Strata Logging Service
Traffic LEEF Fields
Example Traffic log in LEEF:
Sep 21 01:47:21 gke-standard-cluster-2-pool-3-f004381a-0gw6 2557 <14>1 2021-09-21T01:47:21.059Z stream-logfwd20-d324e775--09201841-lxtx-harness-0cc4 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|drop-reset| |TimeReceived=2021-09-21T01:47:20.000000Z DeviceSN=xxxxxxxxxxxxx cat=traffic SubType=end ConfigVersion=10.1 devTime=2021-09-21T01:47:18.000000Z src=xxx.xx.x.xx dst=xxx.xx.x.xx srcPostNAT=xxx.xx.x.xx dstPostNAT=xxx.xx.x.xx Rule=deny-attackers usrName=paloaltonetwork\xxxxx DestinationUser=paloaltonetwork\xxxxx Application=kik VirtualLocation=vsys1 FromZone=ethernet4Zone-test1 ToZone=dmz InboundInterface=ethernet1/1 OutboundInterface=ethernet1/1 LogSetting=rs-logging SessionID=378400 RepeatCount=1 srcPort=30217 dstPort=19224 srcPostNATPort=30495 dstPostNATPort=26496 proto=tcp Bytes=1662791 srcBytes=1011460 dstBytes=651331 totalPackets=1296 SessionStartTime=2021-09-21T01:46:47.000000Z SessionDuration=21 URLCategory=travel SequenceNo=7003061085139304175 SourceLocation=CN DestinationLocation=AU srcPackets=773 dstPackets=523 SessionEndReason=unknown DGHierarchyLevel1=11 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=xxxxx ActionSource=unknown SourceUUID=DestinationUUID= IMSI=1625217256995207 IMEI= ParentSessionID=0 ParentStarttime=2021-09-21T01:46:47.000000Z Tunnel=N/A EndpointAssociationID=-7926053869195362181 ChunksTotal=2388 ChunksSent=1194 ChunksReceived=1194 RuleUUID=017e4d76-2003-47f4-8afc-1d35c808c615 HTTP2Connection=378400 LinkChangeCount=0 SDWANPolicyName= LinkSwitches= SDWANCluster= SDWANDeviceType= SDWANClusterType= SDWANSite= DynamicUserGroupName=test-dynug-5 X-Forwarded-ForIP=xxx.xx.x.xx SourceDeviceCategory=N-Phone SourceDeviceProfile=n-profile SourceDeviceModel=Nexus SourceDeviceVendor=Google SourceDeviceOSFamily=LG-H790 SourceDeviceOSVersion=Android v6 SourceDeviceHost=pan-301 SourceDeviceMac=839147449905 DestinationDeviceCategory=N-Phone DestinationDeviceProfile=n-profile DestinationDeviceModel=Nexus DestinationDeviceVendor=Google DestinationDeviceOSFamily=H1511 DestinationDeviceOSVersion=Android v7 DestinationDeviceHost=pan-355 DestinationDeviceMac=530589561221 ContainerID=1873cc5c-0d31 ContainerNameSpace=pns_default ContainerName=pan-dp-77754f4 SourceEDL= DestinationEDL= GPHostID=3030303030EndpointSerialNumber=xxxxxxxxxxxxxx SourceDynamicAddressGroup= DestinationDynamicAddressGroup= HASessionOwner=session_owner-2 TimeGeneratedHighResolution=2021-09-21T01:47:18.730000Z NSSAINetworkSliceType=39 NSSAINetworkSliceDifferentiator=ca1d devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ
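The line above has three layers: a syslog header, the pipe-separated LEEF:2.0 header (vendor, product, version, event ID, and the attribute delimiter, here a single space), and then key=value attributes split on that delimiter. The following Python parser is an added example, not code from the Strata Logging Service or the Log Forwarding app; its sample line is constructed with placeholder values, and treating an empty delimiter field as a tab is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the page's log (placeholder values, RFC 5737 addresses).
SAMPLE = (
    "<14>1 2021-09-21T01:47:21.059Z logfwd-host logforwarder - panwlogs - "
    "LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|drop-reset| |"
    "TimeReceived=2021-09-21T01:47:20.000000Z cat=traffic SubType=end "
    "src=198.51.100.10 dst=203.0.113.5 Rule=deny-attackers usrName=example\\user "
    "proto=tcp Bytes=1662791 SourceDeviceOSVersion=Android v6 SourceUUID= "
    "DestinationUUID= devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ"
)

@dataclass
class LeefEvent:
    vendor: str
    product: str
    version: str
    event_id: str
    delimiter: str
    attributes: dict

def decode_delimiter(raw: str) -> str:
    """Header field 6: a literal character or xHH hex (x09 = tab); empty assumed to mean tab."""
    if raw == "":
        return "\t"
    m = re.fullmatch(r"x([0-9A-Fa-f]{2})", raw)
    return chr(int(m.group(1), 16)) if m else raw

def parse_attributes(body: str, delim: str) -> dict:
    """Split key=value pairs on the declared delimiter; a token without a key ('v6' after
    'SourceDeviceOSVersion=Android' with a space delimiter) is glued back onto the last value."""
    attrs, last = {}, None
    for token in body.split(delim):
        key, eq, value = token.partition("=")
        if eq and re.fullmatch(r"[\w\-]+", key):
            attrs[key], last = value, key
        elif last is not None:
            attrs[last] += delim + token
    return attrs

def parse_leef(line: str) -> LeefEvent:
    """Parse a syslog-wrapped LEEF 2.0 line; the six header fields are pipe-separated."""
    start = line.find("LEEF:2.0|")
    parts = line[start:].split("|", 6) if start >= 0 else []
    if len(parts) != 7:
        raise ValueError("missing or malformed LEEF 2.0 header")
    _, vendor, product, version, event_id, raw_delim, body = parts
    delim = decode_delimiter(raw_delim)
    return LeefEvent(vendor, product, version, event_id, delim, parse_attributes(body, delim))
```

Because the space delimiter also appears inside values such as SourceDeviceOSVersion, a parser that simply splits on whitespace and drops tokens without "=" silently loses data; the continuation rule above keeps it.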
The following table identifies the Traffic field names that the Log Forwarding app uses when you forward logs using the LEEF log format. When you create a syslog forwarding profile, you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token appears in a parameter called profileToken.
| LEEF Name | Query Name | Field Type |
|---|---|---|