Traffic
Traffic logs contain an entry for the end of every network session and, optionally, an entry for the start of a session. A network session can contain multiple messages exchanged between two communicating endpoints.
Whether the firewall writes a log at the start of a session is configurable by the next-generation firewall's administrator. Firewalls are rarely configured to log session starts, because doing so greatly increases log volume. When enabled, session-start logs can be written more than once during a session, most often whenever the firewall has to re-examine its policies to decide whether the session may continue.
Palo Alto Networks next-generation firewalls write log records when appropriate during the course of a network session. Session resource totals such as bytes sent and received, however, are not known until the session has finished, so only the session-end record carries the final totals; it is always the last traffic log written for a session. A consumer that sums bytes or packets across traffic logs should therefore count only session-end records, otherwise sessions that also produced start records are counted more than once.
The table below lists each TRAFFIC field together with the name it carries in each supported log format (Syslog, CEF, EMAIL, HTTPS and LEEF). For Syslog the position of the field is given by the Syslog Field Order rather than by a name.
| Field (display name) | Description | Field name by output format |
|---|---|---|
| action.value (ACTION) | Identifies the action that the firewall took for the network traffic. | Syslog: see Syslog Field Order; CEF: act; EMAIL: Action; HTTPS: Action; LEEF: EventID |
| action_source.value (ACTION SOURCE) | Specifies whether the action taken to allow or block an application was defined in the application or in policy. | Syslog: see Syslog Field Order; CEF: cat; EMAIL: ActionSource; HTTPS: ActionSource; LEEF: ActionSource |
| app (APPLICATION) | Application associated with the network traffic. | Syslog: see Syslog Field Order; CEF: app; EMAIL: Application; HTTPS: Application; LEEF: Application |
| app_category (APPLICATION CATEGORY) | Identifies the high-level family of the application. | CEF: PanOSApplicationCategory; EMAIL: ApplicationCategory; HTTPS: ApplicationCategory; LEEF: ApplicationCategory |
| app_sub_category (APPLICATION SUBCATEGORY) | Identifies the application's subcategory. The subcategory is related to the application's category, which is identified in app_category. | CEF: PanOSApplicationSubcategory; EMAIL: ApplicationSubcategory; HTTPS: ApplicationSubcategory; LEEF: ApplicationSubcategory |
| bytes_received (BYTES RECEIVED) | Number of bytes in the server-to-client network traffic. | Syslog: see Syslog Field Order; CEF: in; EMAIL: BytesReceived; HTTPS: BytesReceived; LEEF: dstBytes |
| bytes_sent (BYTES SENT) | Number of bytes in the client-to-server network traffic. | Syslog: see Syslog Field Order; CEF: out; EMAIL: BytesSent; HTTPS: BytesSent; LEEF: srcBytes |
| bytes_total (BYTES) | Number of total bytes (transmit and receive). | Syslog: see Syslog Field Order; CEF: PanOSBytes; EMAIL: Bytes; HTTPS: Bytes; LEEF: Bytes |
| chunks_received (CHUNKS RECEIVED) | The total number of SCTP data chunks in the server-to-client network traffic. | Syslog: see Syslog Field Order; CEF: PanOSChunksReceived; EMAIL: ChunksReceived; HTTPS: ChunksReceived; LEEF: ChunksReceived |
| chunks_sent (CHUNKS SENT) | The total number of SCTP data chunks in the client-to-server network traffic. | Syslog: see Syslog Field Order; CEF: PanOSChunksSent; EMAIL: ChunksSent; HTTPS: ChunksSent; LEEF: ChunksSent |
| chunks_total (CHUNKS TOTAL) | The total number of SCTP data chunks in the network traffic. | Syslog: see Syslog Field Order; CEF: PanOSChunksTotal; EMAIL: ChunksTotal; HTTPS: ChunksTotal; LEEF: ChunksTotal |
| config_version.value (CONFIG VERSION) | Version number of the firewall operating system that wrote this log record. | Syslog: see Syslog Field Order; CEF: PanOSConfigVersion; EMAIL: ConfigVersion; HTTPS: ConfigVersion; LEEF: ConfigVersion |
| container_id (CONTAINER ID) | Unknown field. No information is available at this time. | Syslog: see Syslog Field Order; CEF: PanOSContainerID; EMAIL: ContainerID; HTTPS: ContainerID; LEEF: ContainerID |
| container_of_app (APPLICATION CONTAINER) | Identifies the managing application or parent of the application associated with this network traffic. | CEF: PanOSApplicationContainer; EMAIL: ApplicationContainer; HTTPS: ApplicationContainer; LEEF: ApplicationContainer |
| count_of_repeats (REPEAT COUNT) | Number of sessions with the same Source IP, Destination IP, Application, and Content/Threat Type seen in the summary interval. | Syslog: see Syslog Field Order; CEF: cnt; EMAIL: RepeatCount; HTTPS: RepeatCount; LEEF: RepeatCount |
| customer_id (CORTEX DATA LAKE TENANT ID) | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. | CEF: PanOSCortexDataLakeTenantID; EMAIL: CortexDataLakeTenantID; HTTPS: CortexDataLakeTenantID; LEEF: CortexDataLakeTenantID |
| dest_device_category (DESTINATION DEVICE CATEGORY) | Category of the device to which the session was directed. | Syslog: see Syslog Field Order; CEF: PanOSDestinationDeviceCategory; EMAIL: DestinationDeviceCategory; HTTPS: DestinationDeviceCategory; LEEF: DestinationDeviceCategory |
| dest_device_class (DESTINATION DEVICE CLASS) | Destination device class. | CEF: PanOSDestinationDeviceClass; EMAIL: DestinationDeviceClass; HTTPS: DestinationDeviceClass; LEEF: DestinationDeviceClass |
| dest_device_host (DESTINATION DEVICE HOST) | Hostname of the device to which the session was directed. | Syslog: see Syslog Field Order; CEF: PanOSDestinationDeviceHost; EMAIL: DestinationDeviceHost; HTTPS: DestinationDeviceHost; LEEF: DestinationDeviceHost |
| dest_device_mac (DESTINATION DEVICE MAC) | MAC address of the device to which the session was directed. | Syslog: see Syslog Field Order; CEF: PanOSDestinationDeviceMac; EMAIL: DestinationDeviceMac; HTTPS: DestinationDeviceMac; LEEF: DestinationDeviceMac |
| dest_device_model (DESTINATION DEVICE MODEL) | Model of the device to which the session was directed. | Syslog: see Syslog Field Order; CEF: PanOSDestinationDeviceModel; EMAIL: DestinationDeviceModel; HTTPS: DestinationDeviceModel; LEEF: DestinationDeviceModel |
| dest_device_os (DESTINATION DEVICE OS) | Destination device OS type. | CEF: PanOSDestinationDeviceOS; EMAIL: DestinationDeviceOS; HTTPS: DestinationDeviceOS; LEEF: DestinationDeviceOS |
| dest_device_osfamily (DESTINATION DEVICE OS FAMILY) | OS family of the device to which the session was directed. | Syslog: see Syslog Field Order; CEF: PanOSDestinationDeviceOSFamily; EMAIL: DestinationDeviceOSFamily; HTTPS: DestinationDeviceOSFamily; LEEF: DestinationDeviceOSFamily |
| dest_device_osversion (DESTINATION DEVICE OS VERSION) | OS version of the device to which the session was directed. | Syslog: see Syslog Field Order; CEF: PanOSDestinationDeviceOSVersion; EMAIL: DestinationDeviceOSVersion; HTTPS: DestinationDeviceOSVersion; LEEF: DestinationDeviceOSVersion |
| dest_device_profile (DESTINATION DEVICE PROFILE) | Profile of the device to which the session was directed. | Syslog: see Syslog Field Order; CEF: PanOSDestinationDeviceProfile; EMAIL: DestinationDeviceProfile; HTTPS: DestinationDeviceProfile; LEEF: DestinationDeviceProfile |
| dest_device_vendor (DESTINATION DEVICE VENDOR) | Vendor of the device to which the session was directed. | Syslog: see Syslog Field Order; CEF: PanOSDestinationDeviceVendor; EMAIL: DestinationDeviceVendor; HTTPS: DestinationDeviceVendor; LEEF: DestinationDeviceVendor |
| dest_dynamic_address_group (DESTINATION DYNAMIC ADDRESS GROUP) | The dynamic address group that Device-ID identifies as the destination for the traffic. | Syslog: see Syslog Field Order; CEF: PanOSDestinationDynamicAddressGroup; EMAIL: DestinationDynamicAddressGroup; HTTPS: DestinationDynamicAddressGroup; LEEF: DestinationDynamicAddressGroup |
| dest_edl (DESTINATION EDL) | The name of the external dynamic list that contains the destination IP address of the traffic. | Syslog: see Syslog Field Order; CEF: PanOSDestinationEDL; EMAIL: DestinationEDL; HTTPS: DestinationEDL; LEEF: DestinationEDL |
| dest_ip.value (DESTINATION ADDRESS) | Original destination IP address. | Syslog: see Syslog Field Order; EMAIL: DestinationAddress; HTTPS: DestinationAddress; LEEF: dst |
| dest_location (DESTINATION LOCATION) | Destination country, or internal region for private addresses. | Syslog: see Syslog Field Order; CEF: PanOSDestinationLocation; EMAIL: DestinationLocation; HTTPS: DestinationLocation; LEEF: DestinationLocation |
| dest_port (DESTINATION PORT) | Network traffic's destination port. If this value is 0, then the app is using its standard port. | Syslog: see Syslog Field Order; CEF: dpt; EMAIL: DestinationPort; HTTPS: DestinationPort; LEEF: dstPort |
| dest_user (DESTINATION USER) | The username to which the network traffic was destined. | Syslog: see Syslog Field Order; CEF: duser; EMAIL: DestinationUser; HTTPS: DestinationUser; LEEF: DestinationUser |
| dest_user_info.domain (DESTINATION USER DOMAIN) | Domain to which the Destination User belongs. | CEF: dntdom; EMAIL: DestinationUserDomain; HTTPS: DestinationUserDomain; LEEF: DestinationUserDomain |
| dest_user_info.name (DESTINATION USER NAME) | The Destination User. That is, the username to which the network traffic was destined. | CEF: duser; EMAIL: DestinationUserName; HTTPS: DestinationUserName; LEEF: DestinationUserName |
| dest_user_info.uuid (DESTINATION USER UUID) | Unique identifier assigned to the Destination User. | CEF: duid; EMAIL: DestinationUserUUID; HTTPS: DestinationUserUUID; LEEF: DestinationUserUUID |
| dest_uuid (DESTINATION UUID) | Identifies the destination universally unique identifier for a guest virtual machine in the VMware NSX environment. | Syslog: see Syslog Field Order; CEF: PanOSDestinationUUID; EMAIL: DestinationUUID; HTTPS: DestinationUUID; LEEF: DestinationUUID |
| dg_hier_level_1 (DG HIERARCHY LEVEL 1) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. | Syslog: see Syslog Field Order; CEF: PanOSDGHierarchyLevel1; EMAIL: DGHierarchyLevel1; HTTPS: DGHierarchyLevel1; LEEF: DGHierarchyLevel1 |
| dg_hier_level_2 (DG HIERARCHY LEVEL 2) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. | Syslog: see Syslog Field Order; CEF: PanOSDGHierarchyLevel2; EMAIL: DGHierarchyLevel2; HTTPS: DGHierarchyLevel2; LEEF: DGHierarchyLevel2 |
| dg_hier_level_3 (DG HIERARCHY LEVEL 3) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. | Syslog: see Syslog Field Order; CEF: PanOSDGHierarchyLevel3; EMAIL: DGHierarchyLevel3; HTTPS: DGHierarchyLevel3; LEEF: DGHierarchyLevel3 |
| dg_hier_level_4 (DG HIERARCHY LEVEL 4) | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. | Syslog: see Syslog Field Order; CEF: PanOSDGHierarchyLevel4; EMAIL: DGHierarchyLevel4; HTTPS: DGHierarchyLevel4; LEEF: DGHierarchyLevel4 |
| dynusergroup_name (DYNAMIC USER GROUP NAME) | Dynamic user group of the user who initiated the network connection. | Syslog: see Syslog Field Order; CEF: PanOSDynamicUserGroupName; EMAIL: DynamicUserGroupName; HTTPS: DynamicUserGroupName; LEEF: DynamicUserGroupName |
| endpoint_serial_number (ENDPOINT SERIAL NUMBER) | Serial number of the host on which GlobalProtect is installed. | Syslog: see Syslog Field Order; CEF: PanOSEndpointSerialNumber; EMAIL: EndpointSerialNumber; HTTPS: EndpointSerialNumber; LEEF: EndpointSerialNumber |
| ep_assoc_id (ENDPOINT ASSOCIATION ID) | The ID assigned to the endpoint association used for the SCTP network traffic. | Syslog: see Syslog Field Order; CEF: PanOSEndpointAssociationID; EMAIL: EndpointAssociationID; HTTPS: EndpointAssociationID; LEEF: EndpointAssociationID |
| from_zone (FROM ZONE) | The networking zone from which the traffic originated. | Syslog: see Syslog Field Order; CEF: cs4; EMAIL: FromZone; HTTPS: FromZone; LEEF: FromZone |
| ha_session_owner (HA SESSION OWNER) | Name of the HA cluster member from which the session failed over. | Syslog: see Syslog Field Order; CEF: PanOSHASessionOwner; EMAIL: HASessionOwner; HTTPS: HASessionOwner; LEEF: HASessionOwner |
| host_id (GP HOST ID) | A unique ID that GlobalProtect assigns to identify the host. | Syslog: see Syslog Field Order; CEF: PanOSGPHostID; EMAIL: GPHostID; HTTPS: GPHostID; LEEF: GPHostID |
| http2_connection (HTTP2 CONNECTION) | Parent session ID for an HTTP/2 connection. If the traffic is not using HTTP/2, this field is set to 0. | Syslog: see Syslog Field Order; CEF: PanOSHTTP2Connection; EMAIL: HTTP2Connection; HTTPS: HTTP2Connection; LEEF: HTTP2Connection |
| inbound_if.value (INBOUND INTERFACE) | Interface from which the network traffic was sourced. | Syslog: see Syslog Field Order; CEF: deviceInboundInterface; EMAIL: InboundInterface; HTTPS: InboundInterface; LEEF: InboundInterface |
| inbound_if_details.port (INBOUND INTERFACE DETAILS PORT) | Hardware port or socket from which the network traffic was sourced. | CEF: PanOSInboundInterfaceDetailsPort; EMAIL: InboundInterfaceDetailsPort; HTTPS: InboundInterfaceDetailsPort; LEEF: InboundInterfaceDetailsPort |
| inbound_if_details.slot (INBOUND INTERFACE DETAILS SLOT) | Interface slot from which the network traffic was sourced. | CEF: PanOSInboundInterfaceDetailsSlot; EMAIL: InboundInterfaceDetailsSlot; HTTPS: InboundInterfaceDetailsSlot; LEEF: InboundInterfaceDetailsSlot |
| inbound_if_details.type.value (INBOUND INTERFACE DETAILS TYPE) | The type of interface from which the network traffic was sourced. | CEF: PanOSInboundInterfaceDetailsType; EMAIL: InboundInterfaceDetailsType; HTTPS: InboundInterfaceDetailsType; LEEF: InboundInterfaceDetailsType |
| inbound_if_details.unit (INBOUND INTERFACE DETAILS UNIT) | Internal use. | CEF: PanOSInboundInterfaceDetailsUnit; EMAIL: InboundInterfaceDetailsUnit; HTTPS: InboundInterfaceDetailsUnit; LEEF: InboundInterfaceDetailsUnit |
| is_captive_portal (CAPTIVE PORTAL) | Indicates if user information for the session was captured through Captive Portal. | CEF: PanOSCaptivePortal; EMAIL: CaptivePortal; HTTPS: CaptivePortal; LEEF: CaptivePortal |
| is_client_to_server (IS CLIENT TO SERVER) | Indicates if the direction of traffic is from client to server. | CEF: PanOSIsClienttoServer; EMAIL: IsClienttoServer; HTTPS: IsClienttoServer; LEEF: IsClienttoServer |
| is_container (IS CONTAINER) | Indicates if the session is a container page access (Container Page). | CEF: PanOSIsContainer; EMAIL: IsContainer; HTTPS: IsContainer; LEEF: IsContainer |
| is_decrypt_mirror (IS DECRYPT MIRROR) | Indicates whether decrypted traffic was sent out in clear text through a mirror port. | CEF: PanOSIsDecryptMirror; EMAIL: IsDecryptMirror; HTTPS: IsDecryptMirror; LEEF: IsDecryptMirror |
| is_decrypted (IS DECRYPTED) | Flag that indicates that the session is decrypted. | CEF: PanOSIsDecrypted; EMAIL: IsDecrypted; HTTPS: IsDecrypted; LEEF: IsDecrypted |
| is_decrypted_payload_fwded (IS DECRYPTED PAYLOAD FORWARD) | Unknown field. No information is available at this time. | CEF: PanOSIsDecryptedPayloadForward; EMAIL: IsDecryptedPayloadForward; HTTPS: IsDecryptedPayloadForward; LEEF: IsDecryptedPayloadForward |
| is_decryption_log (IS DECRYPTED LOG) | Unknown field. No information is available at this time. | CEF: PanOSIsDecryptedLog; EMAIL: IsDecryptedLog; HTTPS: IsDecryptedLog; LEEF: IsDecryptedLog |
| is_dup_log (IS DUPLICATE LOG) | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector. | CEF: PanOSIsDuplicateLog; EMAIL: IsDuplicateLog; HTTPS: IsDuplicateLog; LEEF: IsDuplicateLog |
| is_encrypted (IS ENCRYPTED) | Flag that indicates that the session is encrypted. | CEF: PanOSIsEncrypted; EMAIL: IsEncrypted; HTTPS: IsEncrypted; LEEF: IsEncrypted |
| is_exported (LOG EXPORTED) | Indicates if this log was exported from the firewall using the firewall's log export function. | CEF: PanOSLogExported; EMAIL: LogExported; HTTPS: LogExported; LEEF: LogExported |
| is_forwarded (LOG FORWARDED) | Internal-use field that indicates if the log is being forwarded. | CEF: PanOSLogForwarded; EMAIL: LogForwarded; HTTPS: LogForwarded; LEEF: LogForwarded |
| is_ipv6 (IS IPV6) | Indicates whether IPv6 was used for the session. | CEF: PanOSIsIPV6; EMAIL: IsIPV6; HTTPS: IsIPV6; LEEF: IsIPV6 |
| is_l7_inspection_b4_session (IS INSPECTION BEFORE SESSION) | Unknown field. No information is available at this time. | CEF: PanOSIsInspectionBeforeSession; EMAIL: IsInspectionBeforeSession; HTTPS: IsInspectionBeforeSession; LEEF: IsInspectionBeforeSession |
| is_mptcp_on (IS MPTCP ON) | Indicates whether the option is enabled on the next-generation firewall that allows a client to use multiple paths to connect to a destination host. | CEF: PanOSIsMptcpOn; EMAIL: IsMptcpOn; HTTPS: IsMptcpOn; LEEF: IsMptcpOn |
| is_non_std_dest_port (IS NON STANDARD DESTINATION PORT) | Indicates if the destination port is non-standard for the identified application. | CEF: PanOSIsNonStandardDestinationPort; EMAIL: IsNonStandardDestinationPort; HTTPS: IsNonStandardDestinationPort; LEEF: IsNonStandardDestinationPort |
| is_offloaded (IS OFFLOADED) | Indicates whether the traffic flow is offloaded to hardware before the packets enter the Linux kernel on VM-Series/CN-Series. | CEF: PanOSIsOffloaded; EMAIL: IsOffloaded; HTTPS: IsOffloaded; LEEF: IsOffloaded |
| is_packet_capture (IS PACKET CAPTURE) | Indicates whether the session has a packet capture (PCAP). | CEF: PanOSIsPacketCapture; EMAIL: IsPacketCapture; HTTPS: IsPacketCapture; LEEF: IsPacketCapture |
| is_phishing (IS PHISHING) | Indicates whether enterprise credentials were submitted by an end user. | CEF: PanOSIsPhishing; EMAIL: IsPhishing; HTTPS: IsPhishing; LEEF: IsPhishing |
| is_prisma_branch (IS PRISMA NETWORK) | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. | CEF: PanOSIsPrismaNetwork; EMAIL: IsPrismaNetwork; HTTPS: IsPrismaNetwork; LEEF: IsPrismaNetwork |
| is_prisma_mobile (IS PRISMA USERS) | Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. | CEF: PanOSIsPrismaUsers; EMAIL: IsPrismaUsers; HTTPS: IsPrismaUsers; LEEF: IsPrismaUsers |
| is_proxy (IS PROXY) | Indicates whether the SSL session is decrypted (SSL Proxy). | CEF: PanOSIsProxy; EMAIL: IsProxy; HTTPS: IsProxy; LEEF: IsProxy |
| is_recon_excluded (IS RECON EXCLUDED) | Indicates whether the source of the flow is on the firewall allow list and therefore not subject to reconnaissance protection. | CEF: PanOSIsReconExcluded; EMAIL: IsReconExcluded; HTTPS: IsReconExcluded; LEEF: IsReconExcluded |
| is_saas_app (IS SAAS APPLICATION) | Internal-use field. Indicates whether the application associated with this network traffic is a SaaS application. | CEF: PanOSIsSaaSApplication; EMAIL: IsSaaSApplication; HTTPS: IsSaaSApplication; LEEF: IsSaaSApplication |
| is_server_to_client (IS SERVER TO CLIENT) | Indicates if the direction of traffic is from server to client. | CEF: PanOSIsServertoClient; EMAIL: IsServertoClient; HTTPS: IsServertoClient; LEEF: IsServertoClient |
| is_source_x_fwded (IS SOURCE X FORWARDED) | Indicates whether the X-Forwarded-For value from a proxy is in the source user field. | CEF: PanOSIsSourceXForwarded; EMAIL: IsSourceXForwarded; HTTPS: IsSourceXForwarded; LEEF: IsSourceXForwarded |
| is_sym_return (IS SYSTEM RETURN) | Indicates whether symmetric return was used to forward traffic for this session. | CEF: PanOSIsSystemReturn; EMAIL: IsSystemReturn; HTTPS: IsSystemReturn; LEEF: IsSystemReturn |
| is_transaction (IS TRANSACTION) | Indicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction). | CEF: PanOSIsTransaction; EMAIL: IsTransaction; HTTPS: IsTransaction; LEEF: IsTransaction |
| is_tunnel_inspected (IS TUNNEL INSPECTED) | Indicates whether the payload for the outer tunnel was inspected. | CEF: PanOSIsTunnelInspected; EMAIL: IsTunnelInspected; HTTPS: IsTunnelInspected; LEEF: IsTunnelInspected |
| is_url_denied (IS URL DENIED) | Indicates whether the session was denied due to a URL filtering rule. | CEF: PanOSIsURLDenied; EMAIL: IsURLDenied; HTTPS: IsURLDenied; LEEF: IsURLDenied |
| link_change_count (LINK CHANGE COUNT) | Number of times the SD-WAN link switched during the session. | Syslog: see Syslog Field Order; CEF: PanOSLinkChangeCount; EMAIL: LinkChangeCount; HTTPS: LinkChangeCount; LEEF: LinkChangeCount |
| link_switches (LINK SWITCHES) | Details of the link switches (up to 4). | Syslog: see Syslog Field Order; CEF: PanOSLinkSwitches; EMAIL: LinkSwitches; HTTPS: LinkSwitches; LEEF: LinkSwitches |
| location (PRISMA ACCESS LOCATION) | Prisma Access region/location. | CEF: PanOSLocation; EMAIL: Location; HTTPS: Location; LEEF: Location |
| log_set (LOG SETTING) | Name of the log forwarding profile that was applied to the session. This name was defined by the firewall's administrator. | Syslog: see Syslog Field Order; CEF: cs6; EMAIL: LogSetting; HTTPS: LogSetting; LEEF: LogSetting |
| log_source (LOG SOURCE) | Identifies the origin of the data. That is, the system that produced the data. | CEF: PanOSLogSource; EMAIL: LogSource; HTTPS: LogSource; LEEF: LogSource |
| log_source_group_id (LOG SOURCE GROUP ID) | The ID of the Cloud NGFW resource. | CEF: LogSourceGroupID; EMAIL: LogSourceGroupID; HTTPS: LogSourceGroupID; LEEF: LogSourceGroupID |
| log_source_id (DEVICE SN) | ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. If the log is generated by Prisma Access, the serial number is not displayed. | Syslog: see Syslog Field Order; CEF: deviceExternalId; EMAIL: DeviceSN; HTTPS: DeviceSN; LEEF: DeviceSN |
| log_source_name (DEVICE NAME) | Name of the source of the log. That is, the hostname of the firewall that logged the network traffic. | Syslog: see Syslog Field Order; CEF: dvchost; EMAIL: DeviceName; HTTPS: DeviceName; LEEF: DeviceName |
| log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET) | Time zone offset from GMT of the source of the log. | CEF: PanOSLogSourceTimeZoneOffset; EMAIL: LogSourceTimeZoneOffset; HTTPS: LogSourceTimeZoneOffset; LEEF: LogSourceTimeZoneOffset |
| log_time (TIME RECEIVED) | Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch. | Syslog: see Syslog Field Order; CEF: rt; EMAIL: TimeReceived; HTTPS: TimeReceived; LEEF: TimeReceived |
| log_type.value (LOG TYPE) | Identifies the log type. | Syslog: see Syslog Field Order; CEF: Device Event Class ID (header field); EMAIL: LogType; HTTPS: LogType; LEEF: cat |
| monitor_tag_imei (IMEI) | A string used to group similar traffic together for logging and reporting. This value is globally defined on the firewall by the administrator. | Syslog: see Syslog Field Order; CEF: PanOSIMEI; EMAIL: IMEI; HTTPS: IMEI; LEEF: IMEI |
| nat_dest.value (NAT DESTINATION) | If destination NAT was performed, the post-NAT destination IP address. | Syslog: see Syslog Field Order; CEF: destinationTranslatedAddress; EMAIL: NATDestination; HTTPS: NATDestination; LEEF: dstPostNAT |
| nat_dest_port (NAT DESTINATION PORT) | Post-NAT destination port. | Syslog: see Syslog Field Order; CEF: destinationTranslatedPort; EMAIL: NATDestinationPort; HTTPS: NATDestinationPort; LEEF: dstPostNATPort |
| nat_source.value (NAT SOURCE) | If source NAT was performed, the post-NAT source IP address. | Syslog: see Syslog Field Order; CEF: sourceTranslatedAddress; EMAIL: NATSource; HTTPS: NATSource; LEEF: srcPostNAT |
| nat_source_port (NAT SOURCE PORT) | Post-NAT source port. | Syslog: see Syslog Field Order; CEF: sourceTranslatedPort; EMAIL: NATSourcePort; HTTPS: NATSourcePort; LEEF: srcPostNATPort |
| non_standard_dest_port (NON STANDARD DESTINATION PORT) | Identifies the non-standard or unexpected port used by the application associated with this session. | CEF: PanOSNonStandardDestinationPort; EMAIL: NonStandardDestinationPort; HTTPS: NonStandardDestinationPort; LEEF: NonStandardDestinationPort |
| nssai_network_slice_differentiator.value (NSSAI NETWORK SLICE DIFFERENTIATOR) | Network Slice Differentiator (SD part of S-NSSAI). | Syslog: see Syslog Field Order; CEF: PanOSNSSAINetworkSliceDifferentiator; EMAIL: NSSAINetworkSliceDifferentiator; HTTPS: NSSAINetworkSliceDifferentiator; LEEF: NSSAINetworkSliceDifferentiator |
| nssai_network_slice_type.value (NSSAI NETWORK SLICE TYPE) | Network Slice Type (SST part of S-NSSAI). | Syslog: see Syslog Field Order; CEF: PanOSNSSAINetworkSliceType; EMAIL: NSSAINetworkSliceType; HTTPS: NSSAINetworkSliceType; LEEF: NSSAINetworkSliceType |
| outbound_if.value (OUTBOUND INTERFACE) | Interface to which the network traffic was destined. | Syslog: see Syslog Field Order; CEF: deviceOutboundInterface; EMAIL: OutboundInterface; HTTPS: OutboundInterface; LEEF: OutboundInterface |
| outbound_if_details.port (OUTBOUND INTERFACE DETAILS PORT) | Hardware port or socket to which the network traffic was sent. | CEF: PanOSOutboundInterfaceDetailsPort; EMAIL: OutboundInterfaceDetailsPort; HTTPS: OutboundInterfaceDetailsPort; LEEF: OutboundInterfaceDetailsPort |
| outbound_if_details.slot (OUTBOUND INTERFACE DETAILS SLOT) | Interface slot to which the network traffic was sent. | CEF: PanOSOutboundInterfaceDetailsSlot; EMAIL: OutboundInterfaceDetailsSlot; HTTPS: OutboundInterfaceDetailsSlot; LEEF: OutboundInterfaceDetailsSlot |
| outbound_if_details.type.value (OUTBOUND INTERFACE DETAILS TYPE) | The type of interface to which the network traffic was sent. | CEF: PanOSOutboundInterfaceDetailsType; EMAIL: OutboundInterfaceDetailsType; HTTPS: OutboundInterfaceDetailsType; LEEF: OutboundInterfaceDetailsType |
| outbound_if_details.unit (OUTBOUND INTERFACE DETAILS UNIT) | Internal use. | CEF: PanOSOutboundInterfaceDetailsUnit; EMAIL: OutboundInterfaceDetailsUnit; HTTPS: OutboundInterfaceDetailsUnit; LEEF: OutboundInterfaceDetailsUnit |
| packets_received (PACKETS RECEIVED) | Number of server-to-client packets for the session. | Syslog: see Syslog Field Order; CEF: PanOSPacketsReceived; EMAIL: PacketsReceived; HTTPS: PacketsReceived; LEEF: dstPackets |
| packets_sent (PACKETS SENT) | Number of client-to-server packets for the session. | Syslog: see Syslog Field Order; CEF: PanOSPacketsSent; EMAIL: PacketsSent; HTTPS: PacketsSent; LEEF: srcPackets |
| packets_total (PACKETS TOTAL) | Number of total packets (transmit and receive) seen for the session. | Syslog: see Syslog Field Order; CEF: cn2; EMAIL: PacketsTotal; HTTPS: PacketsTotal; LEEF: totalPackets |
| panorama_serial (PANORAMA SN) | Serial number of the Panorama associated with the Cortex Data Lake instance. | CEF: PanOSPanoramaSN; EMAIL: PanoramaSN; HTTPS: PanoramaSN; LEEF: PanoramaSN |
| parent_session_id (PARENT SESSION ID) | ID of the session in which this network traffic was tunneled. | Syslog: see Syslog Field Order; CEF: PanOSParentSessionID; EMAIL: ParentSessionID; HTTPS: ParentSessionID; LEEF: ParentSessionID |
| parent_start_time (PARENT START TIME) | Time that the parent session began. This string contains a timestamp value that is the number of microseconds since the Unix epoch. | Syslog: see Syslog Field Order; CEF: PanOSParentStarttime; EMAIL: ParentStarttime; HTTPS: ParentStarttime; LEEF: ParentStarttime |
| pod_name (CONTAINER NAME) | Container name. | Syslog: see Syslog Field Order; CEF: PanOSContainerName; EMAIL: ContainerName; HTTPS: ContainerName; LEEF: ContainerName |
| pod_namespace (CONTAINER NAME SPACE) | Container namespace. | Syslog: see Syslog Field Order; CEF: PanOSContainerNameSpace; EMAIL: ContainerNameSpace; HTTPS: ContainerNameSpace; LEEF: ContainerNameSpace |
| policy_id (SDWAN POLICY NAME) | Name of the SD-WAN policy. | Syslog: see Syslog Field Order; CEF: PanOSSDWANPolicyName; EMAIL: SDWANPolicyName; HTTPS: SDWANPolicyName; LEEF: SDWANPolicyName |
| protocol.value (PROTOCOL) | IP protocol associated with the session. | Syslog: see Syslog Field Order; CEF: proto; EMAIL: Protocol; HTTPS: Protocol; LEEF: proto |
| risk_of_app (APPLICATION RISK) | Indicates how risky the application is from a network security perspective. | CEF: PanOSApplicationRisk; EMAIL: ApplicationRisk; HTTPS: ApplicationRisk; LEEF: ApplicationRisk |
| rule_matched (RULE) | Name of the security policy rule that the network traffic matched. | Syslog: see Syslog Field Order; CEF: cs1; EMAIL: Rule; HTTPS: Rule; LEEF: Rule |
| rule_matched_uuid (RULE UUID) | Unique identifier for the security policy rule that the network traffic matched. | Syslog: see Syslog Field Order; CEF: PanOSRuleUUID; EMAIL: RuleUUID; HTTPS: RuleUUID; LEEF: RuleUUID |
| sanctioned_state_of_app (SANCTIONED STATE OF APP) | Indicates whether the application has been flagged as sanctioned by the firewall administrator. | CEF: PanOSSanctionedStateOfApp; EMAIL: SanctionedStateOfApp; HTTPS: SanctionedStateOfApp; LEEF: SanctionedStateOfApp |
| sdwan_FEC_ratio (SDWAN FEC RATIO) | SD-WAN forward error correction (FEC) ratio. | CEF: PanOSSDWANFECRatio; EMAIL: SDWANFECRatio; HTTPS: SDWANFECRatio; LEEF: SDWANFECRatio |
| sdwan_cluster (SDWAN CLUSTER) | Name of the SD-WAN cluster. | |
Syslog field name: Syslog Field Order CEF field name: PanOSSDWANCluster EMAIL field name: SDWANCluster HTTPS field name: SDWANCluster LEEF field name: SDWANCluster |
sdwan_cluster_type
(SDWAN CLUSTER TYPE)
|
Type of SD-WAN cluster. Either mesh or hub-spoke .
Syslog field name: Syslog Field Order CEF field name: PanOSSDWANClusterType EMAIL field name: SDWANClusterType HTTPS field name: SDWANClusterType LEEF field name: SDWANClusterType |
sdwan_device_type
(SDWAN DEVICE TYPE)
|
Type of SD-WAN device. Either hub or branch .
