UserID LEEF Fields

Example UserID log in LEEF:
Sep 21 01:47:20 xxx.xx.x.xx 2368 <14>1 2021-09-21T01:47:20.990Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|2| |profileToken=Palotoken VirtualSystemID=1 AuthFactorNo=3 DeviceName=PA-5220 dstPort=49760 MappingDataSourceType=netbios_probing MappingDataSource=probing SequenceNo=6711379990526558750 MFAFactorType=xxxxx LogExported=false src=xxx.xx.x.xx VirtualSystemName= DeviceSN=xxxxxxxxxxxxx TimeGeneratedHighResolution= usrName="paloaltonetworks\\xxxxx" UserIdentifiedBySource=xxxxxxxxxxxxxx IsDuplicateUser= TimeReceived=2020-10-13T03:31:40.000000Z MappingDataSourceName=fake-data-source-169 UGFlags=256 IsPrismaNetworks=false AuthenticatedUserUUID= AuthCompletionTime=2019-07-09T18:15:44.000000Z IsDuplicateLog=false UserGroupFound= LogForwarded=true CountofRepeats=1 EventID=0 VirtualLocation=vsys1 MappingTimeout=3531 AuthenticatedUserName=xxxxx LogSource=firewall devTime=2020-10-13T03:31:40.000000Z Vendor=Palo Alto Networks AuthenticatedUserDomain=paloaltonetwork Tag= LogSourceTimeZoneOffset= cat=logout srcPort=21015 CortexDataLakeTenantID=xxxxxxxxxxxxx IsPrismaUsers=false LogType=USERID devTimeFormat=YYYY-MM-DDTHH:MM:SSZ
The following table identifies the UserID field names that the Log Forwarding app uses when you forward logs using the LEEF log format.
When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example,
TRAFFIC
,
THREAT
,
HIPMATCH
, and so forth). The token will appear on a parameter called
profileToken
.
LEEF Name
Query Name
Field Type
AuthCompletionTime
Custom
AuthFactorNo
Custom
AuthenticatedUserDomain
Custom
AuthenticatedUserName
Custom
AuthenticatedUserUUID
Custom
ConfigVersion
Custom
CountofRepeats
Custom
CortexDataLakeTenantID
Custom
dstPort
Predefined
DGHierarchyLevel1
Custom
DGHierarchyLevel2
Custom
DGHierarchyLevel3
Custom
DGHierarchyLevel4
Custom
EventIdName
Custom
IsDuplicateLog
Custom
IsDuplicateUser
Custom
LogExported
Custom
LogForwarded
Custom
IsPrismaNetworks
Custom
IsPrismaUsers
Custom
LogSource
Custom
DeviceSN
Custom
DeviceName
Custom
LogSourceTimeZoneOffset
Custom
TimeReceived
Custom
cat
Predefined
MappingDataSource
Custom
MappingDataSourceName
Custom
MappingDataSourceType
Custom
MappingTimeout
Custom
MFAFactorType
Custom
SequenceNo
Custom
src
Predefined
srcPort
Predefined
EventID
Header
Tag
Custom
devTime
Predefined
TimeGeneratedHighResolution
Custom
UGFlags
Custom
usrName
Predefined
UserGroupFound
Custom
UserIdentifiedBySource
Custom
Vendor
Header
VirtualLocation
Custom
VirtualSystemID
Custom
VirtualSystemName
Custom

Recommended For You