Strata Logging Service
File
Represents a file transfer across the network. These log records can represent either a successful transfer, or an attempted transfer that was blocked by the firewall.

See the following for information related to supported log formats:
| FILE Field (Display Name) | Description |
|---|---|
| action.value (ACTION) | Identifies the action that the firewall took for the network traffic.<br>Syslog field name: Syslog Field Order<br>CEF field name: act<br>EMAIL field name: Action<br>HTTPS field name: Action<br>LEEF field name: Action |
| app (APPLICATION) | Application associated with the network traffic.<br>Syslog field name: Syslog Field Order<br>CEF field name: app<br>EMAIL field name: Application<br>HTTPS field name: Application<br>LEEF field name: Application |
| app_category (APPLICATION CATEGORY) | Identifies the high-level family of the application.<br>CEF field name: PanOSApplicationCategory<br>EMAIL field name: ApplicationCategory<br>HTTPS field name: ApplicationCategory<br>LEEF field name: ApplicationCategory |
| app_sub_category (APPLICATION SUBCATEGORY) | Identifies the application's subcategory. The subcategory is related to the application's category, which is identified in app_category.<br>CEF field name: PanOSApplicationSubcategory<br>EMAIL field name: ApplicationSubcategory<br>HTTPS field name: ApplicationSubcategory<br>LEEF field name: ApplicationSubcategory |
| cloud_hostname (CLOUD HOSTNAME) | The hostname in which the VM-series firewall is running.<br>CEF field name: PanOSCloudHostname<br>EMAIL field name: CloudHostname<br>HTTPS field name: CloudHostname<br>LEEF field name: CloudHostname |
| cloud_reportid (CLOUD REPORTID) | Unique 32 character ID for a file scanned by the DLP cloud service sent by a firewall running PAN-OS 10.2.0. The same Cloud Report ID is displayed for a file the DLP cloud service has already scanned and generated a Cloud Report ID for.<br>CEF field name: PanOSCloudReportID<br>EMAIL field name: CloudReportID<br>HTTPS field name: CloudReportID<br>LEEF field name: CloudReportID |
| config_version.value (CONFIG VERSION) | Version number of the firewall operating system that wrote this log record.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSConfigVersion<br>EMAIL field name: ConfigVersion<br>HTTPS field name: ConfigVersion<br>LEEF field name: ConfigVersion |
| container_id (CONTAINER ID) | Unknown field. No information is available at this time.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSContainerID<br>EMAIL field name: ContainerID<br>HTTPS field name: ContainerID<br>LEEF field name: ContainerID |
| container_of_app (APPLICATION CONTAINER) | Identifies the managing application or parent of the application associated with this network traffic.<br>CEF field name: PanOSApplicationContainer<br>EMAIL field name: ApplicationContainer<br>HTTPS field name: ApplicationContainer<br>LEEF field name: ApplicationContainer |
| content_version (CONTENT VERSION) | Applications and Threats version installed on the firewall when the log was generated.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSContentVersion<br>EMAIL field name: ContentVersion<br>HTTPS field name: ContentVersion<br>LEEF field name: ContentVersion |
| count_of_repeats (REPEAT COUNT) | Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.<br>Syslog field name: Syslog Field Order<br>CEF field name: cnt<br>EMAIL field name: RepeatCount<br>HTTPS field name: RepeatCount<br>LEEF field name: RepeatCount |
| customer_id (TENANT ID) | The ID that uniquely identifies the Strata Logging Service instance which received this log record.<br>CEF field name: PanOSCortexDataLakeTenantID<br>EMAIL field name: CortexDataLakeTenantID<br>HTTPS field name: CortexDataLakeTenantID<br>LEEF field name: CortexDataLakeTenantID |
| dest_device_category (DESTINATION DEVICE CATEGORY) | Category of the device to which the session was directed.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDestinationDeviceCategory<br>EMAIL field name: DestinationDeviceCategory<br>HTTPS field name: DestinationDeviceCategory<br>LEEF field name: DestinationDeviceCategory |
| dest_device_class (DESTINATION DEVICE CLASS) | Destination device class.<br>CEF field name: PanOSDestinationDeviceClass<br>EMAIL field name: DestinationDeviceClass<br>HTTPS field name: DestinationDeviceClass<br>LEEF field name: DestinationDeviceClass |
| dest_device_host (DESTINATION DEVICE HOST) | Hostname of the device to which the session was directed.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDestinationDeviceHost<br>EMAIL field name: DestinationDeviceHost<br>HTTPS field name: DestinationDeviceHost<br>LEEF field name: DestinationDeviceHost |
| dest_device_mac (DESTINATION DEVICE MAC) | MAC Address of the device to which the session was directed.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDestinationDeviceMac<br>EMAIL field name: DestinationDeviceMac<br>HTTPS field name: DestinationDeviceMac<br>LEEF field name: DestinationDeviceMac |
| dest_device_model (DESTINATION DEVICE MODEL) | Model of the device to which the session was directed.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDestinationDeviceModel<br>EMAIL field name: DestinationDeviceModel<br>HTTPS field name: DestinationDeviceModel<br>LEEF field name: DestinationDeviceModel |
| dest_device_os (DESTINATION DEVICE OS) | Destination device OS type.<br>CEF field name: PanOSDestinationDeviceOS<br>EMAIL field name: DestinationDeviceOS<br>HTTPS field name: DestinationDeviceOS<br>LEEF field name: DestinationDeviceOS |
| dest_device_osfamily (DESTINATION DEVICE OS FAMILY) | OS family of the device to which the session was directed.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDestinationDeviceOSFamily<br>EMAIL field name: DestinationDeviceOSFamily<br>HTTPS field name: DestinationDeviceOSFamily<br>LEEF field name: DestinationDeviceOSFamily |
| dest_device_osversion (DESTINATION DEVICE OS VERSION) | OS version of the device to which the session was directed.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDestinationDeviceOSVersion<br>EMAIL field name: DestinationDeviceOSVersion<br>HTTPS field name: DestinationDeviceOSVersion<br>LEEF field name: DestinationDeviceOSVersion |
| dest_device_profile (DESTINATION DEVICE PROFILE) | Profile of the device to which the session was directed.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDestinationDeviceProfile<br>EMAIL field name: DestinationDeviceProfile<br>HTTPS field name: DestinationDeviceProfile<br>LEEF field name: DestinationDeviceProfile |
| dest_device_vendor (DESTINATION DEVICE VENDOR) | Vendor of the device to which the session was directed.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDestinationDeviceVendor<br>EMAIL field name: DestinationDeviceVendor<br>HTTPS field name: DestinationDeviceVendor<br>LEEF field name: DestinationDeviceVendor |
| dest_dynamic_address_group (DESTINATION DYNAMIC ADDRESS GROUP) | The dynamic address group that Device-ID identifies as the destination for the traffic.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDestinationDynamicAddressGroup<br>EMAIL field name: DestinationDynamicAddressGroup<br>HTTPS field name: DestinationDynamicAddressGroup<br>LEEF field name: DestinationDynamicAddressGroup |
| dest_edl (DESTINATION EDL) | The name of the external dynamic list that contains the destination IP address of the traffic.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDestinationEDL<br>EMAIL field name: DestinationEDL<br>HTTPS field name: DestinationEDL<br>LEEF field name: DestinationEDL |
| dest_ip.value (DESTINATION ADDRESS) | Original destination IP address.<br>Syslog field name: Syslog Field Order<br>EMAIL field name: DestinationAddress<br>HTTPS field name: DestinationAddress<br>LEEF field name: dst |
| dest_location (DESTINATION LOCATION) | Destination country or internal region for private addresses.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDestinationLocation<br>EMAIL field name: DestinationLocation<br>HTTPS field name: DestinationLocation<br>LEEF field name: DestinationLocation |
| dest_port (DESTINATION PORT) | Network traffic's destination port. If this value is 0, then the app is using its standard port.<br>Syslog field name: Syslog Field Order<br>CEF field name: dpt<br>EMAIL field name: DestinationPort<br>HTTPS field name: DestinationPort<br>LEEF field name: dstPort |
| dest_user (DESTINATION USER) | The username to which the network traffic was destined.<br>Syslog field name: Syslog Field Order<br>CEF field name: duser<br>EMAIL field name: DestinationUser<br>HTTPS field name: DestinationUser<br>LEEF field name: DestinationUser |
| dest_user_info.domain (DESTINATION USER DOMAIN) | Domain to which the Destination User belongs.<br>CEF field name: dntdom<br>EMAIL field name: DestinationUserDomain<br>HTTPS field name: DestinationUserDomain<br>LEEF field name: DestinationUserDomain |
| dest_user_info.name (DESTINATION USER NAME) | The Destination User. That is, the username to which the network traffic was destined.<br>CEF field name: duser<br>EMAIL field name: DestinationUserName<br>HTTPS field name: DestinationUserName<br>LEEF field name: DestinationUserName |
| dest_user_info.uuid (DESTINATION USER UUID) | Unique identifier assigned to the Destination User.<br>CEF field name: duid<br>EMAIL field name: DestinationUserUUID<br>HTTPS field name: DestinationUserUUID<br>LEEF field name: DestinationUserUUID |
| dest_uuid (DESTINATION UUID) | Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDestinationUUID<br>EMAIL field name: DestinationUUID<br>HTTPS field name: DestinationUUID<br>LEEF field name: DestinationUUID |
| dg_hier_level_1 (DG HIERARCHY LEVEL 1) | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDGHierarchyLevel1<br>EMAIL field name: DGHierarchyLevel1<br>HTTPS field name: DGHierarchyLevel1<br>LEEF field name: DGHierarchyLevel1 |
| dg_hier_level_2 (DG HIERARCHY LEVEL 2) | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDGHierarchyLevel2<br>EMAIL field name: DGHierarchyLevel2<br>HTTPS field name: DGHierarchyLevel2<br>LEEF field name: DGHierarchyLevel2 |
| dg_hier_level_3 (DG HIERARCHY LEVEL 3) | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDGHierarchyLevel3<br>EMAIL field name: DGHierarchyLevel3<br>HTTPS field name: DGHierarchyLevel3<br>LEEF field name: DGHierarchyLevel3 |
| dg_hier_level_4 (DG HIERARCHY LEVEL 4) | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDGHierarchyLevel4<br>EMAIL field name: DGHierarchyLevel4<br>HTTPS field name: DGHierarchyLevel4<br>LEEF field name: DGHierarchyLevel4 |
| direction_of_attack.value (DIRECTION OF ATTACK) | Indicates the direction of the attack.<br>Syslog field name: Syslog Field Order<br>CEF field name: flexString2<br>EMAIL field name: DirectionOfAttack<br>HTTPS field name: DirectionOfAttack<br>LEEF field name: DirectionOfAttack |
| dlp_version_flag (DLP VERSION FLAG) | Indicates whether these are old or new data filtering logs.<br>CEF field name: PanOSDLPVersionFlag<br>EMAIL field name: DLPVersionFlag<br>HTTPS field name: DLPVersionFlag<br>LEEF field name: DLPVersionFlag |
| domain_edl (DOMAIN EDL) | Domain External Dynamic List. That is, the name of the external dynamic list that contains the destination domain of the traffic.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDomainEDL<br>EMAIL field name: DomainEDL<br>HTTPS field name: DomainEDL<br>LEEF field name: DomainEDL |
| dynusergroup_name (DYNAMIC USER GROUP) | Dynamic user group of the user who initiated the network connection.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDynamicUserGroup<br>EMAIL field name: DynamicUserGroup<br>HTTPS field name: DynamicUserGroup<br>LEEF field name: DynamicUserGroup |
| endpoint_serial_number (ENDPOINT SERIAL NUMBER) | Serial number of the host on which GlobalProtect is installed.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSEndpointSerialNumber<br>EMAIL field name: EndpointSerialNumber<br>HTTPS field name: EndpointSerialNumber<br>LEEF field name: EndpointSerialNumber |
| file_name (FILE NAME) | The name of the file that is blocked.<br>Syslog field name: Syslog Field Order<br>CEF field name: filePath<br>EMAIL field name: FileName<br>HTTPS field name: FileName<br>LEEF field name: FileName |
| file_sha_256 (FILE HASH) | The binary hash (SHA256) of the file.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSFileHash<br>EMAIL field name: FileHash<br>HTTPS field name: FileHash<br>LEEF field name: FileHash |
| file_type (FILE TYPE) | Palo Alto Networks textual identifier for the threat.<br>CEF field name: PanOSFileType<br>EMAIL field name: FileType<br>HTTPS field name: FileType<br>LEEF field name: EventID |
| file_url (FILE URL) | File URL.<br>CEF field name: PanOSFileURL<br>EMAIL field name: FileURL<br>HTTPS field name: FileURL<br>LEEF field name: FileURL |
| from_zone (FROM ZONE) | The networking zone from which the traffic originated.<br>Syslog field name: Syslog Field Order<br>CEF field name: cs4<br>EMAIL field name: FromZone<br>HTTPS field name: FromZone<br>LEEF field name: FromZone |
| gp_host_id (HOST ID) | A unique ID that GlobalProtect assigns to identify the host.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSHostID<br>EMAIL field name: HostID<br>HTTPS field name: HostID<br>LEEF field name: HostID |
| http2_connection (HTTP2 CONNECTION) | Parent session ID for an HTTP/2 connection. If the traffic is not using HTTP/2, this field is set to 0.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSHTTP2Connection<br>EMAIL field name: HTTP2Connection<br>HTTPS field name: HTTP2Connection<br>LEEF field name: HTTP2Connection |
| inbound_if.value (INBOUND INTERFACE) | Interface from which the network traffic was sourced.<br>Syslog field name: Syslog Field Order<br>CEF field name: deviceInboundInterface<br>EMAIL field name: InboundInterface<br>HTTPS field name: InboundInterface<br>LEEF field name: InboundInterface |
| inbound_if_details.port (INBOUND INTERFACE DETAILS PORT) | Hardware port or socket from which the network traffic was sourced.<br>CEF field name: PanOSInboundInterfaceDetailsPort<br>EMAIL field name: InboundInterfaceDetailsPort<br>HTTPS field name: InboundInterfaceDetailsPort<br>LEEF field name: InboundInterfaceDetailsPort |
| inbound_if_details.slot (INBOUND INTERFACE DETAILS SLOT) | Interface slot from which the network traffic was sourced.<br>CEF field name: PanOSInboundInterfaceDetailsSlot<br>EMAIL field name: InboundInterfaceDetailsSlot<br>HTTPS field name: InboundInterfaceDetailsSlot<br>LEEF field name: InboundInterfaceDetailsSlot |
| inbound_if_details.type.value (INBOUND INTERFACE DETAILS TYPE) | The type of interface from which the network traffic was sourced.<br>CEF field name: PanOSInboundInterfaceDetailsType<br>EMAIL field name: InboundInterfaceDetailsType<br>HTTPS field name: InboundInterfaceDetailsType<br>LEEF field name: InboundInterfaceDetailsType |
| inbound_if_details.unit (INBOUND INTERFACE DETAILS UNIT) | Internal use.<br>CEF field name: PanOSInboundInterfaceDetailsUnit<br>EMAIL field name: InboundInterfaceDetailsUnit<br>HTTPS field name: InboundInterfaceDetailsUnit<br>LEEF field name: InboundInterfaceDetailsUnit |
| is_captive_portal (CAPTIVE PORTAL) | Indicates if user information for the session was captured through Captive Portal.<br>CEF field name: PanOSCaptivePortal<br>EMAIL field name: CaptivePortal<br>HTTPS field name: CaptivePortal<br>LEEF field name: CaptivePortal |
| is_client_to_server (IS CLIENT TO SERVER) | Indicates if direction of traffic is from client to server.<br>CEF field name: PanOSIsClienttoServer<br>EMAIL field name: IsClienttoServer<br>HTTPS field name: IsClienttoServer<br>LEEF field name: IsClienttoServer |
| is_container (IS CONTAINER) | Indicates if the session is a container page access (Container Page).<br>CEF field name: PanOSIsContainer<br>EMAIL field name: IsContainer<br>HTTPS field name: IsContainer<br>LEEF field name: IsContainer |
| is_decrypt_mirror (IS DECRYPT MIRROR) | Indicates whether decrypted traffic was sent out in clear text through a mirror port.<br>CEF field name: PanOSIsDecryptMirror<br>EMAIL field name: IsDecryptMirror<br>HTTPS field name: IsDecryptMirror<br>LEEF field name: IsDecryptMirror |
| is_decrypted (IS DECRYPTED) | Flag that indicates that the session is decrypted.<br>CEF field name: PanOSIsDecrypted<br>EMAIL field name: IsDecrypted<br>HTTPS field name: IsDecrypted<br>LEEF field name: IsDecrypted |
| is_dup_log (IS DUPLICATE LOG) | Indicates whether this log data is available in multiple locations, such as from Strata Logging Service as well as from an on-premise log collector.<br>CEF field name: PanOSIsDuplicateLog<br>EMAIL field name: IsDuplicateLog<br>HTTPS field name: IsDuplicateLog<br>LEEF field name: IsDuplicateLog |
| 
                             is_encrypted 
                            
                                (IS ENCRYPTED)
                             
                         | 
         
            Flag that indicates that the session is encrypted.
         
    CEF field name: PanOSIsEncrypted 
EMAIL field name: IsEncrypted 
HTTPS field name: IsEncrypted 
LEEF field name: IsEncrypted 
                         | 
| 
                             is_exported 
                            
                                (LOG EXPORTED)
                             
                         | 
         
            Indicates if this log was exported from the firewall using the firewall's log export function.
         
    CEF field name: PanOSLogExported 
EMAIL field name: LogExported 
HTTPS field name: LogExported 
LEEF field name: LogExported 
                         | 
| 
                             is_forwarded 
                            
                                (LOG FORWARDED)
                             
                         | 
         
            Internal-use field that indicates if the log is being forwarded.
         
    CEF field name: PanOSLogForwarded 
EMAIL field name: LogForwarded 
HTTPS field name: LogForwarded 
LEEF field name: LogForwarded 
                         | 
| 
                             is_ipv6 
                            
                                (IS IPV6)
                             
                         | 
         
            Indicates whether IPV6 was used for the session.
         
    CEF field name: PanOSIsIPV6 
EMAIL field name: IsIPV6 
HTTPS field name: IsIPV6 
LEEF field name: IsIPV6 
                         | 
| 
                             is_mptcp_on 
                            
                                (IS MPTCP ON)
                             
                         | 
         
            Indicates whether the option is enabled on the next-generation firewall that allows a client to use multiple paths to connect to a destination host.
         
    CEF field name: PanOSIsMptcpOn 
EMAIL field name: IsMptcpOn 
HTTPS field name: IsMptcpOn 
LEEF field name: IsMptcpOn 
                         | 
| 
                             is_non_std_dest_port 
                            
                                (IS NON STANDARD DESTINATION PORT)
                             
                         | 
         
            Indicates if the destination port is non-standard.
         
    CEF field name: PanOSIsNonStandardDestinationPort 
EMAIL field name: IsNonStandardDestinationPort 
HTTPS field name: IsNonStandardDestinationPort 
LEEF field name: IsNonStandardDestinationPort 
                         | 
| 
                             is_packet_capture 
                            
                                (IS PACKET CAPTURE)
                             
                         | 
         
            Indicates whether the session has a packet capture (PCAP).
         
    CEF field name: PanOSIsPacketCapture 
EMAIL field name: IsPacketCapture 
HTTPS field name: IsPacketCapture 
LEEF field name: IsPacketCapture 
                         | 
| 
                             is_phishing 
                            
                                (IS PHISHING)
                             
                         | 
         
            Indicates whether enterprise credentials were submitted by an end user.
         
    CEF field name: PanOSIsPhishing 
EMAIL field name: IsPhishing 
HTTPS field name: IsPhishing 
LEEF field name: IsPhishing 
                         | 
| 
                             is_prisma_branch 
                            
                                (IS PRISMA NETWORK)
                             
                         | 
         
            Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premises.
         
    CEF field name: PanOSIsPrismaNetwork 
EMAIL field name: IsPrismaNetwork 
HTTPS field name: IsPrismaNetwork 
LEEF field name: IsPrismaNetwork 
                         | 
| 
                             is_prisma_mobile 
                            
                                (IS PRISMA USERS)
                             
                         | 
         
            Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premises.
         
    CEF field name: PanOSIsPrismaUsers 
EMAIL field name: IsPrismaUsers 
HTTPS field name: IsPrismaUsers 
LEEF field name: IsPrismaUsers 
                         | 
| 
                             is_proxy 
                            
                                (IS PROXY)
                             
                         | 
         
            Indicates whether the SSL session is decrypted (SSL Proxy).
         
    CEF field name: PanOSIsProxy 
EMAIL field name: IsProxy 
HTTPS field name: IsProxy 
LEEF field name: IsProxy 
                         | 
| 
                             is_recon_excluded 
                            
                                (IS RECON EXCLUDED)
                             
                         | 
         
            Indicates whether the source for the flow is on the firewall allow list and not subject to recon protection.
         
    CEF field name: PanOSIsReconExcluded 
EMAIL field name: IsReconExcluded 
HTTPS field name: IsReconExcluded 
LEEF field name: IsReconExcluded 
                         | 
| 
                             is_saas_app 
                            
                                (IS SAAS APPLICATION)
                             
                         | 
         
            Internal-use field. Indicates whether the application associated with this network traffic is a SaaS application.
         
    CEF field name: PanOSIsSaaSApplication 
EMAIL field name: IsSaaSApplication 
HTTPS field name: IsSaaSApplication 
LEEF field name: IsSaaSApplication 
                         | 
| 
                             is_server_to_client 
                            
                                (IS SERVER TO CLIENT)
                             
                         | 
         
            Indicates if the direction of traffic is from server to client.
         
    CEF field name: PanOSIsServertoClient 
EMAIL field name: IsServertoClient 
HTTPS field name: IsServertoClient 
LEEF field name: IsServertoClient 
                         | 
| 
                             is_source_x_fwded 
                            
                                (IS SOURCE X FORWARDED)
                             
                         | 
         
            Indicates whether the X-Forwarded-For value from a proxy is in the source user field.
         
    CEF field name: PanOSIsSourceXForwarded 
EMAIL field name: IsSourceXForwarded 
HTTPS field name: IsSourceXForwarded 
LEEF field name: IsSourceXForwarded 
                         | 
| 
                             is_sym_return 
                            
                                (IS SYSTEM RETURN)
                             
                         | 
         
            Indicates whether symmetric return was used to forward traffic for this session.
         
    CEF field name: PanOSIsSystemReturn 
EMAIL field name: IsSystemReturn 
HTTPS field name: IsSystemReturn 
LEEF field name: IsSystemReturn 
                         | 
| 
                             is_transaction 
                            
                                (IS TRANSACTION)
                             
                         | 
         
            Indicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction).
         
    CEF field name: PanOSIsTransaction 
EMAIL field name: IsTransaction 
HTTPS field name: IsTransaction 
LEEF field name: IsTransaction 
                         | 
| 
                             is_tunnel_inspected 
                            
                                (IS TUNNEL INSPECTED)
                             
                         | 
         
            Indicates whether the payload for the outer tunnel was inspected.
         
    CEF field name: PanOSIsTunnelInspected 
EMAIL field name: IsTunnelInspected 
HTTPS field name: IsTunnelInspected 
LEEF field name: IsTunnelInspected 
                         | 
| 
                             is_url_denied 
                            
                                (IS URL DENIED)
                             
                         | 
         
            Indicates whether the session was denied due to a URL filtering rule.
         
    CEF field name: PanOSIsURLDenied 
EMAIL field name: IsURLDenied 
HTTPS field name: IsURLDenied 
LEEF field name: IsURLDenied 
                         | 
| 
                             justification 
                            
                                (JUSTIFICATION)
                             
                         | 
         
            Justification string.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSJustification 
EMAIL field name: Justification 
HTTPS field name: Justification 
LEEF field name: Justification 
                         | 
| 
                             location 
                            
                                (PRISMA ACCESS LOCATION)
                             
                         | 
                             
                                Prisma Access Region/Location.
                             
        CEF field name: PanOSLocation 
EMAIL field name: Location 
HTTPS field name: Location 
LEEF field name: Location 
                         | 
| 
                             log_set 
                            
                                (LOG SETTING)
                             
                         | 
         
            Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator.
         
    Syslog field name: Syslog Field Order 
CEF field name: cs6 
EMAIL field name: LogSetting 
HTTPS field name: LogSetting 
LEEF field name: LogSetting 
                         | 
| 
                             log_source 
                            
                                (LOG SOURCE)
                             
                         | 
         
            Identifies the origin of the data - the system that produced the data.
         
    CEF field name: PanOSLogSource 
EMAIL field name: LogSource 
HTTPS field name: LogSource 
LEEF field name: LogSource 
                         | 
| 
                             log_source_group_id 
                            
                                (LOG SOURCE GROUP ID)
                             
                         | 
                             
                                ID that uniquely identifies the logSourceGroupId of the log. That is, the log_source_id of the group.
                             
        CEF field name: LogSourceGroupID 
EMAIL field name: LogSourceGroupID 
HTTPS field name: LogSourceGroupID 
LEEF field name: LogSourceGroupID 
                         | 
| 
                             log_source_id 
                            
                                (DEVICE SN)
                             
                         | 
         
            ID that uniquely identifies the source of the log - serial number of the firewall that generated the log.
         
        If the log is generated by Prisma Access, the serial number is not displayed. 
    Syslog field name: Syslog Field Order 
CEF field name: deviceExternalId 
EMAIL field name: DeviceSN 
HTTPS field name: DeviceSN 
LEEF field name: DeviceSN 
                         | 
| 
                             log_source_name 
                            
                                (DEVICE NAME)
                             
                         | 
         
            Name of the source of the log - hostname of the firewall that logged the network traffic.
         
    Syslog field name: Syslog Field Order 
CEF field name: dvchost 
EMAIL field name: DeviceName 
HTTPS field name: DeviceName 
LEEF field name: DeviceName 
                         | 
| 
                             log_source_tz_offset 
                            
                                (LOG SOURCE TIMEZONE OFFSET)
                             
                         | 
         
            Time zone offset from GMT of the source of the log.
         
    CEF field name: PanOSLogSourceTimeZoneOffset 
EMAIL field name: LogSourceTimeZoneOffset 
HTTPS field name: LogSourceTimeZoneOffset 
LEEF field name: LogSourceTimeZoneOffset 
                         | 
| 
                             log_time 
                            
                                (TIME RECEIVED)
                             
                         | 
          Time the log was received in Strata Logging Service. This string contains a
            timestamp value that is the number of microseconds since the Unix epoch.  
    Syslog field name: Syslog Field Order 
CEF field name: rt 
EMAIL field name: TimeReceived 
HTTPS field name: TimeReceived 
LEEF field name: TimeReceived 
                         | 
| 
                             log_type.value 
                            
                                (LOG TYPE)
                             
                         | 
         
            Identifies the log type.
         
    Syslog field name: Syslog Field Order 
CEF field name: Device Event Class ID 
EMAIL field name: LogType 
HTTPS field name: LogType 
LEEF field name: cat 
                         | 
| 
                             monitor_tag_imei 
                            
                                (IMEI)
                             
                         | 
         
            A string used to group similar traffic together for logging and reporting. This value is globally defined on the firewall by the administrator.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSIMEI 
EMAIL field name: IMEI 
HTTPS field name: IMEI 
LEEF field name: IMEI 
                         | 
| 
                             nat_dest.value 
                            
                                (NAT DESTINATION)
                             
                         | 
         
            If destination NAT was performed, the post-NAT destination IP address.
         
    Syslog field name: Syslog Field Order 
CEF field name: destinationTranslatedAddress 
EMAIL field name: NATDestination 
HTTPS field name: NATDestination 
LEEF field name: dstPostNAT 
                         | 
| 
                             nat_dest_port 
                            
                                (NAT DESTINATION PORT)
                             
                         | 
         
            Post-NAT destination port.
         
    Syslog field name: Syslog Field Order 
CEF field name: destinationTranslatedPort 
EMAIL field name: NATDestinationPort 
HTTPS field name: NATDestinationPort 
LEEF field name: dstPostNATPort 
                         | 
| 
                             nat_source.value 
                            
                                (NAT SOURCE)
                             
                         | 
         
            If source NAT was performed, the post-NAT source IP address.
         
    Syslog field name: Syslog Field Order 
CEF field name: sourceTranslatedAddress 
EMAIL field name: NATSource 
HTTPS field name: NATSource 
LEEF field name: srcPostNAT 
                         | 
| 
                             nat_source_port 
                            
                                (NAT SOURCE PORT)
                             
                         | 
         
            Post-NAT source port.
         
    Syslog field name: Syslog Field Order 
CEF field name: sourceTranslatedPort 
EMAIL field name: NATSourcePort 
HTTPS field name: NATSourcePort 
LEEF field name: srcPostNATPort 
                         | 
| 
                             non_standard_dest_port 
                            
                                (NON STANDARD DESTINATION PORT)
                             
                         | 
         
            Identifies the non-standard or unexpected port used by the application associated with this session.
         
    CEF field name: PanOSNonStandardDestinationPort 
EMAIL field name: NonStandardDestinationPort 
HTTPS field name: NonStandardDestinationPort 
LEEF field name: NonStandardDestinationPort 
                         | 
| 
                             nssai_network_slice_type.value 
                            
                                (NSSAI NETWORK SLICE TYPE)
                             
                         | 
         
            Network Slice Type (SST part of SNSSAI).
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSNSSAINetworkSliceType 
EMAIL field name: NSSAINetworkSliceType 
HTTPS field name: NSSAINetworkSliceType 
LEEF field name: NSSAINetworkSliceType 
                         | 
| 
                             outbound_if.value 
                            
                                (OUTBOUND INTERFACE)
                             
                         | 
         
            Interface to which the network traffic was destined.
         
    Syslog field name: Syslog Field Order 
CEF field name: deviceOutboundInterface 
EMAIL field name: OutboundInterface 
HTTPS field name: OutboundInterface 
LEEF field name: OutboundInterface 
                         | 
| 
                             outbound_if_details.port 
                            
                                (OUTBOUND INTERFACE DETAILS PORT)
                             
                         | 
         
            Hardware port or socket to which the network traffic was sent.
         
    CEF field name: PanOSOutboundInterfaceDetailsPort 
EMAIL field name: OutboundInterfaceDetailsPort 
HTTPS field name: OutboundInterfaceDetailsPort 
LEEF field name: OutboundInterfaceDetailsPort 
                         | 
| 
                             outbound_if_details.slot 
                            
                                (OUTBOUND INTERFACE DETAILS SLOT)
                             
                         | 
         
            Interface slot to which the network traffic was sent.
         
    CEF field name: PanOSOutboundInterfaceDetailsSlot 
EMAIL field name: OutboundInterfaceDetailsSlot 
HTTPS field name: OutboundInterfaceDetailsSlot 
LEEF field name: OutboundInterfaceDetailsSlot 
                         | 
| 
                             outbound_if_details.type.value 
                            
                                (OUTBOUND INTERFACE DETAILS TYPE)
                             
                         | 
         
            The type of interface to which the network traffic was sent.
         
    CEF field name: PanOSOutboundInterfaceDetailsType 
EMAIL field name: OutboundInterfaceDetailsType 
HTTPS field name: OutboundInterfaceDetailsType 
LEEF field name: OutboundInterfaceDetailsType 
                         | 
| 
                             outbound_if_details.unit 
                            
                                (OUTBOUND INTERFACE DETAILS UNIT)
                             
                         | 
         
            Internal use.
         
    CEF field name: PanOSOutboundInterfaceDetailsUnit 
EMAIL field name: OutboundInterfaceDetailsUnit 
HTTPS field name: OutboundInterfaceDetailsUnit 
LEEF field name: OutboundInterfaceDetailsUnit 
                         | 
| 
                             panorama_serial 
                            
                                (PANORAMA SN)
                             
                         | 
                             
                                Panorama Serial associated with CDL.
                             
        CEF field name: PanOSPanoramaSN 
EMAIL field name: PanoramaSN 
HTTPS field name: PanoramaSN 
LEEF field name: PanoramaSN 
                         | 
| 
                             parent_session_id 
                            
                                (PARENT SESSION ID)
                             
                         | 
         
            ID of the session in which this network traffic was tunneled.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSParentSessionID 
EMAIL field name: ParentSessionID 
HTTPS field name: ParentSessionID 
LEEF field name: ParentSessionID 
                         | 
| 
                             parent_start_time 
                            
                                (PARENT START TIME)
                             
                         | 
         
            Time that the parent session began. This string contains a timestamp value that is the
            number of microseconds since the Unix epoch.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSParentStartTime 
EMAIL field name: ParentStartTime 
HTTPS field name: ParentStartTime 
LEEF field name: ParentStartTime 
                         | 
| 
                             partial_hash 
                            
                                (PARTIAL HASH)
                             
                         | 
         
            Machine learning partial hash.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSPartialHash 
EMAIL field name: PartialHash 
HTTPS field name: PartialHash 
LEEF field name: PartialHash 
                         | 
| 
                             pcap 
                            
                                (PACKET)
                             
                         | 
         
            Packet that triggered the firewall to generate this threat log record.
         
    CEF field name: PanOSPacket 
EMAIL field name: Packet 
HTTPS field name: Packet 
LEEF field name: Packet 
                         | 
| 
                             pcap_id 
                            
                                (PACKET ID)
                             
                         | 
         
            Packet capture ID. Used to correlate threat pcap files with extended pcaps taken as a part of the session flow.
         
    Syslog field name: Syslog Field Order 
CEF field name: fileId 
EMAIL field name: PacketID 
HTTPS field name: PacketID 
LEEF field name: PacketID 
                         | 
| 
                             platform_type 
                            
                                (PLATFORM TYPE)
                             
                         | 
                             
                                The platform type (valid types are VM, PA, NGFW, CNGFW).
                             
        CEF field name: PlatformType 
EMAIL field name: PlatformType 
HTTPS field name: PlatformType 
LEEF field name: PlatformType 
                         | 
| 
                             pod_name 
                            
                                (CONTAINER NAME)
                             
                         | 
         
            Container name.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSContainerName 
EMAIL field name: ContainerName 
HTTPS field name: ContainerName 
LEEF field name: ContainerName 
                         | 
| 
                             pod_namespace 
                            
                                (CONTAINER NAME SPACE)
                             
                         | 
         
            Container namespace.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSContainerNameSpace 
EMAIL field name: ContainerNameSpace 
HTTPS field name: ContainerNameSpace 
LEEF field name: ContainerNameSpace 
                         | 
| 
                             profile_name 
                            
                                (PROFILE NAME)
                             
                         | 
         
            Data filtering profile name.
         
    CEF field name: PanOSProfileName 
EMAIL field name: ProfileName 
HTTPS field name: ProfileName 
LEEF field name: ProfileName 
                         | 
| 
                             protocol.value 
                            
                                (PROTOCOL)
                             
                         | 
         
            IP protocol associated with the session.
         
    Syslog field name: Syslog Field Order 
CEF field name: proto 
EMAIL field name: Protocol 
HTTPS field name: Protocol 
LEEF field name: proto 
                         | 
| 
                             reason_data_filtering 
                            
                                (REASON FOR DATA FILTERING ACTION)
                             
                         | 
         
            Reason for data filtering action.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSReasonForDataFilteringAction 
EMAIL field name: ReasonForDataFilteringAction 
HTTPS field name: ReasonForDataFilteringAction 
LEEF field name: ReasonForDataFilteringAction 
                         | 
| 
                             report_id 
                            
                                (REPORT ID)
                             
                         | 
         
            Identifies the analysis requested from the sandbox (cloud or appliance).
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSReportID 
EMAIL field name: ReportID 
HTTPS field name: ReportID 
LEEF field name: ReportID 
                         | 
| 
                             risk_of_app 
                            
                                (APPLICATION RISK)
                             
                         | 
         
            Indicates how risky the application is from a network security perspective.
         
    CEF field name: PanOSApplicationRisk 
EMAIL field name: ApplicationRisk 
HTTPS field name: ApplicationRisk 
LEEF field name: ApplicationRisk 
                         | 
| 
                             rule_matched 
                            
                                (RULE)
                             
                         | 
         
            Name of the security policy rule that the network traffic matched.
         
    Syslog field name: Syslog Field Order 
CEF field name: cs1 
EMAIL field name: Rule 
HTTPS field name: Rule 
LEEF field name: Rule 
                         | 
| 
                             rule_matched_uuid 
                            
                                (RULE UUID)
                             
                         | 
         
            Unique identifier for the security policy rule that the network traffic matched.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSRuleUUID 
EMAIL field name: RuleUUID 
HTTPS field name: RuleUUID 
LEEF field name: RuleUUID 
                         | 
| 
                             sanctioned_state_of_app 
                            
                                (SANCTIONED STATE OF APP)
                             
                         | 
         
            Indicates whether the application has been flagged as sanctioned by the firewall administrator.
         
    CEF field name: PanOSSanctionedStateOfApp 
EMAIL field name: SanctionedStateOfApp 
HTTPS field name: SanctionedStateOfApp 
LEEF field name: SanctionedStateOfApp 
                         | 
| 
                             sequence_no 
                            
                                (SEQUENCE NO)
                             
                         | 
         
            The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
         
    Syslog field name: Syslog Field Order 
CEF field name: externalId 
EMAIL field name: SequenceNo 
HTTPS field name: SequenceNo 
LEEF field name: SequenceNo 
                         | 
| 
                             session_id 
                            
                                (SESSION ID)
                             
                         | 
         
            Identifies the firewall's internal identifier for a specific network session.
         
    Syslog field name: Syslog Field Order 
CEF field name: cn1 
EMAIL field name: SessionID 
HTTPS field name: SessionID 
LEEF field name: SessionID 
                         | 
| 
                             severity 
                            
                                (SEVERITY)
                             
                         | 
         
            Severity as defined by the platform.
         
    CEF field name: PanOSSeverity 
EMAIL field name: Severity 
HTTPS field name: Severity 
LEEF field name: Severity 
                         | 
| 
                             sig_flags 
                            
                                (SIG FLAGS)
                             
                         | 
         
            Internal use only.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSSigFlags 
EMAIL field name: SigFlags 
HTTPS field name: SigFlags 
LEEF field name: SigFlags 
                         | 
| 
                             source_device_category 
                            
                                (SOURCE DEVICE CATEGORY)
                             
                         | 
         
            Category of the device from which the session originated.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSSourceDeviceCategory 
EMAIL field name: SourceDeviceCategory 
HTTPS field name: SourceDeviceCategory 
LEEF field name: SourceDeviceCategory 
                         | 
| 
                             source_device_class 
                            
                                (SOURCE DEVICE CLASS)
                             
                         | 
         
            Source device class.
         
    CEF field name: PanOSSourceDeviceClass 
EMAIL field name: SourceDeviceClass 
HTTPS field name: SourceDeviceClass 
LEEF field name: SourceDeviceClass 
                         | 
| 
                             source_device_host 
                            
                                (SOURCE DEVICE HOST)
                             
                         | 
         
            Hostname of the device from which the session originated.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSSourceDeviceHost 
EMAIL field name: SourceDeviceHost 
HTTPS field name: SourceDeviceHost 
LEEF field name: SourceDeviceHost 
                         | 
| 
                             source_device_mac 
                            
                                (SOURCE DEVICE MAC)
                             
                         | 
         
            MAC address of the device from which the session originated.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSSourceDeviceMac 
EMAIL field name: SourceDeviceMac 
HTTPS field name: SourceDeviceMac 
LEEF field name: SourceDeviceMac 
                         | 
| 
                             source_device_model 
                            
                                (SOURCE DEVICE MODEL)
                             
                         | 
         
            Model of the device from which the session originated.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSSourceDeviceModel 
EMAIL field name: SourceDeviceModel 
HTTPS field name: SourceDeviceModel 
LEEF field name: SourceDeviceModel 
                         | 
| 
                             source_device_os 
                            
                                (SOURCE DEVICE OS)
                             
                         | 
         
            Source device OS type.
         
    CEF field name: PanOSSourceDeviceOS 
EMAIL field name: SourceDeviceOS 
HTTPS field name: SourceDeviceOS 
LEEF field name: SourceDeviceOS 
                         | 
| 
                             source_device_osfamily 
                            
                                (SOURCE DEVICE OS FAMILY)
                             
                         | 
         
            OS family of the device from which the session originated.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSSourceDeviceOSFamily 
EMAIL field name: SourceDeviceOSFamily 
HTTPS field name: SourceDeviceOSFamily 
LEEF field name: SourceDeviceOSFamily 
                         | 
| 
                             source_device_osversion 
                            
                                (SOURCE DEVICE OS VERSION)
                             
                         | 
         
            OS version of the device from which the session originated.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSSourceDeviceOSVersion 
EMAIL field name: SourceDeviceOSVersion 
HTTPS field name: SourceDeviceOSVersion 
LEEF field name: SourceDeviceOSVersion 
                         | 
| 
                             source_device_profile 
                            
                                (SOURCE DEVICE PROFILE)
                             
                         | 
         
            Profile of the device from which the session originated.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSSourceDeviceProfile 
EMAIL field name: SourceDeviceProfile 
HTTPS field name: SourceDeviceProfile 
LEEF field name: SourceDeviceProfile 
                         | 
| 
                             source_device_vendor 
                            
                                (SOURCE DEVICE VENDOR)
                             
                         | 
         
            Vendor of the device from which the session originated.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSSourceDeviceVendor 
EMAIL field name: SourceDeviceVendor 
HTTPS field name: SourceDeviceVendor 
LEEF field name: SourceDeviceVendor 
                         | 
| 
                             source_dynamic_address_group 
                            
                                (SOURCE DYNAMIC ADDRESS GROUP)
                             
                         | 
         
            The dynamic address group that Device-ID identifies as the source of the traffic.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSSourceDynamicAddressGroup 
EMAIL field name: SourceDynamicAddressGroup 
HTTPS field name: SourceDynamicAddressGroup 
LEEF field name: SourceDynamicAddressGroup 
                         | 
| 
                             source_edl 
                            
                                (SOURCE EDL)
                             
                         | 
         
            The name of the external dynamic list that contains the source IP address of the traffic.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSSourceEDL 
EMAIL field name: SourceEDL 
HTTPS field name: SourceEDL 
LEEF field name: SourceEDL 
                         | 
| 
                             source_ip.value 
                            
                                (SOURCE ADDRESS)
                             
                         | 
         
            Original source IP address.
         
    Syslog field name: Syslog Field Order 
EMAIL field name: SourceAddress 
HTTPS field name: SourceAddress 
LEEF field name: src 
                         | 
| 
                             source_location 
                            
                                (SOURCE LOCATION)
                             
                         | 
         
            Source country or internal region for private addresses.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSSourceLocation 
EMAIL field name: SourceLocation 
HTTPS field name: SourceLocation 
LEEF field name: SourceLocation 
                         | 
| 
                             source_port 
                            
                                (SOURCE PORT)
                             
                         | 
         
            Source port utilized by the session.
         
    Syslog field name: Syslog Field Order 
CEF field name: spt 
EMAIL field name: SourcePort 
HTTPS field name: SourcePort 
LEEF field name: srcPort 
                         | 
| 
                             source_user 
                            
                                (SOURCE USER)
                             
                         | 
         
            The username that initiated the network traffic.
         
    Syslog field name: Syslog Field Order 
CEF field name: suser 
EMAIL field name: SourceUser 
HTTPS field name: SourceUser 
LEEF field name: usrName 
                         | 
| 
                             source_user_info.domain 
                            
                                (SOURCE USER DOMAIN)
                             
                         | 
         
            Domain to which the Source User belongs.
         
    CEF field name: sntdom 
EMAIL field name: SourceUserDomain 
HTTPS field name: SourceUserDomain 
LEEF field name: SourceUserDomain 
                         | 
| 
                             source_user_info.name 
                            
                                (SOURCE USER NAME)
                             
                         | 
         
            The Source User. That is, the username that initiated the network traffic.
         
    CEF field name: suser 
EMAIL field name: SourceUserName 
HTTPS field name: SourceUserName 
LEEF field name: SourceUserName 
                         | 
| 
                             source_user_info.uuid 
                            
                                (SOURCE USER UUID)
                             
                         | 
         
            Unique identifier assigned to the Source User.
         
    CEF field name: suid 
EMAIL field name: SourceUserUUID 
HTTPS field name: SourceUserUUID 
LEEF field name: SourceUserUUID 
                         | 
| 
                             source_uuid 
                            
                                (SOURCE UUID)
                             
                         | 
         
            Identifies the source universally unique identifier (UUID) for a guest virtual machine in the VMware NSX environment.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSSourceUUID 
EMAIL field name: SourceUUID 
HTTPS field name: SourceUUID 
LEEF field name: SourceUUID 
                         | 
| 
                             sub_type.value 
                            
                                (SUB TYPE)
                             
                         | 
         
            Identifies the log subtype.
         
    Syslog field name: Syslog Field Order 
CEF field name: Name 
EMAIL field name: SubType 
HTTPS field name: SubType 
LEEF field name: SubType 
                         | 
| 
                             technology_of_app 
                            
                                (APPLICATION TECHNOLOGY)
                             
                         | 
         
            The networking technology used by the identified application.
         
    CEF field name: PanOSApplicationTechnology 
EMAIL field name: ApplicationTechnology 
HTTPS field name: ApplicationTechnology 
LEEF field name: ApplicationTechnology 
                         | 
| 
                             threat_category.value 
                            
                                (THREAT CATEGORY)
                             
                         | 
         
            Threat category of the detected threat.
         
    CEF field name: PanOSThreatCategory 
EMAIL field name: ThreatCategory 
HTTPS field name: ThreatCategory 
LEEF field name: ThreatCategory 
                         | 
| 
                             threat_name_firewall 
                            
                                (THREAT NAME FIREWALL)
                             
                         | 
         
            Threat Name written by the firewall.
         
    CEF field name: PanOSThreatNameFirewall 
EMAIL field name: ThreatNameFirewall 
HTTPS field name: ThreatNameFirewall 
LEEF field name: ThreatNameFirewall 
                         | 
| 
                             time_generated 
                            
                                (TIME GENERATED)
                             
                         | 
         
            Time when the log was generated on the firewall's data plane. This string contains a
            timestamp value that is the number of microseconds since the Unix epoch.
         
    Syslog field name: Syslog Field Order 
CEF field name: start 
EMAIL field name: TimeGenerated 
HTTPS field name: TimeGenerated 
LEEF field name: devTime 
                         | 
| 
                             time_generated_high_res 
                            
                                (TIME GENERATED HIGH RESOLUTION)
                             
                         | 
         
            Time the log was generated on the data plane, with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSTimeGeneratedHighResolution 
EMAIL field name: TimeGeneratedHighResolution 
HTTPS field name: TimeGeneratedHighResolution 
LEEF field name: TimeGeneratedHighResolution 
                         | 
| 
                             to_zone 
                            
                                (TO ZONE)
                             
                         | 
         
            Networking zone to which the traffic was sent.
         
    Syslog field name: Syslog Field Order 
CEF field name: cs5 
EMAIL field name: ToZone 
HTTPS field name: ToZone 
LEEF field name: ToZone 
                         | 
| 
                             tunnel.value 
                            
                                (TUNNEL)
                             
                         | 
         
            Type of tunnel.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSTunnel 
EMAIL field name: Tunnel 
HTTPS field name: Tunnel 
LEEF field name: Tunnel 
                         | 
| 
                             tunneled_app 
                            
                                (TUNNELED APPLICATION)
                             
                         | 
         
            For internal use only.
         
    CEF field name: PanOSTunneledApplication 
EMAIL field name: TunneledApplication 
HTTPS field name: TunneledApplication 
LEEF field name: TunneledApplication 
                         | 
| 
                             tunnelid_imsi 
                            
                                (IMSI)
                             
                         | 
         
            ID of the tunnel being inspected or the International Mobile Subscriber Identity (IMSI) ID of the mobile user.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSIMSI 
EMAIL field name: IMSI 
HTTPS field name: IMSI 
LEEF field name: IMSI 
                         | 
| 
                             url_category.value 
                            
                                (URL CATEGORY)
                             
                         | 
         
            The URL category.
         
    Syslog field name: Syslog Field Order 
CEF field name: cs2 
EMAIL field name: URLCategory 
HTTPS field name: URLCategory 
LEEF field name: URLCategory 
                         | 
| 
                             users 
                            
                                (USERS)
                             
                         | 
         
            Source/Destination user. If neither is available, source_ip is used.
         
    CEF field name: PanOSUsers 
EMAIL field name: Users 
HTTPS field name: Users 
LEEF field name: Users 
                         | 
| 
                             vendor_name 
                            
                                (VENDOR NAME)
                             
                         | 
         
            Identifies the vendor that produced the data.
         
    CEF field name: Device Vendor 
EMAIL field name: VendorName 
HTTPS field name: VendorName 
LEEF field name: Vendor 
                         | 
| 
                             vendor_severity.value 
                            
                                (VENDOR SEVERITY)
                             
                         | 
         
            Severity associated with the event.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSVendorSeverity 
EMAIL field name: VendorSeverity 
HTTPS field name: VendorSeverity 
LEEF field name: VendorSeverity 
                         | 
| 
                             vsys 
                            
                                (VIRTUAL LOCATION)
                             
                         | 
         
            String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
         
    Syslog field name: Syslog Field Order 
CEF field name: cs3 
EMAIL field name: VirtualLocation 
HTTPS field name: VirtualLocation 
LEEF field name: VirtualLocation 
                         | 
| 
                             vsys_id 
                            
                                (VIRTUAL SYSTEM ID)
                             
                         | 
         
            A unique identifier for a virtual system on a Palo Alto Networks firewall.
         
    CEF field name: PanOSVirtualSystemID 
EMAIL field name: VirtualSystemID 
HTTPS field name: VirtualSystemID 
LEEF field name: VirtualSystemID 
                         | 
| 
                             vsys_name 
                            
                                (VIRTUAL SYSTEM NAME)
                             
                         | 
         
            The name of the virtual system associated with the network traffic.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSVirtualSystemName 
EMAIL field name: VirtualSystemName 
HTTPS field name: VirtualSystemName 
LEEF field name: VirtualSystemName 
                         | 
| 
                             xff_ip.value 
                            
                                (X-FORWARDED-FOR IP)
                             
                         | 
         
            X-Forwarded-For IP.
         
    Syslog field name: Syslog Field Order 
CEF field name: PanOSX-Forwarded-ForIP 
EMAIL field name: X-Forwarded-ForIP 
HTTPS field name: X-Forwarded-ForIP 
LEEF field name: X-Forwarded-ForIP 
                         |