UserID

User ID logs contain IP address-to-username mappings, authentication timestamps, the sources of the IP-to-username mappings, and so forth.
Next-generation firewalls can be configured to perform IP-to-username mappings for a network session. This mapping requires a variety of techniques so that users in all locations, regardless of access method or operating system, can be identified by the firewall. In addition to allowing the firewall to map an IP address to a username, this integration also allow the firewall to recognize when a user has logged in or logged out of a networked resource.
User-ID logs are generated whenever a user authentication event occurs using a resource to which the firewall has visibility. For example, a User-ID agent can be installed on the network so that the firewall has visibility to authentication events on domain controllers, Microsoft Exchange servers, or even Windows clients.
See the following for information related to supported log formats:
USERID Field
(Display Name)
Description
auth_completion_time
(AUTH COMPLETION TIME)
Time when the authentication was completed. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: end
EMAIL field name: AuthCompletionTime
HTTPS field name: AuthCompletionTime
LEEF field name: AuthCompletionTime
auth_factor_num
(AUTH FACTOR NO)
Indicates the use of primary authentication (1) or additional factors (2, 3).
Syslog field name: Syslog Field Order
CEF field name: cn1
EMAIL field name: AuthFactorNo
HTTPS field name: AuthFactorNo
LEEF field name: AuthFactorNo
authenticated_user_info.​domain
(AUTHENTICATED USER DOMAIN)
Domain to which the user who is being authenticated belongs.
CEF field name: dntdom
EMAIL field name: AuthenticatedUserDomain
HTTPS field name: AuthenticatedUserDomain
LEEF field name: AuthenticatedUserDomain
authenticated_user_info.​name
(AUTHENTICATED USER NAME)
Name of the user who is being authenticated.
CEF field name: duser
EMAIL field name: AuthenticatedUserName
HTTPS field name: AuthenticatedUserName
LEEF field name: AuthenticatedUserName
authenticated_user_info.​uuid
(AUTHENTICATED USER UUID)
Unique identifier assigned to the user who is being authenticated.
CEF field name: duid
EMAIL field name: AuthenticatedUserUUID
HTTPS field name: AuthenticatedUserUUID
LEEF field name: AuthenticatedUserUUID
config_version.​value
(CONFIG VERSION)
Version number of the firewall operating system that wrote this log record.
Syslog field name: Syslog Field Order
CEF field name: PanOSConfigVersion
EMAIL field name: ConfigVersion
HTTPS field name: ConfigVersion
LEEF field name: ConfigVersion
count_of_repeats
(COUNT OF REPEATS)
Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
Syslog field name: Syslog Field Order
CEF field name: cnt
EMAIL field name: CountofRepeats
HTTPS field name: CountofRepeats
LEEF field name: CountofRepeats
customer_id
(CORTEX DATA LAKE TENANT ID)
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
EMAIL field name: CortexDataLakeTenantID
HTTPS field name: CortexDataLakeTenantID
LEEF field name: CortexDataLakeTenantID
dest_port
(DESTINATION PORT)
Network traffic's destination port. If this value is 0, then the app is using its standard port.
Syslog field name: Syslog Field Order
CEF field name: dpt
EMAIL field name: DestinationPort
HTTPS field name: DestinationPort
LEEF field name: dstPort
dg_hier_level_1
(DG HIERARCHY LEVEL 1)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel1
EMAIL field name: DGHierarchyLevel1
HTTPS field name: DGHierarchyLevel1
LEEF field name: DGHierarchyLevel1
dg_hier_level_2
(DG HIERARCHY LEVEL 2)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel2
EMAIL field name: DGHierarchyLevel2
HTTPS field name: DGHierarchyLevel2
LEEF field name: DGHierarchyLevel2
dg_hier_level_3
(DG HIERARCHY LEVEL 3)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel3
EMAIL field name: DGHierarchyLevel3
HTTPS field name: DGHierarchyLevel3
LEEF field name: DGHierarchyLevel3
dg_hier_level_4
(DG HIERARCHY LEVEL 4)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel4
EMAIL field name: DGHierarchyLevel4
HTTPS field name: DGHierarchyLevel4
LEEF field name: DGHierarchyLevel4
event_id
(EVENT ID)
The event's unique identifier.
Syslog field name: Syslog Field Order
CEF field name: cat
EMAIL field name: EventID
HTTPS field name: EventID
LEEF field name: EventIdName
is_dup_log
(IS DUPLICATE LOG)
Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector.
CEF field name: PanOSIsDuplicateLog
EMAIL field name: IsDuplicateLog
HTTPS field name: IsDuplicateLog
LEEF field name: IsDuplicateLog
is_duplicate_user
(IS DUPLICATE USER)
Indicates whether duplicate users were found in a user group.
CEF field name: PanOSIsDuplicateUser
EMAIL field name: IsDuplicateUser
HTTPS field name: IsDuplicateUser
LEEF field name: IsDuplicateUser
is_exported
(LOG EXPORTED)
Indicates if this log was exported from the firewall using the firewall's log export function.
CEF field name: PanOSLogExported
EMAIL field name: LogExported
HTTPS field name: LogExported
LEEF field name: LogExported
is_forwarded
(LOG FORWARDED)
Internal-use field that indicates if the log is being forwarded.
CEF field name: PanOSLogForwarded
EMAIL field name: LogForwarded
HTTPS field name: LogForwarded
LEEF field name: LogForwarded
is_prisma_branch
(IS PRISMA NETWORKS)
Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
CEF field name: PanOSIsPrismaNetworks
EMAIL field name: IsPrismaNetworks
HTTPS field name: IsPrismaNetworks
LEEF field name: IsPrismaNetworks
is_prisma_mobile
(IS PRISMA USERS)
Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
CEF field name: PanOSIsPrismaUsers
EMAIL field name: IsPrismaUsers
HTTPS field name: IsPrismaUsers
LEEF field name: IsPrismaUsers
log_source
(LOG SOURCE)
Identifies the origin of the data. That is, the system that produced the data.
CEF field name: PanOSLogSource
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource
log_source_id
(DEVICE SN)
ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log.
Syslog field name: Syslog Field Order
CEF field name: deviceExternalId
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN
log_source_name
(DEVICE NAME)
Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
Syslog field name: Syslog Field Order
CEF field name: dvchost
EMAIL field name: DeviceName
HTTPS field name: DeviceName
LEEF field name: DeviceName
log_source_tz_offset
(LOG SOURCE TIMEZONE OFFSET)
Time Zone offset from GMT of the source of the log.
EMAIL field name: LogSourceTimeZoneOffset
HTTPS field name: LogSourceTimeZoneOffset
LEEF field name: LogSourceTimeZoneOffset
log_time
(TIME RECEIVED)
Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived
log_type.​value
(LOG TYPE)
Identifies the log type.
Syslog field name: Syslog Field Order
CEF field name: Device Event Class ID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat
mapping_data_source.​value
(MAPPING DATA SOURCE)
Source from which mapping information is collected.
Syslog field name: Syslog Field Order
CEF field name: cs5
EMAIL field name: MappingDataSource
HTTPS field name: MappingDataSource
LEEF field name: MappingDataSource
mapping_data_source_name
(MAPPING DATA SOURCE NAME)
User-ID source that sends the IP (Port)-User Mapping.
Syslog field name: Syslog Field Order
CEF field name: cs4
EMAIL field name: MappingDataSourceName
HTTPS field name: MappingDataSourceName
LEEF field name: MappingDataSourceName
mapping_data_source_type.​value
(MAPPING DATA SOURCE TYPE)
Mechanism used to identify the IP/User mappings within a data source.
Syslog field name: Syslog Field Order
CEF field name: cs6
EMAIL field name: MappingDataSourceType
HTTPS field name: MappingDataSourceType
LEEF field name: MappingDataSourceType
mapping_timeout
(MAPPING TIMEOUT)
Timeout interval after which the IP/User Mappings are cleared.
Syslog field name: Syslog Field Order
CEF field name: cn3
EMAIL field name: MappingTimeout
HTTPS field name: MappingTimeout
LEEF field name: MappingTimeout
mfa_factor_type
(MFA FACTOR TYPE)
The vendor used to authenticate a user when multi-factor authentication is present.
Syslog field name: Syslog Field Order
CEF field name: cs1
EMAIL field name: MFAFactorType
HTTPS field name: MFAFactorType
LEEF field name: MFAFactorType
sequence_no
(SEQUENCE NO)
The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
Syslog field name: Syslog Field Order
CEF field name: externalId
EMAIL field name: SequenceNo
HTTPS field name: SequenceNo
LEEF field name: SequenceNo
source_ip.​value
(SOURCE IP)
Original source IP address.
Syslog field name: Syslog Field Order
CEF fields: src and dst, or c6a2 and c6a3
EMAIL field name: SourceIP
HTTPS field name: SourceIP
LEEF field name: src
source_port
(SOURCE PORT)
Source port utilized by the session.
Syslog field name: Syslog Field Order
CEF field name: spt
EMAIL field name: SourcePort
HTTPS field name: SourcePort
LEEF field name: srcPort
sub_type.​value
(SUBTYPE)
Identifies the log subtype.
Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: Subtype
HTTPS field name: Subtype
LEEF field name: EventID
tag_name
(TAG)
The tag mapped to the user.
Syslog field name: Syslog Field Order
CEF field name: PanOSTag
EMAIL field name: Tag
HTTPS field name: Tag
LEEF field name: Tag
time_generated
(TIME GENERATED)
Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime
time_generated_high_res
(TIME GENERATED HIGH RESOLUTION)
Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
Syslog field name: Syslog Field Order
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
ug_flags
(UG FLAGS)
Bit field used to indicate the status of user and group information when the next-generation firewall is performing an IP-to-username mapping.
Syslog field name: Syslog Field Order
CEF field name: PanOSUGFlags
EMAIL field name: UGFlags
HTTPS field name: UGFlags
LEEF field name: UGFlags
user
(USER)
End user being authenticated.
Syslog field name: Syslog Field Order
CEF field name: duser
EMAIL field name: User
HTTPS field name: User
LEEF field name: usrName
user_group_found
(USER GROUP FOUND)
Indicates whether the user could be mapped to a group.
CEF field name: PanOSUserGroupFound
EMAIL field name: UserGroupFound
HTTPS field name: UserGroupFound
LEEF field name: UserGroupFound
user_identified_by_source_as
(USER IDENTIFIED BY SOURCE)
The user name as sent by the data source.
Syslog field name: Syslog Field Order
EMAIL field name: UserIdentifiedBySource
HTTPS field name: UserIdentifiedBySource
LEEF field name: UserIdentifiedBySource
vendor_name
(VENDOR NAME)
Identifies the vendor that produced the data.
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor
vsys
(VIRTUAL LOCATION)
String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order
CEF field name: cs3
EMAIL field name: VirtualLocation
HTTPS field name: VirtualLocation
LEEF field name: VirtualLocation
vsys_id
(VIRTUAL SYSTEM ID)
A unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order
CEF field name: cn2
EMAIL field name: VirtualSystemID
HTTPS field name: VirtualSystemID
LEEF field name: VirtualSystemID
vsys_name
(VIRTUAL SYSTEM NAME)
The name of the virtual system associated with the network traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystemName
EMAIL field name: VirtualSystemName
HTTPS field name: VirtualSystemName
LEEF field name: VirtualSystemName

Recommended For You