Palo Alto Networks
Palo Alto firewall logs: traffic, threats, URL filtering, WildFire verdicts, GlobalProtect VPN and system status.
Enginsight Global Fields (4)
Field | Description | Type |
---|---|---|
ngs.id | Unique identifier for the log entry. | string |
ngs.createdAt | Timestamp when the event was created locally. | pdate |
ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
ngs.source | Origin or source system of the log. | string |
Reference-Specific Fields (280)
Field | Type |
---|---|
paloalto.panorama.serial | plong |
paloalto.panorama.type | string |
paloalto.panorama.subtype | string |
paloalto.panorama.time_generated | pdate |
paloalto.panorama.src | string |
paloalto.panorama.srcuser | string |
paloalto.panorama.vsys | string |
paloalto.panorama.category | string |
paloalto.panorama.severity | string |
paloalto.panorama.dg_hier_level1 | plong |
paloalto.panorama.dg_hier_level2 | plong |
paloalto.panorama.dg_hier_level3 | plong |
paloalto.panorama.dg_hier_level4 | plong |
paloalto.panorama.vsys_name | string |
paloalto.panorama.device_name | string |
paloalto.panorama.vsys_id | string |
paloalto.panorama.objectname | string |
paloalto.panorama.evidence | text_general |
paloalto.panorama.dst | string |
paloalto.panorama.rule | text_general |
paloalto.panorama.from | string |
paloalto.panorama.to | string |
paloalto.panorama.inbound_if | string |
paloalto.panorama.outbound_if | string |
paloalto.panorama.logset | string |
paloalto.panorama.sessionid | plong |
paloalto.panorama.repeatcnt | pint |
paloalto.panorama.sport | pint |
paloalto.panorama.dport | pint |
paloalto.panorama.proto | string |
paloalto.panorama.action | string |
paloalto.panorama.seqno | plong |
paloalto.panorama.assoc_id | plong |
paloalto.panorama.ppid | plong |
paloalto.panorama.sctp_chunk_type | string |
paloalto.panorama.verif_tag1 | string |
paloalto.panorama.verif_tag2 | string |
paloalto.panorama.sctp_cause_code | string |
paloalto.panorama.diam_app_id | string |
paloalto.panorama.diam_cmd_code | string |
paloalto.panorama.diam_avp_code | string |
paloalto.panorama.stream_id | string |
paloalto.panorama.assoc_end_reason | string |
paloalto.panorama.op_code | string |
paloalto.panorama.sccp_calling_ssn | string |
paloalto.panorama.sccp_calling_gt | string |
paloalto.panorama.sctp_filter | string |
paloalto.panorama.chunks | plong |
paloalto.panorama.chunks_sent | plong |
paloalto.panorama.chunks_received | plong |
paloalto.panorama.packets | plong |
paloalto.panorama.pkts_sent | plong |
paloalto.panorama.pkts_received | plong |
paloalto.panorama.rule_uuid | string |
paloalto.panorama.high_res_timestamp | pdate |
paloalto.panorama.app | string |
paloalto.panorama.event_type | string |
paloalto.panorama.msisdn | string |
paloalto.panorama.apn | string |
paloalto.panorama.rat | string |
paloalto.panorama.msg_type | string |
paloalto.panorama.end_ip_adr | string |
paloalto.panorama.teid1 | string |
paloalto.panorama.teid2 | string |
paloalto.panorama.gtp_interface | string |
paloalto.panorama.cause_code | string |
paloalto.panorama.mcc | string |
paloalto.panorama.mnc | string |
paloalto.panorama.area_code | string |
paloalto.panorama.cell_id | string |
paloalto.panorama.event_code | string |
paloalto.panorama.srcloc | string |
paloalto.panorama.dstloc | string |
paloalto.panorama.imsi | string |
paloalto.panorama.imei | plong |
paloalto.panorama.start | pdate |
paloalto.panorama.elapsed | plong |
paloalto.panorama.tunnel_insp_rule | string |
paloalto.panorama.remote_user_ip | string |
paloalto.panorama.remote_user_id | string |
paloalto.panorama.pcap_id | plong |
paloalto.panorama.nsdsai_sst | string |
paloalto.panorama.nsdsai_sd | string |
paloalto.panorama.subcategory_of_app | string |
paloalto.panorama.category_of_app | string |
paloalto.panorama.technology_of_app | string |
paloalto.panorama.risk_of_app | plong |
paloalto.panorama.characteristic_of_app | string [] |
paloalto.panorama.container_of_app | string |
paloalto.panorama.is_saas_of_app | string |
paloalto.panorama.sanctioned_state_of_app | string |
paloalto.panorama.machinename | string |
paloalto.panorama.os | string |
paloalto.panorama.matchname | string |
paloalto.panorama.matchtype | string |
paloalto.panorama.actionflags | string |
paloalto.panorama.srcipv6 | string |
paloalto.panorama.hostid | string |
paloalto.panorama.serialnumber | string |
paloalto.panorama.mac | string |
paloalto.panorama.cluster_name | string |
paloalto.panorama.tag_name | string |
paloalto.panorama.timeout | pint |
paloalto.panorama.datasourcename | string |
paloalto.panorama.datasource_subtype | string |
paloalto.panorama.natsrc | string |
paloalto.panorama.natdst | string |
paloalto.panorama.dstuser | string |
paloalto.panorama.natsport | pint |
paloalto.panorama.natdport | pint |
paloalto.panorama.flags | string |
paloalto.panorama.bytes | plong |
paloalto.panorama.bytes_received | plong |
paloalto.panorama.session_end_reason | string |
paloalto.panorama.action_source | string |
paloalto.panorama.src_uuid | string |
paloalto.panorama.dst_uuid | string |
paloalto.panorama.tunnelid | string |
paloalto.panorama.monitortag | string |
paloalto.panorama.parent_session_id | string |
paloalto.panorama.parent_start_time | pdate |
paloalto.panorama.tunnel | string |
paloalto.panorama.http2_connection | plong |
paloalto.panorama.link_change_count | plong |
paloalto.panorama.policy_id | string |
paloalto.panorama.link_switches | string |
paloalto.panorama.sdwan_cluster | string |
paloalto.panorama.sdwan_device_type | string |
paloalto.panorama.sdwan_cluster_type | string |
paloalto.panorama.dynusergroup_name | string |
paloalto.panorama.xff_ip | string |
paloalto.panorama.src_category | string |
paloalto.panorama.src_profile | string |
paloalto.panorama.src_model | string |
paloalto.panorama.src_vendor | string |
paloalto.panorama.src_osfamily | string |
paloalto.panorama.src_osversion | string |
paloalto.panorama.src_host | string |
paloalto.panorama.src_mac | string |
paloalto.panorama.dst_category | string |
paloalto.panorama.dst_profile | string |
paloalto.panorama.dst_model | string |
paloalto.panorama.dst_vendor | string |
paloalto.panorama.dst_osfamily | string |
paloalto.panorama.dst_osversion | string |
paloalto.panorama.dst_host | string |
paloalto.panorama.dst_mac | string |
paloalto.panorama.container_id | string |
paloalto.panorama.pod_namespace | string |
paloalto.panorama.pod_name | string |
paloalto.panorama.src_edl | text_general |
paloalto.panorama.dst_edl | text_general |
paloalto.panorama.src_dag | string |
paloalto.panorama.dst_dag | string |
paloalto.panorama.session_owner | string |
paloalto.panorama.tunneled_app | string |
paloalto.panorama.offloaded | string |
paloalto.panorama.flow_type | string |
paloalto.panorama.max_encap | plong |
paloalto.panorama.unknown_proto | plong |
paloalto.panorama.strict_check | plong |
paloalto.panorama.tunnel_fragment | plong |
paloalto.panorama.sessions_created | plong |
paloalto.panorama.sessions_closed | plong |
paloalto.panorama.nssai_sd | string |
paloalto.panorama.pdu_session_id | string |
paloalto.panorama.ip | string |
paloalto.panorama.user | string |
paloalto.panorama.eventid | string |
paloalto.panorama.beginport | pint |
paloalto.panorama.endport | pint |
paloalto.panorama.datasource | string |
paloalto.panorama.datasourcetype | string |
paloalto.panorama.factortype | string |
paloalto.panorama.factorcompletiontime | pdate |
paloalto.panorama.factorno | string |
paloalto.panorama.ugflags | string |
paloalto.panorama.userbysource | string |
paloalto.panorama.origindatasource | string |
paloalto.panorama.host | string |
paloalto.panorama.cmd | string |
paloalto.panorama.admin | string |
paloalto.panorama.client | string |
paloalto.panorama.result | string |
paloalto.panorama.path | string |
paloalto.panorama.before_change_detail | string |
paloalto.panorama.after_change_detail | string |
paloalto.panorama.dg_id | string |
paloalto.panorama.comment | text_general |
paloalto.panorama.config_ver | string |
paloalto.panorama.hs_stage_c2f | string |
paloalto.panorama.hs_stage_f2s | string |
paloalto.panorama.tls_version | string |
paloalto.panorama.tls_keyxchg | string |
paloalto.panorama.tls_enc | string |
paloalto.panorama.tls_auth | string |
paloalto.panorama.policy_name | string |
paloalto.panorama.ec_curve | string |
paloalto.panorama.err_index | string |
paloalto.panorama.root_status | string |
paloalto.panorama.chain_status | string |
paloalto.panorama.proxy_type | string |
paloalto.panorama.cert_serial | string |
paloalto.panorama.fingerprint | string |
paloalto.panorama.notbefore | pdate |
paloalto.panorama.notafter | pdate |
paloalto.panorama.cert_ver | string |
paloalto.panorama.cert_size | pint |
paloalto.panorama.cn_len | pint |
paloalto.panorama.issuer_len | pint |
paloalto.panorama.rootcn_len | pint |
paloalto.panorama.sni_len | pint |
paloalto.panorama.cert_flags | string |
paloalto.panorama.cn | string |
paloalto.panorama.issuer_cn | string |
paloalto.panorama.root_cn | string |
paloalto.panorama.sni | string |
paloalto.panorama.error | text_general |
paloalto.panorama.stage | string |
paloalto.panorama.auth_method | string |
paloalto.panorama.tunnel_type | string |
paloalto.panorama.srcregion | string |
paloalto.panorama.public_ip | string |
paloalto.panorama.public_ipv6 | string |
paloalto.panorama.private_ip | string |
paloalto.panorama.private_ipv6 | string |
paloalto.panorama.client_ver | string |
paloalto.panorama.client_os | string |
paloalto.panorama.client_os_ver | string |
paloalto.panorama.reason | text_general |
paloalto.panorama.opaque | text_general |
paloalto.panorama.status | string |
paloalto.panorama.location | string |
paloalto.panorama.login_duration | pint |
paloalto.panorama.connect_method | string |
paloalto.panorama.error_code | plong |
paloalto.panorama.portal | string |
paloalto.panorama.selection_type | string |
paloalto.panorama.response_time | pint |
paloalto.panorama.priority | pint |
paloalto.panorama.attempted_gateways | string [] |
paloalto.panorama.gateway | string |
paloalto.panorama.normalize_user | string |
paloalto.panorama.object | string |
paloalto.panorama.authpolicy | string |
paloalto.panorama.authid | string |
paloalto.panorama.vendor | string |
paloalto.panorama.serverprofile | string |
paloalto.panorama.desc | text_general |
paloalto.panorama.clienttype | string |
paloalto.panorama.event | string |
paloalto.panorama.authproto | string |
paloalto.panorama.region | string |
paloalto.panorama.user_agent | string |
paloalto.panorama.module | string |
paloalto.panorama.misc | string |
paloalto.panorama.threatid | text_general |
paloalto.panorama.direction | string |
paloalto.panorama.contenttype | string |
paloalto.panorama.filedigest | string |
paloalto.panorama.cloud | string |
paloalto.panorama.url_idx | pint |
paloalto.panorama.filetype | string |
paloalto.panorama.xff | string |
paloalto.panorama.referer | string |
paloalto.panorama.sender | string |
paloalto.panorama.subject | text_general |
paloalto.panorama.recipient | string |
paloalto.panorama.reportid | plong |
paloalto.panorama.http_method | string |
paloalto.panorama.tunnel_id | string |
paloalto.panorama.thr_category | string |
paloalto.panorama.contentver | string |
paloalto.panorama.http_headers | string |
paloalto.panorama.url_category_list | string |
paloalto.panorama.domain_edl | string |
paloalto.panorama.partial_hash | string |
paloalto.panorama.justification | string |
paloalto.panorama.nssai_sst | string |
paloalto.panorama.cloud_reportid | string |
Sample Log Event
Below is a representative JSON log entry showing key fields as they’re emitted by the system. Depending on the context of the event, some fields may be omitted if they’re not applicable.