Palo Alto
Integration of Palo Alto's System, Configuration, Traffic and Threat logs into XpoLog.
Prerequisites:
A. Open the relevant ports (TCP\UDP) on the XpoLog machine.
B. Create a syslog listener on the listeners tab in XpoLog that will listen and collect the log from the Palo Alto machine.
Palo Alto Configurations:
1. Open the relevant port on the Palo Alto Machine:
I. Login to the GUI of the Palo Alto machine, and then enter to Objects->Services->Add.
II. During the creation of the service, you have to determine the name for the service, the format\protocol in which the service will send the data (ie TCP or UDP), source port and the destination port (which you have already configured in XpoLog’s listener).
2. Create new syslog device which will send the system and configuration logs into XpoLog:
I. From the GUI of the Palo Alto, enter to Devices->Server Profiles->Syslog->Add.
II. During the creation of the device, you have to determine the name for the syslog server profile, and also to configure the values for the following fields.
- Name—Unique name for the server profile.
- Syslog Server—IP address or fully qualified domain name (FQDN) of the syslog server (in case that DNS server was configured)
- Transport—Select TCP, UDP, or SSL (TLS) as the protocol for communicating with the syslog server. For SSL, the firewall supports only TLSv1.2.
- Port—The port number on which to send syslog messages (default is UDP on port 514); you must use the same port number on the firewall and the syslog server.
- Format—Select the syslog message format to use: BSD (the default) or IETF. Traditionally, BSD format is over UDP and IETF format is over TCP or SSL/TLS.
- Facility—Select a syslog standard value (default is LOG_USER) to calculate the priority (PRI) field in your syslog server implementation. Select the value that maps to how you use the PRI field to manage your syslog messages.
3. Configure the 'Log Settings' for your System and Configuration logs:
I. From the GUI of your Palo Alto, enter to Devices->Log Settings, and add new log setting under the relevant tab (system\configuration\traffic'threat).
II. Please grant a name for the log setting and under the 'syslog\ tab, choose the syslog devices that you have already configured in section 2 and add them.
4. Create a 'Log Forwarder' for your logs.
I. From the GUI of the Palo Alto, enter to Objects - > Log Forwarding - > Add.
II. Name the log forwarder. Then from the syslog tab, choose the devices that you have already configured in section 2 and add them.
5. Commit all these configuration changes - from the top left part of the GUI, press on the ‘commit’ button in order that the configuration changes will take effect.
XpoLog Configurations (edit the syslog logs that were generated for the Palo Alto machine):
System Log -
I. For the syslog of the system log, set the logTypes of the syslog to ‘syslog,paloalto,system,audit’.
II. Apply the following pattern on the log (default pattern)
XPLG:[{timestamp:Timestamp,MM/dd/yyyy HH:mm:ss.SSS}] [{text:Facility}] [{priority:Level,DEBUG;INFO;WARN;ERROR;FATAL}] [{text:Source Device}] {block,start,emptiness=true}{text:Application Name}[{text:Process Id}]: {block,end,emptiness=true}{text:Device,ftype=device} {text:Domain,ftype=domain},{date:Receive Time,yyyy/MM/dd HH:mm:ss},{text:Serial#,ftype=serial},{text:Type,ftype=eventSource},{text:Subtype,ftype=subtype},{text:Config Version,ftype=configversion},{date:Time Generated,yyyy/MM/dd HH:mm:ss},{block,start,emptiness=true}{text:Virtual System,ftype=virtualsystem}{block,end,emptiness=true},{text:Event ID,ftype=eventName},{block,start,emptiness=true}{text:Object,ftype=object}{block,end,emptiness=true},{text:fmt,ftype=fmt},{text:ID,ftype=id},{text:Module,ftype=module},{priority:Severity,ftype=status;High;Medium;Low;Informational},"{text:Description,ftype=message;,}"{regexp:Username,ftype=username;refName=Description,(Failed password for |User |for user \u0027|Password changed for user |failed authentication for user \u0027 |authenticated for user \u0027)[XPLG_PARAM([^\u0027\s]+)].*}{regexp:SourceIP,ftype=sourceip;refName=Description,(From: |from )[XPLG_PARAM([^\s]\d+\.\d+\.\d+.\d+)].*}{regexp:logout,ftype=logout;refName=Description,logged out},{text:Sequence Number,ftype=sequencenumber},{text:Action Flags,ftype=actionflags},{text:dg_hier_level_1,ftype=dghierlevel1},{text:dg_hier_level_2,ftype=dghierlevel2},{text:dg_hier_level_3,ftype=dghierlevel3},{text:dg_hier_level_4,ftype=dghierlevel4},{text:Virtual System Name,ftype=vsysname},{text:Device Name,ftype=devicename}{eoe}
