>
    Authentication LEEF Fields
    Focus
    Download PDF
    Focus
    1. Home
    2. Strata Logging Service
    3. Network Logs
    4. Authentication
    5. Authentication LEEF Fields
    Download PDF
    Strata Logging Service

    Authentication LEEF Fields

    Table of Contents

    Authentication LEEF Fields

    Example Authentication log in LEEF: 
    Sep 21 07:25:05 gke-standard-cluster-2-pool-3-f004381a-0gw6 1412 <14>1 2021-09-21T07:25:05.173Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|null|authentication success|	|TimeReceived=2021-09-21 07:25:01.057423	DeviceSN=xxxxxxxxxxxxx	cat=auth	SubType=Unknown	ConfigVersion=	devTime=2021-09-21 07:25:01.057449	VirtualLocation=vsys1	src=xxx.xx.x.xx	User=	usrName=paloaltonetworkxxxxx	Object=Authentication object5	AuthenticationPolicy=Captive Portal	CountOfRepeats=1	MFAAuthenticationID=1112	MFAVendor=xxxxx	LogSetting=test	AuthServerProfile=deny-time-wasters	AuthenticationDescription=www.this.is.another.wannabe.long.url.com/and/it/is/getting/there/by/adding/some/junk/at/the/end/of/the/url/dsakjhfskdjhfksjdhfkhk235hk2jh2kjhkhk23jhk5jh2435kjh45k3jh5k3j4h5k3h45kjh34kj5hkjhkj34hk5jh34k5jhk3j4h5k3jh45kjh34k5jhk34jh5kj34h5kjh43kj5hk34jh5k3j4h5k3j4hghhg4j5h3g	ClientType=Unknown	AuthFactorNo=0	SequenceNo=6711379990526558227	DGHierarchyLevel1=12	DGHierarchyLevel2=0	DGHierarchyLevel3=0	DGHierarchyLevel4=0	VirtualSystemName=	DeviceName=PA-5220	VirtualSystemID=1	AuthenticationProtocol=PAP	RuleMatchedUUID=	TimeGeneratedHighResolution=	SourceDeviceCategory=	SourceDeviceProfile=	SourceDeviceModel=	SourceDeviceVendor=	SourceDeviceOSFamily=	SourceDeviceOSVersion=	SourceDeviceHost=	SourceDeviceMac=	AuthCacheServiceRegion=	UserAgentString=	SessionID=	devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ
    The following table identifies the Authentication field names that the Log Forwarding app uses when you forward logs using the LEEF log format.
    When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token will appear on a parameter called profileToken.
    LEEF Name
    Query Name
    Field Type
    AuthenticationDescription
    auth_description
    Custom
    EventID
    auth_event_name.​value
    Header
    AuthFactorNo
    auth_factor_num
    Custom
    AuthenticationPolicy
    auth_policy
    Custom
    AuthenticationProtocol
    auth_proto
    Custom
    AuthServerProfile
    auth_server_profile
    Custom
    AuthenticatedUserDomain
    authenticated_user_info.​domain
    Custom
    AuthenticatedUserName
    authenticated_user_info.​name
    Custom
    AuthenticatedUserUUID
    authenticated_user_info.​uuid
    Custom
    ClientType
    client_type
    Custom
    ClientTypeName
    client_type_name.​value
    Custom
    ConfigVersion
    config_version.​value
    Custom
    CountOfRepeats
    count_of_repeats
    Custom
    CortexDataLakeTenantID
    customer_id
    Custom
    DGHierarchyLevel1
    dg_hier_level_1
    Custom
    DGHierarchyLevel2
    dg_hier_level_2
    Custom
    DGHierarchyLevel3
    dg_hier_level_3
    Custom
    DGHierarchyLevel4
    dg_hier_level_4
    Custom
    IsDuplicateLog
    is_dup_log
    Custom
    LogExported
    is_exported
    Custom
    LogForwarded
    is_forwarded
    Custom
    IsPrismaNetworks
    is_prisma_branch
    Custom
    IsPrismaUsers
    is_prisma_mobile
    Custom
    Location
    location
    Custom
    LogSetting
    log_set
    Custom
    LogSource
    log_source
    Custom
    LogSourceGroupID
    log_source_group_id
    Custom
    DeviceSN
    log_source_id
    Custom
    DeviceName
    log_source_name
    Custom
    LogSourceTimeZoneOffset
    log_source_tz_offset
    Custom
    TimeReceived
    log_time
    Custom
    cat
    log_type.​value
    Predefined
    MFAAuthenticationID
    mfa_auth_id
    Custom
    MFAVendor
    mfa_vendor
    Custom
    usrName
    normalize_user
    Predefined
    Object
    object
    Custom
    PanoramaSN
    panorama_serial
    Custom
    PlatformType
    platform_type
    Custom
    RuleMatched
    rule_matched
    Custom
    RuleMatchedUUID
    rule_matched_uuid
    Custom
    SequenceNo
    sequence_no
    Custom
    AuthCacheServiceRegion
    service_region
    Custom
    SessionID
    session_id
    Custom
    SourceDeviceCategory
    source_device_category
    Custom
    SourceDeviceHost
    source_device_host
    Custom
    SourceDeviceMac
    source_device_mac
    Custom
    SourceDeviceModel
    source_device_model
    Custom
    SourceDeviceOSFamily
    source_device_osfamily
    Custom
    SourceDeviceOSVersion
    source_device_osversion
    Custom
    SourceDeviceProfile
    source_device_profile
    Custom
    SourceDeviceVendor
    source_device_vendor
    Custom
    src
    source_ip.​value
    Predefined
    SubType
    sub_type.​value
    Custom
    devTime
    time_generated
    Predefined
    TimeGeneratedHighResolution
    time_generated_high_res
    Custom
    User
    user
    Custom
    UserAgentString
    user_agent
    Custom
    Vendor
    vendor_name
    Header
    VirtualLocation
    vsys
    Custom
    VirtualSystemID
    vsys_id
    Custom
    VirtualSystemName
    vsys_name
    Custom

    © 2024 Palo Alto Networks, Inc. All rights reserved.