Strata Logging Service
GlobalProtect CEF Fields
GlobalProtect CEF Fields
Example GlobalProtect log in CEF:
Mar 1 20:35:56 xxx.xx.x.xx 1544 <14>1 2021-03-01T20:35:56.565Z stream-logfwd20-587718190-02280003-lvod-harness-mjdh logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|GLOBALPROTECT|globalprotect|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=xxxxxxxxxxxxx PanOSConfigVersion= start=Mar 01 2021 20:35:54 PanOSVirtualSystem=vsys1 PanOSEventIDValue=satellite-gateway-update-route PanOSStage=connected PanOSAuthMethod=RADIUS PanOSTunnelType=ipsec PanOSSourceUserName=xxxxx\\\\xxxxx PanOSSourceRegion=ET PanOSEndpointDeviceName=machine_name2 PanOSPublicIPv4=xxx.xx.x.xx PanOSPublicIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx PanOSPrivateIPv4=xxx.xx.x.xx PanOSPrivateIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx PanOSHostID=xxxxxxxxxxxxxxe667947f-d92e-4815-9222-89438203bc2b PanOSEndpointSN=serialno_list-1 PanOSGlobalProtectClientVersion=3.0.9 PanOSEndpointOSType=Intel Mac OS PanOSEndpointOSVersion=9.3.5 PanOSCountOfRepeats=16777216 PanOSQuarantineReason=Malicious Traffic PanOSConnectionError=Client cert not present PanOSDescription=opaque_list-1 PanOSEventStatus=failure PanOSGlobalProtectGatewayLocation=San Francisco PanOSLoginDuration=1 PanOSConnectionMethod=connect_method_list-1 PanOSConnectionErrorID=0 PanOSPortal=portal_list-2 PanOSSequenceNo=34401910 PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSGatewaySelectionType= PanOSSSLResponseTime= PanOSGatewayPriority= PanOSAttemptedGateways= PanOSGateway= PanOSDGHierarchyLevel1=20 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= PanOSDeviceName=PA-VM PanOSVirtualSystemID=1
The following table identifies the GlobalProtect field names that the Log Forwarding app
uses when you forward logs using the CEF log format.
CEF Name | Query Name | Header Type
---|---|---
PanOSAttemptedGateways | attempted_gateways | Custom
PanOSAuthMethod | auth_method | Custom
PanOSConfigVersion | config_version.value | Custom
PanOSConnectionMethod | connect_method | Custom
PanOSConnectionErrorID | connection_error.id | Custom
PanOSConnectionError | connection_error.value | Custom
PanOSCountOfRepeats | count_of_repeats | Custom
PanOSTenantID | customer_id | Custom
PanOSDGHierarchyLevel1 | dg_hier_level_1 | Custom
PanOSDGHierarchyLevel2 | dg_hier_level_2 | Custom
PanOSDGHierarchyLevel3 | dg_hier_level_3 | Custom
PanOSDGHierarchyLevel4 | dg_hier_level_4 | Custom
shost | endpoint_device_name | Predefined
PanOSGlobalProtectClientVersion | endpoint_gp_version | Custom
PanOSEndpointOSType | endpoint_os_type | Custom
PanOSEndpointOSVersion | endpoint_os_version | Custom
PanOSEndpointSN | endpoint_serial_number | Custom
Name | event_id.value | Custom
PanOSGateway | gateway | Custom
PanOSGatewayPriority | gateway_priority.value | Custom
PanOSGatewaySelectionType | gateway_selection_type | Custom
PanOSGlobalProtectGatewayLocation | gpg_location | Custom
PanOSHostID | host_id | Custom
PanOSIsDuplicateLog | is_dup_log | Custom
PanOSLogExported | is_exported | Custom
PanOSLogForwarded | is_forwarded | Custom
PanOSIsPrismaNetworks | is_prisma_branch | Custom
PanOSIsPrismaUsers | is_prisma_mobile | Custom
sourceServiceName | log_source | Predefined
LogSourceGroupID | log_source_group_id | Custom
deviceExternalID | log_source_id | Predefined
dvchost | log_source_name | Predefined
PanOSLogSourceTimeZoneOffset | log_source_tz_offset | Custom
rt | log_time | Predefined
Device Event Class ID | log_type.value | Custom
PanOSLoginDuration | login_duration | Custom
PanOSDescription | opaque | Custom
PanOSPanoramaSN | panorama_serial | Custom
PlatformType | platform_type | Custom
PanOSPortal | portal | Custom
PanOSPrivateIPv4 | private_ip.value | Custom
PanOSPrivateIPv6 | private_ipv6.value | Custom
ProjectName | project_name | Custom
src | public_ip.value | Predefined
c6a2 | public_ipv6.value | Predefined
PanOSQuarantineReason | quarantine_reason | Custom
PanOSSequenceNo | sequence_no | Custom
PanOSSourceRegion | source_region | Custom
suser | source_user | Predefined
sntdom and dntdom | source_user_info.domain | Predefined
suser and duser | source_user_info.name | Predefined
suid and duid | source_user_info.uuid | Predefined
PanOSSSLResponseTime | ssl_response_time | Custom
PanOSStage | stage | Custom
outcome | status.value | Predefined
PanOSLogSubtype | sub_type.value | Custom
start | time_generated | Predefined
PanOSTimeGeneratedHighResolution | time_generated_high_res | Custom
PanOSTunnelType | tunnel | Custom
Device Vendor | vendor_name | Custom
PanOSVirtualSystem | vsys | Custom
PanOSVirtualSystemID | vsys_id | Custom
cs3 | vsys_name | Predefined