URL LEEF Fields
Table of Contents
URL LEEF Fields
Example URL log in LEEF:
Sep 21 01:52:01 gke-standard-cluster-2-pool-3-f004381a-0gw6 2646 <14>1 2021-09-21T01:52:01.328Z stream-logfwd20-d324e775--09201841-lxtx-harness-w8bx logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|sports| |TimeReceived=2021-09-21T01:52:00.000000Z DeviceSN=xxxxxxxxxxxxx cat=threat SubType=url ConfigVersion=10.1 devTime=2021-09-21T01:51:58.000000Z src=fe80:abcd:76cc:9802:d202:b3ff:fe1e:8329 dst=fe80:0:e426:5678:b202:b3ff:fe1e:8329 srcPostNAT=xxx.xx.x.xx dstPostNAT=xxx.xx.x.xx Rule=deny-time-wasters usrName=xxxxx\xxxxx o"'"test DestinationUser=paloaltonetwork\xxxxx Application=aerofs VirtualLocation=vsys1 FromZone=ethernet4Zone-test3 ToZone=ethernet4Zone-test1 InboundInterface=ethernet1/1OutboundInterface=ethernet1/2 LogSetting=rs-logging SessionID=631434 RepeatCount=1 srcPort=29176 dstPort=20350 srcPostNATPort=2932 dstPostNATPort=7181 proto=tcp Action=reset-both URL=www.this.is.another.wannabe.long.url.com/and/it/is/getting/there/by/adding/some/junk/at/the/end/of/the/url/dsakjhfskdjhfksjdhfkhk235hk2jh2kjhkhk23jhk5jh2435kjh45k3jh5k3j4h5k3h45kjh34kj5hkjhkj34hk5jh34k5jhk3j4h5k3jh45kjh34k5jhk34jh5kj34h5kjh43kj5hk34jh5k3j4h5k3j4hghhg4j5h3g VendorSeverity=Critical DirectionOfAttack=client to server SequenceNo=7003061085140561391 SourceLocation=AU DestinationLocation=west-coast ContentType=text/xml PacketID=0 URLCounter=1 UserAgent= identSrc= Referer= DGHierarchyLevel1=11 DGHierarchyLevel2=0 DGHierarchyLevel3=0DGHierarchyLevel4=0 VirtualSystemName= DeviceName=xxxxx SourceUUID= DestinationUUID= HTTPMethod=get IMSI=0 IMEI= ParentSessionID=0 ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=N/A InlineMLVerdict=unknown ContentVersion=50207 SigFlags=0 HTTPHeaders= URLCategoryList=sports,travel,health-and-medicine RuleUUID=2fb8efd4-2f01-421d-a113-097992777432 HTTP2Connection=0 DynamicUserGroupName= X-Forwarded-ForIP= SourceDeviceCategory=X-Phone SourceDeviceProfile=x-profile SourceDeviceModel=Redmi SourceDeviceVendor=Xiaomi SourceDeviceOSFamily=5 Plus SourceDeviceOSVersion=Android v8.2 SourceDeviceHost=pan-603 SourceDeviceMac=645701225660 DestinationDeviceCategory=X-Phone DestinationDeviceProfile=x-profile DestinationDeviceModel=MI DestinationDeviceVendor=Xiaomi DestinationDeviceOSFamily=A1 DestinationDeviceOSVersion=Android v9.1 DestinationDeviceHost=pan-622 DestinationDeviceMac=207974153661 ContainerID=1873cc5c-0d31 ContainerNameSpace=pns_default ContainerName=pan-dp-77754f4 SourceEDL= DestinationEDL= HostID=1010101010 EndpointSerialNumber=xxxxxxxxxxxxxx SourceDynamicAddressGroup= DestinationDynamicAddressGroup= TimeGeneratedHighResolution=2021-09-21T01:51:58.764000Z NSSAINetworkSliceType=cf devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ
The following table identifies the URL field names that the Log Forwarding app
uses when you forward logs using the LEEF log format.
When you
create a syslog forwarding profile
,
you can optionally create a profile token that the Log
Forwarding app uses when it sends logs to the syslog server. If you configure a profile token,
it appears in the log line immediately after the log type information (for example,
TRAFFIC
, THREAT
,
HIPMATCH
, and so forth). The token will appear on
a parameter called profileToken
.
LEEF Name
|
Query Name
|
Field Type
|
|---|---|---|