Traffic CEF Fields
Table of Contents
Traffic CEF Fields
Example Traffic log in CEF:
Mar 1 20:46:50 xxx.xx.x.xx 4581 <14>1 2021-03-01T20:46:50.869Z stream-logfwd20-587718190-03011242-xynu-harness-zpqg logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|TRAFFIC|end|3|ProfileToken=xxxxx dtz=UTC rt=Feb 27 2021 20:16:21 deviceExternalId=xxxxxxxxxxxxx PanOSApplicationContainer= PanOSApplicationRisk=5 PanOSApplicationSubcategory=file-sharing PanOSApplicationTechnology=peer-to-peer PanOSCaptivePortal=false PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom=paloaltonetwork duser=xxxxx duid= PanOSInboundInterfaceDetailsPort=0 PanOSInboundInterfaceDetailsSlot=0 PanOSInboundInterfaceDetailsType=unknown PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=false PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted=false PanOSIsDecryptedLog=false PanOSIsDecryptedPayloadForward=false PanOSIsDuplicateLog=false PanOSIsEncrypted=false PanOSIsIPV6=false PanOSIsInspectionBeforeSession=true PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded=false PanOSIsSystemReturn=false PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=0 PanOSOutboundInterfaceDetailsPort=0 PanOSOutboundInterfaceDetailsSlot=0 PanOSOutboundInterfaceDetailsType=unknown PanOSOutboundInterfaceDetailsUnit=0 PanOSSDWANFECRatio=0.0 PanOSSanctionedStateOfApp=false PanOSSessionOwnerMidx=false PanOSSessionTracker=16 PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=xxxxx suser=xxxxx xxxxx suid= PanOSTunneledApplication=tunneled-app PanOSUsers=xxxxx\\xxxxx xxxxx PanOSVirtualSystemID=1 PanOSApplicationCategory=peer2peer PanOSConfigVersion=10.0 start=Feb 27 2021 20:16:17 src=xxx.xx.x.xx dst=xxx.xx.x.xx sourceTranslatedAddress=xxx.xx.x.xx destinationTranslatedAddress=xxx.xx.x.xx cs1=deny-attackers cs1Label=Rule suser0=xxxxx\\xxxxx xxxxx duser0=paloaltonetwork\\xxxxx app=fileguri cs3=vsys1 cs3Label=VirtualLocation cs4=untrust cs4Label=FromZone cs5=ethernet4Zone-test1 cs5Label=ToZone deviceInboundInterface=unknown deviceOutboundInterface=unknown cs6=rs-logging cs6Label=LogSetting cn1=25596 cn1Label=SessionID cnt=1 spt=22871 dpt=27092 sourceTranslatedPort=24429 destinationTranslatedPort=14744 proto=tcp act=deny PanOSBytes=1370294 out=400448 in=969846 cn2=314 cn2Label=PacketsTotal PanOSSessionStartTime=Feb 27 2021 20:15:48 cn3=56 cn3Label=SessionDuration cs2=custom-category cs2Label=URLCategory externalId=xxxxxxxxxxxxx PanOSSourceLocation=east-coast PanOSDestinationLocation=BR PanOSPacketsSent=194 PanOSPacketsReceived=120 reason=unknown PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx cat=unknown PanOSSourceUUID= PanOSDestinationUUID= PanOSIMSI=0 PanOSIMEI= PanOSParentSessionID=0 PanOSParentStarttime=Feb 27 2021 20:15:40 PanOSTunnel=GRE PanOSEndpointAssociationID=-3746994889972252628 PanOSChunksTotal=1945 PanOSChunksSent=323 PanOSChunksReceived=1622 PanOSRuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615 PanOSHTTP2Connection=469139 PanOSLinkChangeCount=0 PanOSSDWANPolicyName= PanOSLinkSwitches= PanOSSDWANCluster= PanOSSDWANDeviceType= PanOSSDWANClusterType= PanOSSDWANSite= PanOSDynamicUserGroupName=dynug-4 PanOSX-Forwarded-ForIP=xxx.xx.x.xx PanOSSourceDeviceCategory=N-Phone PanOSSourceDeviceProfile=n-profile PanOSSourceDeviceModel=Nexus PanOSSourceDeviceVendor=Google PanOSSourceDeviceOSFamily=LG-H790 PanOSSourceDeviceOSVersion=Android v6 PanOSSourceDeviceHost=pan-301 PanOSSourceDeviceMac=839147449905 PanOSDestinationDeviceCategory=N-Phone PanOSDestinationDeviceProfile=n-profile PanOSDestinationDeviceModel=Nexus PanOSDestinationDeviceVendor=Google PanOSDestinationDeviceOSFamily=H1511 PanOSDestinationDeviceOSVersion=Android v7 PanOSDestinationDeviceHost=pan-355 PanOSDestinationDeviceMac=530589561221 PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default PanOSContainerName=pan-dp-77754f4 PanOSSourceEDL= PanOSDestinationEDL= PanOSGPHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSSourceDynamicAddressGroup= aqua_dag PanOSDestinationDynamicAddressGroup= PanOSHASessionOwner=session_owner-4 PanOSTimeGeneratedHighResolution=Feb 27 2021 20:16:18 PanOSNSSAINetworkSliceType=0 PanOSNSSAINetworkSliceDifferentiator=1bca5
The following table identifies the Traffic field names that the Log Forwarding app
uses when you forward logs using the CEF log format.
CEF Name
|
Field Details
|
|---|---|
act
| |
cat
| |
app
| |
PanOSApplicationCategory
| Query Name: app_categoryHeader Type: Custom |
PanOSApplicationSubcategory
| Query Name: app_sub_categoryHeader Type: Custom |
in
| Query Name: bytes_receivedHeader Type: Predefined |
out
| Query Name: bytes_sentHeader Type: Predefined |
PanOSBytes
| Query Name: bytes_totalHeader Type: Custom |
PanOSChunksReceived
| Query Name: chunks_receivedHeader Type: Custom |
PanOSChunksSent
| Query Name: chunks_sentHeader Type: Custom |
PanOSChunksTotal
| Query Name: chunks_totalHeader Type: Custom |
PanOSConfigVersion
| Query Name: config_version.valueHeader Type: Custom |
PanOSContainerID
| Query Name: container_idHeader Type: Custom |
PanOSApplicationContainer
| Query Name: container_of_appHeader Type: Custom |
cnt
| Query Name: count_of_repeatsHeader Type: Predefined |
PanOSCortexDataLakeTenantID
| Query Name: customer_idHeader Type: Custom |
PanOSDestinationDeviceCategory
| Query Name: dest_device_categoryHeader Type: Custom |
PanOSDestinationDeviceClass
| Query Name: dest_device_classHeader Type: Custom |
PanOSDestinationDeviceHost
| Query Name: dest_device_hostHeader Type: Custom |
PanOSDestinationDeviceMac
| Query Name: dest_device_macHeader Type: Custom |
PanOSDestinationDeviceModel
| Query Name: dest_device_modelHeader Type: Custom |
PanOSDestinationDeviceOS
| Query Name: dest_device_osHeader Type: Custom |
PanOSDestinationDeviceOSFamily
| Query Name: dest_device_osfamilyHeader Type: Custom |
PanOSDestinationDeviceOSVersion
| Query Name: dest_device_osversionHeader Type: Custom |
PanOSDestinationDeviceProfile
| Query Name: dest_device_profileHeader Type: Custom |
PanOSDestinationDeviceVendor
| Query Name: dest_device_vendorHeader Type: Custom |
PanOSDestinationDynamicAddressGroup
| Query Name: dest_dynamic_address_groupHeader Type: Custom |
PanOSDestinationEDL
| Query Name: dest_edlHeader Type: Custom |
dst or c6a3
| Query Name: dest_ip.valueHeader Type: PredefinedLabel: || c6a3LabelLabel Text: || Destination IPv6 Address |
PanOSDestinationLocation
| Query Name: dest_locationHeader Type: Custom |
dpt
| Query Name: dest_portHeader Type: Predefined |
duser
| |
dntdom
| |
duser
| |
duid
| |
PanOSDestinationUUID
| Query Name: dest_uuidHeader Type: Custom |
PanOSDGHierarchyLevel1
| Query Name: dg_hier_level_1Header Type: Custom |
PanOSDGHierarchyLevel2
| Query Name: dg_hier_level_2Header Type: Custom |
PanOSDGHierarchyLevel3
| Query Name: dg_hier_level_3Header Type: Custom |
PanOSDGHierarchyLevel4
| Query Name: dg_hier_level_4Header Type: Custom |
PanOSDynamicUserGroupName
| Query Name: dynusergroup_nameHeader Type: Custom |
PanOSEndpointSerialNumber
| Query Name: endpoint_serial_numberHeader Type: Custom |
PanOSEndpointAssociationID
| Query Name: ep_assoc_idHeader Type: Custom |
FlowType
| Query Name: flow_type.valueHeader Type: Custom |
cs4
| |
PanOSHASessionOwner
| Query Name: ha_session_ownerHeader Type: Custom |
PanOSGPHostID
| Query Name: host_idHeader Type: Custom |
PanOSHTTP2Connection
| Query Name: http2_connectionHeader Type: Custom |
deviceInboundInterface
| |
PanOSInboundInterfaceDetailsPort
| Query Name: inbound_if_details.portHeader Type: Custom |
PanOSInboundInterfaceDetailsSlot
| Query Name: inbound_if_details.slotHeader Type: Custom |
PanOSInboundInterfaceDetailsType
| Query Name: inbound_if_details.type.valueHeader Type: Custom |
PanOSInboundInterfaceDetailsUnit
| Query Name: inbound_if_details.unitHeader Type: Custom |
PanOSCaptivePortal
| Query Name: is_captive_portalHeader Type: Custom |
PanOSIsClienttoServer
| Query Name: is_client_to_serverHeader Type: Custom |
PanOSIsContainer
| Query Name: is_containerHeader Type: Custom |
PanOSIsDecryptMirror
| Query Name: is_decrypt_mirrorHeader Type: Custom |
PanOSIsDecrypted
| Query Name: is_decryptedHeader Type: Custom |
PanOSIsDecryptedPayloadForward
| Query Name: is_decrypted_payload_fwdedHeader Type: Custom |
PanOSIsDecryptedLog
| Query Name: is_decryption_logHeader Type: Custom |
PanOSIsDuplicateLog
| Query Name: is_dup_logHeader Type: Custom |
PanOSIsEncrypted
| Query Name: is_encryptedHeader Type: Custom |
PanOSLogExported
| Query Name: is_exportedHeader Type: Custom |
PanOSLogForwarded
| Query Name: is_forwardedHeader Type: Custom |
PanOSIsIPV6
| Query Name: is_ipv6Header Type: Custom |
PanOSIsInspectionBeforeSession
| Query Name: is_l7_inspection_b4_sessionHeader Type: Custom |
PanOSIsMptcpOn
| Query Name: is_mptcp_onHeader Type: Custom |
PanOSNAT
| Query Name: is_natHeader Type: Custom |
PanOSIsNonStandardDestinationPort
| Query Name: is_non_std_dest_portHeader Type: Custom |
PanOSIsOffloaded
| Query Name: is_offloadedHeader Type: Custom |
PanOSIsPacketCapture
| Query Name: is_packet_captureHeader Type: Custom |
PanOSIsPhishing
| Query Name: is_phishingHeader Type: Custom |
PanOSIsPrismaNetwork
| Query Name: is_prisma_branchHeader Type: Custom |
PanOSIsPrismaUsers
| Query Name: is_prisma_mobileHeader Type: Custom |
PanOSIsProxy
| Query Name: is_proxyHeader Type: Custom |
PanOSIsReconExcluded
| Query Name: is_recon_excludedHeader Type: Custom |
PanOSIsSaaSApplication
| Query Name: is_saas_appHeader Type: Custom |
PanOSIsServertoClient
| Query Name: is_server_to_clientHeader Type: Custom |
PanOSIsSourceXForwarded
| Query Name: is_source_x_fwdedHeader Type: Custom |
PanOSIsSystemReturn
| Query Name: is_sym_returnHeader Type: Custom |
PanOSIsTransaction
| Query Name: is_transactionHeader Type: Custom |
PanOSIsTunnelInspected
| Query Name: is_tunnel_inspectedHeader Type: Custom |
PanOSIsURLDenied
| Query Name: is_url_deniedHeader Type: Custom |
PanOSLinkChangeCount
| Query Name: link_change_countHeader Type: Custom |
PanOSLinkSwitches
| Query Name: link_switchesHeader Type: Custom |
PanOSLocation
| Query Name: locationHeader Type: Custom |
cs6
| |
PanOSLogSource
| Query Name: log_sourceHeader Type: Custom |
LogSourceGroupID
| |
deviceExternalId
| |
dvchost
| |
PanOSLogSourceTimeZoneOffset
| Query Name: log_source_tz_offsetHeader Type: Custom |
rt
| Query Name: log_timeHeader Type: Predefined |
Device Event Class ID
| Query Name: log_type.valueHeader Type: Custom |
PanOSIMEI
| Query Name: monitor_tag_imeiHeader Type: Custom |
destinationTranslatedAddress
| Query Name: nat_dest.valueHeader Type: Predefined |
destinationTranslatedPort
| Query Name: nat_dest_portHeader Type: Predefined |
sourceTranslatedAddress
| Query Name: nat_source.valueHeader Type: Predefined |
sourceTranslatedPort
| Query Name: nat_source_portHeader Type: Predefined |
PanOSNonStandardDestinationPort
| Query Name: non_standard_dest_portHeader Type: Custom |
PanOSNSSAINetworkSliceDifferentiator
| Query Name: nssai_network_slice_differentiator.valueHeader Type: Custom |
PanOSNSSAINetworkSliceType
| Query Name: nssai_network_slice_type.valueHeader Type: Custom |
deviceOutboundInterface
| |
PanOSOutboundInterfaceDetailsPort
| Query Name: outbound_if_details.portHeader Type: Custom |
PanOSOutboundInterfaceDetailsSlot
| Query Name: outbound_if_details.slotHeader Type: Custom |
PanOSOutboundInterfaceDetailsType
| Query Name: outbound_if_details.type.valueHeader Type: Custom |
PanOSOutboundInterfaceDetailsUnit
| Query Name: outbound_if_details.unitHeader Type: Custom |
PanOSPacketsReceived
| Query Name: packets_receivedHeader Type: Custom |
PanOSPacketsSent
| Query Name: packets_sentHeader Type: Custom |
cn2
| |
PanOSPanoramaSN
| Query Name: panorama_serialHeader Type: Custom |
PanOSParentSessionID
| Query Name: parent_session_idHeader Type: Custom |
PanOSParentStarttime
| Query Name: parent_start_timeHeader Type: Custom |
PlatformType
| Query Name: platform_typeHeader Type: Custom |
PanOSContainerName
| Query Name: pod_nameHeader Type: Custom |
PanOSContainerNameSpace
| Query Name: pod_namespaceHeader Type: Custom |
PanOSSDWANPolicyName
| Query Name: policy_idHeader Type: Custom |
proto
| |
PanOSApplicationRisk
| Query Name: risk_of_appHeader Type: Custom |
cs1
| |
PanOSRuleUUID
| Query Name: rule_matched_uuidHeader Type: Custom |
PanOSSanctionedStateOfApp
| Query Name: sanctioned_state_of_appHeader Type: Custom |
PanOSSDWANFECRatio
| Query Name: sdwan_FEC_ratioHeader Type: Custom |
PanOSSDWANCluster
| Query Name: sdwan_clusterHeader Type: Custom |
PanOSSDWANClusterType
| Query Name: sdwan_cluster_typeHeader Type: Custom |
PanOSSDWANDeviceType
| Query Name: sdwan_device_typeHeader Type: Custom |
PanOSSDWANSite
| Query Name: sdwan_siteHeader Type: Custom |
externalId
| |
PanOSSessionOwnerMidx
| Query Name: sess_owner_rt_midxHeader Type: Custom |
reason
| |
cn1
| |
PanOSSessionStartTime
| Query Name: session_start_timeHeader Type: Custom |
PanOSSessionTracker
| Query Name: session_trackerHeader Type: Custom |
PanOSSourceDeviceCategory
| Query Name: source_device_categoryHeader Type: Custom |
PanOSSourceDeviceClass
| Query Name: source_device_classHeader Type: Custom |
PanOSSourceDeviceHost
| Query Name: source_device_hostHeader Type: Custom |
PanOSSourceDeviceMac
| Query Name: source_device_macHeader Type: Custom |
PanOSSourceDeviceModel
| Query Name: source_device_modelHeader Type: Custom |
PanOSSourceDeviceOS
| Query Name: source_device_osHeader Type: Custom |
PanOSSourceDeviceOSFamily
| Query Name: source_device_osfamilyHeader Type: Custom |
PanOSSourceDeviceOSVersion
| Query Name: source_device_osversionHeader Type: Custom |
PanOSSourceDeviceProfile
| Query Name: source_device_profileHeader Type: Custom |
PanOSSourceDeviceVendor
| Query Name: source_device_vendorHeader Type: Custom |
PanOSSourceDynamicAddressGroup
| Query Name: source_dynamic_address_groupHeader Type: Custom |
PanOSSourceEDL
| Query Name: source_edlHeader Type: Custom |
src or c6a2
| Query Name: source_ip.valueHeader Type: PredefinedLabel: || c6a2LabelLabel Text: || Source IPv6 Address |
PanOSSourceLocation
| Query Name: source_locationHeader Type: Custom |
spt
| Query Name: source_portHeader Type: Predefined |
suser
| |
sntdom
| |
suser
| |
suid
| |
PanOSSourceUUID
| Query Name: source_uuidHeader Type: Custom |
Name
| Query Name: sub_type.valueHeader Type: Custom |
PanOSApplicationTechnology
| Query Name: technology_of_appHeader Type: Custom |
start
| Query Name: time_generatedHeader Type: Predefined |
PanOSTimeGeneratedHighResolution
| Query Name: time_generated_high_resHeader Type: Custom |
cs5
| |
cn3
| |
PanOSTunnel
| Query Name: tunnel.valueHeader Type: Custom |
PanOSTunneledApplication
| Query Name: tunneled_appHeader Type: Custom |
PanOSIMSI
| Query Name: tunnelid_imsiHeader Type: Custom |
cs2
| Query Name: url_category.valueHeader Type: PredefinedLabel: cs2LabelLabel Text: URLCategoryMax Length: 4000 |
PanOSUsers
| Query Name: usersHeader Type: Custom |
Device Vendor
| Query Name: vendor_nameHeader Type: Custom |
cs3
| Query Name: vsysHeader Type: PredefinedLabel: cs3LabelLabel Text: VirtualLocationMax Length: 4000 |
PanOSVirtualSystemID
| Query Name: vsys_idHeader Type: Custom |
PanOSVirtualSystemName
| Query Name: vsys_nameHeader Type: Custom |
PanOSX-Forwarded-ForIP
| Query Name: xff_ip.valueHeader Type: Custom |