UserID CEF Fields

Example UserID log in CEF:
Mar 1 21:06:03 xxx.xx.x.xx 1324 <14>1 2021-03-01T21:06:03.844Z stream-logfwd20-587718190-03011255-ut6o-harness-5vlj logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|USERID|logout|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:06:02 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion= dntdom=paloaltonetwork duser=xxxxx duid= PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsDuplicateUser= PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSUserGroupFound= start=Mar 01 2021 21:06:02 cs3=vsys1 cs3Label=VirtualLocation src=xxx.xx.x.xx dst=xxx.xx.x.xx duser0=paloaltonetworks\\xxxxx cs4=fake-data-source-169 cs4Label=MappingDataSourceName cat=0 cnt=1 cn3=3531 cn3Label=MappingTimeout spt=21015 dpt=49760 cs5=probing cs5Label=MappingDataSource cs6=netbios_probing cs6Label=MappingDataSourceType externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 cn2=1 cn2Label=VirtualSystemID cs1=xxxxx cs1Label=MFAFactorType end=Jul 09 2019 18:15:44 cn1=3 cn1Label=AuthFactorNo PanOSUGFlags=0x100 PanOSUserIdentifiedBySource=xxxxxxxxxxxxxx PanOSTag= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12
The following table identifies the UserID field names that the Log Forwarding app uses when you forward logs using the CEF log format.
| CEF Name | Query Name | Header Type | Label | Label Text | Max Length |
|---|---|---|---|---|---|
| end | | Predefined | | | |
| cn1 | auth_factor_num | Predefined | cn1Label | AuthFactorNo | |
| dntdom | | Predefined | | | 255 |
| duser | | Predefined | | | 255 |
| duid | | Predefined | | | 255 |
| PanOSConfigVersion | | Custom | | | |
| cnt | count_of_repeats | Predefined | | | |
| PanOSCortexDataLakeTenantID | customer_id | Custom | | | |
| dpt | dest_port | Predefined | | | |
| PanOSDGHierarchyLevel1 | dg_hier_level_1 | Custom | | | |
| PanOSDGHierarchyLevel2 | dg_hier_level_2 | Custom | | | |
| PanOSDGHierarchyLevel3 | dg_hier_level_3 | Custom | | | |
| PanOSDGHierarchyLevel4 | dg_hier_level_4 | Custom | | | |
| cat | event_id | Predefined | | | 1023 |
| PanOSIsDuplicateLog | is_dup_log | Custom | | | |
| PanOSIsDuplicateUser | is_duplicate_user | Custom | | | |
| PanOSLogExported | is_exported | Custom | | | |
| PanOSLogForwarded | is_forwarded | Custom | | | |
| PanOSIsPrismaNetworks | is_prisma_branch | Custom | | | |
| PanOSIsPrismaUsers | is_prisma_mobile | Custom | | | |
| PanOSLogSource | log_source | Custom | | | |
| deviceExternalId | log_source_id | Predefined | | | 255 |
| dvchost | log_source_name | Predefined | | | 100 |
| PanOSLogSourceTimeZoneOffset | | Custom | | | |
| rt | log_time | Predefined | | | |
| Device Event Class ID | log_type.value | Custom | | | |
| cs5 | | Predefined | cs5Label | MappingDataSource | 4000 |
| cs4 | | Predefined | cs4Label | MappingDataSourceName | 4000 |
| cs6 | | Predefined | cs6Label | MappingDataSourceType | 4000 |
| cn3 | mapping_timeout | Predefined | cn3Label | MappingTimeout | |
| cs1 | mfa_factor_type | Predefined | cs1Label | MFAFactorType | 4000 |
| externalId | sequence_no | Predefined | | | 40 |
| src and dst, or c6a2 and c6a3 | source_ip.value | Predefined | c6a2Label and c6a3Label (IPv6 only) | Source IPv6 Address and Destination IPv6 Address (IPv6 only) | |
| spt | source_port | Predefined | | | |
| Name | sub_type.value | Custom | | | |
| PanOSTag | tag_name | Custom | | | |
| start | time_generated | Predefined | | | |
| PanOSTimeGeneratedHighResolution | | Custom | | | |
| PanOSUGFlags | ug_flags | Custom | | | |
| duser | user | Predefined | | | 1023 |
| PanOSUserGroupFound | user_group_found | Custom | | | |
| PanOSUserIdentifiedBySource | | Custom | | | |
| Device Vendor | vendor_name | Custom | | | |
| cs3 | vsys | Predefined | cs3Label | VirtualLocation | 4000 |
| cn2 | vsys_id | Predefined | cn2Label | VirtualSystemID | |
| PanOSVirtualSystemName | vsys_name | Custom | | | |
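As an added example (not the Log Forwarding app's own code), a small Python parser for a UserID CEF record of the kind shown above: it splits the seven header fields while honouring CEF escapes, reads the extension's key=value pairs (values may contain spaces or be empty, as PanOSConfigVersion and PanOSTag are in the example), keys each value by the table's Query Name or, for csN/cnN fields, by the text in the matching csNLabel/cnNLabel, and flags values longer than the Max Length the table gives. The sample record and the FIELDS subset are constructed from the page's example and table; the user and IP values are placeholders.

```python
import re

# Constructed sample, shortened from the page's example UserID record (placeholder user/IPs).
SAMPLE = ("CEF:0|Palo Alto Networks|LF|2.0|USERID|logout|3|"
          "rt=Mar 01 2021 21:06:02 PanOSConfigVersion= dntdom=paloaltonetwork "
          "duser=jdoe cs3=vsys1 cs3Label=VirtualLocation src=10.0.0.1 dst=10.0.0.2 "
          "duser0=paloaltonetwork\\\\jdoe cn3=3531 cn3Label=MappingTimeout "
          "cs4=fake-data-source-169 cs4Label=MappingDataSourceName cat=0 cnt=1 "
          "externalId=7000001 PanOSLogSource=firewall PanOSUGFlags=0x100 PanOSTag=")

# Subset of the page's table: CEF name -> (Query Name, Max Length); None where not given.
FIELDS = {"cnt": ("count_of_repeats", None), "cat": ("event_id", 1023),
          "rt": ("log_time", None), "cn3": ("mapping_timeout", None),
          "cs3": ("vsys", 4000), "cs4": (None, 4000), "duser": ("user", 1023),
          "externalId": ("sequence_no", 40), "PanOSUGFlags": ("ug_flags", None)}

HEADER = ("version", "device_vendor", "device_product", "device_version",
          "device_event_class_id", "name", "severity")
HDR_FIELD = re.compile(r"((?:\\.|[^\\|])*)\|")   # one header field up to an unescaped '|'
EXT_KEY = re.compile(r"(?:^|\s)([^\s=\\]+)=")    # an extension key before an unescaped '='

def parse_cef(line):
    """Return (header dict, extension dict) for one CEF record."""
    fields, pos = [], 0
    for _ in range(7):                           # the seven pipe-delimited header fields
        m = HDR_FIELD.match(line, pos)
        if not m or (not fields and not m.group(1).startswith("CEF:")):
            raise ValueError("not a CEF record")
        fields.append(re.sub(r"\\(.)", r"\1", m.group(1)))   # undo '\|' and '\\'
        pos = m.end()
    header = dict(zip(HEADER, fields))
    header["version"] = fields[0][len("CEF:"):]
    # Extension values run until the next key, so they may contain spaces or be empty.
    ext_text, ext = line[pos:], {}
    keys = list(EXT_KEY.finditer(ext_text))
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        raw = ext_text[k.end():end].strip()
        ext[k.group(1)] = re.sub(r"\\([=\\])", r"\1", raw)   # undo '\=' and '\\'
    return header, ext

def normalize(ext):
    """Key values by Query Name, else csN/cnN label text, else the raw CEF key."""
    return {FIELDS.get(k, (None, None))[0] or ext.get(k + "Label") or k: v
            for k, v in ext.items() if not k.endswith("Label")}

def oversized(ext):
    """CEF keys whose value is longer than the Max Length the table gives for them."""
    return [k for k, v in ext.items()
            if FIELDS.get(k, (None, None))[1] and len(v) > FIELDS[k][1]]
```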