Authentication Log Fields
Focus
Focus

Authentication Log Fields

Table of Contents
End-of-Life (EoL)

Authentication Log Fields

Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Virtual System, Source IP, User, Normalize User, Object, Authentication Policy, Repeat Count, Authentication ID, Vendor, Log Action, Server Profile, Description, Client Type, Event Type, Factor Number, Sequence Number, Action Flags, Device Group Hierarchy 1, Device Group Hierarchy 2, Device Group Hierarchy 3, Device Group Hierarchy 4, Virtual System Name, Device Name, Virtual System ID, Authentication Protocol, UUID for rule, High Resolution Timestamp, Source Device Category, Source Device Profile, Source Device Model, Source Device Vendor, Source Device OS Family, Source Device OS Version, Source Hostname, Source Mac Address, Region, FUTURE_USE, User Agent, Session ID, Cluster Name
Field Name
Description
Receive Time (receive_time or cef-formatted-receive_time)
Time the log was received at the management plane.
Serial Number (serial)
Serial number of the device that generated the log.
Type (type)
Specifies the type of log; value is AUTHENTICATION.
Threat/Content Type (subtype)
Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn.
Generated Time (time_generated or cef-formatted-time_generated)
Time the log was generated on the dataplane.
Virtual System (vsys)
Virtual System associated with the session.
Source IP (ip)
Original session source IP address.
User (user)
End user being authenticated.
Normalize User (normalize_user)
Normalized version of username being authenticated (such as appending a domain name to the username).
Object (object)
Name of the object associated with the system event.
Authentication Policy (authpolicy)
Policy invoked for authentication before allowing access to a protected resource.
Repeat Count (repeatcnt)
Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds.
Authentication ID (authid)
Unique ID given across primary authentication and additional (multi factor) authentication.
Vendor (vendor)
Vendor providing additional factor authentication.
Log Action (logset)
Log Forwarding Profile that was applied to the session.
Server Profile (serverprofile)
Authentication server used for authentication.
Description (desc)
Additional authentication information.
Client Type (clienttype)
Type of client used to complete authentication (such as authentication portal).
Event Type (event)
Result of the authentication attempt.
Factor Number (factorno)
Indicates the use of primary authentication (1) or additional factors (2, 3).
Sequence Number (seqno)
A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space.
Action Flags (actionflags)
A bit field indicating if the log was forwarded to Panorama.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
API query:
/api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name)
The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name)
The hostname of the firewall on which the session was logged.
Virtual System ID (vsys_id)
A unique identifier for a virtual system on a Palo Alto Networks firewall.
Authentication Protocol (authproto)
Indicates the authentication protocol used by the server. For example, PEAP with GTC.
UUID for rule (rule_uuid)
The UUID that permanently identifies the rule.
High Resolution Timestamp (high_res _timestamp)
Time in milliseconds the log was received at the management plane.
The format for this new field is YYYY-MM-DDThh:ss:sssTZD:
  • YYYY—Four digit year
  • MM—Two-digit month
  • DD—Two-digit day of the month (01 through 31)
  • T—Indicator for the beginning of the timestamp
  • hh—Two-digit hour using 24-hour time (00 through 23)
  • mm—Two-digit minute (00 through 59)
  • ss—Two-digit second (00 through 60)
  • sss—One or more digits for millisecond
  • TZD—Time zone designator (+hh:mm or -hh:mm)
The High Resolution Timestamp is supported for logs received from managed firewalls running PAN-OS 11.0 and later releases. Logs received from managed firewalls running PAN-OS 9.1 and earlier releases display a 1969-12-31T16:00:00:000-8:00 timestamp regardless of when the log was received.
Source Device Category (src_category)
The category for the device that Device-ID identifies as the source of the traffic.
Source Device Profile (src_profile)
The device profile for the device that Device-ID identifies as the source of the traffic.
Source Device Model (src_model)
The model of the device that Device-ID identifies as the source of the traffic.
Source Device Vendor (src_vendor)
The vendor of the device that Device-ID identifies as the source of the traffic.
Source Device OS Family (src_osfamily)
The operating system type for the device that Device-ID identifies as the source of the traffic.
Source Device OS Version (src_osversion)
The version of the operating system for the device that Device-ID identifies as the source of the traffic.
Source Hostname (src_host)
The hostname of the device that Device-ID identifies as the source of the traffic.
Source MAC Address (src_mac)
The MAC address for the device that Device-ID identifies as the source of the traffic.
Region (region)
The geographical region where the traffic originates.
User Agent (user_agent)
The string from the HTTP request header User-Agent.
Session ID (sessionid)
A string that uniquely identifies the traffic session.
Cluster Name (cluster_name)
Name of the CN-Series firewall cluster.