Strata Logging Service
SCTP LEEF Fields
Example SCTP log in LEEF:
Sep 21 07:09:02 gke-standard-cluster-2-pool-3-f004381a-0gw6 1557 <14>1 2021-09-21T07:09:02.763Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|null|alert| |TimeReceived=2021-09-21 07:09:00.046851 DeviceSN=xxxxxxxxxxxxx cat=sctp SubType= ConfigVersion= devTime=2021-09-21 07:09:00.046860 src=xxx.xx.x.xx dst=xxx.xx.x.xx NATSource=xxx.xx.x.xx NATDestination=xxx.xx.x.xx Rule=allow-business-apps usrName=paloaltonetwork\xxxxx DestinationUser=paloaltonetworkxxxxx Application=panorama VirtualLocation=vsys1 FromZone=corporate ToZone=untrust InboundInterface=ethernet1/1 OutboundInterface=ethernet1/2 LogSetting=test SessionID=391582 RepeatCount=1 srcPort=3033 dstPort=5496 NATSourcePort=26714 NATDestinationPort=15054 proto=tcp DGHierarchyLevel1=12 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=PA-5220 SequenceNo=6711379990526573312 EndpointAssociationID=2086888838 PayloadProtocolID=-1 VendorSeverity=Critical SctpChunkType=9 SCTPEventType=Kerberos single sign-on failed EventCode=3 VerificationTag1=0x3bae3042 VerificationTag2=0x1911015e SctpCauseCode=0 DiamAppID=-1 DiameterCommandCode=-1 DiamAvpCode=0 StreamID=0 AssocationEndReason= MapAppCode=0 SccpCallingSSN=0 SccpCallingGt= SctpFilter= ChunksTotal=0 ChunksSent=0 ChunksReceived=0 PacketsTotal=0 srcPackets=0 dstPackets=0 RuleUUID= ContainerID= ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL= SourceDynamicAddressGroup= DestinationDynamicAddressGroup= TimeGeneratedHighResolution= devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ
The following table identifies the SCTP field names that the Log Forwarding app uses when you forward logs in the LEEF log format. The Field Type column distinguishes values carried in the pipe-delimited LEEF header (Header: Vendor and EventID) from attribute keys in the key=value section, which are either standard LEEF keys (Predefined: src, dst, srcPort, dstPort, proto, cat, devTime, usrName, srcPackets, dstPackets) or Palo Alto Networks-specific keys (Custom).

When you create a syslog forwarding profile, you can optionally create a profile token that the Log Forwarding app includes when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth), in a parameter called profileToken.
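The example line above has two properties that trip up naive LEEF consumers: the LEEF 2.0 header declares a single space as the attribute delimiter, yet several values (TimeReceived, devTime, SCTPEventType) contain spaces themselves, and the RFC 5424 `<14>` priority in the syslog wrapper says "informational" while the payload says `VendorSeverity=Critical`. The following parser is an added example for this page, not Palo Alto Networks code. It assumes the header layout shown in the example (five header fields plus a delimiter field), falls back to the tab-delimited LEEF 1.0 layout when the version says so, and treats a `profileToken=` attribute like any other key; the sample line is an abbreviated, constructed copy of the page's example with the page's placeholder values.

```python
"""Parse a Strata Logging Service SCTP log line forwarded in LEEF 2.0."""
import re
from datetime import datetime

# Constructed sample: abbreviated copy of the example line on this page,
# keeping the page's placeholder values (xxx...).
SAMPLE = (
    "Sep 21 07:09:02 gke-standard-cluster-2-pool-3-f004381a-0gw6 1557 <14>1 "
    "2021-09-21T07:09:02.763Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 "
    "logforwarder - panwlogs - "
    "LEEF:2.0|Palo Alto Networks|Next Generation Firewall|null|alert| |"
    "TimeReceived=2021-09-21 07:09:00.046851 DeviceSN=xxxxxxxxxxxxx cat=sctp "
    "SubType= ConfigVersion= devTime=2021-09-21 07:09:00.046860 "
    "src=xxx.xx.x.xx dst=xxx.xx.x.xx Rule=allow-business-apps "
    "usrName=paloaltonetwork\\xxxxx Application=panorama VirtualLocation=vsys1 "
    "FromZone=corporate ToZone=untrust SessionID=391582 srcPort=3033 dstPort=5496 "
    "proto=tcp DeviceName=PA-5220 VendorSeverity=Critical SctpChunkType=9 "
    "SCTPEventType=Kerberos single sign-on failed EventCode=3 "
    "VerificationTag1=0x3bae3042 AssocationEndReason= "
    "devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ"
)

# Keys the table on this page marks "Predefined"; every other attribute key
# is a Palo Alto Networks "Custom" key.
PREDEFINED = {"src", "dst", "srcPort", "dstPort", "proto", "cat", "devTime",
              "usrName", "srcPackets", "dstPackets"}

HEADER_FIELDS = ("leef_version", "vendor", "product", "version", "event_id")

# A new attribute begins where whitespace is followed by `Key=`. This is what
# lets a space-delimited payload with spaces inside values be re-split.
KEY_BOUNDARY = re.compile(r"\s+(?=[A-Za-z][A-Za-z0-9_]*=)")


def _decode_delimiter(raw):
    """LEEF 2.0 allows the delimiter as a literal char or a hex code (x09)."""
    m = re.fullmatch(r"(?:0?[xX])([0-9A-Fa-f]{2})", raw)
    return chr(int(m.group(1), 16)) if m else raw


def parse_leef(line):
    """Return pri/facility/severity from the syslog wrapper, plus the LEEF
    header fields and the attribute dict (empty string for `Key=`)."""
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF payload in line")
    prefix, payload = line[:start], line[start:]

    # RFC 5424 <PRI> = facility*8 + severity. This is the forwarder's transport
    # severity, not the firewall's VendorSeverity.
    pri_match = re.search(r"<(\d{1,3})>", prefix)
    pri = int(pri_match.group(1)) if pri_match else None

    version = payload.split("|", 1)[0].split(":", 1)[1]
    if version.startswith("1."):
        *header_vals, attr_text = payload.split("|", 5)   # LEEF 1.0: tab-delimited
        delim = "\t"
    else:
        *header_vals, raw_delim, attr_text = payload.split("|", 6)
        delim = _decode_delimiter(raw_delim)
    header = dict(zip(HEADER_FIELDS, header_vals))
    header["leef_version"] = version

    if delim == " ":
        tokens = KEY_BOUNDARY.split(attr_text.strip())
    else:
        tokens = attr_text.split(delim)
    attrs = {}
    for tok in tokens:
        if tok:
            key, _, value = tok.partition("=")
            attrs[key] = value

    return {
        "pri": pri,
        "facility": None if pri is None else pri // 8,
        "severity": None if pri is None else pri % 8,
        "header": header,
        "attrs": attrs,
    }


def classify(attrs):
    """Map each attribute key to the field type the page's table assigns it."""
    return {k: ("Predefined" if k in PREDEFINED else "Custom") for k in attrs}


def device_time(attrs):
    """devTime as a datetime. The trailing devTimeFormat claims
    YYYY-MM-DD'T'HH:mm:ss.SSSZ, but the example's devTime value uses a space
    separator and microseconds, so parse the value that is actually present."""
    return datetime.fromisoformat(attrs["devTime"])


def needs_attention(event):
    """Alert on the firewall's own severity, not on the syslog PRI (which is
    'informational' for the example line). Severity list is an assumption."""
    a = event["attrs"]
    return a.get("cat") == "sctp" and a.get("VendorSeverity") in {"Critical", "High"}


if __name__ == "__main__":
    ev = parse_leef(SAMPLE)
    print(ev["header"], "syslog severity:", ev["severity"])
    print(ev["attrs"]["SCTPEventType"], device_time(ev["attrs"]))
```

The re-split on `Key=` boundaries is the only workable rule for a space delimiter, but it is still ambiguous: a value that itself contains `word=` (a URL query string, for instance) would be cut in two. If you control the forwarding profile, a tab delimiter avoids the problem entirely; if you do not, validate the parsed key set against the table below before trusting the fields in a detection rule.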
LEEF Name | Query Name | Field Type
---|---|---
EventID | | Header
Application | | Custom
AssocationEndReason | | Custom
ChunksReceived | | Custom
ChunksSent | | Custom
ChunksTotal | | Custom
ConfigVersion | | Custom
ContainerID | | Custom
ContentVersion | | Custom
RepeatCount | | Custom
CortexDataLakeTenantID | | Custom
DestinationDeviceClass | | Custom
DestinationDeviceMac | | Custom
DestinationDeviceModel | | Custom
DestinationDeviceOS | | Custom
DestinationDeviceVendor | | Custom
DestinationDynamicAddressGroup | | Custom
DestinationEDL | | Custom
dst | | Predefined
DestinationLocation | | Custom
dstPort | | Predefined
DestinationUser | | Custom
DestinationUserDomain | | Custom
DestinationUserName | | Custom
DestinationUserUUID | | Custom
DestinationUUID | | Custom
DGHierarchyLevel1 | | Custom
DGHierarchyLevel2 | | Custom
DGHierarchyLevel3 | | Custom
DGHierarchyLevel4 | | Custom
DiamAppID | | Custom
DiamAvpCode | | Custom
DiameterCommandCode | | Custom
EndpointAssociationID | | Custom
EventCode | | Custom
SCTPEventType | | Custom
FromZone | | Custom
InboundInterface | | Custom
InboundInterfaceDetailsPort | | Custom
InboundInterfaceDetailsSlot | | Custom
InboundInterfaceDetailsType | | Custom
InboundInterfaceDetailsUnit | | Custom
CaptivePortal | | Custom
IsClienttoServer | | Custom
IsContainer | | Custom
IsDecryptMirror | | Custom
IsDecryptedPayloadForward | | Custom
IsDecryptedLog | | Custom
IsDuplicateLog | | Custom
LogExported | | Custom
LogForwarded | | Custom
IsIPV6 | | Custom
IsInspectrionBeforeSession | | Custom
IsMptcpOn | | Custom
NAT | | Custom
IsNonStandardDestinationPort | | Custom
IsPacketCapture | | Custom
IsPhishing | | Custom
IsPrismaNetwork | | Custom
IsPrismaUsers | | Custom
IsProxy | | Custom
IsReconExcluded | | Custom
IsServertoClient | | Custom
IsSourceXForwarded | | Custom
IsSystemReturn | | Custom
IsTransaction | | Custom
IsTunnelInspected | | Custom
IsURLDenied | | Custom
LogSetting | | Custom
LogSource | | Custom
LogSourceGroupID | | Custom
DeviceSN | | Custom
DeviceName | | Custom
LogSourceTimeZoneOffset | | Custom
TimeReceived | | Custom
cat | | Predefined
MapAppCode | | Custom
NATDestination | | Custom
NATDestinationPort | | Custom
NATSource | | Custom
NATSourcePort | | Custom
OutboundInterface | | Custom
OutboundInterfaceDetailsPort | | Custom
OutboundInterfaceDetailsSlot | | Custom
OutboundInterfaceDetailsType | | Custom
OutboundInterfaceDetailsUnit | | Custom
dstPackets | | Predefined
srcPackets | | Predefined
PacketsTotal | | Custom
PanoramaSN | | Custom
PayloadProtocolID | | Custom
PlatformType | | Custom
ContainerName | | Custom
ContainerNameSpace | | Custom
proto | | Predefined
Rule | | Custom
RuleUUID | | Custom
SccpCallingGt | | Custom
SccpCallingSSN | | Custom
SctpCauseCode | | Custom
SctpChunkType | | Custom
SctpFilter | | Custom
SequenceNo | | Custom
SessionOwnerMidx | | Custom
SessionEndReason | | Custom
SessionID | | Custom
SessionTracker | | Custom
Severity | | Custom
SourceDeviceClass | | Custom
SourceDeviceMac | | Custom
SourceDeviceModel | | Custom
SourceDeviceOS | | Custom
SourceDeviceVendor | | Custom
SourceDynamicAddressGroup | | Custom
SourceEDL | | Custom
src | | Predefined
SourceLocation | | Custom
srcPort | | Predefined
usrName | | Predefined
SourceUserDomain | | Custom
SourceUserName | | Custom
SourceUserUUID | | Custom
SourceUUID | | Custom
StreamID | | Custom
SubType | | Custom
devTime | | Predefined
TimeGeneratedHighResolution | | Custom
ToZone | | Custom
Tunnel | | Custom
Vendor | | Header
VendorSeverity | | Custom
VerificationTag1 | | Custom
VerificationTag2 | | Custom
VirtualLocation | | Custom
VirtualSystemID | | Custom
VirtualSystemName | | Custom