Audit LEEF Fields

Table of Contents

Audit LEEF Fields

The following table identifies the Audit field names that the Log Forwarding app uses when you forward logs using the LEEF log format.

When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token will appear on a parameter called profileToken.

LEEF Name	Query Name	Field Type
EventCategory	event_category	Custom
EventDescription	event_description	Custom
EventDestinationURL	event_dest_url	Custom
EventDestinationUserUserID	event_dest_user.user_id	Custom
DestinationVendor	event_dest_vendor	Custom
EventDetails	event_detail	Custom
EventID	event_id	Header
EventName	event_name	Custom
EventResult	event_result	Custom
EventSourceUserUserID	event_source_user.user_id	Custom
EventTime	event_time	Custom
LogSource	log_source	Custom
LogSourceGroupID	log_source_group_id	Custom
DeviceSN	log_source_id	Custom
DeviceName	log_source_name	Custom
TimeReceived	log_time	Custom
cat	log_type.value	Predefined
PlatformType	platform_type	Custom
Subtype	sub_type.value	Custom
TSGID	tsg_id	Custom
Vendor	vendor_name	Header
VendorSeverity	vendor_severity.value	Custom

Audit HTTPS Fields

Configuration

Audit LEEF Fields

Audit LEEF Fields

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Agents & Agentless

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner