Syslog Field Descriptions
The following topics list the standard fields of each log type that Palo Alto Networks firewalls can forward to an external server, as well as the severity levels, custom formats, and escape sequences. To facilitate parsing, the delimiter is a comma: each log entry is a comma-separated value (CSV) string of fields. The FUTURE_USE tag applies to fields that the firewalls do not currently implement.
WildFire Submissions logs are a subtype of Threat log and use the same syslog format.
Traffic Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Action Source
Field Name Description
Receive Time (receive_time) Time the log was received at the management plane
Serial Number (serial) Serial number of the firewall that generated the log
Type (type) Specifies type of log; values are traffic, threat, config, system and hip-match
Subtype (subtype) Subtype of traffic log; values are start, end, drop, and deny:
  start—session started
  end—session ended
  drop—session dropped before the application is identified and there is no rule that allows the session
  deny—session dropped after the application is identified and there is a rule to block or no rule that allows the session
Generated Time (time_generated) Time the log was generated on the dataplane
Source IP (src) Original session source IP address
Destination IP (dst) Original session destination IP address
NAT Source IP (natsrc) If Source NAT performed, the post-NAT Source IP address
NAT Destination IP (natdst) If Destination NAT performed, the post-NAT Destination IP address
Rule Name (rule) Name of the rule that the session matched
Source User (srcuser) Username of the user who initiated the session
Destination User (dstuser) Username of the user to which the session was destined
Application (app) Application associated with the session
Virtual System (vsys) Virtual System associated with the session
Source Zone (from) Zone the session was sourced from
Destination Zone (to) Zone the session was destined to
Ingress Interface (inbound_if) Interface that the session was sourced from
Egress Interface (outbound_if) Interface that the session was destined to
Log Forwarding Profile (logset) Log Forwarding Profile that was applied to the session
Session ID (sessionid) An internal numerical identifier applied to each session
Repeat Count (repeatcnt) Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only
Source Port (sport) Source port utilized by the session
Destination Port (dport) Destination port utilized by the session
NAT Source Port (natsport) Post-NAT source port
NAT Destination Port (natdport) Post-NAT destination port
Flags (flags) 32-bit field that provides details on the session; decode it by AND-ing each of the following values with the logged value:
  0x80000000—session has a packet capture (PCAP)
  0x02000000—IPv6 session
  0x01000000—SSL session was decrypted (SSL Proxy)
  0x00800000—session was denied via URL filtering
  0x00400000—session has a NAT translation performed (NAT)
  0x00200000—user information for the session was captured via the captive portal (Captive Portal)
  0x00080000—X-Forwarded-For value from a proxy is in the source user field
  0x00040000—log corresponds to a transaction within an HTTP proxy session (Proxy Transaction)
  0x00008000—session is a container page access (Container Page)
  0x00002000—session has a temporary match on a rule for implicit application dependency handling; available in PAN-OS 5.0.0 and above
  0x00000800—symmetric return was used to forward traffic for this session
Protocol (proto) IP protocol associated with the session
Action (action) Action taken for the session; possible values are:
  allow—session was allowed by policy
  deny—session was denied by policy
  drop—session was dropped silently
  drop-icmp—session was silently dropped with an ICMP unreachable message to the host or application
  reset-both—session was terminated and a TCP reset is sent to both sides of the connection
  reset-client—session was terminated and a TCP reset is sent to the client
  reset-server—session was terminated and a TCP reset is sent to the server
Bytes (bytes) Number of total bytes (transmit and receive) for the session
Bytes Sent (bytes_sent) Number of bytes in the client-to-server direction of the session. Available on all models except the PA-4000 Series.
Bytes Received (bytes_received) Number of bytes in the server-to-client direction of the session. Available on all models except the PA-4000 Series.
Packets (packets) Number of total packets (transmit and receive) for the session
Start Time (start) Time of session start
Elapsed Time (elapsed) Elapsed time of the session
Category (category) URL category associated with the session (if applicable)
Sequence Number (seqno) A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags) A bit field indicating if the log was forwarded to Panorama
Source Location (srcloc) Source country or Internal region for private addresses; maximum length is 32 bytes
Destination Location (dstloc) Destination country or Internal region for private addresses. Maximum length is 32 bytes
Packets Sent (pkts_sent) Number of client-to-server packets for the session. Available on all models except the PA-4000 Series.
Packets Received (pkts_received) Number of server-to-client packets for the session. Available on all models except the PA-4000 Series.
Session End Reason (session_end_reason) The reason a session terminated. If the termination had multiple causes, this field displays only the highest priority reason. The possible session end reason values are as follows, in order of priority (where the first is highest):
  threat—The firewall detected a threat associated with a reset, drop, or block (IP address) action.
  policy-deny—The session matched a security rule with a deny or drop action.
  decrypt-cert-validation—The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses client authentication or when the session uses a server certificate with any of the following conditions: expired, untrusted issuer, unknown status, or status verification time-out. This session end reason also displays when the server certificate produces a fatal error alert of type bad_certificate, unsupported_certificate, certificate_revoked, access_denied, or no_certificate_RESERVED (SSLv3 only).
  decrypt-unsupport-param—The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses an unsupported protocol version, cipher, or SSH algorithm. This session end reason is displayed when the session produces a fatal error alert of type unsupported_extension, unexpected_message, or handshake_failure.
  decrypt-error—The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when firewall resources or the hardware security module (HSM) were unavailable. This session end reason is also displayed when you configured the firewall to block SSL traffic that has SSH errors or that produced any fatal error alert other than those listed for the decrypt-cert-validation and decrypt-unsupport-param end reasons.
  tcp-rst-from-client—The client sent a TCP reset to the server.
  tcp-rst-from-server—The server sent a TCP reset to the client.
  resources-unavailable—The session dropped because of a system resource limitation. For example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue.
  tcp-fin—One host or both hosts in the connection sent a TCP FIN message to close the session.
  tcp-reuse—A session is reused and the firewall closes the previous session.
  decoder—The decoder detects a new connection within the protocol (such as HTTP-Proxy) and ends the previous connection.
  aged-out—The session aged out.
  unknown—This value applies in the following situations: session terminations that the preceding reasons do not cover (for example, a clear session all command); logs generated in a PAN-OS release that does not support the session end reason field (releases older than PAN-OS 6.1), which show unknown after an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall; and, in Panorama, logs received from firewalls whose PAN-OS version does not support session end reasons.
  n/a—This value applies when the traffic log type is not end.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name) The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name) The hostname of the firewall on which the session was logged.
Action Source (action_source) Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset-server, reset-client or reset-both for the session.
Threat Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Miscellaneous, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type, PCAP_id, Filedigest, Cloud, URL Index, User Agent, File Type, X-Forwarded-For, Referer, Sender, Subject, Recipient, Report ID, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, FUTURE_USE
Field Name Description
Receive Time (receive_time) Time the log was received at the management plane
Serial Number (serial) Serial number of the firewall that generated the log
Type (type) Specifies type of log; values are traffic, threat, config, system and hip-match
Subtype (subtype) Subtype of threat log. Values include the following:
  data—Data pattern matching a Data Filtering profile.
  file—File type matching a File Blocking profile.
  flood—Flood detected via a Zone Protection profile.
  packet—Packet-based attack protection triggered by a Zone Protection profile.
  scan—Scan detected via a Zone Protection profile.
  spyware—Spyware detected via an Anti-Spyware profile.
  url—URL filtering log.
  virus—Virus detected via an Antivirus profile.
  vulnerability—Vulnerability exploit detected via a Vulnerability Protection profile.
  wildfire—A WildFire verdict generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malicious, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log.
  wildfire-virus—Virus detected via an Antivirus profile.
Generated Time (time_generated) Time the log was generated on the dataplane
Source IP (src) Original session source IP address
Destination IP (dst) Original session destination IP address
NAT Source IP (natsrc) If source NAT performed, the post-NAT source IP address
NAT Destination IP (natdst) If destination NAT performed, the post-NAT destination IP address
Rule Name (rule) Name of the rule that the session matched
Source User (srcuser) Username of the user who initiated the session
Destination User (dstuser) Username of the user to which the session was destined
Application (app) Application associated with the session
Virtual System (vsys) Virtual System associated with the session
Source Zone (from) Zone the session was sourced from
Destination Zone (to) Zone the session was destined to
Ingress Interface (inbound_if) Interface that the session was sourced from
Egress Interface (outbound_if) Interface that the session was destined to
Log Forwarding Profile (logset) Log Forwarding Profile that was applied to the session
Session ID (sessionid) An internal numerical identifier applied to each session
Repeat Count (repeatcnt) Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only
Source Port (sport) Source port utilized by the session
Destination Port (dport) Destination port utilized by the session
NAT Source Port (natsport) Post-NAT source port
NAT Destination Port (natdport) Post-NAT destination port
Flags (flags) 32-bit field that provides details on the session; decode it by AND-ing each of the following values with the logged value:
  0x80000000—session has a packet capture (PCAP)
  0x02000000—IPv6 session
  0x01000000—SSL session was decrypted (SSL Proxy)
  0x00800000—session was denied via URL filtering
  0x00400000—session has a NAT translation performed (NAT)
  0x00200000—user information for the session was captured via the captive portal (Captive Portal)
  0x00080000—X-Forwarded-For value from a proxy is in the source user field
  0x00040000—log corresponds to a transaction within an HTTP proxy session (Proxy Transaction)
  0x00008000—session is a container page access (Container Page)
  0x00002000—session has a temporary match on a rule for implicit application dependency handling; available in PAN-OS 5.0.0 and above
  0x00000800—symmetric return was used to forward traffic for this session
Protocol (proto) IP protocol associated with the session
Action (action) Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url, block-ip, random-drop, sinkhole, syncookie-sent, block-continue, continue, block-override, override-lockout, override:
  alert—threat or URL detected but not blocked
  allow—flood detection alert
  deny—file is blocked
  drop—threat detected and associated session was dropped
  reset-client—threat detected and a TCP RST is sent to the client
  reset-server—threat detected and a TCP RST is sent to the server
  reset-both—threat detected and a TCP RST is sent to both the client and the server
  block-url—URL request was blocked because it matched a URL category that was set to be blocked
  block-ip—threat detected and client IP is blocked
  random-drop—flood detected and packet was randomly dropped
  sinkhole—DNS sinkhole activated
  syncookie-sent—syncookie alert
  block-continue (URL subtype only)—an HTTP request is blocked and redirected to a Continue page with a button for confirmation to proceed
  continue (URL subtype only)—response to a block-continue URL continue page indicating a block-continue request was allowed to proceed
  block-override (URL subtype only)—an HTTP request is blocked and redirected to an Admin override page that requires a pass code from the firewall administrator to continue
  override-lockout (URL subtype only)—too many failed admin override pass code attempts from the source IP, which is now blocked from the block-override redirect page
  override (URL subtype only)—response to a block-override page where a correct pass code is provided and the request is allowed
Miscellaneous (misc) Field with variable length with a maximum of 1023 characters:
  The actual URI when the subtype is URL
  File name or file type when the subtype is file
  File name when the subtype is virus
  File name when the subtype is WildFire
Threat ID (threatid) Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses. The number spaces for some subtypes are:
  8000–8099—scan detection
  8500–8599—flood detection
  9999—URL filtering log
  10000–19999—spyware phone home detection
  20000–29999—spyware download detection
  30000–44999—vulnerability exploit detection
  52000–52999—filetype detection
  60000–69999—data filtering detection
  100000–2999999—virus detection
  3000000–3999999—WildFire signature feed
  4000000–4999999—DNS Botnet signatures
Category (category) For URL Subtype, it is the URL Category; For WildFire subtype, it is the verdict on the file and is either ‘malicious’, ‘grayware’, or ‘benign’; For other subtypes, the value is ‘any’.
Severity (severity) Severity associated with the threat; values are informational, low, medium, high, critical
Direction (direction) Indicates the direction of the attack, client-to-server or server-to-client:
  0—direction of the threat is client to server
  1—direction of the threat is server to client
Sequence Number (seqno) A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags) A bit field indicating if the log was forwarded to Panorama.
Source Location (srcloc) Source country or Internal region for private addresses. Maximum length is 32 bytes.
Destination Location (dstloc) Destination country or Internal region for private addresses. Maximum length is 32 bytes.
Content Type (contenttype) Applicable only when Subtype is URL. Content type of the HTTP response data. Maximum length 32 bytes.
PCAP ID (pcap_id) The packet capture (pcap) ID is a 64-bit unsigned integer that correlates threat pcap files with extended pcaps taken as a part of that flow. All threat logs contain either a pcap_id of 0 (no associated pcap) or an ID referencing the extended pcap file.
File Digest (filedigest) Only for WildFire subtype; all other types do not use this field. The filedigest string shows the binary hash of the file sent to be analyzed by the WildFire service.
Cloud (cloud) Only for WildFire subtype; all other types do not use this field. The cloud string displays the FQDN of either the WildFire appliance (private) or the WildFire cloud (public) from where the file was uploaded for analysis.
URL Index (url_idx) Used in URL Filtering and WildFire subtypes. When an application uses TCP keepalives to keep a connection open for a length of time, all the log entries for that session have a single session ID. In such cases, when you have a single threat log (and session ID) that includes multiple URL entries, the url_idx is a counter that allows you to correlate the order of each log entry within the single session. For example, to learn the URL of a file that the firewall forwarded to WildFire for analysis, locate the session ID and the url_idx from the WildFire Submissions log and search for the same session ID and url_idx in your URL filtering logs. The log entry that matches the session ID and url_idx will contain the URL of the file that was forwarded to WildFire.
User Agent (user_agent) Only for the URL Filtering subtype; all other types do not use this field. The User Agent field specifies the web browser that the user used to access the URL, for example Internet Explorer. This information is sent in the HTTP request to the server.
File Type (filetype) Only for WildFire subtype; all other types do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis.
X-Forwarded-For (xff) Only for the URL Filtering subtype; all other types do not use this field. The X-Forwarded-For field in the HTTP header contains the IP address of the user who requested the web page. It allows you to identify the IP address of the user, which is useful particularly if you have a proxy server on your network that replaces the user IP address with its own address in the source IP address field of the packet header.
Referer (referer) Only for the URL Filtering subtype; all other types do not use this field. The Referer field in the HTTP header contains the URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested.
Sender (sender) Only for WildFire subtype; all other types do not use this field. Specifies the name of the sender of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Subject (subject) Only for WildFire subtype; all other types do not use this field. Specifies the subject of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Recipient (recipient) Only for WildFire subtype; all other types do not use this field. Specifies the name of the receiver of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Report ID (reportid) Only for WildFire subtype; all other types do not use this field. Identifies the analysis request on the WildFire cloud or the WildFire appliance.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name) The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name) The hostname of the firewall on which the session was logged.
HIP Match Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source User, Virtual System, Machine name, OS, Source Address, HIP, Repeat Count, HIP Type, FUTURE_USE, FUTURE_USE, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name
Field Name Description
Receive Time (receive_time) Time the log was received at the management plane
Serial Number (serial) Serial number of the firewall that generated the log
Type (type) Type of log; values are traffic, threat, config, system and hip-match
Subtype (subtype) Subtype of HIP match log; unused
Generated Time (time_generated) Time the log was generated on the dataplane
Source User (srcuser) Username of the user who initiated the session
Virtual System (vsys) Virtual System associated with the HIP match log
Machine Name (machinename) Name of the user’s machine
OS The operating system installed on the user’s machine or device (or on the client system)
Source Address (src) IP address of the source user
HIP (matchname) Name of the HIP object or profile
Repeat Count (repeatcnt) Number of times the HIP profile matched
HIP Type (matchtype) Whether the hip field represents a HIP object or a HIP profile
Sequence Number (seqno) A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags) A bit field indicating if the log was forwarded to Panorama
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name) The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name) The hostname of the firewall on which the session was logged.
Config Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Host, Virtual System, Command, Admin, Client, Result, Configuration Path, Sequence Number, Action Flags, Before Change Detail, After Change Detail, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name
Field Name Description
Receive Time (receive_time) Time the log was received at the management plane
Serial Number (serial) Serial number of the device that generated the log
Type (type) Type of log; values are traffic, threat, config, system and hip-match
Subtype (subtype) Subtype of configuration log; unused
Generated Time (time_generated) Time the log was generated on the dataplane
Host (host) Hostname or IP address of the client machine
Virtual System (vsys) Virtual System associated with the configuration log
Command (cmd) Command performed by the Admin; values are add, clone, commit, delete, edit, move, rename, set.
Admin (admin) Username of the Administrator performing the configuration
Client (client) Client used by the Administrator; values are Web and CLI
Result (result) Result of the configuration action; values are Submitted, Succeeded, Failed, and Unauthorized
Configuration Path (path) The path of the configuration command issued; up to 512 bytes in length
Sequence Number (seqno) A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags) A bit field indicating if the log was forwarded to Panorama.
Before Change Detail (before_change_detail) This field is in custom logs only; it is not in the default format. It contains the full xpath before the configuration change.
After Change Detail (after_change_detail) This field is in custom logs only; it is not in the default format. It contains the full xpath after the configuration change.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name) The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name) The hostname of the firewall on which the session was logged.
System Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name
Field Name Description
Receive Time (receive_time) Time the log was received at the management plane
Serial Number (serial) Serial number of the firewall that generated the log
Type (type) Type of log; values are traffic, threat, config, system and hip-match
Subtype (subtype) Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn
Generated Time (time_generated) Time the log was generated on the dataplane
Virtual System (vsys) Virtual System associated with the configuration log
Event ID (eventid) String showing the name of the event
Object (object) Name of the object associated with the system event
Module (module) This field is valid only when the value of the Subtype field is general. It provides additional information about the sub-system generating the log; values are general, management, auth, ha, upgrade, chassis
Severity (severity) Severity associated with the event; values are informational, low, medium, high, critical
Description (opaque) Detailed description of the event, up to a maximum of 512 bytes
Sequence Number (seqno) A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags) A bit field indicating if the log was forwarded to Panorama
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name) The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name) The hostname of the firewall on which the session was logged.
Correlated Events Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source Address, Source User, Virtual System, Category, Severity, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Virtual System ID, Object Name, Object ID, Evidence
Field Name Description
Receive Time Time the log was received at the management plane.
Serial Number (Serial #) Serial number of the device that generated the log.
Type Type of log; values are traffic, threat, config, system and hip-match.
Threat/Content Type Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn.
Generated Time (Generate Time) Time the log was generated on the dataplane.
Source Address IP address of the user who initiated the event.
Source User Username of the user who initiated the event.
Virtual System Virtual System associated with the configuration log.
Category For URL Subtype, it is the URL Category; For WildFire subtype, it is the verdict on the file and is either ‘malicious’, ‘grayware’, or ‘benign’; For other subtypes, the value is ‘any’.
Severity Severity associated with the event; values are informational, low, medium, high, critical
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name The name of the virtual system associated with the sessions; only valid on firewalls enabled with multiple virtual systems.
Device Name The hostname of the firewall on which the session was logged.
Virtual System ID A unique identifier for a virtual system on a Palo Alto Networks firewall.
Object Name Name of the correlation object that was matched on.
Object ID Name of the object associated with the system event.
Evidence A summary statement that indicates how many times the host has matched against the conditions defined in the correlation object. For example, Host visited known malware URL (19 times).
Syslog Severity
The syslog severity is set based on the log type and contents.
Log Type/Severity Syslog Severity
Traffic Info
Config Info
Threat/System—Informational Info
Threat/System—Low Notice
Threat/System—Medium Warning
Threat/System—High Error
Threat/System—Critical Critical
Custom Log/Event Format
To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key: Value attribute pairs. Custom message formats can be configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format.
To achieve ArcSight Common Event Format (CEF) compliant log formatting, refer to the CEF Configuration Guide.
Escape Sequences
Any field that contains a comma or a double-quote is enclosed in double quotes. Furthermore, if a double-quote appears inside a field it is escaped by preceding it with another double-quote. To maintain backward compatibility, the Misc field in threat log is always enclosed in double-quotes.
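The following parser ties together the Traffic and Threat field lists and their Flags row, the Device Group Hierarchy decoding, the Threat ID number spaces, and the escape rules described in this section. It is an added example and not Palo Alto Networks code: it assumes the syslog header has already been stripped so the input begins at the first FUTURE_USE field, the two sample payloads are constructed, and the flag and category labels are this example's own names.

```python
"""PAN-OS traffic/threat syslog CSV parser (added example, not Palo Alto code).
Assumes the syslog header is already stripped so input starts at the first
(FUTURE_USE) field. All sample values below are constructed."""
import csv
import re
from typing import Dict, List, Optional, Tuple

# Field keys in wire order from the Format lines of the Traffic and Threat
# tables; FUTURE_USE placeholders are kept so positions stay aligned.
_COMMON = [
    "FUTURE_USE", "receive_time", "serial", "type", "subtype", "FUTURE_USE",
    "time_generated", "src", "dst", "natsrc", "natdst", "rule", "srcuser",
    "dstuser", "app", "vsys", "from", "to", "inbound_if", "outbound_if",
    "logset", "FUTURE_USE", "sessionid", "repeatcnt", "sport", "dport",
    "natsport", "natdport", "flags", "proto", "action"]
_DG_TAIL = ["dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3",
            "dg_hier_level_4", "vsys_name", "device_name"]
FIELDS = {
    "TRAFFIC": _COMMON + [
        "bytes", "bytes_sent", "bytes_received", "packets", "start", "elapsed",
        "category", "FUTURE_USE", "seqno", "actionflags", "srcloc", "dstloc",
        "FUTURE_USE", "pkts_sent", "pkts_received", "session_end_reason",
    ] + _DG_TAIL + ["action_source"],
    "THREAT": _COMMON + [
        "misc", "threatid", "category", "severity", "direction", "seqno",
        "actionflags", "srcloc", "dstloc", "FUTURE_USE", "contenttype",
        "pcap_id", "filedigest", "cloud", "url_idx", "user_agent", "filetype",
        "xff", "referer", "sender", "subject", "recipient", "reportid",
    ] + _DG_TAIL + ["FUTURE_USE"],
}
# Bits of the 32-bit Flags field (the names are this example's own labels).
FLAG_BITS = {
    0x80000000: "pcap", 0x02000000: "ipv6", 0x01000000: "ssl-decrypted",
    0x00800000: "url-denied", 0x00400000: "nat", 0x00200000: "captive-portal",
    0x00080000: "x-forwarded-for", 0x00040000: "proxy-transaction",
    0x00008000: "container-page", 0x00002000: "temporary-rule-match",
    0x00000800: "symmetric-return"}
# Threat ID number spaces from the Threat ID row (inclusive bounds).
THREAT_ID_RANGES = [
    (8000, 8099, "scan"), (8500, 8599, "flood"), (9999, 9999, "url-filtering"),
    (10000, 19999, "spyware-phone-home"), (20000, 29999, "spyware-download"),
    (30000, 44999, "vulnerability"), (52000, 52999, "filetype"),
    (60000, 69999, "data-filtering"), (100000, 2999999, "virus"),
    (3000000, 3999999, "wildfire-signature"), (4000000, 4999999, "dns-botnet")]

def split_fields(payload: str) -> List[str]:
    """Escape rules: a field holding a comma or double-quote is wrapped in
    double-quotes and an inner double-quote is doubled; that is exactly the
    default csv dialect, so no hand-written state machine is needed."""
    return next(csv.reader([payload]))

def parse_log(payload: str) -> Dict[str, str]:
    """Map a traffic or threat payload to {short_key: value}; the Type field
    (4th position) selects the layout and FUTURE_USE slots are dropped."""
    values = split_fields(payload)
    if len(values) < 4:
        raise ValueError("payload too short to carry a Type field")
    layout = FIELDS.get(values[3].upper())
    if layout is None:
        raise ValueError(f"unsupported log type {values[3]!r}")
    if len(values) < len(layout):  # truncated line: refuse, do not misalign
        raise ValueError(f"expected {len(layout)} fields, got {len(values)}")
    return {k: v for k, v in zip(layout, values) if k != "FUTURE_USE"}

def decode_flags(raw: str) -> List[str]:
    """AND each known bit with the logged Flags value (hex 0x... or decimal)."""
    value = int(raw, 16) if raw.lower().startswith("0x") else int(raw)
    return [name for bit, name in FLAG_BITS.items() if value & bit]

def device_group_path(rec: Dict[str, str]) -> List[int]:
    """Ancestors first, own group last; zeros are padding: 12,34,45,0 -> [12,34,45]."""
    levels = [int(rec[f"dg_hier_level_{i}"] or 0) for i in range(1, 5)]
    return [lvl for lvl in levels if lvl != 0]

def classify_threat_id(threatid: str) -> Tuple[str, Optional[int], str]:
    """Split 'Description(number)' and name the number space it falls in."""
    m = re.fullmatch(r"(.*)\((\d+)\)", threatid.strip())
    if not m:
        return threatid, None, "unknown"
    desc, num = m.group(1).strip(), int(m.group(2))
    for lo, hi, cat in THREAT_ID_RANGES:
        if lo <= num <= hi:
            return desc, num, cat
    return desc, num, "unknown"

# Constructed sample payloads, not real firewall output.
TRAFFIC_SAMPLE = (
    "1,2024/01/01 12:00:00,000000000001,TRAFFIC,end,1,2024/01/01 12:00:00,"
    "10.0.0.5,203.0.113.10,198.51.100.2,203.0.113.10,allow-web,alice,,"
    "web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,default-fwd,1,"
    "48523,1,51234,443,30021,443,0x400000,tcp,allow,5120,1024,4096,20,"
    "2024/01/01 11:59:50,10,computer-and-internet-info,1,1001,0x0,US,US,1,"
    "10,10,tcp-fin,12,34,45,0,vsys1,fw-edge-1,from-policy")
THREAT_SAMPLE = (
    '1,2024/01/01 12:00:05,000000000001,THREAT,vulnerability,1,'
    '2024/01/01 12:00:05,203.0.113.77,10.0.0.20,,,allow-inbound-web,,,'
    'web-browsing,vsys1,untrust,trust,ethernet1/1,ethernet1/2,default-fwd,1,'
    '48600,1,40000,80,0,0,0x80000000,tcp,reset-both,"/app?q=""x"",1",'
    'Sample Exploit Signature(30001),any,high,0,2002,0x0,US,'
    '10.0.0.0-10.255.255.255,,,1234567890,,,0,,,,,,,,0,12,34,45,0,vsys1,fw-edge-1,')
```

The THREAT_SAMPLE Misc field shows the escape rule in action: the wire value "/app?q=""x"",1" is enclosed in double-quotes because it contains a comma and a quote, and the inner quotes are doubled.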
