Focus

Log Forwarding App Schema Reference

HIP Match CEF Fields

Table of Contents

HIP Match CEF Fields

Example HIP Match log in CEF:

Mar 1 21:20:14 xxx.xx.x.xx 1505 <14>1 2021-03-01T21:20:14.889Z stream-logfwd20-587718190-03011312-b28y-harness-x4nx logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|HIPMATCH||3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:20:13 deviceExternalId=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=xxxxx dntdom=xxxxx suser=xxxxx xxxxx duser=xxxxx xxxxx suid= duid= PanOSTenantID=xxxxxxxxxxxxx PanOSUUID= PanOSConfigVersion= start=Mar 01 2021 21:20:13 PanOSSourceUser=xxxxx\\xxxxx xxxxx cs3=vsys1 cs3Label=VirtualLocation shost=machine_name1 dhost=machine_name1 cs2=iOS cs2Label=EndpointOSType src=xxx.xx.x.xx dst=xxx.xx.x.xx cat=match_name1 cnt=1 PanOSHipMatchType=HIP Profile externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 cn2=1 cn2Label=VirtualSystemID c6a1=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx c6a1Label=Device IPv6 Address PanOSHostID=xxxxxxxxxxxxxxe777947f-d92e-4815-9222-89438203bc2b PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceMac= PanOSSourceDeviceHost= PanOSSource= PanOSTimestampDeviceIdentification=Dec PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12

The following table identifies the HIP Match field names that the Log Forwarding app uses when you forward logs using the CEF log format.

CEF Name	Field Details
PanOSConfigVersion	Query Name: config_version.value Header Type: Custom
cnt	Query Name: count_of_repeats Header Type: Predefined
PanOSTenantID	Query Name: customer_id Header Type: Custom
PanOSDGHierarchyLevel1	Query Name: dg_hier_level_1 Header Type: Custom
PanOSDGHierarchyLevel2	Query Name: dg_hier_level_2 Header Type: Custom
PanOSDGHierarchyLevel3	Query Name: dg_hier_level_3 Header Type: Custom
PanOSDGHierarchyLevel4	Query Name: dg_hier_level_4 Header Type: Custom
shost and dhost	Query Name: endpoint_device_name Header Type: Predefined
cs2	Query Name: endpoint_os_type Header Type: Predefined Label: cs2Label Label Text: EndpointOSType Max Length: 4000
PanOSEndpointSerialNumber	Query Name: endpoint_serial_number Header Type: Custom
cat	Query Name: hip_match_name Header Type: Predefined Max Length: 1023
PanOSHipMatchType	Query Name: hip_match_type.value Header Type: Custom
PanOSHostID	Query Name: host_id Header Type: Custom
PanOSIsDuplicateLog	Query Name: is_dup_log Header Type: Custom
PanOSLogExported	Query Name: is_exported Header Type: Custom
PanOSLogForwarded	Query Name: is_forwarded Header Type: Custom
PanOSIsPrismaNetworks	Query Name: is_prisma_branch Header Type: Custom
PanOSIsPrismaUsers	Query Name: is_prisma_mobile Header Type: Custom
PanOSLogSource	Query Name: log_source Header Type: Custom
LogSourceGroupID	Query Name: log_source_group_id Header Type: Custom
deviceExternalId	Query Name: log_source_id Header Type: Predefined Max Length: 255
dvchost	Query Name: log_source_name Header Type: Predefined Max Length: 100
PanOSLogSourceTimeZoneOffset	Query Name: log_source_tz_offset Header Type: Custom
rt	Query Name: log_time Header Type: Predefined
Device Event Class ID	Query Name: log_type.value Header Type: Custom
PanOSPanoramaSN	Query Name: panorama_serial Header Type: Custom
externalId	Query Name: sequence_no Header Type: Predefined Max Length: 40
PanOSSource	Query Name: source Header Type: Custom
PanOSSourceDeviceCategory	Query Name: source_device_category Header Type: Custom
PanOSSourceDeviceClass	Query Name: source_device_class Header Type: Custom
PanOSSourceDeviceHost	Query Name: source_device_host Header Type: Custom
PanOSSourceDeviceMac	Query Name: source_device_mac Header Type: Custom
PanOSSourceDeviceModel	Query Name: source_device_model Header Type: Custom
PanOSSourceDeviceOS	Query Name: source_device_os Header Type: Custom
PanOSSourceDeviceOSFamily	Query Name: source_device_osfamily Header Type: Custom
PanOSSourceDeviceOSVersion	Query Name: source_device_osversion Header Type: Custom
PanOSSourceDeviceProfile	Query Name: source_device_profile Header Type: Custom
PanOSSourceDeviceVendor	Query Name: source_device_vendor Header Type: Custom
src and dst, or c6a2 and c6a3	Query Name: source_ip.value Header Type: Predefined Label: \|\| c6a2Label && c6a3Label Label Text: \|\| Source IPv6 Address && Destination IPv6 Address
c6a1	Query Name: source_ip_v6.value Header Type: Predefined Label: c6a1Label Label Text: Device IPv6 Address
PanOSSourceUser	Query Name: source_user Header Type: Custom
sntdom and dntdom	Query Name: source_user_info.domain Header Type: Predefined
suser and duser	Query Name: source_user_info.name Header Type: Predefined
suid and duid	Query Name: source_user_info.uuid Header Type: Predefined
Name	Query Name: sub_type.value Header Type: Custom
start	Query Name: time_generated Header Type: Predefined
PanOSTimeGeneratedHighResolution	Query Name: time_generated_high_res Header Type: Custom
PanOSTimestampDeviceIdentification	Query Name: timestamp_device_identification Header Type: Custom
PanOSUUID	Query Name: uuid Header Type: Custom
Device Vendor	Query Name: vendor_name Header Type: Custom
cs3	Query Name: vsys Header Type: Predefined Label: cs3Label Label Text: VirtualLocation Max Length: 4000
cn2	Query Name: vsys_id Header Type: Predefined Label: cn2Label Label Text: VirtualSystemID
PanOSVirtualSystemName	Query Name: vsys_name Header Type: Custom

HIP Match Syslog Default Field Order

HIP Match EMAIL Fields

Log Forwarding App Schema Reference

HIP Match CEF Fields

HIP Match CEF Fields

Recommended For You