
General System Event

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
| --- | --- | --- | --- |
| General System Event | Base Rule | Information | General System Message |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| N/A | N/A | N/A | deviceVendor |
| N/A | N/A | N/A | deviceProduct |
| N/A | N/A | N/A | Version |
| N/A | N/A | N/A | LogType |
| N/A | <vmid> | Text/String | SubType |
| N/A | <severity> | Number | deviceSeverity |
| ProfileToken | N/A | N/A | N/A |
| dtz | N/A | N/A | N/A |
| rt | N/A | N/A | Time the log was received in Cortex Data Lake. This is populated by the platform. |
| deviceExternalId | <serialnumber> | Text/String/Number | ID that uniquely identifies the source of the log. If the source is a firewall, this is its serial number. If the source is TMS, this is the trapsID. |
| PanOSConfigVersion | N/A | N/A | Config version converted to string represented as major.minor.patch.build in value and as hex in ID. |
| PanOSAgentContentVersion | N/A | N/A | Version of the agent content that is installed on the endpoint. |
| PanOSAgentDataCollectionStatus | N/A | N/A | Indicates whether data related to another product (for example, EDR) is being collected by the agent. |
| PanOSAgentID | N/A | N/A | Unique identifier for the agent at the endpoint. |
| PanOSAgentIsolationStatus | <result> | Text/String | Indicates whether the agent is isolated. Usually, agents are isolated if they have been compromised. |
| PanOSAgentStatus | <status> | Text/String | The protection status set for the endpoint. |
| PanOSAgentTimeZoneOffset | N/A | N/A | Effective endpoint time zone offset from UTC, in minutes. |
| PanOSAgentVersion | N/A | N/A | Version of the agent at the endpoint. |
| PanOSEndpointCPUArchitecture | N/A | N/A | The architecture of the OS type that the endpoint is running. |
| PanOSEndpointDeviceDomain | N/A | N/A | Domain to which the endpoint belongs. |
| PanOSEndpointDeviceName | N/A | N/A | Hostname of the endpoint on which the event was logged. |
| PanOSEndpointIPaddress | <dip> | IP Address | IP address of the source of the event. |
| PanOSEndpointOSType | N/A | N/A | The operating system on which the endpoint is running. |
| PanOSEndpointOSVersion | N/A | N/A | The version of the operating system running on the endpoint. |
| PanOSEndpointUserDomain | <domainimpacted> | Text/String | Domain of the user who was logged into the endpoint at the time of the system event. |
| PanOSEndpointUserName | <account> | Text/String | The name of the user logged into the endpoint at the time of the system event. |
| PanOSEndpointUserUUID | N/A | N/A | The endpoint user's unique ID. |
| PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector. |
| PanOSIsPrismaNetwork | N/A | N/A | If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. |
| PanOSIsPrismaUsers | N/A | N/A | If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. |
| cat | <vendorinfo> | Text/String | The log category. |
| PanOSLogExported | N/A | N/A | Indicates if this log was exported from the firewall using the firewall's log export function. |
| PanOSLogForwarded | N/A | N/A | Indicates if the log is being forwarded. |
| PanOSLogSource | N/A | N/A | Identifies the origin of the data. That is, the system that produced the data. |
| PanOSLogSourceTimeZoneOffset | N/A | N/A | Time Zone offset from GMT of the source of the log. |
| PanOSSeverity | N/A | N/A | Severity as defined by the platform. |
| PanOSTenantID | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. |
| PanOSVDIEndpoint | N/A | N/A | Indicates whether the endpoint is a virtual desktop infrastructure (VDI). 0—The endpoint is not a VDI, 1—The endpoint is a VDI. |
| PanOSVirtualSystemID | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
| PanOSEventTime | N/A | N/A | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| cs3 | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. |
| cs3Label | N/A | N/A | N/A |
| act | <action> | Text/String | Name of the system event. |
| fname | <object> | Text/String | The component associated with the event. For example, the object from a firewall. |
| msg | <subject> | Text/String | Description of the system event. |
| externalId | N/A | N/A | The log entry identifier, which is incremented sequentially. Each log type has a unique number space. |
| PanOSDGHierarchyLevel1 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSDGHierarchyLevel2 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSDGHierarchyLevel3 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSDGHierarchyLevel4 | N/A | N/A | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. |
| PanOSVirtualSystemName | N/A | N/A | The name of the virtual system associated with the network traffic. |
| dvchost | N/A | N/A | Name of the source of the log. If the source is a firewall, this is the device_name value. If the source is TMS, this is either the customer or tenant name. |
| PanOSDeviceGroup | N/A | N/A | The ID and the name of the device group the firewall is in. |
| PanOSTemplate | N/A | N/A | The ID and name of the template/template stack to which the firewall belonged where the log was generated. |
| PanOSTimeGeneratedHighResolution | N/A | N/A | Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHHMMSS[.DDDDDD]Z. |
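The following Python example, added here and not part of LogRhythm's or Palo Alto Networks' own parsing code, shows how the mapping table above can be applied to a raw CEF record: it splits the CEF header on unescaped pipes, parses the extension into key/value pairs (honouring the backslash escaping of `=` and `\`), then copies only the keys the table maps into their LogRhythm schema fields and reports which keys arrived unmapped (the table's N/A rows), which is a useful check when validating that a log source is actually populating the fields your rules depend on. It assumes the table's SubType and deviceSeverity rows correspond to the CEF Name and Severity header positions; the sample log line is constructed for illustration and does not reproduce any real device output.

```python
import re

# Extension keys from the mapping table that carry a LogRhythm schema field.
# Keys the table lists as N/A are deliberately absent and stay unmapped.
EXTENSION_TO_SCHEMA = {
    "deviceExternalId": "serialnumber",
    "PanOSAgentIsolationStatus": "result",
    "PanOSAgentStatus": "status",
    "PanOSEndpointIPaddress": "dip",
    "PanOSEndpointUserDomain": "domainimpacted",
    "PanOSEndpointUserName": "account",
    "cat": "vendorinfo",
    "act": "action",
    "fname": "object",
    "msg": "subject",
}

# CEF header positions (index 0 is the "CEF:0" prefix). Assumption: the table's
# SubType row is the CEF Name field (position 5) and deviceSeverity is the CEF
# Severity field (position 6).
HEADER_TO_SCHEMA = {5: "vmid", 6: "severity"}

# key=value pairs; a value runs until the next " key=" or end of string and
# may contain backslash escapes.
_EXT_PAIR = re.compile(
    r"(?P<key>[A-Za-z0-9_]+)=(?P<val>(?:\\.|[^\\=])*?)(?=\s+[A-Za-z0-9_]+=|\s*$)"
)


def _unescape(value):
    """Undo CEF extension escaping: \\= -> =, \\\\ -> \\, \\n and \\r -> line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def split_cef(line):
    """Return the 7 header fields and the raw extension string.
    Header fields escape '|' and '\\' with a backslash, so split by hand."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    return fields, line[i:]


def parse_extension(ext):
    """Parse the extension into a dict of unescaped key/value pairs."""
    return {m.group("key"): _unescape(m.group("val")) for m in _EXT_PAIR.finditer(ext)}


def map_to_logrhythm(line):
    """Project a CEF system-event record onto the LogRhythm schema fields from the table."""
    header, ext = split_cef(line)
    out = {field: header[pos] for pos, field in HEADER_TO_SCHEMA.items()}
    # The table types deviceSeverity as Number; keep the raw string if a producer sends text.
    try:
        out["severity"] = int(out["severity"])
    except ValueError:
        pass
    for key, value in parse_extension(ext).items():
        field = EXTENSION_TO_SCHEMA.get(key)
        if field:
            out[field] = value
    return out


def unmapped_keys(line):
    """Extension keys present in the record that the table maps to nothing (its N/A rows)."""
    _, ext = split_cef(line)
    return sorted(k for k in parse_extension(ext) if k not in EXTENSION_TO_SCHEMA)


# Constructed sample record (not real device output); note the escaped '=' in the user name.
SAMPLE_LINE = (
    "CEF:0|Palo Alto Networks|LF|2.0|SYSTEM|general|3|"
    "rt=Jan 01 2024 12:00:00 GMT deviceExternalId=0123456789 cat=general "
    "act=general fname=ha msg=HA Group 1: link monitoring failure "
    "PanOSEndpointIPaddress=10.1.2.3 PanOSEndpointUserName=svc\\=admin "
    "PanOSEndpointUserDomain=corp dvchost=fw-edge-01"
)

if __name__ == "__main__":
    print(map_to_logrhythm(SAMPLE_LINE))
    print("unmapped:", unmapped_keys(SAMPLE_LINE))
```

Running the block prints the schema fields for the constructed record and lists `dvchost` and `rt` as unmapped, matching their N/A rows in the table; feeding it a day of real records and watching for expected fields that never appear (an empty `account`, a missing `serialnumber`) is a cheap way to catch a collector or forwarder that is silently dropping extension keys.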