GlobalProtect CEF Fields

Example GlobalProtect log in CEF:
Mar 1 20:35:56 xxx.xx.x.xx 1544 <14>1 2021-03-01T20:35:56.565Z stream-logfwd20-587718190-02280003-lvod-harness-mjdh logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|GLOBALPROTECT|globalprotect|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=xxxxxxxxxxxxx PanOSConfigVersion= start=Mar 01 2021 20:35:54 PanOSVirtualSystem=vsys1 PanOSEventIDValue=satellite-gateway-update-route PanOSStage=connected PanOSAuthMethod=RADIUS PanOSTunnelType=ipsec PanOSSourceUserName=xxxxx\\\\xxxxx PanOSSourceRegion=ET PanOSEndpointDeviceName=machine_name2 PanOSPublicIPv4=xxx.xx.x.xx PanOSPublicIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx PanOSPrivateIPv4=xxx.xx.x.xx PanOSPrivateIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx PanOSHostID=xxxxxxxxxxxxxxe667947f-d92e-4815-9222-89438203bc2b PanOSEndpointSN=serialno_list-1 PanOSGlobalProtectClientVersion=3.0.9 PanOSEndpointOSType=Intel Mac OS PanOSEndpointOSVersion=9.3.5 PanOSCountOfRepeats=16777216 PanOSQuarantineReason=Malicious Traffic PanOSConnectionError=Client cert not present PanOSDescription=opaque_list-1 PanOSEventStatus=failure PanOSGlobalProtectGatewayLocation=San Francisco PanOSLoginDuration=1 PanOSConnectionMethod=connect_method_list-1 PanOSConnectionErrorID=0 PanOSPortal=portal_list-2 PanOSSequenceNo=34401910 PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSGatewaySelectionType= PanOSSSLResponseTime= PanOSGatewayPriority= PanOSAttemptedGateways= PanOSGateway= PanOSDGHierarchyLevel1=20 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= PanOSDeviceName=PA-VM PanOSVirtualSystemID=1
The following table lists the GlobalProtect field names that the Log Forwarding app emits when you forward logs in CEF format, together with the query name the app uses for each field (where one is listed) and the field's header type.
CEF Name                           Query Name          Header Type
---------------------------------  ------------------  -----------
PanOSAttemptedGateways             attempted_gateways  Custom
PanOSAuthMethod                    auth_method         Custom
PanOSConfigVersion                                     Custom
PanOSConnectionMethod              connect_method      Custom
PanOSConnectionErrorID                                 Custom
PanOSConnectionError                                   Custom
PanOSCountOfRepeats                count_of_repeats    Custom
PanOSTenantID                      customer_id         Custom
PanOSDGHierarchyLevel1             dg_hier_level_1     Custom
PanOSDGHierarchyLevel2             dg_hier_level_2     Custom
PanOSDGHierarchyLevel3             dg_hier_level_3     Custom
PanOSDGHierarchyLevel4             dg_hier_level_4     Custom
shost                                                  Predefined
PanOSGlobalProtectClientVersion                        Custom
PanOSEndpointOSType                endpoint_os_type    Custom
PanOSEndpointOSVersion                                 Custom
PanOSEndpointSN                                        Custom
Name                               event_id.value      Header
PanOSGateway                       gateway             Custom
PanOSGatewayPriority                                   Custom
PanOSGatewaySelectionType                              Custom
PanOSGlobalProtectGatewayLocation  gpg_location        Custom
deviceExternalId                   host_id             Predefined
PanOSIsDuplicateLog                is_dup_log          Custom
PanOSLogExported                   is_exported         Custom
PanOSLogForwarded                  is_forwarded        Custom
PanOSIsPrismaNetworks              is_prisma_branch    Custom
PanOSIsPrismaUsers                 is_prisma_mobile    Custom
sourceServiceName                  log_source          Predefined
deviceExternalID                   log_source_id       Predefined
dvchost                            log_source_name     Predefined
PanOSLogSourceTimeZoneOffset                           Custom
rt                                 log_time            Predefined
Device Event Class ID              log_type.value      Header
PanOSLoginDuration                 login_duration      Custom
PanOSDescription                   opaque              Custom
PanOSPortal                        portal              Custom
PanOSPrivateIPv4                                       Custom
PanOSPrivateIPv6                                       Custom
src                                public_ip.value     Predefined
c6a2                                                   Predefined
PanOSQuarantineReason              quarantine_reason   Custom
PanOSSequenceNo                    sequence_no         Custom
PanOSSourceRegion                  source_region       Custom
suser                              source_user         Predefined
sntdom and dntdom                                      Predefined
suser and duser                                        Predefined
suid and duid                                          Predefined
PanOSSSLResponseTime               ssl_response_time   Custom
PanOSStage                         stage               Custom
outcome                            status.value        Predefined
PanOSLogSubtype                    sub_type.value      Custom
start                              time_generated      Predefined
PanOSTimeGeneratedHighResolution                       Custom
PanOSTunnelType                    tunnel              Custom
Device Vendor                      vendor_name         Header
PanOSVirtualSystem                 vsys                Custom
PanOSVirtualSystemID               vsys_id             Custom
cs3                                vsys_name           Predefined

Notes on the Header Type column: Predefined rows use standard CEF extension keys (rt, src, suser, dvchost and so on); Custom rows use the Palo Alto Networks PanOS* keys. Device Vendor, Device Event Class ID and Name are not extension key=value pairs at all but positions in the pipe-delimited CEF header (in the example above they carry Palo Alto Networks, GLOBALPROTECT and globalprotect), so they are marked Header here. Rows with an empty Query Name cell have no query name listed. Note also that deviceExternalId (host_id) and deviceExternalID (log_source_id) are listed as distinct keys that differ only in case; a parser that lower-cases or otherwise case-folds extension keys will merge them.
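The field list above is what a SIEM parser has to consume, and the example line shows the cases that break naive splitting: a syslog prefix before CEF:, values with embedded spaces (PanOSEndpointOSType=Intel Mac OS), empty values (PanOSConfigVersion=), and backslash escaping in the user name. The following is an added example, not code from the Log Forwarding app or Palo Alto Networks: a Python parser that splits the seven header fields on unescaped pipes, tokenises the extension on unescaped key= boundaries, unescapes values, renames a subset of keys to the query names from the table, and flags records a practitioner would route to an alert queue. The sample line is a copy of this page's example; the QUERY_NAME subset, the triage rules and the field semantics they assume (PanOSEventStatus=failure, a non-empty PanOSQuarantineReason) are this example's own choices.

```python
"""Parse GlobalProtect CEF lines from the Log Forwarding app (added example, not vendor code)."""
import re
from typing import Dict, List, Tuple

# Constructed copy of the example line printed on this page, redactions kept as printed.
SAMPLE = (
    r"Mar 1 20:35:56 xxx.xx.x.xx 1544 <14>1 2021-03-01T20:35:56.565Z "
    r"stream-logfwd20-587718190-02280003-lvod-harness-mjdh logforwarder - panwlogs - "
    r"CEF:0|Palo Alto Networks|LF|2.0|GLOBALPROTECT|globalprotect|3|"
    r"ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=xxxxxxxxxxxxx PanOSConfigVersion= "
    r"start=Mar 01 2021 20:35:54 PanOSVirtualSystem=vsys1 PanOSEventIDValue=satellite-gateway-update-route "
    r"PanOSStage=connected PanOSAuthMethod=RADIUS PanOSTunnelType=ipsec PanOSSourceUserName=xxxxx\\\\xxxxx "
    r"PanOSSourceRegion=ET PanOSEndpointDeviceName=machine_name2 PanOSPublicIPv4=xxx.xx.x.xx "
    r"PanOSPublicIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx PanOSPrivateIPv4=xxx.xx.x.xx "
    r"PanOSPrivateIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx "
    r"PanOSHostID=xxxxxxxxxxxxxxe667947f-d92e-4815-9222-89438203bc2b PanOSEndpointSN=serialno_list-1 "
    r"PanOSGlobalProtectClientVersion=3.0.9 PanOSEndpointOSType=Intel Mac OS PanOSEndpointOSVersion=9.3.5 "
    r"PanOSCountOfRepeats=16777216 PanOSQuarantineReason=Malicious Traffic "
    r"PanOSConnectionError=Client cert not present PanOSDescription=opaque_list-1 PanOSEventStatus=failure "
    r"PanOSGlobalProtectGatewayLocation=San Francisco PanOSLoginDuration=1 "
    r"PanOSConnectionMethod=connect_method_list-1 PanOSConnectionErrorID=0 PanOSPortal=portal_list-2 "
    r"PanOSSequenceNo=34401910 PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 "
    r"PanOSGatewaySelectionType= PanOSSSLResponseTime= PanOSGatewayPriority= PanOSAttemptedGateways= "
    r"PanOSGateway= PanOSDGHierarchyLevel1=20 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 "
    r"PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= PanOSDeviceName=PA-VM PanOSVirtualSystemID=1"
)

# The six pipe-delimited header fields that follow "CEF:<version>".
HEADER_FIELDS = ("device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity")

# Subset of the table on this page: CEF key -> Log Forwarding app query name.
QUERY_NAME = {
    "PanOSStage": "stage", "PanOSAuthMethod": "auth_method", "PanOSTunnelType": "tunnel",
    "PanOSQuarantineReason": "quarantine_reason", "PanOSSourceRegion": "source_region",
    "PanOSPortal": "portal", "PanOSGlobalProtectGatewayLocation": "gpg_location",
    "PanOSLoginDuration": "login_duration", "PanOSSequenceNo": "sequence_no",
    "PanOSVirtualSystem": "vsys", "PanOSEndpointOSType": "endpoint_os_type",
    "rt": "log_time", "start": "time_generated", "suser": "source_user", "outcome": "status.value",
}

# A key= that starts the extension or follows a space. A "\=" inside a value never matches,
# because the character before its "=" is a backslash rather than a key character.
_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")


def _unescape(value: str, extension: bool) -> str:
    """Undo CEF escaping: header fields escape | and backslash; extension values escape =, backslash, \\n, \\r."""
    table = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"} if extension else {"\\": "\\", "|": "|"}
    return re.sub(r"\\(.)", lambda m: table.get(m.group(1), m.group(0)), value)


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header, extension); anything before 'CEF:' (the syslog framing) is dropped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    # Split only the seven header fields on unescaped pipes; pipes may appear unescaped in the extension.
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 pipe-delimited fields")
    header = {"version": parts[0][len("CEF:"):]}
    header.update((name, _unescape(raw, extension=False)) for name, raw in zip(HEADER_FIELDS, parts[1:7]))
    text = parts[7]
    keys = list(_KEY_RE.finditer(text))
    extension: Dict[str, str] = {}
    for i, m in enumerate(keys):
        # A value runs from its "=" to the space before the next key; an empty value yields "".
        end = keys[i + 1].start() if i + 1 < len(keys) else len(text)
        extension[m.group(1)] = _unescape(text[m.end():end].rstrip(" "), extension=True)
    return header, extension


def normalize(extension: Dict[str, str]) -> Dict[str, str]:
    """Rename keys to the app's query names where the table gives one; other keys keep their CEF name."""
    return {QUERY_NAME.get(key, key): value for key, value in extension.items()}


def triage(header: Dict[str, str], extension: Dict[str, str]) -> List[str]:
    """Reasons to route a record to an analyst. Rules and field semantics are this example's assumptions."""
    findings = []
    if header.get("device_event_class_id") != "GLOBALPROTECT":
        findings.append("not a GlobalProtect record: " + header.get("device_event_class_id", ""))
    if extension.get("PanOSEventStatus") == "failure":
        findings.append("status=failure: " + (extension.get("PanOSConnectionError") or "no error text"))
    if extension.get("PanOSQuarantineReason"):
        findings.append("quarantined: " + extension["PanOSQuarantineReason"])
    return findings


if __name__ == "__main__":
    hdr, ext = parse_cef(SAMPLE)
    print(hdr["device_event_class_id"], hdr["severity"], normalize(ext)["stage"])
    for finding in triage(hdr, ext):
        print("ALERT", finding)
```

Two caveats the example surfaces. The printed user name carries four backslashes, which the unescape step collapses to two; a live feed escapes a single backslash in domain\user as two, so expect one after parsing. And the tokeniser relies on producers escaping "=" inside values as CEF requires; a value that contains an unescaped " word=" would be split into a bogus key, so a parser feeding detection logic should validate extension keys against the table above and alert on unknown ones rather than silently accepting them.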