Focus

Log Forwarding App Schema Reference

GlobalProtect EMAIL Fields

Table of Contents

GlobalProtect EMAIL Fields

Example GlobalProtect log in EMAIL:

TimeReceived=2021-02-23T02:44:27.000000Z
DeviceSN=xxxxxxxxxxxxx
LogType=GLOBALPROTECT
LogSubtype=globalprotect
ConfigVersion=
SourceUserUUID=
TenantID=xxxxxxxxxxxxx
VendorName=Palo Alto Networks
VirtualSystemName=
SourceUserName=xxxxx
SourceUserDomain=paloaltonetwork
LogSourceTimeZoneOffset=
Gateway=
DGHierarchyLevel1=20
DGHierarchyLevel2=0
DGHierarchyLevel3=0
DGHierarchyLevel4=0
DeviceName=PA-VM
EventID=309
IsDuplicateLog=false
IsPrismaNetworks=false
IsPrismaUsers=false
LogExported=false
LogSource=firewall
VirtualSystemID=1
TimeGenerated=2021-02-23T02:44:27.000000Z
VirtualSystem=vsys1
EventIDValue=satellite-gateway-update-route
Stage=connected
AuthMethod=RADIUS
TunnelType=ipsec
SourceUserName0="paloaltonetwork\\xxxxx"
SourceRegion=ET
EndpointDeviceName=machine_name2
PublicIPv4=xxx.xx.x.xx
PublicIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
PrivateIPv4=xxx.xx.x.xx
PrivateIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
HostID=e667947f-d92e-4815-9222-89438203bc2b
EndpointSN=serialno_list-1
GlobalProtectClientVersion=3.0.9
EndpointOSType=Intel Mac OS
EndpointOSVersion=9.3.5
CountOfRepeats=16777216
QuarantineReason=Malicious Traffic
ConnectionError=Client cert not present
Description=opaque_list-1
EventStatus=failure
GlobalProtectGatewayLocation=San Francisco
LoginDuration=1
ConnectionMethod=connect_method_list-1
Portal=portal_list-2
SequenceNo=34401910
TimeGeneratedHighResolution=2019-07-25T23:30:12.000000Z
GatewaySelectionType=
SSLResponseTime=
GatewayPriority=
AttemptedGateways=

The following table identifies the GlobalProtect field names that the Log Forwarding app uses when you forward logs using the EMAIL log format.

EMAIL Name	Query Name
AttemptedGateways	attempted_gateways
AuthMethod	auth_method
ConfigVersion	config_version.value
ConnectionMethod	connect_method
ConnectionErrorID	connection_error.id
ConnectionError	connection_error.value
RepeatCount, CountOfRepeats	count_of_repeats
CortexDataLakeTenantID, TenantID	customer_id
DGHierarchyLevel1	dg_hier_level_1
DGHierarchyLevel2	dg_hier_level_2
DGHierarchyLevel3	dg_hier_level_3
DGHierarchyLevel4	dg_hier_level_4
EndpointDeviceName	endpoint_device_name
GlobalProtectClientVersion	endpoint_gp_version
EndpointOSType	endpoint_os_type
EndpointOSVersion	endpoint_os_version
EndpointSN	endpoint_serial_number
EventIDValue	event_id.value
Gateway	gateway
GatewayPriority	gateway_priority.value
GatewaySelectionType	gateway_selection_type
GlobalProtectGatewayLocation	gpg_location
HostID	host_id
IsDuplicateLog	is_dup_log
LogExported	is_exported
LogForwarded	is_forwarded
IsPrismaNetworks	is_prisma_branch
IsPrismaUsers	is_prisma_mobile
LogSource	log_source
LogSourceGroupID	log_source_group_id
DeviceSN	log_source_id
DeviceName	log_source_name
LogSourceTimeZoneOffset	log_source_tz_offset
TimeReceived	log_time
LogType	log_type.value
LoginDuration	login_duration
Description	opaque
PanoramaSN	panorama_serial
PlatformType	platform_type
Portal	portal
PrivateIPv4	private_ip.value
PrivateIPv6	private_ipv6.value
ProjectName	project_name
PublicIPv4	public_ip.value
PublicIPv6	public_ipv6.value
QuarantineReason	quarantine_reason
SequenceNo	sequence_no
SourceRegion	source_region
SourceUserName	source_user
SourceUserDomain	source_user_info.domain
SourceUserName	source_user_info.name
SourceUserUUID	source_user_info.uuid
SSLResponseTime	ssl_response_time
Stage	stage
EventStatus	status.value
Subtype, LogSubtype	sub_type.value
TimeGenerated	time_generated
TimeGeneratedHighResolution	time_generated_high_res
TunnelType	tunnel
VendorName	vendor_name
VirtualSystem	vsys
VirtualSystemID	vsys_id
VirtualSystemName	vsys_name

GlobalProtect CEF Fields

GlobalProtect HTTPS Fields

Log Forwarding App Schema Reference

GlobalProtect EMAIL Fields

GlobalProtect EMAIL Fields

Recommended For You