Syslog field name: Syslog Field Order CEF field name: PanOSSDWANDeviceType EMAIL field name: SDWANDeviceType HTTPS field name: SDWANDeviceType LEEF field name: SDWANDeviceType |
sdwan_site
(SDWAN SITE)
|
Name of the SD-WAN site.
Syslog field name: Syslog Field Order CEF field name: PanOSSDWANSite EMAIL field name: SDWANSite HTTPS field name: SDWANSite LEEF field name: SDWANSite |
sequence_no
(SEQUENCE NO)
|
The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
Syslog field name: Syslog Field Order CEF field name: externalId EMAIL field name: SequenceNo HTTPS field name: SequenceNo LEEF field name: SequenceNo |
sess_owner_rt_midx
(SESSION OWNER MIDX)
|
Unknown field. No information is available at this time.
CEF field name: PanOSSessionOwnerMidx EMAIL field name: SessionOwnerMidx HTTPS field name: SessionOwnerMidx LEEF field name: SessionOwnerMidx |
session_end_reason.value
(SESSION END REASON)
|
The reason a session terminated.
Syslog field name: Syslog Field Order CEF field name: reason EMAIL field name: SessionEndReason HTTPS field name: SessionEndReason LEEF field name: SessionEndReason |
session_id
(SESSION ID)
|
Identifies the firewall's internal identifier for a specific network session.
Syslog field name: Syslog Field Order CEF field name: cn1 EMAIL field name: SessionID HTTPS field name: SessionID LEEF field name: SessionID |
session_start_time
(SESSION START TIME)
|
Time when the session was established. This string contains a timestamp value that is the
number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order CEF field name: PanOSSessionStartTime EMAIL field name: SessionStartTime HTTPS field name: SessionStartTime LEEF field name: SessionStartTime |
session_tracker
(SESSION TRACKER)
|
Unknown field. No information is available at this time.
CEF field name: PanOSSessionTracker EMAIL field name: SessionTracker HTTPS field name: SessionTracker LEEF field name: SessionTracker |
source_device_category
(SOURCE DEVICE CATEGORY)
|
Category of the device from which the session originated.
Syslog field name: Syslog Field Order CEF field name: PanOSSourceDeviceCategory EMAIL field name: SourceDeviceCategory HTTPS field name: SourceDeviceCategory LEEF field name: SourceDeviceCategory |
source_device_class
(SOURCE DEVICE CLASS)
|
Source device class.
CEF field name: PanOSSourceDeviceClass EMAIL field name: SourceDeviceClass HTTPS field name: SourceDeviceClass LEEF field name: SourceDeviceClass |
source_device_host
(SOURCE DEVICE HOST)
|
Hostname of the device from which the session originated.
Syslog field name: Syslog Field Order CEF field name: PanOSSourceDeviceHost EMAIL field name: SourceDeviceHost HTTPS field name: SourceDeviceHost LEEF field name: SourceDeviceHost |
source_device_mac
(SOURCE DEVICE MAC)
|
MAC Address of the device from which the session originated.
Syslog field name: Syslog Field Order CEF field name: PanOSSourceDeviceMac EMAIL field name: SourceDeviceMac HTTPS field name: SourceDeviceMac LEEF field name: SourceDeviceMac |
source_device_model
(SOURCE DEVICE MODEL)
|
Model of the device from which the session originated.
Syslog field name: Syslog Field Order CEF field name: PanOSSourceDeviceModel EMAIL field name: SourceDeviceModel HTTPS field name: SourceDeviceModel LEEF field name: SourceDeviceModel |
source_device_os
(SOURCE DEVICE OS)
|
Source device OS type.
CEF field name: PanOSSourceDeviceOS EMAIL field name: SourceDeviceOS HTTPS field name: SourceDeviceOS LEEF field name: SourceDeviceOS |
source_device_osfamily
(SOURCE DEVICE OS FAMILY)
|
OS family of the device from which the session originated.
Syslog field name: Syslog Field Order CEF field name: PanOSSourceDeviceOSFamily EMAIL field name: SourceDeviceOSFamily HTTPS field name: SourceDeviceOSFamily LEEF field name: SourceDeviceOSFamily |
source_device_osversion
(SOURCE DEVICE OS VERSION)
|
OS version of the device from which the session originated.
Syslog field name: Syslog Field Order CEF field name: PanOSSourceDeviceOSVersion EMAIL field name: SourceDeviceOSVersion HTTPS field name: SourceDeviceOSVersion LEEF field name: SourceDeviceOSVersion |
source_device_profile
(SOURCE DEVICE PROFILE)
|
Profile of the device from which the session originated.
Syslog field name: Syslog Field Order CEF field name: PanOSSourceDeviceProfile EMAIL field name: SourceDeviceProfile HTTPS field name: SourceDeviceProfile LEEF field name: SourceDeviceProfile |
source_device_vendor
(SOURCE DEVICE VENDOR)
|
Vendor of the device from which the session originated.
Syslog field name: Syslog Field Order CEF field name: PanOSSourceDeviceVendor EMAIL field name: SourceDeviceVendor HTTPS field name: SourceDeviceVendor LEEF field name: SourceDeviceVendor |
source_dynamic_address_group
(SOURCE DYNAMIC ADDRESS GROUP)
|
The dynamic address group that Device-ID identifies as the source of the traffic.
Syslog field name: Syslog Field Order CEF field name: PanOSSourceDynamicAddressGroup EMAIL field name: SourceDynamicAddressGroup HTTPS field name: SourceDynamicAddressGroup LEEF field name: SourceDynamicAddressGroup |
source_edl
(SOURCE EDL)
|
The name of the external dynamic list that contains the source IP address of the traffic.
Syslog field name: Syslog Field Order CEF field name: PanOSSourceEDL EMAIL field name: SourceEDL HTTPS field name: SourceEDL LEEF field name: SourceEDL |
source_ip.value
(SOURCE ADDRESS)
|
Original source IP address.
Syslog field name: Syslog Field Order EMAIL field name: SourceAddress HTTPS field name: SourceAddress LEEF field name: src |
source_location
(SOURCE LOCATION)
|
Source country or internal region for private addresses.
Syslog field name: Syslog Field Order CEF field name: PanOSSourceLocation EMAIL field name: SourceLocation HTTPS field name: SourceLocation LEEF field name: SourceLocation |
source_port
(SOURCE PORT)
|
Source port utilized by the session.
Syslog field name: Syslog Field Order CEF field name: spt EMAIL field name: SourcePort HTTPS field name: SourcePort LEEF field name: srcPort |
source_user
(SOURCE USER)
|
The username that initiated the network traffic.
Syslog field name: Syslog Field Order CEF field name: suser EMAIL field name: SourceUser HTTPS field name: SourceUser LEEF field name: usrName |
source_user_info.domain
(SOURCE USER DOMAIN)
|
Domain to which the Source User belongs.
CEF field name: sntdom EMAIL field name: SourceUserDomain HTTPS field name: SourceUserDomain LEEF field name: SourceUserDomain |
source_user_info.name
(SOURCE USER NAME)
|
The Source User. That is, the username that initiated the network traffic.
CEF field name: suser EMAIL field name: SourceUserName HTTPS field name: SourceUserName LEEF field name: SourceUserName |
source_user_info.uuid
(SOURCE USER UUID)
|
Unique identifier assigned to the Source User.
CEF field name: suid EMAIL field name: SourceUserUUID HTTPS field name: SourceUserUUID LEEF field name: SourceUserUUID |
source_uuid
(SOURCE UUID)
|
Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment.
Syslog field name: Syslog Field Order CEF field name: PanOSSourceUUID EMAIL field name: SourceUUID HTTPS field name: SourceUUID LEEF field name: SourceUUID |
sub_type.value
(SUBTYPE)
|
Identifies the log subtype.
Syslog field name: Syslog Field Order CEF field name: Name EMAIL field name: Subtype HTTPS field name: Subtype LEEF field name: SubType |
technology_of_app
(APPLICATION TECHNOLOGY)
|
The networking technology used by the identified application.
CEF field name: PanOSApplicationTechnology EMAIL field name: ApplicationTechnology HTTPS field name: ApplicationTechnology LEEF field name: ApplicationTechnology |
time_generated
(TIME GENERATED)
|
Time when the log was generated on the firewall's data plane. This string contains a
timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order CEF field name: start EMAIL field name: TimeGenerated HTTPS field name: TimeGenerated LEEF field name: devTime |
time_generated_high_res
(TIME GENERATED HIGH RESOLUTION)
|
Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
Syslog field name: Syslog Field Order CEF field name: PanOSTimeGeneratedHighResolution EMAIL field name: TimeGeneratedHighResolution HTTPS field name: TimeGeneratedHighResolution LEEF field name: TimeGeneratedHighResolution |
to_zone
(TO ZONE)
|
Networking zone to which the traffic was sent.
Syslog field name: Syslog Field Order CEF field name: cs5 EMAIL field name: ToZone HTTPS field name: ToZone LEEF field name: ToZone |
total_time_elapsed
(SESSION DURATION)
|
Total time taken for the network session to complete.
Syslog field name: Syslog Field Order CEF field name: cn3 EMAIL field name: SessionDuration HTTPS field name: SessionDuration LEEF field name: SessionDuration |
tunnel.value
(TUNNEL)
|
Type of tunnel.
Syslog field name: Syslog Field Order CEF field name: PanOSTunnel EMAIL field name: Tunnel HTTPS field name: Tunnel LEEF field name: Tunnel |
tunneled_app
(TUNNELED APPLICATION)
|
For internal use only.
CEF field name: PanOSTunneledApplication EMAIL field name: TunneledApplication HTTPS field name: TunneledApplication LEEF field name: TunneledApplication |
tunnelid_imsi
(IMSI)
|
ID of the tunnel being inspected or the International Mobile Subscriber Identity (IMSI) ID of the mobile user.
Syslog field name: Syslog Field Order CEF field name: PanOSIMSI EMAIL field name: IMSI HTTPS field name: IMSI LEEF field name: IMSI |
url_category.value
(URL CATEGORY)
|
URL category associated with the session.
Syslog field name: Syslog Field Order CEF field name: cs2 EMAIL field name: URLCategory HTTPS field name: URLCategory LEEF field name: URLCategory |
users
(USERS)
|
Source/Destination user. If neither is available, source_ip is used.
CEF field name: PanOSUsers EMAIL field name: Users HTTPS field name: Users LEEF field name: Users |
vendor_name
(VENDOR NAME)
|
Identifies the vendor that produced the data.
CEF field name: Device Vendor EMAIL field name: VendorName HTTPS field name: VendorName LEEF field name: Vendor |
vsys
(VIRTUAL LOCATION)
|
String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order CEF field name: cs3 EMAIL field name: VirtualLocation HTTPS field name: VirtualLocation LEEF field name: VirtualLocation |
vsys_id
(VIRTUAL SYSTEM ID)
|
A unique identifier for a virtual system on a Palo Alto Networks firewall.
CEF field name: PanOSVirtualSystemID EMAIL field name: VirtualSystemID HTTPS field name: VirtualSystemID LEEF field name: VirtualSystemID |
vsys_name
(VIRTUAL SYSTEM NAME)
|
The name of the virtual system associated with the network traffic.
Syslog field name: Syslog Field Order CEF field name: PanOSVirtualSystemName EMAIL field name: VirtualSystemName HTTPS field name: VirtualSystemName LEEF field name: VirtualSystemName |
xff_ip.value
(X-FORWARDED-FOR IP)
|
X-Forwarded-For IP.
Syslog field name: Syslog Field Order CEF field name: PanOSX-Forwarded-ForIP EMAIL field name: X-Forwarded-ForIP HTTPS field name: X-Forwarded-ForIP LEEF field name: X-Forwarded-ForIP |