# Palo Alto Next-Generation Firewall Logs

## Overview

Panther supports ingesting Palo Alto Networks Next-Generation Firewall (NGFW) logs from appliances running PAN-OS.

{% hint style="info" %}
*Panther supports common PAN-OS releases in active deployment, specifically version 10.2+ up to 12.1. Newer PAN-OS versions may introduce extra fields; Panther automatically omits undocumented fields until a future integration release updates the core schema.*
{% endhint %}

PAN-OS devices export logs in CSV format via Syslog to [Panther Log Forwarder](https://docs.panther.com/data-onboarding/panther-log-forwarder) or to a collector of your choice, which then forwards them to Panther using a supported [Data Transport](/data-onboarding/data-transports.md).

## How to onboard Palo Alto Next Generation Firewall logs to Panther

### Step 1: Create a new Palo Alto Next Generation Firewall log source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for “Palo Alto” then click its tile.
4. In the **Transport Mechanism** drop-down, select the Data Transport method you wish to use for this integration.
5. Click **Start Setup**.
6. Follow Panther's instructions for configuring the selected [Data Transport](/data-onboarding/data-transports.md) method.

### Step 2: Configure your collector

You can use [Panther Log Forwarder](https://docs.panther.com/data-onboarding/panther-log-forwarder) or a [log forwarder of your choice](https://docs.panther.com/data-onboarding/data-pipeline-tools).

### Step 3: Configure Palo Alto Syslog Monitoring

Configure your Palo Alto environment to export logs in **CSV format** via Syslog to a log collector or forwarding service. The logs can then be delivered to Panther through a supported Data Transport.

For configuration instructions, refer to the [PAN-OS Syslog Monitoring Guide](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/configure-syslog-monitoring#configure-syslog-monitoring-pan-os).

## Supported log types

### PaloAltoNGFW\.Audit

Audit logs record administrative actions performed on the firewall or Panorama, including CLI commands, web interface navigation, and REST API calls.

Reference: [Palo Alto documentation on Audit log fields and Versioning](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/audit-log-fields)

```yaml
schema: PaloAltoNGFW.Audit
description: Audit logs record administrative actions performed on the firewall or Panorama, including CLI commands, web interface navigation, and REST API calls.
referenceURL: https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/audit-log-fields
fields:
  - name: serial
    description: Serial number of the firewall or Panorama that generated the log.
    type: string
    indicators:
      - serial_number
  - name: time_generated
    description: Time the log was generated on the dataplane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
    isEventTime: true
  - name: subtype
    description: 'Threat/Content Type (subtype): specifies the type of log; value is AUDIT. Audit logs are a subtype of System logs.'
    type: string
  - name: eventid
    description: 'Event ID: source of the command that generated the audit log. Values include cli (firewall or Panorama command line), gui (web interface), gui-op (operational command from the web interface), gnmi (OpenConfig plugin), rest (PAN-OS REST API).'
    type: string
  - name: object
    description: Name of the administrator which executed the command that generated the log.
    type: string
    indicators:
      - username
  - name: cli_command
    description: Command executed that generated the log.
    type: string
  - name: severity
    description: Completion status for the command that generated the log; value can be none, success, or failure.
    type: string
```

### PaloAltoNGFW\.Authentication

Authentication logs record user authentication attempts and outcomes including policy, factors, server profile, and Device-ID context.

Reference: [Palo Alto documentation on Authentication log fields and Versioning](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/authentication-log-fields)

```yaml
schema: PaloAltoNGFW.Authentication
description: Authentication logs record user authentication attempts and outcomes including policy, factors, server profile, and Device-ID context.
referenceURL: https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/authentication-log-fields
fields:
  - name: receive_time
    description: Time the log was received at the management plane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: serial
    description: Serial number of the device that generated the log.
    type: string
    indicators:
      - serial_number
  - name: type
    description: Specifies the type of log; value is AUTHENTICATION.
    type: string
  - name: subtype
    description: Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn.
    type: string
  - name: time_generated
    description: Time the log was generated on the dataplane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
    isEventTime: true
  - name: vsys
    description: Virtual System associated with the session.
    type: string
  - name: ip
    description: Original session source IP address.
    type: string
    indicators:
      - ip
  - name: user
    description: End user being authenticated.
    type: string
    indicators:
      - username
  - name: normalize_user
    description: Normalized version of username being authenticated (such as appending a domain name to the username).
    type: string
    indicators:
      - username
  - name: object
    description: Name of the object associated with the system event.
    type: string
  - name: authpolicy
    description: Policy invoked for authentication before allowing access to a protected resource.
    type: string
  - name: repeatcnt
    description: Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds.
    type: bigint
  - name: authid
    description: Unique ID given across primary authentication and additional (multi factor) authentication.
    type: string
  - name: vendor
    description: Vendor providing additional factor authentication.
    type: string
  - name: logset
    description: Log Forwarding Profile that was applied to the session.
    type: string
  - name: serverprofile
    description: Authentication server used for authentication.
    type: string
    indicators:
      - hostname
  - name: desc
    description: Additional authentication information.
    type: string
  - name: clienttype
    description: Type of client used to complete authentication (such as authentication portal).
    type: string
  - name: event
    description: Result of the authentication attempt.
    type: string
  - name: factorno
    description: Indicates the use of primary authentication (1) or additional factors (2, 3).
    type: bigint
  - name: seqno
    description: A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space.
    type: string
  - name: actionflags
    description: A bit field indicating if the log was forwarded to Panorama.
    type: string
  - name: dg_hier_level_1
    description: Device group hierarchy level 1 identifier.
    type: string
  - name: dg_hier_level_2
    description: Device group hierarchy level 2 identifier.
    type: string
  - name: dg_hier_level_3
    description: Device group hierarchy level 3 identifier.
    type: string
  - name: dg_hier_level_4
    description: Device group hierarchy level 4 identifier.
    type: string
  - name: vsys_name
    description: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
    type: string
  - name: device_name
    description: The hostname of the firewall on which the session was logged.
    type: string
    indicators:
      - hostname
  - name: vsys_id
    description: A unique identifier for a virtual system on a Palo Alto Networks firewall.
    type: string
  - name: authproto
    description: Indicates the authentication protocol used by the server. For example, PEAP with GTC.
    type: string
  - name: rule_uuid
    description: The UUID that permanently identifies the rule.
    type: string
  - name: high_res_timestamp
    description: Time in milliseconds the log was received at the management plane (PAN-OS 11.1+ for managed firewalls; older releases may show a placeholder timestamp).
    type: timestamp
    timeFormats:
      - rfc3339
  - name: src_category
    description: The category for the device that Device-ID identifies as the source of the traffic.
    type: string
  - name: src_profile
    description: The device profile for the device that Device-ID identifies as the source of the traffic.
    type: string
  - name: src_model
    description: The model of the device that Device-ID identifies as the source of the traffic.
    type: string
  - name: src_vendor
    description: The vendor of the device that Device-ID identifies as the source of the traffic.
    type: string
  - name: src_osfamily
    description: The operating system type for the device that Device-ID identifies as the source of the traffic.
    type: string
  - name: src_osversion
    description: The version of the operating system for the device that Device-ID identifies as the source of the traffic.
    type: string
  - name: src_host
    description: The hostname of the device that Device-ID identifies as the source of the traffic.
    type: string
    indicators:
      - hostname
  - name: src_mac
    description: The MAC address for the device that Device-ID identifies as the source of the traffic.
    type: string
    indicators:
      - mac
  - name: region
    description: The geographical region where the traffic originates.
    type: string
  - name: user_agent
    description: The string from the HTTP request header User-Agent.
    type: string
  - name: sessionid
    description: A string that uniquely identifies the traffic session.
    type: string
  - name: cluster_name
    description: Name of the CN-Series firewall cluster (PAN-OS 11.1+).
    type: string
```

### PaloAltoNGFW\.Config

Configuration logs record changes to the firewall or Panorama configuration (commits, edits, policy updates).

Reference: [Palo Alto documentation on Config log fields and Versioning](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/config-log-fields)

```yaml
schema: PaloAltoNGFW.Config
description: Configuration logs record changes to the firewall or Panorama configuration (commits, edits, policy updates).
referenceURL: https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/config-log-fields
fields:
  - name: receive_time
    description: Time the log was received at the management plane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: serial
    description: Serial number of the device that generated the log.
    type: string
    indicators:
      - serial_number
  - name: type
    description: Specifies the type of log; value is CONFIG.
    type: string
  - name: subtype
    description: Subtype of the configuration log (often unused).
    type: string
  - name: time_generated
    description: Time the log was generated on the dataplane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
    isEventTime: true
  - name: host
    description: Hostname or IP address of the client machine.
    type: string
    indicators:
      - hostname
  - name: vsys
    description: Virtual System associated with the configuration log.
    type: string
  - name: cmd
    description: Command performed by the admin; values include add, clone, commit, delete, edit, move, rename, set.
    type: string
  - name: admin
    description: Username of the administrator performing the configuration.
    type: string
    indicators:
      - username
  - name: client
    description: Client used by the administrator; values include Web and CLI.
    type: string
  - name: result
    description: Result of the configuration action (Submitted, Succeeded, Failed, Unauthorized).
    type: string
  - name: path
    description: Path of the configuration command issued.
    type: string
  - name: seqno
    description: 64-bit log entry identifier for this log type.
    type: string
  - name: actionflags
    description: Bit field indicating if the log was forwarded to Panorama.
    type: string
  - name: dg_hier_level_1
    description: Device group hierarchy level 1 identifier.
    type: string
  - name: dg_hier_level_2
    description: Device group hierarchy level 2 identifier.
    type: string
  - name: dg_hier_level_3
    description: Device group hierarchy level 3 identifier.
    type: string
  - name: dg_hier_level_4
    description: Device group hierarchy level 4 identifier.
    type: string
  - name: vsys_name
    description: Name of the virtual system when multi-VSYS is enabled.
    type: string
  - name: device_name
    description: Hostname of the firewall on which the log was recorded.
    type: string
    indicators:
      - hostname
  - name: dg_id
    description: Device group when managed by Panorama.
    type: string
  - name: comment
    description: Audit comment on policy rule configuration changes.
    type: string
  - name: high_res_timestamp
    description: High-resolution receive time at the management plane (PAN-OS 10.0+).
    type: timestamp
    timeFormats:
      - rfc3339
```
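As an added example (not Panther's or Palo Alto's own code), a Panther-style detection over `PaloAltoNGFW.Config` events that uses the `cmd`, `admin`, `result`, `host` and `device_name` fields from the schema above. The rule, severity and title functions follow the Panther convention of module-level functions that receive one event; the sample events and the `EXPECTED_ADMINS` set are constructed for the example.

```python
"""Panther-style detection over PaloAltoNGFW.Config events.

Added example, not Panther's or Palo Alto's code. rule()/severity()/title()
receive one dict-like event; SAMPLE_EVENTS and EXPECTED_ADMINS are constructed.
"""
from datetime import datetime

# `result` values from the schema that mean a change did not go through cleanly
# or was attempted without permission.
FAILED_RESULTS = {"Failed", "Unauthorized"}
# `cmd` values from the schema with the largest blast radius once committed.
HIGH_IMPACT_CMDS = {"commit", "delete", "move", "rename"}
# Placeholder (assumed): the administrator accounts expected to change this firewall.
EXPECTED_ADMINS = {"netops-admin"}


def rule(event):
    """Fire on unauthorized/failed config actions, or high-impact commands by an unexpected admin."""
    if event.get("result", "") in FAILED_RESULTS:
        return True
    cmd = event.get("cmd", "")
    admin = event.get("admin", "")
    return cmd in HIGH_IMPACT_CMDS and admin not in EXPECTED_ADMINS


def severity(event):
    """Unauthorized attempts outrank successful but unexpected commits."""
    if event.get("result") == "Unauthorized":
        return "HIGH"
    if event.get("cmd") == "commit":
        return "MEDIUM"
    return "LOW"


def title(event):
    """Alert title built from the schema's admin, host, device_name and result fields."""
    return (
        f"PAN-OS config {event.get('cmd', '?')} by {event.get('admin', '?')} "
        f"from {event.get('host', '?')} on {event.get('device_name', '?')}: "
        f"{event.get('result', '?')}"
    )


def parse_event_time(event):
    """Parse time_generated with the timeFormats entry declared in the schema."""
    return datetime.strptime(event["time_generated"], "%Y/%m/%d %H:%M:%S")


# Constructed sample events shaped like PaloAltoNGFW.Config records.
SAMPLE_EVENTS = [
    {"time_generated": "2024/03/01 10:15:00", "host": "10.0.0.5", "cmd": "edit",
     "admin": "netops-admin", "client": "Web", "result": "Succeeded",
     "path": "vsys vsys1 rulebase security rules allow-web", "device_name": "fw-edge-1"},
    {"time_generated": "2024/03/01 10:16:30", "host": "10.0.0.77", "cmd": "set",
     "admin": "contractor1", "client": "CLI", "result": "Unauthorized",
     "path": "mgt-config users", "device_name": "fw-edge-1"},
    {"time_generated": "2024/03/01 10:20:00", "host": "10.0.0.77", "cmd": "commit",
     "admin": "contractor1", "client": "Web", "result": "Succeeded",
     "path": "", "device_name": "fw-edge-1"},
]


def run(events=SAMPLE_EVENTS):
    """Return (title, severity) for every event that triggers the rule."""
    return [(title(e), severity(e)) for e in events if rule(e)]


if __name__ == "__main__":
    for alert_title, alert_severity in run():
        print(alert_severity, alert_title)
```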

### PaloAltoNGFW\.Correlation

Correlation logs record correlated events generated by the firewall when a host matches conditions defined in a correlation object, summarizing potential threats to the network, user, or host.

Reference: [Palo Alto documentation on Correlation log fields and Versioning](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/correlated-events-log-fields)

```yaml
schema: PaloAltoNGFW.Correlation
description: Correlation logs record correlated events generated by the firewall when a host matches conditions defined in a correlation object, summarizing potential threats to the network, user, or host.
referenceURL: https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/correlated-events-log-fields
fields:
  - name: receive_time
    description: Time the log was received at the management plane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: serial
    description: Serial number of the device that generated the log.
    type: string
    indicators:
      - serial_number
  - name: type
    description: Specifies the type of log; value is CORRELATION.
    type: string
  - name: subtype
    description: Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn.
    type: string
  - name: time_generated
    description: Time the log was generated on the dataplane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
    isEventTime: true
  - name: src
    description: IP address of the user who initiated the event.
    type: string
    indicators:
      - ip
  - name: srcuser
    description: Username of the user who initiated the event.
    type: string
    indicators:
      - username
  - name: vsys
    description: Virtual System associated with the configuration log.
    type: string
  - name: category
    description: A summary of the kind of threat or harm posed to the network, user, or host.
    type: string
  - name: severity
    description: Severity associated with the event; values are informational, low, medium, high, critical.
    type: string
  - name: dg_hier_level_1
    description: Device group hierarchy level 1 identifier.
    type: string
  - name: dg_hier_level_2
    description: Device group hierarchy level 2 identifier.
    type: string
  - name: dg_hier_level_3
    description: Device group hierarchy level 3 identifier.
    type: string
  - name: dg_hier_level_4
    description: Device group hierarchy level 4 identifier.
    type: string
  - name: vsys_name
    description: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
    type: string
  - name: device_name
    description: The hostname of the firewall on which the session was logged.
    type: string
    indicators:
      - hostname
  - name: vsys_id
    description: A unique identifier for a virtual system on a Palo Alto Networks firewall.
    type: string
  - name: objectname
    description: Name of the correlation object that was matched on.
    type: string
  - name: object_id
    description: Name of the object associated with the system event.
    type: string
  - name: evidence
    description: A summary statement that indicates how many times the host has matched against the conditions defined in the correlation object. For example, Host visited known malware URL (19 times).
    type: string
```

### PaloAltoNGFW\.Decryption

Decryption logs record SSL/TLS decryption inspection outcomes including handshake stages, certificate metadata, proxy type, policy, and session context.

Reference: [Palo Alto documentation on Decryption log fields and Versioning](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/decryption-log-fields)

```yaml
schema: PaloAltoNGFW.Decryption
description: Decryption logs record SSL/TLS decryption inspection outcomes including handshake stages, certificate metadata, proxy type, policy, and session context.
referenceURL: https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/decryption-log-fields
fields:
  - name: receive_time
    description: Time the log was received at the management plane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: serial
    description: Serial number of the firewall that generated the log.
    type: string
    indicators:
      - serial_number
  - name: type
    description: Specifies the type of log; value is DECRYPTION.
    type: string
  - name: subtype
    description: 'Threat/Content Type (subtype): not used in the Decryption log.'
    type: string
  - name: config_ver
    description: The software version.
    type: string
  - name: time_generated
    description: Time the log was generated on the dataplane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
    isEventTime: true
  - name: src
    description: Original session source IP address.
    type: string
    indicators:
      - ip
  - name: dst
    description: Original session destination IP address.
    type: string
    indicators:
      - ip
  - name: natsrc
    description: If Source NAT performed, the post-NAT Source IP address.
    type: string
    indicators:
      - ip
  - name: natdst
    description: If Destination NAT performed, the post-NAT Destination IP address.
    type: string
    indicators:
      - ip
  - name: rule
    description: Security policy rule that controls the session traffic.
    type: string
  - name: srcuser
    description: Username of the user who initiated the session.
    type: string
    indicators:
      - username
  - name: dstuser
    description: Username of the user to which the session was destined.
    type: string
    indicators:
      - username
  - name: app
    description: Application associated with the session.
    type: string
  - name: vsys
    description: Virtual System associated with the session.
    type: string
  - name: from
    description: Zone the session was sourced from.
    type: string
  - name: to
    description: Zone the session was destined to.
    type: string
  - name: inbound_if
    description: Interface that the session was sourced from.
    type: string
  - name: outbound_if
    description: Interface that the session was destined to.
    type: string
  - name: logset
    description: Log Forwarding profile applied to the session.
    type: string
  - name: time_received
    description: The time the log was received.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: sessionid
    description: An internal numerical identifier applied to each session.
    type: string
  - name: repeatcnt
    description: Number of sessions with the same Source IP, Destination IP, Application, and Content/Threat Type seen within 5 seconds.
    type: bigint
  - name: sport
    description: Source port utilized by the session.
    type: bigint
  - name: dport
    description: Destination port utilized by the session.
    type: bigint
  - name: natsport
    description: Post-NAT source port.
    type: bigint
  - name: natdport
    description: Post-NAT destination port.
    type: bigint
  - name: flags
    description: 32-bit field that provides details on session; this field can be decoded by AND-ing the values with the logged value.
    type: string
  - name: proto
    description: IP protocol associated with the session.
    type: string
  - name: action
    description: Action taken for the session; possible values are allow, deny, drop, drop ICMP, reset both, reset client, and reset server.
    type: string
  - name: tunnel
    description: Type of tunnel.
    type: string
  - name: src_uuid
    description: The source universal unique identifier for a guest virtual machine in the VMware NSX environment.
    type: string
  - name: dst_uuid
    description: The destination universal unique identifier for a guest virtual machine in the VMware NSX environment.
    type: string
  - name: rule_uuid
    description: The UUID that permanently identifies the rule.
    type: string
  - name: hs_stage_c2f
    description: The stage of the TLS handshake from the client to the firewall, for example, Client Hello, Server Hello, Certificate, Client/Server key exchange, etc.
    type: string
  - name: hs_stage_f2s
    description: The stage of the TLS handshake from the firewall to the server.
    type: string
  - name: tls_version
    description: The version of TLS protocol used for the session.
    type: string
  - name: tls_keyxchg
    description: The key exchange algorithm used for the session.
    type: string
  - name: tls_enc
    description: The algorithm used to encrypt the session data, such as AES-128-CBC, AES-256-GCM, etc.
    type: string
  - name: tls_auth
    description: The authentication algorithm used for the session, for example, SHA, SHA256, SHA384, etc.
    type: string
  - name: policy_name
    description: The name of the Decryption policy associated with the session.
    type: string
  - name: ec_curve
    description: The elliptic cryptography curve that the client and server negotiate and use for connections that use ECDHE cipher suites.
    type: string
  - name: err_index
    description: 'The type of error that occurred: Cipher, Resource, Resume, Version, Protocol, Certificate, Feature, or HSM.'
    type: string
  - name: root_status
    description: The status of the root certificate, for example, trusted, untrusted, or uninspected.
    type: string
  - name: chain_status
    description: Whether the chain is trusted. Values are Uninspected, Untrusted, Trusted, or Incomplete.
    type: string
  - name: proxy_type
    description: The Decryption proxy type, such as Forward for Forward Proxy, Inbound for Inbound Inspection, No Decrypt for undecrypted traffic, GlobalProtect, etc.
    type: string
  - name: cert_serial
    description: The unique identifier of the certificate (generated by the certificate issuer).
    type: string
  - name: fingerprint
    description: A hash of the certificate in x509 binary format.
    type: string
  - name: notbefore
    description: The time the certificate became valid (certificate is invalid before this time).
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: notafter
    description: The time the certificate expires (certificate becomes invalid after this time).
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: cert_ver
    description: The certificate version (V1, V2, or V3).
    type: string
  - name: cert_size
    description: The certificate key size.
    type: string
  - name: cn_len
    description: The length of the subject common name.
    type: bigint
  - name: issuer_len
    description: The length of the issuer common name.
    type: bigint
  - name: rootcn_len
    description: The length of the root common name.
    type: bigint
  - name: sni_len
    description: The length of the Server Name Indication (hostname).
    type: bigint
  - name: cert_flags
    description: 'The certificate flags can return seven values: Session is resumed (b_resume_session); Certificate (subject) common name is truncated (b_cert_cn_truncated); Issuer common name is truncated (b_issuer_cn_truncated); Root common name is truncated (b_root_cn_truncated); Server Name Indication (SNI) is truncated (b_sni_truncated); Certificate type, RSA or ECDSA (b_cert_type); Unused (padding3).'
    type: string
  - name: cn
    description: The domain name (the name of the server that the certificate protects).
    type: string
    indicators:
      - hostname
  - name: issuer_cn
    description: The name of the organization that verified the certificate's contents.
    type: string
  - name: root_cn
    description: The name of the root certificate authority.
    type: string
  - name: sni
    description: The hostname of the server that the client is trying to contact. Using SNIs enables a server to host multiple websites and present multiple certificates on the same IP address and TCP port because each website has a unique SNI.
    type: string
    indicators:
      - hostname
  - name: error
    description: A string showing the error that has occurred in the event.
    type: string
  - name: container_id
    description: A unique alphanumeric string that identifies the container if the firewall runs in a cloud container.
    type: string
  - name: pod_namespace
    description: The name of the Kubernetes pod namespace.
    type: string
  - name: pod_name
    description: The name of the Kubernetes pod.
    type: string
  - name: src_edl
    description: The name of the external dynamic list that contains the source IP address of the traffic.
    type: string
  - name: dst_edl
    description: The name of the external dynamic list that contains the destination IP address of the traffic.
    type: string
  - name: src_dag
    description: The dynamic address group that Device-ID identifies as the source of the traffic.
    type: string
  - name: dst_dag
    description: The dynamic address group that Device-ID identifies as the destination for the traffic.
    type: string
  - name: high_res_timestamp
    description: Time in milliseconds the log was received at the management plane (PAN-OS 10.0+; RFC3339 with fractional seconds).
    type: timestamp
    timeFormats:
      - rfc3339
  - name: src_category
    description: The category for the device that Device-ID identifies as the source of the traffic.
    type: string
  - name: src_profile
    description: The device profile for the device that Device-ID identifies as the source of the traffic.
    type: string
  - name: src_model
    description: The model of the device that Device-ID identifies as the source of the traffic.
    type: string
  - name: src_vendor
    description: The vendor of the device that Device-ID identifies as the source of the traffic.
    type: string
  - name: src_osfamily
    description: The operating system type for the device that Device-ID identifies as the source of the traffic.
    type: string
  - name: src_osversion
    description: The version of the operating system for the device that Device-ID identifies as the source of the traffic.
    type: string
  - name: src_host
    description: The hostname of the device that Device-ID identifies as the source of the traffic.
    type: string
    indicators:
      - hostname
  - name: src_mac
    description: The MAC address for the device that Device-ID identifies as the source of the traffic.
    type: string
    indicators:
      - mac
  - name: dst_category
    description: The category for the device that Device-ID identifies as the destination for the traffic.
    type: string
  - name: dst_profile
    description: The device profile for the device that Device-ID identifies as the destination for the traffic.
    type: string
  - name: dst_model
    description: The model of the device that Device-ID identifies as the destination for the traffic.
    type: string
  - name: dst_vendor
    description: The vendor of the device that Device-ID identifies as the destination for the traffic.
    type: string
  - name: dst_osfamily
    description: The operating system type for the device that Device-ID identifies as the destination for the traffic.
    type: string
  - name: dst_osversion
    description: The version of the operating system for the device that Device-ID identifies as the destination for the traffic.
    type: string
  - name: dst_host
    description: The hostname of the device that Device-ID identifies as the destination for the traffic.
    type: string
    indicators:
      - hostname
  - name: dst_mac
    description: The MAC address for the device that Device-ID identifies as the destination for the traffic.
    type: string
    indicators:
      - mac
  - name: seqno
    description: A 64-bit log entry identifier incremented sequentially; each log type has unique number space.
    type: string
  - name: actionflags
    description: A bit field indicating if the log was forwarded to Panorama.
    type: string
  - name: dg_hier_level_1
    description: Device group hierarchy level 1 identifier.
    type: string
  - name: dg_hier_level_2
    description: Device group hierarchy level 2 identifier.
    type: string
  - name: dg_hier_level_3
    description: Device group hierarchy level 3 identifier.
    type: string
  - name: dg_hier_level_4
    description: Device group hierarchy level 4 identifier.
    type: string
  - name: vsys_name
    description: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
    type: string
  - name: device_name
    description: The hostname of the firewall on which the session was logged.
    type: string
    indicators:
      - hostname
  - name: vsys_id
    description: A unique identifier for a virtual system on a Palo Alto Networks firewall.
    type: string
  - name: subcategory_of_app
    description: The application subcategory specified in the application configuration properties.
    type: string
  - name: category_of_app
    description: The application category specified in the application configuration properties.
    type: string
  - name: technology_of_app
    description: The application technology specified in the application configuration properties.
    type: string
  - name: risk_of_app
    description: Risk level associated with the application (1=lowest to 5=highest).
    type: string
  - name: characteristic_of_app
    description: Comma-separated list of the characteristics that apply to the application.
    type: string
  - name: container_of_app
    description: The parent application for an application.
    type: string
  - name: is_saas_of_app
    description: Displays 1 if a SaaS application or 0 if not a SaaS application.
    type: string
  - name: sanctioned_state_of_app
    description: Displays 1 if application is sanctioned or 0 if application is not sanctioned.
    type: string
  - name: cluster_name
    description: (PAN-OS 11.1 and later releases) Name of the CN-Series firewall cluster.
    type: string

```

### PaloAltoNGFW\.GlobalProtect

GlobalProtect logs record VPN portal and gateway lifecycle events including authentication, tunnel stages, endpoint context, and gateway selection.

Reference: [Palo Alto documentation on GlobalProtect log fields and Versioning](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields)

```yaml
schema: PaloAltoNGFW.GlobalProtect
description: GlobalProtect logs record VPN portal and gateway lifecycle events including authentication, tunnel stages, endpoint context, and gateway selection.
referenceURL: https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/globalprotect-log-fields
fields:
  - name: receive_time
    description: Time the log was received at the management plane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: serial
    description: Serial number of the firewall that generated the log.
    type: string
    indicators:
      - serial_number
  - name: type
    description: Specifies the type of log; value is GLOBALPROTECT.
    type: string
  - name: subtype
    description: Subtype of threat log; GlobalProtect may reuse threat subtype values where applicable.
    type: string
  - name: time_generated
    description: Time the log was generated on the dataplane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
    isEventTime: true
  - name: vsys
    description: Virtual System associated with the session.
    type: string
  - name: eventid
    description: String showing the name of the event.
    type: string
  - name: stage
    description: Stage of the connection (for example, before-login, login, or tunnel).
    type: string
  - name: auth_method
    description: Authentication type, such as LDAP, RADIUS, or SAML.
    type: string
  - name: tunnel_type
    description: Tunnel type (either SSLVPN or IPSec).
    type: string
  - name: srcuser
    description: Username of the user who initiated the session.
    type: string
    indicators:
      - username
  - name: srcregion
    description: Region for the user who initiated the session.
    type: string
  - name: machinename
    description: Name of the user's machine.
    type: string
    indicators:
      - hostname
  - name: public_ip
    description: Public IP address for the user who initiated the session.
    type: string
    indicators:
      - ip
  - name: public_ipv6
    description: Public IPv6 address for the user who initiated the session.
    type: string
    indicators:
      - ip
  - name: private_ip
    description: Private IP address for the user who initiated the session.
    type: string
    indicators:
      - ip
  - name: private_ipv6
    description: Private IPv6 address for the user who initiated the session.
    type: string
    indicators:
      - ip
  - name: hostid
    description: Unique ID that GlobalProtect assigns to identify the host.
    type: string
  - name: serialnumber
    description: Serial number of the user's machine or device.
    type: string
    indicators:
      - serial_number
  - name: client_ver
    description: Client's GlobalProtect app version.
    type: string
  - name: client_os
    description: Client device's OS type (for example, Windows or Linux).
    type: string
  - name: client_os_ver
    description: Client device's OS version.
    type: string
  - name: repeatcnt
    description: Number of matching sessions GlobalProtect detected within the last five seconds.
    type: bigint
  - name: reason
    description: Reason for the quarantine.
    type: string
  - name: error
    description: Error that has occurred in any event.
    type: string
  - name: opaque
    description: Additional information for any event that has occurred.
    type: string
  - name: status
    description: Status (success or failure) of the event.
    type: string
  - name: location
    description: Administrator-defined location of the GlobalProtect portal or gateway.
    type: string
  - name: login_duration
    description: Seconds the user is connected to the gateway from login to logout.
    type: bigint
  - name: connect_method
    description: How the GlobalProtect app connects to the gateway (for example, on-demand or user-logon).
    type: string
  - name: error_code
    description: Integer associated with any errors that occurred.
    type: string
  - name: portal
    description: Name of the GlobalProtect portal or gateway.
    type: string
    indicators:
      - hostname
  - name: seqno
    description: 64-bit log entry identifier for this log type.
    type: string
  - name: actionflags
    description: Bit field indicating if the log was forwarded to Panorama.
    type: string
  - name: high_res_timestamp
    description: High-resolution receive time at the management plane.
    type: timestamp
    timeFormats:
      - rfc3339
  - name: selection_type
    description: Connection method selected to connect to the gateway (manual, preferred, or auto).
    type: string
  - name: response_time
    description: SSL response time of the selected gateway in milliseconds on the endpoint during tunnel setup.
    type: bigint
  - name: priority
    description: Priority order of the gateway (numeric ranks or labels such as medium, depending on PAN-OS export).
    type: string
  - name: attempted_gateways
    description: Per-gateway connection attempt details (name, SSL response time, priority); entries separated by semicolons.
    type: string
  - name: gateway
    description: Name of the gateway specified on the portal configuration.
    type: string
    indicators:
      - hostname
  - name: dg_hier_level_1
    description: Device group hierarchy level 1 identifier.
    type: string
  - name: dg_hier_level_2
    description: Device group hierarchy level 2 identifier.
    type: string
  - name: dg_hier_level_3
    description: Device group hierarchy level 3 identifier.
    type: string
  - name: dg_hier_level_4
    description: Device group hierarchy level 4 identifier.
    type: string
  - name: vsys_name
    description: Virtual system name when multi-VSYS is enabled.
    type: string
  - name: device_name
    description: Hostname of the firewall on which the session was logged.
    type: string
    indicators:
      - hostname
  - name: vsys_id
    description: Unique identifier for a virtual system on the firewall.
    type: string
  - name: cluster_name
    description: Name of the CN-Series firewall cluster (PAN-OS 11.1+).
    type: string

```
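
The GlobalProtect fields above are what a detection would key on: `eventid` and `status` say whether an authentication attempt failed, `srcuser` and `public_ip` identify who and from where, and `auth_method`, `portal`, `error` and the client fields give the analyst context. The following Panther-style Python rule is an added example written for this page, not code from Panther or Palo Alto Networks. It assumes the `eventid` values `portal-auth` and `gateway-auth` for authentication events (verify against what your gateways emit), works on the normalized field names of `PaloAltoNGFW.GlobalProtect`, and runs over a handful of constructed sample events. In a deployed Panther rule the per-key threshold and window are set in the rule's YAML metadata; `brute_force_groups` is a local stand-in so the threshold logic can be exercised offline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event names treated as authentication attempts. These values are an
# assumption for this example; check the eventid values your portals and
# gateways actually emit before deploying.
AUTH_EVENTS = {"portal-auth", "gateway-auth"}

FAILURE_THRESHOLD = 3              # failures per user/source IP ...
WINDOW = timedelta(minutes=5)      # ... inside this window
TIME_FORMAT = "%Y/%m/%d %H:%M:%S"  # time_generated format from the schema


def rule(event):
    """Match one failed GlobalProtect portal/gateway authentication."""
    if event.get("type") != "GLOBALPROTECT":
        return False
    if event.get("eventid") not in AUTH_EVENTS:
        return False
    # status is "success" or "failure"; compare case-insensitively.
    return str(event.get("status") or "").lower() == "failure"


def dedup(event):
    """Alert grouping key: one user seen from one public address."""
    src = event.get("public_ip") or event.get("public_ipv6") or "unknown"
    return f"{event.get('srcuser') or 'unknown'}:{src}"


def title(event):
    return (
        f"GlobalProtect auth failure for {event.get('srcuser')} from "
        f"{event.get('public_ip')} via {event.get('auth_method')} "
        f"on {event.get('portal')}"
    )


def alert_context(event):
    keys = ("srcuser", "public_ip", "auth_method", "portal", "error",
            "error_code", "client_os", "client_ver", "machinename", "serialnumber")
    return {k: event.get(k) for k in keys}


def brute_force_groups(events):
    """Local stand-in for Panther's dedup + threshold: return the dedup keys
    that accumulate FAILURE_THRESHOLD or more matches inside WINDOW."""
    buckets = defaultdict(list)
    for ev in events:
        if rule(ev):
            buckets[dedup(ev)].append(
                datetime.strptime(ev["time_generated"], TIME_FORMAT))
    hits = []
    for key, times in buckets.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted times
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 >= FAILURE_THRESHOLD:
                hits.append(key)
                break
    return sorted(hits)


def _gp(time_generated, user, ip, status, eventid="gateway-auth", error=""):
    # Constructed sample row shaped like a PaloAltoNGFW.GlobalProtect event.
    return {
        "type": "GLOBALPROTECT", "eventid": eventid, "stage": "login",
        "auth_method": "LDAP", "srcuser": user, "public_ip": ip,
        "status": status, "error": error, "portal": "gp-portal",
        "time_generated": time_generated,
    }


# Constructed sample events: alice fails three times from one address inside
# two and a half minutes, then succeeds; bob fails once; alice fails once
# more from a different address (not enough on its own).
SAMPLE_EVENTS = [
    _gp("2024/05/01 10:00:00", "alice", "203.0.113.10", "failure", error="Invalid username or password"),
    _gp("2024/05/01 10:01:10", "alice", "203.0.113.10", "failure", error="Invalid username or password"),
    _gp("2024/05/01 10:02:30", "alice", "203.0.113.10", "failure", error="Invalid username or password"),
    _gp("2024/05/01 10:03:05", "alice", "203.0.113.10", "success"),
    _gp("2024/05/01 10:02:00", "bob", "198.51.100.7", "failure", eventid="portal-auth"),
    _gp("2024/05/01 10:04:00", "alice", "198.51.100.9", "failure"),
]

if __name__ == "__main__":
    for key in brute_force_groups(SAMPLE_EVENTS):
        print("threshold reached:", key)
```

Keying the dedup string on user plus source address rather than user alone keeps a distributed guess from one account across many addresses from collapsing into a single alert, and `public_ipv6` is consulted as a fallback because IPv6-only clients populate that column instead of `public_ip`. A rule that only read `public_ip` would silently group all such clients under `unknown`.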

### PaloAltoNGFW\.GTP

GTP logs record GPRS Tunneling Protocol session and inspection events including subscriber identifiers, tunnel endpoints, GTP message context, and policy outcomes when GTP security is applied.

Reference: [Palo Alto documentation on GTP log fields and Versioning](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/gtp-log-fields)

```yaml
schema: PaloAltoNGFW.GTP
description: GTP logs record GPRS Tunneling Protocol session and inspection events including subscriber identifiers, tunnel endpoints, GTP message context, and policy outcomes when GTP security is applied.
referenceURL: https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/gtp-log-fields
fields:
  - name: receive_time
    description: Time the log was received at the management plane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: serial
    description: Serial number of the firewall that generated the log.
    type: string
    indicators:
      - serial_number
  - name: type
    description: Specifies the type of log; value is GTP.
    type: string
  - name: subtype
    description: Subtype of the GTP log; values are start, end, drop, and deny.
    type: string
  - name: time_generated
    description: Time the log was generated on the dataplane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
    isEventTime: true
  - name: src
    description: Source IP address of packets in the session.
    type: string
    indicators:
      - ip
  - name: dst
    description: Destination IP address of packets in the session.
    type: string
    indicators:
      - ip
  - name: rule
    description: Name of the Security policy rule in effect on the session.
    type: string
  - name: app
    description: Tunneling protocol used in the session.
    type: string
  - name: vsys
    description: Virtual System associated with the session.
    type: string
  - name: from
    description: Source zone of packets in the session.
    type: string
  - name: to
    description: Destination zone of packets in the session.
    type: string
  - name: inbound_if
    description: Interface that the session was sourced from.
    type: string
  - name: outbound_if
    description: Interface that the session was destined to.
    type: string
  - name: logset
    description: Log Forwarding Profile that was applied to the session.
    type: string
  - name: sessionid
    description: Session ID of the session being logged.
    type: string
  - name: sport
    description: Source port utilized by the session.
    type: bigint
  - name: dport
    description: Destination port utilized by the session.
    type: bigint
  - name: proto
    description: IP protocol associated with the session.
    type: string
  - name: action
    description: Action taken for the session; possible values are allow (session was allowed by policy) and deny (session was denied by policy).
    type: string
  - name: event_type
    description: Defines event triggered by a GTP message when checks in GTP protection profile are applied to the GTP traffic. Also triggered by the start or end of a GTP session.
    type: string
  - name: msisdn
    description: Service identity associated with the mobile subscriber, composed of a Country Code, a National Destination Code and a Subscriber Number. Consists of decimal digits (0-9) only, with a maximum of 15 digits.
    type: string
  - name: apn
    description: Access Point Name; a reference to a Packet Data Network Gateway (PGW) or Gateway GPRS Support Node (GGSN) in a mobile network. Composed of a mandatory APN Network Identifier and an optional APN Operator Identifier.
    type: string
  - name: rat
    description: Type of technology used for radio access. For example, EUTRAN, WLAN, Virtual, HSPA Evolution, GAN and GERAN.
    type: string
  - name: msg_type
    description: Indicates the GTP message type.
    type: string
  - name: end_ip_adr
    description: IP address of a mobile subscriber allocated by a PGW/GGSN.
    type: string
    indicators:
      - ip
  - name: teid1
    description: Identifies the GTP tunnel in the network node. TEID1 is the first TEID in the GTP message.
    type: string
  - name: teid2
    description: Identifies the GTP tunnel in the network node. TEID2 is the second TEID in the GTP message.
    type: string
  - name: gtp_interface
    description: 3GPP interface from which a GTP message is received.
    type: string
  - name: cause_code
    description: GTP cause value taken from response messages; the Cause Information Element reports whether a network node accepted or rejected the GTP request.
    type: string
  - name: severity
    description: Severity associated with the event; values are informational, low, medium, high, critical.
    type: string
  - name: mcc
    description: Mobile country code of serving core network operator.
    type: string
  - name: mnc
    description: Mobile network code of serving core network operator.
    type: string
  - name: area_code
    description: Area within a Public Land Mobile Network (PLMN).
    type: string
  - name: cell_id
    description: Base station within an area code.
    type: string
  - name: event_code
    description: Event code describing the GTP event.
    type: string
  - name: srcloc
    description: Source country or Internal region for private addresses; maximum length is 32 bytes.
    type: string
  - name: dstloc
    description: Destination country or Internal region for private addresses; maximum length is 32 bytes.
    type: string
  - name: imsi
    description: International Mobile Subscriber Identity (IMSI), a unique number allocated to each mobile subscriber in the GSM/UMTS/EPS system. Consists of decimal digits (0-9) only, with a maximum of 15 digits.
    type: string
  - name: imei
    description: International Mobile Equipment Identity (IMEI) is a unique 15 or 16 digit number allocated to each mobile station equipment.
    type: string
  - name: start
    description: Time of session start.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: elapsed
    description: Elapsed time of the session.
    type: bigint
  - name: tunnel_insp_rule
    description: Name of the tunnel inspection rule matching the cleartext tunnel traffic.
    type: string
  - name: remote_user_ip
    description: IPv4 or IPv6 address used by a remote user.
    type: string
    indicators:
      - ip
  - name: remote_user_id
    description: IMSI identity of a remote user, and if available, one IMEI identity and/or one MSISDN identity.
    type: string
  - name: rule_uuid
    description: Universally Unique ID for rule.
    type: string
  - name: pcap_id
    description: Unique packet capture ID that is used to locate the pcap file saved on the firewall.
    type: string
  - name: high_res_timestamp
    description: Time in milliseconds the log was received at the management plane.
    type: timestamp
    timeFormats:
      - rfc3339
  - name: nsdsai_sst
    description: The Slice/Service Type (SST) component of the Network Slice ID (S-NSSAI).
    type: string
  - name: nsdsai_sd
    description: The Slice Differentiator (SD) component of the Network Slice ID (S-NSSAI).
    type: string
  - name: subcategory_of_app
    description: The application subcategory specified in the application configuration properties.
    type: string
  - name: category_of_app
    description: The application category specified in the application configuration properties.
    type: string
  - name: technology_of_app
    description: The application technology specified in the application configuration properties.
    type: string
  - name: risk_of_app
    description: Risk level associated with the application (1=lowest to 5=highest).
    type: string
  - name: characteristic_of_app
    description: Comma-separated list of the characteristics that apply to the application.
    type: string
  - name: container_of_app
    description: The parent application for an application.
    type: string
  - name: is_saas_of_app
    description: Displays 1 if a SaaS application or 0 if not a SaaS application.
    type: string
  - name: sanctioned_state_of_app
    description: Displays 1 if application is sanctioned or 0 if application is not sanctioned.
    type: string

```

### PaloAltoNGFW\.HIPMatch

HIP match logs record GlobalProtect Host Information Profile (HIP) evaluation outcomes used to enforce HIP-based security rules.

Reference: [Palo Alto documentation on HIP Match log fields and Versioning](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/hip-match-log-fields)

```yaml
schema: PaloAltoNGFW.HIPMatch
description: HIP match logs record GlobalProtect Host Information Profile (HIP) evaluation outcomes used to enforce HIP-based security rules.
referenceURL: https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/hip-match-log-fields
fields:
  - name: receive_time
    description: Time the log was received at the management plane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: serial
    description: Serial number of the firewall that generated the log.
    type: string
    indicators:
      - serial_number
  - name: type
    description: Specifies the type of log; value is HIP-MATCH.
    type: string
  - name: subtype
    description: Subtype of HIP match log; unused.
    type: string
  - name: time_generated
    description: Time the log was generated on the dataplane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
    isEventTime: true
  - name: srcuser
    description: Username of the user who initiated the session.
    type: string
    indicators:
      - username
  - name: vsys
    description: Virtual System associated with the HIP match log.
    type: string
  - name: machinename
    description: Name of the user's machine.
    type: string
    indicators:
      - hostname
  - name: os
    description: The operating system installed on the user's machine.
    type: string
  - name: src
    description: IP address of the source user.
    type: string
    indicators:
      - ip
  - name: matchname
    description: Name of the HIP object or profile.
    type: string
  - name: repeatcnt
    description: Number of times the HIP profile matched.
    type: bigint
  - name: matchtype
    description: Whether the HIP field represents a HIP object or a HIP profile.
    type: string
  - name: seqno
    description: A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space.
    type: string
  - name: actionflags
    description: A bit field indicating if the log was forwarded to Panorama.
    type: string
  - name: dg_hier_level_1
    description: Device group hierarchy level 1 identifier.
    type: string
  - name: dg_hier_level_2
    description: Device group hierarchy level 2 identifier.
    type: string
  - name: dg_hier_level_3
    description: Device group hierarchy level 3 identifier.
    type: string
  - name: dg_hier_level_4
    description: Device group hierarchy level 4 identifier.
    type: string
  - name: vsys_name
    description: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
    type: string
  - name: device_name
    description: The hostname of the firewall on which the session was logged.
    type: string
    indicators:
      - hostname
  - name: vsys_id
    description: A unique identifier for a virtual system on a Palo Alto Networks firewall.
    type: string
  - name: srcipv6
    description: IPv6 address of the user's machine.
    type: string
    indicators:
      - ip
  - name: hostid
    description: Unique ID GlobalProtect assigns to identify the host.
    type: string
  - name: serialnumber
    description: Serial number of the user's machine or device.
    type: string
    indicators:
      - serial_number
  - name: mac
    description: The MAC address of the user's machine.
    type: string
    indicators:
      - mac
  - name: high_res_timestamp
    description: Time in milliseconds the log was received at the management plane.
    type: timestamp
    timeFormats:
      - rfc3339
  - name: cluster_name
    description: Name of the CN-Series firewall cluster (PAN-OS 11.1+).
    type: string

```

### PaloAltoNGFW\.IPTag

IP-tag logs record IP address-to-tag mapping events including tag name, timeout, and data source metadata.

Reference: [Palo Alto documentation on IP-Tag log fields and Versioning](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/ip-tag-log-fields)

```yaml
schema: PaloAltoNGFW.IPTag
description: IP-tag logs record IP address-to-tag mapping events including tag name, timeout, and data source metadata.
referenceURL: https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/ip-tag-log-fields
fields:
  - name: receive_time
    description: The time the log was received at the management plane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: serial
    description: The serial number of the firewall that generated the log.
    type: string
    indicators:
      - serial_number
  - name: type
    description: Specifies the type of log; value is IPTAG.
    type: string
  - name: subtype
    description: The subtype of the IP-tag log; unused.
    type: string
  - name: time_generated
    description: The time the log was generated on the dataplane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
    isEventTime: true
  - name: vsys
    description: The virtual system associated with the IP-tag log.
    type: string
  - name: src
    description: The IP address of the source user.
    type: string
    indicators:
      - ip
  - name: tag_name
    description: The tag mapped to the source IP address.
    type: string
  - name: eventid
    description: A string showing the name of the event.
    type: string
  - name: repeatcnt
    description: The number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds.
    type: bigint
  - name: timeout
    description: The amount of time before the IP address-to-tag mapping expires for the source IP address.
    type: bigint
  - name: datasourcename
    description: The name of the source from which mapping information is collected.
    type: string
  - name: datasource_type
    description: The source from which mapping information is collected.
    type: string
  - name: datasource_subtype
    description: The mechanism used to identify the IP address-to-tag mappings within a data source.
    type: string
  - name: seqno
    description: A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space.
    type: string
  - name: actionflags
    description: A bit field indicating whether the log was forwarded to Panorama.
    type: string
  - name: dg_hier_level_1
    description: Device group hierarchy level 1 identifier.
    type: string
  - name: dg_hier_level_2
    description: Device group hierarchy level 2 identifier.
    type: string
  - name: dg_hier_level_3
    description: Device group hierarchy level 3 identifier.
    type: string
  - name: dg_hier_level_4
    description: Device group hierarchy level 4 identifier.
    type: string
  - name: vsys_name
    description: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
    type: string
  - name: device_name
    description: The hostname of the firewall on which the session was logged.
    type: string
    indicators:
      - hostname
  - name: vsys_id
    description: A unique identifier for a virtual system on a Palo Alto Networks firewall.
    type: string
  - name: high_res_timestamp
    description: Time in milliseconds the log was received at the management plane.
    type: timestamp
    timeFormats:
      - rfc3339
  - name: cluster_name
    description: Name of the CN-Series firewall cluster (PAN-OS 11.1+).
    type: string

```

### PaloAltoNGFW\.SCTP

SCTP logs record Stream Control Transmission Protocol (SCTP) session and association events including policy action, verification tags, diameter-related fields, and chunk or association lifecycle details when SCTP inspection is enabled.

Reference: [Palo Alto documentation on SCTP log fields and Versioning](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/sctp-log-fields)

```yaml
schema: PaloAltoNGFW.SCTP
description: SCTP logs record Stream Control Transmission Protocol (SCTP) session and association events including policy action, verification tags, diameter-related fields, and chunk or association lifecycle details when SCTP inspection is enabled.
referenceURL: https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/sctp-log-fields
fields:
  - name: receive_time
    description: Time the log was received at the management plane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: serial
    description: Serial number of the firewall that generated the log.
    type: string
    indicators:
      - serial_number
  - name: type
    description: Specifies the type of log; value is SCTP.
    type: string
  - name: time_generated
    description: Time the log was generated on the dataplane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
    isEventTime: true
  - name: src
    description: Original session source IP address.
    type: string
    indicators:
      - ip
  - name: dst
    description: Original session destination IP address.
    type: string
    indicators:
      - ip
  - name: rule
    description: Name of the Security policy rule in effect on the session.
    type: string
  - name: vsys
    description: Virtual System associated with the session.
    type: string
  - name: from
    description: Zone the session was sourced from.
    type: string
  - name: to
    description: Zone the session was destined to.
    type: string
  - name: inbound_if
    description: Interface that the session was sourced from.
    type: string
  - name: outbound_if
    description: Interface that the session was destined to.
    type: string
  - name: logset
    description: Log Forwarding Profile that was applied to the session.
    type: string
  - name: sessionid
    description: An internal numerical identifier applied to each session.
    type: string
  - name: repeatcnt
    description: Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds.
    type: bigint
  - name: sport
    description: Source port utilized by the session.
    type: bigint
  - name: dport
    description: Destination port utilized by the session.
    type: bigint
  - name: proto
    description: IP protocol associated with the session.
    type: string
  - name: action
    description: Action taken for the session; possible values are allow (session was allowed by the policy) and deny (session was denied by the policy).
    type: string
  - name: dg_hier_level_1
    description: Device group hierarchy level 1 identifier.
    type: string
  - name: dg_hier_level_2
    description: Device group hierarchy level 2 identifier.
    type: string
  - name: dg_hier_level_3
    description: Device group hierarchy level 3 identifier.
    type: string
  - name: dg_hier_level_4
    description: Device group hierarchy level 4 identifier.
    type: string
  - name: vsys_name
    description: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
    type: string
  - name: device_name
    description: The hostname of the firewall on which the session was logged.
    type: string
    indicators:
      - hostname
  - name: seqno
    description: A 64-bit log entry identifier incremented sequentially; each log type has a unique number space.
    type: string
  - name: assoc_id
    description: An internal 56-bit numerical logical identifier applied to each SCTP association.
    type: string
  - name: ppid
    description: Identifies the Payload Protocol ID (PPID) in the data chunk which triggered this event. PPID is assigned by Internet Assigned Numbers Authority (IANA).
    type: string
  - name: severity
    description: Severity associated with the event; values are informational, low, medium, high, critical.
    type: string
  - name: sctp_chunk_type
    description: Describes the type of information contained in a chunk, such as control or data.
    type: string
  - name: sctp_event_type
    description: Defines the event triggered per SCTP chunk or packet when SCTP protection profile is applied to the SCTP traffic. It is also triggered by start or end of a SCTP association.
    type: string
  - name: verif_tag_1
    description: Verification tag chosen by endpoint1 (the association initiator); used to check that a received SCTP packet belongs to the current association and to validate endpoint2.
    type: string
  - name: verif_tag_2
    description: Verification tag chosen by endpoint2; used to check that a received SCTP packet belongs to the current association and to validate endpoint1.
    type: string
  - name: sctp_cause_code
    description: Sent by an endpoint to specify reason for an error condition to other endpoint of same SCTP association.
    type: string
  - name: diam_app_id
    description: The diameter application in the data chunk which triggered the event. Diameter Application ID is assigned by Internet Assigned Numbers Authority (IANA).
    type: string
  - name: diam_cmd_code
    description: The diameter command code in the data chunk which triggered the event. Diameter Command Code is assigned by Internet Assigned Numbers Authority (IANA).
    type: string
  - name: diam_avp_code
    description: The diameter AVP code in the data chunk which triggered the event.
    type: string
  - name: stream_id
    description: ID of the stream which carries the data chunk which triggered the event.
    type: string
  - name: assoc_end_reason
    description: Reason an association was terminated. If the termination had multiple causes, the highest-priority reason is displayed. In descending priority the possible values are shutdown-from-endpoint (an endpoint sent SHUTDOWN), abort-from-endpoint (an endpoint sent ABORT), and unknown (the association aged out or ended for a reason not covered above, for example a clear session all command).
    type: string
  - name: op_code
    description: Identifies the operation code of application layer SS7 protocols, like MAP or CAP, in the data chunk which triggered the event.
    type: string
  - name: sccp_calling_ssn
    description: The Signaling Connection Control Part (SCCP) calling party subsystem number (SSN) in the data chunk which triggered the event.
    type: string
  - name: sccp_calling_gt
    description: The Signaling Connection Control Part (SCCP) calling party global title (GT) in the data chunk which triggered the event.
    type: string
  - name: sctp_filter
    description: Name of the filter that the SCTP chunk matched.
    type: string
  - name: chunks
    description: Number of total chunks (transmit and receive) for the association.
    type: bigint
  - name: chunks_sent
    description: Number of endpoint1 (which initiates association)-to-endpoint2 chunks for the association.
    type: bigint
  - name: chunks_received
    description: Number of endpoint2-to-endpoint1 (which initiates association) chunks for the association.
    type: bigint
  - name: packets
    description: Number of total packets (transmit and receive) for the session.
    type: bigint
  - name: pkts_sent
    description: Number of client-to-server packets for the session.
    type: bigint
  - name: pkts_received
    description: Number of server-to-client packets for the session.
    type: bigint
  - name: rule_uuid
    description: The UUID that permanently identifies the rule.
    type: string
  - name: high_res_timestamp
    description: Time in milliseconds the log was received at the management plane. The High Resolution Timestamp is supported for logs received from managed firewalls running PAN-OS 11.1 and later releases.
    type: timestamp
    timeFormats:
      - rfc3339

```

### PaloAltoNGFW\.System

System logs record platform events such as daemons, HA, routing, authentication, upgrades, and chassis events.

Reference: [Palo Alto documentation on System log fields and Versioning](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/system-log-fields)

```yaml
schema: PaloAltoNGFW.System
description: System logs record platform events such as daemons, HA, routing, authentication, upgrades, and chassis events.
referenceURL: https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/system-log-fields
fields:
  - name: receive_time
    description: Time the log was received at the management plane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: serial
    description: Serial number of the firewall that generated the log.
    type: string
    indicators:
      - serial_number
  - name: type
    description: Specifies the type of log; value is SYSTEM.
    type: string
  - name: subtype
    description: Subtype of the system log (daemon family), e.g. general, ha, routing.
    type: string
  - name: time_generated
    description: Time the log was generated on the dataplane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
    isEventTime: true
  - name: vsys
    description: Virtual system associated with the log.
    type: string
  - name: eventid
    description: Name of the event.
    type: string
  - name: object
    description: Name of the object associated with the system event.
    type: string
  - name: module
    description: 'Valid only when subtype is general: the subsystem that generated the event (management, auth, ha, etc.).'
    type: string
  - name: severity
    description: Severity of the event (informational, low, medium, high, critical).
    type: string
  - name: description
    description: Detailed description of the event.
    type: string
  - name: seqno
    description: 64-bit log entry identifier for this log type.
    type: string
  - name: actionflags
    description: Bit field indicating if the log was forwarded to Panorama.
    type: string
  - name: dg_hier_level_1
    description: Device group hierarchy level 1 identifier.
    type: string
  - name: dg_hier_level_2
    description: Device group hierarchy level 2 identifier.
    type: string
  - name: dg_hier_level_3
    description: Device group hierarchy level 3 identifier.
    type: string
  - name: dg_hier_level_4
    description: Device group hierarchy level 4 identifier.
    type: string
  - name: vsys_name
    description: Virtual system name when multi-VSYS is enabled.
    type: string
  - name: device_name
    description: Hostname of the firewall that logged the event.
    type: string
    indicators:
      - hostname
  - name: high_res_timestamp
    description: High-resolution receive time at the management plane (PAN-OS 11.1+).
    type: timestamp
    timeFormats:
      - rfc3339

```

### PaloAltoNGFW\.Threat

Threat logs record security events detected by Threat Prevention, WildFire, URL filtering, Anti-Spyware, Vulnerability Protection, and related profiles.

Reference: [Palo Alto documentation on Threat log fields and Versioning](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields)

```yaml
schema: PaloAltoNGFW.Threat
description: Threat logs record security events detected by Threat Prevention, WildFire, URL filtering, Anti-Spyware, Vulnerability Protection, and related profiles.
referenceURL: https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/threat-log-fields
fields:
  - name: receive_time
    description: Time the log was received at the management plane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: serial
    description: Serial number of the firewall that generated the log.
    type: string
    indicators:
      - serial_number
  - name: type
    description: Specifies the type of log; value is THREAT.
    type: string
  - name: subtype
    description: Subtype of threat log (data, file, flood, packet, scan, spyware, url, virus, vulnerability, wildfire, wildfire-virus, ml-virus, etc.).
    type: string
  - name: time_generated
    description: Time the log was generated on the dataplane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
    isEventTime: true
  - name: src
    description: Original session source IP address.
    type: string
    indicators:
      - ip
  - name: dst
    description: Original session destination IP address.
    type: string
    indicators:
      - ip
  - name: natsrc
    description: If source NAT performed, the post-NAT source IP address.
    type: string
    indicators:
      - ip
  - name: natdst
    description: If destination NAT performed, the post-NAT destination IP address.
    type: string
    indicators:
      - ip
  - name: rule
    description: Name of the rule that the session matched.
    type: string
  - name: srcuser
    description: Username of the user who initiated the session.
    type: string
    indicators:
      - username
  - name: dstuser
    description: Username of the user to which the session was destined.
    type: string
    indicators:
      - username
  - name: app
    description: Application associated with the session.
    type: string
  - name: vsys
    description: Virtual System associated with the session.
    type: string
  - name: from
    description: Zone the session was sourced from.
    type: string
  - name: to
    description: Zone the session was destined to.
    type: string
  - name: inbound_if
    description: Interface that the session was sourced from.
    type: string
  - name: outbound_if
    description: Interface that the session was destined to.
    type: string
  - name: logset
    description: Log Forwarding Profile that was applied to the session.
    type: string
  - name: sessionid
    description: An internal numerical identifier applied to each session.
    type: string
  - name: repeatcnt
    description: Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen within 5 seconds.
    type: bigint
  - name: sport
    description: Source port utilized by the session.
    type: bigint
  - name: dport
    description: Destination port utilized by the session.
    type: bigint
  - name: natsport
    description: Post-NAT source port.
    type: bigint
  - name: natdport
    description: Post-NAT destination port.
    type: bigint
  - name: flags
    description: 32-bit bit field of session details; decode by bitwise AND-ing each documented flag mask with the logged value.
    type: string
  - name: proto
    description: IP protocol associated with the session.
    type: string
  - name: action
    description: Action taken for the session (alert, allow, deny, drop, reset-client, reset-server, reset-both, block-url, block-ip, etc.).
    type: string
  - name: misc
    description: 'Variable-length field: URI for url subtype, file name or type for file/virus/wildfire subtypes, URL or file name for vulnerability when applicable, or spoofed SNI for certain detections.'
    type: string
    indicators:
      - hostname
  - name: threatid
    description: Palo Alto Networks identifier for known and custom threats (description string and optional 64-bit id in parentheses).
    type: string
  - name: category
    description: 'For URL subtype: URL category; for WildFire subtype: verdict (malware, phishing, grayware, benign); for other subtypes often any.'
    type: string
  - name: severity
    description: Severity associated with the threat (informational, low, medium, high, critical).
    type: string
  - name: direction
    description: 'Direction of the attack: 0 client-to-server, 1 server-to-client.'
    type: string
  - name: seqno
    description: 64-bit log entry identifier incremented sequentially; each log type has a unique number space.
    type: string
  - name: actionflags
    description: Bit field indicating if the log was forwarded to Panorama.
    type: string
  - name: srcloc
    description: Source country or Internal region for private addresses; maximum length is 32 bytes.
    type: string
  - name: dstloc
    description: Destination country or Internal region for private addresses; maximum length is 32 bytes.
    type: string
  - name: contenttype
    description: Content type of the HTTP response data when Subtype is URL; maximum length 32 bytes.
    type: string
  - name: pcap_id
    description: Packet capture ID correlating threat pcap files with extended pcaps (0 when none).
    type: string
  - name: filedigest
    description: Binary hash of the file sent to WildFire for analysis (WildFire subtype).
    type: string
  - name: cloud
    description: FQDN of the WildFire appliance or cloud from which the file was uploaded (WildFire subtype).
    type: string
    indicators:
      - hostname
  - name: url_idx
    description: Counter correlating multiple URL entries within the same session (URL filtering and WildFire subtypes).
    type: string
  - name: user_agent
    description: User-Agent string from the HTTP request (URL filtering subtype).
    type: string
  - name: filetype
    description: Type of file forwarded for WildFire analysis (WildFire subtype).
    type: string
  - name: xff
    description: X-Forwarded-For header value (URL filtering subtype); may contain non-IP values depending on appliance.
    type: string
    indicators:
      - hostname
  - name: referer
    description: Referer header URL (URL filtering subtype).
    type: string
    indicators:
      - hostname
  - name: sender
    description: Name of the sender of an email.
    type: string
  - name: subject
    description: Subject of an email.
    type: string
  - name: recipient
    description: Name of the receiver of an email.
    type: string
  - name: reportid
    description: Identifies the analysis request (Data Filtering and WildFire subtypes).
    type: string
  - name: dg_hier_level_1
    description: Device group hierarchy level 1 identifier.
    type: string
  - name: dg_hier_level_2
    description: Device group hierarchy level 2 identifier.
    type: string
  - name: dg_hier_level_3
    description: Device group hierarchy level 3 identifier.
    type: string
  - name: dg_hier_level_4
    description: Device group hierarchy level 4 identifier.
    type: string
  - name: vsys_name
    description: Name of the virtual system associated with the session when multi-VSYS is enabled.
    type: string
  - name: device_name
    description: Hostname of the firewall on which the session was logged.
    type: string
    indicators:
      - hostname
  - name: src_uuid
    description: Source universal unique identifier for a guest VM in VMware NSX.
    type: string
  - name: dst_uuid
    description: Destination universal unique identifier for a guest VM in VMware NSX.
    type: string
  - name: http_method
    description: HTTP method used in the web request for URL filtering logs.
    type: string
  - name: tunnelid
    description: International Mobile Subscriber Identity (IMSI); decimal digits, up to 15.
    type: string
  - name: monitortag
    description: International Mobile Equipment Identity (IMEI); unique 15 or 16 digit equipment id.
    type: string
  - name: parent_session_id
    description: ID of the session in which this session is tunneled.
    type: string
  - name: parent_start_time
    description: Date/time the parent tunnel session began.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: tunnel
    description: Type of tunnel, such as GRE or IPSec.
    type: string
  - name: thr_category
    description: Threat categories classifying signatures; domain-edl when a domain external dynamic list generated the log.
    type: string
  - name: contentver
    description: Applications and Threats content version on the firewall when the log was generated.
    type: string
  - name: assoc_id
    description: Identifies all connections for an SCTP association.
    type: string
  - name: ppid
    description: Payload protocol ID in SCTP data chunks.
    type: string
  - name: http_headers
    description: Inserted HTTP header in URL log entries.
    type: string
  - name: url_category_list
    description: URL filtering categories used to enforce policy.
    type: string
  - name: rule_uuid
    description: The UUID that permanently identifies the rule.
    type: string
  - name: http2_connection
    description: Whether traffic used HTTP/2 (TCP connection session id vs 0 for non-HTTP/2).
    type: string
  - name: dynusergroup_name
    description: Dynamic user group containing the user who initiated the session.
    type: string
  - name: xff_ip
    description: IP of the requesting user or upstream device from XFF; may contain non-IP values.
    type: string
    indicators:
      - hostname
  - name: src_category
    description: Device-ID category for the source of the traffic.
    type: string
  - name: src_profile
    description: Device-ID profile for the source of the traffic.
    type: string
  - name: src_model
    description: Device-ID model for the source of the traffic.
    type: string
  - name: src_vendor
    description: Device-ID vendor for the source of the traffic.
    type: string
  - name: src_osfamily
    description: Device-ID OS family for the source of the traffic.
    type: string
  - name: src_osversion
    description: Device-ID OS version for the source of the traffic.
    type: string
  - name: src_host
    description: Device-ID hostname for the source of the traffic.
    type: string
    indicators:
      - hostname
  - name: src_mac
    description: Device-ID MAC address for the source of the traffic.
    type: string
    indicators:
      - mac
  - name: dst_category
    description: Device-ID category for the destination of the traffic.
    type: string
  - name: dst_profile
    description: Device-ID profile for the destination of the traffic.
    type: string
  - name: dst_model
    description: Device-ID model for the destination of the traffic.
    type: string
  - name: dst_vendor
    description: Device-ID vendor for the destination of the traffic.
    type: string
  - name: dst_osfamily
    description: Device-ID OS family for the destination of the traffic.
    type: string
  - name: dst_osversion
    description: Device-ID OS version for the destination of the traffic.
    type: string
  - name: dst_host
    description: Device-ID hostname for the destination of the traffic.
    type: string
    indicators:
      - hostname
  - name: dst_mac
    description: Device-ID MAC address for the destination of the traffic.
    type: string
    indicators:
      - mac
  - name: container_id
    description: PAN-NGFW pod container ID on the Kubernetes node.
    type: string
  - name: pod_namespace
    description: Namespace of the application POD being secured.
    type: string
  - name: pod_name
    description: Application POD being secured.
    type: string
  - name: src_edl
    description: External dynamic list containing the session source IP.
    type: string
  - name: dst_edl
    description: External dynamic list containing the session destination IP.
    type: string
  - name: hostid
    description: Unique ID GlobalProtect assigns to identify the host.
    type: string
  - name: serialnumber
    description: Serial number of the user's machine or device.
    type: string
    indicators:
      - serial_number
  - name: domain_edl
    description: External dynamic list containing the domain name of the traffic.
    type: string
    indicators:
      - hostname
  - name: src_dag
    description: Original session source dynamic address group.
    type: string
  - name: dst_dag
    description: Original session destination dynamic address group.
    type: string
  - name: partial_hash
    description: Machine learning partial hash.
    type: string
  - name: high_res_timestamp
    description: High-resolution receive time at the management plane (PAN-OS 11.1+); RFC3339-style with fractional seconds.
    type: timestamp
    timeFormats:
      - rfc3339
  - name: reason
    description: Reason for Data Filtering action.
    type: string
  - name: justification
    description: Justification for Data Filtering action.
    type: string
  - name: nssai_sst
    description: Slice Service Type (SST) of the Network Slice ID.
    type: string
  - name: subcategory_of_app
    description: Application subcategory from application configuration.
    type: string
  - name: category_of_app
    description: Application category from application configuration (business-systems, collaboration, general-internet, media, networking, saas).
    type: string
  - name: technology_of_app
    description: Application technology from configuration (browser-based, client-server, network-protocol, peer-to-peer).
    type: string
  - name: risk_of_app
    description: Application risk level (1=lowest to 5=highest).
    type: string
  - name: characteristic_of_app
    description: Comma-separated application characteristics.
    type: string
  - name: container_of_app
    description: Parent application for an application.
    type: string
  - name: tunneled_app
    description: Tunneled application name when applicable.
    type: string
  - name: is_saas_of_app
    description: 1 if SaaS application, 0 otherwise.
    type: string
  - name: sanctioned_state_of_app
    description: 1 if application is sanctioned, 0 otherwise.
    type: string
  - name: cloud_reportid
    description: Unique ID for a file scanned by the DLP cloud service.
    type: string
  - name: flow_type
    description: Proxy type for traffic (Explicit Proxy, Transparent Proxy, NonProxyTraffic).
    type: string
  - name: cluster_name
    description: CN-Series firewall cluster name (PAN-OS 11.1+).
    type: string

```
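
As an added example (not part of this page, and not Panther's or Palo Alto's own code), here is a Panther-style Python detection over parsed `PaloAltoNGFW.Threat` events. It fires when a high or critical threat was logged with an action that did not stop the traffic, splits the `threatid` field's `description(id)` form into its parts, and builds a dedup key that includes `serial`, since `seqno` is only unique per firewall and per log type. The sample events, serial numbers, hostnames, addresses and threat names are constructed; the blocking-action set is taken from the `action` field description in the schema above and should be extended with any further action strings your PAN-OS release emits.

```python
"""Panther-style detection over parsed PaloAltoNGFW.Threat events.

Added illustration, not Panther's or Palo Alto's own code. Events are dicts
keyed by the schema field names; all sample values below are constructed.
"""
import re
from typing import Optional

# Actions from the schema's `action` description that mean the firewall stopped
# the threat. Anything else on a high/critical threat means traffic went through.
BLOCKING_ACTIONS = {
    "deny", "drop", "reset-client", "reset-server", "reset-both",
    "block-url", "block-ip",
}
ALERT_SEVERITIES = {"high", "critical"}
DIRECTION = {"0": "client-to-server", "1": "server-to-client"}
THREAT_ID_RE = re.compile(r"^(?P<name>.*?)\s*\((?P<id>\d+)\)\s*$")


def parse_threat_id(threatid: Optional[str]) -> tuple[str, Optional[int]]:
    """Split 'description(id)' into (description, id); custom threats may carry no id."""
    text = (threatid or "").strip()
    match = THREAT_ID_RE.match(text)
    if match is None:
        return text, None
    return match.group("name"), int(match.group("id"))


def normalise_action(action: Optional[str]) -> str:
    """Lower-case and hyphenate so 'reset both' and 'reset-both' compare equal (assumption)."""
    return (action or "").strip().lower().replace(" ", "-")


def rule(event: dict) -> bool:
    """Fire when a high/critical threat was seen but not blocked."""
    if event.get("type") != "THREAT":
        return False
    if (event.get("severity") or "").lower() not in ALERT_SEVERITIES:
        return False
    return normalise_action(event.get("action")) not in BLOCKING_ACTIONS


def severity(event: dict) -> str:
    """Map the PAN-OS severity word onto Panther's upper-case level."""
    return (event.get("severity") or "medium").upper()


def dedup(event: dict) -> str:
    """seqno is unique only per firewall and log type, so the key includes serial."""
    name, tid = parse_threat_id(event.get("threatid"))
    return f"{event.get('serial')}:{event.get('src')}:{event.get('dst')}:{tid or name}"


def title(event: dict) -> str:
    name, tid = parse_threat_id(event.get("threatid"))
    direction = DIRECTION.get(str(event.get("direction")), "unknown-direction")
    return (
        f"{severity(event)} threat not blocked on {event.get('device_name')}: "
        f"{name} ({tid if tid is not None else 'no id'}) "
        f"{event.get('src')}:{event.get('sport')} -> {event.get('dst')}:{event.get('dport')} "
        f"[{direction}, action={normalise_action(event.get('action'))}, "
        f"subtype={event.get('subtype')}]"
    )


def evaluate(events: list[dict]) -> list[str]:
    """Run the rule over parsed events and return one title per match."""
    return [title(e) for e in events if rule(e)]


# Constructed sample events (not real firewall output), keyed by schema field names.
SAMPLE_EVENTS = [
    {"type": "THREAT", "subtype": "vulnerability", "severity": "critical", "action": "alert",
     "threatid": "Constructed Vulnerability Signature(12345)", "direction": "0",
     "serial": "000000000001", "device_name": "fw-edge-1",
     "src": "203.0.113.10", "sport": 51234, "dst": "192.0.2.20", "dport": 443},
    {"type": "THREAT", "subtype": "vulnerability", "severity": "critical", "action": "reset-both",
     "threatid": "Constructed Vulnerability Signature(12345)", "direction": "0",
     "serial": "000000000001", "device_name": "fw-edge-1",
     "src": "203.0.113.11", "sport": 51235, "dst": "192.0.2.20", "dport": 443},
    {"type": "THREAT", "subtype": "spyware", "severity": "medium", "action": "alert",
     "threatid": "Constructed Spyware Signature(23456)", "direction": "1",
     "serial": "000000000001", "device_name": "fw-edge-1",
     "src": "192.0.2.30", "sport": 40000, "dst": "198.51.100.5", "dport": 80},
    {"type": "THREAT", "subtype": "wildfire", "severity": "high", "action": "allow",
     "threatid": "Constructed Custom Threat", "direction": "1",
     "serial": "000000000002", "device_name": "fw-edge-2",
     "src": "192.0.2.31", "sport": 40001, "dst": "198.51.100.6", "dport": 443},
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
```

Only the first and last sample events produce alerts: the second was reset by the firewall, and the third is below the severity threshold. In a real rule, check `misc` too (the URL or file name for the URL, file and WildFire subtypes) before deciding that an unblocked hit is worth a page.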

### PaloAltoNGFW\.Traffic

Traffic logs record firewall session flow metadata including endpoints, NAT, application, zones, policy action, and byte/packet counters.

Reference: [Palo Alto documentation on Traffic log fields and Versioning](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields)
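
Ahead of the schema, an added example (not from this page, nor Panther's or Palo Alto's own code) of a Panther-style Python rule over parsed `PaloAltoNGFW.Traffic` events. It flags allowed internal-to-external sessions whose byte counters are heavily upload-skewed, evaluates only `end` logs (the assumption being that `start`, `drop` and `deny` logs do not carry final counters), and discards repeated deliveries of the same log line using a `serial`/`type`/`seqno` key, because `seqno` is only unique per firewall and per log type. Zone names, thresholds and every sample event are constructed assumptions.

```python
"""Panther-style rule over parsed PaloAltoNGFW.Traffic events.

Added illustration, not Panther's or Palo Alto's own code. Zone names,
thresholds and the sample events are constructed assumptions.
"""
from typing import Optional

INTERNAL_ZONES = {"trust", "users"}   # assumed zone names; substitute your own
EXTERNAL_ZONES = {"untrust"}          # assumed zone names; substitute your own
MIB = 1024 * 1024
MIN_BYTES_SENT = 50 * MIB             # tune to the environment
UPLOAD_RATIO = 10                     # client sent 10x more than it received


def _int(value) -> int:
    """Counters are bigint in the schema but may be empty on start/drop/deny logs."""
    try:
        return int(value or 0)
    except (TypeError, ValueError):
        return 0


def event_key(event: dict) -> str:
    """Identity of one log line: seqno is unique only per firewall and per log type."""
    return f"{event.get('serial')}:{event.get('type')}:{event.get('seqno')}"


def rule(event: dict) -> bool:
    """Flag a completed, allowed, internal-to-external session that is upload-heavy."""
    if event.get("type") != "TRAFFIC" or event.get("subtype") != "end":
        return False  # assumption: byte counters are only final on the end log
    if (event.get("action") or "").lower() != "allow":
        return False
    if event.get("from") not in INTERNAL_ZONES or event.get("to") not in EXTERNAL_ZONES:
        return False
    sent = _int(event.get("bytes_sent"))
    received = _int(event.get("bytes_received"))
    return sent >= MIN_BYTES_SENT and sent > UPLOAD_RATIO * max(received, 1)


def dedup(event: dict) -> str:
    """Group repeated sessions from the same source to the same destination."""
    return f"{event.get('src')}->{event.get('dst')}:{event.get('dport')}"


def title(event: dict) -> str:
    nat = f" (post-NAT {event['natsrc']})" if event.get("natsrc") else ""
    return (
        f"Upload-heavy session on {event.get('device_name')}: "
        f"{event.get('srcuser') or 'unknown user'} {event.get('src')}{nat} -> "
        f"{event.get('dst')}:{event.get('dport')} app={event.get('app')} "
        f"sent={_int(event.get('bytes_sent')) // MIB} MiB in {_int(event.get('elapsed'))}s, "
        f"end reason={event.get('session_end_reason')}"
    )


def evaluate(events: list[dict]) -> list[str]:
    """Run the rule once per distinct log line, ignoring duplicate deliveries."""
    seen: set[str] = set()
    titles: list[str] = []
    for event in events:
        key = event_key(event)
        if key in seen:
            continue
        seen.add(key)
        if rule(event):
            titles.append(title(event))
    return titles


def _session(overrides: Optional[dict] = None) -> dict:
    """Constructed sample end log (not real firewall output) with optional overrides."""
    base = {
        "type": "TRAFFIC", "subtype": "end", "action": "allow", "from": "trust", "to": "untrust",
        "serial": "000000000001", "seqno": "100", "device_name": "fw-edge-1",
        "src": "192.0.2.10", "natsrc": "203.0.113.1", "dst": "198.51.100.7", "dport": 443,
        "srcuser": "corp\\alice", "app": "ssl", "bytes_sent": 120 * MIB,
        "bytes_received": 2 * MIB, "elapsed": 600, "session_end_reason": "tcp-fin",
    }
    base.update(overrides or {})
    return base


SAMPLE_EVENTS = [
    _session(),                                                      # alerts
    _session(),                                                      # same line delivered twice
    _session({"subtype": "start", "seqno": "99", "bytes_sent": 0, "bytes_received": 0}),
    _session({"seqno": "101", "bytes_sent": 1 * MIB, "bytes_received": 500 * MIB}),  # download
    _session({"subtype": "deny", "action": "deny", "seqno": "102",
              "bytes_sent": None, "bytes_received": None}),
    _session({"seqno": "103", "from": "dmz"}),                       # not an internal zone
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print(line)
```

Only the first sample alerts; its duplicate is dropped by `event_key`, the start log has no counters yet, the download-heavy session fails the ratio test, and the denied session and the DMZ-sourced session are excluded outright. When the same firewall forwards through two collectors, or an HA pair both emit the synchronised session (see `session_owner`), this kind of line-level key is what keeps counts honest.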

```yaml
schema: PaloAltoNGFW.Traffic
description: Traffic logs record firewall session flow metadata including endpoints, NAT, application, zones, policy action, and byte/packet counters.
referenceURL: https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields
fields:
  - name: receive_time
    description: Time the log was received at the management plane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: serial
    description: Serial number of the firewall that generated the log.
    type: string
    indicators:
      - serial_number
  - name: type
    description: Specifies the type of log; value is TRAFFIC.
    type: string
  - name: subtype
    description: Subtype of traffic log; values are start, end, drop, and deny.
    type: string
  - name: time_generated
    description: Time the log was generated on the dataplane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
    isEventTime: true
  - name: src
    description: Original session source IP address.
    type: string
    indicators:
      - ip
  - name: dst
    description: Original session destination IP address.
    type: string
    indicators:
      - ip
  - name: natsrc
    description: If Source NAT performed, the post-NAT Source IP address.
    type: string
    indicators:
      - ip
  - name: natdst
    description: If Destination NAT performed, the post-NAT Destination IP address.
    type: string
    indicators:
      - ip
  - name: rule
    description: Name of the rule that the session matched.
    type: string
  - name: srcuser
    description: Username of the user who initiated the session.
    type: string
    indicators:
      - username
  - name: dstuser
    description: Username of the user to which the session was destined.
    type: string
    indicators:
      - username
  - name: app
    description: Application associated with the session.
    type: string
  - name: vsys
    description: Virtual System associated with the session.
    type: string
  - name: from
    description: Zone the session was sourced from.
    type: string
  - name: to
    description: Zone the session was destined to.
    type: string
  - name: inbound_if
    description: Interface that the session was sourced from.
    type: string
  - name: outbound_if
    description: Interface that the session was destined to.
    type: string
  - name: logset
    description: Log Forwarding Profile that was applied to the session.
    type: string
  - name: sessionid
    description: An internal numerical identifier applied to each session.
    type: string
  - name: repeatcnt
    description: Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds.
    type: bigint
  - name: sport
    description: Source port utilized by the session.
    type: bigint
  - name: dport
    description: Destination port utilized by the session.
    type: bigint
  - name: natsport
    description: Post-NAT source port.
    type: bigint
  - name: natdport
    description: Post-NAT destination port.
    type: bigint
  - name: flags
    description: 32-bit bit field of session details; decode by bitwise AND-ing each documented flag mask with the logged value.
    type: string
  - name: proto
    description: IP protocol associated with the session.
    type: string
  - name: action
    description: Action taken for the session (allow, deny, drop, reset client, reset server, reset both, drop ICMP).
    type: string
  - name: bytes
    description: Number of total bytes (transmit and receive) for the session.
    type: bigint
  - name: bytes_sent
    description: Number of bytes in the client-to-server direction of the session.
    type: bigint
  - name: bytes_received
    description: Number of bytes in the server-to-client direction of the session.
    type: bigint
  - name: packets
    description: Number of total packets (transmit and receive) for the session.
    type: bigint
  - name: start
    description: Time of session start.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: elapsed
    description: Elapsed time of the session, in seconds.
    type: bigint
  - name: category
    description: URL category associated with the session (if applicable).
    type: string
  - name: seqno
    description: A 64-bit log entry identifier incremented sequentially; each log type has a unique number space.
    type: string
  - name: actionflags
    description: A bit field indicating if the log was forwarded to Panorama.
    type: string
  - name: srcloc
    description: Source country or Internal region for private addresses; maximum length is 32 bytes.
    type: string
  - name: dstloc
    description: Destination country or Internal region for private addresses. Maximum length is 32 bytes.
    type: string
  - name: pkts_sent
    description: Number of client-to-server packets for the session.
    type: bigint
  - name: pkts_received
    description: Number of server-to-client packets for the session.
    type: bigint
  - name: session_end_reason
    description: The reason a session terminated (highest priority reason if multiple causes).
    type: string
  - name: dg_hier_level_1
    description: Device group hierarchy level 1 identifier.
    type: string
  - name: dg_hier_level_2
    description: Device group hierarchy level 2 identifier.
    type: string
  - name: dg_hier_level_3
    description: Device group hierarchy level 3 identifier.
    type: string
  - name: dg_hier_level_4
    description: Device group hierarchy level 4 identifier.
    type: string
  - name: vsys_name
    description: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
    type: string
  - name: device_name
    description: The hostname of the firewall on which the session was logged.
    type: string
    indicators:
      - hostname
  - name: action_source
    description: Specifies whether the action taken to allow or block an application was defined in the application or in policy.
    type: string
  - name: src_uuid
    description: Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment.
    type: string
  - name: dst_uuid
    description: Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment.
    type: string
  - name: tunnelid
    description: International Mobile Subscriber Identity (IMSI) is a unique number allocated to each mobile subscriber in the GSM/UMTS/EPS system.
    type: string
  - name: monitortag
    description: International Mobile Equipment Identity (IMEI) is a unique 15 or 16 digit number allocated to each mobile station equipment.
    type: string
  - name: parent_session_id
    description: ID of the session in which this session is tunneled.
    type: string
  - name: parent_start_time
    description: Date and time (year/month/day hours:minutes:seconds) at which the parent tunnel session began.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: tunnel
    description: Type of tunnel, such as GRE or IPSec.
    type: string
  - name: assoc_id
    description: Number that identifies all connections for an association between two SCTP endpoints.
    type: string
  - name: chunks
    description: Sum of SCTP chunks sent and received for an association.
    type: bigint
  - name: chunks_sent
    description: Number of SCTP chunks sent for an association.
    type: bigint
  - name: chunks_received
    description: Number of SCTP chunks received for an association.
    type: bigint
  - name: rule_uuid
    description: The UUID that permanently identifies the rule.
    type: string
  - name: http2_connection
    description: Identifies whether the session used an HTTP/2 connection (parent session ID when HTTP/2, 0 otherwise).
    type: string
  - name: link_change_count
    description: Number of link flaps that occurred during the session.
    type: bigint
  - name: policy_id
    description: Name of the SD-WAN policy.
    type: string
  - name: link_switches
    description: Contains up to four link flap entries with link metadata and health.
    type: string
  - name: sdwan_cluster
    description: Name of the SD-WAN cluster.
    type: string
  - name: sdwan_device_type
    description: Type of device (hub or branch).
    type: string
  - name: sdwan_cluster_type
    description: Type of cluster (mesh or hub-spoke).
    type: string
  - name: sdwan_site
    description: Name of the SD-WAN site.
    type: string
  - name: dynusergroup_name
    description: Name of the dynamic user group that contains the user who initiated the session.
    type: string
  - name: xff_ip
    description: The IP address of the user who requested the web page or the IP address of the next to last device that the request traversed; may contain non-IP values.
    type: string
    indicators:
      - hostname
  - name: src_category
    description: The category for the device that Device-ID identifies as the source of the traffic.
    type: string
  - name: src_profile
    description: The device profile for the device that Device-ID identifies as the source of the traffic.
    type: string
  - name: src_model
    description: The model of the device that Device-ID identifies as the source of the traffic.
    type: string
  - name: src_vendor
    description: The vendor of the device that Device-ID identifies as the source of the traffic.
    type: string
  - name: src_osfamily
    description: The operating system type for the device that Device-ID identifies as the source of the traffic.
    type: string
  - name: src_osversion
    description: The version of the operating system for the device that Device-ID identifies as the source of the traffic.
    type: string
  - name: src_host
    description: The hostname of the device that Device-ID identifies as the source of the traffic.
    type: string
    indicators:
      - hostname
  - name: src_mac
    description: The MAC address for the device that Device-ID identifies as the source of the traffic.
    type: string
    indicators:
      - mac
  - name: dst_category
    description: The category for the device that Device-ID identifies as the destination for the traffic.
    type: string
  - name: dst_profile
    description: The device profile for the device that Device-ID identifies as the destination for the traffic.
    type: string
  - name: dst_model
    description: The model of the device that Device-ID identifies as the destination for the traffic.
    type: string
  - name: dst_vendor
    description: The vendor of the device that Device-ID identifies as the destination for the traffic.
    type: string
  - name: dst_osfamily
    description: The operating system type for the device that Device-ID identifies as the destination for the traffic.
    type: string
  - name: dst_osversion
    description: The version of the operating system for the device that Device-ID identifies as the destination for the traffic.
    type: string
  - name: dst_host
    description: The hostname of the device that Device-ID identifies as the destination for the traffic.
    type: string
    indicators:
      - hostname
  - name: dst_mac
    description: The MAC address for the device that Device-ID identifies as the destination for the traffic.
    type: string
    indicators:
      - mac
  - name: container_id
    description: The container ID of the PAN-NGFW pod on the Kubernetes node where the application POD is deployed.
    type: string
  - name: pod_namespace
    description: The namespace of the application POD being secured.
    type: string
  - name: pod_name
    description: The application POD being secured.
    type: string
  - name: src_edl
    description: The name of the external dynamic list that contains the source IP address of the traffic.
    type: string
  - name: dst_edl
    description: The name of the external dynamic list that contains the destination IP address of the traffic.
    type: string
  - name: hostid
    description: Unique ID GlobalProtect assigns to identify the host.
    type: string
  - name: serialnumber
    description: Serial number of the user's machine or device.
    type: string
    indicators:
      - serial_number
  - name: src_dag
    description: Original session source dynamic address group.
    type: string
  - name: dst_dag
    description: Original session destination dynamic address group.
    type: string
  - name: session_owner
    description: The original high availability (HA) peer session owner in an HA cluster from which the session table data was synchronized upon HA failover.
    type: string
  - name: high_res_timestamp
    description: Time in milliseconds the log was received at the management plane (PAN-OS 11.1 and later).
    type: timestamp
    timeFormats:
      - rfc3339
  - name: nssai_sst
    description: Slice Service Type (SST) of the Network Slice ID.
    type: string
  - name: nssai_sd
    description: Slice Differentiator (SD) of the Network Slice ID.
    type: string
  - name: subcategory_of_app
    description: The application subcategory specified in the application configuration properties.
    type: string
  - name: category_of_app
    description: The application category specified in the application configuration properties.
    type: string
  - name: technology_of_app
    description: The application technology specified in the application configuration properties.
    type: string
  - name: risk_of_app
    description: Risk level associated with the application (1=lowest to 5=highest).
    type: string
  - name: characteristic_of_app
    description: Comma-separated list of applicable characteristics of the application.
    type: string
  - name: container_of_app
    description: The parent application for an application.
    type: string
  - name: tunneled_app
    description: Name of the tunneled application.
    type: string
  - name: is_saas_of_app
    description: Displays 1 if a SaaS application or 0 if not a SaaS application.
    type: string
  - name: sanctioned_state_of_app
    description: Displays 1 if application is sanctioned or 0 if application is not sanctioned.
    type: string
  - name: offloaded
    description: Displays 1 if traffic flow has been offloaded or 0 if traffic flow was not offloaded.
    type: string
  - name: flow_type
    description: Identifies the type of proxy used for traffic (Explicit Proxy, Transparent Proxy, or NonProxyTraffic).
    type: string
  - name: cluster_name
    description: Name of the CN-Series firewall cluster.
    type: string
  - name: ai_traffic
    description: Indicates whether the network session is being processed by AI-driven security services.
    type: string
  - name: ai_fwd_error
    description: Indicates whether an error was encountered during traffic forwarding by the AI engine.
    type: string
  - name: k8s_cluster_id
    description: The unique identifier of the Kubernetes cluster that is the source of the traffic.
    type: string
  - name: tcp_rtt_c2s
    description: 'TCP telemetry (internal use): client-to-server RTT.'
    type: string
  - name: tcp_rtt_s2c
    description: 'TCP telemetry (internal use): server-to-client RTT.'
    type: string
  - name: total_n_ooseq_c2s
    description: 'TCP telemetry (internal use): total out-of-order count client-to-server.'
    type: string
  - name: total_n_ooseq_s2c
    description: 'TCP telemetry (internal use): total out-of-order count server-to-client.'
    type: string
  - name: tcp_retransit_cnt_c2s
    description: 'TCP telemetry (internal use): retransmit count client-to-server.'
    type: string
  - name: tcp_retransit_cnt_s2c
    description: 'TCP telemetry (internal use): retransmit count server-to-client.'
    type: string
  - name: tcp_zero_window_cnt_c2s
    description: 'TCP telemetry (internal use): zero-window count client-to-server.'
    type: string
  - name: tcp_zero_window_cnt_s2c
    description: 'TCP telemetry (internal use): zero-window count server-to-client.'
    type: string
  - name: src_adv_dev_id
    description: The unique identifier for the endpoint initiating the session (advanced Device-ID).
    type: string
  - name: dst_adv_dev_id
    description: The unique identifier for the endpoint receiving the session (advanced Device-ID).
    type: string

```

### PaloAltoNGFW\.Tunnel

Tunnel Inspection logs record cleartext tunnel session lifecycle events (START/END) including tunnel type, endpoints, inner-session counters, and tunnel inspection policy outcomes.

Reference: [Palo Alto documentation on Tunnel log fields and Versioning](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/tunnel-inspection-log-fields)

```yaml
schema: PaloAltoNGFW.Tunnel
description: Tunnel Inspection logs record cleartext tunnel session lifecycle events (START/END) including tunnel type, endpoints, inner-session counters, and tunnel inspection policy outcomes.
referenceURL: https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/tunnel-inspection-log-fields
fields:
  - name: receive_time
    description: Month, day, and time the log was received at the management plane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: serial
    description: Serial number of the firewall that generated the log.
    type: string
    indicators:
      - serial_number
  - name: type
    description: 'Type of log as it pertains to the session: START or END.'
    type: string
  - name: subtype
    description: Subtype of traffic log; values are start, end, drop, and deny.
    type: string
  - name: time_generated
    description: Time the log was generated on the dataplane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
    isEventTime: true
  - name: src
    description: Source IP address of packets in the session.
    type: string
    indicators:
      - ip
  - name: dst
    description: Destination IP address of packets in the session.
    type: string
    indicators:
      - ip
  - name: natsrc
    description: If Source NAT performed, the post-NAT Source IP address.
    type: string
    indicators:
      - ip
  - name: natdst
    description: If Destination NAT performed, the post-NAT Destination IP address.
    type: string
    indicators:
      - ip
  - name: rule
    description: Name of the Security policy rule in effect on the session.
    type: string
  - name: srcuser
    description: Source User ID of packets in the session.
    type: string
    indicators:
      - username
  - name: dstuser
    description: Destination User ID of packets in the session.
    type: string
    indicators:
      - username
  - name: app
    description: Tunneling protocol used in the session.
    type: string
  - name: vsys
    description: Virtual System associated with the session.
    type: string
  - name: from
    description: Source zone of packets in the session.
    type: string
  - name: to
    description: Destination zone of packets in the session.
    type: string
  - name: inbound_if
    description: Interface that the session was sourced from.
    type: string
  - name: outbound_if
    description: Interface that the session was destined to.
    type: string
  - name: logset
    description: Log Forwarding Profile that was applied to the session.
    type: string
  - name: sessionid
    description: Session ID of the session being logged.
    type: string
  - name: repeatcnt
    description: Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds.
    type: bigint
  - name: sport
    description: Source port utilized by the session.
    type: bigint
  - name: dport
    description: Destination port utilized by the session.
    type: bigint
  - name: natsport
    description: Post-NAT source port.
    type: bigint
  - name: natdport
    description: Post-NAT destination port.
    type: bigint
  - name: flags
    description: 32-bit field that provides details on session; this field can be decoded by AND-ing the values with the logged value.
    type: string
  - name: proto
    description: IP protocol associated with the session.
    type: string
  - name: action
    description: Action taken for the session; possible values are allow, deny, drop, drop ICMP, reset both, reset client, and reset server.
    type: string
  - name: severity
    description: Severity associated with the event; values are informational, low, medium, high, critical.
    type: string
  - name: seqno
    description: A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
    type: string
  - name: actionflags
    description: A bit field indicating if the log was forwarded to Panorama.
    type: string
  - name: srcloc
    description: Source country or Internal region for private addresses; maximum length is 32 bytes.
    type: string
  - name: dstloc
    description: Destination country or Internal region for private addresses. Maximum length is 32 bytes.
    type: string
  - name: dg_hier_level_1
    description: Device group hierarchy level 1 identifier.
    type: string
  - name: dg_hier_level_2
    description: Device group hierarchy level 2 identifier.
    type: string
  - name: dg_hier_level_3
    description: Device group hierarchy level 3 identifier.
    type: string
  - name: dg_hier_level_4
    description: Device group hierarchy level 4 identifier.
    type: string
  - name: vsys_name
    description: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
    type: string
  - name: device_name
    description: The hostname of the firewall on which the session was logged.
    type: string
    indicators:
      - hostname
  - name: tunnelid
    description: ID of the tunnel being inspected or the International Mobile Subscriber Identity (IMSI) ID of the mobile user.
    type: string
  - name: monitortag
    description: Monitor name you configured for the Tunnel Inspection policy rule or the International Mobile Equipment Identity (IMEI) ID of the mobile device.
    type: string
  - name: parent_session_id
    description: ID of the session in which this session is tunneled. Applies to inner tunnel (if two levels of tunneling) or inside content (if one level of tunneling) only.
    type: string
  - name: parent_start_time
    description: Year/month/day hours:minutes:seconds that the parent tunnel session began.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: tunnel
    description: Type of tunnel, such as GRE or IPSec.
    type: string
  - name: bytes
    description: Number of bytes in the session.
    type: bigint
  - name: bytes_sent
    description: Number of bytes in the client-to-server direction of the session.
    type: bigint
  - name: bytes_received
    description: Number of bytes in the server-to-client direction of the session.
    type: bigint
  - name: packets
    description: Number of total packets (transmit and receive) for the session.
    type: bigint
  - name: pkts_sent
    description: Number of client-to-server packets for the session.
    type: bigint
  - name: pkts_received
    description: Number of server-to-client packets for the session.
    type: bigint
  - name: max_encap
    description: Number of packets the firewall dropped because the packet exceeded the maximum number of encapsulation levels configured in the Tunnel Inspection policy rule (Drop packet if over maximum tunnel inspection level).
    type: bigint
  - name: unknown_proto
    description: Number of packets the firewall dropped because the packet contains an unknown protocol, as enabled in the Tunnel Inspection policy rule (Drop packet if unknown protocol inside tunnel).
    type: bigint
  - name: strict_check
    description: Number of packets the firewall dropped because the tunnel protocol header in the packet failed to comply with the RFC for the tunnel protocol, as enabled in the Tunnel Inspection policy rule (Drop packet if tunnel protocol fails strict header check).
    type: bigint
  - name: tunnel_fragment
    description: Number of packets the firewall dropped because of fragmentation errors.
    type: bigint
  - name: sessions_created
    description: Number of inner sessions created.
    type: bigint
  - name: sessions_closed
    description: Number of inner sessions that were completed/closed.
    type: bigint
  - name: session_end_reason
    description: The reason a session terminated. If the termination had multiple causes, this field displays only the highest priority reason.
    type: string
  - name: action_source
    description: Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset-server, reset-client or reset-both for the session.
    type: string
  - name: start
    description: Year/month/day hours:minutes:seconds that the session began.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: elapsed
    description: Elapsed time of the session.
    type: bigint
  - name: tunnel_insp_rule
    description: Name of the tunnel inspection rule matching the cleartext tunnel traffic.
    type: string
  - name: remote_user_ip
    description: IPv4 or IPv6 address of a remote user.
    type: string
    indicators:
      - ip
  - name: remote_user_id
    description: IMSI identity of a remote user, and if available, one IMEI identity or one MSISDN identity.
    type: string
  - name: rule_uuid
    description: The UUID that permanently identifies the rule.
    type: string
  - name: pcap_id
    description: Unique packet capture ID that defines the location of the pcap file on the firewall.
    type: string
  - name: dynusergroup_name
    description: The name of the dynamic user group that contains the user who initiated the session.
    type: string
  - name: src_edl
    description: The name of the external dynamic list that contains the source IP address of the traffic.
    type: string
  - name: dst_edl
    description: The name of the external dynamic list that contains the destination IP address of the traffic.
    type: string
  - name: high_res_timestamp
    description: Time in milliseconds the log was received at the management plane. The High Resolution Timestamp is supported for logs received from managed firewalls running PAN-OS 11.1 and later releases.
    type: timestamp
    timeFormats:
      - rfc3339
  - name: nssai_sd
    description: The Slice Differentiator (SD) of the Network Slice ID.
    type: string
  - name: nssai_sst
    description: The Slice/Service Type (SST) of the Network Slice ID.
    type: string
  - name: pdu_session_id
    description: Session ID for the collection of L4 segments inside a tunnel.
    type: string
  - name: subcategory_of_app
    description: The application subcategory specified in the application configuration properties.
    type: string
  - name: category_of_app
    description: The application category specified in the application configuration properties.
    type: string
  - name: technology_of_app
    description: The application technology specified in the application configuration properties.
    type: string
  - name: risk_of_app
    description: Risk level associated with the application (1=lowest to 5=highest).
    type: string
  - name: characteristic_of_app
    description: Comma-separated list of applicable characteristics of the application.
    type: string
  - name: container_of_app
    description: The parent application for an application.
    type: string
  - name: is_saas_of_app
    description: Displays 1 if a SaaS application or 0 if not a SaaS application.
    type: string
  - name: sanctioned_state_of_app
    description: Displays 1 if application is sanctioned or 0 if application is not sanctioned.
    type: string
  - name: cluster_name
    description: (11.1 and later releases) Name of the CN-Series firewall cluster.
    type: string

```
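The Tunnel schema above lists field names and types but not how a CSV syslog line becomes a typed event. The block below is an added example, not Panther's parser or a Panther-shipped rule: it maps a constructed Tunnel Inspection END line onto the schema fields in the order listed above, applies the declared bigint and timestamp types, and runs a Panther-style rule that fires when the inspection drop counters (max_encap, unknown_proto, strict_check, tunnel_fragment) are non-zero. Assumptions: the constructed line follows the schema's field order, real exports also carry vendor FUTURE_USE placeholder columns (dropped here via the skip_cols parameter), timestamps are treated as UTC, and a plain dict stands in for Panther's event object.

```python
"""Added example (not Panther's parser or a shipped rule): map one PAN-OS Tunnel
Inspection CSV line onto the typed PaloAltoNGFW.Tunnel fields, then run a
Panther-style rule over it. Assumes the constructed line follows the schema's
field order; real exports add vendor FUTURE_USE placeholder columns, dropped
here via skip_cols. A plain dict stands in for Panther's event object."""
import csv
from datetime import datetime, timezone

PAN_TS = "%Y/%m/%d %H:%M:%S"  # the schema's timeFormats value for these columns
# (name, kind) in schema order up to tunnel_insp_rule: s=string, i=bigint, ts=timestamp
TUNNEL_FIELDS = [
    ("receive_time", "ts"), ("serial", "s"), ("type", "s"), ("subtype", "s"),
    ("time_generated", "ts"), ("src", "s"), ("dst", "s"), ("natsrc", "s"), ("natdst", "s"),
    ("rule", "s"), ("srcuser", "s"), ("dstuser", "s"), ("app", "s"), ("vsys", "s"),
    ("from", "s"), ("to", "s"), ("inbound_if", "s"), ("outbound_if", "s"), ("logset", "s"),
    ("sessionid", "s"), ("repeatcnt", "i"), ("sport", "i"), ("dport", "i"), ("natsport", "i"),
    ("natdport", "i"), ("flags", "s"), ("proto", "s"), ("action", "s"), ("severity", "s"),
    ("seqno", "s"), ("actionflags", "s"), ("srcloc", "s"), ("dstloc", "s"),
    ("dg_hier_level_1", "s"), ("dg_hier_level_2", "s"), ("dg_hier_level_3", "s"),
    ("dg_hier_level_4", "s"), ("vsys_name", "s"), ("device_name", "s"), ("tunnelid", "s"),
    ("monitortag", "s"), ("parent_session_id", "s"), ("parent_start_time", "ts"),
    ("tunnel", "s"), ("bytes", "i"), ("bytes_sent", "i"), ("bytes_received", "i"),
    ("packets", "i"), ("pkts_sent", "i"), ("pkts_received", "i"), ("max_encap", "i"),
    ("unknown_proto", "i"), ("strict_check", "i"), ("tunnel_fragment", "i"),
    ("sessions_created", "i"), ("sessions_closed", "i"), ("session_end_reason", "s"),
    ("action_source", "s"), ("start", "ts"), ("elapsed", "i"), ("tunnel_insp_rule", "s"),
]
DROP_COUNTERS = ("max_encap", "unknown_proto", "strict_check", "tunnel_fragment")

SAMPLE_LINE = (  # constructed sample END record in schema column order, not a real export
    "2024/05/01 10:15:32,SN-CONSTRUCTED-01,TUNNEL,end,2024/05/01 10:15:30,"
    "10.1.1.5,203.0.113.10,198.51.100.7,203.0.113.10,allow-gre-out,alice,,gre,"
    "vsys1,trust,untrust,ethernet1/2,ethernet1/1,fwd-to-panther,44521,1,0,0,0,0,"
    "0x400000,gre,allow,informational,7781234,0x0,10.0.0.0-10.255.255.255,US,"
    "0,0,0,0,,fw-edge-01,0,,0,,GRE,98304,61440,36864,140,90,50,"
    "0,3,2,0,4,4,aged-out,from-policy,2024/05/01 10:10:01,329,inspect-gre"
)

def _coerce(kind, raw):
    """Apply the schema type: empty column -> None, bigint -> int, timestamp -> aware UTC."""
    if raw == "":
        return None
    if kind == "i":
        return int(raw)
    if kind == "ts":  # device clock zone is not in the log; UTC is an assumption
        return datetime.strptime(raw, PAN_TS).replace(tzinfo=timezone.utc)
    return raw

def parse_tunnel_line(line, skip_cols=()):
    """Return a dict keyed by schema field name; raises on short or malformed records."""
    cols = [c for i, c in enumerate(next(csv.reader([line]))) if i not in skip_cols]
    if len(cols) < len(TUNNEL_FIELDS):
        raise ValueError(f"expected >= {len(TUNNEL_FIELDS)} columns, got {len(cols)}")
    return {name: _coerce(kind, raw) for (name, kind), raw in zip(TUNNEL_FIELDS, cols)}

def rule(event):
    """Fire on an END record whose inspection counters show the firewall dropped packets."""
    return event.get("subtype") == "end" and any((event.get(c) or 0) > 0 for c in DROP_COUNTERS)

def title(event):
    hits = {c: event[c] for c in DROP_COUNTERS if (event.get(c) or 0) > 0}
    return (f"Tunnel inspection drops on {event.get('device_name')} "
            f"({event.get('tunnel')} {event.get('src')}->{event.get('dst')}, "
            f"rule {event.get('tunnel_insp_rule')}): {hits}")
```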

### PaloAltoNGFW\.UserID

User-ID logs record IP address-to-user mapping lifecycle events including login, logout, and dynamic tag registration sourced from User-ID agents and integrations.

Reference: [Palo Alto documentation on User-ID log fields and Versioning](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/user-id-log-fields)

```yaml
schema: PaloAltoNGFW.UserID
description: User-ID logs record IP address-to-user mapping lifecycle events including login, logout, and dynamic tag registration sourced from User-ID agents and integrations.
referenceURL: https://docs.paloaltonetworks.com/ngfw/administration/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/user-id-log-fields
fields:
  - name: receive_time
    description: Time the log was received at the management plane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: serial
    description: Serial number of the firewall that generated the log.
    type: string
    indicators:
      - serial_number
  - name: type
    description: Specifies the type of log; value is USERID.
    type: string
  - name: subtype
    description: Subtype of User-ID log; values are login, logout, register-tag, and unregister-tag.
    type: string
  - name: time_generated
    description: The time the log was generated on the dataplane.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
    isEventTime: true
  - name: vsys
    description: Virtual System associated with the configuration log.
    type: string
  - name: ip
    description: Original session source IP address.
    type: string
    indicators:
      - ip
  - name: user
    description: Identifies the end user.
    type: string
    indicators:
      - username
  - name: datasourcename
    description: User-ID source that sends the IP (Port)-User Mapping.
    type: string
  - name: eventid
    description: String showing the name of the event.
    type: string
  - name: repeatcnt
    description: Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds.
    type: bigint
  - name: timeout
    description: Timeout after which the IP/User Mappings are cleared.
    type: bigint
  - name: beginport
    description: Source port utilized by the session.
    type: bigint
  - name: endport
    description: Destination port utilized by the session.
    type: bigint
  - name: datasource
    description: Source from which mapping information is collected.
    type: string
    indicators:
      - hostname
  - name: datasourcetype
    description: Mechanism used to identify the IP/User mappings within a data source.
    type: string
  - name: seqno
    description: A 64-bit log entry identifier incremented sequentially; each log type has a unique number space.
    type: string
  - name: actionflags
    description: A bit field indicating if the log was forwarded to Panorama.
    type: string
  - name: dg_hier_level_1
    description: Device group hierarchy level 1 identifier.
    type: string
  - name: dg_hier_level_2
    description: Device group hierarchy level 2 identifier.
    type: string
  - name: dg_hier_level_3
    description: Device group hierarchy level 3 identifier.
    type: string
  - name: dg_hier_level_4
    description: Device group hierarchy level 4 identifier.
    type: string
  - name: vsys_name
    description: The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
    type: string
  - name: device_name
    description: The hostname of the firewall on which the session was logged.
    type: string
    indicators:
      - hostname
  - name: vsys_id
    description: A unique identifier for a virtual system on a Palo Alto Networks firewall.
    type: string
  - name: factortype
    description: Vendor used to authenticate a user when Multi Factor authentication is present.
    type: string
  - name: factorcompletiontime
    description: Time the authentication was completed.
    type: timestamp
    timeFormats:
      - '%Y/%m/%d %H:%M:%S'
  - name: factorno
    description: Indicates the use of primary authentication (1) or additional factors (2, 3).
    type: bigint
  - name: ugflags
    description: 'Displays whether a user group was found during user group mapping. Supported values are: User Group Found (the user could be mapped to a group) and Duplicate User (duplicate users were found in a user group). Displays N/A if no user group is found.'
    type: string
  - name: userbysource
    description: Indicates the username received from the source through IP address-to-username mapping.
    type: string
    indicators:
      - username
  - name: tag_name
    description: Name of the tag associated with the dynamic user group associated with the User Group the user is mapped to.
    type: string
  - name: high_res_timestamp
    description: Time in milliseconds the log was received at the management plane. The format for this new field is YYYY-MM-DDThh:mm:ss.sssTZD. The High Resolution Timestamp is supported for logs received from managed firewalls running PAN-OS 11.1 and later releases. Logs received from managed firewalls running PAN-OS 9.1 and earlier releases display a 1969-12-31T16:00:00:000-8:00 timestamp regardless of when the log was received.
    type: timestamp
    timeFormats:
      - rfc3339
  - name: origindatasource
    description: Source where the User-ID mapping originated.
    type: string
    indicators:
      - hostname
  - name: cluster_name
    description: Name of the CN-Series firewall cluster (PAN-OS 11.1+).
    type: string

```
