System LEEF Fields

Table of Contents

System LEEF Fields

Example System log in LEEF:

Sep 21 02:01:01 gke-standard-cluster-2-pool-3-f004381a-0gw6 732 <14>1 2021-09-21T02:01:01.316Z stream-logfwd20-d324e775--09201841-lxtx-harness-0cc4 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|general|	|LogTime=2021-09-21T02:01:00.000000Z	LogSourceID=xxxxxxxxxxxxxx	cat=system	SubType=general	ConfigVersion=10.1	devTime=2021-09-21T02:00:56.000000ZVirtualLocation=	EventComponent=	VendorSeverity=Informational	EventDescription=WildFire update job succeeded  for user Auto update agent	SequenceNo=7003061162447265681	DGHierarchyLevel1=0	DGHierarchyLevel2=0	DGHierarchyLevel3=0	DGHierarchyLevel4=0	VirtualSystemName=	LogSourceName=xxxxx	DeviceGroup=	Template=	TimeGeneratedHighResolution=2021-09-21T02:00:56.997000Z	devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ

The following table identifies the System field names that the Log Forwarding app uses when you forward logs using the LEEF log format.

When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token will appear on a parameter called profileToken.

LEEF Name	Query Name	Field Type
AgentContentVersion	agent_content_version	Custom
AgentDataCollectionStatus	agent_data_collection_status.value	Custom
AgentID	agent_id	Custom
AgentIsolationStatus	agent_isolation_status	Custom
AgentStatus	agent_protection_status	Custom
AgentVersion	agent_version	Custom
ConfigVersion	config_version.value	Custom
TenantID	customer_id	Custom
DeviceGroup	device_group.value	Custom
DGHierarchyLevel1	dg_hier_level_1	Custom
DGHierarchyLevel2	dg_hier_level_2	Custom
DGHierarchyLevel3	dg_hier_level_3	Custom
DGHierarchyLevel4	dg_hier_level_4	Custom
EndpointCPUArchitecture	endpoint_cpu_architecture.value	Custom
EndpointDeviceDomain	endpoint_device_domain	Custom
EndpointDeviceName	endpoint_device_name	Custom
EndpointIPaddress	endpoint_ip.value	Custom
VDIEndpoint	endpoint_is_vdi	Custom
EndpointOSType	endpoint_os_type.value	Custom
EndpointOSVersion	endpoint_os_version	Custom
AgentTimeZoneOffset	endpoint_tz_offset	Custom
EndpointUserDomain	endpoint_user.domain	Custom
EndpointUserName	endpoint_user.name	Custom
EndpointUserUUID	endpoint_user.uuid	Custom
EventComponent	event_component	Custom
EventDescription	event_description	Custom
EventID	event_name.value	Header
devTime	event_time	Predefined
IsDuplicateLog	is_dup_log	Custom
LogExported	is_exported	Custom
LogForwarded	is_forwarded	Custom
IsPrismaNetwork	is_prisma_branch	Custom
IsPrismaUsers	is_prisma_mobile	Custom
LogCategory	log_category.value	Custom
LogSource	log_source	Custom
LogSourceGroupID	log_source_group_id	Custom
LogSourceID	log_source_id	Custom
LogSourceName	log_source_name	Custom
LogSourceTimeZoneOffset	log_source_tz_offset	Custom
LogTime	log_time	Custom
cat	log_type.value	Predefined
PanoramaSN	panorama_serial	Custom
PlatformType	platform_type	Custom
SequenceNo	sequence_no	Custom
Severity	severity	Custom
SubType	sub_type.value	Custom
Template	template.value	Custom
TimeGeneratedHighResolution	time_generated_high_res	Custom
Vendor	vendor_name	Header
VendorSeverity	vendor_severity.value	Custom
VirtualLocation	vsys	Custom
VirtualSystemID	vsys_id	Custom
VirtualSystemName	vsys_name	Custom

System HTTPS Fields

Endpoint Logs

Strata Logging Service Docs

System LEEF Fields

Strata Logging Service Docs

System LEEF Fields

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner