Threat Syslog Default Field Order
Table of Contents
Threat Syslog Default Field Order
Example Threat log in Syslog:
Oct 13 01:12:15 gke-standard-cluster-2-pool-1-6ea9f13a-moqf 1028 <142>1 2020-10-13T01:12:15.892Z stream-logfwd20-156653024-10121421-eq28-harness-16kn logforwarder - panwlogs - 1,2020-10-13T01:12:03.000000Z,007051000113358,THREAT,wildfire,10.0,2020-10-13T01:11:59.000000Z,fe80:aa33:abcd:444:7202:b3ff:fe1e:8329,fe80:55ee:ee89:abcd:e202:b3ff:fe1e:8329,xxx.xx.x.xx,xxx.xx.x.xx,allow-all-employees,paloaltonetwork\xxxxx,"xxxxx\xxxxx o"xxxxxxxxxx"'"xxxxxxxxxx"test",xunlei-kankan,vsys1,dmz,ethernet4Zone-test4,,,rs-logging,,721482,1,25342,442,16758,29009,2899968,tcp,block-ip,some other fake filename,21000,,Low,server to client,400993366,-6917529027641081856,chicago,US,,,0,885e78ce802e42561193c1d76bd3a7ac3e2fec291508e6ba75d1e10ddb522869,"xxxxxxxxxx",0,,filetype_name3,,,,,,10003,0,0,0,0,,PA-VM,,,,,0,,0,,N/A,unknown,50118,0,,,,,75fd49ee-9899-4257-94f3-54abc79faa5a,0,,xxx.xx.x.xx,S-Phone,s-profile,Redmi,Xiaomi,5 Plus,Android v8.2,pan-603,264570122566,S-Phone,s-profile,S9,Samsung,Galaxy,Android v9,pan-121,180872328842,1873cc5c-0d31,pns_default,pan-dp-77754f4,,,6060606060,XM0000001,,,,0,2020-10-13T01:12:00.306000Z,,,172,ac
The following identifies the default field order for filters
migrated from an earlier version of the log forwarding application.
For log filters created after that migration, you specify the field order when you
create a log filter
by specifying the columns you want to receive.
The fields are identified in the default order that they appear in each log
line.
HEADER, log_time, log_source_id, log_type.value, sub_type.value, config_version.value, time_generated, source_ip.value, dest_ip.value, nat_source.value, nat_dest.value, rule_matched, source_user, dest_user, app, vsys, from_zone, to_zone, inbound_if.value, outbound_if.value, log_set, EMPTY, session_id, count_of_repeats, source_port, dest_port, nat_source_port, nat_dest_port, flags, protocol.value, action.value, file_name, threat_id, url_category.value, vendor_severity.value, direction_of_attack.value, sequence_no, action_flags, source_location, dest_location, EMPTY, EMPTY, pcap_id, file_sha_256, cloud, url_idx, EMPTY, file_type, EMPTY, EMPTY, sender_of_virus, subject_of_email, recipient_of_virus, report_id, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, log_source_name, EMPTY, source_uuid, dest_uuid, EMPTY, tunnelid_imsi, monitor_tag_imei, parent_session_id, parent_start_time, tunnel.value, threat_category.value, content_version, sig_flags, EMPTY, EMPTY, EMPTY, EMPTY, rule_matched_uuid, http2_connection, dynusergroup_name, xff_ip.value, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_osfamily, source_device_osversion, source_device_host, source_device_mac, dest_device_category, dest_device_profile, dest_device_model, dest_device_vendor, dest_device_osfamily, dest_device_osversion, dest_device_host, dest_device_mac, container_id, pod_namespace, pod_name, source_edl, dest_edl, host_id, endpoint_serial_number, domain_edl, source_dynamic_address_group, dest_dynamic_address_group, partial_hash, time_generated_high_res, EMPTY, EMPTY, nssai_network_slice_type.value