Authentication Log Fields
Format:FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Virtual System, Source IP, User, Normalize User, Object, Authentication Policy, Repeat Count, Authentication ID, Vendor, Log Action, Server Profile, Description, Client Type, Event Type, Factor Number, Sequence Number, Action Flags, Device Group Hierarchy 1, Device Group Hierarchy 2, Device Group Hierarchy 3, Device Group Hierarchy 4, Virtual System Name, Device Name, Virtual System ID, Authentication Protocol, UUID for rule
Receive Time (receive_time or cef-formatted-receive_time)
Time the log was received at the management plane.
Serial Number (serial)
Serial number of the device that generated the log.
Type of log; values are traffic, threat, config, system and hip-match.
Threat/Content Type (subtype)
Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn.
Generated Time (time_generated or cef-formatted-time_generated)
Time the log was generated on the dataplane.
Virtual System (vsys)
Virtual System associated with the session.
Source IP (ip)
Original session source IP address.
End user being authenticated.
Normalize User (normalize_user)
Normalized version of username being authenticated (such as appending a domain name to the username).
Name of the object associated with the system event.
Authentication Policy (authpolicy)
Policy invoked for authentication before allowing access to a protected resource.
Repeat Count (repeatcnt)
Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds.
Authentication ID (authid)
Unique ID given across primary authentication and additional (multi factor) authentication.
Vendor providing additional factor authentication.
Log Action (logset)
Log Action (logset)
Server Profile (serverprofile)
Authentication server used for authentication.
Additional authentication information.
Client Type (clienttype)
Type of client used to complete authentication (such as authentication portal).
Event Type (event)
Result of the authentication attempt.
Factor Number (factorno)
Indicates the use of primary authentication (1) or additional factors (2, 3).
Sequence Number (seqno)
A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space.
Action Flags (actionflags)
A bit field indicating if the log was forwarded to Panorama.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
CLI command in configure mode:
Virtual System Name (vsys_name)
The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name)
The hostname of the firewall on which the session was logged.
Virtual System ID (vsys_id)
A unique identifier for a virtual system on a Palo Alto Networks firewall.
Authentication Protocol (authproto)
Indicates the authentication protocol used by the server. For example, PEAP with GTC.
UUID for rule (rule_uuid)
The UUID that permanently identifies the rule.