Configuration Log -
I. For the syslog of the configuration log, set the logTypes of this log to 'syslog,paloalto,configuration.audit'.
II. Apply the following pattern on the log:
XPLG:[{timestamp:Timestamp,MM/dd/yyyy HH:mm:ss.SSS}] [{text:Facility,ftype=facility}] [{priority:Level,ftype=level,DEBUG;INFO;WARN;ERROR;FATAL}] [{text:Source Device,ftype=source-device}] {block,start,emptiness=true}{text:Application Name,ftype=app-name}[{text:Process Id,ftype=pid}]: {block,end,emptiness=true}{text:Device} {text:Domain,ftype=domain;,},{date:Receive Time,yyyy/MM/dd HH:mm:ss},{text:Serial#,ftype=serial},{text:Type,ftype=eventSource},{text:Subtype,ftype=subtype},{text:Config Version,ftype=configversion},{date:Time Generated,yyyy/MM/dd HH:mm:ss},{geoip:Host,ftype=sourceip;type=country:region:city;,},{text:Virtual System,ftype=virtualsystem},{choice:CMD,ftype=command,add,clone.commit,delete,edit,move,rename,set},{text:Admin,ftype=username},{choice:Client,ftype=client,Web,CLI},{choice:Result,ftype=status,Submitted,Succeeded,Failed,Unauthorized},{text:Configuration-path,ftype=path}{regexp:Event Name,ftype=eventName;refName=configuration-path,config mgt-config users|config shared local-user-database user |config shared local-user-database user-group|config shared admin-role|config shared authentication-profile|config mgt-config password-profile}{regexp:Audited_Object,ftype=auditedobject;refName=configuration-path,(config mgt-config users|config shared local-user-database user |config shared local-user-database user-group |config shared admin-role |config shared authentication-profile |config mgt-config password-profile )[XPLG_PARAM([^,]+)]},{text:Sequence Number,ftype=sequencenumber},{text:Action Flags,ftype=actionflags},{text:dg_hier_level_1,ftype=dghierlevel1},{text:dg_hier_level_2,ftype=dghierlevel2},{text:dg_hier_level_3,ftype=dghierlevel3},{text:dg_hier_level_4,ftype=dghierlevel4},{text:Virtual System Name,ftype=vsysname},{text:Device Name,ftype=devicename}{eoe}
Threat Log -
I. For the syslog of the threat log, set the logTypes of this log to 'syslog,paloalto,threat'.
II. Apply the following pattern on the log:
XPLG:[{timestamp:Timestamp,MM/dd/yyyy HH:mm:ss.SSS}] [{text:Facility,ftype=facility}] [{priority:Level,ftype=level,DEBUG;INFO;WARN;ERROR;FATAL}] [{text:Source Device,ftype=source-device}] {block,start,emptiness=true}{text:Application Name,ftype=app-name}[{text:Process Id,ftype=pid}]: {block,end,emptiness=true}{text:Device,ftype=device} {text:Domain,ftype=domain},{date:Receive Time,yyyy/MM/dd HH:mm:ss},{text:Serial#,ftype=serial},{text:Type,ftype=eventSource},{text:Subtype,ftype=subtype},{text:Config Version,ftype=configversion},{date:CEF-Formatted-Time-Generated,yyyy/MM/dd HH:mm:ss},{ip:SourceIP,ftype=sourceip},{ip:Destination IP,ftype=targetip},{ip:Nat SourceIP,ftype=natsourceip},{ip:Nat Destination IP,ftype=nattargetip},{text:Rule Name,ftype=rulename},{text:Source User,ftype=username},{text:Destination User,ftype=dstusername},{text:Application,ftype=application},{block,start,emptiness=true}{text:Virtual System,ftype=virtualsystem}{block,end,emptiness=true},{text:Source Zone,ftype=srczone},{text:Destination Zone,ftype=dstzone},{text:Inbound Interface,ftype=srcintf},{text:Outbound Interface,ftype=dstintf},{text:Log Action,ftype=logaction},{date:Time Logged,yyyy/MM/dd HH:mm:ss},{text:SessionID,ftype=sessionid},{text:Repeat Count,ftype=repeatcount},{number:Source Port,ftype=sourceport},{number:Destination Port,ftype=dstport},{number:Nat Source Port,ftype=natsrcport},{number:Nat Destination Port,ftype=natdstport},{text:Flags,ftype=flags},{text:IP Protocol,ftype=ipprotocol},{text:Action,ftype=eventName},{url:URL,paramsFtype=querystring;ftype=requrl;paramsName=Query;,},{text:Threat/Content Name,ftype=threatcontentname},{text:Category,ftype=category},{priority:Severity,ftype=status;Critical;High;Medium;Low;Informational},{text:Direction,ftype=direction},{text:Sequence Number,ftype=sequencenumber},{text:Action Flags,ftype=actionflags},{text:Source Country,ftype=srccountry},{text:Destination Country,ftype=dstcountry},{text:cpadding,ftype=cpadding},{text:Content Type,ftype=contenttype},{text:PCAP ID,ftype=pcapap},{text:File Digest,ftype=filedigest},{text:Cloud,ftype=cloud},{text:URL Index,ftype=urlindex},{text:User Agent,ftype=useragent},{text:File Type,ftype=filetype},{text:X-Forwarded-For,ftype=forwardedforip},{text:RefererQuery,ftype=refererquery;,}{regexp:Referer,ftype=referer;refName=RefererQuery,^([w-]+://[^?]+|/[^?]+)},{text:Sender,ftype=sender},{text:Subject,ftype=subject},{text:Recipient,ftype=recipient},{text:Report ID,ftype=reportid},{text:dg_hier_level_1,ftype=dghierlevel1},{text:dg_hier_level_2,ftype=dghierlevel2},{text:dg_hier_level_3,ftype=dghierlevel3},{text:dg_hier_level_4,ftype=dghierlevel4},{text:Virtual System Name,ftype=vsysname},{text:Device Name,ftype=devicename},{url:URL,paramsFtype=querystring;ftype=requrl;paramsName=Query;,},{text:Source VM UUID,ftype=sourcevmuuid},{text:Destination VM UUID,ftype=targetvmuuid},{choice:Method,ftype=reqmethod;,Connect;Delete;Get;Head;Options;Post;Put},{text:Tunnel ID/IMSI,ftype=tunnelid},{text:Monitor Tag/IMEI,ftype=monitortag},{text:Parent Session ID,ftype=parentsessionid},{text:Parent Start Time,ftype=parentstarttime},{text:Tunnel Type,ftype=tunneltype},{text:Threat Category,ftype=threatcategory},{text:Content Version,ftype=contentversion},{text:SIG_Flags,ftype=sigflafs},{text:SCTP Assoication ID,ftype=sctpassociationid},{text:Payload Protocol ID,ftype=payloadprotocolid},{text:HTTP Headers,ftype=httpheaders}{eoe}
Traffic Log -
I. For the syslog of the traggic log, set the logTypes of this log to 'syslog,paloalto,traffic'.
II. Apply the following pattern on the log:
XPLG:[{timestamp:Timestamp,MM/dd/yyyy HH:mm:ss.SSS}] [{text:Facility,ftype=facility}] [{priority:Level,ftype=level,DEBUG;INFO;WARN;ERROR;FATAL}] [{text:Source Device,ftype=source-device}] {block,start,emptiness=true}{text:Application Name,ftype=app-name}[{text:Process Id,ftype=pid}]: {block,end,emptiness=true}{text:Device,ftype=device} {text:Domain,ftype=domain},{date:Receive Time,yyyy/MM/dd HH:mm:ss},{text:Serial#,ftype=serial},{text:Type,ftype=eventSource},{text:Subtype,ftype=subtype},{text:Config Version,ftype=configversion},{date:CEF-Formatted-Time-Generated,yyyy/MM/dd HH:mm:ss},{ip:SourceIP,ftype=sourceip},{ip:Destination IP,ftype=targetip},{ip:Nat SourceIP,ftype=natsourceip},{ip:Nat Destination IP,ftype=nattargetip},{text:Rule Name,ftype=rulename},{text:Source User,ftype=username},{text:Destination User,ftype=dstusername},{text:Application,ftype=application},{block,start,emptiness=true}{text:Virtual System,ftype=virtualsystem}{block,end,emptiness=true},{text:Source Zone,ftype=srczone},{text:Destination Zone,ftype=dstzone},{text:Inbound Interface,ftype=srcintf},{text:Outbound Interface,ftype=dstintf},{text:Log Action,ftype=logaction},{date:Time Logged,yyyy/MM/dd HH:mm:ss},{text:SessionID,ftype=sessionid},{text:Repeat Count,ftype=repeatcount},{number:Source Port,ftype=sourceport},{number:Destination Port,ftype=dstport},{number:Nat Source Port,ftype=natsourceport},{number:Nat Destination Port,ftype=natdstport},{text:Flags,ftype=flags},{text:IP Protocol,ftype=ipprotocol},{text:Action,ftype=eventName},{number:Bytes,ftype=bytes},{text:Bytes Sent,ftype=bytesent},{text:Bytes Received,ftype=bytesreceived},{number:Packets,ftype=packets},{text:Start,ftype=start},{number:Elapsed Time(sec),ftype=elapsedtime},{text:Category,ftype=category},{text:tpadding,ftype=tpadding},{text:Sequence Number,ftype=sequencenumber},{text:Action Flags,ftype=actionflags},{text:Source Country,ftype=srccountry},{text:Destination Country,ftype=dstcountry},{text:cpadding,ftype=cpadding},{number:Sent Packets,ftype=sentpkt},{number:Received Packets,ftype=rcvdpkt},{text:Session End Reason,ftype=sessionendreason},{text:dg_hier_level_1,ftype=dghierlevel1},{text:dg_hier_level_2,ftype=dghierlevel2},{text:dg_hier_level_3,ftype=dghierlevel3},{text:dg_hier_level_4,ftype=dghierlevel4},{text:Virtual System Name,ftype=vsysname},{text:Device Name,ftype=devicename},{text:Action Source,ftype=actionsource},{text:Source VM UUID,ftype=sourcevmuuid},{text:Destination VM UUID,ftype=targetvmuuid},{text:Tunnel ID,ftype=tunnelid},{text:Monitor Tag,ftype=monitortag},{text:Parent Session ID,ftype=parentsessionid},{text:Parent Start Time,ftype=parentstarttime},{text:Tunnel Type,ftype=tunneltype},{text:SCTP Assoication ID,ftype=sctpassociationid},{number:SCTP Chunks,ftype=chunks},{number:SCTP Chunks Sent,ftype=chunkssent},{number:SCTP Chunks Received,ftype=chunksreceived}{eoe}
For more information about the system log fields, see below the format Conversion Table:
Field Name | Description | XpoLog Pattern | Ftype |
$domain | The domain which the messages were sent from. | {text:Domain,ftype=domain} | domain |
| $dev | The device which the messages were sent from. | {text:Device,ftype=device} | device |
$receive_time | Time the log was received at the management plane | {date:Receive Time,yyyy/MM/dd HH:mm:ss} |
|
$serial | Serial number of the firewall that generated the log | {text:Serial#,ftype=serial} | serial |
$type | Type of log; values are traffic, threat, config, system and hip-match | {text:Type,ftype=eventSource} | eventSource |
$subtype | Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn. | {text:Subtype,ftype=subtype} | subtype |
| $configversion | Config Version associated with the system log. | {text:Config Version,ftype=configversion} | configversion |
$time_generated | Time the log was generated on the dataplane. | {date:Time Generated,yyyy/MM/dd HH:mm:ss} |
|
$vsys | Virtual System associated with the system log. | {block,start,emptiness=true}{text:Virtual System,ftype=virtualsystem}{block,end,emptiness=true} | virtualsystem |
$eventid | String showing the name of the event. | {text:Event ID,ftype=eventName} | eventName |
$object | Name of the object associated with the system event | {block,start,emptiness=true}{text:Object,ftype=object}{block,end,emptiness=true} | object |
| $fmt | {text:fmt,ftype=fmt} | fmt | |
| $id | {text:ID,ftype=id} | id | |
$module | This field is valid only when the value of the Subtype field is general. It provides additional information about the sub-system generating the log; values are general, management, auth, ha, upgrade, chassis. | {text:Module,ftype=module} | module |
$severity | Severity associated with the event; values are informational, low, medium, high, critical | {priority:Severity,ftype=status;High;Medium;Low;Informational} | status |
