Decryption Syslog Default Field Order
Focus
Focus
Strata Logging Service

Decryption Syslog Default Field Order

Table of Contents

Decryption Syslog Default Field Order

Example Decryption log in Syslog:
Oct 13 01:11:28 gke-standard-cluster-2-pool-1-6ea9f13a-moqf 1124 <142>1 2020-10-13T01:11:28.247Z stream-logfwd20-156653024-10121421-eq28-harness-16kn logforwarder - panwlogs - 1,​2020-10-13T01:11:23.000000Z,​007051000113358,​,​DECRYPTION,​10.0,​2020-10-13T01:11:05.000000Z,​xxx.xx.x.xx,​xxx.xx.x.xx,​xxx.xx.x.xx,​xxx.xx.x.xx,​deny-attackers,​00000000000000000000ffff05050505,​paloaltonetwork\xxxxx,​mcafee-endpoint-encryption,​vsys1,​ethernet4Zone-test3,​datacenter,​,​,​rs-logging,​2020-10-13T01:11:05.000000Z,​999250,​1,​28790,​18368,​31621,​27853,​3072,​tcp,​allow,​GRE,​,​,​,​,​85c1488d-5bbd-42e7-8f28-a19256972c32,​unknown,​unknown,​TLS1.3,​ECDHE,​AES_128_GCM,​SHA256,​,​sect409k1,​None,​Untrusted,​Uninspected,​Broker,​14ff0117d825393ebcad2bbfb94bc282da926a7a,​6263d82e0ec3d57c209151526dc1240cc19ec2e685fbae4c81f394e9819a7699,​1602551466,​1605143466,​V2,​192,​23,​32,​32,​21,​64,​CN = MGMT-GROUP-MGMT-CA,​CN = Thawte Premium Server CA1,​CN = Thawte Premium Server CA1,​devop-host.panw.local,​,​1873cc5c-0d31,​pns_default,​pan-dp-77754f4,​,​,​,​,​2020-10-13T01:11:06.359000Z,​H-Phone,​h-profile,​Pro,​Huawei,​Mate 10,​Android v6.1,​pan-411,​264754728121,​H-Phone,​h-profile,​ANE-LX3,​Huawei,​P20 Lite,​Android v7.1,​pan-431,​496310767571,​111291,​-9223372036854775808
The following identifies the default field order for filters migrated from an earlier version of the log forwarding application. For log filters created after that migration, you specify the field order when you create a log filter by specifying the columns you want to receive.
The fields are identified in the default order that they appear in each log line.
HEADER, log_time, log_source_id, log_type.​value, sub_type.​value, config_version.​value, time_generated, source_ip.​value, dest_ip.​value, nat_source.​value, nat_dest.​value, rule_matched, source_user, dest_user, app, vsys, from_zone, to_zone, inbound_if.​value, outbound_if.​value, log_set, time_received_mp, session_id, count_of_repeats, source_port, dest_port, nat_source_port, nat_dest_port, flags, protocol.​value, action.​value, tunnel.​value, EMPTY, EMPTY, source_uuid, dest_uuid, rule_matched_uuid, client_to_firewall.​value, firewall_to_client.​value, tls_version.​value, tls_keyxchange.​value, tls_enc_algorithm.​value, tls_auth.​value, policy_name, elliptic_curve.​value, error_index.​value, root_status.​value, chain_status.​value, proxy_type.​value, cert_serial, fingerprint, not_before, not_after, certificate_version.​value, certificate_size, cn_len, issuer_len, root_cn_len, sni_len, cert_flags, cn, issuer_cn, root_cn, sni, error_message, container_id, pod_namespace, pod_name, source_edl, dest_edl, source_dynamic_address_group, dest_dynamic_address_group, time_generated_high_res, source_device_category, source_device_profile, source_device_model, source_device_vendor, source_device_osfamily, source_device_osversion, source_device_host, source_device_mac, dest_device_category, dest_device_profile, dest_device_model, dest_device_vendor, dest_device_osfamily, dest_device_osversion, dest_device_host, dest_device_mac, sequence_no, action_flags