V 2.0 User ID Messages

Vendor Documentation

Classification

Rule Name                     | Rule Type | Common Event                 | Classification
V 2.0 User ID Messages        | Base Rule | General Authentication Event | Other Audit
V 2.0 User Logon              | Sub Rule  | User Logon                   | Authentication Success
V 2.0 User Logoff             | Sub Rule  | User Logoff                  | Authentication Success
V 2.0 User Registration Event | Sub Rule  | Registration                 | Information

Mapping with LogRhythm Schema  

Device Key in Log Message     | LogRhythm Schema        | Data Type   | Schema Description
Type (type)                   | <vmid>                  | Text/String | Specifies the type of log; the value is USERID.
Threat/Content Type (subtype) | <action>, <tag1>        | Text/String | Subtype of the User-ID log; values are login (user logged in), logout (user logged out), register-tag (one or more tags were registered for the user) and unregister-tag (one or more tags were unregistered for the user).
Source IP (ip)                | <sip>                   | IP Address  | Original session source IP address.
User (user)                   | <domainorigin>, <login> | Text/String | Identifies the end user.
Repeat Count (repeatcnt)      | <quantity>              | Number      | Number of sessions with the same Source IP, Destination IP, Application and Subtype seen within 5 seconds.
Data Source (datasource)      | <subject>               | Text/String | Source from which the mapping information is collected.
Device Name (device_name)     | <objectname>            | Text/String | The hostname of the firewall on which the session was logged.
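The two tables above describe a mapping but do not show it applied to a record. The following Python is an added example, not LogRhythm's or Palo Alto Networks' code: it parses a PAN-OS USERID syslog record, places each vendor field under the LogRhythm schema tag from the mapping table, and picks the Base Rule or Sub Rule from the classification table by subtype. The CSV column order (COLUMNS), the DOMAIN\login form of the user field, and the choice to send both register-tag and unregister-tag to the Registration sub rule are assumptions and are labelled as such in the code; verify the column order against the vendor documentation for your PAN-OS version. The sample records are constructed, not real firewall output.

```python
"""Added example (not LogRhythm's or Palo Alto's code): parse a PAN-OS USERID syslog
record and map it onto the LogRhythm schema tags and rules listed on this page."""
import csv
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ASSUMPTION: column order of the PAN-OS User-ID CSV syslog record. Check it against
# the vendor documentation for your PAN-OS version before relying on these indexes.
COLUMNS = [
    "future_use", "receive_time", "serial", "type", "subtype", "future_use_2",
    "generated_time", "vsys", "ip", "user", "datasourcename", "eventid",
    "repeatcnt", "timeout", "sport", "dport", "datasource", "datasourcetype",
    "seqno", "actionflags", "dg_l1", "dg_l2", "dg_l3", "dg_l4", "vsys_name",
    "device_name",
]

# Sub Rule, Common Event and Classification per subtype, from the rule table above.
# ASSUMPTION: register-tag and unregister-tag both select the Registration sub rule.
SUB_RULES = {
    "login": ("V 2.0 User Logon", "User Logon", "Authentication Success"),
    "logout": ("V 2.0 User Logoff", "User Logoff", "Authentication Success"),
    "register-tag": ("V 2.0 User Registration Event", "Registration", "Information"),
    "unregister-tag": ("V 2.0 User Registration Event", "Registration", "Information"),
}
# Anything else falls through to the Base Rule.
BASE_RULE = ("V 2.0 User ID Messages", "General Authentication Event", "Other Audit")


@dataclass
class UserIdEvent:
    """Fields named by their LogRhythm schema tag, plus the rule that matched."""
    vmid: str
    action: str
    tag1: str
    sip: str
    domainorigin: Optional[str]
    login: str
    quantity: int
    subject: str
    objectname: str
    rule: str
    common_event: str
    classification: str


def parse_userid_line(line: str) -> Optional[UserIdEvent]:
    """Return the mapped event, None for a non-USERID record, or raise ValueError."""
    row = next(csv.reader([line]))          # csv handles quoted fields containing commas
    if len(row) < len(COLUMNS):
        raise ValueError(f"expected at least {len(COLUMNS)} fields, got {len(row)}")
    rec = dict(zip(COLUMNS, row))
    if rec["type"] != "USERID":
        return None                          # TRAFFIC, THREAT, ... belong to other rules
    # <sip> must be a real address or it is useless for correlation; reject junk early.
    sip = str(ipaddress.ip_address(rec["ip"].strip()))
    # ASSUMPTION: the user field arrives as DOMAIN\login; a bare login has no domain.
    domain, _, login = rec["user"].rpartition("\\")
    if not login:
        raise ValueError("empty user field")
    quantity = int(rec["repeatcnt"])         # Repeat Count is a Number in the schema
    subtype = rec["subtype"].strip().lower()
    rule, common_event, classification = SUB_RULES.get(subtype, BASE_RULE)
    return UserIdEvent(
        vmid=rec["type"], action=subtype, tag1=subtype, sip=sip,
        domainorigin=domain or None, login=login, quantity=quantity,
        subject=rec["datasource"], objectname=rec["device_name"],
        rule=rule, common_event=common_event, classification=classification,
    )


def map_lines(lines: List[str]) -> List[UserIdEvent]:
    """Map a batch of records, dropping those that are not USERID logs."""
    events = []
    for line in lines:
        ev = parse_userid_line(line)
        if ev is not None:
            events.append(ev)
    return events


# Constructed sample records (not real firewall output) in the assumed column order.
SAMPLE_LOGIN = ("1,2024/03/11 09:15:22,001901000123,USERID,login,1,2024/03/11 09:15:22,"
                "vsys1,10.1.2.3,acme\\jdoe,agent01,1,1,2700,0,0,agent01,user-id-agent,"
                "1234567,0x0,0,0,0,0,vsys1,fw-edge-01")
SAMPLE_TAG = ("1,2024/03/11 09:16:03,001901000123,USERID,register-tag,1,2024/03/11 09:16:03,"
              "vsys1,10.1.2.3,acme\\jdoe,panorama,1,3,0,0,0,panorama,xml-api,"
              "1234568,0x0,0,0,0,0,vsys1,fw-edge-01")
SAMPLE_TRAFFIC = ("1,2024/03/11 09:16:10,001901000123,TRAFFIC,end,1,2024/03/11 09:16:10,"
                  "vsys1,10.1.2.3,acme\\jdoe,,,1,0,0,0,,,1234569,0x0,0,0,0,0,vsys1,fw-edge-01")

if __name__ == "__main__":
    for ev in map_lines([SAMPLE_LOGIN, SAMPLE_TAG, SAMPLE_TRAFFIC]):
        print(ev.rule, ev.domainorigin, ev.login, ev.sip, ev.quantity, ev.objectname)
```

Two checks worth keeping when adapting this: the source IP is validated with ipaddress so a malformed value raises instead of silently landing in <sip>, and an unrecognised subtype is not dropped but classified under the Base Rule, which is what the "General Authentication Event / Other Audit" row exists for.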