Strata Logging Service
GlobalProtect
GlobalProtect logs identify network traffic between a GlobalProtect portal or gateway and GlobalProtect apps.

The following table describes each GlobalProtect log field and gives its name in each supported log format:
| GLOBALPROTECT Field (Display Name) | Description |
|---|---|
| attempted_gateways (ATTEMPTED GATEWAYS) | String of all gateways that were available and attempted for the client location. Contains the gateway name, SSL response time, and priority, separated by semicolons.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSAttemptedGateways<br>EMAIL field name: AttemptedGateways<br>HTTPS field name: AttemptedGateways<br>LEEF field name: AttemptedGateways |
| auth_method (AUTH METHOD) | Authentication method used for the GlobalProtect connection.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSAuthMethod<br>EMAIL field name: AuthMethod<br>HTTPS field name: AuthMethod<br>LEEF field name: AuthMethod |
| config_version.value (CONFIG VERSION) | Version number of the firewall operating system that wrote this log record.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSConfigVersion<br>EMAIL field name: ConfigVersion<br>HTTPS field name: ConfigVersion<br>LEEF field name: ConfigVersion |
| connect_method (CONNECTION METHOD) | Identifies how the GlobalProtect app connected to the gateway, for example on-demand or user-logon.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSConnectionMethod<br>EMAIL field name: ConnectionMethod<br>HTTPS field name: ConnectionMethod<br>LEEF field name: ConnectionMethod |
| connection_error.id (CONNECTION ERROR ID) | Enumeration integer assigned to the connection_error field value.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSConnectionErrorID<br>EMAIL field name: ConnectionErrorID<br>HTTPS field name: ConnectionErrorID<br>LEEF field name: ConnectionErrorID |
| connection_error.value (CONNECTION ERROR) | Error information for an unsuccessful connection.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSConnectionError<br>EMAIL field name: ConnectionError<br>HTTPS field name: ConnectionError<br>LEEF field name: ConnectionError |
| count_of_repeats (COUNT OF REPEATS) | Number of sessions with the same Source IP, Destination IP, Application, and Content/Threat Type seen during the summary interval.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSCountOfRepeats<br>EMAIL field name: CountOfRepeats<br>HTTPS field name: CountOfRepeats<br>LEEF field name: CountOfRepeats |
| customer_id (TENANT ID) | The ID that uniquely identifies the Cortex Data Lake instance which received this log record.<br>CEF field name: PanOSTenantID<br>EMAIL field name: TenantID<br>HTTPS field name: TenantID<br>LEEF field name: TenantID |
| dg_hier_level_1 (DG HIERARCHY LEVEL 1) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDGHierarchyLevel1<br>EMAIL field name: DGHierarchyLevel1<br>HTTPS field name: DGHierarchyLevel1<br>LEEF field name: DGHierarchyLevel1 |
| dg_hier_level_2 (DG HIERARCHY LEVEL 2) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDGHierarchyLevel2<br>EMAIL field name: DGHierarchyLevel2<br>HTTPS field name: DGHierarchyLevel2<br>LEEF field name: DGHierarchyLevel2 |
| dg_hier_level_3 (DG HIERARCHY LEVEL 3) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDGHierarchyLevel3<br>EMAIL field name: DGHierarchyLevel3<br>HTTPS field name: DGHierarchyLevel3<br>LEEF field name: DGHierarchyLevel3 |
| dg_hier_level_4 (DG HIERARCHY LEVEL 4) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDGHierarchyLevel4<br>EMAIL field name: DGHierarchyLevel4<br>HTTPS field name: DGHierarchyLevel4<br>LEEF field name: DGHierarchyLevel4 |
| endpoint_device_name (ENDPOINT DEVICE NAME) | Name of the device that the user used for the connection.<br>Syslog field name: Syslog Field Order<br>CEF field name: shost<br>EMAIL field name: EndpointDeviceName<br>HTTPS field name: EndpointDeviceName<br>LEEF field name: EndpointDeviceName |
| endpoint_gp_version (GLOBALPROTECT CLIENT VERSION) | GlobalProtect client version number.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSGlobalProtectClientVersion<br>EMAIL field name: GlobalProtectClientVersion<br>HTTPS field name: GlobalProtectClientVersion<br>LEEF field name: GlobalProtectClientVersion |
| endpoint_os_type (ENDPOINT OS TYPE) | OS type of the endpoint on which the GlobalProtect client is deployed.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSEndpointOSType<br>EMAIL field name: EndpointOSType<br>HTTPS field name: EndpointOSType<br>LEEF field name: EndpointOSType |
| endpoint_os_version (ENDPOINT OS VERSION) | OS version of the endpoint on which the GlobalProtect client is deployed.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSEndpointOSVersion<br>EMAIL field name: EndpointOSVersion<br>HTTPS field name: EndpointOSVersion<br>LEEF field name: EndpointOSVersion |
| endpoint_serial_number (ENDPOINT SN) | ID that uniquely identifies the endpoint on which the GlobalProtect client is deployed.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSEndpointSN<br>EMAIL field name: EndpointSN<br>HTTPS field name: EndpointSN<br>LEEF field name: EndpointSN |
| event_id.value (EVENT ID VALUE) | The name of the event.<br>Syslog field name: Syslog Field Order<br>CEF field name: Name<br>EMAIL field name: EventIDValue<br>HTTPS field name: EventIDValue<br>LEEF field name: EventID |
| gateway (GATEWAY) | Selected gateway for the connection.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSGateway<br>EMAIL field name: Gateway<br>HTTPS field name: Gateway<br>LEEF field name: Gateway |
| gateway_priority.value (GATEWAY PRIORITY) | Priority of the gateway, retrieved from the portal configuration.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSGatewayPriority<br>EMAIL field name: GatewayPriority<br>HTTPS field name: GatewayPriority<br>LEEF field name: GatewayPriority |
| gateway_selection_type (GATEWAY SELECTION TYPE) | Gateway selection method, i.e., automatic, preferred, or manual.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSGatewaySelectionType<br>EMAIL field name: GatewaySelectionType<br>HTTPS field name: GatewaySelectionType<br>LEEF field name: GatewaySelectionType |
| gpg_location (GLOBALPROTECT GATEWAY LOCATION) | Location of the GlobalProtect gateway.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSGlobalProtectGatewayLocation<br>EMAIL field name: GlobalProtectGatewayLocation<br>HTTPS field name: GlobalProtectGatewayLocation<br>LEEF field name: GlobalProtectGatewayLocation |
| host_id (HOST ID) | Unique identifier that GlobalProtect has assigned to the host.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSHostID<br>EMAIL field name: HostID<br>HTTPS field name: HostID<br>LEEF field name: HostID |
| is_dup_log (IS DUPLICATE LOG) | Indicates whether this log data is available in multiple locations, such as from Strata Logging Service as well as from an on-premises log collector.<br>CEF field name: PanOSIsDuplicateLog<br>EMAIL field name: IsDuplicateLog<br>HTTPS field name: IsDuplicateLog<br>LEEF field name: IsDuplicateLog |
| is_exported (LOG EXPORTED) | Indicates whether this log was exported from the firewall using the firewall's log export function.<br>CEF field name: PanOSLogExported<br>EMAIL field name: LogExported<br>HTTPS field name: LogExported<br>LEEF field name: LogExported |
| is_forwarded (LOG FORWARDED) | Internal-use field that indicates whether the log is being forwarded.<br>CEF field name: PanOSLogForwarded<br>EMAIL field name: LogForwarded<br>HTTPS field name: LogForwarded<br>LEEF field name: LogForwarded |
| is_prisma_branch (IS PRISMA NETWORKS) | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premises.<br>CEF field name: PanOSIsPrismaNetworks<br>EMAIL field name: IsPrismaNetworks<br>HTTPS field name: IsPrismaNetworks<br>LEEF field name: IsPrismaNetworks |
| is_prisma_mobile (IS PRISMA USERS) | Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premises.<br>CEF field name: PanOSIsPrismaUsers<br>EMAIL field name: IsPrismaUsers<br>HTTPS field name: IsPrismaUsers<br>LEEF field name: IsPrismaUsers |
| log_source (LOG SOURCE) | Identifies the origin of the data, that is, the system that produced the data.<br>CEF field name: sourceServiceName<br>EMAIL field name: LogSource<br>HTTPS field name: LogSource<br>LEEF field name: LogSource |
| log_source_group_id (LOG SOURCE GROUP ID) | ID that uniquely identifies the log source group of the log, that is, the log_source_id of the group.<br>CEF field name: LogSourceGroupID<br>EMAIL field name: LogSourceGroupID<br>HTTPS field name: LogSourceGroupID<br>LEEF field name: LogSourceGroupID |
| log_source_id (DEVICE SN) | ID that uniquely identifies the source of the log, that is, the serial number of the firewall that generated the log. If the log is generated by Prisma Access, the serial number is not displayed.<br>Syslog field name: Syslog Field Order<br>CEF field name: deviceExternalID<br>EMAIL field name: DeviceSN<br>HTTPS field name: DeviceSN<br>LEEF field name: DeviceSN |
| log_source_name (DEVICE NAME) | Name of the source of the log, that is, the hostname of the firewall that logged the network traffic.<br>Syslog field name: Syslog Field Order<br>CEF field name: dvchost<br>EMAIL field name: DeviceName<br>HTTPS field name: DeviceName<br>LEEF field name: DeviceName |
| log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET) | Time zone offset from GMT of the source of the log.<br>CEF field name: PanOSLogSourceTimeZoneOffset<br>EMAIL field name: LogSourceTimeZoneOffset<br>HTTPS field name: LogSourceTimeZoneOffset<br>LEEF field name: LogSourceTimeZoneOffset |
| log_time (TIME RECEIVED) | Time the log was received in Strata Logging Service. This string contains a timestamp value that is the number of microseconds since the Unix epoch.<br>Syslog field name: Syslog Field Order<br>CEF field name: rt<br>EMAIL field name: TimeReceived<br>HTTPS field name: TimeReceived<br>LEEF field name: TimeReceived |
| log_type.value (LOG TYPE) | Identifies the log type.<br>Syslog field name: Syslog Field Order<br>CEF field name: Device Event Class ID<br>EMAIL field name: LogType<br>HTTPS field name: LogType<br>LEEF field name: cat |
| login_duration (LOGIN DURATION) | Duration for which the connected user was logged on.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSLoginDuration<br>EMAIL field name: LoginDuration<br>HTTPS field name: LoginDuration<br>LEEF field name: LoginDuration |
| opaque (DESCRIPTION) | Additional information regarding the event.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDescription<br>EMAIL field name: Description<br>HTTPS field name: Description<br>LEEF field name: Description |
| panorama_serial (PANORAMA SN) | Panorama serial number associated with the Cortex Data Lake (CDL) instance.<br>CEF field name: PanOSPanoramaSN<br>EMAIL field name: PanoramaSN<br>HTTPS field name: PanoramaSN<br>LEEF field name: PanoramaSN |
| platform_type (PLATFORM TYPE) | The platform type. Valid types are VM, PA, NGFW, and CNGFW.<br>CEF field name: PlatformType<br>EMAIL field name: PlatformType<br>HTTPS field name: PlatformType<br>LEEF field name: PlatformType |
| portal (PORTAL) | GlobalProtect portal or gateway that the user connected to.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSPortal<br>EMAIL field name: Portal<br>HTTPS field name: Portal<br>LEEF field name: Portal |
| private_ip.value (PRIVATE IPV4) | Private IP address (v4) of the user that connected.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSPrivateIPv4<br>EMAIL field name: PrivateIPv4<br>HTTPS field name: PrivateIPv4<br>LEEF field name: PrivateIPv4 |
| private_ipv6.value (PRIVATE IPV6) | Private IP address (v6) of the user that connected.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSPrivateIPv6<br>EMAIL field name: PrivateIPv6<br>HTTPS field name: PrivateIPv6<br>LEEF field name: PrivateIPv6 |
| project_name (PROJECT NAME) | Reserved for future use.<br>CEF field name: ProjectName<br>EMAIL field name: ProjectName<br>HTTPS field name: ProjectName<br>LEEF field name: ProjectName |
| public_ip.value (PUBLIC IPV4) | Public IP address (v4) of the user that connected.<br>Syslog field name: Syslog Field Order<br>CEF field name: src<br>EMAIL field name: PublicIPv4<br>HTTPS field name: PublicIPv4<br>LEEF field name: PublicIPv4 |
| public_ipv6.value (PUBLIC IPV6) | Public IP address (v6) of the user that connected.<br>Syslog field name: Syslog Field Order<br>CEF field name: c6a2<br>EMAIL field name: PublicIPv6<br>HTTPS field name: PublicIPv6<br>LEEF field name: PublicIPv6 |
| quarantine_reason (QUARANTINE REASON) | Reason the endpoint was quarantined.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSQuarantineReason<br>EMAIL field name: QuarantineReason<br>HTTPS field name: QuarantineReason<br>LEEF field name: QuarantineReason |
