IPtag LEEF Fields

Example IPtag log in LEEF:
Sep 21 01:47:20 xxx.xx.x.xx 2368 <14>1 2021-09-21T01:47:20.990Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|2| |profileToken=Palotoken VirtualSystemID=1 DeviceName=PA-VM RuleMatched= SequenceNo=7743 IPSubnetRange= LogExported=false src=xxx.xx.x.xx VirtualSystemName= Vendor=Palo Alto Networks DeviceSN=xxxxxxxxxxxxx TimeGeneratedHighResolution= LogSetting= TimeReceived=2020-10-13T03:31:40.000000Z MappingDataSource=XMLAPI RuleMatchedUUID= IsPrismaNetworks=false MappingTimeout=10 MappingDataSourceType=XML-API IsDuplicateLog=false LogForwarded=true CountOfRepeats=1 devTime=2020-10-13T03:31:40.000000Z VirtualLocation=vsys1 LogSource=firewall EventID=Unregister TagName= LogSourceTimeZoneOffset= cat=iptag MappingDataSourceSubType=Unknown TenantID=xxxxxxxxxxxxx IsPrismaUsers=false EventID0=IPTAG devTimeFormat=YYYY-MM-DDTHH:MM:SSZ
The following table identifies the IPtag field names that the Log Forwarding app uses when you forward logs using the LEEF log format.
When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example,
TRAFFIC
,
THREAT
,
HIPMATCH
, and so forth). The token will appear on a parameter called
profileToken
.
LEEF Name
Query Name
Field Type
ConfigVersion
Custom
CountOfRepeats
Custom
TenantID
Custom
DGHierarchyLevel1
Custom
DGHierarchyLevel2
Custom
DGHierarchyLevel3
Custom
DGHierarchyLevel4
Custom
EventID
Header
IPSubnetRange
Custom
IsDuplicateLog
Custom
LogExported
Custom
LogForwarded
Custom
IsPrismaNetworks
Custom
IsPrismaUsers
Custom
LogSetting
Custom
LogSource
Custom
DeviceSN
Custom
DeviceName
Custom
LogSourceTimeZoneOffset
Custom
TimeReceived
Custom
cat
Predefined
MappingDataSource
Custom
MappingDataSourceSubType
Custom
MappingDataSourceType
Custom
MappingTimeout
Custom
RuleMatched
Custom
RuleMatchedUUID
Custom
SequenceNo
Custom
src
Predefined
SubType
Custom
TagName
Custom
devTime
Predefined
TimeGeneratedHighResolution
Custom
Vendor
Header
VirtualLocation
Custom
VirtualSystemID
Custom
VirtualSystemName
Custom

Recommended For You