Strata Logging Service
Tunnel LEEF Fields
Table of Contents
Expand All
|
Collapse All
Strata Logging Service Docs
-
-
- Forward Logs to a Syslog Server
- Forward Logs to an HTTPS Server
- Forward Logs to an Email Server
- Forward Logs to Amazon Security Lake
- Forward Logs to AWS S3 Bucket
- Forward Logs to Snowflake
- Create Log Filters
- Server Certificate Validation
- List of Trusted Certificates for Syslog and HTTPS Forwarding
- Log Forwarding Errors
- Forward Logs With Log Replay
Tunnel LEEF Fields
Example Tunnel log in LEEF:
Sep 21 02:13:19 xxx.xx.x.xx 2203 <14>1 2021-09-21T02:13:19.109Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|drop||TimeReceived=2021-09-21T02:13:18.000000Z DeviceSN=xxxxxxxxxxxxx cat=gtp SubType=drop ConfigVersion=10.1 devTime=2021-09-21T02:13:03.000000Z src=xxx.xx.x.xx dst= srcPostNAT=xxx.xx.x.xx dstPostNAT=xxx.xx.x.xx Rule=allow-all-employees usrName=paloaltonetwork\xxxxx DestinationUser=paloaltonetwork\xxxxx Application=rlogin VirtualLocation=vsys1 FromZone=untrust ToZone=ethernet4Zone-test1 InboundInterface=ethernet1/1 OutboundInterface=ethernet1/1 LogSetting=rs-logging SessionID=396610 RepeatCount=1 srcPort=20679 dstPort=2619 srcPostNATPort=8544 dstPostNATPort=27147 proto=tcp TunnelEventType=51 MobileSubscriberISDN= AccessPointName= RadioAccessTechnology=11 TunnelMessageType=0 MobileIP= TunnelEndpointID1=0 TunnelEndpointID2=0 TunnelInterface=0 TunnelCauseCode=0 VendorSeverity=Unused MobileCountryCode=0 MobileNetworkCode=0 MobileAreaCode=0 MobileBaseStationCode=0 TunnelEventCode=0 SequenceNo=7003061089432915273 SourceLocation=west-coast DestinationLocation=BR DGHierarchyLevel1=11 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=xxxxx IMSI=0 IMEI= ParentSessionID=0 ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=HTTP2-CONNECTION Bytes=7102726800694 srcBytes=58980433922 dstBytes=7043746366772 totalPackets=1632190399 srcPackets=1632190349 dstPackets=50 PacketsDroppedMax=0 PacketsDroppedProtocol=724238337 PacketsDroppedStrict=0 PacketsDroppedTunnel=45 TunnelSessionsCreated=536936689 TunnelSessionsClosed=-1107230720 SessionEndReason=aged-out ActionSource= startTime=1970-01-01T00:00:03.000000Z SessionDuration=-121241600 TunnelInspectionRule= TunnelRemoteUserIP= TunnelRemoteIMSIID=0 RuleUUID=d0658a8e-c749-4b1c-a7dc-3247de1c94e7 DynamicUserGroupName= ContainerID= ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL= SourceDynamicAddressGroup= DestinationDynamicAddressGroup= TimeGeneratedHighResolution=2021-09-21T02:13:03.915000Z NSSAINetworkSliceDifferentiator=0 NSSAINetworkSliceType=0 ProtocolDataUnitsessionID=0 devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ
The following table identifies the Tunnel field names that the Log Forwarding app
uses when you forward logs using the LEEF log format.
When you
create a syslog forwarding profile
,
you can optionally create a profile token that the Log
Forwarding app uses when it sends logs to the syslog server. If you configure a profile token,
it appears in the log line immediately after the log type information (for example,
TRAFFIC, THREAT,
HIPMATCH, and so forth). The token will appear on
a parameter called profileToken.
LEEF Name
|
Query Name
|
Field Type
|
---|---|---|
AccessPointName
|
Custom
| |
EventID
|
Header
| |
ActionSource
|
Custom
| |
Application
|
Custom
| |
ApplicationCategory
|
Custom
| |
ApplicationSubcategory
|
Custom
| |
dstBytes
|
Predefined
| |
srcBytes
|
Predefined
| |
Bytes
|
Custom
| |
ConfigVersion
|
Custom
| |
ContainerID
|
Custom
| |
ApplicationContainer
|
Custom
| |
ContentVersion
|
Custom
| |
RepeatCount
|
Custom
| |
LoggingServiceID
|
Custom
| |
DestinationDeviceClass
|
Custom
| |
DestinationDeviceMac
|
Custom
| |
DestinationDeviceModel
|
Custom
| |
DestinationDeviceOS
|
Custom
| |
DestinationDeviceVendor
|
Custom
| |
DestinationDynamicAddressGroup
|
Custom
| |
DestinationEDL
|
Custom
| |
dst
|
Predefined
| |
DestinationLocation
|
Custom
| |
dstPort
|
Predefined
| |
DestinationUser
|
Custom
| |
DestinationUserDomain
|
Custom
| |
DestinationUserName
|
Custom
| |
DestinationUserUUID
|
Custom
| |
DestinationUUID
|
Custom
| |
DGHierarchyLevel1
|
Custom
| |
DGHierarchyLevel2
|
Custom
| |
DGHierarchyLevel3
|
Custom
| |
DGHierarchyLevel4
|
Custom
| |
DynamicUserGroupName
|
Custom
| |
FromZone
|
Custom
| |
InboundInterface
|
Custom
| |
InboundInterfaceDetailsPort
|
Custom
| |
InboundInterfaceDetailsSlot
|
Custom
| |
InboundInterfaceDetailsType
|
Custom
| |
InboundInterfaceDetailsUnit
|
Custom
| |
CaptivePortal
|
Custom
| |
IsClienttoServer
|
Custom
| |
IsContainer
|
Custom
| |
IsDecryptMirror
|
Custom
| |
IsDecryptedPayloadForward
|
Custom
| |
IsDecryptedLog
|
Custom
| |
IsDuplicateLog
|
Custom
| |
LogExported
|
Custom
| |
LogForwarded
|
Custom
| |
IsIPV6
|
Custom
| |
IsInspectionBeforeSession
|
Custom
| |
IsMptcpOn
|
Custom
| |
NAT
|
Custom
| |
IsNonStandardDestinationPort
|
Custom
| |
IsPacketCapture
|
Custom
| |
IsPhishing
|
Custom
| |
IsPrismaNetwork
|
Custom
| |
IsPrismaUsers
|
Custom
| |
IsProxy
|
Custom
| |
IsReconExcluded
|
Custom
| |
IsSaaSApplication
|
Custom
| |
IsServertoClient
|
Custom
| |
IsSourceXForwarded
|
Custom
| |
IsSystemReturn
|
Custom
| |
IsTransaction
|
Custom
| |
IsTunnelInspected
|
Custom
| |
IsURLDenied
|
Custom
| |
LogSetting
|
Custom
| |
LogSource
|
Custom
| |
LogSourceGroupID
|
Custom
| |
DeviceSN
|
Custom
| |
DeviceName
|
Custom
| |
LogSourceTimeZoneOffset
|
Custom
| |
TimeReceived
|
Custom
| |
cat
|
Predefined
| |
MobileAreaCode
|
Custom
| |
MobileBaseStationCode
|
Custom
| |
MobileCountryCode
|
Custom
| |
MobileIP
|
Custom
| |
MobileNetworkCode
|
Custom
| |
MobileSubscriberISDN
|
Custom
| |
IMEI
|
Custom
| |
dstPostNAT
|
Predefined
| |
dstPostNATPort
|
Predefined
| |
srcPostNAT
|
Predefined
| |
srcPostNATPort
|
Predefined
| |
NonStandardDestinationPort
|
Custom
| |
NSSAINetworkSliceDifferentiator
|
Custom
| |
NSSAINetworkSliceType
|
Custom
| |
OutboundInterface
|
Custom
| |
OutboundInterfaceDetailsPort
|
Custom
| |
OutboundInterfaceDetailsSlot
|
Custom
| |
OutboundInterfaceDetailsType
|
Custom
| |
OutboundInterfaceDetailsUnit
|
Custom
| |
PacketsDroppedMax
|
Custom
| |
PacketsDroppedStrict
|
Custom
| |
PacketsDroppedTunnel
|
Custom
| |
PacketsDroppedProtocol
|
Custom
| |
dstPackets
|
Predefined
| |
srcPackets
|
Predefined
| |
totalPackets
|
Predefined
| |
PanoramaSN
|
Custom
| |
ParentSessionID
|
Custom
| |
ParentStarttime
|
Custom
| |
ProtocolDataUnitsessionID
|
Custom
| |
PlatformType
|
Custom
| |
ContainerName
|
Custom
| |
ContainerNameSpace
|
Custom
| |
proto
|
Predefined
| |
RadioAccessTechnology
|
Custom
| |
ApplicationRisk
|
Custom
| |
Rule
|
Custom
| |
RuleUUID
|
Custom
| |
SanctionedStateofApp
|
Custom
| |
SequenceNo
|
Custom
| |
SessionOwnerMidx
|
Custom
| |
SessionEndReason
|
Custom
| |
SessionID
|
Custom
| |
startTime
|
Predefined
| |
SessionTracker
|
Custom
| |
Severity
|
Custom
| |
SourceDeviceClass
|
Custom
| |
SourceDeviceMac
|
Custom
| |
SourceDeviceModel
|
Custom
| |
SourceDeviceOS
|
Custom
| |
SourceDeviceVendor
|
Custom
| |
SourceDynamicAddressGroup
|
Custom
| |
SourceEDL
|
Custom
| |
src
|
Predefined
| |
SourceLocation
|
Custom
| |
srcPort
|
Predefined
| |
usrName
|
Predefined
| |
SourceUserDomain
|
Custom
| |
SourceUserName
|
Custom
| |
SourceUserUUID
|
Custom
| |
SourceUUID
|
Custom
| |
StandardPortsOfApp
|
Custom
| |
SubType
|
Custom
| |
ApplicationTechnology
|
Custom
| |
devTime
|
Predefined
| |
TimeGeneratedHighResolution
|
Custom
| |
ToZone
|
Custom
| |
SessionDuration
|
Custom
| |
Tunnel
|
Custom
| |
TunnelCauseCode
|
Custom
| |
TunnelEndpointID1
|
Custom
| |
TunnelEndpointID2
|
Custom
| |
TunnelEventCode
|
Custom
| |
TunnelEventType
|
Custom
| |
TunnelInspectionRule
|
Custom
| |
TunnelInterface
|
Custom
| |
TunnelMessageType
|
Custom
| |
TunnelRemoteIMSIID
|
Custom
| |
TunnelRemoteUserIP
|
Custom
| |
TunnelSessionsClosed
|
Custom
| |
TunnelSessionsCreated
|
Custom
| |
TunneledApplication
|
Custom
| |
IMSI
|
Custom
| |
URLCategory
|
Custom
| |
Users
|
Custom
| |
Vendor
|
Header
| |
VendorSeverity
|
Custom
| |
VirtualLocation
|
Custom
| |
VirtualSystemID
|
Custom
| |
VirtualSystemName
|
Custom
|