GlobalProtect LEEF Fields

Table of Contents

Example GlobalProtect log in LEEF:

Sep 24 20:13:48 gke-standard-cluster-2-default-pool-2c7fa720-n8p0 1365 <14>1 2021-09-24T20:13:48.624Z stream-logfwd20-93a53631--09241148-wcvh-harness-dm5m logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.0|portal-prelogin|	|ProfileToken=xxxxx	TimeReceived=2021-09-24 20:13:46.277651	DeviceSN=xxxxxxxxxxxxx	cat=globalprotect	SubType=globalprotect	ConfigVersion=10.0	devTime=2021-09-24 20:13:46.277654	VirtualSystem=vsys1	Stage=connected	AuthMethod=LDAP	TunnelType=sslvpn	usrName=paloaltonetwork\xxxxx	SourceRegion=US	EndpointDeviceName=machine_name1	PublicIPv4=xxx.xx.x.xx	PublicIPv6=xxx.xx.x.xx	PrivateIPv4=xxx.xx.x.xx	PrivateIPv6=xxx.xx.x.xx	HostID=	EndpointSN=serialno_list-2	GlobalProtectClientVersion=2.4.7	EndpointOSType=Ubuntu	EndpointOSVersion=16.04.5 LTS	CountOfRepeats=16777216	QuarantineReason=Admin	ConnectionError=Device is quarantined	Description=opaque_list-0	EventStatus=success	GlobalProtectGatewayLocation=Palo Alto	LoginDuration=0	ConnectionMethod=connect_method_list-1	ConnectionErrorID=0	Portal=portal_list-2	SequenceNo=117	TimeGeneratedHighResolution=2021-09-24 20:13:46.277649	GatewaySelectionType=select_type-0	SSLResponseTime=59393	GatewayPriority=highest	AttemptedGateways=gateway-0,352,5	Gateway=	DGHierarchyLevel1=11	DGHierarchyLevel2=0	DGHierarchyLevel3=0	DGHierarchyLevel4=0	VirtualSystemName=	DeviceName=xxxxx	VirtualSystemID=1	devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ

The following table identifies the GlobalProtect field names that the Log Forwarding app uses when you forward logs using the LEEF log format.

When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token will appear on a parameter called profileToken.

LEEF Name	Query Name	Field Type
AttemptedGateways	attempted_gateways	Custom
AuthMethod	auth_method	Custom
ConfigVersion	config_version.value	Custom
ConnectionMethod	connect_method	Custom
ConnectionErrorID	connection_error.id	Custom
ConnectionError	connection_error.value	Custom
CountOfRepeats	count_of_repeats	Custom
TenantID	customer_id	Custom
DGHierarchyLevel1	dg_hier_level_1	Custom
DGHierarchyLevel2	dg_hier_level_2	Custom
DGHierarchyLevel3	dg_hier_level_3	Custom
DGHierarchyLevel4	dg_hier_level_4	Custom
EndpointDeviceName	endpoint_device_name	Custom
GlobalProtectClientVersion	endpoint_gp_version	Custom
EndpointOSType	endpoint_os_type	Custom
EndpointOSVersion	endpoint_os_version	Custom
EndpointSN	endpoint_serial_number	Custom
EventID	event_id.value	Header
Gateway	gateway	Custom
GatewayPriority	gateway_priority.value	Custom
GatewaySelectionType	gateway_selection_type	Custom
GlobalProtectGatewayLocation	gpg_location	Custom
HostID	host_id	Custom
IsDuplicateLog	is_dup_log	Custom
LogExported	is_exported	Custom
LogForwarded	is_forwarded	Custom
IsPrismaNetworks	is_prisma_branch	Custom
IsPrismaUsers	is_prisma_mobile	Custom
LogSource	log_source	Custom
LogSourceGroupID	log_source_group_id	Custom
DeviceSN	log_source_id	Custom
DeviceName	log_source_name	Custom
LogSourceTimeZoneOffset	log_source_tz_offset	Custom
TimeReceived	log_time	Custom
cat	log_type.value	Predefined
LoginDuration	login_duration	Custom
Description	opaque	Custom
PanoramaSN	panorama_serial	Custom
PlatformType	platform_type	Custom
Portal	portal	Custom
PrivateIPv4	private_ip.value	Custom
PrivateIPv6	private_ipv6.value	Custom
ProjectName	project_name	Custom
PublicIPv4	public_ip.value	Custom
PublicIPv6	public_ipv6.value	Custom
QuarantineReason	quarantine_reason	Custom
SequenceNo	sequence_no	Custom
SourceRegion	source_region	Custom
usrName	source_user	Predefined
SourceUserDomain	source_user_info.domain	Custom
SourceUserName	source_user_info.name	Custom
SourceUserUUID	source_user_info.uuid	Custom
SSLResponseTime	ssl_response_time	Custom
Stage	stage	Custom
EventStatus	status.value	Custom
SubType	sub_type.value	Custom
devTime	time_generated	Predefined
TimeGeneratedHighResolution	time_generated_high_res	Custom
TunnelType	tunnel	Custom
Vendor	vendor_name	Header
VirtualSystem	vsys	Custom
VirtualSystemID	vsys_id	Custom
VirtualSystemName	vsys_name	Custom

GlobalProtect HTTPS Fields

HIP Match

Strata Logging Service Docs

GlobalProtect LEEF Fields

Strata Logging Service Docs

GlobalProtect LEEF Fields

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner

Technical Documentation

Company

Legal Notices