Strata Logging Service
Decryption CEF Fields
Example Decryption log in CEF:
Mar 1 20:35:56 xxx.xx.x.xx 2341 <14>1 2021-03-01T20:35:56.343Z stream-logfwd20-587718190-02280003-lvod-harness-mjdh logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|DECRYPTION|end|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=xxxxxxxxxxxxx PanOSConfigVersion=null start=Mar 01 2021 20:35:54 src=xxx.xx.x.xx dst=xxx.xx.x.xx sourceTranslatedAddress=xxx.xx.x.xx destinationTranslatedAddress=xxx.xx.x.xx cs1=allow-all-employees cs1Label=Rule suser=paloaltonetwork\\\\xxxxx duser=paloaltonetwork\\\\xxxxx app=gmail-base cs3=vsys1 cs3Label=VirtualLocation cs4=datacenter cs4Label=FromZone cs5=ethernet4Zone-test1 cs5Label=ToZone deviceInboundInterface=ethernet1/1 deviceOutboundInterface=tunnel.901 cs6=test cs6Label=LogSetting PanOSTimeReceivedManagementPlane=Dec 12 2019 22:16:48 cn1=106112 cn1Label=SessionID cnt=1 spt=16524 dpt=20122 sourceTranslatedPort=15856 destinationTranslatedPort=10128 proto=tcp act=deny PanOSTunnel=N/A PanOSSourceUUID= PanOSDestinationUUID= PanOSRuleUUID=fnullacnullnulle1-2c69-4f2b-8293-46ee4c73737e PanOSClientToFirewall=null PanOSFirewallToClient=null PanOSTLSVersion=null PanOSTLSKeyExchange=null PanOSTLSEncryptionAlgorithm=null PanOSTLSAuth=null PanOSPolicyName= PanOSEllipticCurve= PanOSErrorIndex=null PanOSRootStatus=null PanOSChainStatus=null PanOSProxyType=null PanOSCertificateSerial= PanOSFingerprint= PanOSTimeNotBefore=0 PanOSTimeNotAfter=0 PanOSCertificateVersion=null PanOSCertificateSize=0 PanOSCommonNameLength=0 PanOSIssuerNameLength=0 PanOSRootCNLength=0 PanOSSNILength=0 PanOSCertificateFlags=0 PanOSCommonName= PanOSIssuerCommonName= PanOSRootCommonName= PanOSServerNameIndication= PanOSErrorMessage= PanOSContainerID= PanOSContainerNameSpace= PanOSContainerName= PanOSSourceEDL= PanOSDestinationEDL= PanOSSourceDynamicAddressGroup= PanOSDestinationDynamicAddressGroup=test PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSSourceDeviceCategory= PanOSSourceDeviceProfile= PanOSSourceDeviceModel= PanOSSourceDeviceVendor= PanOSSourceDeviceOSFamily= PanOSSourceDeviceOSVersion= PanOSSourceDeviceHost= PanOSSourceDeviceMac= PanOSDestinationDeviceCategory= PanOSDestinationDeviceProfile= PanOSDestinationDeviceModel= PanOSDestinationDeviceVendor= PanOSDestinationDeviceOSFamily= PanOSDestinationDeviceOSVersion= PanOSDestinationDeviceHost= PanOSDestinationDeviceMac= externalId=xxxxxxxxxxxxx
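The record above is a syslog line carrying a CEF payload: a pipe-delimited header (CEF version, Device Vendor, Device Product, Device Version, Device Event Class ID, Name, Severity) followed by space-separated key=value extensions, with cs*/cn* custom fields whose meaning comes from the companion *Label key. The parser below is an added example, not code from the Strata Logging Service docs or the Log Forwarding app. It applies the CEF escaping rules (`\|` in the header, `\=` and `\\` in extension values), resolves labelled custom fields, and translates a subset of the CEF names into the Query Names from the table on this page. The sample record is constructed (a trimmed variant of the page's example with placeholder addresses, users and serials); treating the literal value `null` as an absent value and `key=` as an empty string is an assumption read from the page's example, not a documented rule.

```python
"""Parse a Strata Logging Service Decryption record in CEF and key it by Query Name.

Added example, not Palo Alto Networks code.  SAMPLE is a constructed record,
shortened from the page's example with placeholder values.
"""
import re
from typing import Dict, Tuple

# Constructed sample: syslog prefix + trimmed CEF payload.  The CEF escape for a
# literal backslash in a value is "\\", so the Python literal needs four.
SAMPLE = (
    "Mar 1 20:35:56 10.0.0.5 2341 <14>1 2021-03-01T20:35:56.343Z host "
    "logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|DECRYPTION|end|3|"
    "ProfileToken=tok dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=0123456789 "
    "start=Mar 01 2021 20:35:54 src=10.1.2.3 dst=203.0.113.10 "
    "cs1=allow-all-employees cs1Label=Rule suser=paloaltonetwork\\\\jdoe "
    "duser=paloaltonetwork\\\\jdoe app=gmail-base cs3=vsys1 cs3Label=VirtualLocation "
    "cs4=datacenter cs4Label=FromZone cs5=ethernet4Zone-test1 cs5Label=ToZone "
    "cn1=106112 cn1Label=SessionID spt=16524 dpt=20122 proto=tcp act=deny "
    "PanOSSourceUUID= PanOSDestinationUUID= PanOSTLSVersion=null "
    "PanOSServerNameIndication= externalId=7000001"
)

# CEF header positions: CEF:Version|Vendor|Product|Version|Event Class ID|Name|Severity
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product", "device_version",
                 "device_event_class_id", "name", "severity")

# CEF name -> Query Name, a subset of the table on this page.  Labelled custom
# fields are looked up by their label text after resolve_labels().
CEF_TO_QUERY = {
    "device_vendor": "vendor_name", "device_event_class_id": "log_type.value",
    "name": "sub_type.value",
    "act": "action.value", "app": "app", "proto": "protocol.value",
    "src": "source_ip.value", "c6a2": "source_ip.value",     # IPv4 in src, IPv6 in c6a2
    "dst": "dest_ip.value", "c6a3": "dest_ip.value",
    "spt": "source_port", "dpt": "dest_port",
    "suser": "source_user", "duser": "dest_user",
    "rt": "log_time", "start": "time_generated", "externalId": "sequence_no",
    "PanOSDeviceSN": "log_source_id", "PanOSRuleUUID": "rule_matched_uuid",
    "PanOSSourceUUID": "source_uuid", "PanOSDestinationUUID": "dest_uuid",
    "PanOSTLSVersion": "tls_version.value", "PanOSServerNameIndication": "sni",
    "Rule": "rule_matched", "VirtualLocation": "vsys", "FromZone": "from_zone",
    "ToZone": "to_zone", "LogSetting": "log_set", "SessionID": "session_id",
}

_ESCAPES = {"\\": "\\", "=": "=", "|": "|", "n": "\n", "r": "\r"}


def unescape(s: str) -> str:
    # Undo CEF escapes (\\ \= \| \n \r); an unknown escape is kept verbatim.
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), s, flags=re.S)


def split_header(cef: str) -> Tuple[Dict[str, str], str]:
    """Split the 7 header fields from the extension; only unescaped '|' delimit."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # keep "\x" pairs intact for unescape()
            buf.append(cef[i:i + 2])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_FIELDS, (unescape(f) for f in fields)))
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    return header, cef[i:]


# A value runs until the next " key=" or the end of the string.  Because CEF
# requires "=" and "\" inside values to be escaped, the lazy match cannot stop
# inside a value such as "Mar 01 2021 20:35:54".
_EXT_RE = re.compile(r"([A-Za-z0-9_.]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)", re.S)


def parse_extension(ext: str) -> Dict[str, str]:
    return {m.group(1): unescape(m.group(2)) for m in _EXT_RE.finditer(ext)}


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Key custom fields by label text: cs1=x cs1Label=Rule -> {"Rule": "x"}."""
    out = {}
    for key, val in ext.items():
        if key.endswith("Label"):
            continue
        out[ext.get(key + "Label") or key] = val
    return out


def parse_decryption_log(line: str) -> Dict[str, object]:
    """Return the record keyed by Query Name where the table maps it, else CEF name.

    Assumption taken from the page's example: the literal 'null' marks an absent
    value (returned as None) while 'key=' is an empty string."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    header, raw_ext = split_header(line[start:])
    fields = dict(header)
    fields.update(resolve_labels(parse_extension(raw_ext)))
    return {CEF_TO_QUERY.get(k, k): (None if v == "null" else v) for k, v in fields.items()}


if __name__ == "__main__":
    for k, v in parse_decryption_log(SAMPLE).items():
        print(f"{k} = {v!r}")
```

Names the table does not cover (for example ProfileToken, dtz, severity) pass through under their CEF names, so nothing is silently dropped; extend CEF_TO_QUERY from the table as needed.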
The following table identifies the Decryption field names that the Log Forwarding app uses when you forward logs using the CEF log format. Three entries (Device Vendor, Device Event Class ID and Name) are positions in the pipe-delimited CEF header rather than extension keys; in the example above they carry Palo Alto Networks, DECRYPTION and end. Predefined names that list a Label are CEF custom fields whose meaning is carried by the companion key (for example cs1=allow-all-employees cs1Label=Rule), and the IPv6 forms c6a2/c6a3 are used in place of src/dst when the address is IPv6.
| CEF Name | Query Name | Header Type | Label (Label Text) | Max Length |
|---|---|---|---|---|
| act | action.value | Predefined | | 63 |
| app | app | Predefined | | 31 |
| PanOSApplicationCategory | app_category | Custom | | |
| PanOSApplicationSubcategory | app_sub_category | Custom | | |
| PanOSCertificateFlags | cert_flags | Custom | | |
| PanOSCertificateSerial | cert_serial | Custom | | |
| PanOSCertificateSize | certificate_size | Custom | | |
| PanOSCertificateVersion | certificate_version.value | Custom | | |
| PanOSChainStatus | chain_status.value | Custom | | |
| PanOSApplicationCharacteristics | characteristics_of_app | Custom | | |
| PanOSClientToFirewall | client_to_firewall.value | Custom | | |
| PanOSCommonName | cn | Custom | | |
| PanOSCommonNameLength | cn_len | Custom | | |
| PanOSConfigVersion | config_version.value | Custom | | |
| PanOSContainerID | container_id | Custom | | |
| PanOSApplicationContainer | container_of_app | Custom | | |
| cnt | count_of_repeats | Predefined | | |
| PanOSCpadding | cpadding | Custom | | |
| PanOSCortexDataLakeTenantID | customer_id | Custom | | |
| PanOSDestinationDeviceCategory | dest_device_category | Custom | | |
| PanOSDestinationDeviceClass | dest_device_class | Custom | | |
| PanOSDestinationDeviceHost | dest_device_host | Custom | | |
| PanOSDestinationDeviceMac | dest_device_mac | Custom | | |
| PanOSDestinationDeviceModel | dest_device_model | Custom | | |
| PanOSDestinationDeviceOS | dest_device_os | Custom | | |
| PanOSDestinationDeviceOSFamily | dest_device_osfamily | Custom | | |
| PanOSDestinationDeviceOSVersion | dest_device_osversion | Custom | | |
| PanOSDestinationDeviceProfile | dest_device_profile | Custom | | |
| PanOSDestinationDeviceVendor | dest_device_vendor | Custom | | |
| PanOSDestinationDynamicAddressGroup | dest_dynamic_address_group | Custom | | |
| PanOSDestinationEDL | dest_edl | Custom | | |
| dst or c6a3 | dest_ip.value | Predefined | c6a3Label (Destination IPv6 Address), c6a3 only | |
| PanOSDestinationLocation | dest_location | Custom | | |
| dpt | dest_port | Predefined | | |
| duser | dest_user | Predefined | | 1023 |
| dntdom | dest_user_info.domain | Predefined | | 255 |
| dusername | dest_user_info.name | Predefined | | 255 |
| duid | dest_user_info.uuid | Predefined | | 255 |
| PanOSDestinationUUID | dest_uuid | Custom | | |
| PanOSDGHierarchyLevel1 | dg_hier_level_1 | Custom | | |
| PanOSDGHierarchyLevel2 | dg_hier_level_2 | Custom | | |
| PanOSDGHierarchyLevel3 | dg_hier_level_3 | Custom | | |
| PanOSDGHierarchyLevel4 | dg_hier_level_4 | Custom | | |
| PanOSDomain | domain | Custom | | |
| PanOSEllipticCurve | elliptic_curve.value | Custom | | |
| PanOSErrorIndex | error_index.value | Custom | | |
| PanOSErrorMessage | error_message | Custom | | |
| PanOSFingerprint | fingerprint | Custom | | |
| PanOSFirewallToClient | firewall_to_client.value | Custom | | |
| cs4 | from_zone | Predefined | cs4Label (FromZone) | 4000 |
| deviceInboundInterface | inbound_if.value | Predefined | | 128 |
| PanOSInboundInterfaceDetailsPort | inbound_if_details.port | Custom | | |
| PanOSInboundInterfaceDetailsSlot | inbound_if_details.slot | Custom | | |
| PanOSInboundInterfaceDetailsType | inbound_if_details.type.value | Custom | | |
| PanOSInboundInterfaceDetailsUnit | inbound_if_details.unit | Custom | | |
| PanOSCaptivePortal | is_captive_portal | Custom | | |
| PanOSIsCertECDSA | is_cert_ECDSA | Custom | | |
| PanOSIsCertRSA | is_cert_RSA | Custom | | |
| PanOSIsCertCNTruncated | is_cert_cn_truncated | Custom | | |
| PanOSIsClienttoServer | is_client_to_server | Custom | | |
| PanOSIsContainer | is_container | Custom | | |
| PanOSIsDecryptMirror | is_decrypt_mirror | Custom | | |
| PanOSIsDecrypted | is_decrypted | Custom | | |
| PanOSIsDuplicateLog | is_dup_log | Custom | | |
| PanOSIsEncrypted | is_encrypted | Custom | | |
| PanOSLogExported | is_exported | Custom | | |
| PanOSIsForwarded | is_forwarded | Custom | | |
| PanOSIsIPV6 | is_ipv6 | Custom | | |
| PanOSIsIssuerCNTruncated | is_issuer_cn_truncated | Custom | | |
| PanOSIsMptcpOn | is_mptcp_on | Custom | | |
| PanOSIsNAT | is_nat | Custom | | |
| PanOSIsNonStandardDestinationPort | is_non_std_dest_port | Custom | | |
| PanOSPacketCapture | is_packet_capture | Custom | | |
| PanOSIsPhishing | is_phishing | Custom | | |
| PanOSIsPrismaNetwork | is_prisma_branch | Custom | | |
| PanOSIsPrismaUsers | is_prisma_mobile | Custom | | |
| PanOSIsProxy | is_proxy | Custom | | |
| PanOSIsReconExcluded | is_recon_excluded | Custom | | |
| PanOSIsResumeSession | is_resume_session | Custom | | |
| PanOSIsRootCNTruncated | is_root_cn_truncated | Custom | | |
| PanOSIsSaaSApplication | is_saas_app | Custom | | |
| PanOSIsServertoClient | is_server_to_client | Custom | | |
| PanOSIsSNITruncated | is_sni_truncated | Custom | | |
| PanOSIsSourceXForwarded | is_source_x_fwded | Custom | | |
| PanOSIsSystemReturn | is_sym_return | Custom | | |
| PanOSIsTransaction | is_transaction | Custom | | |
| PanOSIsTunnelInspected | is_tunnel_inspected | Custom | | |
| PanOSIsURLDenied | is_url_denied | Custom | | |
| PanOSIssuerCommonName | issuer_cn | Custom | | |
| PanOSIssuerNameLength | issuer_len | Custom | | |
| cs6 | log_set | Predefined | cs6Label (LogSetting) | 4000 |
| PanOSLogSource | log_source | Custom | | |
| LogSourceGroupID | log_source_group_id | Custom | | 255 |
| PanOSDeviceSN | log_source_id | Custom | | |
| PanOSDeviceName | log_source_name | Custom | | |
| PanOSLogSourceTimeZoneOffset | log_source_tz_offset | Custom | | |
| rt | log_time | Predefined | | |
| Device Event Class ID | log_type.value | Custom | | |
| destinationTranslatedAddress | nat_dest.value | Predefined | | |
| destinationTranslatedPort | nat_dest_port | Predefined | | |
| sourceTranslatedAddress | nat_source.value | Predefined | | |
| sourceTranslatedPort | nat_source_port | Predefined | | |
| PanOSTimeNotAfter | not_after | Custom | | |
| PanOSTimeNotBefore | not_before | Custom | | |
| deviceOutboundInterface | outbound_if.value | Predefined | | 128 |
| PanOSOutboundInterfaceDetailsPort | outbound_if_details.port | Custom | | |
| PanOSOutboundInterfaceDetailsSlot | outbound_if_details.slot | Custom | | |
| PanOSOutboundInterfaceDetailsType | outbound_if_details.type.value | Custom | | |
| PanOSOutboundInterfaceDetailsUnit | outbound_if_details.unit | Custom | | |
| PanOSPadding | padding | Custom | | |
| PanOSPadding3 | padding3 | Custom | | |
| PanOSPanoramaSN | panorama_serial | Custom | | |
| PlatformType | platform_type | Custom | | |
| PanOSContainerName | pod_name | Custom | | |
| PanOSContainerNameSpace | pod_namespace | Custom | | |
| PanOSPolicyName | policy_name | Custom | | |
| proto | protocol.value | Predefined | | 31 |
| PanOSProxyType | proxy_type.value | Custom | | |
| PanOSApplicationRisk | risk_of_app | Custom | | |
| PanOSRootCommonName | root_cn | Custom | | |
| PanOSRootCNLength | root_cn_len | Custom | | |
| PanOSRootStatus | root_status.value | Custom | | |
| cs1 | rule_matched | Predefined | cs1Label (Rule) | 4000 |
| PanOSRuleUUID | rule_matched_uuid | Custom | | |
| PanOSSanctionedStateOfApp | sanctioned_state_of_app | Custom | | |
| externalId | sequence_no | Predefined | | 40 |
| cn1 | session_id | Predefined | cn1Label (SessionID) | |
| PanOSServerNameIndication | sni | Custom | | |
| PanOSSNILength | sni_len | Custom | | |
| PanOSSourceDeviceCategory | source_device_category | Custom | | |
| PanOSSourceDeviceClass | source_device_class | Custom | | |
| PanOSSourceDeviceHost | source_device_host | Custom | | |
| PanOSSourceDeviceMac | source_device_mac | Custom | | |
| PanOSSourceDeviceModel | source_device_model | Custom | | |
| PanOSSourceDeviceOS | source_device_os | Custom | | |
| PanOSSourceDeviceOSFamily | source_device_osfamily | Custom | | |
| PanOSSourceDeviceOSVersion | source_device_osversion | Custom | | |
| PanOSSourceDeviceProfile | source_device_profile | Custom | | |
| PanOSSourceDeviceVendor | source_device_vendor | Custom | | |
| PanOSSourceDynamicAddressGroup | source_dynamic_address_group | Custom | | |
| PanOSSourceEDL | source_edl | Custom | | |
| src or c6a2 | source_ip.value | Predefined | c6a2Label (Source IPv6 Address), c6a2 only | |
| PanOSSourceLocation | source_location | Custom | | |
| spt | source_port | Predefined | | |
| suser | source_user | Predefined | | 1023 |
| sntdom | source_user_info.domain | Predefined | | 1023 |
| susername | source_user_info.name | Predefined | | 1023 |
| suid | source_user_info.uuid | Predefined | | 1023 |
| PanOSSourceUUID | source_uuid | Custom | | |
| Name | sub_type.value | Custom | | |
| PanOSApplicationTechnology | technology_of_app | Custom | | |
| start | time_generated | Predefined | | |
| PanOSTimeGeneratedHighResolution | time_generated_high_res | Custom | | |
| PanOSTimeReceivedManagementPlane | time_received_mp | Custom | | |
| PanOSTLSAuth | tls_auth.value | Custom | | |
| PanOSTLSEncryptionAlgorithm | tls_enc_algorithm.value | Custom | | |
| PanOSTLSKeyExchange | tls_keyxchange.value | Custom | | |
| PanOSTLSVersion | tls_version.value | Custom | | |
| cs5 | to_zone | Predefined | cs5Label (ToZone) | 4000 |
| PanOSTpadding | tpadding | Custom | | |
| PanOSTunnel | tunnel.value | Custom | | |
| PanOSTunneledApplication | tunneled_app | Custom | | |
| Device Vendor | vendor_name | Custom | | |
| PanOSVpadding | vpadding | Custom | | |
| cs3 | vsys | Predefined | cs3Label (VirtualLocation) | 4000 |
| PanOSVirtualSystemID | vsys_id | Custom | | |
| PanOSVirtualSystemName | vsys_name | Custom | | |