SCTP LEEF Fields

Example SCTP log in LEEF:
Sep 21 07:09:02 gke-standard-cluster-2-pool-3-f004381a-0gw6 1557 <14>1 2021-09-21T07:09:02.763Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|null|alert| |TimeReceived=2021-09-21 07:09:00.046851 DeviceSN=xxxxxxxxxxxxx cat=sctp SubType= ConfigVersion= devTime=2021-09-21 07:09:00.046860 src=xxx.xx.x.xx dst=xxx.xx.x.xx NATSource=xxx.xx.x.xx NATDestination=xxx.xx.x.xx Rule=allow-business-apps usrName=paloaltonetwork\xxxxx DestinationUser=paloaltonetworkxxxxx Application=panorama VirtualLocation=vsys1 FromZone=corporate ToZone=untrust InboundInterface=ethernet1/1 OutboundInterface=ethernet1/2 LogSetting=test SessionID=391582 RepeatCount=1 srcPort=3033 dstPort=5496 NATSourcePort=26714 NATDestinationPort=15054 proto=tcp DGHierarchyLevel1=12 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=PA-5220 SequenceNo=6711379990526573312 EndpointAssociationID=2086888838 PayloadProtocolID=-1 VendorSeverity=Critical SctpChunkType=9 SCTPEventType=Kerberos single sign-on failed EventCode=3 VerificationTag1=0x3bae3042 VerificationTag2=0x1911015e SctpCauseCode=0 DiamAppID=-1 DiameterCommandCode=-1 DiamAvpCode=0 StreamID=0 AssocationEndReason= MapAppCode=0 SccpCallingSSN=0 SccpCallingGt= SctpFilter= ChunksTotal=0 ChunksSent=0 ChunksReceived=0 PacketsTotal=0 srcPackets=0 dstPackets=0 RuleUUID= ContainerID= ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL= SourceDynamicAddressGroup= DestinationDynamicAddressGroup= TimeGeneratedHighResolution= devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ
The following table identifies the SCTP field names that the Log Forwarding app uses when you forward logs using the LEEF log format.
When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example,
TRAFFIC
,
THREAT
,
HIPMATCH
, and so forth). The token will appear on a parameter called
profileToken
.
LEEF Name
Query Name
Field Type
EventID
Header
Application
app
Custom
AssocationEndReason
Custom
ChunksReceived
Custom
ChunksSent
Custom
ChunksTotal
Custom
ConfigVersion
Custom
ContainerID
Custom
ContentVersion
Custom
RepeatCount
Custom
CortexDataLakeTenantID
Custom
DestinationDeviceClass
Custom
DestinationDeviceMac
Custom
DestinationDeviceModel
Custom
DestinationDeviceOS
Custom
DestinationDeviceVendor
Custom
DestinationDynamicAddressGroup
Custom
DestinationEDL
Custom
dst
Predefined
DestinationLocation
Custom
dstPort
Predefined
DestinationUser
Custom
DestinationUserDomain
Custom
DestinationUserName
Custom
DestinationUserUUID
Custom
DestinationUUID
Custom
DGHierarchyLevel1
Custom
DGHierarchyLevel2
Custom
DGHierarchyLevel3
Custom
DGHierarchyLevel4
Custom
DiamAppID
Custom
DiamAvpCode
Custom
DiameterCommandCode
Custom
EndpointAssociationID
Custom
EventCode
Custom
SCTPEventType
Custom
FromZone
Custom
InboundInterface
Custom
InboundInterfaceDetailsPort
Custom
InboundInterfaceDetailsSlot
Custom
InboundInterfaceDetailsType
Custom
InboundInterfaceDetailsUnit
Custom
CaptivePortal
Custom
IsClienttoServer
Custom
IsContainer
Custom
IsDecryptMirror
Custom
IsDecryptedPayloadForward
Custom
IsDecryptedLog
Custom
IsDuplicateLog
Custom
LogExported
Custom
LogForwarded
Custom
IsIPV6
Custom
IsInspectrionBeforeSession
Custom
IsMptcpOn
Custom
NAT
Custom
IsNonStandardDestinationPort
Custom
IsPacketCapture
Custom
IsPhishing
Custom
IsPrismaNetwork
Custom
IsPrismaUsers
Custom
IsProxy
Custom
IsReconExcluded
Custom
IsServertoClient
Custom
IsSourceXForwarded
Custom
IsSystemReturn
Custom
IsTransaction
Custom
IsTunnelInspected
Custom
IsURLDenied
Custom
LogSetting
Custom
LogSource
Custom
DeviceSN
Custom
DeviceName
Custom
LogSourceTimeZoneOffset
Custom
TimeReceived
Custom
cat
Predefined
MapAppCode
Custom
NATDestination
Custom
NATDestinationPort
Custom
NATSource
Custom
NATSourcePort
Custom
OutboundInterface
Custom
OutboundInterfaceDetailsPort
Custom
OutboundInterfaceDetailsSlot
Custom
OutboundInterfaceDetailsType
Custom
OutboundInterfaceDetailsUnit
Custom
dstPackets
Predefined
srcPackets
Predefined
PacketsTotal
Custom
PayloadProtocolID
Custom
ContainerName
Custom
ContainerNameSpace
Custom
proto
Predefined
Rule
Custom
RuleUUID
Custom
SccpCallingGt
Custom
SccpCallingSSN
Custom
SctpCauseCode
Custom
SctpChunkType
Custom
SctpFilter
Custom
SequenceNo
Custom
SessionOwnerMidx
Custom
SessionEndReason
Custom
SessionID
Custom
SessionTracker
Custom
Severity
Custom
SourceDeviceClass
Custom
SourceDeviceMac
Custom
SourceDeviceModel
Custom
SourceDeviceOS
Custom
SourceDeviceVendor
Custom
SourceDynamicAddressGroup
Custom
SourceEDL
Custom
src
Predefined
SourceLocation
Custom
srcPort
Predefined
usrName
Predefined
SourceUserDomain
Custom
SourceUserName
Custom
SourceUserUUID
Custom
SourceUUID
Custom
StreamID
Custom
SubType
Custom
devTime
Predefined
TimeGeneratedHighResolution
Custom
ToZone
Custom
Tunnel
Custom
Vendor
Header
VendorSeverity
Custom
VerificationTag1
Custom
VerificationTag2
Custom
VirtualLocation
Custom
VirtualSystemID
Custom
VirtualSystemName
Custom

Recommended For You