PAN-OS Log Message Field Descriptions

Document created by rkent on May 10, 2015

 

Note: This document is current to PAN-OS version 6.1

 

This is a list of the standard fields for each of the five log types that are forwarded to an external server. For ease of parsing, the comma is the delimiter; each log message is a comma-separated value (CSV) string. The FUTURE_USE tag marks field positions that the devices do not currently populate. Fields marked with an asterisk (*) in a format line were added in PAN-OS 6.1 and are labelled "New in v6.1!" in the tables below.

WildFire logs are a subtype of threat logs and use the same Syslog format.

 

 

Traffic Logs

 

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets Sent, Packets Received, Session End Reason *

Field Name

Description

Receive Time (receive_time)

Time the log was received at the management plane

Serial Number (serial)

Serial number of the device that generated the log

Type (type)

Specifies type of log; values are traffic, threat, config, system and hip-match

Subtype (subtype)

Subtype of traffic log; values are start, end, drop, and deny

Start - session started
End - session ended
Drop - session dropped before the application is identified and there is no rule that allows the session.
Deny - session dropped after the application is identified and there is a rule to block or no rule that allows the session.

Generated Time (time_generated)

Time the log was generated on the dataplane

Source IP (src)

Original session source IP address

Destination IP (dst)

Original session destination IP address

NAT Source IP (natsrc)

If Source NAT performed, the post-NAT Source IP address

NAT Destination IP (natdst)

If Destination NAT performed, the post-NAT Destination IP address

Rule Name (rule)

Name of the rule that the session matched

Source User (srcuser)

Username of the user who initiated the session

Destination User (dstuser)

Username of the user to which the session was destined

Application (app)

Application associated with the session

Virtual System (vsys)

Virtual System associated with the session

Source Zone (from)

Zone the session was sourced from

Destination Zone (to)

Zone the session was destined to

Ingress Interface (inbound_if)

Interface that the session was sourced from

Egress Interface (outbound_if)

Interface that the session was destined to

Log Forwarding Profile (logset)

Log Forwarding Profile that was applied to the session

Session ID (sessionid)

An internal numerical identifier applied to each session

Repeat Count (repeatcnt)

Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only

Source Port (sport)

Source port utilized by the session

Destination Port (dport)

Destination port utilized by the session

NAT Source Port (natsport)

Post-NAT source port

NAT Destination Port (natdport)

Post-NAT destination port

Flags (flags)

32-bit field that provides details on session; this field can be decoded by AND-ing the values with the logged value:
0x80000000 —session has a packet capture (PCAP)
0x02000000 —IPv6 session
0x01000000 —SSL session was decrypted (SSL Proxy)
0x00800000 —session was denied via URL filtering
0x00400000 —session has a NAT translation performed (NAT)
0x00200000 —user information for the session was captured via the captive portal (Captive Portal)
0x00080000 —X-Forwarded-For value from a proxy is in the source user field
0x00040000 —log corresponds to a transaction within a http proxy session (Proxy Transaction)
0x00008000 —session is a container page access (Container Page)
0x00002000 —session has a temporary match on a rule for implicit application dependency handling. Available in PAN-OS 5.0.0 and above.
0x00000800 —symmetric return was used to forward traffic for this session

Protocol (proto)

IP protocol associated with the session

Action (action)

Action taken for the session; values are allow or deny:
Allow—session was allowed by policy
Deny—session was denied by policy

Bytes (bytes)

Number of total bytes (transmit and receive) for the session

Bytes Sent (bytes_sent)

Number of bytes in the client-to-server direction of the session. Available on all models except the PA-4000 Series

Bytes Received (bytes_received)

Number of bytes in the server-to-client direction of the session. Available on all models except the PA-4000 Series

Packets (packets)

Number of total packets (transmit and receive) for the session

Start Time (start)

Time of session start

Elapsed Time (elapsed)

Elapsed time of the session

Category (category)

URL category associated with the session (if applicable)

Sequence Number (seqno)

A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7050 firewalls.

Action Flags (actionflags)

A bit field indicating if the log was forwarded to Panorama

Source Location (srcloc)

Source country or Internal region for private addresses; maximum length is 32 bytes

Destination Location (dstloc)

Destination country or Internal region for private addresses. Maximum length is 32 bytes

Packets Sent (pkts_sent)

Number of client-to-server packets for the session. Available on all models except the PA-4000 Series

Packets Received (pkts_received)

Number of server-to-client packets for the session. Available on all models except the PA-4000 Series

Session End Reason (session_end_reason)

New in v6.1!

The reason a session terminated. If the termination had multiple causes, this field displays only the highest priority reason. The possible session end reason values are as follows, in order of priority (where the first is highest):
threat—The firewall detected a threat associated with a reset, drop, or block (IP address) action.

policy-deny—The session matched a security policy with a deny or drop action.

tcp-rst-from-client—The client sent a TCP reset to the server.

tcp-rst-from-server—The server sent a TCP reset to the client.

resources-unavailable—The session dropped because of a system resource limitation. For example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue.

tcp-fin - One host or both hosts in the connection sent a TCP FIN message to close the session.

tcp-reuse - A session is reused and the firewall closes the previous session.

decoder - The decoder detects a new connection within the protocol (such as HTTP-Proxy) and ends the previous connection.

aged-out - The session aged out.

unknown - This value applies in the following situations:

Session terminations that the preceding reasons do not cover (for example, a clear session all command).

For logs generated in a PAN-OS release that does not support the session end reason field (releases older than PAN-OS 6.1), the value will be unknown after an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall.

In Panorama, logs received from firewalls whose PAN-OS version does not support session end reasons will have a value of unknown.

n/a - This value applies when the traffic log subtype is not end.
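As an added worked example (not part of the original document), the following Python parses one constructed traffic log line using the field order from the Traffic Logs format line above, decodes the Flags field exactly as the table describes (AND each documented mask with the logged value), and applies the cross-field checks a log pipeline can make from this table alone: Bytes against Bytes Sent plus Bytes Received, Packets against Packets Sent plus Packets Received, and Session End Reason being n/a unless the subtype is end. The sample line, the dictionary key names (taken from the keys in parentheses, with future_use placeholders) and the flag labels are constructed for illustration; the flags value is assumed to be logged in hexadecimal with a 0x prefix.

```python
"""Parse a PAN-OS 6.1 traffic syslog record and decode its Flags bitmask (added example)."""
import csv

# Field order from the Traffic Logs format line; FUTURE_USE slots kept as placeholders
# so that positional parsing stays aligned with the documented 47-field layout.
TRAFFIC_FIELDS = (
    "future_use1", "receive_time", "serial", "type", "subtype", "future_use2",
    "time_generated", "src", "dst", "natsrc", "natdst", "rule", "srcuser", "dstuser",
    "app", "vsys", "from", "to", "inbound_if", "outbound_if", "logset", "future_use3",
    "sessionid", "repeatcnt", "sport", "dport", "natsport", "natdport", "flags", "proto",
    "action", "bytes", "bytes_sent", "bytes_received", "packets", "start", "elapsed",
    "category", "future_use4", "seqno", "actionflags", "srcloc", "dstloc", "future_use5",
    "pkts_sent", "pkts_received", "session_end_reason",
)

# Bit masks from the Flags field description; the short labels are our own.
FLAG_BITS = {
    0x80000000: "pcap",
    0x02000000: "ipv6",
    0x01000000: "ssl-decrypted",
    0x00800000: "url-denied",
    0x00400000: "nat",
    0x00200000: "captive-portal",
    0x00080000: "x-forwarded-for",
    0x00040000: "http-proxy-transaction",
    0x00008000: "container-page",
    0x00002000: "temporary-rule-match",
    0x00000800: "symmetric-return",
}


def decode_flags(value):
    """Return the labels of the set bits: the AND-ing described in the Flags entry.
    Assumes the field is logged as hex with a 0x prefix (int(..., 0) also accepts decimal)."""
    raw = int(value, 0)
    return [name for bit, name in FLAG_BITS.items() if raw & bit]


def parse_traffic(line):
    """Split the CSV part of one traffic log into a dict keyed by the documented field keys."""
    fields = next(csv.reader([line]))  # CSV-aware: honours the quoting rules of the page
    if len(fields) != len(TRAFFIC_FIELDS):
        raise ValueError(f"expected {len(TRAFFIC_FIELDS)} fields, got {len(fields)}")
    rec = dict(zip(TRAFFIC_FIELDS, fields))
    rec["flag_names"] = decode_flags(rec["flags"])
    return rec


def check_record(rec):
    """Cross-field consistency checks derived from the field descriptions; returns problems found.
    Note: Bytes Sent/Received and Packets Sent/Received are not populated on the PA-4000 Series,
    so the first two checks are only meaningful on other models."""
    problems = []
    if int(rec["bytes_sent"]) + int(rec["bytes_received"]) != int(rec["bytes"]):
        problems.append("bytes != bytes_sent + bytes_received")
    if int(rec["pkts_sent"]) + int(rec["pkts_received"]) != int(rec["packets"]):
        problems.append("packets != pkts_sent + pkts_received")
    if (rec["subtype"] == "end") != (rec["session_end_reason"] != "n/a"):
        problems.append("session_end_reason should be n/a unless subtype is end")
    return problems


# Constructed sample (not a real log): an allowed, source-NATed web session closed by TCP FIN.
SAMPLE_TRAFFIC = (
    "1,2015/05/10 12:00:05,001606001116,TRAFFIC,end,1,2015/05/10 12:00:05,"
    "192.168.1.10,203.0.113.5,198.51.100.1,203.0.113.5,allow-web,jdoe,,web-browsing,vsys1,"
    "trust,untrust,ethernet1/2,ethernet1/1,default-logset,1,120345,1,50123,80,12456,80,"
    "0x400000,tcp,allow,6400,1500,4900,30,2015/05/10 11:59:50,15,computer-and-internet-info,0,"
    "1122334455,0x0,United States,United States,0,12,18,tcp-fin"
)

if __name__ == "__main__":
    record = parse_traffic(SAMPLE_TRAFFIC)
    print(record["src"], "->", record["dst"], record["action"], record["session_end_reason"])
    print("flags:", record["flag_names"], "problems:", check_record(record))
```

The parser uses the csv module rather than str.split so that a field containing a comma (quoted by the firewall, per the Escape Sequences section) does not shift every later field by one position.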

 

 

Threat Logs

 


Format : FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Miscellaneous, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type, PCAP_id, Filedigest, Cloud, FUTURE_USE, User Agent * , File Type * , X-Forwarded-For * , Referer * , Sender * , Subject * , Recipient * , Report ID *


 

Field Name

Description

Receive Time (receive_time)

Time the log was received at the management plane

Serial Number (serial)

Serial number of the device that generated the log

Type (type)

Specifies type of log; values are traffic, threat, config, system and hip-match

Subtype (subtype)

Subtype of threat log; values are URL, virus, spyware, vulnerability, file, scan, flood, data, and WildFire:

url—URL filtering log
virus—virus detection
spyware —spyware detection
vulnerability —vulnerability exploit detection
file—file type log
scan—scan detected via Zone Protection Profile
flood—flood detected via Zone Protection Profile
data—data pattern detected from Data Filtering Profile
wildfire —WildFire log

Generated Time (time_generated)

Time the log was generated on the dataplane

Source IP (src)

Original session source IP address

Destination IP (dst)

Original session destination IP address

NAT Source IP (natsrc)

If source NAT performed, the post-NAT source IP address

NAT Destination IP (natdst)

If destination NAT performed, the post-NAT destination IP address

Rule Name (rule)

Name of the rule that the session matched

Source User (srcuser)

Username of the user who initiated the session

Destination User (dstuser)

Username of the user to which the session was destined

Application (app)

Application associated with the session

Virtual System (vsys)

Virtual System associated with the session

Source Zone (from)

Zone the session was sourced from

Destination Zone (to)

Zone the session was destined to

Ingress Interface (inbound_if)

Interface that the session was sourced from

Egress Interface (outbound_if)

Interface that the session was destined to

Log Forwarding Profile (logset)

Log Forwarding Profile that was applied to the session

Session ID (sessionid)

An internal numerical identifier applied to each session

Repeat Count (repeatcnt)

Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only

Source Port (sport)

Source port utilized by the session

Destination Port (dport)

Destination port utilized by the session

NAT Source Port (natsport)

Post-NAT source port

NAT Destination Port (natdport)

Post-NAT destination port

Flags (flags)

32-bit field that provides details on session; this field can be decoded by AND-ing the values with the logged value:
0x80000000 —session has a packet capture (PCAP)
0x02000000 —IPv6 session
0x01000000 —SSL session was decrypted (SSL Proxy)
0x00800000 —session was denied via URL filtering
0x00400000 —session has a NAT translation performed (NAT)
0x00200000 —user information for the session was captured via the captive portal (Captive Portal)
0x00080000 —X-Forwarded-For value from a proxy is in the source user field
0x00040000 —log corresponds to a transaction within a http proxy session (Proxy Transaction)
0x00008000 —session is a container page access (Container Page)
0x00002000 —session has a temporary match on a rule for implicit application dependency handling. Available in PAN-OS 5.0.0 and above
0x00000800 —symmetric return was used to forward traffic for this session

Protocol (proto)

IP protocol associated with the session

Action (action)

Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url.
Alert—threat or URL detected but not blocked
Allow— flood detection alert
Deny—flood detection mechanism activated and deny traffic based on configuration
Drop— threat detected and associated session was dropped
Drop-all-packets —threat detected and session remains, but drops all packets
Reset-client —threat detected and a TCP RST is sent to the client
Reset-server —threat detected and a TCP RST is sent to the server
Reset-both —threat detected and a TCP RST is sent to both the client and the server
Block-url —URL request was blocked because it matched a URL category that was set to be blocked

Miscellaneous (misc)

Variable-length field with a maximum of 1023 characters. Its content depends on the subtype:
the actual URI when the subtype is url;
the file name or file type when the subtype is file;
the file name when the subtype is virus;
the file name when the subtype is wildfire.

Threat ID (threatid)

Palo Alto Networks identifier for the threat. It is a description string followed by a 64-bit numerical identifier in parentheses for some subtypes. The number spaces are:
8000 – 8099 — scan detection
8500 – 8599 — flood detection
9999 — URL filtering log
10000 – 19999 — spyware phone home detection
20000 – 29999 — spyware download detection
30000 – 44999 — vulnerability exploit detection
52000 – 52999 — filetype detection
60000 – 69999 — data filtering detection
100000 – 2999999 — virus detection
3000000 – 3999999 — WildFire signature feed
4000000 – 4999999 — DNS botnet signatures

Category (category)

For URL Subtype, it is the URL Category;

For WildFire subtype, it is the verdict on the file and is either ‘malicious’ or ‘benign’;

For other subtypes, the value is ‘any’.

Severity (severity)

Severity associated with the threat; values are informational, low, medium, high, critical

Direction (direction)

Indicates the direction of the attack, client-to-server or server-to-client. In the numeric encoding:

0—direction of the threat is client to server
1—direction of the threat is server to client

Sequence Number (seqno)

A 64-bit log entry identifier incremented sequentially. Each log type has a unique number space. This field is not supported on PA-7050 firewalls.

Action Flags (actionflags)

A bit field indicating if the log was forwarded to Panorama.

Source Location (srcloc)

Source country or Internal region for private addresses. Maximum length is 32 bytes.

Destination Location (dstloc)

Destination country or Internal region for private addresses. Maximum length is 32 bytes.

Content Type (contenttype)

Applicable only when the subtype is url. Content type of the HTTP response data. Maximum length is 32 bytes.

PCAP ID (pcap_id)

Pcap-ID is a 64-bit unsigned integer used to correlate threat pcap files with extended pcaps taken as part of that flow. Every threat log contains either a pcap_id of 0 (no associated pcap) or an ID referencing the extended pcap file.

File Digest (filedigest)

Only for WildFire subtype; all other types do not use this field. The filedigest string shows the binary hash of the file sent to be analyzed by the WildFire service.

Cloud (cloud)

Only for WildFire subtype; all other types do not use this field. The cloud string displays the FQDN of either the WildFire appliance (private) or the WildFire cloud (public) from where the file was uploaded for analysis.

User Agent (user_agent)

New in v6.1!

Only for the URL Filtering subtype; all other types do not use this field. The User Agent field specifies the web browser that the user used to access the URL, for example Internet Explorer. This information is sent in the HTTP request to the server.

File Type (filetype)

New in v6.1!

Only for WildFire subtype; all other types do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis.

X-Forwarded-For (xff)

New in v6.1!

Only for the URL Filtering subtype; all other types do not use this field. The X-Forwarded-For field in the HTTP header carries the IP address of the user who requested the web page. It lets you identify the user's IP address, which is useful when a proxy server on your network replaces the user's IP address with its own in the source IP address field of the packet header. Because X-Forwarded-For is an ordinary request header, its value is only as trustworthy as the proxy that inserted it; treat it as a hint rather than an authenticated source address.

Referer (referer)

New in v6.1!

Only for the URL Filtering subtype; all other types do not use this field. The Referer field in the HTTP header contains the URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested.

Sender (sender)

New in v6.1!

Only for WildFire subtype; all other types do not use this field. Specifies the name of the sender of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.

Subject (subject)

New in v6.1!

Only for WildFire subtype; all other types do not use this field. Specifies the subject of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.

Recipient (recipient)

New in v6.1!

Only for WildFire subtype; all other types do not use this field. Specifies the name of the receiver of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall.

Report ID (reportid)

New in v6.1!

Only for WildFire subtype; all other types do not use this field. Identifies the analysis request on the WildFire cloud or the WildFire appliance.

 
 

 

HIP Match Logs

 

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source User, Virtual System, Machine name, OS, Source Address, HIP, Repeat Count, HIP Type, FUTURE_USE, FUTURE_USE, Sequence Number, Action Flags

Field Name

Description

Receive Time (receive_time)

Time the log was received at the management plane

Serial Number (serial)

Serial number of the device that generated the log

Type (type)

Type of log; values are traffic, threat, config, system and hip-match

Subtype (subtype)

Subtype of HIP match log; unused

Generated Time (time_generated)

Time the log was generated on the dataplane

Source User (srcuser)

Username of the user who initiated the session

Virtual System (vsys)

Virtual System associated with the HIP match log

Machine Name (machinename)

Name of the user’s machine

OS

The operating system installed on the user’s machine or device (or on the client system)

Source Address (src)

IP address of the source user

HIP (matchname)

Name of the HIP object or profile

Repeat Count (repeatcnt)

Number of times the HIP profile matched

HIP Type (matchtype)

Whether the hip field represents a HIP object or a HIP profile

Sequence Number (seqno)

A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7050 firewalls.

Action Flags (actionflags)

A bit field indicating if the log was forwarded to Panorama

 
 

 

Config Logs

 

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Host, Virtual System, Command, Admin, Client, Result, Configuration Path, Sequence Number, Action Flags, Before Change Detail * , After Change Detail *

Field Name

Description

Receive Time (receive_time)

Time the log was received at the management plane

Serial Number (serial)

Serial number of the device that generated the log

Type (type)

Type of log; values are traffic, threat, config, system and hip-match

Subtype (subtype)

Subtype of configuration log; unused

Generated Time (time_generated)

Time the log was generated on the dataplane

Host (host)

Host name or IP address of the client machine

Virtual System (vsys)

Virtual System associated with the configuration log

Command (cmd)

Command performed by the Admin; values are add, clone, commit, delete, edit, move, rename, set.

Admin (admin)

Username of the Administrator performing the configuration

Client (client)

Client used by the Administrator; values are Web and CLI

Result (result)

Result of the configuration action; values are Submitted, Succeeded, Failed, and Unauthorized

Configuration Path (path)

The path of the configuration command issued; up to 512 bytes in length

Sequence Number (seqno)

A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7050 firewalls.

Action Flags (actionflags)

A bit field indicating if the log was forwarded to Panorama.

Before Change Detail (before_change_detail)

New in v6.1!

This field is in custom logs only; it is not in the default format. It contains the full xpath before the configuration change.

After Change Detail (after_change_detail)

New in v6.1!

This field is in custom logs only; it is not in the default format. It contains the full xpath after the configuration change.

 
 

 

System Logs

 

Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags

Field Name

Description

Receive Time (receive_time)

Time the log was received at the management plane

Serial Number (serial)

Serial number of the device that generated the log

Type (type)

Type of log; values are traffic, threat, config, system and hip-match

Subtype (subtype)

Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn

Generated Time (time_generated)

Time the log was generated on the dataplane

Virtual System (vsys)

Virtual System associated with the system log

Event ID (eventid)

String showing the name of the event

Object (object)

Name of the object associated with the system event

Module (module)

This field is valid only when the value of the Subtype field is general. It provides additional information about the sub-system generating the log; values are general, management, auth, ha, upgrade, chassis

Severity (severity)

Severity associated with the event; values are informational, low, medium, high, critical

Description (opaque)

Detailed description of the event, up to a maximum of 512 bytes

Sequence Number (seqno)

A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7050 firewalls.

Action Flags (actionflags)

A bit field indicating if the log was forwarded to Panorama

 

 

Syslog Severity

 

The syslog severity is set based on the log type and contents.

Log Type/Severity: Syslog Severity

Traffic: Info
Config: Info
Threat/System, Informational: Info
Threat/System, Low: Notice
Threat/System, Medium: Warning
Threat/System, High: Error
Threat/System, Critical: Critical

 

 

 

Custom Log/Event Format

 

To facilitate integration with external log parsing systems, the firewall allows you to customize the log format; it also allows you to add custom Key: Value attribute pairs. Custom message formats can be configured under Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format.

To achieve ArcSight Common Event Format (CEF) compliant log formatting, refer to the CEF Configuration Guide.

 

Escape Sequences

 

Any field that contains a comma or a double quote is enclosed in double quotes, and a double quote inside such a field is escaped by doubling it (preceding it with another double quote). To maintain backward compatibility, the Misc field in threat logs is always enclosed in double quotes. These are the standard CSV quoting rules, so a CSV-aware parser handles them correctly; a plain split on commas does not, and will shift every field after the first URI that contains a comma.
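Added example, not from the original document: it applies the quoting rules above to a constructed threat log line laid out in the Threat Logs field order, whose Misc field contains both a comma and an embedded double quote. It shows that a plain split on commas miscounts the fields while a CSV-aware parser recovers them, and it also serves the Threat ID description in the Threat Logs table by mapping the numeric part of a Threat ID value to the documented number spaces. The sample line, the dictionary key names (from the keys in parentheses, with future_use placeholders) and the signature names used in the checks are constructed for illustration.

```python
"""Parse a PAN-OS 6.1 threat syslog record with CSV quoting and classify its Threat ID (added example)."""
import csv
import re

# Field order from the Threat Logs format line (54 positions, FUTURE_USE kept as placeholders).
THREAT_FIELDS = (
    "future_use1", "receive_time", "serial", "type", "subtype", "future_use2",
    "time_generated", "src", "dst", "natsrc", "natdst", "rule", "srcuser", "dstuser",
    "app", "vsys", "from", "to", "inbound_if", "outbound_if", "logset", "future_use3",
    "sessionid", "repeatcnt", "sport", "dport", "natsport", "natdport", "flags", "proto",
    "action", "misc", "threatid", "category", "severity", "direction", "seqno",
    "actionflags", "srcloc", "dstloc", "future_use4", "contenttype", "pcap_id",
    "filedigest", "cloud", "future_use5", "user_agent", "filetype", "xff", "referer",
    "sender", "subject", "recipient", "reportid",
)

# Number spaces from the Threat ID field description: (low, high, meaning).
THREAT_ID_RANGES = (
    (8000, 8099, "scan detection"),
    (8500, 8599, "flood detection"),
    (9999, 9999, "URL filtering log"),
    (10000, 19999, "spyware phone home detection"),
    (20000, 29999, "spyware download detection"),
    (30000, 44999, "vulnerability exploit detection"),
    (52000, 52999, "filetype detection"),
    (60000, 69999, "data filtering detection"),
    (100000, 2999999, "virus detection"),
    (3000000, 3999999, "WildFire signature feed"),
    (4000000, 4999999, "DNS botnet signatures"),
)

# Threat ID is "description(12345)" for some subtypes, or just "(12345)" / "12345" otherwise.
_THREATID_RE = re.compile(r"\((\d+)\)\s*$")


def classify_threat_id(threatid):
    """Return (range description, numeric id) for a Threat ID field value."""
    match = _THREATID_RE.search(threatid)
    num = int(match.group(1)) if match else int(threatid)
    for low, high, meaning in THREAT_ID_RANGES:
        if low <= num <= high:
            return meaning, num
    return "unknown range", num


def parse_threat(line):
    """CSV-parse one threat log. csv.reader implements the page's escaping rules: a field
    holding a comma or quote is wrapped in double quotes and inner quotes are doubled."""
    fields = next(csv.reader([line]))
    if len(fields) != len(THREAT_FIELDS):
        raise ValueError(f"expected {len(THREAT_FIELDS)} fields, got {len(fields)}")
    rec = dict(zip(THREAT_FIELDS, fields))
    rec["threat_class"], rec["threat_num"] = classify_threat_id(rec["threatid"])
    return rec


def naive_field_count(line):
    """What a plain str.split(',') sees; wrong whenever Misc (or any field) carries a comma."""
    return len(line.split(","))


# Constructed sample (not a real log): a url-subtype threat log whose Misc field holds a URI
# containing a comma and a double quote, so the firewall quotes the field and doubles the quote.
SAMPLE_THREAT = (
    '1,2015/05/10 12:01:00,001606001116,THREAT,url,1,2015/05/10 12:01:00,'
    '192.168.1.10,203.0.113.5,198.51.100.1,203.0.113.5,allow-web,jdoe,,web-browsing,vsys1,'
    'trust,untrust,ethernet1/2,ethernet1/1,default-logset,1,120346,1,50124,80,12457,80,'
    '0x400000,tcp,block-url,"example.com/search?q=a,b&title=""quoted""",(9999),malware,'
    'medium,client-to-server,1122334456,0x0,United States,United States,0,text/html,0,,,,'
    'Mozilla/5.0,,,,,,,'
)

if __name__ == "__main__":
    record = parse_threat(SAMPLE_THREAT)
    print("naive split sees", naive_field_count(SAMPLE_THREAT), "fields; csv sees", len(THREAT_FIELDS))
    print(record["misc"], "|", record["threat_class"], record["threat_num"], "|", record["user_agent"])
```

The same csv-based split is the right tool for the other four log types as well; only the field tuple changes.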
