Decryption CEF Fields
Strata Logging Service

Example Decryption log in CEF:
Mar 1 20:35:56 xxx.xx.x.xx 2341 <14>1 2021-03-01T20:35:56.343Z stream-logfwd20-587718190-02280003-lvod-harness-mjdh logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|DECRYPTION|end|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=xxxxxxxxxxxxx PanOSConfigVersion=null start=Mar 01 2021 20:35:54 src=xxx.xx.x.xx dst=xxx.xx.x.xx sourceTranslatedAddress=xxx.xx.x.xx destinationTranslatedAddress=xxx.xx.x.xx cs1=allow-all-employees cs1Label=Rule suser=paloaltonetwork\\\\xxxxx duser=paloaltonetwork\\\\xxxxx app=gmail-base cs3=vsys1 cs3Label=VirtualLocation cs4=datacenter cs4Label=FromZone cs5=ethernet4Zone-test1 cs5Label=ToZone deviceInboundInterface=ethernet1/1 deviceOutboundInterface=tunnel.901 cs6=test cs6Label=LogSetting PanOSTimeReceivedManagementPlane=Dec 12 2019 22:16:48 cn1=106112 cn1Label=SessionID cnt=1 spt=16524 dpt=20122 sourceTranslatedPort=15856 destinationTranslatedPort=10128 proto=tcp act=deny PanOSTunnel=N/A PanOSSourceUUID= PanOSDestinationUUID= PanOSRuleUUID=fnullacnullnulle1-2c69-4f2b-8293-46ee4c73737e PanOSClientToFirewall=null PanOSFirewallToClient=null PanOSTLSVersion=null PanOSTLSKeyExchange=null PanOSTLSEncryptionAlgorithm=null PanOSTLSAuth=null PanOSPolicyName= PanOSEllipticCurve= PanOSErrorIndex=null PanOSRootStatus=null PanOSChainStatus=null PanOSProxyType=null PanOSCertificateSerial= PanOSFingerprint= PanOSTimeNotBefore=0 PanOSTimeNotAfter=0 PanOSCertificateVersion=null PanOSCertificateSize=0 PanOSCommonNameLength=0 PanOSIssuerNameLength=0 PanOSRootCNLength=0 PanOSSNILength=0 PanOSCertificateFlags=0 PanOSCommonName= PanOSIssuerCommonName= PanOSRootCommonName= PanOSServerNameIndication= PanOSErrorMessage= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup=test PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= PanOSSourceDeviceMac= PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= externalId=xxxxxxxxxxxxx
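A parser for a record in the layout above, as an added example (it is not code from Palo Alto Networks or the Log Forwarding app). It applies the generic CEF rules (escaped "|" in the seven-field header, key=value extension pairs whose values may contain spaces or be empty, and csN/cnN/c6aN fields whose meaning comes from the sibling csNLabel/cnNLabel/c6aNLabel key), then renames a subset of the resulting CEF names to the Query Names listed in the table below. SAMPLE, its addresses, user names, IDs and error text are constructed placeholders; CEF_TO_QUERY is copied from the table and covers only the fields it lists a Query Name for.

```python
"""Parse a Strata Logging Service Decryption log forwarded in CEF.

Added example, not Palo Alto Networks code.  Generic CEF rules plus a small
CEF-name -> Query-Name map taken from the field table on this page.
"""
import re
from typing import Dict, List, Tuple

HEADER_NAMES = ("cef_version", "device_vendor", "device_product", "device_version",
                "device_event_class_id", "name", "severity")

# Extension keys whose meaning is carried by a sibling <key>Label field
# (the custom-string, custom-number and IPv6 slots the table uses).
LABELED_KEY = re.compile(r"^(cs[1-6]|cn[1-3]|c6a[1-4])$")
# A key is a run of key characters at the start of the extension or after whitespace.
EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
ESCAPES = {"\\": "\\", "=": "=", "|": "|", "n": "\n", "r": "\r"}

# Subset of the page's table, keyed by the CEF name after label resolution.
CEF_TO_QUERY: Dict[str, str] = {
    "act": "action.value", "app": "app", "proto": "protocol.value",
    "Rule": "rule_matched", "VirtualLocation": "vsys", "FromZone": "from_zone",
    "ToZone": "to_zone", "LogSetting": "log_set", "SessionID": "session_id",
    "src": "source_ip.value", "dst": "dest_ip.value", "spt": "source_port",
    "dpt": "dest_port", "suser": "source_user", "duser": "dest_user",
    "rt": "log_time", "start": "time_generated", "externalId": "sequence_no",
    "PanOSDeviceSN": "log_source_id", "PanOSRuleUUID": "rule_matched_uuid",
    "PanOSServerNameIndication": "sni", "PanOSCommonName": "cn",
    "PanOSIssuerCommonName": "issuer_cn", "PanOSErrorMessage": "error_message",
}

def unescape(value: str) -> str:
    """Undo CEF extension escaping; unknown escapes are kept verbatim."""
    return re.sub(r"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(0)), value)

def split_header(record: str) -> Tuple[List[str], str]:
    """Return the seven header fields and the raw extension text."""
    start = record.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    body = record[start + 4:]
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # escaped char inside a header field
            cur.append(body[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, body[i:]                        # text after the 7th '|'

def parse_extension(ext: str) -> Dict[str, str]:
    """key=value pairs; a value runs up to the next ' key=' token, so it may
    contain spaces (timestamps) or be empty (PanOSSourceUUID=)."""
    keys = list(EXT_KEY.finditer(ext))
    out: Dict[str, str] = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = unescape(ext[m.end():end].rstrip())
    return out

def resolve_labels(raw: Dict[str, str]) -> Dict[str, str]:
    """Turn cs1=... cs1Label=Rule into Rule=... and drop the label keys."""
    out: Dict[str, str] = {}
    for key, value in raw.items():
        if key.endswith("Label") and LABELED_KEY.match(key[:-5]):
            continue                               # consumed by its partner below
        label = raw.get(key + "Label") if LABELED_KEY.match(key) else None
        out[label or key] = value
    return out

def parse_cef(record: str) -> Dict[str, object]:
    header, ext = split_header(record)
    return {"header": dict(zip(HEADER_NAMES, header)),
            "fields": resolve_labels(parse_extension(ext))}

def to_query_fields(fields: Dict[str, str]) -> Dict[str, str]:
    """Rename to the table's Query Names (only the subset in CEF_TO_QUERY)."""
    return {CEF_TO_QUERY[k]: v for k, v in fields.items() if k in CEF_TO_QUERY}

SAMPLE = (  # constructed record in the page's layout; addresses/IDs are placeholders
    "Mar 1 20:35:56 192.0.2.10 2341 <14>1 2021-03-01T20:35:56.343Z logfwd-example "
    "logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|DECRYPTION|end|3|"
    "ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=0123456789 "
    "start=Mar 01 2021 20:35:54 src=192.0.2.10 dst=198.51.100.20 "
    r"cs1=allow-all-employees cs1Label=Rule suser=paloaltonetwork\\alice "
    "app=gmail-base cs3=vsys1 cs3Label=VirtualLocation cs4=datacenter cs4Label=FromZone "
    "cs5=ethernet4Zone-test1 cs5Label=ToZone cs6=test cs6Label=LogSetting "
    "cn1=106112 cn1Label=SessionID cnt=1 spt=16524 dpt=20122 proto=tcp act=deny "
    "PanOSTunnel=N/A PanOSSourceUUID= PanOSDestinationUUID= PanOSTLSVersion=null "
    "PanOSServerNameIndication=mail.example.com "
    "PanOSErrorMessage=untrusted issuer (reason\\=self-signed) externalId=7000012345"
)
```

`parse_cef(SAMPLE)["fields"]` yields `Rule`, `VirtualLocation`, `FromZone`, `ToZone`, `LogSetting` and `SessionID` in place of the cs/cn slots, keeps empty values such as `PanOSSourceUUID` as empty strings and the literal string `null` as-is (the app emits both, as the example record shows), and `to_query_fields` then gives the names you would use when querying the Decryption logs directly.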
The following table identifies the Decryption field names that the Log Forwarding app uses when you forward logs using the CEF log format.
CEF Name
Field Details
act
Query Name: action.value
Header Type: Predefined
Max Length: 63
app
Query Name: app
Header Type: Predefined
Max Length: 31
PanOSApplicationCategory
Query Name: app_category
Header Type: Custom
PanOSApplicationSubcategory
Query Name: app_sub_category
Header Type: Custom
PanOSCertificateFlags
Query Name: cert_flags
Header Type: Custom
PanOSCertificateSerial
Query Name: cert_serial
Header Type: Custom
PanOSCertificateSize
Query Name: certificate_size
Header Type: Custom
PanOSCertificateVersion
Header Type: Custom
PanOSChainStatus
Header Type: Custom
PanOSApplicationCharacteristics
Header Type: Custom
PanOSClientToFirewall
Header Type: Custom
PanOSCommonName
Query Name: cn
Header Type: Custom
PanOSCommonNameLength
Query Name: cn_len
Header Type: Custom
PanOSConfigVersion
Header Type: Custom
PanOSContainerID
Query Name: container_id
Header Type: Custom
PanOSApplicationContainer
Query Name: container_of_app
Header Type: Custom
cnt
Query Name: count_of_repeats
Header Type: Predefined
PanOSCpadding
Query Name: cpadding
Header Type: Custom
PanOSCortexDataLakeTenantID
Query Name: customer_id
Header Type: Custom
PanOSDestinationDeviceCategory
Header Type: Custom
PanOSDestinationDeviceClass
Query Name: dest_device_class
Header Type: Custom
PanOSDestinationDeviceHost
Query Name: dest_device_host
Header Type: Custom
PanOSDestinationDeviceMac
Query Name: dest_device_mac
Header Type: Custom
PanOSDestinationDeviceModel
Query Name: dest_device_model
Header Type: Custom
PanOSDestinationDeviceOS
Query Name: dest_device_os
Header Type: Custom
PanOSDestinationDeviceOSFamily
Header Type: Custom
PanOSDestinationDeviceOSVersion
Header Type: Custom
PanOSDestinationDeviceProfile
Header Type: Custom
PanOSDestinationDeviceVendor
Query Name: dest_device_vendor
Header Type: Custom
PanOSDestinationDynamicAddressGroup
Header Type: Custom
PanOSDestinationEDL
Query Name: dest_edl
Header Type: Custom
dst or c6a3
Query Name: dest_ip.value
Header Type: Predefined
Label: c6a3Label (c6a3 only)
Label Text: Destination IPv6 Address (c6a3 only)
PanOSDestinationLocation
Query Name: dest_location
Header Type: Custom
dpt
Query Name: dest_port
Header Type: Predefined
duser
Query Name: dest_user
Header Type: Predefined
Max Length: 1023
dntdom
Header Type: Predefined
Max Length: 255
dusername
Header Type: Predefined
Max Length: 255
duid
Header Type: Predefined
Max Length: 255
PanOSDestinationUUID
Query Name: dest_uuid
Header Type: Custom
PanOSDGHierarchyLevel1
Query Name: dg_hier_level_1
Header Type: Custom
PanOSDGHierarchyLevel2
Query Name: dg_hier_level_2
Header Type: Custom
PanOSDGHierarchyLevel3
Query Name: dg_hier_level_3
Header Type: Custom
PanOSDGHierarchyLevel4
Query Name: dg_hier_level_4
Header Type: Custom
PanOSDomain
Query Name: domain
Header Type: Custom
PanOSEllipticCurve
Header Type: Custom
PanOSErrorIndex
Header Type: Custom
PanOSErrorMessage
Query Name: error_message
Header Type: Custom
PanOSFingerprint
Query Name: fingerprint
Header Type: Custom
PanOSFirewallToClient
Header Type: Custom
cs4
Query Name: from_zone
Header Type: Predefined
Label: cs4Label
Label Text: FromZone
Max Length: 4000
deviceInboundInterface
Header Type: Predefined
Max Length: 128
PanOSInboundInterfaceDetailsPort
Header Type: Custom
PanOSInboundInterfaceDetailsSlot
Header Type: Custom
PanOSInboundInterfaceDetailsType
Header Type: Custom
PanOSInboundInterfaceDetailsUnit
Header Type: Custom
PanOSCaptivePortal
Query Name: is_captive_portal
Header Type: Custom
PanOSIsCertECDSA
Query Name: is_cert_ECDSA
Header Type: Custom
PanOSIsCertRSA
Query Name: is_cert_RSA
Header Type: Custom
PanOSIsCertCNTruncated
Header Type: Custom
PanOSIsClienttoServer
Header Type: Custom
PanOSIsContainer
Query Name: is_container
Header Type: Custom
PanOSIsDecryptMirror
Query Name: is_decrypt_mirror
Header Type: Custom
PanOSIsDecrypted
Query Name: is_decrypted
Header Type: Custom
PanOSIsDuplicateLog
Query Name: is_dup_log
Header Type: Custom
PanOSIsEncrypted
Query Name: is_encrypted
Header Type: Custom
PanOSLogExported
Query Name: is_exported
Header Type: Custom
PanOSIsForwarded
Query Name: is_forwarded
Header Type: Custom
PanOSIsIPV6
Query Name: is_ipv6
Header Type: Custom
PanOSIsIssuerCNTruncated
Header Type: Custom
PanOSIsMptcpOn
Query Name: is_mptcp_on
Header Type: Custom
PanOSIsNAT
Query Name: is_nat
Header Type: Custom
PanOSIsNonStandardDestinationPort
Header Type: Custom
PanOSPacketCapture
Query Name: is_packet_capture
Header Type: Custom
PanOSIsPhishing
Query Name: is_phishing
Header Type: Custom
PanOSIsPrismaNetwork
Query Name: is_prisma_branch
Header Type: Custom
PanOSIsPrismaUsers
Query Name: is_prisma_mobile
Header Type: Custom
PanOSIsProxy
Query Name: is_proxy
Header Type: Custom
PanOSIsReconExcluded
Query Name: is_recon_excluded
Header Type: Custom
PanOSIsResumeSession
Query Name: is_resume_session
Header Type: Custom
PanOSIsRootCNTruncated
Header Type: Custom
PanOSIsSaaSApplication
Query Name: is_saas_app
Header Type: Custom
PanOSIsServertoClient
Header Type: Custom
PanOSIsSNITruncated
Query Name: is_sni_truncated
Header Type: Custom
PanOSIsSourceXForwarded
Query Name: is_source_x_fwded
Header Type: Custom
PanOSIsSystemReturn
Query Name: is_sym_return
Header Type: Custom
PanOSIsTransaction
Query Name: is_transaction
Header Type: Custom
PanOSIsTunnelInspected
Header Type: Custom
PanOSIsURLDenied
Query Name: is_url_denied
Header Type: Custom
PanOSIssuerCommonName
Query Name: issuer_cn
Header Type: Custom
PanOSIssuerNameLength
Query Name: issuer_len
Header Type: Custom
cs6
Query Name: log_set
Header Type: Predefined
Label: cs6Label
Label Text: LogSetting
Max Length: 4000
PanOSLogSource
Query Name: log_source
Header Type: Custom
LogSourceGroupID
Header Type: Custom
Max Length: 255
PanOSDeviceSN
Query Name: log_source_id
Header Type: Custom
PanOSDeviceName
Query Name: log_source_name
Header Type: Custom
PanOSLogSourceTimeZoneOffset
Header Type: Custom
rt
Query Name: log_time
Header Type: Predefined
Device Event Class ID
Query Name: log_type.value
Header Type: Custom
destinationTranslatedAddress
Query Name: nat_dest.value
Header Type: Predefined
destinationTranslatedPort
Query Name: nat_dest_port
Header Type: Predefined
sourceTranslatedAddress
Header Type: Predefined
sourceTranslatedPort
Query Name: nat_source_port
Header Type: Predefined
PanOSTimeNotAfter
Query Name: not_after
Header Type: Custom
PanOSTimeNotBefore
Query Name: not_before
Header Type: Custom
deviceOutboundInterface
Header Type: Predefined
Max Length: 128
PanOSOutboundInterfaceDetailsPort
Header Type: Custom
PanOSOutboundInterfaceDetailsSlot
Header Type: Custom
PanOSOutboundInterfaceDetailsType
Header Type: Custom
PanOSOutboundInterfaceDetailsUnit
Header Type: Custom
PanOSPadding
Query Name: padding
Header Type: Custom
PanOSPadding3
Query Name: padding3
Header Type: Custom
PanOSPanoramaSN
Query Name: panorama_serial
Header Type: Custom
PlatformType
Query Name: platform_type
Header Type: Custom
PanOSContainerName
Query Name: pod_name
Header Type: Custom
PanOSContainerNameSpace
Query Name: pod_namespace
Header Type: Custom
PanOSPolicyName
Query Name: policy_name
Header Type: Custom
proto
Query Name: protocol.value
Header Type: Predefined
Max Length: 31
PanOSProxyType
Header Type: Custom
PanOSApplicationRisk
Query Name: risk_of_app
Header Type: Custom
PanOSRootCommonName
Query Name: root_cn
Header Type: Custom
PanOSRootCNLength
Query Name: root_cn_len
Header Type: Custom
PanOSRootStatus
Header Type: Custom
cs1
Query Name: rule_matched
Header Type: Predefined
Label: cs1Label
Label Text: Rule
Max Length: 4000
PanOSRuleUUID
Query Name: rule_matched_uuid
Header Type: Custom
PanOSSanctionedStateOfApp
Header Type: Custom
externalId
Query Name: sequence_no
Header Type: Predefined
Max Length: 40
cn1
Query Name: session_id
Header Type: Predefined
Label: cn1Label
Label Text: SessionID
PanOSServerNameIndication
Query Name: sni
Header Type: Custom
PanOSSNILength
Query Name: sni_len
Header Type: Custom
PanOSSourceDeviceCategory
Header Type: Custom
PanOSSourceDeviceClass
Header Type: Custom
PanOSSourceDeviceHost
Query Name: source_device_host
Header Type: Custom
PanOSSourceDeviceMac
Query Name: source_device_mac
Header Type: Custom
PanOSSourceDeviceModel
Header Type: Custom
PanOSSourceDeviceOS
Query Name: source_device_os
Header Type: Custom
PanOSSourceDeviceOSFamily
Header Type: Custom
PanOSSourceDeviceOSVersion
Header Type: Custom
PanOSSourceDeviceProfile
Header Type: Custom
PanOSSourceDeviceVendor
Header Type: Custom
PanOSSourceDynamicAddressGroup
Header Type: Custom
PanOSSourceEDL
Query Name: source_edl
Header Type: Custom
src or c6a2
Query Name: source_ip.value
Header Type: Predefined
Label: c6a2Label (c6a2 only)
Label Text: Source IPv6 Address (c6a2 only)
PanOSSourceLocation
Query Name: source_location
Header Type: Custom
spt
Query Name: source_port
Header Type: Predefined
suser
Query Name: source_user
Header Type: Predefined
Max Length: 1023
sntdom
Header Type: Predefined
Max Length: 1023
susername
Header Type: Predefined
Max Length: 1023
suid
Header Type: Predefined
Max Length: 1023
PanOSSourceUUID
Query Name: source_uuid
Header Type: Custom
Name
Query Name: sub_type.value
Header Type: Custom
PanOSApplicationTechnology
Query Name: technology_of_app
Header Type: Custom
start
Query Name: time_generated
Header Type: Predefined
PanOSTimeGeneratedHighResolution
Header Type: Custom
PanOSTimeReceivedManagementPlane
Query Name: time_received_mp
Header Type: Custom
PanOSTLSAuth
Query Name: tls_auth.value
Header Type: Custom
PanOSTLSEncryptionAlgorithm
Header Type: Custom
PanOSTLSKeyExchange
Header Type: Custom
PanOSTLSVersion
Header Type: Custom
cs5
Query Name: to_zone
Header Type: Predefined
Label: cs5Label
Label Text: ToZone
Max Length: 4000
PanOSTpadding
Query Name: tpadding
Header Type: Custom
PanOSTunnel
Query Name: tunnel.value
Header Type: Custom
PanOSTunneledApplication
Query Name: tunneled_app
Header Type: Custom
Device Vendor
Query Name: vendor_name
Header Type: Custom
PanOSVpadding
Query Name: vpadding
Header Type: Custom
cs3
Query Name: vsys
Header Type: Predefined
Label: cs3Label
Label Text: VirtualLocation
Max Length: 4000
PanOSVirtualSystemID
Query Name: vsys_id
Header Type: Custom
PanOSVirtualSystemName
Query Name: vsys_name
Header Type: Custom