| $opaque | Detailed description of the event, up to a maximum of 512 bytes | "{text:Description,ftype=message;,}"{regexp:Username,ftype=username;refName=Description,(Failed password for |User |for user \u0027|Password changed for user |failed authentication for user \u0027 |authenticated for user \u0027)[XPLG_PARAM([^\u0027\s]+)].*}{regexp:SourceIP,ftype=sourceip;refName=Description,(From: |from )[XPLG_PARAM([^\s]\d+\.\d+\.\d+.\d+)].*}{regexp:logout,ftype=logout;refName=Description,logged out} | message username sourceip logout |
$seqno | A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. | {{text:Sequence Number,ftype=sequencenumber} | sequencenumber |
$actionflags | A bit field indicating if the log was forwarded to Panorama | {text:Action Flags,ftype=actionflags} | actionflags |
$dg_hier_level_1 $dg_hier_level_2 $dg_hier_level_3 $dg_hier_level_4 | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
| {text:dg_hier_level_1,ftype=dghierlevel1},{text:dg_hier_level_2,ftype=dghierlevel2},{text:dg_hier_level_3,ftype=dghierlevel3},{text:dg_hier_level_4,ftype=dghierlevel4} | dghierlevel1 dghierlevel2 dghierlevel3 dghierlevel4 |
$vsys_name | The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems. | {text:Virtual System Name,ftype=vsysname} | vsysname |
$device_name | The hostname of the firewall on which the session was logged. | {text:Device Name,ftype=devicename} | devicename |
| $cef-formatted-receive_time | {date:CEF-Formatted-Receive-Time,MMM dd yyyy HH:mm:ss z} | ||
| $cef-formatted-time_generated | {date:CEF-Formatted-Time-Generated,MMM dd yyyy HH:mm:ss z} | ||
| $cef-number-of-severity | {number:CEF-Number-Of-Severity,ftype=cefnumberofseverity} | cefnumberofseverity | |
| $number-of-severity | {number:Number-Of-Severity,ftype=numberofseverity} | numberofseverity | |
| $sender_sw_version | {text:Sender_Sw_Version,ftype=senderswversion} | senderswversion | |
| $vsys_id | {block,start,emptiness=true}{text:Virtual System ID,ftype=virtualsystemid}{block,end,emptiness=true} | virtualsystemid |
For more information about the configuration log fields, see below the format Conversion Table:
Field Name | Description | XpoLog Pattern | Ftype |
$domain | The domain which the messages were sent from. | {text:Domain,ftype=domain} | domain |
| $dev | The device which the messages were sent from. | {text:Device,ftype=device} | device |
$receive_time | Time the log was received at the management plane | {date:Receive Time,yyyy/MM/dd HH:mm:ss} |
|
$serial | Serial number of the firewall that generated the log | {text:Serial#,ftype=serial} | serial |
$type | Type of log; values are traffic, threat, config, system and hip-match | {text:Type,ftype=eventSource} | eventSource |
$subtype | Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn. | {text:Subtype,ftype=subtype} | subtype |
| $configversion | Config Version associated with the system log. | {text:Config Version,ftype=configversion} | configversion |
$time_generated | Time the log was generated on the dataplane. | {date:Time Generated,yyyy/MM/dd HH:mm:ss} | |
$host | Hostname or IP address of the client machine | {geoip:Host,ftype=sourceip;type=country:region:city;,} | sourceip |
$vsys | Virtual System associated with the configuration log | {block,start,emptiness=true}{text:Virtual System,ftype=virtualsystem}{block,end,emptiness=true} | virtualsystem |
$cmd | Command performed by the Admin; values are add, clone, commit, delete, edit, move, rename, set. | {choice:CMD,ftype=command,add,clone.commit,delete,edit,move,rename,set} | command |
$admin | Username of the Administrator performing the configuration | {text:Admin,ftype=username} | username |
$client | Client used by the Administrator; values are Web and CLI | {choice:Client,ftype=client,Web,CLI} | client |
$result |
| {choice:Result,ftype=status,Submitted,Succeeded,Failed,Unauthorized} | status |
$path |
| {{text:Configuration-path,ftype=path}{regexp:Event Name,ftype=eventName;refName=configuration-path,config mgt-config users|config shared local-user-database user |config shared local-user-database user-group|config shared admin-role|config shared authentication-profile|config mgt-config password-profile}{regexp:Audited_Object,ftype=auditedobject;refName=configuration-path,(config mgt-config users|config shared local-user-database user |config shared local-user-database user-group |config shared admin-role |config shared authentication-profile |config mgt-config password-profile )[XPLG_PARAM([^,]+)]} | path eventName auditedobject |
| $before-change-detail | This field is in custom logs only; it is not in the default format. It contains the full xpath before the configuration change. | {text:Before-Change-Detail,ftype=beforechangedetail} | beforechangedetail |
| $after-change-detail | This field is in custom logs only; it is not in the default format. It contains the full xpath after the configuration change. | {text:After-Change-Detail,ftype=afterchangedetail} | afterchangedetail |
$seqno | A 64bit log entry identifier incremented sequentially; each log type has a unique number space. | {text:Sequence Number,ftype=sequencenumber} | sequencenumber |
$actionflags |
| {text:Action Flags,ftype=actionflags} | actionflags |
Device Group Hierarchy $dg_hier_level_1 $dg_hier_level_2 $dg_hier_level_3 $dg_hier_level_4 | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
| {text:dg_hier_level_1,ftype=dghierlevel1},{text:dg_hier_level_2,ftype=dghierlevel2},{text:dg_hier_level_3,ftype=dghierlevel3},{text:dg_hier_level_4,ftype=dghierlevel4} | dghierlevel1 dghierlevel2 dghierlevel3 dghierlevel4 |
$vsys_name | The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems. | {text:Virtual System Name,ftype=vsysname} | vsysname |
$device_name | The hostname of the firewall on which the session was logged. | {text:Device Name,ftype=devicename} | devicename |
| $cef-formatted-receive_time | {date:CEF-Formatted-Receive-Time,MMM dd yyyy HH:mm:ss z} | ||
| $cef-formatted-time_generated | {date:CEF-Formatted-Time-Generated,MMM dd yyyy HH:mm:ss z} | ||
| $sender_sw_version | {text:Sender_Sw_Version,ftype=senderswversion} | senderswversion | |
| $vsys_id | {block,start,emptiness=true}{text:Virtual System ID,ftype=virtualsystemid}{block,end,emptiness=true} | virtualsystemid |
Field Name | Description | XpoLog Pattern | Ftype |
$domain | The domain which the messages were sent from. | {text:Domain,ftype=domain} | domain |
| $dev | The device which the messages were sent from. | {text:Device,ftype=device} | device |
$receive_time | Time the log was received at the management plane | {date:Receive Time,yyyy/MM/dd HH:mm:ss} |
|
$serial | Serial number of the firewall that generated the log | {text:Serial#,ftype=serial} | serial |
$type | Type of log; values are traffic, threat, config, system and hip-match | {text:Type,ftype=eventSource} | eventSource |
$subtype | Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn. | {text:Subtype,ftype=subtype} | subtype |
| $configversion | Config Version associated with the system log. | {text:Config Version,ftype=configversion} | configversion |
$time_generated | Time the log was generated on the dataplane. | {date:Time Generated,yyyy/MM/dd HH:mm:ss} |
|
$vsys | Virtual System associated with the system log. | {block,start,emptiness=true}{text:Virtual System,ftype=virtualsystem}{block,end,emptiness=true} | virtualsystem |
$eventid | String showing the name of the event. | {text:Event ID,ftype=eventName} | eventName |
$object | Name of the object associated with the system event | {block,start,emptiness=true}{text:Object,ftype=object}{block,end,emptiness=true} | object |
| $fmt | {text:fmt,ftype=fmt} | fmt | |
| $id | {text:ID,ftype=id} | id | |
$module | This field is valid only when the value of the Subtype field is general. It provides additional information about the sub-system generating the log; values are general, management, auth, ha, upgrade, chassis. | {text:Module,ftype=module} | module |
$severity | Severity associated with the event; values are informational, low, medium, high, critical | {priority:Severity,ftype=status;High;Medium;Low;Informational} | status |
| $opaque | Detailed description of the event, up to a maximum of 512 bytes | "{text:Description,ftype=message;,}"{regexp:Username,ftype=username;refName=Description,(Failed password for |User |for user \u0027|Password changed for user |failed authentication for user \u0027 |authenticated for user \u0027)[XPLG_PARAM([^\u0027\s]+)].*}{regexp:SourceIP,ftype=sourceip;refName=Description,(From: |from )[XPLG_PARAM([^\s]\d+\.\d+\.\d+.\d+)].*}{regexp:logout,ftype=logout;refName=Description,logged out} | message username sourceip logout |
$seqno | A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. | {{text:Sequence Number,ftype=sequencenumber} | sequencenumber |
$actionflags | A bit field indicating if the log was forwarded to Panorama | {text:Action Flags,ftype=actionflags} | actionflags |
$dg_hier_level_1 $dg_hier_level_2 $dg_hier_level_3 $dg_hier_level_4 | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
| {text:dg_hier_level_1,ftype=dghierlevel1},{text:dg_hier_level_2,ftype=dghierlevel2},{text:dg_hier_level_3,ftype=dghierlevel3},{text:dg_hier_level_4,ftype=dghierlevel4} | dghierlevel1 dghierlevel2 dghierlevel3 dghierlevel4 |
$vsys_name | The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems. | {text:Virtual System Name,ftype=vsysname} | vsysname |
$device_name | The hostname of the firewall on which the session was logged. | {text:Device Name,ftype=devicename} | devicename |
| $cef-formatted-receive_time | {date:CEF-Formatted-Receive-Time,MMM dd yyyy HH:mm:ss z} | ||
| $cef-formatted-time_generated | {date:CEF-Formatted-Time-Generated,MMM dd yyyy HH:mm:ss z} | ||
| $cef-number-of-severity | {number:CEF-Number-Of-Severity,ftype=cefnumberofseverity} | cefnumberofseverity | |
| $number-of-severity | {number:Number-Of-Severity,ftype=numberofseverity} | numberofseverity | |
| $sender_sw_version | {text:Sender_Sw_Version,ftype=senderswversion} | senderswversion | |
| $vsys_id | {block,start,emptiness=true}{text:Virtual System ID,ftype=virtualsystemid}{block,end,emptiness=true} | virtualsystemid |
For more information about the threat log fields, see below the format Conversion Table:
Field Name | Description | XpoLog Pattern | Ftype |
$domain | The domain which the messages were sent from. | {text:Domain,ftype=domain} | domain |
| $dev | The device which the messages were sent from. | {text:Device,ftype=device} | device |
$receive_time | Time the log was received at the management plane | {date:Receive Time,yyyy/MM/dd HH:mm:ss} |
|
$serial | Serial number of the firewall that generated the log | {text:Serial#,ftype=serial} | serial |
$type | Type of log; values are traffic, threat, config, system and hip-match | {text:Type,ftype=eventSource} | eventSource |
$subtype | Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn. | {text:Subtype,ftype=subtype} | subtype |
| $configversion | Config Version associated with the system log. | {text:Config Version,ftype=configversion} | configversion |
$time_generated | Time the log was generated on the dataplane. | {date:Time Generated,yyyy/MM/dd HH:mm:ss} | |
$src | Original session source IP address | {ip:SourceIP,ftype=sourceip} | sourceip |
$dst | Original session destination IP address. | {ip:DetinationIP,ftype=targetip} | targetip |
$natsrc | If source NAT performed, the post-NAT source IP address. | {ip:Nat SourceIP,ftype=natsourceip} | natsourceip |
$natdst | If destination NAT performed, the post-NAT destination IP address. | {ip:Nat DestinationIP,ftype=natdestinationip} | natdestinationip |
$rule | Name of the rule that the session matched. | {text:Rule Name,ftype=rulename} | rulename |
$srcuser | Username of the user who initiated the session. | {text:Source User,ftype=username} | username |
| $dstuser | Username of the user to which the session was destined. | {text:Destination User,ftype=dstusername} | dstusername |
| $app | Application associated with the session. | {text:Application,ftype=application} | application |
| $vsys | Virtual System associated with the session. | {block,start,emptiness=true}{text:Virtual System,ftype=virtualsystem}{block,end,emptiness=true} | virtualsystem |
| $srczone | Zone the session was sourced from. | {text:Source Zone,ftype=srczone} | srczone |
| $dstzone | Zone the session was destined to. | {text:Destination Zone,ftype=dstzone} | dstzone |
| $inbound_if | Interface that the session was sourced from. | {text:Inbound Interface,ftype=srcintf} | srcintf |
| $outbound_if | Interface that the session was destined to. | {text:Outbound Interface,ftype=dstntf} | dstintf |
| $logset | Log Forwarding Profile that was applied to the session. | {text:Log Action,ftype=logaction} | logaction |
| $time_logged | {date:Time Logged,yyyy/MM/dd HH:mm:ss} | ||
| $sessionid | An internal numerical identifier applied to each session. | {text:Session ID,ftype=sessionid} | sessionid |
| $repeatcnt | Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen within 5 seconds. | {text:Repeat Count,ftype=repeatcount} | repeatcnt |
| $sport | Source port utilized by the session. | {text:Source Port,ftype=srcport} | srcport |
| $dport | Destination port utilized by the session. | {text:Destination Port,ftype=dstport} | dstport |
| $natsport | Post-NAT source port. | {text:Nat Source Port,ftype=natsrcport} | natsrcport |
| $natdport | Post-NAT destination port. | {text:Nat Destinationport,ftype=natdstport} | natdstport |
| $flags | 32-bit field that provides details on session; | {text:Flags,ftype=flags} | flags |
| $proto | IP protocol associated with the session. | {text:IP Protocol,ftype=ipprotocol} | ipprotocol |
| $action | Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url. | {text:Action,ftype=eventName} | eventName |
| $file_url | Field with variable length. A Filename has a maximum of 63 characters. A URL has a maximum of 1023 characters | "{text:URL/Filename,ftype=requrl}" | requrl |
| $contentname | Palo Alto Networks identifier for the threat. | {text:Threat/Content Name,ftype=threatcontentname} | threatcontentname |
| $category | For URL Subtype, it is the URL Category; For WildFire subtype, it is the verdict on the file and is either ‘malicious’, ‘phishing’, ‘grayware’, or ‘benign’; For other subtypes, the value is ‘any’. | {text:Category,ftype=category} | category |
| $severity | Severity associated with the threat; values are informational, low, medium, high, critical. | {priority:Severity,ftype=status;High;Medium;Low;Informational} | status |
| $direction | Indicates the direction of the attack, client-to-server or server-to-client:
| {text:Direction,ftype=direction} | direction |
$seqno | A 64bit log entry identifier incremented sequentially; each log type has a unique number space. | {text:Sequence Number,ftype=sequencenumber} | sequencenumber |
$actionflags |
| {text:Action Flags,ftype=actionflags} | actionflags |
| $srcloc | Source country or Internal region for private addresses. Maximum length is 32 bytes. | {text:Source Country,ftype=srcountry} | srccountry |
$dstloc | Destination country or Internal region for private addresses. Maximum length is 32 bytes. | {text:Destination Country,ftype=dstcountry} | dstcountry |
| $padding | {text:cpadding,ftype=cpadding} | cpadding | |
| $contenttype | Applicable only when Subtype is URL. Content type of the HTTP response data. Maximum length 32 bytes. | {text:Content Type,ftype=contenttype} | contenttype |
| $pcap_id | The packet capture (pcap) ID is a 64 bit unsigned integral denoting an ID to correlate threat pcap files with extended pcaps taken as a part of that flow. All threat logs will contain either a pcap_id of 0 (no associated pcap), or an ID referencing the extended pcap file. | {text:PCAP ID,ftype=pcapid} | pcapid |
| $filedigest | Only for WildFire subtype; all other types do not use this field The filedigest string shows the binary hash of the file sent to be analyzed by the WildFire service. | {text:File Digest,ftype=filedigest} | filedigest |
| $cloud | Only for WildFire subtype; all other types do not use this field. The cloud string displays the FQDN of either the WildFire appliance (private) or the WildFire cloud (public) from where the file was uploaded for analysis. | {text:Cloud,ftype=cloud} | cloud |
| $url_idx | Used in URL Filtering and WildFire subtypes. | {text:URL Index,ftype=urlindex} | urlindex |
| $user_agent | Only for the URL Filtering subtype; all other types do not use this field. | {text:User Agent,ftype=useragent} | useragent |
| $filetype | Only for WildFire subtype; all other types do not use this field. Specifies the type of file that the firewall forwarded for WildFire analysis. | {text:File Type,ftype=filetype} | filetype |
| $xff | Only for the URL Filtering subtype; all other types do not use this field. The X-Forwarded-For field in the HTTP header contains the IP address of the user who requested the web page. It allows you to identify the IP address of the user, which is useful particularly if you have a proxy server on your network that replaces the user IP address with its own address in the source IP address field of the packet header. | {text:X-Forwarded-For,ftype=forwardedforip} | forwardedforip |
| $referer | Only for the URL Filtering subtype; all other types do not use this field. The Referer field in the HTTP header contains the URL of the web page that linked the user to another web page; it is the source that redirected (referred) the user to the web page that is being requested. | {text:RefererQuery,ftype=refererquery;,}{regexp:Referer,ftype=referer;refName=RefererQuery,^([\w-]+://[^?]+|/[^?]+)} | refererquery referer |
| $sender | Only for WildFire subtype; all other types do not use this field. Specifies the name of the sender of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall. | {text:Sender,ftype=sender} | sender |
| $subject | Only for WildFire subtype; all other types do not use this field. Specifies the subject of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall. | {text:Subject,ftype=subject} | subject |
| $recipient | Only for WildFire subtype; all other types do not use this field. Specifies the name of the receiver of an email that WildFire determined to be malicious when analyzing an email link forwarded by the firewall. | {text:Recipient,ftype=recipient} | recipient |
| $reportid | Only for WildFire subtype; all other types do not use this field. Identifies the analysis request on the WildFire cloud or the WildFire appliance. | {text:Report ID,ftype=reportid} | reportid |
Device Group Hierarchy $dg_hier_level_1 $dg_hier_level_2 $dg_hier_level_3 $dg_hier_level_4 | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
| {text:dg_hier_level_1,ftype=dghierlevel1},{text:dg_hier_level_2,ftype=dghierlevel2},{text:dg_hier_level_3,ftype=dghierlevel3},{text:dg_hier_level_4,ftype=dghierlevel4} | dghierlevel1 dghierlevel2 dghierlevel3 dghierlevel4 |
$vsys_name | The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems. | {text:Virtual System Name,ftype=vsysname} | vsysname |
$device_name | The hostname of the firewall on which the session was logged. | {text:Device Name,ftype=devicename} | devicename |
| $file_url | {text:URL/Filename,ftype=requrl} | requrl | |
| $src_uuid | Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment. | {text:Source VM UUID,ftype=sourcevmuuid} | sourcevmuuid |
| $dst_uuid | Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment. | {text:Destination VM UUID,ftype=targetvmuuid} | targetvmuuid |
| $http_method | Only in URL filtering logs. Describes the HTTP Method used in the web request. Only the following methods are logged: Connect, Delete, Get, Head, Options, Post, Put. | {choice:Method,ftype=reqmethod;,Connect;Delete;Get;Head;Options;Post;Put}, | reqmethod |
| $tunnelid | International Mobile Subscriber Identity (IMSI) is a unique number allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI shall consist of decimal digits (0 through 9) only and maximum number of digits allowed are 15. | {text:Tunnel ID,ftype=tunnelid} | tunnelid |
| $imei | International Mobile Equipment Identity (IMEI) is a unique 15 or 16 digit number allocated to each mobile station equipment. | {text:Monitor Tag,ftype=monitortag} | monitortag |
| $parent_session_id | ID of the session in which this session is tunneled. Applies to inner tunnel (if two levels of tunneling) or inside content (if one level of tunneling) only. | {text:Parent Session ID,ftype=parentsessionid} | parentsessionid |
