UserID LEEF Fields

Table of Contents

UserID LEEF Fields

Example UserID log in LEEF:

Sep 21 01:47:20 xxx.xx.x.xx 2368 <14>1 2021-09-21T01:47:20.990Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|2|	|profileToken=Palotoken VirtualSystemID=1	AuthFactorNo=3	DeviceName=PA-5220	dstPort=49760	MappingDataSourceType=netbios_probing	MappingDataSource=probing	SequenceNo=6711379990526558750	MFAFactorType=xxxxx	LogExported=false	src=xxx.xx.x.xx	VirtualSystemName=	DeviceSN=xxxxxxxxxxxxx	TimeGeneratedHighResolution=	usrName="paloaltonetworks\\xxxxx"	UserIdentifiedBySource=xxxxxxxxxxxxxx	IsDuplicateUser=	TimeReceived=2020-10-13T03:31:40.000000Z	MappingDataSourceName=fake-data-source-169	UGFlags=256	IsPrismaNetworks=false	AuthenticatedUserUUID=	AuthCompletionTime=2019-07-09T18:15:44.000000Z	IsDuplicateLog=false	UserGroupFound=	LogForwarded=true	CountofRepeats=1	EventID=0	VirtualLocation=vsys1	MappingTimeout=3531	AuthenticatedUserName=xxxxx	LogSource=firewall	devTime=2020-10-13T03:31:40.000000Z	Vendor=Palo	Alto	Networks	AuthenticatedUserDomain=paloaltonetwork	Tag=	LogSourceTimeZoneOffset=	cat=logout	srcPort=21015	CortexDataLakeTenantID=xxxxxxxxxxxxx	IsPrismaUsers=false	LogType=USERID	devTimeFormat=YYYY-MM-DDTHH:MM:SSZ

The following table identifies the UserID field names that the Log Forwarding app uses when you forward logs using the LEEF log format.

When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token will appear on a parameter called profileToken.

LEEF Name	Query Name	Field Type
AuthCompletionTime	auth_completion_time	Custom
AuthFactorNo	auth_factor_num	Custom
AuthenticatedUserDomain	authenticated_user_info.domain	Custom
AuthenticatedUserName	authenticated_user_info.name	Custom
AuthenticatedUserUUID	authenticated_user_info.uuid	Custom
ConfigVersion	config_version.value	Custom
CountofRepeats	count_of_repeats	Custom
CortexDataLakeTenantID	customer_id	Custom
dstPort	dest_port	Predefined
DGHierarchyLevel1	dg_hier_level_1	Custom
DGHierarchyLevel2	dg_hier_level_2	Custom
DGHierarchyLevel3	dg_hier_level_3	Custom
DGHierarchyLevel4	dg_hier_level_4	Custom
EventIdName	event_id	Custom
IsDuplicateLog	is_dup_log	Custom
IsDuplicateUser	is_duplicate_user	Custom
LogExported	is_exported	Custom
LogForwarded	is_forwarded	Custom
IsPrismaNetworks	is_prisma_branch	Custom
IsPrismaUsers	is_prisma_mobile	Custom
LogSource	log_source	Custom
LogSourceGroupID	log_source_group_id	Custom
DeviceSN	log_source_id	Custom
DeviceName	log_source_name	Custom
LogSourceTimeZoneOffset	log_source_tz_offset	Custom
TimeReceived	log_time	Custom
cat	log_type.value	Predefined
MappingDataSource	mapping_data_source.value	Custom
MappingDataSourceName	mapping_data_source_name	Custom
MappingDataSourceType	mapping_data_source_type.value	Custom
MappingTimeout	mapping_timeout	Custom
MFAFactorType	mfa_factor_type	Custom
PanoramaSN	panorama_serial	Custom
PlatformType	platform_type	Custom
SequenceNo	sequence_no	Custom
src	source_ip.value	Predefined
srcPort	source_port	Predefined
EventID	sub_type.value	Header
Tag	tag_name	Custom
devTime	time_generated	Predefined
TimeGeneratedHighResolution	time_generated_high_res	Custom
UGFlags	ug_flags	Custom
usrName	user	Predefined
UserGroupFound	user_group_found	Custom
UserIdentifiedBySource	user_identified_by_source_as	Custom
Vendor	vendor_name	Header
VirtualLocation	vsys	Custom
VirtualSystemID	vsys_id	Custom
VirtualSystemName	vsys_name	Custom

UserID HTTPS Fields

Strata Logging Service Docs

UserID LEEF Fields

Strata Logging Service Docs

UserID LEEF Fields

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner