Tunnel LEEF Fields

Table of Contents

Tunnel LEEF Fields

Example Tunnel log in LEEF:

Sep 21 02:13:19 xxx.xx.x.xx 2203 <14>1 2021-09-21T02:13:19.109Z stream-logfwd20-b7167985--09201842-8zwj-harness-cc98 logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|drop||TimeReceived=2021-09-21T02:13:18.000000Z	DeviceSN=xxxxxxxxxxxxx	cat=gtp	SubType=drop	ConfigVersion=10.1	devTime=2021-09-21T02:13:03.000000Z	src=xxx.xx.x.xx	dst=	srcPostNAT=xxx.xx.x.xx	dstPostNAT=xxx.xx.x.xx	Rule=allow-all-employees	usrName=paloaltonetwork\xxxxx	DestinationUser=paloaltonetwork\xxxxx	Application=rlogin	VirtualLocation=vsys1	FromZone=untrust	ToZone=ethernet4Zone-test1	InboundInterface=ethernet1/1	OutboundInterface=ethernet1/1	LogSetting=rs-logging	SessionID=396610	RepeatCount=1	srcPort=20679	dstPort=2619	srcPostNATPort=8544	dstPostNATPort=27147	proto=tcp	TunnelEventType=51	MobileSubscriberISDN=	AccessPointName=	RadioAccessTechnology=11	TunnelMessageType=0	MobileIP=	TunnelEndpointID1=0	TunnelEndpointID2=0	TunnelInterface=0	TunnelCauseCode=0	VendorSeverity=Unused	MobileCountryCode=0	MobileNetworkCode=0	MobileAreaCode=0	MobileBaseStationCode=0	TunnelEventCode=0	SequenceNo=7003061089432915273	SourceLocation=west-coast	DestinationLocation=BR	DGHierarchyLevel1=11	DGHierarchyLevel2=0	DGHierarchyLevel3=0	DGHierarchyLevel4=0	VirtualSystemName=	DeviceName=xxxxx	IMSI=0	IMEI=	ParentSessionID=0	ParentStarttime=1970-01-01T00:00:00.000000Z	Tunnel=HTTP2-CONNECTION	Bytes=7102726800694	srcBytes=58980433922	dstBytes=7043746366772	totalPackets=1632190399	srcPackets=1632190349	dstPackets=50	PacketsDroppedMax=0	PacketsDroppedProtocol=724238337	PacketsDroppedStrict=0	PacketsDroppedTunnel=45	TunnelSessionsCreated=536936689	TunnelSessionsClosed=-1107230720	SessionEndReason=aged-out	ActionSource=	startTime=1970-01-01T00:00:03.000000Z	SessionDuration=-121241600	TunnelInspectionRule=	TunnelRemoteUserIP=	TunnelRemoteIMSIID=0	RuleUUID=d0658a8e-c749-4b1c-a7dc-3247de1c94e7	DynamicUserGroupName=	ContainerID=	ContainerNameSpace=	ContainerName=	SourceEDL=	DestinationEDL=	SourceDynamicAddressGroup=	DestinationDynamicAddressGroup=	TimeGeneratedHighResolution=2021-09-21T02:13:03.915000Z	NSSAINetworkSliceDifferentiator=0	NSSAINetworkSliceType=0	ProtocolDataUnitsessionID=0	devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ

The following table identifies the Tunnel field names that the Log Forwarding app uses when you forward logs using the LEEF log format.

When you create a syslog forwarding profile , you can optionally create a profile token that the Log Forwarding app uses when it sends logs to the syslog server. If you configure a profile token, it appears in the log line immediately after the log type information (for example, TRAFFIC, THREAT, HIPMATCH, and so forth). The token will appear on a parameter called profileToken.

LEEF Name	Query Name	Field Type
AccessPointName	access_point_name	Custom
EventID	action.value	Header
ActionSource	action_source.value	Custom
Application	app	Custom
ApplicationCategory	app_category	Custom
ApplicationSubcategory	app_sub_category	Custom
dstBytes	bytes_received	Predefined
srcBytes	bytes_sent	Predefined
Bytes	bytes_total	Custom
ConfigVersion	config_version.value	Custom
ContainerID	container_id	Custom
ApplicationContainer	container_of_app	Custom
ContentVersion	content_version	Custom
RepeatCount	count_of_repeats	Custom
LoggingServiceID	customer_id	Custom
DestinationDeviceClass	dest_device_class	Custom
DestinationDeviceMac	dest_device_mac	Custom
DestinationDeviceModel	dest_device_model	Custom
DestinationDeviceOS	dest_device_os	Custom
DestinationDeviceVendor	dest_device_vendor	Custom
DestinationDynamicAddressGroup	dest_dynamic_address_group	Custom
DestinationEDL	dest_edl	Custom
dst	dest_ip.value	Predefined
DestinationLocation	dest_location	Custom
dstPort	dest_port	Predefined
DestinationUser	dest_user	Custom
DestinationUserDomain	dest_user_info.domain	Custom
DestinationUserName	dest_user_info.name	Custom
DestinationUserUUID	dest_user_info.uuid	Custom
DestinationUUID	dest_uuid	Custom
DGHierarchyLevel1	dg_hier_level_1	Custom
DGHierarchyLevel2	dg_hier_level_2	Custom
DGHierarchyLevel3	dg_hier_level_3	Custom
DGHierarchyLevel4	dg_hier_level_4	Custom
DynamicUserGroupName	dynusergroup_name	Custom
FromZone	from_zone	Custom
InboundInterface	inbound_if.value	Custom
InboundInterfaceDetailsPort	inbound_if_details.port	Custom
InboundInterfaceDetailsSlot	inbound_if_details.slot	Custom
InboundInterfaceDetailsType	inbound_if_details.type.value	Custom
InboundInterfaceDetailsUnit	inbound_if_details.unit	Custom
CaptivePortal	is_captive_portal	Custom
IsClienttoServer	is_client_to_server	Custom
IsContainer	is_container	Custom
IsDecryptMirror	is_decrypt_mirror	Custom
IsDecryptedPayloadForward	is_decrypted_payload_fwded	Custom
IsDecryptedLog	is_decryption_log	Custom
IsDuplicateLog	is_dup_log	Custom
LogExported	is_exported	Custom
LogForwarded	is_forwarded	Custom
IsIPV6	is_ipv6	Custom
IsInspectionBeforeSession	is_l7_inspection_b4_session	Custom
IsMptcpOn	is_mptcp_on	Custom
NAT	is_nat	Custom
IsNonStandardDestinationPort	is_non_std_dest_port	Custom
IsPacketCapture	is_packet_capture	Custom
IsPhishing	is_phishing	Custom
IsPrismaNetwork	is_prisma_branch	Custom
IsPrismaUsers	is_prisma_mobile	Custom
IsProxy	is_proxy	Custom
IsReconExcluded	is_recon_excluded	Custom
IsSaaSApplication	is_saas_app	Custom
IsServertoClient	is_server_to_client	Custom
IsSourceXForwarded	is_source_x_fwded	Custom
IsSystemReturn	is_sym_return	Custom
IsTransaction	is_transaction	Custom
IsTunnelInspected	is_tunnel_inspected	Custom
IsURLDenied	is_url_denied	Custom
LogSetting	log_set	Custom
LogSource	log_source	Custom
LogSourceGroupID	log_source_group_id	Custom
DeviceSN	log_source_id	Custom
DeviceName	log_source_name	Custom
LogSourceTimeZoneOffset	log_source_tz_offset	Custom
TimeReceived	log_time	Custom
cat	log_type.value	Predefined
MobileAreaCode	mobile_area_code	Custom
MobileBaseStationCode	mobile_base_station_code	Custom
MobileCountryCode	mobile_country_code	Custom
MobileIP	mobile_ip.value	Custom
MobileNetworkCode	mobile_network_code	Custom
MobileSubscriberISDN	mobile_subscriber_isdn	Custom
IMEI	monitor_tag_imei	Custom
dstPostNAT	nat_dest.value	Predefined
dstPostNATPort	nat_dest_port	Predefined
srcPostNAT	nat_source.value	Predefined
srcPostNATPort	nat_source_port	Predefined
NonStandardDestinationPort	non_standard_dest_port	Custom
NSSAINetworkSliceDifferentiator	nssai_network_slice_differentiator.value	Custom
NSSAINetworkSliceType	nssai_network_slice_type.value	Custom
OutboundInterface	outbound_if.value	Custom
OutboundInterfaceDetailsPort	outbound_if_details.port	Custom
OutboundInterfaceDetailsSlot	outbound_if_details.slot	Custom
OutboundInterfaceDetailsType	outbound_if_details.type.value	Custom
OutboundInterfaceDetailsUnit	outbound_if_details.unit	Custom
PacketsDroppedMax	packets_dropped_max_encap	Custom
PacketsDroppedStrict	packets_dropped_strict_check	Custom
PacketsDroppedTunnel	packets_dropped_tunnel_frag	Custom
PacketsDroppedProtocol	packets_dropped_ukn_proto	Custom
dstPackets	packets_received	Predefined
srcPackets	packets_sent	Predefined
totalPackets	packets_total	Predefined
PanoramaSN	panorama_serial	Custom
ParentSessionID	parent_session_id	Custom
ParentStarttime	parent_start_time	Custom
ProtocolDataUnitsessionID	pdu_session_id	Custom
PlatformType	platform_type	Custom
ContainerName	pod_name	Custom
ContainerNameSpace	pod_namespace	Custom
proto	protocol.value	Predefined
RadioAccessTechnology	radio_access_technology	Custom
ApplicationRisk	risk_of_app	Custom
Rule	rule_matched	Custom
RuleUUID	rule_matched_uuid	Custom
SanctionedStateofApp	sanctioned_state_of_app	Custom
SequenceNo	sequence_no	Custom
SessionOwnerMidx	sess_owner_rt_midx	Custom
SessionEndReason	session_end_reason.value	Custom
SessionID	session_id	Custom
startTime	session_start_time	Predefined
SessionTracker	session_tracker	Custom
Severity	severity	Custom
SourceDeviceClass	source_device_class	Custom
SourceDeviceMac	source_device_mac	Custom
SourceDeviceModel	source_device_model	Custom
SourceDeviceOS	source_device_os	Custom
SourceDeviceVendor	source_device_vendor	Custom
SourceDynamicAddressGroup	source_dynamic_address_group	Custom
SourceEDL	source_edl	Custom
src	source_ip.value	Predefined
SourceLocation	source_location	Custom
srcPort	source_port	Predefined
usrName	source_user	Predefined
SourceUserDomain	source_user_info.domain	Custom
SourceUserName	source_user_info.name	Custom
SourceUserUUID	source_user_info.uuid	Custom
SourceUUID	source_uuid	Custom
StandardPortsOfApp	standard_ports_of_app	Custom
SubType	sub_type.value	Custom
ApplicationTechnology	technology_of_app	Custom
devTime	time_generated	Predefined
TimeGeneratedHighResolution	time_generated_high_res	Custom
ToZone	to_zone	Custom
SessionDuration	total_time_elapsed	Custom
Tunnel	tunnel.value	Custom
TunnelCauseCode	tunnel_cause_code	Custom
TunnelEndpointID1	tunnel_endpoint_id_1	Custom
TunnelEndpointID2	tunnel_endpoint_id_2	Custom
TunnelEventCode	tunnel_event_code	Custom
TunnelEventType	tunnel_event_type	Custom
TunnelInspectionRule	tunnel_inspection_rule	Custom
TunnelInterface	tunnel_interface	Custom
TunnelMessageType	tunnel_message_type	Custom
TunnelRemoteIMSIID	tunnel_remote_imsi_id	Custom
TunnelRemoteUserIP	tunnel_remote_user_ip.value	Custom
TunnelSessionsClosed	tunnel_sessions_closed	Custom
TunnelSessionsCreated	tunnel_sessions_created	Custom
TunneledApplication	tunneled_app	Custom
IMSI	tunnelid_imsi	Custom
URLCategory	url_category.value	Custom
Users	users	Custom
Vendor	vendor_name	Header
VendorSeverity	vendor_severity.value	Custom
VirtualLocation	vsys	Custom
VirtualSystemID	vsys_id	Custom
VirtualSystemName	vsys_name	Custom

Tunnel HTTPS Fields

URL

Strata Logging Service Docs

Tunnel LEEF Fields

Strata Logging Service Docs

Tunnel LEEF Fields

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner