User-ID Log Fields

: FUTURE_USER, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Virtual System, Source IP, User, Data Source Name, Event ID, Repeat Count, Time Out Threshold, Source Port, Destination Port, Data Source, Data Source Type, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Virtual System ID, Factor Type, Factor Completion Time, Factor Number, FUTURE_USE, FUTURE_USE, User Group Flags, User by Source
Field Name
Receive Time (receive_time or cef-formatted-receive_time)
Time the log was received at the management plane.
Serial Number (serial)
Serial number of the firewall that generated the log.
Type (type)
Specifies the type of log; value is USERID.
Threat/Content Type (subtype)
Subtype of User-ID log; values are login, logout, register-tag, and unregister-tag.
  • login—User logged in.
  • logout—User logged out.
  • register-tag—Indicates a tag or tags were registered for the user.
  • unregister-tag—Indicates a tag or tags were unregistered for the user.
Generated Time (time_generated or cef-formatted-time_generated)
The time the log was generated on the dataplane.
Virtual System (vsys)
Virtual System associated with the configuration log.
Source IP (ip)
Original session source IP address.
User (user)
Identifies the end user.
Data Source Name (datasourcename)
User-ID source that sends the IP (Port)-User Mapping.
Event ID (eventid)
String showing the name of the event.
Repeat Count (repeatcnt)
Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds.
Time Out Threshold (timeout)
Timeout after which the IP/User Mappings are cleared.
Source Port (beginport)
Source port utilized by the session.
Destination Port (endport)
Destination port utilized by the session.
Data Source (datasource)
Source from which mapping information is collected.
Data Source Type (datasourcetype)
Mechanism used to identify the IP/User mappings within a data source.
Sequence Number (seqno)
Serial number of the firewall that generated the log.
Action Flags (actionflags)
A bit field indicating if the log was forwarded to Panorama.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
API query:
Virtual System Name (vsys_name)
The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name)
The hostname of the firewall on which the session was logged.
Virtual System ID (vsys_id)
A unique identifier for a virtual system on a Palo Alto Networks firewall.
Factor Type (factortype)
Vendor used to authenticate a user when Multi Factor authentication is present.
Factor Completion Time (factorcompletiontime)
Time the authentication was completed.
Factor Number (factorno)
Indicates the use of primary authentication (1) or additional factors (2, 3).
User Group Flags (ugflags)
Displays whether the user group that was found during user group mapping. Supported values are:
  • User Group Found—Indicates whether the user could be mapped to a group.
  • Duplicate User—Indicates whether duplicate users were found in a user group. Displays
    if no user group is found.
User by Source (userbysource)
Indicates the username received from the source through IP address-to-username mapping.

Recommended For You