URL CEF Fields

Example URL log in CEF:
Mar 1 20:48:23 xxx.xx.x.xx 4377 <14>1 2021-03-01T20:48:23.048Z stream-logfwd20-587718190-03011242-xynu-harness-zpqg logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|THREAT|url|1|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:48:21 deviceExternalId=xxxxxxxxxxxxx PanOSApplicationCategory=database PanOSApplicationContainer= PanOSApplicationRisk=2 PanOSApplicationSubcategory=database PanOSApplicationTechnology=client-server PanOSCaptivePortal=false PanOSCloudHostname=xxxxx PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSDestinationDeviceClass= PanOSDestinationDeviceOS= dntdom=xxxxx duser=xxxxx o"'"test duid= PanOSHTTPRefererFQDN= PanOSHTTPRefererPort= PanOSHTTPRefererProtocol= PanOSHTTPRefererURLPath= PanOSInboundInterfaceDetailsPort=0 PanOSInboundInterfaceDetailsSlot=0 PanOSInboundInterfaceDetailsType=unknown PanOSInboundInterfaceDetailsUnit=0 PanOSIsClienttoServer=true PanOSIsContainer=false PanOSIsDecryptMirror=false PanOSIsDecrypted=false PanOSIsDuplicateLog=false PanOSIsEncrypted=false PanOSIsIPV6=false PanOSIsMptcpOn=false PanOSIsNonStandardDestinationPort=false PanOSIsPacketCapture=false PanOSIsPhishing=false PanOSIsPrismaNetwork=false PanOSIsPrismaUsers=false PanOSIsProxy=false PanOSIsReconExcluded=false PanOSIsSaaSApplication=false PanOSIsServertoClient=false PanOSIsSourceXForwarded=true PanOSIsSystemReturn=true PanOSIsTransaction=false PanOSIsTunnelInspected=false PanOSIsURLDenied=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSNAT=false PanOSNonStandardDestinationPort=32350 PanOSOutboundInterfaceDetailsPort=2 PanOSOutboundInterfaceDetailsSlot=1 PanOSOutboundInterfaceDetailsType=ethernet PanOSOutboundInterfaceDetailsUnit=0 PanOSPacket= PanOSSanctionedStateofApp=false PanOSSeverity=Informational PanOSSourceDeviceClass= PanOSSourceDeviceOS= sntdom=xxxxx suser=xxxxx xxxxx suid= PanOSTunneledApplication=untunneled PanOSURLDomain=?% PanOSUsers=xxxxx\\xxxxx xxxxx PanOSVirtualSystemID=1 PanOSConfigVersion=10.0 start=Mar 01 2021 20:48:16 src=xxx.xx.x.xx dst=xxx.xx.x.xx sourceTranslatedAddress=xxx.xx.x.xx destinationTranslatedAddress=xxx.xx.x.xx cs1=allow-business-apps cs1Label=Rule suser0=xxxxx\\xxxxx xxxxx duser0=xxxxx\\xxxxx o"'"test app=maxdb cs3=vsys1 cs3Label=VirtualLocation cs4=ethernet4Zone-test4 cs4Label=FromZone cs5=untrust cs5Label=ToZone deviceInboundInterface=unknown deviceOutboundInterface=ethernet1/2 cs6=rs-logging cs6Label=LogSetting cn1=980296 cn1Label=SessionID cnt=1 spt=32350 dpt=1532 sourceTranslatedPort=26236 destinationTranslatedPort=12016 proto=tcp act=block-url request=?