GlobalProtect LEEF Fields
Focus
Focus
Strata Logging Service

GlobalProtect LEEF Fields

Table of Contents

GlobalProtect LEEF Fields

Example GlobalProtect log in LEEF:
Sep 24 20:13:48 gke-standard-cluster-2-default-pool-2c7fa720-n8p0 1365 <14>1 2021-09-24T20:13:48.624Z stream-logfwd20-93a53631--09241148-wcvh-harness-dm5m logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.0|portal-prelogin| |ProfileToken=xxxxx TimeReceived=2021-09-24 20:13:46.277651 DeviceSN=xxxxxxxxxxxxx cat=globalprotect SubType=globalprotect ConfigVersion=10.0 devTime=2021-09-24 20:13:46.277654 VirtualSystem=vsys1 Stage=connected AuthMethod=LDAP TunnelType=sslvpn usrName=paloaltonetwork\xxxxx SourceRegion=US EndpointDeviceName=machine_name1 PublicIPv4=xxx.xx.x.xx PublicIPv6=xxx.xx.x.xx PrivateIPv4=xxx.xx.x.xx PrivateIPv6=xxx.xx.x.xx HostID= EndpointSN=serialno_list-2 GlobalProtectClientVersion=2.4.7 EndpointOSType=Ubuntu EndpointOSVersion=16.04.5 LTS CountOfRepeats=16777216 QuarantineReason=Admin ConnectionError=Device is quarantined Description=opaque_list-0 EventStatus=success GlobalProtectGatewayLocation=Palo Alto LoginDuration=0 ConnectionMethod=connect_method_list-1 ConnectionErrorID=0 Portal=portal_list-2 SequenceNo=117 TimeGeneratedHighResolution=2021-09-24 20:13:46.277649 GatewaySelectionType=select_type-0 SSLResponseTime=59393 GatewayPriority=highest AttemptedGateways=gateway-0,​352,​5 Gateway= DGHierarchyLevel1=11 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=xxxxx VirtualSystemID=1 devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ
The following table identifies the GlobalProtect field names that the Log Forwarding app uses when you forward logs using the LEEF log format.
When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token will appear on a parameter called profileToken.
LEEF Name
Query Name
Field Type
AttemptedGateways
Custom
AuthMethod
Custom
ConfigVersion
Custom
ConnectionMethod
Custom
ConnectionErrorID
Custom
ConnectionError
Custom
CountOfRepeats
Custom
TenantID
Custom
DGHierarchyLevel1
Custom
DGHierarchyLevel2
Custom
DGHierarchyLevel3
Custom
DGHierarchyLevel4
Custom
EndpointDeviceName
Custom
GlobalProtectClientVersion
Custom
EndpointOSType
Custom
EndpointOSVersion
Custom
EndpointSN
Custom
EventID
Header
Gateway
Custom
GatewayPriority
Custom
GatewaySelectionType
Custom
GlobalProtectGatewayLocation
Custom
HostID
Custom
IsDuplicateLog
Custom
LogExported
Custom
LogForwarded
Custom
IsPrismaNetworks
Custom
IsPrismaUsers
Custom
LogSource
Custom
LogSourceGroupID
Custom
DeviceSN
Custom
DeviceName
Custom
LogSourceTimeZoneOffset
Custom
TimeReceived
Custom
cat
Predefined
LoginDuration
Custom
Description
Custom
PanoramaSN
Custom
PlatformType
Custom
Portal
Custom
PrivateIPv4
Custom
PrivateIPv6
Custom
ProjectName
Custom
PublicIPv4
Custom
PublicIPv6
Custom
QuarantineReason
Custom
SequenceNo
Custom
SourceRegion
Custom
usrName
Predefined
SourceUserDomain
Custom
SourceUserName
Custom
SourceUserUUID
Custom
SSLResponseTime
Custom
Stage
Custom
EventStatus
Custom
SubType
Custom
devTime
Predefined
TimeGeneratedHighResolution
Custom
TunnelType
Custom
Vendor
Header
VirtualSystem
Custom
VirtualSystemID
Custom
VirtualSystemName
Custom