Threat Syslog Default Field Order

Example Threat log in Syslog:
Oct 13 01:12:15 gke-standard-cluster-2-pool-1-6ea9f13a-moqf 1028 <142>1 2020-10-13T01:12:15.892Z stream-logfwd20-156653024-10121421-eq28-harness-16kn logforwarder - panwlogs - 1,2020-10-13T01:12:03.000000Z,007051000113358,THREAT,wildfire,10.0,2020-10-13T01:11:59.000000Z,fe80:aa33:abcd:444:7202:b3ff:fe1e:8329,fe80:55ee:ee89:abcd:e202:b3ff:fe1e:8329,xxx.xx.x.xx,xxx.xx.x.xx,allow-all-employees,paloaltonetwork\xxxxx,"xxxxx\xxxxx o"xxxxxxxxxx"'"xxxxxxxxxx"test",xunlei-kankan,vsys1,dmz,ethernet4Zone-test4,,,rs-logging,,721482,1,25342,442,16758,29009,2899968,tcp,block-ip,some other fake filename,21000,,Low,server to client,400993366,-6917529027641081856,chicago,US,,,0,885e78ce802e42561193c1d76bd3a7ac3e2fec291508e6ba75d1e10ddb522869,"xxxxxxxxxx",0,,filetype_name3,,,,,,10003,0,0,0,0,,PA-VM,,,,,0,,0,,N/A,unknown,50118,0,,,,,75fd49ee-9899-4257-94f3-54abc79faa5a,0,,xxx.xx.x.xx,S-Phone,s-profile,Redmi,Xiaomi,5 Plus,Android v8.2,pan-603,264570122566,S-Phone,s-profile,S9,Samsung,Galaxy,Android v9,pan-121,180872328842,1873cc5c-0d31,pns_default,pan-dp-77754f4,,,6060606060,XM0000001,,,,0,2020-10-13T01:12:00.306000Z,,,172,ac
The following lists the fields that a Threat log contains by default when you forward logs to a syslog receiver, in the order in which they appear in each log line. EMPTY marks a reserved position that is present in the line but carries no value.
HEADER, log_time, log_source_id, log_type.value, sub_type.value, config_version.value, time_generated, source_ip.value, dest_ip.value, nat_source.value, nat_dest.value, rule_matched, source_user, dest_user, app, vsys, from_zone, to_zone, inbound_if.value, outbound_if.value, log_set, EMPTY, session_id, count_of_repeats, source_port, dest_port, nat_source_port, nat_dest_port, flags, protocol.value, action.value, file_name, threat_id, url_category.value, vendor_severity.value, direction_of_attack.value, sequence_no, action_flags, source_location, dest_location, EMPTY, EMPTY, pcap_id, file_sha_256, cloud, url_idx, EMPTY, file_type, EMPTY, EMPTY, sender_of_virus, subject_of_email, recipient_of_virus, report_id, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, log_source_name, EMPTY, source_uuid, dest_uuid, EMPTY, tunnelid_imsi, monitor_tag_imei, parent_session_id, parent_start_time, tunnel.value, threat_category.value, content_version, sig_flags, EMPTY, EMPTY, EMPTY, EMPTY, rule_matched_uuid, http2_connection, dynusergroup_name, xff_ip.value, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_osfamily, source_device_osversion, source_device_host, source_device_mac, dest_device_category, dest_device_profile, dest_device_model, dest_device_vendor, dest_device_osfamily, dest_device_osversion, dest_device_host, dest_device_mac, container_id, pod_namespace, pod_name, source_edl, dest_edl, host_id, endpoint_serial_number, domain_edl, source_dynamic_address_group, dest_dynamic_address_group, partial_hash, time_generated_high_res, EMPTY, EMPTY, nssai_network_slice_type.value