% cs2=sports cs2Label=URLCategory flexString2=server to client flexString2Label=DirectionOfAttack externalId=xxxxxxxxxxxxx PanOSSourceLocation=west-coast PanOSDestinationLocation=PK requestContext=application/jpeg fileId=0 PanOSURLCounter=1 requestClientApplication= PanOSX-Forwarded-For= PanOSReferer= PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSSourceUUID= PanOSDestinationUUID= requestMethod=post PanOSIMSI=1 PanOSIMEI=Navy Base PanOSParentSessionID=8802 PanOSParentStarttime=Mar 01 2021 20:48:10 PanOSTunnel=VXLAN PanOSInlineMLVerdict=overflow PanOSContentVersion=50222 PanOSSigFlags=2 PanOSHTTPHeaders= PanOSURLCategoryList=sports,​11008,​38340 PanOSRuleUUID=ec14df0b-c845-4435-87a2-d207730f5ae8 PanOSHTTP2Connection=8802 PanOSDynamicUserGroupName= PanOSX-Forwarded-ForIP= PanOSSourceDeviceCategory=L-Phone PanOSSourceDeviceProfile=l-profile PanOSSourceDeviceModel=Note 4G PanOSSourceDeviceVendor=Lenovo PanOSSourceDeviceOSFamily=K6 PanOSSourceDeviceOSVersion=Android v9 PanOSSourceDeviceHost=pan-505 PanOSSourceDeviceMac=596703749274 PanOSDestinationDeviceCategory=L-Phone PanOSDestinationDeviceProfile=l-profile PanOSDestinationDeviceModel=Note XT PanOSDestinationDeviceVendor=Lenovo PanOSDestinationDeviceOSFamily=K8 PanOSDestinationDeviceOSVersion=Android v8 PanOSDestinationDeviceHost=pan-506 PanOSDestinationDeviceMac=150083646537 PanOSContainerID=1873cc5c-0d31 PanOSContainerNameSpace=pns_default PanOSContainerName=pan-dp-77754f4 PanOSSourceEDL= PanOSDestinationEDL= PanOSHostID=xxxxxxxxxxxxxx PanOSEndpointSerialNumber=xxxxxxxxxxxxxx PanOSSourceDynamicAddressGroup= blue_dag PanOSDestinationDynamicAddressGroup= PanOSTimeGeneratedHighResolution=Mar 01 2021 20:48:16 PanOSNSSAINetworkSliceType=b5
The following table identifies the URL field names that the Log Forwarding app uses when you forward logs using the CEF log format.
CEF Name
Field Details
act
Query Name:
action.​value
Header Type:
Predefined
Max Length:
63
app
Query Name:
app
Header Type:
Predefined
Max Length:
31
PanOSApplicationCategory
Query Name:
app_category
Header Type:
Custom
PanOSApplicationSubcategory
Query Name:
app_sub_category
Header Type:
Custom
PanOSCloudHostname
Query Name:
cloud_hostname
Header Type:
Custom
PanOSCloudReportID
Query Name:
cloud_reportid
Header Type:
Custom
PanOSConfigVersion
Header Type:
Custom
PanOSContainerID
Query Name:
container_id
Header Type:
Custom
PanOSApplicationContainer
Query Name:
container_of_app
Header Type:
Custom
requestContext
Query Name:
content_type
Header Type:
Predefined
Max Length:
2048
PanOSContentVersion
Query Name:
content_version
Header Type:
Custom
cnt
Query Name:
count_of_repeats
Header Type:
Predefined
PanOSCortexDataLakeTenantID
Query Name:
customer_id
Header Type:
Custom
PanOSDestinationDeviceCategory
Header Type:
Custom
PanOSDestinationDeviceClass
Query Name:
dest_device_class
Header Type:
Custom
PanOSDestinationDeviceHost
Query Name:
dest_device_host
Header Type:
Custom
PanOSDestinationDeviceMac
Query Name:
dest_device_mac
Header Type:
Custom
PanOSDestinationDeviceModel
Query Name:
dest_device_model
Header Type:
Custom
PanOSDestinationDeviceOS
Query Name:
dest_device_os
Header Type:
Custom
PanOSDestinationDeviceOSFamily
Header Type:
Custom
PanOSDestinationDeviceOSVersion
Header Type:
Custom
PanOSDestinationDeviceProfile
Header Type:
Custom
PanOSDestinationDeviceVendor
Query Name:
dest_device_vendor
Header Type:
Custom
PanOSDestinationDynamicAddressGroup
Header Type:
Custom
PanOSDestinationEDL
Query Name:
dest_edl
Header Type:
Custom
dst or c6a3
Query Name:
dest_ip.​value
Header Type:
Predefined
Label:
|| c6a3Label
Label Text:
|| Destination IPv6 Address
PanOSDestinationLocation
Query Name:
dest_location
Header Type:
Custom
dpt
Query Name:
dest_port
Header Type:
Predefined
duser
Query Name:
dest_user
Header Type:
Predefined
Max Length:
1023
dntdom
Header Type:
Predefined
Max Length:
255
duser
Header Type:
Predefined
Max Length:
255
duid
Header Type:
Predefined
Max Length:
255
PanOSDestinationUUID
Query Name:
dest_uuid
Header Type:
Custom
PanOSDGHierarchyLevel1
Query Name:
dg_hier_level_1
Header Type:
Custom
PanOSDGHierarchyLevel2
Query Name:
dg_hier_level_2
Header Type:
Custom
PanOSDGHierarchyLevel3
Query Name:
dg_hier_level_3
Header Type:
Custom
PanOSDGHierarchyLevel4
Query Name:
dg_hier_level_4
Header Type:
Custom
flexString2
Header Type:
Predefined
Label:
flexString2Label
Label Text:
DirectionOfAttack
Max Length:
1023
PanOSDynamicUserGroupName
Query Name:
dynusergroup_name
Header Type:
Custom
PanOSEndpointSerialNumber
Header Type:
Custom
PanOSFileURL
Query Name:
file_url
Header Type:
Custom
cs4
Query Name:
from_zone
Header Type:
Predefined
Label:
cs4Label
Label Text:
FromZone
Max Length:
4000
PanOSHostID
Query Name:
gp_host_id
Header Type:
Custom
PanOSHTTP2Connection
Query Name:
http2_connection
Header Type:
Custom
PanOSHTTPHeaders
Query Name:
http_headers
Header Type:
Custom
requestMethod
Header Type:
Predefined
Max Length:
1023
deviceInboundInterface
Header Type:
Predefined
Max Length:
128
PanOSInboundInterfaceDetailsPort
Header Type:
Custom
PanOSInboundInterfaceDetailsSlot
Header Type:
Custom
PanOSInboundInterfaceDetailsType
Header Type:
Custom
PanOSInboundInterfaceDetailsUnit
Header Type:
Custom
PanOSInlineMLVerdict
Header Type:
Custom
PanOSCaptivePortal
Query Name:
is_captive_portal
Header Type:
Custom
PanOSIsClienttoServer
Header Type:
Custom
PanOSIsContainer
Query Name:
is_container
Header Type:
Custom
PanOSIsDecryptMirror
Query Name:
is_decrypt_mirror
Header Type:
Custom
PanOSIsDecrypted
Query Name:
is_decrypted
Header Type:
Custom
PanOSIsDuplicateLog
Query Name:
is_dup_log
Header Type:
Custom
PanOSIsEncrypted
Query Name:
is_encrypted
Header Type:
Custom
PanOSLogExported
Query Name:
is_exported
Header Type:
Custom
PanOSLogForwarded
Query Name:
is_forwarded
Header Type:
Custom
PanOSIsIPV6
Query Name:
is_ipv6
Header Type:
Custom
PanOSIsMptcpOn
Query Name:
is_mptcp_on
Header Type:
Custom
PanOSNAT
Query Name:
is_nat
Header Type:
Custom
PanOSIsNonStandardDestinationPort
Header Type:
Custom
PanOSIsPacketCapture
Query Name:
is_packet_capture
Header Type:
Custom
PanOSIsPhishing
Query Name:
is_phishing
Header Type:
Custom
PanOSIsPrismaNetwork
Query Name:
is_prisma_branch
Header Type:
Custom
PanOSIsPrismaUsers
Query Name:
is_prisma_mobile
Header Type:
Custom
PanOSIsProxy
Query Name:
is_proxy
Header Type:
Custom
PanOSIsReconExcluded
Query Name:
is_recon_excluded
Header Type:
Custom
PanOSIsSaaSApplication
Query Name:
is_saas_app
Header Type:
Custom
PanOSIsServertoClient
Header Type:
Custom
PanOSIsSourceXForwarded
Query Name:
is_source_x_fwded
Header Type:
Custom
PanOSIsSystemReturn
Query Name:
is_sym_return
Header Type:
Custom
PanOSIsTransaction
Query Name:
is_transaction
Header Type:
Custom
PanOSIsTunnelInspected
Header Type:
Custom
PanOSIsURLDenied
Query Name:
is_url_denied
Header Type:
Custom
PanOSLocation
Query Name:
location
Header Type:
Custom
cs6
Query Name:
log_set
Header Type:
Predefined
Label:
cs6Label
Label Text:
LogSetting
Max Length:
4000
PanOSLogSource
Query Name:
log_source
Header Type:
Custom
deviceExternalId
Query Name:
log_source_id
Header Type:
Predefined
Max Length:
255
dvchost
Query Name:
log_source_name
Header Type:
Predefined
Max Length:
100
PanOSLogSourceTimeZoneOffset
Header Type:
Custom
rt
Query Name:
log_time
Header Type:
Predefined
Device Event Class ID
Query Name:
log_type.​value
Header Type:
Custom
PanOSIMEI
Query Name:
monitor_tag_imei
Header Type:
Custom
destinationTranslatedAddress
Query Name:
nat_dest.​value
Header Type:
Predefined
destinationTranslatedPort
Query Name:
nat_dest_port
Header Type:
Predefined
sourceTranslatedAddress
Header Type:
Predefined
sourceTranslatedPort
Query Name:
nat_source_port
Header Type:
Predefined
PanOSNonStandardDestinationPort
Header Type:
Custom
PanOSNSSAINetworkSliceType
Header Type:
Custom
deviceOutboundInterface
Header Type:
Predefined
Max Length:
128
PanOSOutboundInterfaceDetailsPort
Header Type:
Custom
PanOSOutboundInterfaceDetailsSlot
Header Type:
Custom
PanOSOutboundInterfaceDetailsType
Header Type:
Custom
PanOSOutboundInterfaceDetailsUnit
Header Type:
Custom
PanOSParentSessionID
Query Name:
parent_session_id
Header Type:
Custom
PanOSParentStarttime
Query Name:
parent_start_time
Header Type:
Custom
PanOSPacket
Query Name:
pcap
Header Type:
Custom
fileId
Query Name:
pcap_id
Header Type:
Predefined
Max Length:
1023
PanOSContainerName
Query Name:
pod_name
Header Type:
Custom
PanOSContainerNameSpace
Query Name:
pod_namespace
Header Type:
Custom
proto
Query Name:
protocol.​value
Header Type:
Predefined
Max Length:
31
PanOSReferer
Query Name:
referer
Header Type:
Custom
PanOSHTTPRefererFQDN
Query Name:
referer_fqdn
Header Type:
Custom
PanOSHTTPRefererPort
Query Name:
referer_port
Header Type:
Custom
PanOSHTTPRefererProtocol
Header Type:
Custom
PanOSHTTPRefererURLPath
Query Name:
referer_url_path
Header Type:
Custom
PanOSApplicationRisk
Query Name:
risk_of_app
Header Type:
Custom
cs1
Query Name:
rule_matched
Header Type:
Predefined
Label:
cs1Label
Label Text:
Rule
Max Length:
4000
PanOSRuleUUID
Query Name:
rule_matched_uuid
Header Type:
Custom
PanOSSanctionedStateofApp
Header Type:
Custom
externalId
Query Name:
sequence_no
Header Type:
Predefined
Max Length:
40
cn1
Query Name:
session_id
Header Type:
Predefined
Label:
cn1Label
Label Text:
SessionID
PanOSSeverity
Query Name:
severity
Header Type:
Custom
PanOSSigFlags
Query Name:
sig_flags
Header Type:
Custom
PanOSSourceDeviceCategory
Header Type:
Custom
PanOSSourceDeviceClass
Header Type:
Custom
PanOSSourceDeviceHost
Query Name:
source_device_host
Header Type:
Custom
PanOSSourceDeviceMac
Query Name:
source_device_mac
Header Type:
Custom
PanOSSourceDeviceModel
Header Type:
Custom
PanOSSourceDeviceOS
Query Name:
source_device_os
Header Type:
Custom
PanOSSourceDeviceOSFamily
Header Type:
Custom
PanOSSourceDeviceOSVersion
Header Type:
Custom
PanOSSourceDeviceProfile
Header Type:
Custom
PanOSSourceDeviceVendor
Header Type:
Custom
PanOSSourceDynamicAddressGroup
Header Type:
Custom
PanOSSourceEDL
Query Name:
source_edl
Header Type:
Custom
src or c6a2
Query Name:
source_ip.​value
Header Type:
Predefined
Label:
|| c6a2Label
Label Text:
|| Source IPv6 Address
PanOSSourceLocation
Query Name:
source_location
Header Type:
Custom
spt
Query Name:
source_port
Header Type:
Predefined
suser
Query Name:
source_user
Header Type:
Predefined
Max Length:
1023
sntdom
Header Type:
Predefined
Max Length:
1023
suser
Header Type:
Predefined
Max Length:
1023
suid
Header Type:
Predefined
Max Length:
1023
PanOSSourceUUID
Query Name:
source_uuid
Header Type:
Custom
Name
Query Name:
sub_type.​value
Header Type:
Custom
PanOSApplicationTechnology
Query Name:
technology_of_app
Header Type:
Custom
start
Query Name:
time_generated
Header Type:
Predefined
PanOSTimeGeneratedHighResolution
Header Type:
Custom
cs5
Query Name:
to_zone
Header Type:
Predefined
Label:
cs5Label
Label Text:
ToZone
Max Length:
4000
PanOSTunnel
Query Name:
tunnel.​value
Header Type:
Custom
PanOSTunneledApplication
Query Name:
tunneled_app
Header Type:
Custom
PanOSIMSI
Query Name:
tunnelid_imsi
Header Type:
Custom
request
Query Name:
uri
Header Type:
Predefined
Max Length:
1023
cs2
Header Type:
Predefined
Label:
cs2Label
Label Text:
URLCategory
Max Length:
4000
PanOSURLCategoryList
Query Name:
url_category_list
Header Type:
Custom
PanOSURLDomain
Query Name:
url_domain
Header Type:
Custom
PanOSURLCounter
Query Name:
url_idx
Header Type:
Custom
requestClientApplication
Query Name:
user_agent
Header Type:
Predefined
Max Length:
1023
PanOSUsers
Query Name:
users
Header Type:
Custom
Device Vendor
Query Name:
vendor_name
Header Type:
Custom
PanOSVendorSeverity
Header Type:
Custom
cs3
Query Name:
vsys
Header Type:
Predefined
Label:
cs3Label
Label Text:
VirtualLocation
Max Length:
4000
PanOSVirtualSystemID
Query Name:
vsys_id
Header Type:
Custom
PanOSVirtualSystemName
Query Name:
vsys_name
Header Type:
Custom
PanOSX-Forwarded-For
Query Name:
xff
Header Type:
Custom
PanOSX-Forwarded-ForIP
Query Name:
xff_ip.​value
Header Type:
Custom

Recommended For You