Strata Logging Service
HIP Match LEEF Fields
Example HIP Match log in LEEF:
Sep 21 01:47:20 xxx.xx.x.xx 2368 <14>1 2021-09-21T01:47:20.990Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|2| |profileToken=Palotoken VirtualSystemID=1 SequenceNo=6711379990526558208 SourceDeviceClass= src=xxx.xx.x.xx VirtualSystemName= devTime=2020-10-13T03:31:40.000000Z DeviceSN=xxxxxxxxxxxxx UUID= Source= identHostName=machine_name1 DeviceName=PA-5220 LogExported=false TimeGeneratedHighResolution= SourceDeviceModel= HostID=e777947f-d92e-4815-9222-89438203bc2b TimeReceived=2020-10-13T03:31:40.000000Z SourceDeviceVendor= EndpointSerialNumber=xxxxxxxxxxxxxx VirtualLocation=vsys1 SourceDeviceHost= TimestampDeviceIdentification= IsPrismaUsers=false EventID=HIPMATCH SourceUserUUID= SourceUserDomain=xxxxx SourceIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx HipMatchName=match_name1 IsDuplicateLog=false LogForwarded=true CountOfRepeats=1 usrName="xxxxx\\xxxxx xxxxx" LogSourceTimeZoneOffset= TenantID=xxxxxxxxxxxxx SourceUserName=xxxxx xxxxx SourceDeviceMac= SourceDeviceOSVersion= IsPrismaNetworks=false EndpointOSType=iOS HipMatchType=HIP Profile SourceDeviceOSFamily= LogSource=firewall SourceDeviceCategory= SourceDeviceProfile= Vendor=Palo Alto Networks cat= SourceDeviceOS= devTimeFormat=YYYY-MM-DDTHH:MM:SSZ
The following table identifies the HIP Match field names that the Log Forwarding app uses when you forward logs using the LEEF log format.

When you create a syslog forwarding profile, you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth), as the value of a parameter called profileToken.
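The profileToken placement described above, as an added example that is not part of the Strata Logging Service documentation or its software: a small parser for the LEEF 2.0 line format shown on this page, followed by an ingestion-side check that a received line carries the token configured on the syslog profile and the HIPMATCH EventID. The sample line is a shortened, constructed copy of the one above, and the expected token value is an assumption.

```python
import re
# Constructed sample: a shortened copy of the HIP Match line shown above (xxx = page's redactions).
SAMPLE = (
    "Sep 21 01:47:20 xxx.xx.x.xx 2368 <14>1 2021-09-21T01:47:20.990Z "
    "stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - "
    "LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|2| |"
    "profileToken=Palotoken VirtualSystemID=1 SourceDeviceClass= src=xxx.xx.x.xx "
    "EventID=HIPMATCH HipMatchType=HIP Profile "
    r'usrName="xxxxx\\xxxxx xxxxx" '
    "Vendor=Palo Alto Networks cat= devTimeFormat=YYYY-MM-DDTHH:MM:SSZ"
)

# LEEF 2.0 header: LEEF:version|vendor|product|product version|event id|delimiter|attributes
LEEF_HEADER = re.compile(
    r"LEEF:(?P<version>[0-9.]+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<product_version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<delim>[^|]*)\|(?P<attrs>.*)$"
)
# With a space delimiter, values such as "HIP Profile" or "Palo Alto Networks" also contain
# spaces, so split only on a space that is immediately followed by the next key=.
SPACE_SPLIT = re.compile(r" (?=[A-Za-z_][A-Za-z0-9_]*=)")

def parse_leef(line):
    """Return (header dict, attribute dict) for one forwarded LEEF 2.0 line."""
    start = line.find("LEEF:")          # skip the syslog prefix (timestamp, host, pid, ...)
    if start < 0:
        raise ValueError("no LEEF header in line")
    m = LEEF_HEADER.match(line[start:])
    if m is None:
        raise ValueError("malformed LEEF 2.0 header")
    header = {k: v for k, v in m.groupdict().items() if k != "attrs"}
    delim = header["delim"] or " "
    raw = m.group("attrs")
    parts = SPACE_SPLIT.split(raw) if delim == " " else raw.split(delim)
    attrs = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:                         # keep empty values (cat=), drop key-less fragments
            attrs[key] = value
    return header, attrs

def check_hip_match(line, expected_token):
    """Ingestion check: reasons this line is not a HIP Match log from the expected profile."""
    _, attrs = parse_leef(line)
    problems = []
    if attrs.get("profileToken") != expected_token:   # token configured on the syslog profile
        problems.append("profileToken missing or does not match the configured profile token")
    if attrs.get("EventID") != "HIPMATCH":
        problems.append("EventID is %r, not HIPMATCH" % attrs.get("EventID"))
    return problems
```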
LEEF Name | Query Name | Field Type
---|---|---
ConfigVersion | | Custom
CountOfRepeats | | Custom
TenantID | | Custom
DGHierarchyLevel1 | | Custom
DGHierarchyLevel2 | | Custom
DGHierarchyLevel3 | | Custom
DGHierarchyLevel4 | | Custom
identHostName | | Predefined
EndpointOSType | | Custom
EndpointSerialNumber | | Custom
EventID | | Header
header_event_id | | Predefined
HostID | | Custom
IsDuplicateLog | | Custom
LogExported | | Custom
LogForwarded | | Custom
IsPrismaNetworks | | Custom
IsPrismaUsers | | Custom
LogSource | | Custom
LogSourceGroupID | | Custom
DeviceSN | | Custom
DeviceName | | Custom
LogSourceTimeZoneOffset | | Custom
TimeReceived | | Custom
cat | | Predefined
PanoramaSN | | Custom
PlatformType | | Custom
SequenceNo | | Custom
Source | | Custom
SourceDeviceCategory | | Custom
SourceDeviceClass | | Custom
SourceDeviceHost | | Custom
SourceDeviceMac | | Custom
SourceDeviceModel | | Custom
SourceDeviceOS | | Custom
SourceDeviceOSFamily | | Custom
SourceDeviceOSVersion | | Custom
SourceDeviceProfile | | Custom
SourceDeviceVendor | | Custom
src | | Predefined
SourceIPv6 | | Custom
usrName | | Predefined
SourceUserDomain | | Custom
SourceUserName | | Custom
SourceUserUUID | | Custom
SubType | | Custom
devTime | | Predefined
TimeGeneratedHighResolution | | Custom
TimestampDeviceIdentification | | Custom
UUID | | Custom
Vendor | | Header
VirtualLocation | | Custom
VirtualSystemID | | Custom
VirtualSystemName | | Custom