Syslog Field Descriptions
The following topics list the standard fields of each log type that Palo Alto Networks firewalls can forward to an external server, as well as the severity levels, custom formats, and escape sequences. To facilitate parsing, the delimiter is a comma: each field is a comma-separated value (CSV) string. The FUTURE_USE tag applies to fields that the firewalls do not currently implement.
WildFire Submissions logs are a subtype of Threat log and use the same syslog format.
Traffic Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets Sent, Packets Received, Session End Reason, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Action Source, Source VM UUID, Destination VM UUID, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type
Field Name Description
Receive Time Time the log was received at the management plane.
Serial Number (Serial #) Serial number of the firewall that generated the log.
Type Specifies type of log; values are traffic, threat, config, system and hip-match.
Threat/Content Type Subtype of traffic log; values are start, end, drop, and deny:
  Start—session started
  End—session ended
  Drop—session dropped before the application is identified and there is no rule that allows the session.
  Deny—session dropped after the application is identified and there is a rule to block or no rule that allows the session.
Generated Time (Generate Time) Time the log was generated on the dataplane.
Source Address Original session source IP address.
Destination Address Original session destination IP address.
NAT Source IP If Source NAT performed, the post-NAT Source IP address.
NAT Destination IP If Destination NAT performed, the post-NAT Destination IP address.
Rule Name (Rule) Name of the rule that the session matched.
Source User Username of the user who initiated the session.
Destination User Username of the user to which the session was destined.
Application Application associated with the session.
Virtual System Virtual System associated with the session.
Source Zone Zone the session was sourced from.
Destination Zone Zone the session was destined to.
Inbound Interface Interface that the session was sourced from.
Outbound Interface Interface that the session was destined to.
Log Action Log Forwarding Profile that was applied to the session.
Session ID An internal numerical identifier applied to each session.
Repeat Count Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only.
Source Port Source port utilized by the session.
Destination Port Destination port utilized by the session.
NAT Source Port Post-NAT source port.
NAT Destination Port Post-NAT destination port.
Flags 32-bit field that provides details on the session; decode it by AND-ing each of the following values with the logged value:
  0x80000000—session has a packet capture (PCAP)
  0x02000000—IPv6 session
  0x01000000—SSL session was decrypted (SSL Proxy)
  0x00800000—session was denied via URL filtering
  0x00400000—session has a NAT translation performed (NAT)
  0x00200000—user information for the session was captured through Captive Portal
  0x00080000—X-Forwarded-For value from a proxy is in the source user field
  0x00040000—log corresponds to a transaction within an HTTP proxy session (Proxy Transaction)
  0x00008000—session is a container page access (Container Page)
  0x00002000—session has a temporary match on a rule for implicit application dependency handling. Available in PAN-OS 5.0.0 and above.
  0x00000800—symmetric return was used to forward traffic for this session
IP Protocol IP protocol associated with the session.
Action Action taken for the session; possible values are:
  Allow—session was allowed by policy
  Deny—session was denied by policy
  Drop—session was dropped silently
  Drop ICMP—session was silently dropped with an ICMP unreachable message to the host or application
  Reset both—session was terminated and a TCP reset is sent to both sides of the connection
  Reset client—session was terminated and a TCP reset is sent to the client
  Reset server—session was terminated and a TCP reset is sent to the server
Bytes Number of total bytes (transmit and receive) for the session.
Bytes Sent Number of bytes in the client-to-server direction of the session. Available on all models except the PA-4000 Series.
Bytes Received Number of bytes in the server-to-client direction of the session. Available on all models except the PA-4000 Series.
Packets Number of total packets (transmit and receive) for the session.
Start Time Time of session start.
Elapsed Time (sec) Elapsed time of the session.
Category URL category associated with the session (if applicable).
Sequence Number A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags A bit field indicating if the log was forwarded to Panorama.
Source Country Source country or Internal region for private addresses; maximum length is 32 bytes.
Destination Country Destination country or Internal region for private addresses. Maximum length is 32 bytes.
Packets Sent (pkts_sent) Number of client-to-server packets for the session. Available on all models except the PA-4000 Series.
Packets Received (pkts_received) Number of server-to-client packets for the session. Available on all models except the PA-4000 Series.
Session End Reason (session_end_reason) The reason a session terminated. If the termination had multiple causes, this field displays only the highest priority reason. The possible session end reason values are as follows, in order of priority (where the first is highest):
  threat—The firewall detected a threat associated with a reset, drop, or block (IP address) action.
  policy-deny—The session matched a security rule with a deny or drop action.
  decrypt-cert-validation—The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses client authentication or when the session uses a server certificate with any of the following conditions: expired, untrusted issuer, unknown status, or status verification time-out. This session end reason also displays when the server certificate produces a fatal error alert of type bad_certificate, unsupported_certificate, certificate_revoked, access_denied, or no_certificate_RESERVED (SSLv3 only).
  decrypt-unsupport-param—The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses an unsupported protocol version, cipher, or SSH algorithm. This session end reason is displayed when the session produces a fatal error alert of type unsupported_extension, unexpected_message, or handshake_failure.
  decrypt-error—The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when firewall resources or the hardware security module (HSM) were unavailable. This session end reason is also displayed when you configured the firewall to block SSL traffic that has SSH errors or that produced any fatal error alert other than those listed for the decrypt-cert-validation and decrypt-unsupport-param end reasons.
  tcp-rst-from-client—The client sent a TCP reset to the server.
  tcp-rst-from-server—The server sent a TCP reset to the client.
  resources-unavailable—The session dropped because of a system resource limitation. For example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue.
  tcp-fin—One host or both hosts in the connection sent a TCP FIN message to close the session.
  tcp-reuse—A session is reused and the firewall closes the previous session.
  decoder—The decoder detects a new connection within the protocol (such as HTTP-Proxy) and ends the previous connection.
  aged-out—The session aged out.
  unknown—This value applies in the following situations: session terminations that the preceding reasons do not cover (for example, a clear session all command); logs generated in a PAN-OS release that does not support the session end reason field (releases older than PAN-OS 6.1), which show unknown after an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall; and, in Panorama, logs received from firewalls whose PAN-OS version does not support session end reasons.
  n/a—This value applies when the traffic log type is not end.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34, or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name The hostname of the firewall on which the session was logged.
Action Source (action_source) Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset-server, reset-client or reset-both for the session.
Source VM UUID Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment.
Destination VM UUID Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment.
Tunnel ID/IMSI ID of the tunnel being inspected or the International Mobile Subscriber Identity (IMSI) ID of the mobile user.
Monitor Tag/IMEI Monitor name you configured for the Tunnel Inspection policy rule or the International Mobile Equipment Identity (IMEI) ID of the mobile device.
Parent Session ID ID of the session in which this session is tunneled. Applies to inner tunnel (if two levels of tunneling) or inside content (if one level of tunneling) only.
Parent Start Time (parent_start_time) Year/month/day hours:minutes:seconds that the parent tunnel session began.
Tunnel Type (Tunnel) Type of tunnel, such as GRE or IPSec.
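The following Python program is an added example, not Palo Alto Networks code, showing how the Traffic Log format above is consumed in practice: it maps one comma-separated payload onto the field names in the Format line, decodes the Flags bit field by AND-ing each documented value with the logged value, and turns the four Device Group Hierarchy levels into the ancestor chain (12, 34, 45, 0 yields 12, 34, 45). The log payload is constructed for illustration (serial number, rule name, addresses and times are made up), and the program assumes the syslog header has already been stripped so that the payload begins at the first FUTURE_USE field. The rule name in the sample contains a comma, which is why a CSV reader rather than a plain split on commas is used: a naive split shifts every later field, including Action and Session End Reason, and misattributes them without any error.

```python
"""Parse a PAN-OS Traffic syslog payload and decode its bit fields.

Added example, not Palo Alto Networks code. Field order is the Traffic Log
"Format" line from this page; the sample payload is constructed.
"""
import csv

# Field order exactly as listed in the Traffic Log Format line (61 fields).
TRAFFIC_FORMAT = (
    "FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, "
    "Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, "
    "Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, "
    "Inbound Interface, Outbound Interface, Log Forwarding Profile, FUTURE_USE, Session ID, "
    "Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, "
    "Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, "
    "Category, FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, "
    "FUTURE_USE, Packets Sent, Packets Received, Session End Reason, "
    "Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, "
    "Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, "
    "Device Name, Action Source, Source VM UUID, Destination VM UUID, Tunnel ID/IMSI, "
    "Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type"
)
TRAFFIC_FIELDS = [name.strip() for name in TRAFFIC_FORMAT.split(",")]

# Flag bits and meanings from the Flags field description.
FLAG_BITS = {
    0x80000000: "packet capture (PCAP)",
    0x02000000: "IPv6 session",
    0x01000000: "SSL session decrypted (SSL Proxy)",
    0x00800000: "denied via URL filtering",
    0x00400000: "NAT translation performed",
    0x00200000: "user captured through Captive Portal",
    0x00080000: "X-Forwarded-For value in source user field",
    0x00040000: "transaction within an HTTP proxy session",
    0x00008000: "container page access",
    0x00002000: "temporary match for implicit application dependency",
    0x00000800: "symmetric return used",
}
KNOWN_FLAG_MASK = sum(FLAG_BITS)  # distinct single bits, so sum equals OR

# Constructed sample payload (the part after the syslog header). The rule
# name contains a comma and is therefore quoted, as the CSV format requires.
SAMPLE_TRAFFIC_LINE = (
    '1,2024/01/15 10:22:31,001901000999,TRAFFIC,end,2049,2024/01/15 10:22:31,'
    '10.1.1.23,203.0.113.10,192.0.2.5,203.0.113.10,"Allow web, internal",'
    'corp\\alice,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,fwd-to-siem,'
    '2024/01/15 10:22:31,58231,1,51234,443,41001,443,0x1400053,tcp,allow,'
    '12345,4321,8024,60,2024/01/15 10:21:55,36,any,0,7123456,0x0,US,US,0,'
    '31,29,tcp-fin,12,34,45,0,vsys1,fw-edge-01,from-policy,,,0,,0,,N/A'
)


def parse_traffic_line(line):
    """Map one CSV payload onto the Format field names.

    csv.reader, not str.split(","), so a quoted field containing a comma
    survives intact. FUTURE_USE positions are dropped from the result.
    """
    values = next(csv.reader([line]))
    if len(values) != len(TRAFFIC_FIELDS):
        raise ValueError(f"expected {len(TRAFFIC_FIELDS)} fields, got {len(values)}")
    return {name: value for name, value in zip(TRAFFIC_FIELDS, values)
            if name != "FUTURE_USE"}


def decode_flags(flags_value):
    """AND each documented bit with the logged value, as the page describes.

    Returns (set of matching descriptions, leftover bits the page does not
    document) so undocumented bits are surfaced rather than silently ignored.
    """
    text = flags_value.strip().lower()
    raw = int(text, 16) if text.startswith("0x") else int(text)
    matched = {desc for bit, desc in FLAG_BITS.items() if raw & bit}
    return matched, raw & ~KNOWN_FLAG_MASK & 0xFFFFFFFF


def device_group_path(record):
    """Ancestor chain from the four dg_hier_level fields, root first.

    Levels 12, 34, 45, 0 mean the firewall sits in device group 45 under
    34 under 12; unused trailing levels are logged as 0 and dropped here.
    """
    levels = (int(record[f"Device Group Hierarchy Level {i}"]) for i in range(1, 5))
    return [level for level in levels if level != 0]


if __name__ == "__main__":
    rec = parse_traffic_line(SAMPLE_TRAFFIC_LINE)
    flags, unknown = decode_flags(rec["Flags"])
    print(rec["Source IP"], "->", rec["Destination IP"], rec["Action"], rec["Session End Reason"])
    print("flags:", sorted(flags), "undocumented bits: 0x%x" % unknown, device_group_path(rec))
```

The sample Flags value 0x1400053 carries the NAT and SSL Proxy bits plus low-order bits this page does not document; decode_flags reports those leftover bits separately instead of dropping them, which is the behaviour you want in a parser feeding a SIEM, where an unexplained bit is worth a look rather than silent discard.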
Threat Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Miscellaneous, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type, PCAP_ID, File Digest, Cloud, URL Index, User Agent, File Type, X-Forwarded-For, Referer, Sender, Subject, Recipient, Report ID, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, FUTURE_USE, Source VM UUID, Destination VM UUID, HTTP Method, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, Threat Category, Content Version, FUTURE_USE
Field Name Description
Receive Time Time the log was received at the management plane.
Serial Number (serial #) Serial number of the firewall that generated the log.
Type Specifies type of log; values are traffic, threat, config, system and hip-match.
Threat/Content Type Subtype of threat log. Values include the following:
  data—Data pattern matching a Data Filtering profile.
  file—File type matching a File Blocking profile.
  flood—Flood detected via a Zone Protection profile.
  packet—Packet-based attack protection triggered by a Zone Protection profile.
  scan—Scan detected via a Zone Protection profile.
  spyware—Spyware detected via an Anti-Spyware profile.
  url—URL filtering log.
  virus—Virus detected via an Antivirus profile.
  vulnerability—Vulnerability exploit detected via a Vulnerability Protection profile.
  wildfire—A WildFire verdict generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malicious, phishing, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log.
  wildfire-virus—Virus detected via an Antivirus profile.
Generated Time (Generate Time) Time the log was generated on the dataplane.
Source Address Original session source IP address.
Destination Address Original session destination IP address.
NAT Source IP If source NAT performed, the post-NAT source IP address.
NAT Destination IP If destination NAT performed, the post-NAT destination IP address.
Rule Name (rule) Name of the rule that the session matched.
Source User Username of the user who initiated the session.
Destination User Username of the user to which the session was destined.
Application Application associated with the session.
Virtual System Virtual System associated with the session.
Source Zone Zone the session was sourced from.
Destination Zone Zone the session was destined to.
Inbound Interface Interface that the session was sourced from.
Outbound Interface Interface that the session was destined to.
Log Action Log Forwarding Profile that was applied to the session.
Session ID An internal numerical identifier applied to each session.
Repeat Count Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen within 5 seconds; used for ICMP only.
Source Port Source port utilized by the session.
Destination Port Destination port utilized by the session.
NAT Source Port Post-NAT source port.
NAT Destination Port Post-NAT destination port.
Flags 32-bit field that provides details on the session; decode it by AND-ing each of the following values with the logged value:
  0x80000000—session has a packet capture (PCAP)
  0x02000000—IPv6 session
  0x01000000—SSL session was decrypted (SSL Proxy)
  0x00800000—session was denied via URL filtering
  0x00400000—session has a NAT translation performed (NAT)
  0x00200000—user information for the session was captured through Captive Portal
  0x00080000—X-Forwarded-For value from a proxy is in the source user field
  0x00040000—log corresponds to a transaction within an HTTP proxy session (Proxy Transaction)
  0x00008000—session is a container page access (Container Page)
  0x00002000—session has a temporary match on a rule for implicit application dependency handling. Available in PAN-OS 5.0.0 and above.
  0x00000800—symmetric return was used to forward traffic for this session
IP Protocol IP protocol associated with the session.
Action Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url:
  Alert—threat or URL detected but not blocked
  Allow—flood detection alert
  Deny—flood detection mechanism activated and traffic denied based on configuration
  Drop—threat detected and associated session was dropped
  Drop-all-packets—threat detected and session remains, but all packets are dropped
  Reset-client—threat detected and a TCP RST is sent to the client
  Reset-server—threat detected and a TCP RST is sent to the server
  Reset-both—threat detected and a TCP RST is sent to both the client and the server
  Block-url—URL request was blocked because it matched a URL category that was set to be blocked
URL/Filename Field with variable length and a maximum of 1023 characters:
  the actual URI when the subtype is URL
  file name or file type when the subtype is file
  file name when the subtype is virus
  file name when the subtype is WildFire
Threat Content Name Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some subtypes:
  8000–8099—scan detection
  8500–8599—flood detection
  9999—URL filtering log
  10000–19999—spyware phone home detection
  20000–29999—spyware download detection
  30000–44999—vulnerability exploit detection
  52000–52999—filetype detection
  60000–69999—data filtering detection
Threat ID ranges for virus detection, WildFire signature feed, and DNS C2 signatures used in previous releases have been replaced with permanent, globally unique IDs. Refer to the Threat/Content Type and Threat Category (thr_category) field names to create updated reports, filter threat logs, and ACC activity.
Category For URL Subtype, it is the URL Category; For WildFire subtype, it is the verdict on the file and is either ‘malicious’, ‘phishing’, ‘grayware’, or ‘benign’; For other subtypes, the value is ‘any’.
Severity Severity associated with the threat; values are informational, low, medium, high, critical.
Direction Indicates the direction of the attack, client-to-server or server-to-client:
  0—direction of the threat is client to server
  1—direction of the threat is server to client
Sequence Number A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags A bit field indicating if the log was forwarded to Panorama.
Source Country Source country or Internal region for private addresses. Maximum length is 32 bytes.
Destination Country Destination country or Internal region for private addresses. Maximum length is 32 bytes.
Content Type (contenttype) Applicable only when Subtype is URL. Content type of the HTTP response data. Maximum length 32 bytes.
PCAP ID (pcap_id) The packet capture (pcap) ID is a 64-bit unsigned integer that correlates threat pcap files with extended pcaps taken as a part of that flow. All threat logs contain either a pcap_id of 0 (no associated pcap) or an ID referencing the extended pcap file.
File Digest (filedigest) Only for WildFire subtype; all other types do not use this field. The filedigest string shows the binary hash of the file sent to be analyzed by the WildFire service.
Cloud (cloud) Only for WildFire subtype; all other types do not use this field. The cloud string displays the FQDN of either the WildFire appliance (private) or the WildFire cloud (public) from where the file was uploaded for analysis.
URL Index (url_idx) Used in URL Filtering and WildFire subtypes. When an application uses TCP keepalives to keep a connection open for a length of time, all the log entries for that session have a single session ID. In such cases, when you have a single threat log (and session ID) that includes multiple URL entries, the url_idx is a counter that allows you to correlate the order of each log entry within the single session. For example, to learn the URL of a file that the firewall forwarded to WildFire for analysis, locate the session ID and the url_idx from the WildFire Submissions log and search for the same session ID and url_idx in your URL filtering logs. The log entry that matches the session ID and url_idx will contain the URL of the file that was forwarded to WildFire.
User Agent (user_agent) Only for the URL Filtering subtype; all other types do not use this field. The User Agent field specifies the web browser that the user used to access the URL, for example Internet Explorer. This information is sent in the HTTP request to the server.
File Type (filetype) Only for WildFire subtype; all other types do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis.
X-Forwarded-For (xff) Only for the URL Filtering subtype; all other types do not use this field. The X-Forwarded-For field in the HTTP header contains the IP address of the user who requested the web page. It allows you to identify the IP address of the user, which is useful particularly if you have a proxy server on your network that replaces the user IP address with its own address in the source IP address field of the packet header.
Referer (referer) Only for the URL Filtering subtype; all other types do not use this field. The Referer field in the HTTP header contains the URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested.
Sender (sender) Only for WildFire subtype; all other types do not use this field. Specifies the name of the sender of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Subject (subject) Only for WildFire subtype; all other types do not use this field. Specifies the subject of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Recipient (recipient) Only for WildFire subtype; all other types do not use this field. Specifies the name of the receiver of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.
Report ID (reportid) Only for WildFire subtype; all other types do not use this field. Identifies the analysis request on the WildFire cloud or the WildFire appliance.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34, or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name (vsys_name) The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name) The hostname of the firewall on which the session was logged.
Source VM UUID Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment.
Destination VM UUID Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment.
HTTP Method Only in URL filtering logs. Describes the HTTP Method used in the web request. Only the following methods are logged: Connect, Delete, Get, Head, Options, Post, Put.
Tunnel ID/IMSI ID of the tunnel being inspected or the International Mobile Subscriber Identity (IMSI) ID of the mobile user.
Monitor Tag/IMEI The user-defined value that groups similar traffic together for logging and reporting. This value is globally defined.
Parent Session ID ID of the session in which this session is tunneled. Applies to inner tunnel (if two levels of tunneling) or inside content (if one level of tunneling) only.
Parent Start Time (parent_start_time) Year/month/day hours:minutes:seconds that the parent tunnel session began.
Tunnel Type (Tunnel) Type of tunnel, such as GRE or IPSec.
Threat Category (thr_category) Describes threat categories used to classify different types of threat signatures.
Content Version (contentver) Applications and Threats version on your firewall when the log was generated.
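The URL Index description above explains how a WildFire Submissions entry is tied back to the URL it came from (same Session ID, same url_idx in the URL Filtering logs), and the Threat Content Name description gives the numeric ranges of the Threat ID. The following Python program is an added example, not Palo Alto Networks code, that performs both over the Threat Log format: it maps payloads onto the Format field names, joins WildFire entries to URL entries on the (Session ID, URL Index) pair, pulls the numeric ID out of the Threat ID field and names its documented range. All records are constructed (the file digests are placeholder strings, not real hashes, and the hostnames and session IDs are made up); build_threat_line exists only to manufacture valid 72-field payloads offline and is not part of any firewall output.

```python
"""Correlate WildFire Submissions entries with URL Filtering entries.

Added example, not Palo Alto Networks code. WildFire Submissions logs are a
subtype of Threat log, so both use the Threat Log "Format" order from this
page. All records are constructed; the digests are placeholders.
"""
import csv
import re

# Field order exactly as listed in the Threat Log Format line (72 fields).
THREAT_FORMAT = (
    "FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, "
    "Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, "
    "Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, "
    "Inbound Interface, Outbound Interface, Log Forwarding Profile, FUTURE_USE, Session ID, "
    "Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, "
    "Protocol, Action, Miscellaneous, Threat ID, Category, Severity, Direction, Sequence Number, "
    "Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type, PCAP_ID, "
    "File Digest, Cloud, URL Index, User Agent, File Type, X-Forwarded-For, Referer, Sender, "
    "Subject, Recipient, Report ID, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, "
    "Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, "
    "Device Name, FUTURE_USE, Source VM UUID, Destination VM UUID, HTTP Method, Tunnel ID/IMSI, "
    "Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel Type, Threat Category, "
    "Content Version, FUTURE_USE"
)
THREAT_FIELDS = [name.strip() for name in THREAT_FORMAT.split(",")]

# Threat ID ranges from the Threat Content Name field description.
THREAT_ID_RANGES = (
    (8000, 8099, "scan detection"), (8500, 8599, "flood detection"),
    (9999, 9999, "URL filtering log"), (10000, 19999, "spyware phone home detection"),
    (20000, 29999, "spyware download detection"),
    (30000, 44999, "vulnerability exploit detection"),
    (52000, 52999, "filetype detection"), (60000, 69999, "data filtering detection"),
)


def build_threat_line(fields):
    """Serialize a record dict into a 72-field CSV payload (used only to build
    the constructed samples); a value containing a comma is quoted."""
    return ",".join(f'"{v}"' if "," in v else v
                    for v in (fields.get(name, "") for name in THREAT_FIELDS))


def parse_threat_line(line):
    """Map one CSV payload onto the Format names; FUTURE_USE positions dropped."""
    values = next(csv.reader([line]))
    if len(values) != len(THREAT_FIELDS):
        raise ValueError(f"expected {len(THREAT_FIELDS)} fields, got {len(values)}")
    return {n: v for n, v in zip(THREAT_FIELDS, values) if n != "FUTURE_USE"}


def threat_id_number(threat_id_field):
    """Pull the numeric ID out of 'description(12345)'; None when absent."""
    match = re.search(r"\((\d+)\)\s*$", threat_id_field)
    return int(match.group(1)) if match else None


def classify_threat_id(number):
    """Name the documented range a Threat ID falls in."""
    for low, high, label in THREAT_ID_RANGES:
        if low <= number <= high:
            return label
    return "undocumented range"


def correlate_wildfire_urls(lines):
    """Return {File Digest: URL or None} for every WildFire entry in lines.

    The join key is (Session ID, URL Index): a keepalive session carries many
    URL entries under one Session ID, so Session ID alone is ambiguous. The
    URL sits in the field the Format line calls Miscellaneous (URL/Filename).
    """
    records = [parse_threat_line(line) for line in lines]
    url_by_key = {(r["Session ID"], r["URL Index"]): r["Miscellaneous"]
                  for r in records if r["Threat/Content Type"] == "url"}
    return {r["File Digest"]: url_by_key.get((r["Session ID"], r["URL Index"]))
            for r in records if r["Threat/Content Type"] == "wildfire"}


# Constructed samples: session 58231 carries two URL entries; its WildFire
# submission points at the second via URL Index 2. Session 77001 has no URL entry.
DIGEST_MATCHED = "0123456789abcdef" * 4  # placeholder, not a real file hash
DIGEST_ORPHAN = "fedcba9876543210" * 4   # placeholder, not a real file hash
_BASE = {"Type": "THREAT", "Session ID": "58231", "Source IP": "10.1.1.23",
         "Destination IP": "203.0.113.10", "Action": "alert"}
SAMPLE_LINES = [
    build_threat_line({**_BASE, "Threat/Content Type": "url", "URL Index": "1",
                       "Threat ID": "(9999)", "Miscellaneous": "http://files.example.com/"}),
    build_threat_line({**_BASE, "Threat/Content Type": "url", "URL Index": "2",
                       "Threat ID": "(9999)",  # comma in the URL forces CSV quoting
                       "Miscellaneous": "http://files.example.com/dl?ids=1,2&f=setup.exe"}),
    build_threat_line({**_BASE, "Threat/Content Type": "wildfire", "URL Index": "2",
                       "Threat ID": "Windows Executable (EXE)(52020)",
                       "Miscellaneous": "setup.exe", "File Digest": DIGEST_MATCHED}),
    build_threat_line({**_BASE, "Session ID": "77001", "Threat/Content Type": "wildfire",
                       "URL Index": "1", "Threat ID": "Windows Executable (EXE)(52020)",
                       "Miscellaneous": "report.pdf", "File Digest": DIGEST_ORPHAN}),
]
```

Calling correlate_wildfire_urls(SAMPLE_LINES) returns the setup.exe URL for the first digest and None for the second, the latter being the case a reviewer will meet when the URL Filtering logs were not forwarded or have already rolled over; the function keeps that entry with a None value rather than dropping it so the gap is visible.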
HIP Match Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source User, Virtual System, Machine name, OS, Source Address, HIP, Repeat Count, HIP Type, FUTURE_USE, FUTURE_USE, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Virtual System ID, IPv6 Source Address
Field Name Description
Receive Time Time the log was received at the management plane.
Serial Number (Serial #) Serial number of the firewall that generated the log.
Type Type of log; values are traffic, threat, config, system and hip-match.
Threat/Content Type Subtype of HIP match log; unused.
Generated Time (Generate Time) Time the log was generated on the dataplane.
Source User Username of the user who initiated the session.
Virtual System Virtual System associated with the HIP match log.
Machine Name (machinename) Name of the user’s machine.
OS The operating system installed on the user’s machine or device (or on the client system).
Source Address IP address of the source user.
HIP (matchname) Name of the HIP object or profile.
Repeat Count Number of times the HIP profile matched.
HIP Type (matchtype) Whether the hip field represents a HIP object or a HIP profile.
Sequence Number A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags A bit field indicating if the log was forwarded to Panorama.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34, or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name The hostname of the firewall on which the session was logged.
Virtual System ID A unique identifier for a virtual system on a Palo Alto Networks firewall.
IPv6 System Address IPv6 address of the user’s machine or device.
User-ID Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Sequence Number, Action Flags, Type, Threat/Content Type, FUTURE_USE, Generated Time, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Virtual System ID, Virtual System, Source IP, User, Data Source Name, Event ID, Repeat Count, Time Out Threshold, Source Port, Destination Port, Data Source, Data Source Type, FUTURE_USE, FUTURE_USE, Factor Type, Factor Completion Time, Factor Number
Field Name Description
Receive Time (receive_time) Time the log was received at the management plane.
Serial Number (Serial #) Serial number of the firewall that generated the log.
Sequence Number Serial number of the firewall that generated the log.
Action Flags A bit field indicating if the log was forwarded to Panorama.
Type (type) Specifies type of log; values are traffic, threat, config, system and hip-match.
Threat/Content Type Subtype of traffic log; values are start, end, drop, and deny:
  Start—session started
  End—session ended
  Drop—session dropped before the application is identified and there is no rule that allows the session.
  Deny—session dropped after the application is identified and there is a rule to block or no rule that allows the session.
Generated Time (Generate Time) The time the log was generated on the dataplane.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34, or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name The hostname of the firewall on which the session was logged.
Virtual System ID A unique identifier for a virtual system on a Palo Alto Networks firewall.
Virtual System Virtual System associated with the configuration log.
Source IP Original session source IP address.
User Identifies the end user.
Data Source Name User-ID source that sends the IP (Port)-User Mapping.
Event ID String showing the name of the event.
Repeat Count Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only.
Time Out (timeout) Timeout after which the IP/User Mappings are cleared.
Source Port (beginport) Source port utilized by the session.
Destination Port (endport) Destination port utilized by the session.
Data Source Source from which mapping information is collected.
Data Source Type Mechanism used to identify the IP/User mappings within a data source.
Factor Type Vendor used to authenticate a user when Multi Factor authentication is present.
Factor Completion Time Time the authentication was completed.
Factor Number Indicates the use of primary authentication (1) or additional factors (2, 3).
Tunnel Inspection Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Severity, Sequence Number, Action Flags, Source Location, Destination Location, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel, Bytes, Bytes Sent, Bytes Received, Packets, Packets Sent, Maximum Encapsulation, Unknown Protocol, Strict Check, Tunnel Fragment, Sessions Created, Sessions Closed, Session End Reason, Action Source, Start Time, Elapsed Time
Field Name Description
Receive Time Month, day, and time the log was received at the management plane.
Serial Number (Serial #) Serial number of the firewall that generated the log.
Type Type of log; for tunnel inspection logs the value is tunnel.
Subtype Subtype of the tunnel inspection log; values are start (session started) and end (session ended).
Generated Time (Generate Time) Time the log was generated on the dataplane.
Source Address Source IP address of packets in the session.
Destination Address Destination IP address of packets in the session.
NAT Source IP If Source NAT performed, the post-NAT Source IP address.
NAT Destination IP If Destination NAT performed, the post-NAT Destination IP address.
Rule Name (Rule) Name of the Security policy rule in effect on the session.
Source User Source User ID of packets in the session.
Destination User Destination User ID of packets in the session.
Application Tunneling protocol used in the session.
Virtual System Virtual System associated with the session.
Source Zone Source zone of packets in the session.
Destination Zone Destination zone of packets in the session.
Inbound Interface Interface that the session was sourced from.
Outbound Interface Interface that the session was destined to.
Log Action Log Forwarding Profile that was applied to the session.
Session ID Session ID of the session being logged.
Repeat Count Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only.
Source Port Source port utilized by the session.
Destination Port Destination port utilized by the session.
NAT Source Port Post-NAT source port.
NAT Destination Port Post-NAT destination port.
Flags 32-bit field that provides details on the session; decode it by AND-ing each value below with the logged value:
  0x80000000—session has a packet capture (PCAP)
  0x02000000—IPv6 session
  0x01000000—SSL session was decrypted (SSL Proxy)
  0x00800000—session was denied via URL filtering
  0x00400000—session has a NAT translation performed (NAT)
  0x00200000—user information for the session was captured via the captive portal (Captive Portal)
  0x00080000—X-Forwarded-For value from a proxy is in the source user field
  0x00040000—log corresponds to a transaction within an HTTP proxy session (Proxy Transaction)
  0x00008000—session is a container page access (Container Page)
  0x00002000—session has a temporary match on a rule for implicit application dependency handling; available in PAN-OS 5.0.0 and above
  0x00000800—symmetric return was used to forward traffic for this session
Protocol (IP Protocol) IP protocol associated with the session.
Action Action taken for the session; possible values are:
  Allow—session was allowed by policy
  Deny—session was denied by policy
  Drop—session was dropped silently
  Drop ICMP—session was silently dropped with an ICMP unreachable message to the host or application
  Reset both—session was terminated and a TCP reset is sent to both sides of the connection
  Reset client—session was terminated and a TCP reset is sent to the client
  Reset server—session was terminated and a TCP reset is sent to the server
Severity Severity associated with the event; values are informational, low, medium, high, critical.
Sequence Number A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags A bit field indicating if the log was forwarded to Panorama.
Source Location (source country) Source country or Internal region for private addresses; maximum length is 32 bytes.
Destination Location (destination country) Destination country or Internal region for private addresses. Maximum length is 32 bytes.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, the log was generated by a firewall (or virtual system) that belongs to device group 45, whose ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name The hostname of the firewall on which the session was logged.
Tunnel ID/IMSI ID of the tunnel being inspected or the International Mobile Subscriber Identity (IMSI) ID of the mobile user.
Monitor Tag/IMEI Monitor name you configured for the Tunnel Inspection policy rule or the International Mobile Equipment Identity (IMEI) ID of the mobile device.
Parent Session ID ID of the session in which this session is tunneled. Applies to inner tunnel (if two levels of tunneling) or inside content (if one level of tunneling) only.
Parent Start Time (parent_start_time) Year/month/day hours:minutes:seconds that the parent tunnel session began.
Tunnel Type (Tunnel) Type of tunnel, such as GRE or IPSec.
Bytes Number of bytes in the session.
Bytes Sent Number of bytes in the client-to-server direction of the session.
Bytes Received Number of bytes in the server-to-client direction of the session.
Packets Number of total packets (transmit and receive) for the session.
Packets Sent (pkts_sent) Number of client-to-server packets for the session. Available on all models except the PA-4000 Series.
Packets Received (pkts_received) Number of server-to-client packets for the session. Available on all models except the PA-4000 Series.
Maximum Encapsulation (max_encap) Number of packets the firewall dropped because the packet exceeded the maximum number of encapsulation levels configured in the Tunnel Inspection policy rule (Drop packet if over maximum tunnel inspection level).
Unknown Protocol (unknown_proto) Number of packets the firewall dropped because the packet contains an unknown protocol, as enabled in the Tunnel Inspection policy rule (Drop packet if unknown protocol inside tunnel).
Strict Check (strict_check) Number of packets the firewall dropped because the tunnel protocol header in the packet failed to comply with the RFC for the tunnel protocol, as enabled in the Tunnel Inspection policy rule (Drop packet if tunnel protocol fails strict header check).
Tunnel Fragment (tunnel_fragment) Number of packets the firewall dropped because of fragmentation errors.
Sessions Created (sessions_created) Number of inner sessions created.
Sessions Closed (sessions_closed) Number of inner sessions that were closed.
Session End Reason (session_end_reason) The reason a session terminated. If the termination had multiple causes, this field displays only the highest priority reason. The possible values, in order of priority (highest first), are:
  threat—The firewall detected a threat associated with a reset, drop, or block (IP address) action.
  policy-deny—The session matched a security rule with a deny or drop action.
  decrypt-cert-validation—The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses client authentication or when the session uses a server certificate with any of the following conditions: expired, untrusted issuer, unknown status, or status verification time-out. This session end reason is also displayed when the server certificate produces a fatal error alert of type bad_certificate, unsupported_certificate, certificate_revoked, access_denied, or no_certificate_RESERVED (SSLv3 only).
  decrypt-unsupport-param—The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses an unsupported protocol version, cipher, or SSH algorithm. This session end reason is displayed when the session produces a fatal error alert of type unsupported_extension, unexpected_message, or handshake_failure.
  decrypt-error—The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when firewall resources or the hardware security module (HSM) were unavailable. This session end reason is also displayed when you configured the firewall to block SSL traffic that has SSH errors or that produced any fatal error alert other than those listed for the decrypt-cert-validation and decrypt-unsupport-param end reasons.
  tcp-rst-from-client—The client sent a TCP reset to the server.
  tcp-rst-from-server—The server sent a TCP reset to the client.
  resources-unavailable—The session dropped because of a system resource limitation. For example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue.
  tcp-fin—One host or both hosts in the connection sent a TCP FIN message to close the session.
  tcp-reuse—A session is reused and the firewall closes the previous session.
  decoder—The decoder detects a new connection within the protocol (such as HTTP-Proxy) and ends the previous connection.
  aged-out—The session aged out.
  unknown—This value applies in the following situations: session terminations that the preceding reasons do not cover (for example, a clear session all command); logs generated in a PAN-OS release that does not support the session end reason field (releases older than PAN-OS 6.1), which show unknown after an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall; and, in Panorama, logs received from firewalls whose PAN-OS version does not support session end reasons.
  n/a—This value applies when the traffic log type is not end.
Action Source (action_source) Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset-server, reset-client or reset-both for the session.
Start Time (start) Year/month/day hours:minutes:seconds that the session began.
Elapsed Time (sec) Elapsed time of the session, in seconds.
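Decoding the Flags field from the table above, as an added example that is not part of the original page or of any vendor tooling. The bit values are the ones the table lists; the short flag names (pcap, nat, and so on) and the helper names parse_flags, decode_flags and has_flag are this example's own, and the example assumes the field arrives as a hex string as shown in the table, with or without the 0x prefix. It also returns any set bits the table does not document, which is the check you want when a newer PAN-OS release adds a flag your parser has never seen.

```python
"""Decode the 32-bit Flags field of a PAN-OS traffic / tunnel inspection log (added example)."""
from __future__ import annotations

# Bit values as documented in the Flags row above; names are this example's own.
FLAG_BITS: dict[int, str] = {
    0x80000000: "pcap",                  # session has a packet capture
    0x02000000: "ipv6",                  # IPv6 session
    0x01000000: "ssl-decrypted",         # SSL session was decrypted (SSL Proxy)
    0x00800000: "url-filtering-denied",  # session was denied via URL filtering
    0x00400000: "nat",                   # NAT translation performed
    0x00200000: "captive-portal",        # user identified via captive portal
    0x00080000: "x-forwarded-for",       # X-Forwarded-For value is in the source user field
    0x00040000: "proxy-transaction",     # transaction within an HTTP proxy session
    0x00008000: "container-page",        # container page access
    0x00002000: "temporary-rule-match",  # temporary match for implicit app dependency
    0x00000800: "symmetric-return",      # symmetric return used to forward traffic
}

# The keys are distinct single bits, so their sum is the OR of all documented bits.
KNOWN_MASK = sum(FLAG_BITS)


def parse_flags(value: str) -> int:
    """Parse the logged Flags value.

    Assumption: the firewall writes the field as hex (e.g. "0x400000"); a bare hex
    string without the prefix is accepted too. Anything wider than 32 bits is rejected.
    """
    bits = int(value.strip(), 16)
    if not 0 <= bits <= 0xFFFFFFFF:
        raise ValueError(f"Flags is a 32-bit field, got {value!r}")
    return bits


def decode_flags(value: str) -> tuple[set[str], int]:
    """Return (documented flag names that are set, residue of undocumented bits).

    A non-zero residue means the log carries a bit this table does not know about,
    for example a flag introduced by a later PAN-OS release.
    """
    bits = parse_flags(value)
    names = {name for bit, name in FLAG_BITS.items() if bits & bit}
    residue = bits & ~KNOWN_MASK & 0xFFFFFFFF
    return names, residue


def has_flag(value: str, name: str) -> bool:
    """True if the named documented flag is set in the logged value."""
    return name in decode_flags(value)[0]


if __name__ == "__main__":
    # Constructed sample values, not taken from a real firewall.
    for sample in ("0x400000", "0x81000000", "0x1"):
        names, residue = decode_flags(sample)
        print(sample, sorted(names), f"undocumented=0x{residue:08x}")
```

A detection pipeline can key on the set returned by decode_flags (for example, alert on sessions where pcap is set, or correlate ssl-decrypted with the Session End Reason decrypt-* values) and should log, rather than silently ignore, any non-zero residue.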
Authentication Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Virtual System, Source IP, User, Normalize User, Object, Authentication Policy, Repeat Count, Authentication ID, Vendor, Log Action, Server Profile, desc, Client Type, Event Type, Factor Number, Action Flags, Device Group Hierarchy 1, Device Group Hierarchy 2, Device Group Hierarchy 3, Device Group Hierarchy 4, Virtual System Name, Device Name
Field Name Description
Receive Time Time the log was received at the management plane.
Serial Number (Serial #) Serial number of the device that generated the log.
Type Type of log; values are traffic, threat, config, system and hip-match.
Threat/Content Type Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn.
Generated Time (Generate Time) Time the log was generated on the dataplane.
Virtual System Virtual System associated with the session.
Source IP Original session source IP address.
User End user being authenticated.
Normalize User Normalized version of username being authenticated (such as appending a domain name to the username).
Object Name of the object associated with the system event.
Authentication Policy Policy invoked for authentication before allowing access to a protected resource.
Repeat Count Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only.
Authentication ID Unique ID given across primary authentication and additional (multi factor) authentication.
Vendor Vendor providing additional factor authentication.
Log Action Log Forwarding Profile that was applied to the session.
Server Profile (serverprofile) Authentication server used for authentication.
Description (desc) Additional authentication information.
Client Type Type of client used to complete authentication (such as authentication portal).
Event Type Result of the authentication attempt.
Factor Number Indicates the use of primary authentication (1) or additional factors (2, 3).
Sequence Number A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags A bit field indicating if the log was forwarded to Panorama.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, the log was generated by a firewall (or virtual system) that belongs to device group 45, whose ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name The hostname of the firewall on which the session was logged.
Config Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Content/Threat Type, FUTURE_USE, Generated Time, Host, Virtual System, Command, Admin, Client, Result, Configuration Path, Sequence Number, Action Flags, Before Change Detail, After Change Detail, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name
Field Name Description
Receive Time Time the log was received at the management plane.
Serial Number (Serial #) Serial number of the device that generated the log.
Type Type of log; values are traffic, threat, config, system and hip-match.
Content/Threat Type Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn.
Generated Time (Generate Time) Time the log was generated on the dataplane.
Host Hostname or IP address of the client machine.
Virtual System Virtual System associated with the configuration log.
Command (cmd) Command performed by the Admin; values are add, clone, commit, delete, edit, move, rename, set.
Admin (admin) Username of the Administrator performing the configuration.
Client (client) Client used by the Administrator; values are Web and CLI.
Result (result) Result of the configuration action; values are Submitted, Succeeded, Failed, and Unauthorized.
Configuration Path (path) The path of the configuration command issued; up to 512 bytes in length.
Before Change Detail (before_change_detail) This field is in custom logs only; it is not in the default format. It contains the full xpath before the configuration change.
After Change Detail (after_change_detail) This field is in custom logs only; it is not in the default format. It contains the full xpath after the configuration change.
Sequence Number (seqno) A 64bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags) A bit field indicating if the log was forwarded to Panorama.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, the log was generated by a firewall (or virtual system) that belongs to device group 45, whose ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name The hostname of the firewall on which the session was logged.
System Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Content/Threat Type, FUTURE_USE, Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name
Field Name Description
Receive Time Time the log was received at the management plane.
Serial Number (Serial #) Serial number of the firewall that generated the log.
Type Type of log; values are traffic, threat, config, system and hip-match.
Content/Threat Type Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn.
Generated Time (Generate Time) Time the log was generated on the dataplane.
Virtual System Virtual System associated with the system event.
Event ID String showing the name of the event.
Object Name of the object associated with the system event.
Module (module) This field is valid only when the value of the Subtype field is general. It provides additional information about the sub-system generating the log; values are general, management, auth, ha, upgrade, chassis.
Severity Severity associated with the event; values are informational, low, medium, high, critical.
Description Detailed description of the event, up to a maximum of 512 bytes.
Sequence Number A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags A bit field indicating if the log was forwarded to Panorama
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, the log was generated by a firewall (or virtual system) that belongs to device group 45, whose ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name The hostname of the firewall on which the session was logged.
Correlated Events Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Content/Threat Type, FUTURE_USE, Generated Time, Source Address, Source User, Virtual System, Category, Severity, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Virtual System ID, Object Name, Object ID, Evidence
Field Name Description
Receive Time Time the log was received at the management plane.
Serial Number (Serial #) Serial number of the device that generated the log.
Type Type of log; values are traffic, threat, config, system and hip-match.
Content/Threat Type Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn.
Generated Time (Generate Time) Time the log was generated on the dataplane.
Source Address IP address of the user who initiated the event.
Source User Username of the user who initiated the event.
Virtual System Virtual System associated with the correlated event.
Category A summary of the kind of threat or harm posed to the network, user, or host.
Severity Severity associated with the event; values are informational, low, medium, high, critical.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4) A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, the log was generated by a firewall (or virtual system) that belongs to device group 45, whose ancestors are 34 and 12. To view the device group names that correspond to the values 12, 34 or 45, use one of the following methods:
  CLI command in configure mode: show readonly dg-meta-data
  API query: /api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
Virtual System Name The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name The hostname of the firewall on which the session was logged.
Virtual System ID A unique identifier for a virtual system on a Palo Alto Networks firewall.
Object Name (objectname) Name of the correlation object that was matched on.
Object ID Identifier of the correlation object that was matched on.
Evidence A summary statement that indicates how many times the host has matched against the conditions defined in the correlation object. For example, Host visited known malware URL (19 times).
Syslog Severity
The syslog severity is set based on the log type and contents.
Log Type/Severity Syslog Severity
Traffic Info
Config Info
Threat/System—Informational Info
Threat/System—Low Notice
Threat/System—Medium Warning
Threat/System—High Error
Threat/System—Critical Critical
Custom Log/Event Format
To facilitate the integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key: Value attribute pairs. Custom message formats can be configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format.
To achieve ArcSight Common Event Format (CEF) compliant log formatting, refer to the CEF Configuration Guide.
Escape Sequences
Any field that contains a comma or a double-quote is enclosed in double quotes, and a double-quote that appears inside such a field is escaped by doubling it (preceding it with another double-quote). Splitting on commas alone is therefore not safe: a Description, Misc or Configuration Path value can legitimately contain commas. To maintain backward compatibility, the Misc field in threat logs is always enclosed in double quotes, whether or not it needs escaping.
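The escape rules above, together with the positional field lists earlier on this page and the Device Group Hierarchy decoding described for that field, as an added example that is not part of the original page or of the vendor's own tooling. The parser splits one message body (the CSV after the syslog header, which the example assumes has already been stripped) into fields, honouring quoting and doubled quotes, then maps the fields onto the System Log Fields order and rejects a message whose field count does not match, which is what happens when a custom log format, a different log type or a different PAN-OS release changes the layout. The sample message, the schema list SYSTEM_LOG_FIELDS and the helpers split_pan_fields, parse_log, parse_system_log and device_group_path are this example's own constructions.

```python
"""Parse PAN-OS syslog CSV messages with the escape rules on this page (added example)."""
from __future__ import annotations

# Field order for System logs as listed under System Log Fields above.
# FUTURE_USE positions are dropped when the record is built.
SYSTEM_LOG_FIELDS: list[str] = [
    "FUTURE_USE", "Receive Time", "Serial Number", "Type", "Content/Threat Type",
    "FUTURE_USE", "Generated Time", "Virtual System", "Event ID", "Object",
    "FUTURE_USE", "FUTURE_USE", "Module", "Severity", "Description",
    "Sequence Number", "Action Flags", "Device Group Hierarchy Level 1",
    "Device Group Hierarchy Level 2", "Device Group Hierarchy Level 3",
    "Device Group Hierarchy Level 4", "Virtual System Name", "Device Name",
]

# Constructed sample (not a real firewall log): the Description carries a comma and
# embedded quotes, so the firewall would wrap it in quotes and double the quotes.
SAMPLE_SYSTEM_LOG = (
    "1,2019/03/07 12:00:00,001801012345,SYSTEM,general,0,2019/03/07 12:00:00,"
    ",auth-fail,,0,0,auth,medium,"
    '"failed authentication for user ""admin"" from 10.0.0.5, reason: invalid password",'
    "1234567,0x0,12,34,45,0,,pa-220-lab"
)


def split_pan_fields(message: str) -> list[str]:
    """Split one CSV message into raw field strings.

    Rules implemented: a field containing a comma or double-quote is wrapped in
    double quotes; a double-quote inside such a field is written as two. Anything
    else (a quote in the middle of a bare field, text after a closing quote, an
    unterminated quote) is rejected rather than guessed at.
    """
    fields: list[str] = []
    buf: list[str] = []
    quoted = False
    i, n = 0, len(message)
    while i < n:
        c = message[i]
        if quoted:
            if c == '"':
                if i + 1 < n and message[i + 1] == '"':   # "" inside quotes -> literal "
                    buf.append('"')
                    i += 2
                    continue
                quoted = False                            # closing quote
                i += 1
                if i < n and message[i] != ",":
                    raise ValueError(f"data after closing quote at offset {i}")
                continue
            buf.append(c)
        elif c == '"':
            if buf:                                       # a quote may only open a field
                raise ValueError(f"unescaped quote inside field at offset {i}")
            quoted = True
        elif c == ",":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if quoted:
        raise ValueError("unterminated quoted field")
    fields.append("".join(buf))
    return fields


def parse_log(message: str, schema: list[str]) -> dict[str, str]:
    """Map fields onto a schema by position; FUTURE_USE slots are not kept."""
    fields = split_pan_fields(message)
    if len(fields) != len(schema):
        raise ValueError(
            f"expected {len(schema)} fields, got {len(fields)}: "
            "wrong log type, custom log format, or a different PAN-OS field layout"
        )
    return {name: value for name, value in zip(schema, fields) if name != "FUTURE_USE"}


def parse_system_log(message: str) -> dict[str, str]:
    return parse_log(message, SYSTEM_LOG_FIELDS)


def device_group_path(record: dict[str, str]) -> list[int]:
    """Ancestor-to-leaf device group IDs; trailing 0 padding (unused levels) is dropped."""
    ids = [int(record[f"Device Group Hierarchy Level {n}"] or 0) for n in range(1, 5)]
    while ids and ids[-1] == 0:
        ids.pop()
    return ids


if __name__ == "__main__":
    rec = parse_system_log(SAMPLE_SYSTEM_LOG)
    print(rec["Severity"], rec["Event ID"], rec["Description"])
    print("device group path (root first):", device_group_path(rec))
```

Python's csv module with its default dialect (quotechar '"', doublequote enabled) implements the same two rules, so csv.reader([message]) is an acceptable drop-in once the syslog header is removed; the hand-written splitter is here to make the rules explicit and to fail loudly on malformed input instead of silently producing shifted fields. The field-count check matters because a shifted field turns, for example, a Description into an Action Flags value without any error.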