone
Header Type:
Predefined
Label:
cs4Label
Label Text:
FromZone
Max Length:
4000
PanOSHostID
Query Name:
gp_host_id
Header Type:
Custom
PanOSHTTP2Connection
Query Name:
http2_connection
Header Type:
Custom
deviceInboundInterface
Header Type:
Predefined
Max Length:
128
PanOSInboundInterfaceDetailsPort
Header Type:
Custom
PanOSInboundInterfaceDetailsSlot
Header Type:
Custom
PanOSInboundInterfaceDetailsType
Header Type:
Custom
PanOSInboundInterfaceDetailsUnit
Header Type:
Custom
PanOSCaptivePortal
Query Name:
is_captive_portal
Header Type:
Custom
PanOSIsClienttoServer
Header Type:
Custom
PanOSIsContainer
Query Name:
is_container
Header Type:
Custom
PanOSIsDecryptMirror
Query Name:
is_decrypt_mirror
Header Type:
Custom
PanOSIsDecrypted
Query Name:
is_decrypted
Header Type:
Custom
PanOSIsDuplicateLog
Query Name:
is_dup_log
Header Type:
Custom
PanOSIsEncrypted
Query Name:
is_encrypted
Header Type:
Custom
PanOSLogExported
Query Name:
is_exported
Header Type:
Custom
PanOSLogForwarded
Query Name:
is_forwarded
Header Type:
Custom
PanOSIsIPV6
Query Name:
is_ipv6
Header Type:
Custom
PanOSIsMptcpOn
Query Name:
is_mptcp_on
Header Type:
Custom
PanOSNAT
Query Name:
is_nat
Header Type:
Custom
PanOSIsNonStandardDestinationPort
Header Type:
Custom
PanOSIsPacketCapture
Query Name:
is_packet_capture
Header Type:
Custom
PanOSIsPhishing
Query Name:
is_phishing
Header Type:
Custom
PanOSIsPrismaNetwork
Query Name:
is_prisma_branch
Header Type:
Custom
PanOSIsPrismaUsers
Query Name:
is_prisma_mobile
Header Type:
Custom
PanOSIsProxy
Query Name:
is_proxy
Header Type:
Custom
PanOSIsReconExcluded
Query Name:
is_recon_excluded
Header Type:
Custom
PanOSIsSaaSApplication
Query Name:
is_saas_app
Header Type:
Custom
PanOSIsServertoClient
Header Type:
Custom
PanOSIsSourceXForwarded
Query Name:
is_source_x_fwded
Header Type:
Custom
PanOSIsSystemReturn
Query Name:
is_sym_return
Header Type:
Custom
PanOSIsTransaction
Query Name:
is_transaction
Header Type:
Custom
PanOSIsTunnelInspected
Header Type:
Custom
PanOSIsURLDenied
Query Name:
is_url_denied
Header Type:
Custom
PanOSJustification
Query Name:
justification
Header Type:
Custom
PanOSLocation
Query Name:
location
Header Type:
Custom
cs6
Query Name:
log_set
Header Type:
Predefined
Label:
cs6Label
Label Text:
LogSetting
Max Length:
4000
PanOSLogSource
Query Name:
log_source
Header Type:
Custom
deviceExternalId
Query Name:
log_source_id
Header Type:
Predefined
Max Length:
255
dvchost
Query Name:
log_source_name
Header Type:
Predefined
Max Length:
100
PanOSLogSourceTimeZoneOffset
Header Type:
Custom
rt
Query Name:
log_time
Header Type:
Predefined
Device Event Class ID
Query Name:
log_type.​value
Header Type:
Custom
PanOSIMEI
Query Name:
monitor_tag_imei
Header Type:
Custom
destinationTranslatedAddress
Query Name:
nat_dest.​value
Header Type:
Predefined
destinationTranslatedPort
Query Name:
nat_dest_port
Header Type:
Predefined
sourceTranslatedAddress
Header Type:
Predefined
sourceTranslatedPort
Query Name:
nat_source_port
Header Type:
Predefined
PanOSNonStandardDestinationPort
Header Type:
Custom
PanOSNSSAINetworkSliceType
Header Type:
Custom
deviceOutboundInterface
Header Type:
Predefined
Max Length:
128
PanOSOutboundInterfaceDetailsPort
Header Type:
Custom
PanOSOutboundInterfaceDetailsSlot
Header Type:
Custom
PanOSOutboundInterfaceDetailsType
Header Type:
Custom
PanOSOutboundInterfaceDetailsUnit
Header Type:
Custom
PanOSParentSessionID
Query Name:
parent_session_id
Header Type:
Custom
PanOSParentStartTime
Query Name:
parent_start_time
Header Type:
Custom
PanOSPartialHash
Query Name:
partial_hash
Header Type:
Custom
PanOSPacket
Query Name:
pcap
Header Type:
Custom
fileId
Query Name:
pcap_id
Header Type:
Predefined
Max Length:
1023
PanOSContainerName
Query Name:
pod_name
Header Type:
Custom
PanOSContainerNameSpace
Query Name:
pod_namespace
Header Type:
Custom
PanOSProfileName
Query Name:
profile_name
Header Type:
Custom
proto
Query Name:
protocol.​value
Header Type:
Predefined
Max Length:
31
PanOSReasonForDataFilteringAction
Header Type:
Custom
PanOSReportID
Query Name:
report_id
Header Type:
Custom
PanOSApplicationRisk
Query Name:
risk_of_app
Header Type:
Custom
cs1
Query Name:
rule_matched
Header Type:
Predefined
Label:
cs1Label
Label Text:
Rule
Max Length:
4000
PanOSRuleUUID
Query Name:
rule_matched_uuid
Header Type:
Custom
PanOSSanctionedStateOfApp
Header Type:
Custom
externalId
Query Name:
sequence_no
Header Type:
Predefined
Max Length:
40
cn1
Query Name:
session_id
Header Type:
Predefined
Label:
cn1Label
Label Text:
SessionID
PanOSSeverity
Query Name:
severity
Header Type:
Custom
PanOSSigFlags
Query Name:
sig_flags
Header Type:
Custom
PanOSSourceDeviceCategory
Header Type:
Custom
PanOSSourceDeviceClass
Header Type:
Custom
PanOSSourceDeviceHost
Query Name:
source_device_host
Header Type:
Custom
PanOSSourceDeviceMac
Query Name:
source_device_mac
Header Type:
Custom
PanOSSourceDeviceModel
Header Type:
Custom
PanOSSourceDeviceOS
Query Name:
source_device_os
Header Type:
Custom
PanOSSourceDeviceOSFamily
Header Type:
Custom
PanOSSourceDeviceOSVersion
Header Type:
Custom
PanOSSourceDeviceProfile
Header Type:
Custom
PanOSSourceDeviceVendor
Header Type:
Custom
PanOSSourceDynamicAddressGroup
Header Type:
Custom
PanOSSourceEDL
Query Name:
source_edl
Header Type:
Custom
src or c6a2
Query Name:
source_ip.​value
Header Type:
Predefined
Label:
|| c6a2Label
Label Text:
|| Source IPv6 Address
PanOSSourceLocation
Query Name:
source_location
Header Type:
Custom
spt
Query Name:
source_port
Header Type:
Predefined
suser
Query Name:
source_user
Header Type:
Predefined
Max Length:
1023
sntdom
Header Type:
Predefined
Max Length:
1023
suser
Header Type:
Predefined
Max Length:
1023
suid
Header Type:
Predefined
Max Length:
1023
PanOSSourceUUID
Query Name:
source_uuid
Header Type:
Custom
Name
Query Name:
sub_type.​value
Header Type:
Custom
PanOSApplicationTechnology
Query Name:
technology_of_app
Header Type:
Custom
PanOSThreatCategory
Header Type:
Custom
PanOSThreatNameFirewall
Header Type:
Custom
start
Query Name:
time_generated
Header Type:
Predefined
PanOSTimeGeneratedHighResolution
Header Type:
Custom
cs5
Query Name:
to_zone
Header Type:
Predefined
Label:
cs5Label
Label Text:
ToZone
Max Length:
4000
PanOSTunnel
Query Name:
tunnel.​value
Header Type:
Custom
PanOSTunneledApplication
Query Name:
tunneled_app
Header Type:
Custom
PanOSIMSI
Query Name:
tunnelid_imsi
Header Type:
Custom
cs2
Header Type:
Predefined
Label:
cs2Label
Label Text:
URLCategory
Max Length:
4000
PanOSURL
Query Name:
url_domain
Header Type:
Custom
PanOSUsers
Query Name:
users
Header Type:
Custom
Device Vendor
Query Name:
vendor_name
Header Type:
Custom
PanOSVendorSeverity
Header Type:
Custom
cs3
Query Name:
vsys
Header Type:
Predefined
Label:
cs3Label
Label Text:
VirtualLocation
Max Length:
4000
PanOSVirtualSystemID
Query Name:
vsys_id
Header Type:
Custom
PanOSVirtualSystemName
Query Name:
vsys_name
Header Type:
Custom
PanOSX-Forwarded-ForIP
Query Name:
xff_ip.​value
Header Type:
Custom

Recommended For You