Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|
N/A | N/A | N/A | deviceVendor |
N/A | N/A | N/A | deviceProduct |
N/A | N/A | N/A | Version |
N/A | <vmid> | Text/String | LogType |
N/A | N/A | N/A | SubType |
N/A | <severity> | Number | deviceSeverity |
ProfileToken | N/A | N/A | N/A |
dtz | N/A | N/A | N/A |
rt | N/A | N/A | Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
deviceExternalId | <serialnumber> | Text/String/Number | ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log. |
PanOSCaptivePortal | N/A | N/A | Indicates if user information for the session was captured through Captive Portal. |
PanOSContentVersion | N/A | N/A | Version of the content on the firewall. |
PanOSCortexDataLakeTenantID | N/A | N/A | The ID that uniquely identifies the Cortex Data Lake instance which received this log record. |
PanOSDestinationDeviceClass | N/A | N/A | Destination device class. |
PanOSDestinationDeviceMac | <dmac> | Text/String | Destination device MAC address. |
PanOSDestinationDeviceModel | N/A | N/A | Destination device model. |
PanOSDestinationDeviceOS | N/A | N/A | Destination device OS type. |
PanOSDestinationDeviceVendor | N/A | N/A | Destination device vendor. |
PanOSDestinationLocation | N/A | N/A | Destination country or internal region for private addresses. |
PanOSDestinationUUID | N/A | N/A | Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment. |
PanOSDestinationUserDomain | <domainimpacted> | Text/String | Domain to which the Destination User belongs. |
PanOSDestinationUserName | <account> | Text/String | The Destination User. That is, the username to which the network traffic was destined. |
PanOSDestinationUserUUID | N/A | N/A | Unique identifier assigned to the Destination User. |
PanOSInboundInterfaceDetailsPort | N/A | N/A | Hardware port or socket from which the network traffic was sourced. |
PanOSInboundInterfaceDetailsSlot | N/A | N/A | Interface slot from which the network traffic was sourced. |
PanOSInboundInterfaceDetailsType | N/A | N/A | The type of interface from which the network traffic was sourced. |
PanOSInboundInterfaceDetailsUnit | N/A | N/A | Internal use. |
PanOSIsClienttoServer | N/A | N/A | Indicates if direction of traffic is from client to server. |
PanOSIsContainer | N/A | N/A | Indicates if the session is a container page access (Container Page). |
PanOSIsDecryptMirror | N/A | N/A | Indicates whether decrypted traffic was sent out in clear text through a mirror port. |
PanOSIsDecryptedLog | N/A | N/A | Unknown field. No information is available at this time. |
PanOSIsDecryptedPayloadForward | N/A | N/A | Unknown field. No information is available at this time. |
PanOSIsDuplicateLog | N/A | N/A | Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector. |
PanOSIsIPV6 | N/A | N/A | Indicates whether IPV6 was used for the session. |
PanOSIsInspectrionBeforeSession | N/A | N/A | Unknown field. No information is available at this time. |
PanOSIsMptcpOn | N/A | N/A | Indicates whether the option is enabled on the next-generation firewall that allows a client to use multiple paths to connect to a destination host. |
PanOSIsNonStandardDestinationPort | N/A | N/A | Indicates if the destination port is non-standard. |
PanOSIsPacketCapture | N/A | N/A | Indicates whether the session has a packet capture (PCAP). |
PanOSIsPhishing | N/A | N/A | Indicates whether enterprise credentials were submitted by an end user. |
PanOSIsPrismaNetwork | N/A | N/A | Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise. |
PanOSIsPrismaUsers | N/A | N/A | Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise. |
PanOSIsProxy | N/A | N/A | Indicates whether the SSL session is decrypted (SSL Proxy). |
PanOSIsReconExcluded | N/A | N/A | Indicates whether source for the flow is on the firewall allow list and not subject to recon protection. |
PanOSIsServertoClient | N/A | N/A | Indicates if direction of traffic is from server to client. |
PanOSIsSourceXForwarded | N/A | N/A | Indicates whether the X-Forwarded-For value from a proxy is in the source user field. |
PanOSIsSystemReturn | N/A | N/A | Indicates whether symmetric return was used to forward traffic for this session. |
PanOSIsTransaction | N/A | N/A | Indicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction). |
PanOSIsTunnelInspected | N/A | N/A | Indicates whether the payload for the outer tunnel was inspected. |
PanOSIsURLDenied | N/A | N/A | Indicates whether the session was denied due to a URL filtering rule. |
PanOSLogExported | N/A | N/A | Indicates if this log was exported from the firewall using the firewall's log export function. |
PanOSLogForwarded | N/A | N/A | Internal-use field that indicates if the log is being forwarded. |
PanOSLogSource | N/A | N/A | Identifies the origin of the data. That is, the system that produced the data. |
PanOSLogSourceTimeZoneOffset | N/A | N/A | Time Zone offset from GMT of the source of the log. |
PanOSNAT | N/A | N/A | Indicates if the firewall is performing network address translation (NAT) for the logged traffic. |
PanOSOutboundInterfaceDetailsPort | N/A | N/A | Hardware port or socket to which the network traffic was sent. |
PanOSOutboundInterfaceDetailsSlot | N/A | N/A | Interface slot to which the network traffic was sent. |
PanOSOutboundInterfaceDetailsType | N/A | N/A | The type of interface to which the network traffic was sent. |
PanOSOutboundInterfaceDetailsUnit | N/A | N/A | Internal use. |
PanOSSessionEndReason | <reason> | Text/String | The reason a session terminated. |
PanOSSessionOwnerMidx | N/A | N/A | Unknown field. No information is available at this time. |
PanOSSessionTracker | N/A | N/A | Unknown field. No information is available at this time. |
PanOSSeverity | N/A | N/A | Severity as defined by the platform. |
PanOSSourceDeviceClass | N/A | N/A | Source device class. |
PanOSSourceDeviceMac | <smac> | Text/String | Source device MAC address. |
PanOSSourceDeviceModel | N/A | N/A | Source device model. |
PanOSSourceDeviceOS | N/A | N/A | Source device OS type. |
PanOSSourceDeviceVendor | N/A | N/A | Source device vendor. |
PanOSSourceLocation | N/A | N/A | Source country or internal region for private addresses. |
PanOSSourceUUID | N/A | N/A | Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment. |
PanOSSourceUserDomain | <domainorigin> | Text/String | Domain to which the Source User belongs. |
PanOSSourceUserName | <login> | Text/String | The Source User. That is, the username that initiated the network traffic. |
PanOSSourceUserUUID | N/A | N/A | Unique identifier assigned to the Source User. |
PanOSTunnel | N/A | N/A | Type of tunnel. |
PanOSVirtualSystemID | N/A | N/A | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
PanOSConfigVersion | N/A | N/A | Version number of the firewall operating system that wrote this log record. |
start | N/A | N/A | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
src | <sip> | IP Address | Original source IP address. |
dst | <dip> | IP Address | Original destination IP address. |
PanOSNATSource | <snatip> | IP Address | If source NAT was performed, the post-NAT source IP address. |
PanOSNATDestination | <dnatip> | IP Address | If destination NAT performed, the post-NAT destination IP address. |
cs1 | <policy> | Text/String | Name of the security policy rule that the network traffic matched. |
cs1Label | N/A | N/A |
|
PanOSSourceUser | N/A | N/A | The username that initiated the network traffic. |
PanOSDestinationUser | N/A | N/A | The username to which the network traffic was destined. |
PanOSApplication | N/A | N/A | Application associated with the network traffic. |
cs3 | N/A | N/A | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. |
cs3Label | N/A | N/A |
|
cs4 | N/A | N/A | The networking zone from which the traffic originated. |
cs4Label | N/A | N/A |
|
cs5 | N/A | N/A | Networking zone to which the traffic was sent. |
cs5Label | N/A | N/A |
|
PanOSInboundInterface | <sinterface> | Text/String | Interface from which the network traffic was sourced. |
deviceOutboundInterface | <dinterface> | Text/String | Interface to which the network traffic was destined. |
cs6 | N/A | N/A | Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator. |
cs6Label | N/A | N/A |
|
PanOSSessionID | <session> | Number | Identifies the firewall's internal identifier for a specific network session. |
cnt | <quantity> | Number | Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval. |
spt | <sport> | Number | Source port utilized by the session. |
dpt | <dport> | Number | Network traffic's destination port. If this value is 0, then the app is using its standard port. |
PanOSNATSourcePort | <snatport> | Number | Post-NAT source port. |
PanOSNATDestinationPort | <dnatport> | Number | Post-NAT destination port. |
proto | <protname> | Text/String | IP protocol associated with the session. |
act | <action> <tag1> | Text/String | Identifies the action that the firewall took for the network traffic. |
PanOSDGHierarchyLevel1 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
PanOSDGHierarchyLevel2 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
PanOSDGHierarchyLevel3 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
PanOSDGHierarchyLevel4 | N/A | N/A | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. |
PanOSVirtualSystemName | N/A | N/A | The name of the virtual system associated with the network traffic. |
dvchost | N/A | N/A | Name of the source of the log. That is, the hostname of the firewall that logged the network traffic. |
externalId | N/A | N/A | The log entry identifier, which is incremented sequentially. Each log type has a unique number space. |
PanOSEndpointAssociationID | N/A | N/A | The ID assigned to the endpoint association used for the SCTP network traffic. |
PanOSPayloadProtocolID | N/A | N/A | The Payload Protocol Identifier (PPID) associated with the SCTP data chunk. |
PanOSSctpChunkType | N/A | N/A | Type of information contained in the SCTP data chunk. |
PanOSSCTPEventType | <subject> | Text/String | The SCTP event notification type set for this message. |
PanOSEventCode | N/A | N/A | The SCTP event notification code set for this message. |
PanOSVerificationTag1 | N/A | N/A | The verification tag set for the SCTP packet. |
PanOSVerificationTag2 | N/A | N/A | The verification tag set for the SCTP packet. |
PanOSSctpCauseCode | N/A | N/A | The error cause code found in the SCTP message. |
PanOSDiamAppID | N/A | N/A | The IANA ID assigned to the Diameter application associated with this network traffic. |
PanOSDiameterCommandCode | N/A | N/A | The Diameter command code used by this network traffic. |
PanOSDiamAvpCode | N/A | N/A | The AVP code used by the Diameter application associated with this network traffic. |
PanOSStreamID | N/A | N/A | Identifies the firewall's internal identifier for the SCTP stream. |
PanOSAssocationEndReason | N/A | N/A | The reason the session terminated. If the termination had multiple reasons, only the highest priority reason is identified here. |
PanOSMapAppCode | N/A | N/A | Mobile Application Part (MAP) operation code used for this network traffic. |
PanOSSccpCallingSSN | N/A | N/A | The subsystem number (SSN) specified in the called party address used for this SCCP protocol message. |
PanOSSccpCallingGt | N/A | N/A | The Global Title (GT) specified in the called party address used for this SCCP protocol message. |
PanOSSctpFilter | N/A | N/A | The SCTP filter that the firewall applied to this network traffic. |
PanOSChunksTotal | N/A | N/A | The total number of SCTP data chunks in the network traffic. |
PanOSChunksSent | N/A | N/A | The total number of SCTP data chunks in the client-to-server network traffic. |
PanOSChunksReceived | N/A | N/A | The total number of SCTP data chunks in the server-to-client network traffic. |
PanOSPacketsTotal | N/A | N/A | Number of total packets (transmit and receive) seen for the session. |
PanOSPacketsSent | <packetsin> | Number | Number of client-to-server packets for the session. |
PanOSPacketsReceived | <packetsout> | Number | Number of server-to-client packets for the session. |
PanOSRuleUUID | N/A | N/A | Unique identifier for the security policy rule that the network traffic matched. |
PanOSContainerID | N/A | N/A | Unknown field. No information is available at this time. |
PanOSContainerNameSpace | N/A | N/A | Container namespace. |
PanOSContainerName | N/A | N/A | Container name. |
PanOSSourceEDL | N/A | N/A | The name of the external dynamic list that contains the source IP address of the traffic. |
PanOSDestinationEDL | N/A | N/A | The name of the external dynamic list that contains the destination IP address of the traffic. |
PanOSSourceDynamicAddressGroup | N/A | N/A | The dynamic address group that Device-ID identifies as the source of the traffic. |
PanOSDestinationDynamicAddressGroup | N/A | N/A | The dynamic address group that Device-ID identifies as the destination for the traffic. |
PanOSTimeGeneratedHighResolution | N/A | N/A | Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. |
PanOSVendorSeverity | N/A | N/A | Severity associated with the event. |