>
    HIP Match LEEF Fields
    Focus
    Download PDF
    Focus
    1. Home
    2. Strata Logging Service
    3. Network Logs
    4. HIP Match
    5. HIP Match LEEF Fields
    Download PDF
    Strata Logging Service

    HIP Match LEEF Fields

    Table of Contents

    HIP Match LEEF Fields

    Example HIP Match log in LEEF: 
    Sep 21 01:47:20 xxx.xx.x.xx 2368 <14>1 2021-09-21T01:47:20.990Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|2|	|profileToken=Palotoken VirtualSystemID=1	SequenceNo=6711379990526558208	SourceDeviceClass=	src=xxx.xx.x.xx	VirtualSystemName=	devTime=2020-10-13T03:31:40.000000Z	DeviceSN=xxxxxxxxxxxxx	UUID=	Source=	identHostName=machine_name1	DeviceName=PA-5220	LogExported=false	TimeGeneratedHighResolution=	SourceDeviceModel=	HostID=e777947f-d92e-4815-9222-89438203bc2b	TimeReceived=2020-10-13T03:31:40.000000Z	SourceDeviceVendor=	EndpointSerialNumber=xxxxxxxxxxxxxx	VirtualLocation=vsys1	SourceDeviceHost=	TimestampDeviceIdentification=	IsPrismaUsers=false	EventID=HIPMATCH	SourceUserUUID=	SourceUserDomain=xxxxx	SourceIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx	HipMatchName=match_name1	IsDuplicateLog=false	LogForwarded=true	CountOfRepeats=1	usrName="xxxxx\\xxxxx	xxxxx"	LogSourceTimeZoneOffset=	TenantID=xxxxxxxxxxxxx	SourceUserName=xxxxx	xxxxx	SourceDeviceMac=	SourceDeviceOSVersion=	IsPrismaNetworks=false	EndpointOSType=iOS	HipMatchType=HIP	Profile	SourceDeviceOSFamily=	LogSource=firewall	SourceDeviceCategory=	SourceDeviceProfile=	Vendor=Palo	Alto	Networks	cat=	SourceDeviceOS=	devTimeFormat=YYYY-MM-DDTHH:MM:SSZ
    The following table identifies the HIP Match field names that the Log Forwarding app uses when you forward logs using the LEEF log format.
    When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token will appear on a parameter called profileToken.
    LEEF Name
    Query Name
    Field Type
    ConfigVersion
    config_version.​value
    Custom
    CountOfRepeats
    count_of_repeats
    Custom
    TenantID
    customer_id
    Custom
    DGHierarchyLevel1
    dg_hier_level_1
    Custom
    DGHierarchyLevel2
    dg_hier_level_2
    Custom
    DGHierarchyLevel3
    dg_hier_level_3
    Custom
    DGHierarchyLevel4
    dg_hier_level_4
    Custom
    identHostName
    endpoint_device_name
    Predefined
    EndpointOSType
    endpoint_os_type
    Custom
    EndpointSerialNumber
    endpoint_serial_number
    Custom
    EventID
    hip_match_name
    Header
    header_event_id
    hip_match_type.​value
    Predefined
    HostID
    host_id
    Custom
    IsDuplicateLog
    is_dup_log
    Custom
    LogExported
    is_exported
    Custom
    LogForwarded
    is_forwarded
    Custom
    IsPrismaNetworks
    is_prisma_branch
    Custom
    IsPrismaUsers
    is_prisma_mobile
    Custom
    LogSource
    log_source
    Custom
    LogSourceGroupID
    log_source_group_id
    Custom
    DeviceSN
    log_source_id
    Custom
    DeviceName
    log_source_name
    Custom
    LogSourceTimeZoneOffset
    log_source_tz_offset
    Custom
    TimeReceived
    log_time
    Custom
    cat
    log_type.​value
    Predefined
    PanoramaSN
    panorama_serial
    Custom
    PlatformType
    platform_type
    Custom
    SequenceNo
    sequence_no
    Custom
    Source
    source
    Custom
    SourceDeviceCategory
    source_device_category
    Custom
    SourceDeviceClass
    source_device_class
    Custom
    SourceDeviceHost
    source_device_host
    Custom
    SourceDeviceMac
    source_device_mac
    Custom
    SourceDeviceModel
    source_device_model
    Custom
    SourceDeviceOS
    source_device_os
    Custom
    SourceDeviceOSFamily
    source_device_osfamily
    Custom
    SourceDeviceOSVersion
    source_device_osversion
    Custom
    SourceDeviceProfile
    source_device_profile
    Custom
    SourceDeviceVendor
    source_device_vendor
    Custom
    src
    source_ip.​value
    Predefined
    SourceIPv6
    source_ip_v6.​value
    Custom
    usrName
    source_user
    Predefined
    SourceUserDomain
    source_user_info.​domain
    Custom
    SourceUserName
    source_user_info.​name
    Custom
    SourceUserUUID
    source_user_info.​uuid
    Custom
    SubType
    sub_type.​value
    Custom
    devTime
    time_generated
    Predefined
    TimeGeneratedHighResolution
    time_generated_high_res
    Custom
    TimestampDeviceIdentification
    timestamp_device_identification
    Custom
    UUID
    uuid
    Custom
    Vendor
    vendor_name
    Header
    VirtualLocation
    vsys
    Custom
    VirtualSystemID
    vsys_id
    Custom
    VirtualSystemName
    vsys_name
    Custom

    © 2024 Palo Alto Networks, Inc. All rights reserved.