Configuration LEEF Fields

Table of Contents

Configuration LEEF Fields

Example Configuration log in LEEF:

Sep 21 02:01:01 gke-standard-cluster-2-pool-3-f004381a-0gw6 732 <14>1 2021-09-21T02:01:01.316Z stream-logfwd20-d324e775--09201841-lxtx-harness-0cc4 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|general|	|profileToken=Palotoken devTimeFormat=YYYY-MM-DDTHH:MM:SSZ

The following table identifies the Configuration field names that the Log Forwarding app uses when you forward logs using the LEEF log format.

When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token will appear on a parameter called profileToken.

LEEF Name	Query Name	Field Type
AdminUsername	admin_user	Custom
AdminUserDomain	admin_user_info.domain	Custom
AdminUserName	admin_user_info.name	Custom
AdminUserUUID	admin_user_info.uuid	Custom
Client	client.value	Custom
ConfigVersion	config_version.value	Custom
TenantID	customer_id	Custom
DeviceGroup	device_group.value	Custom
DGHierarchyLevel1	dg_hier_level_1	Custom
DGHierarchyLevel2	dg_hier_level_2	Custom
DGHierarchyLevel3	dg_hier_level_3	Custom
DGHierarchyLevel4	dg_hier_level_4	Custom
IPaddress	event_client_ip.value	Custom
EventDescription	event_description	Custom
EventDetails	event_detail	Custom
EventID	event_name.value	Header
EventPath	event_path	Custom
EventID	event_result.value	Header
devTime	event_time	Predefined
IsDuplicateLog	is_dup_log	Custom
LogExported	is_exported	Custom
IsPrismaNetwork	is_prisma_branch	Custom
IsPrismaUsers	is_prisma_mobile	Custom
LogCategory	log_category.value	Custom
LogSource	log_source	Custom
LogSourceGroupID	log_source_group_id	Custom
LogSourceID	log_source_id	Custom
LogSourceName	log_source_name	Custom
LogSourceTimeZoneOffset	log_source_tz_offset	Custom
LogTime	log_time	Custom
cat	log_type.value	Predefined
PanoramaSN	panorama_serial	Custom
PlatformType	platform_type	Custom
SequenceNo	sequence_no	Custom
Severity	severity	Custom
SubType	sub_type.value	Custom
Template	template.value	Custom
TimeGeneratedHighResolution	time_generated_high_res	Custom
Vendor	vendor_name	Header
VendorSeverity	vendor_severity.value	Custom
VirtualLocation	vsys	Custom
VirtualSystemID	vsys_id	Custom
VirtualSystemName	vsys_name	Custom

Configuration HTTPS Fields

System

Strata Logging Service Docs

Configuration LEEF Fields

Strata Logging Service Docs

Configuration LEEF Fields

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner