Authentication LEEF Fields

Table of Contents

Example Authentication log in LEEF:

Sep 21 07:25:05 gke-standard-cluster-2-pool-3-f004381a-0gw6 1412 <14>1 2021-09-21T07:25:05.173Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|null|authentication success|	|TimeReceived=2021-09-21 07:25:01.057423	DeviceSN=xxxxxxxxxxxxx	cat=auth	SubType=Unknown	ConfigVersion=	devTime=2021-09-21 07:25:01.057449	VirtualLocation=vsys1	src=xxx.xx.x.xx	User=	usrName=paloaltonetworkxxxxx	Object=Authentication object5	AuthenticationPolicy=Captive Portal	CountOfRepeats=1	MFAAuthenticationID=1112	MFAVendor=xxxxx	LogSetting=test	AuthServerProfile=deny-time-wasters	AuthenticationDescription=www.this.is.another.wannabe.long.url.com/and/it/is/getting/there/by/adding/some/junk/at/the/end/of/the/url/dsakjhfskdjhfksjdhfkhk235hk2jh2kjhkhk23jhk5jh2435kjh45k3jh5k3j4h5k3h45kjh34kj5hkjhkj34hk5jh34k5jhk3j4h5k3jh45kjh34k5jhk34jh5kj34h5kjh43kj5hk34jh5k3j4h5k3j4hghhg4j5h3g	ClientType=Unknown	AuthFactorNo=0	SequenceNo=6711379990526558227	DGHierarchyLevel1=12	DGHierarchyLevel2=0	DGHierarchyLevel3=0	DGHierarchyLevel4=0	VirtualSystemName=	DeviceName=PA-5220	VirtualSystemID=1	AuthenticationProtocol=PAP	RuleMatchedUUID=	TimeGeneratedHighResolution=	SourceDeviceCategory=	SourceDeviceProfile=	SourceDeviceModel=	SourceDeviceVendor=	SourceDeviceOSFamily=	SourceDeviceOSVersion=	SourceDeviceHost=	SourceDeviceMac=	AuthCacheServiceRegion=	UserAgentString=	SessionID=	devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ

The following table identifies the Authentication field names that the Log Forwarding app uses when you forward logs using the LEEF log format.

When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token will appear on a parameter called profileToken.

LEEF Name	Query Name	Field Type
AuthenticationDescription	auth_description	Custom
EventID	auth_event_name.value	Header
AuthFactorNo	auth_factor_num	Custom
AuthenticationPolicy	auth_policy	Custom
AuthenticationProtocol	auth_proto	Custom
AuthServerProfile	auth_server_profile	Custom
AuthenticatedUserDomain	authenticated_user_info.domain	Custom
AuthenticatedUserName	authenticated_user_info.name	Custom
AuthenticatedUserUUID	authenticated_user_info.uuid	Custom
ClientType	client_type	Custom
ClientTypeName	client_type_name.value	Custom
ConfigVersion	config_version.value	Custom
CountOfRepeats	count_of_repeats	Custom
CortexDataLakeTenantID	customer_id	Custom
DGHierarchyLevel1	dg_hier_level_1	Custom
DGHierarchyLevel2	dg_hier_level_2	Custom
DGHierarchyLevel3	dg_hier_level_3	Custom
DGHierarchyLevel4	dg_hier_level_4	Custom
IsDuplicateLog	is_dup_log	Custom
LogExported	is_exported	Custom
LogForwarded	is_forwarded	Custom
IsPrismaNetworks	is_prisma_branch	Custom
IsPrismaUsers	is_prisma_mobile	Custom
Location	location	Custom
LogSetting	log_set	Custom
LogSource	log_source	Custom
LogSourceGroupID	log_source_group_id	Custom
DeviceSN	log_source_id	Custom
DeviceName	log_source_name	Custom
LogSourceTimeZoneOffset	log_source_tz_offset	Custom
TimeReceived	log_time	Custom
cat	log_type.value	Predefined
MFAAuthenticationID	mfa_auth_id	Custom
MFAVendor	mfa_vendor	Custom
usrName	normalize_user	Predefined
Object	object	Custom
PanoramaSN	panorama_serial	Custom
PlatformType	platform_type	Custom
RuleMatched	rule_matched	Custom
RuleMatchedUUID	rule_matched_uuid	Custom
SequenceNo	sequence_no	Custom
AuthCacheServiceRegion	service_region	Custom
SessionID	session_id	Custom
SourceDeviceCategory	source_device_category	Custom
SourceDeviceHost	source_device_host	Custom
SourceDeviceMac	source_device_mac	Custom
SourceDeviceModel	source_device_model	Custom
SourceDeviceOSFamily	source_device_osfamily	Custom
SourceDeviceOSVersion	source_device_osversion	Custom
SourceDeviceProfile	source_device_profile	Custom
SourceDeviceVendor	source_device_vendor	Custom
src	source_ip.value	Predefined
SubType	sub_type.value	Custom
devTime	time_generated	Predefined
TimeGeneratedHighResolution	time_generated_high_res	Custom
User	user	Custom
UserAgentString	user_agent	Custom
Vendor	vendor_name	Header
VirtualLocation	vsys	Custom
VirtualSystemID	vsys_id	Custom
VirtualSystemName	vsys_name	Custom

Authentication HTTPS Fields

DNS Security

Strata Logging Service Docs

Authentication LEEF Fields

Strata Logging Service Docs

Authentication LEEF Fields

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner

Technical Documentation

Company

Legal Notices