URL Syslog Default Field Order

Example URL log in Syslog:
Oct 13 20:56:15 gke-standard-cluster-2-pool-1-6ea9f13a-fnid 394 <142>1 2020-10-13T20:56:15.519Z stream-logfwd20-156653024-10121421-eq28-harness-16kn logforwarder - panwlogs - Palo Alto Networks,firewall,013201004706,PA-5220,22229,2019-07-03T00:05:03.000000Z,-2021464963,3,THREAT,1,url,xxx.xx.x.xx,00000000000000000000ffff0a365c38,57085,xxx.xx.x.xx,00000000000000000000ffff0a65023e,8080,6,tcp,,PA-5220,0,client to server,sjccbovw01p:8080,1,,1,get,\"\u001B\t\u0003 hL\"\"Z}u\u0015\",sjccbovw01p:8080/BOE/portal/1606170029/InfoView/DataLoader?notification=true&usercurrenttime=2019-7-2%2017:4&usertimezoneoffset=-7:00,https%253A%252F%252Fconsole.cloud.google.com%252Fdataflow%252FjobsDetail%252Flocations%252Fus-central1%252Fjobs%252F2019-08-09_20_00_42-9931281171472243776%253Fproject%253Drepl-prd1-eu%2526organizationId%253D992524860932,1,https,80,console.cloud.google.com,/dataflow/jobsDetail/locations/us-central1/jobs/2019-08-09_20_00_42-9931281171472243776,\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/xxx.xx.x.xx Safari/537.36\",,1,Informational,Informational,,0,0,10077,private-ip-addresses,,4,alert,-6917529027641081856,web-browsing,general-internet,3\r\n4\r\n5\r\n6\r\n8,\" Ezajw*{\u0000}`\",12,0,0,0,,xxx.xx.x.xx-xxx.xx.x.xx,,,\"e y@i\u0003AQ\u0011\u0011c'H\r
\",,false,true,tap,,ethernet,1181132783616,0,0,ethernet,1,19,false,false,false,false,test,\")\nq\u0010~\u0016C\u001F\",0,xxx.xx.x.xx,00000000000000000000ffff00000000,0,xxx.xx.x.xx,00000000000000000000ffff00000000,8080,ethernet,1181132783616,0,0,ethernet,1,19,0,\"WkuL0\n,[Cr\",1,4,dg-log-policy,,false,6708774908183291111,4189227,,xxx.xx.x.xx-xxx.xx.x.xx,R9/k!`>\u0017:TN,,internet-utility,browser-based,2019-08-15T03:05:54.000000Z,tap,0,N/A,tunneled-app,0,xxx.xx.x.xx,1,vsys1,\"\r\u0007\u001F+#c\bw\",-1004264700,,1093632,false,false,true,false,false,false,true,false,false,false,false,false,false,false,false,false,false,,\"eef3\u001A\u0012\\ozM\u0015>\u000E\u0003\",,\"S/!]\u000B\u0017\"\"r38\",,\"p<[<L\t(,\",,,,,,,,\"\tm\u0004Pq<\u00066uJq\n\",ujm@\u000Ek*Ggl6,,,,;H;jyv\\\u0016\u0000S,,,,\"j6u7^ ,\u0015\b\u0016S~\u000E&\",,,\":\u0018\r\u0006\u0016*-y\u0002OQN\",,\"\u0000#ROK4e \r\u0004DD\u0000\",1551419174186411220,,,-537061822,,^ \u0002@nRq\u001DxZ!w,;nTVmp=H\u001CCQ\u0000O,,,,,,,
The following list identifies the fields that a URL log contains by default when you forward logs to a syslog receiver, in the default order in which they appear in each log line.
HEADER, log_time, log_source_id, log_type.value, sub_type.value, config_version.value, time_generated, source_ip.value, dest_ip.value, nat_source.value, nat_dest.value, rule_matched, source_user, dest_user, app, vsys, from_zone, to_zone, inbound_if.value, outbound_if.value, log_set, EMPTY, session_id, count_of_repeats, source_port, dest_port, nat_source_port, nat_dest_port, flags, protocol.value, action.value, uri, EMPTY, url_category.value, vendor_severity.value, direction_of_attack.value, sequence_no, action_flags, source_location, dest_location, EMPTY, content_type, pcap_id, EMPTY, EMPTY, url_idx, user_agent, EMPTY, xff, referer, EMPTY, EMPTY, EMPTY, EMPTY, dg_hier_level_1, dg_hier_level_2, dg_hier_level_3, dg_hier_level_4, vsys_name, log_source_name, EMPTY, source_uuid, dest_uuid, http_method.value, tunnelid_imsi, monitor_tag_imei, parent_session_id, parent_start_time, tunnel.value, inline_ml_verdict.value, content_version, sig_flags, EMPTY, EMPTY, http_headers, url_category_list, rule_matched_uuid, http2_connection, dynusergroup_name, xff_ip.value, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_osfamily, source_device_osversion, source_device_host, source_device_mac, dest_device_category, dest_device_profile, dest_device_model, dest_device_vendor, dest_device_osfamily, dest_device_osversion, dest_device_host, dest_device_mac, container_id, pod_namespace, pod_name, source_edl, dest_edl, gp_host_id, endpoint_serial_number, domain_edl, source_dynamic_address_group, dest_dynamic_address_group, partial_hash, time_generated_high_res, EMPTY, EMPTY, nssai_network_slice_type.value
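The practical use of this field order is to map each comma-separated position in a forwarded line back to a field name on the receiving side. The following Python is an added example written for this page, not Palo Alto Networks code: it encodes the 111 positions listed above, derives a position table for receivers that address columns by number, and parses a constructed sample line (not the example log above; every value in it, including the serial number and rule UUID, is made up). It assumes that positions marked EMPTY are forwarded as blank fields and that quoted fields follow ordinary CSV quoting with doubled quotes, which is what the example log above shows for the user_agent field.

```python
import csv

# Default URL log field order as this page lists it (111 positions, 1-based).
# "EMPTY" marks reserved positions; assumed here to be forwarded as blank
# fields, so they still have to be counted when mapping positions to names.
URL_FIELDS = [
    "HEADER", "log_time", "log_source_id", "log_type.value", "sub_type.value",
    "config_version.value", "time_generated", "source_ip.value", "dest_ip.value",
    "nat_source.value", "nat_dest.value", "rule_matched", "source_user", "dest_user",
    "app", "vsys", "from_zone", "to_zone", "inbound_if.value", "outbound_if.value",
    "log_set", "EMPTY", "session_id", "count_of_repeats", "source_port", "dest_port",
    "nat_source_port", "nat_dest_port", "flags", "protocol.value", "action.value",
    "uri", "EMPTY", "url_category.value", "vendor_severity.value",
    "direction_of_attack.value", "sequence_no", "action_flags", "source_location",
    "dest_location", "EMPTY", "content_type", "pcap_id", "EMPTY", "EMPTY", "url_idx",
    "user_agent", "EMPTY", "xff", "referer", "EMPTY", "EMPTY", "EMPTY", "EMPTY",
    "dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4",
    "vsys_name", "log_source_name", "EMPTY", "source_uuid", "dest_uuid",
    "http_method.value", "tunnelid_imsi", "monitor_tag_imei", "parent_session_id",
    "parent_start_time", "tunnel.value", "inline_ml_verdict.value", "content_version",
    "sig_flags", "EMPTY", "EMPTY", "http_headers", "url_category_list",
    "rule_matched_uuid", "http2_connection", "dynusergroup_name", "xff_ip.value",
    "source_device_category", "source_device_profile", "source_device_model",
    "source_device_vendor", "source_device_osfamily", "source_device_osversion",
    "source_device_host", "source_device_mac", "dest_device_category",
    "dest_device_profile", "dest_device_model", "dest_device_vendor",
    "dest_device_osfamily", "dest_device_osversion", "dest_device_host",
    "dest_device_mac", "container_id", "pod_namespace", "pod_name", "source_edl",
    "dest_edl", "gp_host_id", "endpoint_serial_number", "domain_edl",
    "source_dynamic_address_group", "dest_dynamic_address_group", "partial_hash",
    "time_generated_high_res", "EMPTY", "EMPTY", "nssai_network_slice_type.value",
]

# 1-based column number of every named field, for a receiver or SIEM parser
# that addresses columns by position. Reserved EMPTY slots are left out.
FIELD_POSITION = {n: i for i, n in enumerate(URL_FIELDS, start=1) if n != "EMPTY"}


def parse_url_log(line):
    """Map one forwarded URL log line onto the documented field names.

    csv.reader is used instead of str.split(",") because quoted fields such as
    user_agent, http_headers and url_category_list can contain commas and
    doubled quotes. A wrong field count, or data in a reserved position, usually
    means the receiver is getting a custom log format rather than this default.
    """
    row = next(csv.reader([line.rstrip("\r\n")]))
    if len(row) != len(URL_FIELDS):
        raise ValueError(f"expected {len(URL_FIELDS)} fields, got {len(row)}")
    record = {}
    for pos, (name, value) in enumerate(zip(URL_FIELDS, row), start=1):
        if name == "EMPTY":
            if value != "":
                raise ValueError(f"reserved position {pos} carries data: {value!r}")
            continue
        record[name] = value
    return record


# Constructed sample line (not the page's example; all values are made up),
# laid out in the documented order. Comments give the 1-based positions covered.
SAMPLE_LINE = "".join([
    "<14>Jan  1 00:00:00 pan-fw-01 1,",                                       # 1
    "2024/01/01 00:00:00,001122334455,THREAT,url,2562,2024/01/01 00:00:00,",  # 2-7
    "10.1.2.3,203.0.113.10,198.51.100.5,203.0.113.10,allow-web,corp\\alice,",  # 8-13
    ",web-browsing,vsys1,trust,untrust,ethernet1/1,ethernet1/2,default-log-profile,",  # 14-21
    ",123456,1,51514,80,20001,80,",                                           # 22-28
    "0x408000,tcp,alert,example.test/downloads/update.exe,",                  # 29-32
    ",unknown,informational,client-to-server,7000001,0x0,10.0.0.0-10.255.255.255,US,",  # 33-40
    ',application/octet-stream,0,,,0,"Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36",',    # 41-47
    ",192.0.2.77,http://example.test/,,,,,",                                  # 48-54
    "11,0,0,0,vsys1,pan-fw-01,,",                                             # 55-61
    ",,get,0,,0,,N/A,,0,0x0,",                                                # 62-72
    ',,"Host: example.test, X-Note: ""quoted""","unknown,low-risk",'
    "00000000-0000-0000-0000-000000000001,0,,192.0.2.77,",                    # 73-80
    "," * 26,                                                                 # 81-106, all blank here
    "0,2024-01-01T00:00:00.123456Z,,,",                                       # 107-111
])

if __name__ == "__main__":
    rec = parse_url_log(SAMPLE_LINE)
    for key in ("source_ip.value", "uri", "url_category.value", "user_agent",
                "http_headers", "url_category_list", "xff_ip.value"):
        print(f"{FIELD_POSITION[key]:>3}  {key:<22} {rec[key]}")
```

The two checks in parse_url_log are the ones worth keeping in a production receiver: a field count other than 111, or a non-blank value in a reserved position, is the earliest sign that a device is sending a custom log format or a different log type, and silently shifting every later column (uri, url_category, user_agent) is the failure mode you want to catch before the data reaches detection rules.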