Syslog Field Descriptions
This is a list of the standard fields for each of the five log types that are forwarded to an external server. For ease of parsing, the comma is the delimiter: each log entry is a comma-separated value (CSV) string. The FUTURE_USE tag applies to fields that the devices do not currently implement.
WildFire logs are a subtype of threat logs and use the same Syslog format.
Traffic Logs
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets Sent, Packets Received, Session End Reason *
Field Name Description
Receive Time (receive_time) Time the log was received at the management plane
Serial Number (serial) Serial number of the device that generated the log
Type (type) Specifies type of log; values are traffic, threat, config, system and hip-match
Subtype (subtype) Subtype of traffic log; values are as follows:
  start—session started
  end—session ended
  drop—session dropped before the application is identified and there is no rule that allows the session
  deny—session dropped after the application is identified and there is a rule to block or no rule that allows the session
Generated Time (time_generated) Time the log was generated on the dataplane
Source IP (src) Original session source IP address
Destination IP (dst) Original session destination IP address
NAT Source IP (natsrc) If Source NAT performed, the post-NAT Source IP address
NAT Destination IP (natdst) If Destination NAT performed, the post-NAT Destination IP address
Rule Name (rule) Name of the rule that the session matched
Source User (srcuser) Username of the user who initiated the session
Destination User (dstuser) Username of the user to which the session was destined
Application (app) Application associated with the session
Virtual System (vsys) Virtual System associated with the session
Source Zone (from) Zone the session was sourced from
Destination Zone (to) Zone the session was destined to
Ingress Interface (inbound_if) Interface that the session was sourced from
Egress Interface (outbound_if) Interface that the session was destined to
Log Forwarding Profile (logset) Log Forwarding Profile that was applied to the session
Session ID (sessionid) An internal numerical identifier applied to each session
Repeat Count (repeatcnt) Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only
Source Port (sport) Source port utilized by the session
Destination Port (dport) Destination port utilized by the session
NAT Source Port (natsport) Post-NAT source port
NAT Destination Port (natdport) Post-NAT destination port
Flags (flags) 32-bit field that provides details on the session; decode it by AND-ing the logged value with each of the following masks:
  0x80000000—session has a packet capture (PCAP)
  0x02000000—IPv6 session
  0x01000000—SSL session was decrypted (SSL Proxy)
  0x00800000—session was denied via URL filtering
  0x00400000—session has a NAT translation performed (NAT)
  0x00200000—user information for the session was captured via the captive portal (Captive Portal)
  0x00080000—X-Forwarded-For value from a proxy is in the source user field
  0x00040000—log corresponds to a transaction within an HTTP proxy session (Proxy Transaction)
  0x00008000—session is a container page access (Container Page)
  0x00002000—session has a temporary match on a rule for implicit application dependency handling; available in PAN-OS 5.0.0 and above
  0x00000800—symmetric return was used to forward traffic for this session
Protocol (proto) IP protocol associated with the session
Action (action) Action taken for the session; values are allow or deny:
  allow—session was allowed by policy
  deny—session was denied by policy
Bytes (bytes) Number of total bytes (transmit and receive) for the session
Bytes Sent (bytes_sent) Number of bytes in the client-to-server direction of the session; available on all models except the PA-4000 Series
Bytes Received (bytes_received) Number of bytes in the server-to-client direction of the session; available on all models except the PA-4000 Series
Packets (packets) Number of total packets (transmit and receive) for the session
Start Time (start) Time of session start
Elapsed Time (elapsed) Elapsed time of the session
Category (category) URL category associated with the session (if applicable)
Sequence Number (seqno) A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7050 firewalls.
Action Flags (actionflags) A bit field indicating if the log was forwarded to Panorama
Source Location (srcloc) Source country or Internal region for private addresses; maximum length is 32 bytes
Destination Location (dstloc) Destination country or Internal region for private addresses. Maximum length is 32 bytes
Packets Sent (pkts_sent) Number of client-to-server packets for the session; available on all models except the PA-4000 Series
Packets Received (pkts_received) Number of server-to-client packets for the session; available on all models except the PA-4000 Series
Session End Reason (session_end_reason) New in v6.1! The reason a session terminated. If the termination had multiple causes, this field displays only the highest priority reason. The possible values are as follows, in order of priority (where the first is highest):
  threat—The firewall detected a threat associated with a reset, drop, or block (IP address) action.
  policy-deny—The session matched a security policy with a deny or drop action.
  tcp-rst-from-client—The client sent a TCP reset to the server.
  tcp-rst-from-server—The server sent a TCP reset to the client.
  resources-unavailable—The session dropped because of a system resource limitation. For example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue.
  tcp-fin—One host or both hosts in the connection sent a TCP FIN message to close the session.
  tcp-reuse—A session is reused and the firewall closes the previous session.
  decoder—The decoder detects a new connection within the protocol (such as HTTP-Proxy) and ends the previous connection.
  aged-out—The session aged out.
  unknown—This value applies in the following situations: session terminations that the preceding reasons do not cover (for example, a clear session all command); logs generated in a PAN-OS release that does not support the session end reason field (releases older than PAN-OS 6.1), which show unknown after an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall; and, in Panorama, logs received from firewalls whose PAN-OS version does not support session end reasons.
  n/a—This value applies when the traffic log type is not end.
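As an added example (not part of the original documentation), the Python below maps the CSV body of one forwarded traffic record onto the field names in the table above and decodes the Flags bit field with the masks listed there. The record is constructed, the syslog PRI/header that precedes the CSV body is assumed to have been stripped already, and the short flag labels and function names are this example's own.

```python
import csv

# Column layout taken from the Traffic log "Format:" line above (47 columns).
TRAFFIC_FIELDS = [
    "FUTURE_USE", "receive_time", "serial", "type", "subtype", "FUTURE_USE",
    "time_generated", "src", "dst", "natsrc", "natdst", "rule", "srcuser",
    "dstuser", "app", "vsys", "from", "to", "inbound_if", "outbound_if",
    "logset", "FUTURE_USE", "sessionid", "repeatcnt", "sport", "dport",
    "natsport", "natdport", "flags", "proto", "action", "bytes", "bytes_sent",
    "bytes_received", "packets", "start", "elapsed", "category", "FUTURE_USE",
    "seqno", "actionflags", "srcloc", "dstloc", "FUTURE_USE", "pkts_sent",
    "pkts_received", "session_end_reason",
]
# Masks from the Flags description above; the short labels are this example's own.
FLAG_BITS = [
    (0x80000000, "pcap"), (0x02000000, "ipv6"), (0x01000000, "ssl-decrypted"),
    (0x00800000, "url-denied"), (0x00400000, "nat"), (0x00200000, "captive-portal"),
    (0x00080000, "x-forwarded-for"), (0x00040000, "proxy-transaction"),
    (0x00008000, "container-page"), (0x00002000, "temporary-rule-match"),
    (0x00000800, "symmetric-return"),
]
INT_FIELDS = ("sessionid", "repeatcnt", "sport", "dport", "natsport", "natdport",
              "bytes", "bytes_sent", "bytes_received", "packets", "elapsed",
              "pkts_sent", "pkts_received", "seqno")

def parse_flags(raw):
    """AND the logged value (hex such as 0x400000, or plain decimal) against each mask."""
    raw = raw.strip().lower()
    value = int(raw, 16) if raw.startswith("0x") else int(raw)
    return [name for mask, name in FLAG_BITS if value & mask]

def parse_traffic_record(line):
    """Map one CSV traffic record onto field names; FUTURE_USE columns are dropped."""
    row = next(csv.reader([line]))  # the csv module also applies the quoting rules
    if len(row) != len(TRAFFIC_FIELDS):
        raise ValueError(f"expected {len(TRAFFIC_FIELDS)} columns, got {len(row)}")
    rec = {n: v for n, v in zip(TRAFFIC_FIELDS, row) if n != "FUTURE_USE"}
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    rec["flag_names"] = parse_flags(rec["flags"])
    return rec

def totals_consistent(rec):
    """Bytes and Packets should equal the sum of their per-direction counters."""
    return (rec["bytes"] == rec["bytes_sent"] + rec["bytes_received"]
            and rec["packets"] == rec["pkts_sent"] + rec["pkts_received"])

# Constructed sample, not real device output: the CSV body of one "end" traffic
# log with the syslog PRI/header already stripped. Source NAT was applied.
SAMPLE_LINE = ",".join([
    "1", "2015/03/02 10:15:22", "001606000001", "TRAFFIC", "end", "1",
    "2015/03/02 10:15:22", "192.0.2.10", "198.51.100.20", "203.0.113.5",
    "198.51.100.20", "allow-web", "jdoe", "", "web-browsing", "vsys1", "trust",
    "untrust", "ethernet1/2", "ethernet1/1", "forward-syslog", "1", "12345", "1",
    "51000", "80", "21000", "80", "0x400000", "tcp", "allow", "6420", "1820",
    "4600", "22", "2015/03/02 10:14:58", "24", "computer-and-internet-info", "0",
    "8000012", "0x0", "US", "US", "0", "10", "12", "tcp-fin",
])

if __name__ == "__main__":
    rec = parse_traffic_record(SAMPLE_LINE)
    print(rec["src"], "->", rec["dst"], rec["action"], rec["flag_names"],
          rec["session_end_reason"], "totals ok:", totals_consistent(rec))
```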
Threat Logs
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Miscellaneous, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type, PCAP_id, Filedigest, Cloud, FUTURE_USE, User Agent * , File Type * , X-Forwarded-For * , Referer * , Sender * , Subject * , Recipient * , Report ID *
Field Name Description
Receive Time (receive_time) Time the log was received at the management plane
Serial Number (serial) Serial number of the device that generated the log
Type (type) Specifies type of log; values are traffic, threat, config, system and hip-match
Subtype (subtype) Subtype of threat log. Values include the following:
  data—Data pattern matching a Data Filtering profile.
  file—File type matching a File Blocking profile.
  flood—Flood detected via a Zone Protection profile.
  packet—Packet-based attack protection triggered by a Zone Protection profile.
  scan—Scan detected via a Zone Protection profile.
  spyware—Spyware detected via an Anti-Spyware profile.
  url—URL filtering log.
  virus—Virus detected via an Antivirus profile.
  vulnerability—Vulnerability exploit detected via a Vulnerability Protection profile.
  wildfire—A WildFire verdict generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malicious, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log.
  wildfire-virus—Virus detected via an Antivirus profile.
Generated Time (time_generated) Time the log was generated on the dataplane
Source IP (src) Original session source IP address
Destination IP (dst) Original session destination IP address
NAT Source IP (natsrc) If source NAT performed, the post-NAT source IP address
NAT Destination IP (natdst) If destination NAT performed, the post-NAT destination IP address
Rule Name (rule) Name of the rule that the session matched
Source User (srcuser) Username of the user who initiated the session
Destination User (dstuser) Username of the user to which the session was destined
Application (app) Application associated with the session
Virtual System (vsys) Virtual System associated with the session
Source Zone (from) Zone the session was sourced from
Destination Zone (to) Zone the session was destined to
Ingress Interface (inbound_if) Interface that the session was sourced from
Egress Interface (outbound_if) Interface that the session was destined to
Log Forwarding Profile (logset) Log Forwarding Profile that was applied to the session
Session ID (sessionid) An internal numerical identifier applied to each session
Repeat Count (repeatcnt) Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only
Source Port (sport) Source port utilized by the session
Destination Port (dport) Destination port utilized by the session
NAT Source Port (natsport) Post-NAT source port
NAT Destination Port (natdport) Post-NAT destination port
Flags (flags) 32-bit field that provides details on the session; decode it by AND-ing the logged value with each of the following masks:
  0x80000000—session has a packet capture (PCAP)
  0x02000000—IPv6 session
  0x01000000—SSL session was decrypted (SSL Proxy)
  0x00800000—session was denied via URL filtering
  0x00400000—session has a NAT translation performed (NAT)
  0x00200000—user information for the session was captured via the captive portal (Captive Portal)
  0x00080000—X-Forwarded-For value from a proxy is in the source user field
  0x00040000—log corresponds to a transaction within an HTTP proxy session (Proxy Transaction)
  0x00008000—session is a container page access (Container Page)
  0x00002000—session has a temporary match on a rule for implicit application dependency handling; available in PAN-OS 5.0.0 and above
  0x00000800—symmetric return was used to forward traffic for this session
Protocol (proto) IP protocol associated with the session
Action (action) Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url, and the further values listed here:
  alert—threat or URL detected but not blocked
  allow—flood detection alert
  deny—traffic is blocked
  drop—flood detection mechanism activated and traffic denied based on configuration
  reset-client—threat detected and a TCP RST is sent to the client
  reset-server—threat detected and a TCP RST is sent to the server
  reset-both—threat detected and a TCP RST is sent to both the client and the server
  block-url—URL request was blocked because it matched a URL category that was set to be blocked
  block-ip—threat detected and client IP is blocked
  random-drop—flood detected and packet was randomly dropped
  sinkhole—DNS sinkhole activated
  syncookie-sent—syncookie alert
  block-continue (URL subtype only)—an HTTP request is blocked and redirected to a Continue page with a button for confirmation to proceed
  continue (URL subtype only)—response to a block-continue URL continue page indicating a block-continue request was allowed to proceed
  block-override (URL subtype only)—an HTTP request is blocked and redirected to an Admin override page that requires a pass code from the firewall administrator to continue
  override-lockout (URL subtype only)—too many failed admin override pass code attempts from the source IP; the IP is now blocked from the block-override redirect page
  override (URL subtype only)—response to a block-override page where a correct pass code is provided and the request is allowed
  forward (WildFire only)—file matching a file-blocking profile forward action
  wildfire-upload-success (WildFire only)—file was uploaded to WildFire successfully
  wildfire-upload-fail (WildFire only)—file upload failed
  wildfire-upload-skip (WildFire only)—duplicate file upload is skipped because
  block (WildFire only)—file was blocked by the firewall and uploaded to WildFire
Miscellaneous (misc) Variable-length field with a maximum of 1023 characters:
  the actual URI when the subtype is URL
  file name or file type when the subtype is file
  file name when the subtype is virus
  file name when the subtype is WildFire
Threat ID (threatid) Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some Subtypes; the identifier ranges are:
  8000-8099—scan detection
  8500-8599—flood detection
  9999—URL filtering log
  10000-19999—spyware phone home detection
  20000-29999—spyware download detection
  30000-44999—vulnerability exploit detection
  52000-52999—filetype detection
  60000-69999—data filtering detection
  100000-2999999—virus detection
  3000000-3999999—WildFire signature feed
  4000000-4999999—DNS Botnet signatures
Category (category) For URL Subtype, it is the URL Category; For WildFire subtype, it is the verdict on the file and is either ‘malicious’ or ‘benign’; For other subtypes, the value is ‘any’.
Severity (severity) Severity associated with the threat; values are informational, low, medium, high, critical
Direction (direction) Indicates the direction of the attack, client-to-server or server-to-client:
  0—direction of the threat is client to server
  1—direction of the threat is server to client
Sequence Number (seqno) A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space. This field is not supported on PA-7050 firewalls.
Action Flags (actionflags) A bit field indicating if the log was forwarded to Panorama.
Source Location (srcloc) Source country or Internal region for private addresses. Maximum length is 32 bytes.
Destination Location (dstloc) Destination country or Internal region for private addresses. Maximum length is 32 bytes.
Content Type (contenttype) Applicable only when Subtype is URL. Content type of the HTTP response data. Maximum length 32 bytes.
PCAP ID (pcap_id) A 64-bit unsigned integer that correlates threat pcap files with extended pcaps taken as a part of that flow. All threat logs contain either a pcap_id of 0 (no associated pcap) or an ID referencing the extended pcap file.
File Digest (filedigest) Only for WildFire subtype; all other types do not use this field. The filedigest string shows the binary hash of the file sent to be analyzed by the WildFire service.
Cloud (cloud) Only for WildFire subtype; all other types do not use this field. The cloud string displays the FQDN of either the WildFire appliance (private) or the WildFire cloud (public) from where the file was uploaded for analysis.
New in v6.1! User Agent (user_agent) Only for the URL Filtering subtype; all other types do not use this field. The User Agent field specifies the web browser that the user used to access the URL, for example Internet Explorer. This information is sent in the HTTP request to the server.
New in v6.1! File Type (filetype) Only for WildFire subtype; all other types do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis.
New in v6.1! X-Forwarded-For (xff) Only for the URL Filtering subtype; all other types do not use this field. The X-Forwarded-For field in the HTTP header contains the IP address of the user who requested the web page. It allows you to identify the IP address of the user, which is useful particularly if you have a proxy server on your network that replaces the user IP address with its own address in the source IP address field of the packet header.
New in v6.1! Referer (referer) Only for the URL Filtering subtype; all other types do not use this field. The Referer field in the HTTP header contains the URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested.
New in v6.1! Sender (sender) Only for WildFire subtype; all other types do not use this field. Specifies the name of the sender of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Subject (subject) New in v6.1! Only for WildFire subtype; all other types do not use this field. Specifies the subject of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Recipient (recipient) New in v6.1! Only for WildFire subtype; all other types do not use this field. Specifies the name of the receiver of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Report ID (reportid) New in v6.1! Only for WildFire subtype; all other types do not use this field. Identifies the analysis request on the WildFire cloud or the WildFire appliance.
HIP Match Logs
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source User, Virtual System, Machine name, OS, Source Address, HIP, Repeat Count, HIP Type, FUTURE_USE, FUTURE_USE, Sequence Number, Action Flags
Field Name Description
Receive Time (receive_time) Time the log was received at the management plane
Serial Number (serial) Serial number of the device that generated the log
Type (type) Type of log; values are traffic, threat, config, system and hip-match
Subtype (subtype) Subtype of HIP match log; unused
Generated Time (time_generated) Time the log was generated on the dataplane
Source User (srcuser) Username of the user who initiated the session
Virtual System (vsys) Virtual System associated with the HIP match log
Machine Name (machinename) Name of the user’s machine
OS The operating system installed on the user’s machine or device (or on the client system)
Source Address (src) IP address of the source user
HIP (matchname) Name of the HIP object or profile
Repeat Count (repeatcnt) Number of times the HIP profile matched
HIP Type (matchtype) Whether the HIP field represents a HIP object or a HIP profile
Sequence Number (seqno) A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7050 firewalls.
Action Flags (actionflags) A bit field indicating if the log was forwarded to Panorama
Config Logs
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Host, Virtual System, Command, Admin, Client, Result, Configuration Path, Sequence Number, Action Flags, Before Change Detail * , After Change Detail *
Field Name Description
Receive Time (receive_time) Time the log was received at the management plane
Serial Number (serial) Serial number of the device that generated the log
Type (type) Type of log; values are traffic, threat, config, system and hip-match
Subtype (subtype) Subtype of configuration log; unused
Generated Time (time_generated) Time the log was generated on the dataplane
Host (host) Host name or IP address of the client machine
Virtual System (vsys) Virtual System associated with the configuration log
Command (cmd) Command performed by the Admin; values are add, clone, commit, delete, edit, move, rename, set.
Admin (admin) Username of the Administrator performing the configuration
Client (client) Client used by the Administrator; values are Web and CLI
Result (result) Result of the configuration action; values are Submitted, Succeeded, Failed, and Unauthorized
Configuration Path (path) The path of the configuration command issued; up to 512 bytes in length
Sequence Number (seqno) A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7050 firewalls.
Action Flags (actionflags) A bit field indicating if the log was forwarded to Panorama.
Before Change Detail (before_change_detail) New in v6.1! This field is in custom logs only; it is not in the default format. It contains the full xpath before the configuration change.
After Change Detail (after_change_detail) New in v6.1! This field is in custom logs only; it is not in the default format. It contains the full xpath after the configuration change.
System Logs
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags
Field Name Description
Receive Time (receive_time) Time the log was received at the management plane
Serial Number (serial) Serial number of the device that generated the log
Type (type) Type of log; values are traffic, threat, config, system and hip-match
Subtype (subtype) Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn
Generated Time (time_generated) Time the log was generated on the dataplane
Virtual System (vsys) Virtual System associated with the configuration log
Event ID (eventid) String showing the name of the event
Object (object) Name of the object associated with the system event
Module (module) This field is valid only when the value of the Subtype field is general. It provides additional information about the sub-system generating the log; values are general, management, auth, ha, upgrade, chassis
Severity (severity) Severity associated with the event; values are informational, low, medium, high, critical
Description (opaque) Detailed description of the event, up to a maximum of 512 bytes
Sequence Number (seqno) A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7050 firewalls.
Action Flags (actionflags) A bit field indicating if the log was forwarded to Panorama
Syslog Severity
The syslog severity is set based on the log type and contents.
Log Type/Severity              Syslog Severity
Traffic                        Info
Config                         Info
Threat/System—Informational    Info
Threat/System—Low              Notice
Threat/System—Medium           Warning
Threat/System—High             Error
Threat/System—Critical         Critical
Custom Log/Event Format
To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key: Value attribute pairs. Custom message formats can be configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format.
To achieve ArcSight Common Event Format (CEF) compliant log formatting, refer to the CEF Configuration Guide.
Escape Sequences
Any field that contains a comma or a double-quote is enclosed in double quotes. Furthermore, if a double-quote appears inside a field it is escaped by preceding it with another double-quote. To maintain backward compatibility, the Misc field in threat log is always enclosed in double-quotes.
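An added example, not from the original page, that applies the two escaping rules above to a constructed URL-filtering threat record (with the Misc field quoted unconditionally, as the page describes) and shows why a plain split on commas miscounts columns while the csv module's default dialect recovers them. Column names come from the Threat log format above; the function names and sample values are this example's own.

```python
import csv

# Column layout taken from the Threat log "Format:" line above (54 columns).
THREAT_FIELDS = [
    "FUTURE_USE", "receive_time", "serial", "type", "subtype", "FUTURE_USE",
    "time_generated", "src", "dst", "natsrc", "natdst", "rule", "srcuser",
    "dstuser", "app", "vsys", "from", "to", "inbound_if", "outbound_if",
    "logset", "FUTURE_USE", "sessionid", "repeatcnt", "sport", "dport",
    "natsport", "natdport", "flags", "proto", "action", "misc", "threatid",
    "category", "severity", "direction", "seqno", "actionflags", "srcloc",
    "dstloc", "FUTURE_USE", "contenttype", "pcap_id", "filedigest", "cloud",
    "FUTURE_USE", "user_agent", "filetype", "xff", "referer", "sender",
    "subject", "recipient", "reportid",
]
ALWAYS_QUOTED = {"misc"}  # the threat-log Misc field is quoted unconditionally

def quote_field(value, always=False):
    """The page's rule: wrap in double quotes if the field holds a comma or a
    double quote (or unconditionally), doubling any embedded double quote."""
    if not (always or "," in value or '"' in value):
        return value
    return '"' + value.replace('"', '""') + '"'

def format_threat_record(values):
    """Emit one record the way the page describes; values is keyed by the names
    above, missing columns are left empty, FUTURE_USE columns are always empty."""
    cols = []
    for name in THREAT_FIELDS:
        raw = "" if name == "FUTURE_USE" else str(values.get(name, ""))
        cols.append(quote_field(raw, always=name in ALWAYS_QUOTED))
    return ",".join(cols)

def parse_threat_record(line):
    """The csv module's default dialect implements exactly the two rules above,
    so it recovers the columns that a plain split on commas would break."""
    row = next(csv.reader([line]))
    if len(row) != len(THREAT_FIELDS):
        raise ValueError(f"expected {len(THREAT_FIELDS)} columns, got {len(row)}")
    return {n: v for n, v in zip(THREAT_FIELDS, row) if n != "FUTURE_USE"}

def naive_column_count(line):
    """What split(',') sees: one extra column per comma inside a quoted field."""
    return len(line.split(","))

# Constructed sample, not real device output: a URL-filtering threat log whose
# requested URI carries both a comma and a double quote.
SAMPLE = {
    "receive_time": "2015/03/02 10:15:22", "serial": "001606000001",
    "type": "THREAT", "subtype": "url", "time_generated": "2015/03/02 10:15:22",
    "src": "192.0.2.10", "dst": "198.51.100.20", "rule": "allow-web",
    "srcuser": "jdoe", "app": "web-browsing", "vsys": "vsys1", "from": "trust",
    "to": "untrust", "sessionid": "12345", "repeatcnt": "1", "sport": "51000",
    "dport": "80", "flags": "0x400000", "proto": "tcp", "action": "alert",
    "misc": 'http://example.com/search?q=alpha,beta&title="quoted"',
    "threatid": "(9999)", "category": "search-engines",
    "severity": "informational", "direction": "client-to-server",
    "seqno": "8000013", "actionflags": "0x0", "srcloc": "US", "dstloc": "US",
    "contenttype": "text/html", "pcap_id": "0",
}

if __name__ == "__main__":
    line = format_threat_record(SAMPLE)
    print("naive split columns:", naive_column_count(line))  # 55, one too many
    print("csv parse misc:", parse_threat_record(line)["misc"])
```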
