UserID CEF Fields

Table of Contents

UserID CEF Fields

Example UserID log in CEF:

Mar 1 21:06:03 xxx.xx.x.xx 1324 <14>1 2021-03-01T21:06:03.844Z stream-logfwd20-587718190-03011255-ut6o-harness-5vlj logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|USERID|logout|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 21:06:02 deviceExternalId=xxxxxxxxxxxxx PanOSConfigVersion= dntdom=paloaltonetwork duser=xxxxx duid= PanOSCortexDataLakeTenantID=xxxxxxxxxxxxx PanOSIsDuplicateLog=false PanOSIsDuplicateUser= PanOSIsPrismaNetworks=false PanOSIsPrismaUsers=false PanOSLogExported=false PanOSLogForwarded=true PanOSLogSource=firewall PanOSLogSourceTimeZoneOffset= PanOSUserGroupFound= start=Mar 01 2021 21:06:02 cs3=vsys1 cs3Label=VirtualLocation src=xxx.xx.x.xx dst=xxx.xx.x.xx duser0=paloaltonetworks\\xxxxx cs4=fake-data-source-169 cs4Label=MappingDataSourceName cat=0 cnt=1 cn3=3531 cn3Label=MappingTimeout spt=21015 dpt=49760 cs5=probing cs5Label=MappingDataSource cs6=netbios_probing cs6Label=MappingDataSourceType externalId=xxxxxxxxxxxxx PanOSDGHierarchyLevel1=12 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= dvchost=PA-5220 cn2=1 cn2Label=VirtualSystemID cs1=xxxxx cs1Label=MFAFactorType end=Jul 09 2019 18:15:44 cn1=3 cn1Label=AuthFactorNo PanOSUGFlags=0x100 PanOSUserIdentifiedBySource=xxxxxxxxxxxxxx PanOSTag= PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12

The following table identifies the UserID field names that the Log Forwarding app uses when you forward logs using the CEF log format.

CEF Name	Field Details
end	Query Name: auth_completion_time Header Type: Predefined
cn1	Query Name: auth_factor_num Header Type: Predefined Label: cn1Label Label Text: AuthFactorNo
dntdom	Query Name: authenticated_user_info.domain Header Type: Predefined Max Length: 255
duser	Query Name: authenticated_user_info.name Header Type: Predefined Max Length: 255
duid	Query Name: authenticated_user_info.uuid Header Type: Predefined Max Length: 255
PanOSConfigVersion	Query Name: config_version.value Header Type: Custom
cnt	Query Name: count_of_repeats Header Type: Predefined
PanOSCortexDataLakeTenantID	Query Name: customer_id Header Type: Custom
dpt	Query Name: dest_port Header Type: Predefined
PanOSDGHierarchyLevel1	Query Name: dg_hier_level_1 Header Type: Custom
PanOSDGHierarchyLevel2	Query Name: dg_hier_level_2 Header Type: Custom
PanOSDGHierarchyLevel3	Query Name: dg_hier_level_3 Header Type: Custom
PanOSDGHierarchyLevel4	Query Name: dg_hier_level_4 Header Type: Custom
cat	Query Name: event_id Header Type: Predefined Max Length: 1023
PanOSIsDuplicateLog	Query Name: is_dup_log Header Type: Custom
PanOSIsDuplicateUser	Query Name: is_duplicate_user Header Type: Custom
PanOSLogExported	Query Name: is_exported Header Type: Custom
PanOSLogForwarded	Query Name: is_forwarded Header Type: Custom
PanOSIsPrismaNetworks	Query Name: is_prisma_branch Header Type: Custom
PanOSIsPrismaUsers	Query Name: is_prisma_mobile Header Type: Custom
PanOSLogSource	Query Name: log_source Header Type: Custom
LogSourceGroupID	Query Name: log_source_group_id Header Type: Custom Max Length: 255
deviceExternalId	Query Name: log_source_id Header Type: Predefined Max Length: 255
dvchost	Query Name: log_source_name Header Type: Predefined Max Length: 100
PanOSLogSourceTimeZoneOffset	Query Name: log_source_tz_offset Header Type: Custom
rt	Query Name: log_time Header Type: Predefined
Device Event Class ID	Query Name: log_type.value Header Type: Custom
cs5	Query Name: mapping_data_source.value Header Type: Predefined Label: cs5Label Label Text: MappingDataSource Max Length: 4000
cs4	Query Name: mapping_data_source_name Header Type: Predefined Label: cs4Label Label Text: MappingDataSourceName Max Length: 4000
cs6	Query Name: mapping_data_source_type.value Header Type: Predefined Label: cs6Label Label Text: MappingDataSourceType Max Length: 4000
cn3	Query Name: mapping_timeout Header Type: Predefined Label: cn3Label Label Text: MappingTimeout
cs1	Query Name: mfa_factor_type Header Type: Predefined Label: cs1Label Label Text: MFAFactorType Max Length: 4000
PanOSPanoramaSN	Query Name: panorama_serial Header Type: Custom
PlatformType	Query Name: platform_type Header Type: Custom
externalId	Query Name: sequence_no Header Type: Predefined Max Length: 40
src and dst, or c6a2 and c6a3	Query Name: source_ip.value Header Type: Predefined Label: \|\| c6a2Label && c6a3Label Label Text: \|\| Source IPv6 Address && Destination IPv6 Address
spt	Query Name: source_port Header Type: Predefined
Name	Query Name: sub_type.value Header Type: Custom
PanOSTag	Query Name: tag_name Header Type: Custom
start	Query Name: time_generated Header Type: Predefined
PanOSTimeGeneratedHighResolution	Query Name: time_generated_high_res Header Type: Custom
PanOSUGFlags	Query Name: ug_flags Header Type: Custom
duser	Query Name: user Header Type: Predefined Max Length: 1023
PanOSUserGroupFound	Query Name: user_group_found Header Type: Custom
PanOSUserIdentifiedBySource	Query Name: user_identified_by_source_as Header Type: Custom
Device Vendor	Query Name: vendor_name Header Type: Custom
cs3	Query Name: vsys Header Type: Predefined Label: cs3Label Label Text: VirtualLocation Max Length: 4000
cn2	Query Name: vsys_id Header Type: Predefined Label: cn2Label Label Text: VirtualSystemID
PanOSVirtualSystemName	Query Name: vsys_name Header Type: Custom

UserID Syslog Default Field Order

UserID EMAIL Fields

UserID CEF Fields

UserID CEF Fields

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Agents & Agentless

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner