Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
N/A | N/A | N/A | deviceVendor |
N/A | N/A | N/A | deviceProduct |
N/A | N/A | N/A | Version |
N/A | <vmid> | Text/String | LogType |
N/A | <command> | Text/String | SubType |
N/A | <severity> | Number | deviceSeverity |
ProfileToken | N/A | N/A | N/A |
dtz | N/A | N/A | N/A |
rt | N/A | N/A | Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
PanOSDeviceSN | N/A | N/A | ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. |
PanOSConfigVersion | N/A | N/A | Version number of the firewall operating system that wrote this log record, in major.minor format. |
start | N/A | N/A | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
src | <sip> | IP Address | Original source IP address. |
dst | <dip> | IP Address | Original destination IP address. |
sourceTranslatedAddress | <snatip> | IP Address | If source NAT was performed, the post-NAT source IP address. |
destinationTranslatedAddress | <dnatip> | IP Address | If destination NAT was performed, the post-NAT destination IP address. |
cs1 | N/A | N/A | Name of the security policy rule that the network traffic matched. |
cs1Label | N/A | N/A | N/A |
susername | <login> | Text/String | The username that initiated the network traffic. |
dusername | <account> | Text/String | The username to which the network traffic was destined. |
app | N/A | N/A | Application associated with the network traffic. |
cs3 | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. |
cs3Label | N/A | N/A | N/A |
cs4 | N/A | N/A | The networking zone from which the traffic originated. |
cs4Label | N/A | N/A | N/A |
cs5 | N/A | N/A | Networking zone to which the traffic was sent. |
cs5Label | N/A | N/A | N/A |
deviceInboundInterface | <sinterface> | Text/String | Interface from which the network traffic was sourced. |
deviceOutboundInterface | <dinterface> | Text/String | Interface to which the network traffic was destined. |
cs6 | N/A | N/A | Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator. |
cs6Label | N/A | N/A | N/A |
PanOSTimeReceivedManagementPlane | N/A | N/A | Time the log was received in the management plane in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. |
cn1 | N/A | N/A | Identifies the firewall's internal identifier for a specific network session. |
cn1Label | N/A | N/A | N/A |
cnt | N/A | N/A | Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval. |
spt | <sport> | Number | Source port utilized by the session. |
dpt | <dport> | Number | Network traffic's destination port. If this value is 0, then the app is using its standard port. |
sourceTranslatedPort | <snatport> | Number | Post-NAT source port. |
destinationTranslatedPort | <dnatport> | Number | Post-NAT destination port. |
proto | <protname> | Text/String | IP protocol associated with the session. |
act | <action> | Text/String | Identifies the action that the firewall took for the network traffic. |
PanOSTunnel | N/A | N/A | Type of tunnel. |
PanOSSourceUUID | N/A | N/A | Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment. |
PanOSDestinationUUID | N/A | N/A | Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment. |
PanOSRuleUUID | N/A | N/A | Unique identifier for the security policy rule that the network traffic matched. |
PanOSClientToFirewall | N/A | N/A | The direction of the SSL/TLS connection is from the client to the firewall. |
PanOSFirewallToClient | N/A | N/A | The direction of the SSL/TLS connection is from the firewall to the client. |
PanOSTLSVersion | N/A | N/A | Version of TLS used for the encrypted session represented as major.minor.patch.build. |
PanOSTLSKeyExchange | N/A | N/A | Algorithm used to perform the key exchange. Possible values are: |
PanOSTLSEncryptionAlgorithm | N/A | N/A | The algorithm used to encrypt the session data, such as AES-128-CBC, AES-256-GCM, and so forth. |
PanOSTLSAuth | N/A | N/A | TLS hash algorithm. |
PanOSPolicyName | <policy> | Text/String | The name of the Decryption policy associated with the session. |
PanOSEllipticCurve | N/A | N/A | The elliptic cryptography curve that the client and server negotiate and use for connections that use ECDHE cipher suites. |
PanOSErrorIndex | N/A | N/A | The elliptic cryptography curve that the client and server negotiate and use for connections that use ECDHE cipher suites. |
PanOSRootStatus | N/A | N/A | The status of the root certificate, for example, trusted, untrusted, or uninspected. |
PanOSChainStatus | N/A | N/A | The certificate chain verification status. Possible values are: |
PanOSProxyType | N/A | N/A | The Decryption proxy type, such as Forward for Forward Proxy, Inbound for Inbound Inspection, No Decrypt for undecrypted traffic, Decryption Broker, GlobalProtect, and so forth. |
PanOSCertificateSerial | N/A | N/A | The certificate's serial number. |
PanOSFingerprint | N/A | N/A | A hash of the certificate in X.509 binary format. |
PanOSTimeNotBefore | N/A | N/A | Timestamp date before which the certificate is not yet valid. |
PanOSTimeNotAfter | N/A | N/A | Timestamp date after which the certificate is no longer valid. |
PanOSCertificateVersion | N/A | N/A | The certificate's version number. |
PanOSCertificateSize | N/A | N/A | The size of the certificate. |
PanOSCommonNameLength | N/A | N/A | The length of the common name found on the certificate's domain name before truncation (if any). |
PanOSIssuerNameLength | N/A | N/A | The length of the issuer's common name before truncation (if any). |
PanOSRootCNLength | N/A | N/A | The length of the root CA's common name before truncation (if any). |
PanOSSNILength | N/A | N/A | The length of the server name indication (SNI), which is the hostname of the server that the client is trying to reach. This is the full length of the SNI before any truncation might have occurred. |
PanOSCertificateFlags | N/A | N/A | Internal-use-only bit field containing raw decryption information as generated at the firewall. The information in this bit field is reflected in other decryption log fields. |
PanOSCommonName | N/A | N/A | The common name found on the certificate's domain name. |
PanOSIssuerCommonName | N/A | N/A | The name of the organization that verified the certificate's contents. |
PanOSRootCommonName | N/A | N/A | The name of the root certificate authority. |
PanOSServerNameIndication | N/A | N/A | The hostname of the server that the client is trying to contact. |
PanOSErrorMessage | N/A | N/A | The error message content. |
PanOSContainerID | N/A | N/A | Unknown field. No information is available at this time. |
PanOSContainerNameSpace | N/A | N/A | Container namespace. |
PanOSContainerName | N/A | N/A | Container name. |
PanOSSourceEDL | N/A | N/A | The name of the external dynamic list that contains the source IP address of the traffic. |
PanOSDestinationEDL | N/A | N/A | The name of the external dynamic list that contains the destination IP address of the traffic. |
PanOSSourceDynamicAddressGroup | N/A | N/A | The dynamic address group that Device-ID identifies as the source of the traffic. |
PanOSDestinationDynamicAddressGroup | N/A | N/A | The dynamic address group that Device-ID identifies as the destination for the traffic. |
PanOSTimeGeneratedHighResolution | N/A | N/A | Time the log was generated in the data plane with millisecond granularity, in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. |
PanOSSourceDeviceCategory | N/A | N/A | Category of the device from which the session originated. |
PanOSSourceDeviceProfile | N/A | N/A | Profile of the device from which the session originated. |
PanOSSourceDeviceModel | N/A | N/A | Model of the device from which the session originated. |
PanOSSourceDeviceVendor | N/A | N/A | Vendor of the device from which the session originated. |
PanOSSourceDeviceOSFamily | N/A | N/A | OS family of the device from which the session originated. |
PanOSSourceDeviceOSVersion | N/A | N/A | OS version of the device from which the session originated. |
PanOSSourceDeviceHost | <sname> | Text/String | Hostname of the device from which the session originated. |
PanOSSourceDeviceMac | <smac> | Text/String | MAC address of the device from which the session originated. |
PanOSDestinationDeviceCategory | N/A | N/A | Category of the device to which the session was directed. |
PanOSDestinationDeviceProfile | N/A | N/A | Profile of the device to which the session was directed. |
PanOSDestinationDeviceModel | N/A | N/A | Model of the device to which the session was directed. |
PanOSDestinationDeviceVendor | N/A | N/A | Vendor of the device to which the session was directed. |
PanOSDestinationDeviceOSFamily | N/A | N/A | OS family of the device to which the session was directed. |
PanOSDestinationDeviceOSVersion | N/A | N/A | OS version of the device to which the session was directed. |
PanOSDestinationDeviceHost | <dname> | Text/String | Hostname of the device to which the session was directed. |
PanOSDestinationDeviceMac | <dmac> | Text/String | MAC address of the device to which the session was directed. |
externalId | N/A | N/A | The log entry identifier, which is incremented sequentially. Each log type has a unique number space. |
PanOSApplicationCategory | N/A | N/A | Identifies the high-level family of the application. |
PanOSApplicationSubcategory | N/A | N/A | Identifies the application's subcategory. The subcategory is related to the application's category, which is identified in category_of_app. |
PanOSApplicationCharacteristics | N/A | N/A | Identifies the behavioral characteristic of the application associated with the network traffic. |
PanOSApplicationContainer | N/A | N/A | Identifies the managing application or parent of the application associated with this network traffic. |
PanOSCpadding | N/A | N/A | For internal use only. |
PanOSCortexDataLakeTenantID | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. |
PanOSDestinationDeviceClass | N/A | N/A | Destination device class. |
PanOSDestinationDeviceOS | N/A | N/A | Destination device OS type. |
PanOSDestinationLocation | N/A | N/A | Destination country or internal region for private addresses. |
dntdom | <domainimpacted> | Text/String | Domain to which the Destination User belongs. |
duid | N/A | N/A | Unique identifier assigned to the Destination User. |
PanOSDGHierarchyLevel1 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
PanOSDGHierarchyLevel2 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
PanOSDGHierarchyLevel3 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
PanOSDGHierarchyLevel4 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
PanOSDomain | N/A | N/A | The subject common name; that is, the name of the server that the certificate protects. |
PanOSInboundInterfaceDetailsPort | N/A | N/A | Hardware port or socket from which the network traffic was sourced. |
PanOSInboundInterfaceDetailsSlot | N/A | N/A | Interface slot from which the network traffic was sourced. |
PanOSInboundInterfaceDetailsType | N/A | N/A | The type of interface from which the network traffic was sourced. |
PanOSInboundInterfaceDetailsUnit | N/A | N/A | Internal use. |
PanOSCaptivePortal | N/A | N/A | Indicates if user information for the session was captured through Captive Portal. |
PanOSIsCertECDSA | N/A | N/A | The certificate key exchange algorithm used for the session is ECDSA. |
PanOSIsCertRSA | N/A | N/A | The certificate key exchange algorithm used for the session is RSA. |
PanOSIsCertCNTruncated | N/A | N/A | Indicates whether the common name found on the certificate has been truncated due to buffer limits. |
PanOSIsClienttoServer | N/A | N/A | Indicates if the direction of traffic is from client to server. |
PanOSIsContainer | N/A | N/A | Indicates if the session is a container page access (Container Page). |
PanOSIsDecryptMirror | N/A | N/A | Indicates whether decrypted traffic was sent out in clear text through a mirror port. |
PanOSIsDecrypted | N/A | N/A | Flag that indicates that the session is decrypted. |
PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector. |
PanOSIsEncrypted | N/A | N/A | Flag that indicates that the session is encrypted. |
PanOSLogExported | N/A | N/A | Indicates if this log was exported from the firewall using the firewall's log export function. |
PanOSIsForwarded | N/A | N/A | Internal-use field that indicates if the log is being forwarded. |
PanOSIsIPV6 | N/A | N/A | Indicates whether IPv6 was used for the session. |
PanOSIsIssuerCNTruncated | N/A | N/A | Indicates whether the common name used by the certificate's issuer has been truncated due to buffer limits. |
PanOSIsMptcpOn | N/A | N/A | Indicates whether the option is enabled on the next-generation firewall that allows a client to use multiple paths to connect to a destination host. |
PanOSIsNAT | N/A | N/A | Indicates if the firewall is performing network address translation (NAT) for the logged traffic. |
PanOSIsNonStandardDestinationPort | N/A | N/A | Indicates if the destination port is non-standard. |
PanOSPacketCapture | N/A | N/A | Indicates whether the session has a packet capture (PCAP). |
PanOSIsPhishing | N/A | N/A | Indicates whether enterprise credentials were submitted by an end user. |
PanOSIsPrismaNetwork | N/A | N/A | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. |
PanOSIsPrismaUsers | N/A | N/A | Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. |
PanOSIsProxy | N/A | N/A | Indicates whether the SSL session is decrypted (SSL Proxy). |
PanOSIsReconExcluded | N/A | N/A | Indicates whether the source for the flow is on the firewall allow list and not subject to recon protection. |
PanOSIsResumeSession | N/A | N/A | Indicates that the decryption session was previously interrupted and is now resuming. |
PanOSIsRootCNTruncated | N/A | N/A | Indicates whether the common name used for the root CA has been truncated due to buffer limits. |
PanOSIsSaaSApplication | N/A | N/A | Internal-use field. Indicates whether the application associated with this network traffic is a SaaS application. |
PanOSIsServertoClient | N/A | N/A | Indicates if the direction of traffic is from server to client. |
PanOSIsSNITruncated | N/A | N/A | Indicates whether the server name indication (SNI), which is the hostname of the server that the client is trying to reach, has been truncated due to buffer limits. |
PanOSIsSourceXForwarded | N/A | N/A | Indicates whether the X-Forwarded-For value from a proxy is in the source user field. |
PanOSIsSystemReturn | N/A | N/A | Indicates whether symmetric return was used to forward traffic for this session. |
PanOSIsTransaction | N/A | N/A | Indicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction). |
PanOSIsTunnelInspected | N/A | N/A | Indicates whether the payload for the outer tunnel was inspected. |
PanOSIsURLDenied | N/A | N/A | Indicates whether the session was denied due to a URL filtering rule. |
PanOSLogSource | N/A | N/A | Identifies the origin of the data. That is, the system that produced the data. |
PanOSDeviceName | N/A | N/A | Name of the source of the log. That is, the hostname of the firewall that logged the network traffic. |
PanOSLogSourceTimeZoneOffset | N/A | N/A | Time Zone offset from GMT of the source of the log. |
PanOSOutboundInterfaceDetailsPort | N/A | N/A | Hardware port or socket to which the network traffic was sent. |
PanOSOutboundInterfaceDetailsSlot | N/A | N/A | Interface slot to which the network traffic was sent. |
PanOSOutboundInterfaceDetailsType | N/A | N/A | The type of interface to which the network traffic was sent. |
PanOSOutboundInterfaceDetailsUnit | N/A | N/A | Internal use. |
PanOSPadding | N/A | N/A | For internal use only. |
PanOSPadding3 | N/A | N/A | For internal use only. |
PanOSApplicationRisk | N/A | N/A | Indicates how risky the application is from a network security perspective. |
PanOSSanctionedStateOfApp | N/A | N/A | Indicates whether the application has been flagged as sanctioned by the firewall administrator. |
PanOSSourceDeviceClass | N/A | N/A | Source device class. |
PanOSSourceDeviceOS | N/A | N/A | Source device OS type. |
PanOSSourceLocation | N/A | N/A | Source country or internal region for private addresses. |
sntdom | <domainorigin> | Text/String | Domain to which the Source User belongs. |
suid | N/A | N/A | Unique identifier assigned to the Source User. |
PanOSApplicationTechnology | N/A | N/A | The networking technology used by the identified application. |
PanOSTpadding | N/A | N/A | For internal use only. |
PanOSTunneledApplication | N/A | N/A | For internal use only. |
PanOSVpadding | N/A | N/A | For internal use only. |
PanOSVirtualSystemID | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
PanOSVirtualSystemName | N/A | N/A | The name of the virtual system associated with the network traffic. |