Strata Logging Service
System
System logs are common to any product, application, or service that writes to Strata Logging Service. They record system events that occur within the writing entity. What counts as a system event differs from one writing entity to the next, so to learn which events cause a system log to be written, consult the documentation for the product, application, or service that writes these logs.

For example, Palo Alto Networks next-generation firewalls write a system log whenever the firewall can't reach its syslog servers, whenever WildFire is updated, whenever an administrator visits the Monitor tab, and whenever someone logs on to the firewall.

The table below lists the System log fields and the name each field carries in the supported export formats (CEF, EMAIL, HTTPS, LEEF). Where a field's syslog entry reads "Syslog Field Order", the field is positional in the syslog format and its position is given in the Syslog Field Order reference; fields without a syslog entry are not emitted in the syslog format.
| SYSTEM Field (Display Name) | Description |
|---|---|
| agent_content_version (AGENT CONTENT VERSION) | Version of the agent content installed on the endpoint.<br>CEF field name: PanOSAgentContentVersion<br>EMAIL field name: AgentContentVersion<br>HTTPS field name: AgentContentVersion<br>LEEF field name: AgentContentVersion |
| agent_data_collection_status.value (AGENT DATA COLLECTION STATUS) | Indicates whether the agent is collecting data on behalf of another product (for example, EDR).<br>CEF field name: PanOSAgentDataCollectionStatus<br>EMAIL field name: AgentDataCollectionStatus<br>HTTPS field name: AgentDataCollectionStatus<br>LEEF field name: AgentDataCollectionStatus |
| agent_id (AGENT ID) | Unique identifier for the agent on the endpoint.<br>CEF field name: PanOSAgentID<br>EMAIL field name: AgentID<br>HTTPS field name: AgentID<br>LEEF field name: AgentID |
| agent_isolation_status (AGENT ISOLATION STATUS) | Indicates whether the agent is isolated. Agents are usually isolated because the endpoint has been compromised.<br>CEF field name: PanOSAgentIsolationStatus<br>EMAIL field name: AgentIsolationStatus<br>HTTPS field name: AgentIsolationStatus<br>LEEF field name: AgentIsolationStatus |
| agent_protection_status (AGENT STATUS) | The protection status set for the endpoint.<br>CEF field name: PanOSAgentStatus<br>EMAIL field name: AgentStatus<br>HTTPS field name: AgentStatus<br>LEEF field name: AgentStatus |
| agent_version (AGENT VERSION) | Version of the agent on the endpoint.<br>CEF field name: PanOSAgentVersion<br>EMAIL field name: AgentVersion<br>HTTPS field name: AgentVersion<br>LEEF field name: AgentVersion |
| config_version.value (CONFIG VERSION) | Configuration version. The value is the version as a string in the form major.minor.patch.build; the id is the same version as a hexadecimal number.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSConfigVersion<br>EMAIL field name: ConfigVersion<br>HTTPS field name: ConfigVersion<br>LEEF field name: ConfigVersion |
| customer_id (TENANT ID) | The ID that uniquely identifies the Strata Logging Service instance that received this log record.<br>CEF field name: PanOSTenantID<br>EMAIL field name: TenantID<br>HTTPS field name: TenantID<br>LEEF field name: TenantID |
| device_group.value (DEVICE GROUP) | The ID and name of the device group that contains the firewall.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDeviceGroup<br>EMAIL field name: DeviceGroup<br>HTTPS field name: DeviceGroup<br>LEEF field name: DeviceGroup |
| dg_hier_level_1 (DG HIERARCHY LEVEL 1) | A sequence of identification numbers that indicates the device group's position within the device group hierarchy.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDGHierarchyLevel1<br>EMAIL field name: DGHierarchyLevel1<br>HTTPS field name: DGHierarchyLevel1<br>LEEF field name: DGHierarchyLevel1 |
| dg_hier_level_2 (DG HIERARCHY LEVEL 2) | A sequence of identification numbers that indicates the device group's position within the device group hierarchy.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDGHierarchyLevel2<br>EMAIL field name: DGHierarchyLevel2<br>HTTPS field name: DGHierarchyLevel2<br>LEEF field name: DGHierarchyLevel2 |
| dg_hier_level_3 (DG HIERARCHY LEVEL 3) | A sequence of identification numbers that indicates the device group's position within the device group hierarchy.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDGHierarchyLevel3<br>EMAIL field name: DGHierarchyLevel3<br>HTTPS field name: DGHierarchyLevel3<br>LEEF field name: DGHierarchyLevel3 |
| dg_hier_level_4 (DG HIERARCHY LEVEL 4) | A sequence of identification numbers that indicates the device group's position within the device group hierarchy.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSDGHierarchyLevel4<br>EMAIL field name: DGHierarchyLevel4<br>HTTPS field name: DGHierarchyLevel4<br>LEEF field name: DGHierarchyLevel4 |
| endpoint_cpu_architecture.value (ENDPOINT CPU ARCHITECTURE) | The CPU architecture of the operating system running on the endpoint.<br>CEF field name: PanOSEndpointCPUArchitecture<br>EMAIL field name: EndpointCPUArchitecture<br>HTTPS field name: EndpointCPUArchitecture<br>LEEF field name: EndpointCPUArchitecture |
| endpoint_device_domain (ENDPOINT DEVICE DOMAIN) | Domain to which the endpoint belongs.<br>CEF field name: PanOSEndpointDeviceDomain<br>EMAIL field name: EndpointDeviceDomain<br>HTTPS field name: EndpointDeviceDomain<br>LEEF field name: EndpointDeviceDomain |
| endpoint_device_name (ENDPOINT DEVICE NAME) | Hostname of the endpoint on which the event was logged.<br>CEF field name: PanOSEndpointDeviceName<br>EMAIL field name: EndpointDeviceName<br>HTTPS field name: EndpointDeviceName<br>LEEF field name: EndpointDeviceName |
| endpoint_ip.value (ENDPOINT IP ADDRESS) | IP address of the endpoint that is the source of the event.<br>CEF field name: PanOSEndpointIPaddress<br>EMAIL field name: EndpointIPaddress<br>HTTPS field name: EndpointIPaddress<br>LEEF field name: EndpointIPaddress |
| endpoint_is_vdi (VDI ENDPOINT) | Indicates whether the endpoint is a virtual desktop infrastructure (VDI) instance: 0 means it is not, 1 means it is.<br>CEF field name: PanOSVDIEndpoint<br>EMAIL field name: VDIEndpoint<br>HTTPS field name: VDIEndpoint<br>LEEF field name: VDIEndpoint |
| endpoint_os_type.value (ENDPOINT OS TYPE) | The operating system running on the endpoint.<br>CEF field name: PanOSEndpointOSType<br>EMAIL field name: EndpointOSType<br>HTTPS field name: EndpointOSType<br>LEEF field name: EndpointOSType |
| endpoint_os_version (ENDPOINT OS VERSION) | The version of the operating system running on the endpoint.<br>CEF field name: PanOSEndpointOSVersion<br>EMAIL field name: EndpointOSVersion<br>HTTPS field name: EndpointOSVersion<br>LEEF field name: EndpointOSVersion |
| endpoint_tz_offset (AGENT TIME ZONE OFFSET) | Effective time zone offset of the endpoint from UTC, in minutes.<br>CEF field name: PanOSAgentTimeZoneOffset<br>EMAIL field name: AgentTimeZoneOffset<br>HTTPS field name: AgentTimeZoneOffset<br>LEEF field name: AgentTimeZoneOffset |
| endpoint_user.domain (ENDPOINT USER DOMAIN) | Domain of the user who was logged in to the endpoint at the time of the system event.<br>CEF field name: PanOSEndpointUserDomain<br>EMAIL field name: EndpointUserDomain<br>HTTPS field name: EndpointUserDomain<br>LEEF field name: EndpointUserDomain |
| endpoint_user.name (ENDPOINT USER NAME) | Name of the user who was logged in to the endpoint at the time of the system event.<br>CEF field name: PanOSEndpointUserName<br>EMAIL field name: EndpointUserName<br>HTTPS field name: EndpointUserName<br>LEEF field name: EndpointUserName |
| endpoint_user.uuid (ENDPOINT USER UUID) | The endpoint user's unique ID.<br>CEF field name: PanOSEndpointUserUUID<br>EMAIL field name: EndpointUserUUID<br>HTTPS field name: EndpointUserUUID<br>LEEF field name: EndpointUserUUID |
| event_component (EVENT COMPONENT) | The component associated with the event (for example, the firewall object that raised it).<br>Syslog field name: Syslog Field Order<br>CEF field name: fname<br>EMAIL field name: EventComponent<br>HTTPS field name: EventComponent<br>LEEF field name: EventComponent |
| event_description (EVENT DESCRIPTION) | Description of the system event.<br>Syslog field name: Syslog Field Order<br>CEF field name: msg<br>EMAIL field name: EventDescription<br>HTTPS field name: EventDescription<br>LEEF field name: EventDescription |
| event_name.value (EVENT NAME) | Name of the system event.<br>Syslog field name: Syslog Field Order<br>CEF field name: act<br>EMAIL field name: EventName<br>HTTPS field name: EventName<br>LEEF field name: EventID |
| event_time (EVENT TIME) | Time when the log was generated on the firewall's data plane. The string holds a timestamp expressed as the number of microseconds since the Unix epoch.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSEventTime<br>EMAIL field name: EventTime<br>HTTPS field name: EventTime<br>LEEF field name: devTime |
| is_dup_log (IS DUPLICATE LOG) | Indicates whether this log record is available in more than one location, for example in Strata Logging Service as well as on an on-premises log collector.<br>CEF field name: PanOSIsDuplicateLog<br>EMAIL field name: IsDuplicateLog<br>HTTPS field name: IsDuplicateLog<br>LEEF field name: IsDuplicateLog |
| is_exported (LOG EXPORTED) | Indicates whether this log was exported from the firewall using the firewall's log export function.<br>CEF field name: PanOSLogExported<br>EMAIL field name: LogExported<br>HTTPS field name: LogExported<br>LEEF field name: LogExported |
| is_forwarded (LOG FORWARDED) | Indicates whether the log is being forwarded.<br>CEF field name: PanOSLogForwarded<br>EMAIL field name: LogForwarded<br>HTTPS field name: LogForwarded<br>LEEF field name: LogForwarded |
| is_prisma_branch (IS PRISMA NETWORK) | 1 if the log was generated on a cloud-based firewall; 0 if the firewall is running on-premises.<br>CEF field name: PanOSIsPrismaNetwork<br>EMAIL field name: IsPrismaNetwork<br>HTTPS field name: IsPrismaNetwork<br>LEEF field name: IsPrismaNetwork |
| is_prisma_mobile (IS PRISMA USERS) | 1 if the log record was generated by a cloud-based GlobalProtect instance; 0 if GlobalProtect is hosted on-premises.<br>CEF field name: PanOSIsPrismaUsers<br>EMAIL field name: IsPrismaUsers<br>HTTPS field name: IsPrismaUsers<br>LEEF field name: IsPrismaUsers |
| log_category.value (LOG CATEGORY) | The log category.<br>CEF field name: cat<br>EMAIL field name: LogCategory<br>HTTPS field name: LogCategory<br>LEEF field name: LogCategory |
| log_source (LOG SOURCE) | Identifies the origin of the data, that is, the system that produced it.<br>CEF field name: PanOSLogSource<br>EMAIL field name: LogSource<br>HTTPS field name: LogSource<br>LEEF field name: LogSource |
| log_source_group_id (LOG SOURCE GROUP ID) | ID that uniquely identifies the group of log sources to which the source of this log belongs (the log_source_id of the group).<br>CEF field name: LogSourceGroupID<br>EMAIL field name: LogSourceGroupID<br>HTTPS field name: LogSourceGroupID<br>LEEF field name: LogSourceGroupID |
| log_source_id (LOG SOURCE ID) | ID that uniquely identifies the source of the log. If the source is a firewall, this is its serial number. If the source is TMS, this is the trapsId. If the log was generated by Prisma Access, the serial number is not displayed.<br>Syslog field name: Syslog Field Order<br>CEF field name: deviceExternalId<br>EMAIL field name: LogSourceID<br>HTTPS field name: LogSourceID<br>LEEF field name: LogSourceID |
| log_source_name (LOG SOURCE NAME) | Name of the source of the log. If the source is a firewall, this is its device_name value. If the source is TMS, this is the customer or tenant name.<br>Syslog field name: Syslog Field Order<br>CEF field name: dvchost<br>EMAIL field name: LogSourceName<br>HTTPS field name: LogSourceName<br>LEEF field name: LogSourceName |
| log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET) | Time zone offset from GMT of the source of the log.<br>CEF field name: PanOSLogSourceTimeZoneOffset<br>EMAIL field name: LogSourceTimeZoneOffset<br>HTTPS field name: LogSourceTimeZoneOffset<br>LEEF field name: LogSourceTimeZoneOffset |
| log_time (LOG TIME) | Time the log was received by Strata Logging Service. Populated by the platform, not by the log source.<br>Syslog field name: Syslog Field Order<br>CEF field name: rt<br>EMAIL field name: LogTime<br>HTTPS field name: LogTime<br>LEEF field name: LogTime |
| log_type.value (LOG TYPE) | Specifies the log type. Possible values are: traffic, config, system, threat, appstat, trsum, thsum, event, alarm, hipmatch, userid, iptag, mdm, extpcap, urlsum, gtp, gtpsum, auth, panflex, extflex, sctp, sctpsum, analytics, action, scan, sam.<br>Syslog field name: Syslog Field Order<br>CEF field name: Device Event Class ID<br>EMAIL field name: LogType<br>HTTPS field name: LogType<br>LEEF field name: cat |
| panorama_serial (PANORAMA SN) | Serial number of the Panorama associated with the Strata Logging Service (formerly Cortex Data Lake, CDL) instance.<br>CEF field name: PanOSPanoramaSN<br>EMAIL field name: PanoramaSN<br>HTTPS field name: PanoramaSN<br>LEEF field name: PanoramaSN |
| platform_type (PLATFORM TYPE) | The platform type. Valid values are VM, PA, NGFW, and CNGFW.<br>CEF field name: PlatformType<br>EMAIL field name: PlatformType<br>HTTPS field name: PlatformType<br>LEEF field name: PlatformType |
| sequence_no (SEQUENCE NO) | The log entry identifier, incremented sequentially. Each log type has its own number space, so the value is unique only within a single log type.<br>Syslog field name: Syslog Field Order<br>CEF field name: externalId<br>EMAIL field name: SequenceNo<br>HTTPS field name: SequenceNo<br>LEEF field name: SequenceNo |
| severity (SEVERITY) | Severity as defined by the platform (Strata Logging Service), as opposed to the severity assigned by the vendor (see vendor_severity).<br>CEF field name: PanOSSeverity<br>EMAIL field name: Severity<br>HTTPS field name: Severity<br>LEEF field name: Severity |
| sub_type.value (SUB TYPE) | The log subtype. For system logs this identifies the subsystem that raised the event (for example general, ha, or dhcp); the values start, end, drop, deny, and netflow are traffic-log subtypes and do not occur here.<br>Syslog field name: Syslog Field Order<br>CEF field name: Name<br>EMAIL field name: Subtype<br>HTTPS field name: Subtype<br>LEEF field name: SubType |
| template.value (TEMPLATE) | The ID and name of the template or template stack to which the firewall belonged when the log was generated.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSTemplate<br>EMAIL field name: Template<br>HTTPS field name: Template<br>LEEF field name: Template |
| time_generated_high_res (TIME GENERATED HIGH RESOLUTION) | Time the log was generated on the data plane, with sub-second granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z (the optional fractional-seconds field carries up to six digits).<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSTimeGeneratedHighResolution<br>EMAIL field name: TimeGeneratedHighResolution<br>HTTPS field name: TimeGeneratedHighResolution<br>LEEF field name: TimeGeneratedHighResolution |
| vendor_name (VENDOR NAME) | Identifies the vendor that produced the data.<br>CEF field name: Device Vendor<br>EMAIL field name: VendorName<br>HTTPS field name: VendorName<br>LEEF field name: Vendor |
| vendor_severity.value (VENDOR SEVERITY) | Severity associated with the event, as assigned by the vendor.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSVendorSeverity<br>EMAIL field name: VendorSeverity<br>HTTPS field name: VendorSeverity<br>LEEF field name: VendorSeverity |
| vsys (VIRTUAL LOCATION) | String representation of the unique identifier of a virtual system on a Palo Alto Networks firewall.<br>Syslog field name: Syslog Field Order<br>CEF field name: cs3<br>EMAIL field name: VirtualLocation<br>HTTPS field name: VirtualLocation<br>LEEF field name: VirtualLocation |
| vsys_id (VIRTUAL SYSTEM ID) | A unique identifier for a virtual system on a Palo Alto Networks firewall.<br>CEF field name: PanOSVirtualSystemID<br>EMAIL field name: VirtualSystemID<br>HTTPS field name: VirtualSystemID<br>LEEF field name: VirtualSystemID |
| vsys_name (VIRTUAL SYSTEM NAME) | The name of the virtual system associated with the event.<br>Syslog field name: Syslog Field Order<br>CEF field name: PanOSVirtualSystemName<br>EMAIL field name: VirtualSystemName<br>HTTPS field name: VirtualSystemName<br>LEEF field name: VirtualSystemName |
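The field table is most useful when you have to consume these logs in one of the export formats and map them back to the canonical names. The following Python is an added example, not code from the Strata Logging Service documentation or from Palo Alto Networks: it parses CEF-formatted system log lines (honouring CEF's `\|`, `\=` and `\\` escapes), translates the CEF header positions and extension keys to the Strata field names listed in the table, converts event_time from microseconds since the Unix epoch to ISO 8601, and deduplicates re-delivered records. The dedupe key combines log_source_id, log_type and sequence_no because, as the table states, sequence_no is unique only within one log type. The sample lines and their event descriptions are constructed for the example, and it is an assumption that the CEF PanOSEventTime extension carries the same microsecond value the table documents for event_time.

```python
"""Parse CEF-formatted Strata Logging Service system logs, map CEF keys back
to the field names in the table, and drop re-delivered records.
Added example; not Palo Alto Networks code."""
import re
from datetime import datetime, timezone

# CEF extension key -> Strata field name, copied from the table (subset).
CEF_EXT_TO_FIELD = {
    "PanOSEventTime": "event_time",
    "rt": "log_time",
    "act": "event_name",
    "msg": "event_description",
    "fname": "event_component",
    "deviceExternalId": "log_source_id",
    "dvchost": "log_source_name",
    "externalId": "sequence_no",
    "PanOSSeverity": "severity",
    "PanOSIsDuplicateLog": "is_dup_log",
    "cs3": "vsys",
}

# Constructed sample lines (not captured from a real firewall). The second
# line is a re-delivery of the first: same source, log type and sequence_no.
SAMPLE_LINES = [
    r"<14>Nov 14 22:13:20 fw-edge-01 CEF:0|Palo Alto Networks|PAN-OS|11.1.0|SYSTEM|general|3|"
    r"rt=1700000000000 deviceExternalId=007000001234 dvchost=fw-edge-01 externalId=7001 "
    r"act=general fname=syslog msg=Syslog connection failed to server syslog.corp.example\=514 "
    r"PanOSEventTime=1699999999500000 PanOSSeverity=high cs3=vsys1 PanOSIsDuplicateLog=0",
    r"<14>Nov 14 22:13:21 fw-edge-01 CEF:0|Palo Alto Networks|PAN-OS|11.1.0|SYSTEM|general|3|"
    r"rt=1700000001000 deviceExternalId=007000001234 dvchost=fw-edge-01 externalId=7001 "
    r"act=general fname=syslog msg=Syslog connection failed to server syslog.corp.example\=514 "
    r"PanOSEventTime=1699999999500000 PanOSSeverity=high cs3=vsys1 PanOSIsDuplicateLog=1",
    r"<14>Nov 14 22:13:25 fw-edge-01 CEF:0|Palo Alto Networks|PAN-OS|11.1.0|SYSTEM|general|2|"
    r"rt=1700000005000 deviceExternalId=007000001234 dvchost=fw-edge-01 externalId=7002 "
    r"act=general fname=general msg=User admin logged in via Web from 10.0.0.5 "
    r"PanOSEventTime=1700000004250000 PanOSSeverity=informational cs3=vsys1 PanOSIsDuplicateLog=0",
]

# CEF escapes: \| \= \\ stand for the literal character, \n and \r for newline / CR.
_ESCAPE = re.compile(r"\\(.)", re.DOTALL)
# A new extension key starts after a space and looks like "key=" (a backslash
# before "=" means an escaped "=" inside the previous value, not a new key).
_EXT_SPLIT = re.compile(r" (?=[A-Za-z0-9_.]+=)")


def _unescape(text):
    return _ESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), text)


def _split_header(text):
    """Split the seven pipe-delimited CEF header fields; return (fields, extension)."""
    fields, cur, i = [], [], 0
    while len(fields) < 7:
        if i >= len(text):
            raise ValueError("truncated CEF header")
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])  # keep the escape pair for _unescape
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    return fields, text[i:]


def parse_cef(line):
    """Return a dict keyed by Strata field name for one CEF system log line."""
    _, marker, body = line.partition("CEF:")  # tolerate a syslog prefix
    if not marker:
        raise ValueError("no CEF record in line")
    header, extension = _split_header(body)
    version, vendor, product, dev_version, event_class, name, cef_severity = header
    record = {
        "cef_version": version,
        "vendor_name": _unescape(vendor),        # CEF "Device Vendor"
        "device_product": _unescape(product),    # not in the table; kept for context
        "device_version": _unescape(dev_version),
        "log_type": _unescape(event_class),      # CEF "Device Event Class ID"
        "sub_type": _unescape(name),             # CEF "Name"
        "cef_severity": cef_severity,            # header severity, distinct from PanOSSeverity
    }
    for pair in _EXT_SPLIT.split(extension.strip()):
        key, sep, value = pair.partition("=")
        if sep:
            record[CEF_EXT_TO_FIELD.get(key, key)] = _unescape(value)
    return record


def dedupe_key(record):
    """sequence_no is unique only within one log type on one source."""
    return (record.get("log_source_id"), record.get("log_type"), record.get("sequence_no"))


def event_time_utc(record):
    """event_time is microseconds since the Unix epoch (assumed to be what
    PanOSEventTime carries); return it as ISO 8601 UTC."""
    micros = int(record["event_time"])
    ts = datetime.fromtimestamp(micros // 1_000_000, tz=timezone.utc)
    return ts.replace(microsecond=micros % 1_000_000).isoformat()


def ingest(lines):
    """Parse lines, drop re-delivered records; return (unique records, dropped count)."""
    seen, unique, dropped = set(), [], 0
    for line in lines:
        record = parse_cef(line)
        key = dedupe_key(record)
        if key in seen:
            dropped += 1
            continue
        seen.add(key)
        record["event_time_utc"] = event_time_utc(record)
        unique.append(record)
    return unique, dropped


if __name__ == "__main__":
    records, dropped = ingest(SAMPLE_LINES)
    for r in records:
        print(r["event_time_utc"], r["log_source_name"], r["sub_type"], r["event_description"])
    print(f"dropped {dropped} duplicate record(s)")
```

Note that the header severity (the seventh CEF header field) and the PanOSSeverity extension are kept apart: the table maps the Strata severity field to PanOSSeverity, so treat the header value as CEF's own severity scale rather than as the platform severity.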