Traffic CEF Fields

Example Traffic log in CEF:
Mar 1 20:46:50 xxx.xx.x.xx 4581 <14>1 2021-03-01T20:46:50.869Z stream-logfwd20-587718190-03011242-xynu-harness-zpqg logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|end|3|ProfileToken=xxxxx dtz=UTC rt=Feb 27 2021 20:16:21 deviceExternalId=xxxxxxxxxxxxx PanOSApplicationContainer= PanOSApplicationRisk=5 PanOSApplicationSubcategory=file-sharing PanOSApplicationTechnology=peer-to-peer PanOSCaptivePortal=false PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom=paloaltonetwork duser=xxxxx duid= PanOSInboundInterfaceDetailsPort=0 PanOSInboundInterfaceDetailsSlot=0 PanOSInboundInterfaceDetailsType=unknown PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=false PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted=false PanOSIsDecryptedLog=false PanOSIsDecryptedPayloadForward=false PanOSIsDuplicateLog=false PanOSIsEncrypted=false PanOSIsIPV6=false PanOSIsInspectionBeforeSession=true PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded=false PanOSIsSystemReturn=false PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=0 PanOSOutboundInterfaceDetailsPort=0 PanOSOutboundInterfaceDetailsSlot=0 PanOSOutboundInterfaceDetailsType=unknown PanOSOutboundInterfaceDetailsUnit=0 PanOSSDWANFECRatio=0.0 PanOSSanctionedStateOfApp=false PanOSSessionOwnerMidx=false PanOSSessionTracker=16 PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=xxxxx suser=xxxxx xxxxx suid= PanOSTunneledApplication=tunneled-app PanOSUsers=xxxxx\\xxxxx xxxxx PanOSVirtualSystemID=1 PanOSApplicationCategory=peer2peer PanOSConfigVersion=10.0 start=Feb 27 2021 20:16:17 src=xxx.xx.x.xx dst=xxx.xx.x.xx sourceTranslatedAddress=xxx.xx.x.xx destinationTranslatedAddress=xxx.xx.x.xx cs1=deny-attackers cs1Label=Rule suser0=xxxxx\\xxxxx xxxxx duser0=paloaltonetwork\\xxxxx app=fileguri cs3=vsys1 cs3Label=VirtualLocation cs4=untrust cs4Label=FromZone cs5=ethernet4Zone-test1 cs5Label=ToZone deviceInboundInterface=unknown deviceOutboundInterface=unknown cs6=rs-logging cs6Label=LogSetting cn1=25596 cn1Label=SessionID cnt=1 spt=22871 dpt=27092 sourceTranslatedPort=24429 destinationTranslatedPort=14744 proto=tcp act=deny PanOSBytes=1370294 out=400448 in=969846 cn2=314 cn2Label=PacketsTotal PanOSSessionStartTime=Feb 27 2021 20:15:48 cn3=56 cn3Label=SessionDuration cs2=custom-category cs2Label=URLCategory externalId=xxxxxxxxxxxxx PanOSSourceLocation=east-coast PanOSDestinationLocation=BR PanOSPacketsSent=194 PanOSPacketsReceived=120 reason=unknown PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx cat=unknown PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStarttime=Feb 27 2021 20:15:40 PanOSTunnel=GRE PanOSEndpointAssociationID=-3746994889972252628 PanOSChunksTotal=1945 PanOSChunksSent=323 PanOSChunksReceived=1622 PanOSRuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615 PanOSHTTP2Connection=469139 PanOSLinkChangeCount=0 PanOSSDWANPolicyName= PanOSLinkSwitches= PanOSSDWANCluster= PanOSSDWANDeviceType= PanOSSDWANClusterType= PanOSSDWANSite= PanOSDynamicUserGroupName=dynug-4 PanOSX-Forwarded-ForIP=xxx.xx.x.xx PanOSSourceDeviceCategory=N-Phone PanOSSourceDeviceProfile=n-profile PanOSSourceDeviceModel=Nexus PanOSSourceDeviceVendor=Google PanOSSourceDeviceOSFamily=LG-H790 PanOSSourceDeviceOSVersion=Android v6 PanOSSourceDeviceHost=pan-301 PanOSSourceDeviceMac=839147449905 PanOSDestinationDeviceCategory=N-Phone PanOSDestinationDeviceProfile=n-profile PanOSDestinationDeviceModel=Nexus PanOSDestinationDeviceVendor=Google PanOSDestinationDeviceOSFamily=H1511 PanOSDestinationDeviceOSVersion=Android v7 PanOSDestinationDeviceHost=pan-355 PanOSDestinationDeviceMac=530589561221 PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default PanOSContainerName=pan-dp-77754f4 PanOSSourceEDL= PanOSDestinationEDL= PanOSGPHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSSourceDynamicAddressGroup= aqua_dag PanOSDestinationDynamicAddressGroup= PanOSHASessionOwner=session_owner-4 PanOSTimeGeneratedHighResolution=Feb 27 2021 20:16:18 PanOSNSSAINetworkSliceType=0 PanOSNSSAINetworkSliceDifferentiator=1bca5
The following table identifies the Traffic field names that the Log Forwarding app uses when you forward logs using the CEF log format.
CEF Name
Field Details
act
Query Name:
action.​value
Header Type:
Predefined
Max Length:
63
cat
Header Type:
Predefined
Max Length:
1023
app
Query Name:
app
Header Type:
Predefined
Max Length:
31
PanOSApplicationCategory
Query Name:
app_category
Header Type:
Custom
PanOSApplicationSubcategory
Query Name:
app_sub_category
Header Type:
Custom
in
Query Name:
bytes_received
Header Type:
Predefined
out
Query Name:
bytes_sent
Header Type:
Predefined
PanOSBytes
Query Name:
bytes_total
Header Type:
Custom
PanOSChunksReceived
Query Name:
chunks_received
Header Type:
Custom
PanOSChunksSent
Query Name:
chunks_sent
Header Type:
Custom
PanOSChunksTotal
Query Name:
chunks_total
Header Type:
Custom
PanOSConfigVersion
Header Type:
Custom
PanOSContainerID
Query Name:
container_id
Header Type:
Custom
PanOSApplicationContainer
Query Name:
container_of_app
Header Type:
Custom
cnt
Query Name:
count_of_repeats
Header Type:
Predefined
PanOSCortexDataLakeTenantID
Query Name:
customer_id
Header Type:
Custom
PanOSDestinationDeviceCategory
Header Type:
Custom
PanOSDestinationDeviceClass
Query Name:
dest_device_class
Header Type:
Custom
PanOSDestinationDeviceHost
Query Name:
dest_device_host
Header Type:
Custom
PanOSDestinationDeviceMac
Query Name:
dest_device_mac
Header Type:
Custom
PanOSDestinationDeviceModel
Query Name:
dest_device_model
Header Type:
Custom
PanOSDestinationDeviceOS
Query Name:
dest_device_os
Header Type:
Custom
PanOSDestinationDeviceOSFamily
Header Type:
Custom
PanOSDestinationDeviceOSVersion
Header Type:
Custom
PanOSDestinationDeviceProfile
Header Type:
Custom
PanOSDestinationDeviceVendor
Query Name:
dest_device_vendor
Header Type:
Custom
PanOSDestinationDynamicAddressGroup
Header Type:
Custom
PanOSDestinationEDL
Query Name:
dest_edl
Header Type:
Custom
dst or c6a3
Query Name:
dest_ip.​value
Header Type:
Predefined
Label:
|| c6a3Label
Label Text:
|| Destination IPv6 Address
PanOSDestinationLocation
Query Name:
dest_location
Header Type:
Custom
dpt
Query Name:
dest_port
Header Type:
Predefined
duser
Query Name:
dest_user
Header Type:
Predefined
Max Length:
1023
dntdom
Header Type:
Predefined
Max Length:
255
duser
Header Type:
Predefined
Max Length:
255
duid
Header Type:
Predefined
Max Length:
255
PanOSDestinationUUID
Query Name:
dest_uuid
Header Type:
Custom
PanOSDGHierarchyLevel1
Query Name:
dg_hier_level_1
Header Type:
Custom
PanOSDGHierarchyLevel2
Query Name:
dg_hier_level_2
Header Type:
Custom
PanOSDGHierarchyLevel3
Query Name:
dg_hier_level_3
Header Type:
Custom
PanOSDGHierarchyLevel4
Query Name:
dg_hier_level_4
Header Type:
Custom
PanOSDynamicUserGroupName
Query Name:
dynusergroup_name
Header Type:
Custom
PanOSEndpointSerialNumber
Header Type:
Custom
PanOSEndpointAssociationID
Query Name:
ep_assoc_id
Header Type:
Custom
cs4
Query Name:
from_zone
Header Type:
Predefined
Label:
cs4Label
Label Text:
FromZone
Max Length:
4000
PanOSHASessionOwner
Query Name:
ha_session_owner
Header Type:
Custom
PanOSGPHostID
Query Name:
host_id
Header Type:
Custom
PanOSHTTP2Connection
Query Name:
http2_connection
Header Type:
Custom
deviceInboundInterface
Header Type:
Predefined
Max Length:
128
PanOSInboundInterfaceDetailsPort
Header Type:
Custom
PanOSInboundInterfaceDetailsSlot
Header Type:
Custom
PanOSInboundInterfaceDetailsType
Header Type:
Custom
PanOSInboundInterfaceDetailsUnit
Header Type:
Custom
PanOSCaptivePortal
Query Name:
is_captive_portal
Header Type:
Custom
PanOSIsClienttoServer
Header Type:
Custom
PanOSIsContainer
Query Name:
is_container
Header Type:
Custom
PanOSIsDecryptMirror
Query Name:
is_decrypt_mirror
Header Type:
Custom
PanOSIsDecrypted
Query Name:
is_decrypted
Header Type:
Custom
PanOSIsDecryptedPayloadForward
Header Type:
Custom
PanOSIsDecryptedLog
Query Name:
is_decryption_log
Header Type:
Custom
PanOSIsDuplicateLog
Query Name:
is_dup_log
Header Type:
Custom
PanOSIsEncrypted
Query Name:
is_encrypted
Header Type:
Custom
PanOSLogExported
Query Name:
is_exported
Header Type:
Custom
PanOSLogForwarded
Query Name:
is_forwarded
Header Type:
Custom
PanOSIsIPV6
Query Name:
is_ipv6
Header Type:
Custom
PanOSIsInspectionBeforeSession
Header Type:
Custom
PanOSIsMptcpOn
Query Name:
is_mptcp_on
Header Type:
Custom
PanOSNAT
Query Name:
is_nat
Header Type:
Custom
PanOSIsNonStandardDestinationPort
Header Type:
Custom
PanOSIsOffloaded
Query Name:
is_offloaded
Header Type:
Custom
PanOSIsPacketCapture
Query Name:
is_packet_capture
Header Type:
Custom
PanOSIsPhishing
Query Name:
is_phishing
Header Type:
Custom
PanOSIsPrismaNetwork
Query Name:
is_prisma_branch
Header Type:
Custom
PanOSIsPrismaUsers
Query Name:
is_prisma_mobile
Header Type:
Custom
PanOSIsProxy
Query Name:
is_proxy
Header Type:
Custom
PanOSIsReconExcluded
Query Name:
is_recon_excluded
Header Type:
Custom
PanOSIsSaaSApplication
Query Name:
is_saas_app
Header Type:
Custom
PanOSIsServertoClient
Header Type:
Custom
PanOSIsSourceXForwarded
Query Name:
is_source_x_fwded
Header Type:
Custom
PanOSIsSystemReturn
Query Name:
is_sym_return
Header Type:
Custom
PanOSIsTransaction
Query Name:
is_transaction
Header Type:
Custom
PanOSIsTunnelInspected
Header Type:
Custom
PanOSIsURLDenied
Query Name:
is_url_denied
Header Type:
Custom
PanOSLinkChangeCount
Query Name:
link_change_count
Header Type:
Custom
PanOSLinkSwitches
Query Name:
link_switches
Header Type:
Custom
PanOSLocation
Query Name:
location
Header Type:
Custom
cs6
Query Name:
log_set
Header Type:
Predefined
Label:
cs6Label
Label Text:
LogSetting
Max Length:
4000
PanOSLogSource
Query Name:
log_source
Header Type:
Custom
deviceExternalId
Query Name:
log_source_id
Header Type:
Predefined
Max Length:
255
dvchost
Query Name:
log_source_name
Header Type:
Predefined
Max Length:
100
PanOSLogSourceTimeZoneOffset
Header Type:
Custom
rt
Query Name:
log_time
Header Type:
Predefined
Device Event Class ID
Query Name:
log_type.​value
Header Type:
Custom
PanOSIMEI
Query Name:
monitor_tag_imei
Header Type:
Custom
destinationTranslatedAddress
Query Name:
nat_dest.​value
Header Type:
Predefined
destinationTranslatedPort
Query Name:
nat_dest_port
Header Type:
Predefined
sourceTranslatedAddress
Header Type:
Predefined
sourceTranslatedPort
Query Name:
nat_source_port
Header Type:
Predefined
PanOSNonStandardDestinationPort
Header Type:
Custom
PanOSNSSAINetworkSliceDifferentiator
Header Type:
Custom
PanOSNSSAINetworkSliceType
Header Type:
Custom
deviceOutboundInterface
Header Type:
Predefined
Max Length:
128
PanOSOutboundInterfaceDetailsPort
Header Type:
Custom
PanOSOutboundInterfaceDetailsSlot
Header Type:
Custom
PanOSOutboundInterfaceDetailsType
Header Type:
Custom
PanOSOutboundInterfaceDetailsUnit
Header Type:
Custom
PanOSPacketsReceived
Query Name:
packets_received
Header Type:
Custom
PanOSPacketsSent
Query Name:
packets_sent
Header Type:
Custom
cn2
Query Name:
packets_total
Header Type:
Predefined
Label:
cn2Label
Label Text:
PacketsTotal
PanOSParentSessionID
Query Name:
parent_session_id
Header Type:
Custom
PanOSParentStarttime
Query Name:
parent_start_time
Header Type:
Custom
PanOSContainerName
Query Name:
pod_name
Header Type:
Custom
