SD-WAN Traffic LEEF Fields

Table of Contents

SD-WAN Traffic LEEF Fields

The following table identifies the SD-WAN Traffic field names that the Log Forwarding app uses when you forward logs using the LEEF log format.

When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token will appear on a parameter called profileToken.

LEEF Name	Query Name	Field Type
Action	action.value	Custom
Application	app	Custom
ApplicationCategory	app_category	Custom
ApplicationSubcategory	app_sub_category	Custom
dstBytes	bytes_received	Predefined
srcBytes	bytes_sent	Predefined
ApplicationCharacteristics	characteristics_of_app	Custom
ApplicationContainer	container_of_app	Custom
CortexDataLakeTenantId	customer_id	Custom
DestinationIP	dest_ip.value	Custom
dstPort	dest_port	Predefined
DestinationUserInfoDomain	dest_user_info.domain	Custom
DestinationUserInfoName	dest_user_info.name	Custom
DestinationUserInfoUUID	dest_user_info.uuid	Custom
FromZone	from_zone	Custom
InboundInterface	inbound_if.value	Custom
IsClienttoServer	is_client_to_server	Custom
IsIPV6	is_ipv6	Custom
IsSaaSApplication	is_saas_app	Custom
LogSource	log_source	Custom
LogSourceGroupID	log_source_group_id	Custom
DeviceSN	log_source_id	Custom
DeviceName	log_source_name	Custom
LogSourceTimeZoneOffset	log_source_tz_offset	Custom
TimeReceived	log_time	Custom
cat	log_type.value	Predefined
EgressInterface	outbound_if.value	Custom
dstPackets	packets_received	Predefined
srcPackets	packets_sent	Predefined
PathValue	path.value	Custom
PathLabel	path_label	Custom
PlatformType	platform_type	Custom
SDWANElementId	prisma_sdwan_element_id	Custom
SDWANElementName	prisma_sdwan_element_name	Custom
SDWANSiteId	prisma_sdwan_site_id	Custom
SDWANSiteName	prisma_sdwan_site_name	Custom
SDWANTenantId	prisma_sdwan_tenant_id	Custom
proto	protocol.value	Predefined
ApplicationRisk	risk_of_app	Custom
SecurityRule	rule_matched	Custom
RuleUUID	rule_matched_uuid	Custom
SanctionedStateOfApp	sanctioned_state_of_app	Custom
SessionEndReason	session_end_reason.value	Custom
SessionID	session_id	Custom
SessionStartTime	session_start_time	Custom
SourceDeviceCategory	source_device_category	Custom
SourceDeviceClass	source_device_class	Custom
SourceDeviceHost	source_device_host	Custom
SourceDeviceMac	source_device_mac	Custom
SourceDeviceModel	source_device_model	Custom
SourceDeviceOS	source_device_os	Custom
SourceDeviceOSFamily	source_device_osfamily	Custom
SourceDeviceOSVersion	source_device_osversion	Custom
SourceDeviceProfile	source_device_profile	Custom
SourceDeviceVendor	source_device_vendor	Custom
src	source_ip.value	Predefined
srcPort	source_port	Predefined
UsrName	source_user	Custom
SourceUserInfoDomain	source_user_info.domain	Custom
SourceUserInfoName	source_user_info.name	Custom
SourceUserInfoUUID	source_user_info.uuid	Custom
SubType	sub_type.value	Custom
ApplicationTechnology	technology_of_app	Custom
devTime	time_generated	Predefined
TimeGeneratedHighResolution	time_generated_high_res	Custom
ToZone	to_zone	Custom
SessionDuration	total_time_elapsed	Custom
TrafficClass	traffic_class	Custom
TSGID	tsg_id	Custom
URLCategory	url_category.value	Custom
Vendor	vendor_name	Header

SD-WAN Traffic HTTPS Fields

SaaS Security Logs

Strata Logging Service Docs

SD-WAN Traffic LEEF Fields

Strata Logging Service Docs

SD-WAN Traffic LEEF Fields

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner