IPtag CEF Fields

Example IPtag log in CEF:
Mar 1 21:20:15 xxx.xx.x.xx 1042 <14>1 2021-03-01T21:20:15.116Z stream-logfwd20-587718190-03011312-b28y-harness-x4nx logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|IPTAG|iptag|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:20:13 deviceExternalId=xxxxxxxxxxxxx PanOSTenantID=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSetting= PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSRuleMatched= PanOSRuleMatchedUUID= PanOSConfigVersion= start=Mar 01 2021 21:20:13 cs3=vsys1 cs3Label=VirtualLocation src=xxx.xx.x.xx dst=xxx.xx.x.xx PanOSTagName= PanOSEventID=Unregister cnt=1 PanOSMappingTimeout=10 PanOSMappingDataSource=XMLAPI PanOSMappingDataSourceType=XML-API PanOSMappingDataSourceSubType=Unknown externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=18 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-VM cn2=1 cn2Label=VirtualSystemID PanOSIPSubnetRange= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12
The following table identifies the IPtag field names that the Log Forwarding app uses when you forward logs using the CEF log format.
| CEF Name | Query Name | Header Type | Label | Label Text | Max Length |
|---|---|---|---|---|---|
| PanOSConfigVersion | | Custom | | | |
| cnt | count_of_repeats | Predefined | | | |
| PanOSTenantID | customer_id | Custom | | | |
| PanOSDGHierarchyLevel1 | dg_hier_level_1 | Custom | | | |
| PanOSDGHierarchyLevel2 | dg_hier_level_2 | Custom | | | |
| PanOSDGHierarchyLevel3 | dg_hier_level_3 | Custom | | | |
| PanOSDGHierarchyLevel4 | dg_hier_level_4 | Custom | | | |
| PanOSEventID | event_id.value | Custom | | | |
| PanOSIPSubnetRange | ip_subnet_range | Custom | | | |
| PanOSIsDuplicateLog | is_dup_log | Custom | | | |
| PanOSLogExported | is_exported | Custom | | | |
| PanOSLogForwarded | is_forwarded | Custom | | | |
| PanOSIsPrismaNetworks | is_prisma_branch | Custom | | | |
| PanOSIsPrismaUsers | is_prisma_mobile | Custom | | | |
| PanOSLogSetting | log_set | Custom | | | |
| PanOSLogSource | log_source | Custom | | | |
| deviceExternalId | log_source_id | Predefined | | | 255 |
| dvchost | log_source_name | Predefined | | | 100 |
| PanOSLogSourceTimeZoneOffset | | Custom | | | |
| rt | log_time | Predefined | | | |
| Device Event Class ID | log_type.value | Custom | | | |
| PanOSMappingDataSource | | Custom | | | |
| PanOSMappingDataSourceSubType | | Custom | | | |
| PanOSMappingDataSourceType | | Custom | | | |
| PanOSMappingTimeout | mapping_timeout | Custom | | | |
| PanOSRuleMatched | rule_matched | Custom | | | |
| PanOSRuleMatchedUUID | rule_matched_uuid | Custom | | | |
| externalId | sequence_no | Predefined | | | 40 |
| src and dst, or c6a2 and c6a3 | source_ip.value | Predefined | none (src/dst), or c6a2Label and c6a3Label | none (src/dst), or Source IPv6 Address and Destination IPv6 Address | |
| Name | sub_type.value | Custom | | | |
| PanOSTagName | tag_name | Custom | | | |
| start | time_generated | Predefined | | | |
| PanOSTimeGeneratedHighResolution | | Custom | | | |
| Device Vendor | vendor_name | Custom | | | |
| cs3 | vsys | Predefined | cs3Label | VirtualLocation | 4000 |
| cn2 | vsys_id | Predefined | cn2Label | VirtualSystemID | |
| PanOSVirtualSystemName | vsys_name | Custom | | | |
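As an added example (not part of this page or of the Log Forwarding app), the following Python parses an IPtag CEF record like the one above: it splits the seven pipe-delimited header fields honouring CEF backslash escapes, splits the extension into key=value pairs even where values contain spaces or are empty, and then resolves csN/cnN labels and a subset of the table's query names. The sample record is abridged from the page's example; QUERY_NAME covers only some rows of the table.

```python
import re

# Abridged copy of the page's example IPtag record (its placeholder values kept);
# everything before "CEF:0|" is the syslog prefix the forwarder adds.
SAMPLE = (
    "<14>1 2021-03-01T21:20:15.116Z stream-logfwd20 logforwarder - panwlogs - "
    "CEF:0|Palo Alto Networks|LF|2.0|IPTAG|iptag|3|ProfileToken=xxxxx dtz=UTC "
    "rt=Mar 01 2021 21:20:13 PanOSLogSetting= PanOSLogSource=firewall "
    "start=Mar 01 2021 21:20:13 cs3=vsys1 cs3Label=VirtualLocation "
    "src=xxx.xx.x.xx dst=xxx.xx.x.xx PanOSTagName= PanOSEventID=Unregister cnt=1 "
    "PanOSMappingTimeout=10 dvchost=PA-VM cn2=1 cn2Label=VirtualSystemID"
)
HEADER = ("cef_version", "device_vendor", "device_product", "device_version",
          "device_event_class_id", "name", "severity")
# Header fields escape "|" and "\" with a backslash; extension values escape "=",
# "\" and line breaks ("\n", "\r"). Each header field is "anything but an unescaped pipe".
_HEADER_RE = re.compile(r"^" + r"((?:[^|\\]|\\.)*)\|" * 7 + r"(.*)$")
_EXT_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=(.*?)(?=\s[A-Za-z0-9_]+=|$)")

def _unescape(s):
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)

def parse_cef(line):
    """Return the seven CEF header fields plus an 'extensions' dict of key=value pairs."""
    pos = line.find("CEF:")
    if pos < 0:
        raise ValueError("no CEF header in line")
    m = _HEADER_RE.match(line[pos + 4:])
    if not m:
        raise ValueError("malformed CEF header (expected 7 pipe-delimited fields)")
    rec = {k: _unescape(v) for k, v in zip(HEADER, m.groups()[:7])}
    rec["severity"] = int(rec["severity"])
    # Values may contain spaces (rt=Mar 01 2021 ...) or be empty (PanOSLogSetting=),
    # so a value runs until the next "<space>key=" token, not until the next space.
    rec["extensions"] = {k: _unescape(v) for k, v in _EXT_RE.findall(m.group(8))}
    return rec

# Subset of the page's CEF-name -> query-name table (assumption: only these rows).
QUERY_NAME = {"cs3": "vsys", "cn2": "vsys_id", "dvchost": "log_source_name", "rt": "log_time",
              "start": "time_generated", "cnt": "count_of_repeats", "src": "source_ip.value",
              "PanOSEventID": "event_id.value", "PanOSTagName": "tag_name",
              "PanOSMappingTimeout": "mapping_timeout", "PanOSLogSource": "log_source"}

def normalize(rec):
    """Drop csNLabel/cnNLabel helper keys; name fields by query name, else label, else key."""
    ext = rec["extensions"]
    return {QUERY_NAME.get(k) or ext.get(k + "Label") or k: v
            for k, v in ext.items() if not k.endswith("Label")}
```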