PanOSContainerNameSpace
Query Name:
pod_namespace
Header Type:
Custom
PanOSSDWANPolicyName
Query Name:
policy_id
Header Type:
Custom
proto
Query Name:
protocol.​value
Header Type:
Predefined
Max Length:
31
PanOSApplicationRisk
Query Name:
risk_of_app
Header Type:
Custom
cs1
Query Name:
rule_matched
Header Type:
Predefined
Label:
cs1Label
Label Text:
Rule
Max Length:
4000
PanOSRuleUUID
Query Name:
rule_matched_uuid
Header Type:
Custom
PanOSSanctionedStateOfApp
Header Type:
Custom
PanOSSDWANFECRatio
Query Name:
sdwan_FEC_ratio
Header Type:
Custom
PanOSSDWANCluster
Query Name:
sdwan_cluster
Header Type:
Custom
PanOSSDWANClusterType
Query Name:
sdwan_cluster_type
Header Type:
Custom
PanOSSDWANDeviceType
Query Name:
sdwan_device_type
Header Type:
Custom
PanOSSDWANSite
Query Name:
sdwan_site
Header Type:
Custom
externalId
Query Name:
sequence_no
Header Type:
Predefined
Max Length:
40
PanOSSessionOwnerMidx
Query Name:
sess_owner_rt_midx
Header Type:
Custom
reason
Header Type:
Predefined
Max Length:
1023
cn1
Query Name:
session_id
Header Type:
Predefined
Label:
cn1Label
Label Text:
SessionID
PanOSSessionStartTime
Query Name:
session_start_time
Header Type:
Custom
PanOSSessionTracker
Query Name:
session_tracker
Header Type:
Custom
PanOSSourceDeviceCategory
Header Type:
Custom
PanOSSourceDeviceClass
Header Type:
Custom
PanOSSourceDeviceHost
Query Name:
source_device_host
Header Type:
Custom
PanOSSourceDeviceMac
Query Name:
source_device_mac
Header Type:
Custom
PanOSSourceDeviceModel
Header Type:
Custom
PanOSSourceDeviceOS
Query Name:
source_device_os
Header Type:
Custom
PanOSSourceDeviceOSFamily
Header Type:
Custom
PanOSSourceDeviceOSVersion
Header Type:
Custom
PanOSSourceDeviceProfile
Header Type:
Custom
PanOSSourceDeviceVendor
Header Type:
Custom
PanOSSourceDynamicAddressGroup
Header Type:
Custom
PanOSSourceEDL
Query Name:
source_edl
Header Type:
Custom
src or c6a2
Query Name:
source_ip.​value
Header Type:
Predefined
Label:
|| c6a2Label
Label Text:
|| Source IPv6 Address
PanOSSourceLocation
Query Name:
source_location
Header Type:
Custom
spt
Query Name:
source_port
Header Type:
Predefined
suser
Query Name:
source_user
Header Type:
Predefined
Max Length:
1023
sntdom
Header Type:
Predefined
Max Length:
1023
suser
Header Type:
Predefined
Max Length:
1023
suid
Header Type:
Predefined
Max Length:
1023
PanOSSourceUUID
Query Name:
source_uuid
Header Type:
Custom
Name
Query Name:
sub_type.​value
Header Type:
Custom
PanOSApplicationTechnology
Query Name:
technology_of_app
Header Type:
Custom
start
Query Name:
time_generated
Header Type:
Predefined
PanOSTimeGeneratedHighResolution
Header Type:
Custom
cs5
Query Name:
to_zone
Header Type:
Predefined
Label:
cs5Label
Label Text:
ToZone
Max Length:
4000
cn3
Query Name:
total_time_elapsed
Header Type:
Predefined
Label:
cn3Label
Label Text:
SessionDuration
PanOSTunnel
Query Name:
tunnel.​value
Header Type:
Custom
PanOSTunneledApplication
Query Name:
tunneled_app
Header Type:
Custom
PanOSIMSI
Query Name:
tunnelid_imsi
Header Type:
Custom
cs2
Header Type:
Predefined
Label:
cs2Label
Label Text:
URLCategory
Max Length:
4000
PanOSUsers
Query Name:
users
Header Type:
Custom
Device Vendor
Query Name:
vendor_name
Header Type:
Custom
cs3
Query Name:
vsys
Header Type:
Predefined
Label:
cs3Label
Label Text:
VirtualLocation
Max Length:
4000
PanOSVirtualSystemID
Query Name:
vsys_id
Header Type:
Custom
PanOSVirtualSystemName
Query Name:
vsys_name
Header Type:
Custom
PanOSX-Forwarded-ForIP
Query Name:
xff_ip.​value
Header Type:
Custom

Recommended For You