SCTP LEEF Fields

Table of Contents

SCTP LEEF Fields

Example SCTP log in LEEF:

Sep 21 07:09:02 gke-standard-cluster-2-pool-3-f004381a-0gw6 1557 <14>1 2021-09-21T07:09:02.763Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|null|alert|	|TimeReceived=2021-09-21 07:09:00.046851	DeviceSN=xxxxxxxxxxxxx	cat=sctp	SubType=	ConfigVersion=	devTime=2021-09-21 07:09:00.046860	src=xxx.xx.x.xx	dst=xxx.xx.x.xx	NATSource=xxx.xx.x.xx	NATDestination=xxx.xx.x.xx	Rule=allow-business-apps	usrName=paloaltonetwork\xxxxx	DestinationUser=paloaltonetworkxxxxx	Application=panorama	VirtualLocation=vsys1	FromZone=corporate	ToZone=untrust	InboundInterface=ethernet1/1	OutboundInterface=ethernet1/2	LogSetting=test	SessionID=391582	RepeatCount=1	srcPort=3033	dstPort=5496	NATSourcePort=26714	NATDestinationPort=15054	proto=tcp	DGHierarchyLevel1=12	DGHierarchyLevel2=0	DGHierarchyLevel3=0	DGHierarchyLevel4=0	VirtualSystemName=	DeviceName=PA-5220	SequenceNo=6711379990526573312	EndpointAssociationID=2086888838	PayloadProtocolID=-1	VendorSeverity=Critical	SctpChunkType=9	SCTPEventType=Kerberos single sign-on failed	EventCode=3	VerificationTag1=0x3bae3042	VerificationTag2=0x1911015e	SctpCauseCode=0	DiamAppID=-1	DiameterCommandCode=-1	DiamAvpCode=0	StreamID=0	AssocationEndReason=	MapAppCode=0	SccpCallingSSN=0	SccpCallingGt=	SctpFilter=	ChunksTotal=0	ChunksSent=0	ChunksReceived=0	PacketsTotal=0	srcPackets=0	dstPackets=0	RuleUUID=	ContainerID=	ContainerNameSpace=	ContainerName=	SourceEDL=	DestinationEDL=	SourceDynamicAddressGroup=	DestinationDynamicAddressGroup=	TimeGeneratedHighResolution=	devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ

The following table identifies the SCTP field names that the Log Forwarding app uses when you forward logs using the LEEF log format.

When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token will appear on a parameter called profileToken.

LEEF Name	Query Name	Field Type
EventID	action.value	Header
Application	app	Custom
AssocationEndReason	association_end_reason.value	Custom
ChunksReceived	chunks_received	Custom
ChunksSent	chunks_sent	Custom
ChunksTotal	chunks_total	Custom
ConfigVersion	config_version.value	Custom
ContainerID	container_id	Custom
ContentVersion	content_version	Custom
RepeatCount	count_of_repeats	Custom
CortexDataLakeTenantID	customer_id	Custom
DestinationDeviceClass	dest_device_class	Custom
DestinationDeviceMac	dest_device_mac	Custom
DestinationDeviceModel	dest_device_model	Custom
DestinationDeviceOS	dest_device_os	Custom
DestinationDeviceVendor	dest_device_vendor	Custom
DestinationDynamicAddressGroup	dest_dynamic_address_group	Custom
DestinationEDL	dest_edl	Custom
dst	dest_ip.value	Predefined
DestinationLocation	dest_location	Custom
dstPort	dest_port	Predefined
DestinationUser	dest_user	Custom
DestinationUserDomain	dest_user_info.domain	Custom
DestinationUserName	dest_user_info.name	Custom
DestinationUserUUID	dest_user_info.uuid	Custom
DestinationUUID	dest_uuid	Custom
DGHierarchyLevel1	dg_hier_level_1	Custom
DGHierarchyLevel2	dg_hier_level_2	Custom
DGHierarchyLevel3	dg_hier_level_3	Custom
DGHierarchyLevel4	dg_hier_level_4	Custom
DiamAppID	diam_app_id	Custom
DiamAvpCode	diam_avp_code	Custom
DiameterCommandCode	diam_cmd_code	Custom
EndpointAssociationID	ep_assoc_id	Custom
EventCode	event_code	Custom
SCTPEventType	event_type.value	Custom
FromZone	from_zone	Custom
InboundInterface	inbound_if.value	Custom
InboundInterfaceDetailsPort	inbound_if_details.port	Custom
InboundInterfaceDetailsSlot	inbound_if_details.slot	Custom
InboundInterfaceDetailsType	inbound_if_details.type.value	Custom
InboundInterfaceDetailsUnit	inbound_if_details.unit	Custom
CaptivePortal	is_captive_portal	Custom
IsClienttoServer	is_client_to_server	Custom
IsContainer	is_container	Custom
IsDecryptMirror	is_decrypt_mirror	Custom
IsDecryptedPayloadForward	is_decrypted_payload_fwded	Custom
IsDecryptedLog	is_decryption_log	Custom
IsDuplicateLog	is_dup_log	Custom
LogExported	is_exported	Custom
LogForwarded	is_forwarded	Custom
IsIPV6	is_ipv6	Custom
IsInspectrionBeforeSession	is_l7_inspection_b4_session	Custom
IsMptcpOn	is_mptcp_on	Custom
NAT	is_nat	Custom
IsNonStandardDestinationPort	is_non_std_dest_port	Custom
IsPacketCapture	is_packet_capture	Custom
IsPhishing	is_phishing	Custom
IsPrismaNetwork	is_prisma_branch	Custom
IsPrismaUsers	is_prisma_mobile	Custom
IsProxy	is_proxy	Custom
IsReconExcluded	is_recon_excluded	Custom
IsServertoClient	is_server_to_client	Custom
IsSourceXForwarded	is_source_x_fwded	Custom
IsSystemReturn	is_sym_return	Custom
IsTransaction	is_transaction	Custom
IsTunnelInspected	is_tunnel_inspected	Custom
IsURLDenied	is_url_denied	Custom
LogSetting	log_set	Custom
LogSource	log_source	Custom
LogSourceGroupID	log_source_group_id	Custom
DeviceSN	log_source_id	Custom
DeviceName	log_source_name	Custom
LogSourceTimeZoneOffset	log_source_tz_offset	Custom
TimeReceived	log_time	Custom
cat	log_type.value	Predefined
MapAppCode	map_op_code	Custom
NATDestination	nat_dest.value	Custom
NATDestinationPort	nat_dest_port	Custom
NATSource	nat_source.value	Custom
NATSourcePort	nat_source_port	Custom
OutboundInterface	outbound_if.value	Custom
OutboundInterfaceDetailsPort	outbound_if_details.port	Custom
OutboundInterfaceDetailsSlot	outbound_if_details.slot	Custom
OutboundInterfaceDetailsType	outbound_if_details.type.value	Custom
OutboundInterfaceDetailsUnit	outbound_if_details.unit	Custom
dstPackets	packets_received	Predefined
srcPackets	packets_sent	Predefined
PacketsTotal	packets_total	Custom
PanoramaSN	panorama_serial	Custom
PayloadProtocolID	payload_protocol_id	Custom
PlatformType	platform_type	Custom
ContainerName	pod_name	Custom
ContainerNameSpace	pod_namespace	Custom
proto	protocol.value	Predefined
Rule	rule_matched	Custom
RuleUUID	rule_matched_uuid	Custom
SccpCallingGt	sccp_calling_gt	Custom
SccpCallingSSN	sccp_calling_ssn	Custom
SctpCauseCode	sctp_cause_code	Custom
SctpChunkType	sctp_chunk_type	Custom
SctpFilter	sctp_filter	Custom
SequenceNo	sequence_no	Custom
SessionOwnerMidx	sess_owner_rt_midx	Custom
SessionEndReason	session_end_reason.value	Custom
SessionID	session_id	Custom
SessionTracker	session_tracker	Custom
Severity	severity	Custom
SourceDeviceClass	source_device_class	Custom
SourceDeviceMac	source_device_mac	Custom
SourceDeviceModel	source_device_model	Custom
SourceDeviceOS	source_device_os	Custom
SourceDeviceVendor	source_device_vendor	Custom
SourceDynamicAddressGroup	source_dynamic_address_group	Custom
SourceEDL	source_edl	Custom
src	source_ip.value	Predefined
SourceLocation	source_location	Custom
srcPort	source_port	Predefined
usrName	source_user	Predefined
SourceUserDomain	source_user_info.domain	Custom
SourceUserName	source_user_info.name	Custom
SourceUserUUID	source_user_info.uuid	Custom
SourceUUID	source_uuid	Custom
StreamID	stream_id	Custom
SubType	sub_type.value	Custom
devTime	time_generated	Predefined
TimeGeneratedHighResolution	time_generated_high_res	Custom
ToZone	to_zone	Custom
Tunnel	tunnel.value	Custom
Vendor	vendor_name	Header
VendorSeverity	vendor_severity.value	Custom
VerificationTag1	verification_tag_1	Custom
VerificationTag2	verification_tag_2	Custom
VirtualLocation	vsys	Custom
VirtualSystemID	vsys_id	Custom
VirtualSystemName	vsys_name	Custom

SCTP HTTPS Fields

Threat

Strata Logging Service Docs

SCTP LEEF Fields

Strata Logging Service Docs

SCTP LEEF Fields

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner