Authentication Log Fields
Format: FUTURE_USE, Receive Time, Serial Number,
Type, Threat/Content Type, FUTURE_USE, Generated Time, Virtual System,
Source IP, User, Normalize User, Object, Authentication Policy,
Repeat Count, Authentication ID, Vendor, Log Action, Server Profile,
Description, Client Type, Event Type, Factor Number, Sequence Number,
Action Flags, Device Group Hierarchy 1, Device Group Hierarchy 2,
Device Group Hierarchy 3, Device Group Hierarchy 4, Virtual System
Name, Device Name, Virtual System ID, Authentication Protocol, UUID
for rule, High Resolution Timestamp, Source Device Category, Source
Device Profile, Source Device Model, Source Device Vendor, Source
Device OS Family, Source Device OS Version, Source Hostname, Source
Mac Address, Region, FUTURE_USE, User Agent, Session ID
|
Receive Time (receive_time or cef-formatted-receive_time) | Time the log was received at the management
plane. |
Serial Number (serial) | Serial number of the device that generated
the log. |
Type (type) | Specifies the type of log; value is AUTHENTICATION. |
Threat/Content Type (subtype) | Subtype of the system log; refers to the
system daemon generating the log; values are crypto, dhcp, dnsproxy,
dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe,
ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn. |
Generated Time (time_generated or cef-formatted-time_generated) | Time the log was generated on the dataplane. |
Virtual System (vsys) | Virtual System associated with the session. |
Source IP (ip) | Original session source IP address. |
User (user) | End user being authenticated. |
Normalize User (normalize_user) | Normalized version of username being authenticated
(such as appending a domain name to the username). |
Object (object) | Name of the object associated with the system
event. |
Authentication Policy (authpolicy) | Policy invoked for authentication before
allowing access to a protected resource. |
Repeat Count (repeatcnt) | Number of sessions with same Source IP,
Destination IP, Application, and Subtype seen within 5 seconds. |
Authentication ID (authid) | Unique ID given across primary authentication
and additional (multi factor) authentication. |
Vendor (vendor) | Vendor providing additional factor authentication. |
Log Action (logset) | Log Forwarding Profile that was applied
to the session. |
Server Profile (serverprofile) | Authentication server used for authentication. |
Description (desc) | Additional authentication information. |
Client Type (clienttype) | Type of client used to complete authentication
(such as authentication portal). |
Event Type (event) | Result of the authentication attempt. |
Factor Number (factorno) | Indicates the use of primary authentication
(1) or additional factors (2, 3). |
Sequence Number (seqno) | A 64-bit log entry identifier incremented
sequentially. Each log type has a unique number space. |
Action Flags (actionflags) | A bit field indicating if the log was forwarded
to Panorama. |
Device Group Hierarchy (dg_hier_level_1
to dg_hier_level_4) | A sequence of identification numbers that
indicate the device group’s location within a device group hierarchy.
The firewall (or virtual system) generating the log includes the
identification number of each ancestor in its device group hierarchy.
The shared device group (level 0) is not included in this structure. If
the log values are 12, 34, 45, 0, it means that the log was generated by
a firewall (or virtual system) that belongs to device group 45,
and its ancestors are 34, and 12. To view the device group names
that correspond to the value 12, 34 or 45, use one of the following
methods: API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
|
Virtual System Name (vsys_name) | The name of the virtual system associated
with the session; only valid on firewalls enabled for multiple virtual
systems. |
Device Name (device_name) | The hostname of the firewall
on which the session was logged. |
Virtual System ID (vsys_id) | A unique identifier for a virtual
system on a Palo Alto Networks firewall. |
Authentication Protocol (authproto) | Indicates the authentication protocol used
by the server. For example, PEAP with GTC. |
UUID for rule (rule_uuid) | The UUID that permanently identifies the
rule. |
High Resolution Timestamp (high_res _timestamp) | Time in milliseconds the log was received
at the management plane. The format for this new field is
YYYY-MM-DDThh:ss:sssTZD: YYYY—Four digit year MM—Two-digit month DD—Two-digit day of the month (01 through 31) T—Indicator for the beginning of the timestamp hh—Two-digit hour using 24-hour time (00 through 23) mm—Two-digit minute (00 through 59) ss—Two-digit second (00 through 60) sss—One or more digits for millisecond TZD—Time zone designator (+hh:mm or -hh:mm)
The
High Resolution Timestamp is supported for logs received from managed
firewalls running PAN-OS 10.0 and later releases. Logs received from
managed firewalls running PAN-OS 9.1 and earlier releases display a 1969-12-31T16:00:00:000-8:00 timestamp
regardless of when the log was received. |
Source Device Category (src_category) | The category for the device that Device-ID
identifies as the source of the traffic. |
Source Device Profile (src_profile) | The device profile for the device that Device-ID
identifies as the source of the traffic. |
Source Device Model (src_model) | The model of the device that Device-ID identifies
as the source of the traffic. |
Source Device Vendor (src_vendor) | The vendor of the device that Device-ID
identifies as the source of the traffic. |
Source Device OS Family (src_osfamily) | The operating system type for the device
that Device-ID identifies as the source of the traffic. |
Source Device OS Version (src_osversion) | The version of the operating system for
the device that Device-ID identifies as the source of the traffic. |
Source Hostname (src_host) | The hostname of the device that Device-ID
identifies as the source of the traffic. |
Source MAC Address (src_mac) | The MAC address for the device that Device-ID
identifies as the source of the traffic. |
Region (region) | The geographical region where the traffic
originates. |
User Agent (user_agent) | The string from the HTTP request header User-Agent. |
Session ID | A string that uniquely identifies the traffic
session. |
