Authentication CEF Fields

Table of Contents

Authentication Syslog Default Field Order

Authentication CEF Fields

Example Authentication log in CEF:

Mar 1 21:05:25 xxx.xx.x.xx 2206 <14>1 2021-03-01T21:05:25.508Z stream-logfwd20-587718190-03011255-ut6o-harness-5vlj logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|AUTH|Radius|3|ProfileToken=xxxxx dtz=UTC rt=Feb 28 2021 18:20:54 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion=10.0 PanOSAuthenticatedUserDomain=paloaltonetwork PanOSAuthenticatedUserName=xxxxx PanOSAuthenticatedUserUUID= PanOSClientTypeName= PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSRuleMatched= start=Feb 28 2021 18:20:40 cs3=vsys1 cs3Label=VirtualLocation c6a2=::ffff:0 c6a2Label=Source IPv6 Address c6a3=::ffff:0 c6a3Label=Destination IPv6 Address duser=paloaltonetwork\\xxxxx cs2=paloaltonetwork\\xxxxx cs2Label=NormalizeUser fname=Authentication object2 cs4=DC cs4Label=AuthenticationPolicy cnt=33554432 cn2=-5257671089978343424 cn2Label=MFAAuthenticationID PanOSMFAVendor=Symantec VIP cs6=rs-logging cs6Label=LogSetting cs1=deny-attackers cs1Label=AuthServerProfile PanOSAuthenticationDescription=www.something cs5=Unknown cs5Label=ClientType msg=Invalid Certificate cn1=0 cn1Label=AuthFactorNo externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=11 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=xxxxx PanOSVirtualSystemID=1 PanOSAuthenticationProtocol=EAP-TTLS with PAP PanOSRuleMatchedUUID= PanOSTimeGeneratedHighResolution=Feb 28 2021 18:20:41 PanOSSourceDeviceCategory=src_category_list-1 PanOSSourceDeviceProfile=src_profile_list-1 PanOSSourceDeviceModel=src_model_list-1 PanOSSourceDeviceVendor=src_vendor_list-1 PanOSSourceDeviceOSFamily=src_osfamily_list-0 PanOSSourceDeviceOSVersion=src_osversion_list-2 PanOSSourceDeviceHost=src_host_list-0 PanOSSourceDeviceMac=src_mac_list-2 PanOSAuthCacheServiceRegion= PanOSUserAgentString= PanOSSessionID=

The following table identifies the Authentication field names that the Log Forwarding app uses when you forward logs using the CEF log format.

CEF Name	Field Details
PanOSAuthenticationDescription	Query Name: auth_description Header Type: Custom
msg	Query Name: auth_event_name.value Header Type: Predefined Max Length: 1023
cn1	Query Name: auth_factor_num Header Type: Predefined Label: cn1Label Label Text: AuthFactorNo
cs4	Query Name: auth_policy Header Type: Predefined Label: cs4Label Label Text: AuthenticationPolicy Max Length: 4000
PanOSAuthenticationProtocol	Query Name: auth_proto Header Type: Custom
cs1	Query Name: auth_server_profile Header Type: Predefined Label: cs1Label Label Text: AuthServerProfile Max Length: 4000
PanOSAuthenticatedUserDomain	Query Name: authenticated_user_info.domain Header Type: Custom
PanOSAuthenticatedUserName	Query Name: authenticated_user_info.name Header Type: Custom
PanOSAuthenticatedUserUUID	Query Name: authenticated_user_info.uuid Header Type: Custom
cs5	Query Name: client_type Header Type: Predefined Label: cs5Label Label Text: ClientType Max Length: 4000
PanOSClientTypeName	Query Name: client_type_name.value Header Type: Custom
PanOSConfigVersion	Query Name: config_version.value Header Type: Custom
cnt	Query Name: count_of_repeats Header Type: Predefined
PanOSCortexDataLakeTenantID	Query Name: customer_id Header Type: Custom
PanOSDGHierarchyLevel1	Query Name: dg_hier_level_1 Header Type: Custom
PanOSDGHierarchyLevel2	Query Name: dg_hier_level_2 Header Type: Custom
PanOSDGHierarchyLevel3	Query Name: dg_hier_level_3 Header Type: Custom
PanOSDGHierarchyLevel4	Query Name: dg_hier_level_4 Header Type: Custom
PanOSIsDuplicateLog	Query Name: is_dup_log Header Type: Custom
PanOSLogExported	Query Name: is_exported Header Type: Custom
PanOSLogForwarded	Query Name: is_forwarded Header Type: Custom
PanOSIsPrismaNetworks	Query Name: is_prisma_branch Header Type: Custom
PanOSIsPrismaUsers	Query Name: is_prisma_mobile Header Type: Custom
PanOSLocation	Query Name: location Header Type: Custom
cs6	Query Name: log_set Header Type: Predefined Label: cs6Label Label Text: LogSetting Max Length: 4000
PanOSLogSource	Query Name: log_source Header Type: Custom
LogSourceGroupID	Query Name: log_source_group_id Header Type: Custom Max Length: 255
deviceExternalId	Query Name: log_source_id Header Type: Predefined Max Length: 255
dvchost	Query Name: log_source_name Header Type: Predefined Max Length: 100
PanOSLogSourceTimeZoneOffset	Query Name: log_source_tz_offset Header Type: Custom
rt	Query Name: log_time Header Type: Predefined
DeviceEventClassId	Query Name: log_type.value Header Type: Custom
cn2	Query Name: mfa_auth_id Header Type: Predefined Label: cn2Label Label Text: MFAAuthenticationID
PanOSMFAVendor	Query Name: mfa_vendor Header Type: Custom
cs2	Query Name: normalize_user Header Type: Predefined Label: cs2Label Label Text: NormalizeUser Max Length: 4000
fname	Query Name: object Header Type: Predefined Max Length: 1023
PanOSPanoramaSN	Query Name: panorama_serial Header Type: Custom
PlatformType	Query Name: platform_type Header Type: Custom
PanOSRuleMatched	Query Name: rule_matched Header Type: Custom
PanOSRuleMatchedUUID	Query Name: rule_matched_uuid Header Type: Custom
externalId	Query Name: sequence_no Header Type: Predefined Max Length: 40
PanOSAuthCacheServiceRegion	Query Name: service_region Header Type: Custom
PanOSSessionID	Query Name: session_id Header Type: Custom
PanOSSourceDeviceCategory	Query Name: source_device_category Header Type: Custom
PanOSSourceDeviceHost	Query Name: source_device_host Header Type: Custom
PanOSSourceDeviceMac	Query Name: source_device_mac Header Type: Custom
PanOSSourceDeviceModel	Query Name: source_device_model Header Type: Custom
PanOSSourceDeviceOSFamily	Query Name: source_device_osfamily Header Type: Custom
PanOSSourceDeviceOSVersion	Query Name: source_device_osversion Header Type: Custom
PanOSSourceDeviceProfile	Query Name: source_device_profile Header Type: Custom
PanOSSourceDeviceVendor	Query Name: source_device_vendor Header Type: Custom
src and dst, or c6a2 and c6a3	Query Name: source_ip.value Header Type: Predefined Label: \|\| c6a2Label && c6a3Label Label Text: \|\| Source IPv6 Address && Destination IPv6 Address
Name	Query Name: sub_type.value Header Type: Custom
start	Query Name: time_generated Header Type: Predefined
PanOSTimeGeneratedHighResolution	Query Name: time_generated_high_res Header Type: Custom
duser	Query Name: user Header Type: Predefined Max Length: 1023
PanOSUserAgentString	Query Name: user_agent Header Type: Custom
Device Vendor	Query Name: vendor_name Header Type: Custom
cs3	Query Name: vsys Header Type: Predefined Label: cs3Label Label Text: VirtualLocation Max Length: 4000
PanOSVirtualSystemID	Query Name: vsys_id Header Type: Custom
PanOSVirtualSystemName	Query Name: vsys_name Header Type: Custom

Authentication Syslog Default Field Order

Authentication EMAIL Fields

Authentication CEF Fields

Authentication CEF Fields

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Agents & Agentless

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner