Table of Contents
UserID
User ID logs contain IP address-to-username mappings, authentication timestamps, the sources
of the IP-to-username mappings, and so forth.
Next-generation firewalls can be configured to perform IP-to-username mappings for a network
session. This mapping requires a variety of techniques so that users in all locations,
regardless of access method or operating system, can be identified by the firewall. In
addition to allowing the firewall to map an IP address to a username, this integration also
allow the firewall to recognize when a user has logged in or logged out of a networked
resource.
User-ID logs are generated whenever a user authentication event occurs using a resource to
which the firewall has visibility. For example, a User-ID agent can be installed on the
network so that the firewall has visibility to authentication events on domain controllers,
Microsoft Exchange servers, or even Windows clients.
See the following for information related to supported log formats:
USERID Field
(Display Name)
|
Description
|
|---|---|
auth_completion_time
(AUTH COMPLETION TIME)
|
Time when the authentication was completed. This string contains a
timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order CEF field name: end EMAIL field name: AuthCompletionTime HTTPS field name: AuthCompletionTime LEEF field name: AuthCompletionTime |
auth_factor_num
(AUTH FACTOR NO)
|
Indicates the use of primary authentication (1) or additional factors (2, 3).
Syslog field name: Syslog Field Order CEF field name: cn1 EMAIL field name: AuthFactorNo HTTPS field name: AuthFactorNo LEEF field name: AuthFactorNo |
authenticated_user_info.domain
(AUTHENTICATED USER DOMAIN)
|
Domain to which the user who is being authenticated belongs.
CEF field name: dntdom EMAIL field name: AuthenticatedUserDomain HTTPS field name: AuthenticatedUserDomain LEEF field name: AuthenticatedUserDomain |
authenticated_user_info.name
(AUTHENTICATED USER NAME)
|
Name of the user who is being authenticated.
CEF field name: duser EMAIL field name: AuthenticatedUserName HTTPS field name: AuthenticatedUserName LEEF field name: AuthenticatedUserName |
authenticated_user_info.uuid
(AUTHENTICATED USER UUID)
|
Unique identifier assigned to the user who is being authenticated.
CEF field name: duid EMAIL field name: AuthenticatedUserUUID HTTPS field name: AuthenticatedUserUUID LEEF field name: AuthenticatedUserUUID |
config_version.value
(CONFIG VERSION)
|
Version number of the firewall operating system that wrote this log record.
Syslog field name: Syslog Field Order CEF field name: PanOSConfigVersion EMAIL field name: ConfigVersion HTTPS field name: ConfigVersion LEEF field name: ConfigVersion |
count_of_repeats
(COUNT OF REPEATS)
|
Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
Syslog field name: Syslog Field Order CEF field name: cnt EMAIL field name: CountofRepeats HTTPS field name: CountofRepeats LEEF field name: CountofRepeats |
customer_id
(CORTEX DATA LAKE TENANT ID)
|
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
CEF field name: PanOSCortexDataLakeTenantID EMAIL field name: CortexDataLakeTenantID HTTPS field name: CortexDataLakeTenantID LEEF field name: CortexDataLakeTenantID |
dest_port
(DESTINATION PORT)
|
Network traffic's destination port. If this value is 0, then the app is using its standard port.
Syslog field name: Syslog Field Order CEF field name: dpt EMAIL field name: DestinationPort HTTPS field name: DestinationPort LEEF field name: dstPort |
dg_hier_level_1
(DG HIERARCHY LEVEL 1)
|
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order CEF field name: PanOSDGHierarchyLevel1 EMAIL field name: DGHierarchyLevel1 HTTPS field name: DGHierarchyLevel1 LEEF field name: DGHierarchyLevel1 |
dg_hier_level_2
(DG HIERARCHY LEVEL 2)
|
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order CEF field name: PanOSDGHierarchyLevel2 EMAIL field name: DGHierarchyLevel2 HTTPS field name: DGHierarchyLevel2 LEEF field name: DGHierarchyLevel2 |
dg_hier_level_3
(DG HIERARCHY LEVEL 3)
|
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order CEF field name: PanOSDGHierarchyLevel3 EMAIL field name: DGHierarchyLevel3 HTTPS field name: DGHierarchyLevel3 LEEF field name: DGHierarchyLevel3 |
dg_hier_level_4
(DG HIERARCHY LEVEL 4)
|
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order CEF field name: PanOSDGHierarchyLevel4 EMAIL field name: DGHierarchyLevel4 HTTPS field name: DGHierarchyLevel4 LEEF field name: DGHierarchyLevel4 |
event_id
(EVENT ID)
|
The event's unique identifier.
Syslog field name: Syslog Field Order CEF field name: cat EMAIL field name: EventID HTTPS field name: EventID LEEF field name: EventIdName |
is_dup_log
(IS DUPLICATE LOG)
|
Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector.
CEF field name: PanOSIsDuplicateLog EMAIL field name: IsDuplicateLog HTTPS field name: IsDuplicateLog LEEF field name: IsDuplicateLog |
is_duplicate_user
(IS DUPLICATE USER)
|
Indicates whether duplicate users were found in a user group.
CEF field name: PanOSIsDuplicateUser EMAIL field name: IsDuplicateUser HTTPS field name: IsDuplicateUser LEEF field name: IsDuplicateUser |
is_exported
(LOG EXPORTED)
|
Indicates if this log was exported from the firewall using the firewall's log export function.
CEF field name: PanOSLogExported EMAIL field name: LogExported HTTPS field name: LogExported LEEF field name: LogExported |
is_forwarded
(LOG FORWARDED)
|
Internal-use field that indicates if the log is being forwarded.
CEF field name: PanOSLogForwarded EMAIL field name: LogForwarded HTTPS field name: LogForwarded LEEF field name: LogForwarded |
is_prisma_branch
(IS PRISMA NETWORKS)
|
Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
CEF field name: PanOSIsPrismaNetworks EMAIL field name: IsPrismaNetworks HTTPS field name: IsPrismaNetworks LEEF field name: IsPrismaNetworks |
is_prisma_mobile
(IS PRISMA USERS)
|
Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
CEF field name: PanOSIsPrismaUsers EMAIL field name: IsPrismaUsers HTTPS field name: IsPrismaUsers LEEF field name: IsPrismaUsers |
log_source
(LOG SOURCE)
|
Identifies the origin of the data. That is, the system that produced the data.
CEF field name: PanOSLogSource EMAIL field name: LogSource HTTPS field name: LogSource LEEF field name: LogSource |
log_source_group_id
(LOG SOURCE GROUP ID)
| The ID of the Cloud NGFW resource. CEF field name: LogSourceGroupID EMAIL field name: LogSourceGroupID HTTPS field name: LogSourceGroupID LEEF field name: LogSourceGroupID |
log_source_id
(DEVICE SN)
|
ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log.
If the log is generated by Prisma Access, the serial number is not displayed. Syslog field name: Syslog Field Order CEF field name: deviceExternalId EMAIL field name: DeviceSN HTTPS field name: DeviceSN LEEF field name: DeviceSN |
log_source_name
(DEVICE NAME)
|
Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
Syslog field name: Syslog Field Order CEF field name: dvchost EMAIL field name: DeviceName HTTPS field name: DeviceName LEEF field name: DeviceName |
log_source_tz_offset
(LOG SOURCE TIMEZONE OFFSET)
|
Time Zone offset from GMT of the source of the log.
CEF field name: PanOSLogSourceTimeZoneOffset EMAIL field name: LogSourceTimeZoneOffset HTTPS field name: LogSourceTimeZoneOffset LEEF field name: LogSourceTimeZoneOffset |
log_time
(TIME RECEIVED)
|
Time the log was received in Cortex Data Lake. This string
contains a timestamp value that is the number of microseconds
since the Unix epoch.
Syslog field name: Syslog Field Order CEF field name: rt EMAIL field name: TimeReceived HTTPS field name: TimeReceived LEEF field name: TimeReceived |
log_type.value
(LOG TYPE)
|
Identifies the log type.
Syslog field name: Syslog Field Order CEF field name: Device Event Class ID EMAIL field name: LogType HTTPS field name: LogType LEEF field name: cat |
mapping_data_source.value
(MAPPING DATA SOURCE)
|
Source from which mapping information is collected.
Syslog field name: Syslog Field Order CEF field name: cs5 EMAIL field name: MappingDataSource HTTPS field name: MappingDataSource LEEF field name: MappingDataSource |
mapping_data_source_name
(MAPPING DATA SOURCE NAME)
|
User-ID source that sends the IP (Port)-User Mapping.
Syslog field name: Syslog Field Order CEF field name: cs4 EMAIL field name: MappingDataSourceName HTTPS field name: MappingDataSourceName LEEF field name: MappingDataSourceName |
mapping_data_source_type.value
(MAPPING DATA SOURCE TYPE)
|
Mechanism used to identify the IP/User mappings within a data source.
Syslog field name: Syslog Field Order CEF field name: cs6 EMAIL field name: MappingDataSourceType HTTPS field name: MappingDataSourceType LEEF field name: MappingDataSourceType |
mapping_timeout
(MAPPING TIMEOUT)
|
Timeout interval after which the IP/User Mappings are cleared.
Syslog field name: Syslog Field Order CEF field name: cn3 EMAIL field name: MappingTimeout HTTPS field name: MappingTimeout LEEF field name: MappingTimeout |
mfa_factor_type
(MFA FACTOR TYPE)
|
The vendor used to authenticate a user when multi-factor authentication is present.
Syslog field name: Syslog Field Order CEF field name: cs1 EMAIL field name: MFAFactorType HTTPS field name: MFAFactorType LEEF field name: MFAFactorType |
panorama_serial
(PANORAMA SN)
|
Panorama Serial associated with CDL.
CEF field name: PanOSPanoramaSN EMAIL field name: PanoramaSN HTTPS field name: PanoramaSN LEEF field name: PanoramaSN |
sequence_no
(SEQUENCE NO)
|
The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
Syslog field name: Syslog Field Order CEF field name: externalId EMAIL field name: SequenceNo HTTPS field name: SequenceNo LEEF field name: SequenceNo |
source_port
(SOURCE PORT)
|
Source port utilized by the session.
Syslog field name: Syslog Field Order CEF field name: spt EMAIL field name: SourcePort HTTPS field name: SourcePort LEEF field name: srcPort |
sub_type.value
(SUBTYPE)
|
Identifies the log subtype.
Syslog field name: Syslog Field Order CEF field name: Name EMAIL field name: Subtype HTTPS field name: Subtype LEEF field name: EventID |
tag_name
(TAG)
|
The tag mapped to the user.
Syslog field name: Syslog Field Order CEF field name: PanOSTag EMAIL field name: Tag HTTPS field name: Tag LEEF field name: Tag |
time_generated
(TIME GENERATED)
|
Time when the log was generated on the firewall's data plane. This string contains a
timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order CEF field name: start EMAIL field name: TimeGenerated HTTPS field name: TimeGenerated LEEF field name: devTime |
time_generated_high_res
(TIME GENERATED HIGH RESOLUTION)
|
Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
Syslog field name: Syslog Field Order CEF field name: PanOSTimeGeneratedHighResolution EMAIL field name: TimeGeneratedHighResolution HTTPS field name: TimeGeneratedHighResolution LEEF field name: TimeGeneratedHighResolution |
ug_flags
(UG FLAGS)
|
Bit field used to indicate the status of user and group information when the next-generation firewall is performing an IP-to-username mapping.
Syslog field name: Syslog Field Order CEF field name: PanOSUGFlags EMAIL field name: UGFlags HTTPS field name: UGFlags LEEF field name: UGFlags |
user
(USER)
|
End user being authenticated.
Syslog field name: Syslog Field Order CEF field name: duser EMAIL field name: User HTTPS field name: User LEEF field name: usrName |
user_group_found
(USER GROUP FOUND)
|
Indicates whether the user could be mapped to a group.
CEF field name: PanOSUserGroupFound EMAIL field name: UserGroupFound HTTPS field name: UserGroupFound LEEF field name: UserGroupFound |
user_identified_by_source_as
(USER IDENTIFIED BY SOURCE)
|
The user name as sent by the data source.
Syslog field name: Syslog Field Order CEF field name: PanOSUserIdentifiedBySource EMAIL field name: UserIdentifiedBySource HTTPS field name: UserIdentifiedBySource LEEF field name: UserIdentifiedBySource |
vendor_name
(VENDOR NAME)
|
Identifies the vendor that produced the data.
CEF field name: Device Vendor EMAIL field name: VendorName HTTPS field name: VendorName LEEF field name: Vendor |
vsys
(VIRTUAL LOCATION)
|
String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order CEF field name: cs3 EMAIL field name: VirtualLocation HTTPS field name: VirtualLocation LEEF field name: VirtualLocation |
vsys_id
(VIRTUAL SYSTEM ID)
|
A unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order CEF field name: cn2 EMAIL field name: VirtualSystemID HTTPS field name: VirtualSystemID LEEF field name: VirtualSystemID |
vsys_name
(VIRTUAL SYSTEM NAME)
|
The name of the virtual system associated with the network traffic.
Syslog field name: Syslog Field Order CEF field name: PanOSVirtualSystemName EMAIL field name: VirtualSystemName HTTPS field name: VirtualSystemName LEEF field name: VirtualSystemName |