| sequence_no (SEQUENCE NO) | The log entry identifier, which is incremented sequentially. Each log type has a unique number space.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSSequenceNo<br>EMAIL field name: SequenceNo<br>HTTPS field name: SequenceNo<br>LEEF field name: SequenceNo |
| source_region (SOURCE REGION) | Region of the gateway (or user) that connected.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSSourceRegion<br>EMAIL field name: SourceRegion<br>HTTPS field name: SourceRegion<br>LEEF field name: SourceRegion |
| source_user (SOURCE USER NAME) | The username that connected.<br>Syslog field name: Syslog Field Order<br>CEF field name: suser<br>EMAIL field name: SourceUserName<br>HTTPS field name: SourceUserName<br>LEEF field name: usrName |
| source_user_info.domain (SOURCE USER DOMAIN) | Domain to which the source user belongs.<br>EMAIL field name: SourceUserDomain<br>HTTPS field name: SourceUserDomain<br>LEEF field name: SourceUserDomain |
| source_user_info.name (SOURCE USER INFO) | The source user, that is, the username that initiated the network traffic.<br>EMAIL field name: SourceUserName<br>HTTPS field name: SourceUserName<br>LEEF field name: SourceUserName |
| source_user_info.uuid (SOURCE USER UUID) | Unique identifier assigned to the source user.<br>EMAIL field name: SourceUserUUID<br>HTTPS field name: SourceUserUUID<br>LEEF field name: SourceUserUUID |
| ssl_response_time (SSL RESPONSE TIME) | SSL response time in milliseconds.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSSSLResponseTime<br>EMAIL field name: SSLResponseTime<br>HTTPS field name: SSLResponseTime<br>LEEF field name: SSLResponseTime |
| stage (STAGE) | Name of the stage in the GlobalProtect connection workflow.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSStage<br>EMAIL field name: Stage<br>HTTPS field name: Stage<br>LEEF field name: Stage |
| status.value (EVENT STATUS) | The status (success or failure) of the event.<br>Syslog field name: Syslog Field Order<br>CEF field name: outcome<br>EMAIL field name: EventStatus<br>HTTPS field name: EventStatus<br>LEEF field name: EventStatus |
| sub_type.value (LOG SUBTYPE) | Identifies the log subtype.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSLogSubtype<br>EMAIL field name: LogSubtype<br>HTTPS field name: LogSubtype<br>LEEF field name: SubType |
| time_generated (TIME GENERATED) | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.<br>Syslog field name: Syslog Field Order<br>CEF field name: start<br>EMAIL field name: TimeGenerated<br>HTTPS field name: TimeGenerated<br>LEEF field name: devTime |
| time_generated_high_res (TIME GENERATED HIGH RESOLUTION) | Time the log was generated in the data plane with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSTimeGeneratedHighResolution<br>EMAIL field name: TimeGeneratedHighResolution<br>HTTPS field name: TimeGeneratedHighResolution<br>LEEF field name: TimeGeneratedHighResolution |
| tunnel (TUNNEL TYPE) | Tunnel type, i.e., SSL or VPN.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSTunnelType<br>EMAIL field name: TunnelType<br>HTTPS field name: TunnelType<br>LEEF field name: TunnelType |
| vendor_name (VENDOR NAME) | Identifies the vendor that produced the data.<br>CEF field name: Device Vendor<br>EMAIL field name: VendorName<br>HTTPS field name: VendorName<br>LEEF field name: Vendor |
| vsys (VIRTUAL SYSTEM) | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSVirtualSystem<br>EMAIL field name: VirtualSystem<br>HTTPS field name: VirtualSystem<br>LEEF field name: VirtualSystem |
| vsys_id (VIRTUAL SYSTEM ID) | A unique identifier for a virtual system on a Palo Alto Networks firewall.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSVirtualSystemID<br>EMAIL field name: VirtualSystemID<br>HTTPS field name: VirtualSystemID<br>LEEF field name: VirtualSystemID |
| vsys_name (VIRTUAL SYSTEM NAME) | The name of the virtual system associated with the network traffic.<br>Syslog field name: Syslog Field Order<br>CEF field name: cs3<br>EMAIL field name: VirtualSystemName<br>HTTPS field name: VirtualSystemName<br>LEEF field name: VirtualSystemName |