URL CEF Fields
Table of Contents
URL CEF Fields
Example URL log in CEF:
Mar 1 20:48:23 xxx.xx.x.xx 4377 <14>1 2021-03-01T20:48:23.048Z stream-logfwd20-587718190-03011242-xynu-harness-zpqg logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|THREAT|url|1|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:48:21 deviceExternalId=xxxxxxxxxxxxx PanOSApplicationCategory=database PanOSApplicationContainer= PanOSApplicationRisk=2 PanOSApplicationSubcategory=database PanOSApplicationTechnology=client-server PanOSCaptivePortal=false PanOSCloudHostname=xxxxx PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom=xxxxx duser=xxxxx o"'"test duid= PanOSHTTPRefererFQDN= PanOSHTTPRefererPort= PanOSHTTPRefererProtocol= PanOSHTTPRefererURLPath= PanOSInboundInterfaceDetailsPort=0 PanOSInboundInterfaceDetailsSlot=0 PanOSInboundInterfaceDetailsType=unknown PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=true PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted=false PanOSIsDuplicateLog=false PanOSIsEncrypted=false PanOSIsIPV6=false PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded=true PanOSIsSystemReturn=true PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=32350 PanOSOutboundInterfaceDetailsPort=2 PanOSOutboundInterfaceDetailsSlot=1 PanOSOutboundInterfaceDetailsType=ethernet PanOSOutboundInterfaceDetailsUnit=0 PanOSPacket= PanOSSanctionedStateofApp=false PanOSSeverity=Informational PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=xxxxx suser=xxxxx xxxxx suid= PanOSTunneledApplication=untunneled PanOSURLDomain=?% PanOSUsers=xxxxx\\xxxxx xxxxx PanOSVirtualSystemID=1 PanOSConfigVersion=10.0 start=Mar 01 2021 20:48:16 src=xxx.xx.x.xx dst=xxx.xx.x.xx sourceTranslatedAddress=xxx.xx.x.xx destinationTranslatedAddress=xxx.xx.x.xx cs1=allow-business-apps cs1Label=Rule suser0=xxxxx\\xxxxx xxxxx duser0=xxxxx\\xxxxx o"'"test app=maxdb cs3=vsys1 cs3Label=VirtualLocation cs4=ethernet4Zone-test4 cs4Label=FromZone cs5=untrust cs5Label=ToZone deviceInboundInterface=unknown deviceOutboundInterface=ethernet1/2 cs6=rs-logging cs6Label=LogSetting cn1=980296 cn1Label=SessionID cnt=1 spt=32350 dpt=1532 sourceTranslatedPort=26236 destinationTranslatedPort=12016 proto=tcp act=block-url request=?% cs2=sports cs2Label=URLCategory flexString2=server to client flexString2Label=DirectionOfAttack externalId=xxxxxxxxxxxxx PanOSSourceLocation=west-coast PanOSDestinationLocation=PK requestContext=application/jpeg fileId=0 PanOSURLCounter=1 requestClientApplication= PanOSX-Forwarded-For= PanOSReferer= PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSSourceUUID= PanOSDestinationUUID= requestMethod=post PanOSIMSI=1 PanOSIMEI=Navy Base PanOSParentSessionID=8802 PanOSParentStarttime=Mar 01 2021 20:48:10 PanOSTunnel=VXLAN PanOSInlineMLVerdict=overflow PanOSContentVersion=50222 PanOSSigFlags=2 PanOSHTTPHeaders= PanOSURLCategoryList=sports,11008,38340 PanOSRuleUUID=ec14df0b-c845-4435-87a2-d207730f5ae8 PanOSHTTP2Connection=8802 PanOSDynamicUserGroupName= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory=L-Phone PanOSSourceDeviceProfile=l-profile PanOSSourceDeviceModel=Note 4G PanOSSourceDeviceVendor=Lenovo PanOSSourceDeviceOSFamily=K6 PanOSSourceDeviceOSVersion=Android v9 PanOSSourceDeviceHost=pan-505 PanOSSourceDeviceMac=596703749274 PanOSDestinationDeviceCategory=L-Phone PanOSDestinationDeviceProfile=l-profile PanOSDestinationDeviceModel=Note XT PanOSDestinationDeviceVendor=Lenovo PanOSDestinationDeviceOSFamily=K8 PanOSDestinationDeviceOSVersion=Android v8 PanOSDestinationDeviceHost=pan-506 PanOSDestinationDeviceMac=150083646537 PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default PanOSContainerName=pan-dp-77754f4 PanOSSourceEDL= PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSSourceDynamicAddressGroup= blue_dag PanOSDestinationDynamicAddressGroup= PanOSTimeGeneratedHighResolution=Mar 01 2021 20:48:16 PanOSNSSAINetworkSliceType=b5
The following table identifies the URL field names that the Log Forwarding app
uses when you forward logs using the CEF log format.
CEF Name
|
Field Details
|
|---|---|
act
| |
app
| |
PanOSApplicationCategory
| Query Name: app_categoryHeader Type: Custom |
PanOSApplicationSubcategory
| Query Name: app_sub_categoryHeader Type: Custom |
PanOSCloudHostname
| Query Name: cloud_hostnameHeader Type: Custom |
PanOSCloudReportID
| Query Name: cloud_reportidHeader Type: Custom |
PanOSConfigVersion
| Query Name: config_version.valueHeader Type: Custom |
PanOSContainerID
| Query Name: container_idHeader Type: Custom |
PanOSApplicationContainer
| Query Name: container_of_appHeader Type: Custom |
requestContext
| |
PanOSContentVersion
| Query Name: content_versionHeader Type: Custom |
cnt
| Query Name: count_of_repeatsHeader Type: Predefined |
PanOSCortexDataLakeTenantID
| Query Name: customer_idHeader Type: Custom |
PanOSDestinationDeviceCategory
| Query Name: dest_device_categoryHeader Type: Custom |
PanOSDestinationDeviceClass
| Query Name: dest_device_classHeader Type: Custom |
PanOSDestinationDeviceHost
| Query Name: dest_device_hostHeader Type: Custom |
PanOSDestinationDeviceMac
| Query Name: dest_device_macHeader Type: Custom |
PanOSDestinationDeviceModel
| Query Name: dest_device_modelHeader Type: Custom |
PanOSDestinationDeviceOS
| Query Name: dest_device_osHeader Type: Custom |
PanOSDestinationDeviceOSFamily
| Query Name: dest_device_osfamilyHeader Type: Custom |
PanOSDestinationDeviceOSVersion
| Query Name: dest_device_osversionHeader Type: Custom |
PanOSDestinationDeviceProfile
| Query Name: dest_device_profileHeader Type: Custom |
PanOSDestinationDeviceVendor
| Query Name: dest_device_vendorHeader Type: Custom |
PanOSDestinationDynamicAddressGroup
| Query Name: dest_dynamic_address_groupHeader Type: Custom |
PanOSDestinationEDL
| Query Name: dest_edlHeader Type: Custom |
dst or c6a3
| Query Name: dest_ip.valueHeader Type: PredefinedLabel: || c6a3LabelLabel Text: || Destination IPv6 Address |
PanOSDestinationLocation
| Query Name: dest_locationHeader Type: Custom |
dpt
| Query Name: dest_portHeader Type: Predefined |
duser
| |
dntdom
| |
duser
| |
duid
| |
PanOSDestinationUUID
| Query Name: dest_uuidHeader Type: Custom |
PanOSDGHierarchyLevel1
| Query Name: dg_hier_level_1Header Type: Custom |
PanOSDGHierarchyLevel2
| Query Name: dg_hier_level_2Header Type: Custom |
PanOSDGHierarchyLevel3
| Query Name: dg_hier_level_3Header Type: Custom |
PanOSDGHierarchyLevel4
| Query Name: dg_hier_level_4Header Type: Custom |
flexString2
| Query Name: direction_of_attack.valueHeader Type: PredefinedLabel: flexString2LabelLabel Text: DirectionOfAttackMax Length: 1023 |
PanOSDynamicUserGroupName
| Query Name: dynusergroup_nameHeader Type: Custom |
PanOSEndpointSerialNumber
| Query Name: endpoint_serial_numberHeader Type: Custom |
PanOSFileURL
| Query Name: file_urlHeader Type: Custom |
FlowType
| Query Name: flow_type.valueHeader Type: Custom |
cs4
| |
PanOSHostID
| Query Name: gp_host_idHeader Type: Custom |
PanOSHTTP2Connection
| Query Name: http2_connectionHeader Type: Custom |
PanOSHTTPHeaders
| Query Name: http_headersHeader Type: Custom |
requestMethod
| |
deviceInboundInterface
| |
PanOSInboundInterfaceDetailsPort
| Query Name: inbound_if_details.portHeader Type: Custom |
PanOSInboundInterfaceDetailsSlot
| Query Name: inbound_if_details.slotHeader Type: Custom |
PanOSInboundInterfaceDetailsType
| Query Name: inbound_if_details.type.valueHeader Type: Custom |
PanOSInboundInterfaceDetailsUnit
| Query Name: inbound_if_details.unitHeader Type: Custom |
PanOSInlineMLVerdict
| Query Name: inline_ml_verdict.valueHeader Type: Custom |
PanOSCaptivePortal
| Query Name: is_captive_portalHeader Type: Custom |
PanOSIsClienttoServer
| Query Name: is_client_to_serverHeader Type: Custom |
PanOSIsContainer
| Query Name: is_containerHeader Type: Custom |
PanOSIsDecryptMirror
| Query Name: is_decrypt_mirrorHeader Type: Custom |
PanOSIsDecrypted
| Query Name: is_decryptedHeader Type: Custom |
PanOSIsDuplicateLog
| Query Name: is_dup_logHeader Type: Custom |
PanOSIsEncrypted
| Query Name: is_encryptedHeader Type: Custom |
PanOSLogExported
| Query Name: is_exportedHeader Type: Custom |
PanOSLogForwarded
| Query Name: is_forwardedHeader Type: Custom |
PanOSIsIPV6
| Query Name: is_ipv6Header Type: Custom |
PanOSIsMptcpOn
| Query Name: is_mptcp_onHeader Type: Custom |
PanOSNAT
| Query Name: is_natHeader Type: Custom |
PanOSIsNonStandardDestinationPort
| Query Name: is_non_std_dest_portHeader Type: Custom |
PanOSIsPacketCapture
| Query Name: is_packet_captureHeader Type: Custom |
PanOSIsPhishing
| Query Name: is_phishingHeader Type: Custom |
PanOSIsPrismaNetwork
| Query Name: is_prisma_branchHeader Type: Custom |
PanOSIsPrismaUsers
| Query Name: is_prisma_mobileHeader Type: Custom |
PanOSIsProxy
| Query Name: is_proxyHeader Type: Custom |
PanOSIsReconExcluded
| Query Name: is_recon_excludedHeader Type: Custom |
PanOSIsSaaSApplication
| Query Name: is_saas_appHeader Type: Custom |
PanOSIsServertoClient
| Query Name: is_server_to_clientHeader Type: Custom |
PanOSIsSourceXForwarded
| Query Name: is_source_x_fwdedHeader Type: Custom |
PanOSIsSystemReturn
| Query Name: is_sym_returnHeader Type: Custom |
PanOSIsTransaction
| Query Name: is_transactionHeader Type: Custom |
PanOSIsTunnelInspected
| Query Name: is_tunnel_inspectedHeader Type: Custom |
PanOSIsURLDenied
| Query Name: is_url_deniedHeader Type: Custom |
PanOSLocation
| Query Name: locationHeader Type: Custom |
cs6
| |
PanOSLogSource
| Query Name: log_sourceHeader Type: Custom |
LogSourceGroupID
| Query Name: log_source_group_idHeader Type: Custom |
deviceExternalId
| |
dvchost
| |
PanOSLogSourceTimeZoneOffset
| Query Name: log_source_tz_offsetHeader Type: Custom |
rt
| Query Name: log_timeHeader Type: Predefined |
Device Event Class ID
| Query Name: log_type.valueHeader Type: Custom |
PanOSIMEI
| Query Name: monitor_tag_imeiHeader Type: Custom |
destinationTranslatedAddress
| Query Name: nat_dest.valueHeader Type: Predefined |
destinationTranslatedPort
| Query Name: nat_dest_portHeader Type: Predefined |
sourceTranslatedAddress
| Query Name: nat_source.valueHeader Type: Predefined |
sourceTranslatedPort
| Query Name: nat_source_portHeader Type: Predefined |
PanOSNonStandardDestinationPort
| Query Name: non_standard_dest_portHeader Type: Custom |
PanOSNSSAINetworkSliceType
| Query Name: nssai_network_slice_type.valueHeader Type: Custom |
deviceOutboundInterface
| |
PanOSOutboundInterfaceDetailsPort
| Query Name: outbound_if_details.portHeader Type: Custom |
PanOSOutboundInterfaceDetailsSlot
| Query Name: outbound_if_details.slotHeader Type: Custom |
PanOSOutboundInterfaceDetailsType
| Query Name: outbound_if_details.type.valueHeader Type: Custom |
PanOSOutboundInterfaceDetailsUnit
| Query Name: outbound_if_details.unitHeader Type: Custom |
PanOSPanoramaSN
| Query Name: panorama_serialHeader Type: Custom |
PanOSParentSessionID
| Query Name: parent_session_idHeader Type: Custom |
PanOSParentStarttime
| Query Name: parent_start_timeHeader Type: Custom |
PanOSPacket
| Query Name: pcapHeader Type: Custom |
fileId
| |
PanOSContainerName
| Query Name: pod_nameHeader Type: Custom |
PanOSContainerNameSpace
| Query Name: pod_namespaceHeader Type: Custom |
proto
| |
PanOSReferer
| Query Name: refererHeader Type: Custom |
PanOSHTTPRefererFQDN
| Query Name: referer_fqdnHeader Type: Custom |
PanOSHTTPRefererPort
| Query Name: referer_portHeader Type: Custom |
PanOSHTTPRefererProtocol
| Query Name: referer_protocol.valueHeader Type: Custom |
PanOSHTTPRefererURLPath
| Query Name: referer_url_pathHeader Type: Custom |
PanOSApplicationRisk
| Query Name: risk_of_appHeader Type: Custom |
cs1
| |
PanOSRuleUUID
| Query Name: rule_matched_uuidHeader Type: Custom |
PanOSSanctionedStateofApp
| Query Name: sanctioned_state_of_appHeader Type: Custom |
externalId
| |
cn1
| |
PanOSSeverity
| Query Name: severityHeader Type: Custom |
PanOSSigFlags
| Query Name: sig_flagsHeader Type: Custom |
PanOSSourceDeviceCategory
| Query Name: source_device_categoryHeader Type: Custom |
PanOSSourceDeviceClass
| Query Name: source_device_classHeader Type: Custom |
PanOSSourceDeviceHost
| Query Name: source_device_hostHeader Type: Custom |
PanOSSourceDeviceMac
| Query Name: source_device_macHeader Type: Custom |
PanOSSourceDeviceModel
| Query Name: source_device_modelHeader Type: Custom |
PanOSSourceDeviceOS
| Query Name: source_device_osHeader Type: Custom |
PanOSSourceDeviceOSFamily
| Query Name: source_device_osfamilyHeader Type: Custom |
PanOSSourceDeviceOSVersion
| Query Name: source_device_osversionHeader Type: Custom |
PanOSSourceDeviceProfile
| Query Name: source_device_profileHeader Type: Custom |
PanOSSourceDeviceVendor
| Query Name: source_device_vendorHeader Type: Custom |
PanOSSourceDynamicAddressGroup
| Query Name: source_dynamic_address_groupHeader Type: Custom |
PanOSSourceEDL
| Query Name: source_edlHeader Type: Custom |
src or c6a2
| Query Name: source_ip.valueHeader Type: PredefinedLabel: || c6a2LabelLabel Text: || Source IPv6 Address |
PanOSSourceLocation
| Query Name: source_locationHeader Type: Custom |
spt
| Query Name: source_portHeader Type: Predefined |
suser
| |
sntdom
| |
suser
| |
suid
| |
PanOSSourceUUID
| Query Name: source_uuidHeader Type: Custom |
Name
| Query Name: sub_type.valueHeader Type: Custom |
PanOSApplicationTechnology
| Query Name: technology_of_appHeader Type: Custom |
start
| Query Name: time_generatedHeader Type: Predefined |
PanOSTimeGeneratedHighResolution
| Query Name: time_generated_high_resHeader Type: Custom |
cs5
| |
PanOSTunnel
| Query Name: tunnel.valueHeader Type: Custom |
PanOSTunneledApplication
| Query Name: tunneled_appHeader Type: Custom |
PanOSIMSI
| Query Name: tunnelid_imsiHeader Type: Custom |
request
| |
cs2
| Query Name: url_category.valueHeader Type: PredefinedLabel: cs2LabelLabel Text: URLCategoryMax Length: 4000 |
PanOSURLCategoryList
| Query Name: url_category_listHeader Type: Custom |
PanOSURLDomain
| Query Name: url_domainHeader Type: Custom |
PanOSURLCounter
| Query Name: url_idxHeader Type: Custom |
requestClientApplication
| |
PanOSUsers
| Query Name: usersHeader Type: Custom |
Device Vendor
| Query Name: vendor_nameHeader Type: Custom |
PanOSVendorSeverity
| Query Name: vendor_severity.valueHeader Type: Custom |
cs3
| Query Name: vsysHeader Type: PredefinedLabel: cs3LabelLabel Text: VirtualLocationMax Length: 4000 |
PanOSVirtualSystemID
| Query Name: vsys_idHeader Type: Custom |
PanOSVirtualSystemName
| Query Name: vsys_nameHeader Type: Custom |
PanOSX-Forwarded-For
| Query Name: xffHeader Type: Custom |
PanOSX-Forwarded-ForIP
| Query Name: xff_ip.valueHeader Type: Custom |