| $parent_start_time | Year/month/day hours:minutes:seconds that the parent tunnel session began. | {text:Parent Session Start Time,ftype=parentstarttime} | parentstarttime |
| $tunnel | Type of tunnel, such as GRE or IPSec. | {text:Tunnel Type,ftype=tunneltype} | tunneltype |
| $thr_category | Describes threat categories used to classify different types of threat signatures. | {text:Threat Category,ftype=threatcategory} | threatcategory |
| $contentver | Applications and Threats version on your firewall when the log was generated. | {text:Content Version,ftype=contentversion} | contentversion |
| $sig_flags | {text:SIG_Flags,ftype=sigflags} | sigflags | |
| $assoc_id | Number that identifies all connections for an association between two SCTP endpoints. | {text:SCTP Assoication ID,ftype=sctpassociationid} | sctoassociationid |
| $ppid | ID of the protocol for the payload in the data portion of the data chunk. | {text:Payload Protocol ID,ftype=payloadprotocoolid} | payloadprotocolid |
| $http_headers | Indicates the inserted HTTP header in the URL log entries on the firewall. | {text:HTTP Headers,ftype=httpheaders} | httpheaders |
For more information about the traffic log fields, see below the format Conversion Table:
Field Name | Description | XpoLog Pattern | Ftype |
$domain | The domain which the messages were sent from. | {text:Domain,ftype=domain} | domain |
| $dev | The device which the messages were sent from. | {text:Device,ftype=device} | device |
$receive_time | Time the log was received at the management plane | {date:Receive Time,yyyy/MM/dd HH:mm:ss} |
|
$serial | Serial number of the firewall that generated the log | {text:Serial#,ftype=serial} | serial |
$type | Type of log; values are traffic, threat, config, system and hip-match | {text:Type,ftype=eventSource} | eventSource |
$subtype | Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn. | {text:Subtype,ftype=subtype} | subtype |
| $configversion | Config Version associated with the system log. | {text:Config Version,ftype=configversion} | configversion |
$time_generated | Time the log was generated on the dataplane. | {date:Time Generated,yyyy/MM/dd HH:mm:ss} | |
$src | Original session source IP address | {ip:SourceIP,ftype=sourceip} | sourceip |
$dst | Original session destination IP address. | {ip:DetinationIP,ftype=targetip} | targetip |
$natsrc | If source NAT performed, the post-NAT source IP address. | {ip:Nat SourceIP,ftype=natsourceip} | natsourceip |
$natdst | If destination NAT performed, the post-NAT destination IP address. | {ip:Nat DestinationIP,ftype=natdestinationip} | natdestinationip |
$rule | Name of the rule that the session matched. | {text:Rule Name,ftype=rulename} | rulename |
$srcuser | Username of the user who initiated the session. | {text:Source User,ftype=username} | username |
| $dstuser | Username of the user to which the session was destined. | {text:Destination User,ftype=dstusername} | dstusername |
| $app | Application associated with the session. | {text:Application,ftype=application} | application |
| $vsys | Virtual System associated with the session. | {block,start,emptiness=true}{text:Virtual System,ftype=virtualsystem}{block,end,emptiness=true} | virtualsystem |
| $srczone | Zone the session was sourced from. | {text:Source Zone,ftype=srczone} | srczone |
| $dstzone | Zone the session was destined to. | {text:Destination Zone,ftype=dstzone} | dstzone |
| $inbound_if | Interface that the session was sourced from. | {text:Inbound Interface,ftype=srcintf} | srcintf |
| $outbound_if | Interface that the session was destined to. | {text:Outbound Interface,ftype=dstntf} | dstintf |
| $logset | Log Forwarding Profile that was applied to the session. | {text:Log Action,ftype=logaction} | logaction |
| $time_logged | {date:Time Logged,yyyy/MM/dd HH:mm:ss} | ||
| $sessionid | An internal numerical identifier applied to each session. | {text:Session ID,ftype=sessionid} | sessionid |
| $repeatcnt | Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen within 5 seconds. | {text:Repeat Count,ftype=repeatcount} | repeatcnt |
| $sport | Source port utilized by the session. | {text:Source Port,ftype=srcport} | srcport |
| $dport | Destination port utilized by the session. | {text:Destination Port,ftype=dstport} | dstport |
| $natsport | Post-NAT source port. | {text:Nat Source Port,ftype=natsrcport} | natsrcport |
| $natdport | Post-NAT destination port. | {text:Nat Destinationport,ftype=natdstport} | natdstport |
| $flags | 32-bit field that provides details on session; | {text:Flags,ftype=flags} | flags |
| $proto | IP protocol associated with the session. | {text:IP Protocol,ftype=ipprotocol} | ipprotocol |
| $action | Action taken for the session; values are alert, allow, deny, drop, drop-all-packets, reset-client, reset-server, reset-both, block-url. | {text:Action,ftype=eventName} | eventName |
| $bytes | Number of total bytes (transmit and receive) for the session. | {number:Bytes,ftype=bytes} | bytes |
| $bytes_sent | Number of bytes in the client-to-server direction of the session. Available on all models except the PA-4000 Series. | {number:Bytes Sent,ftype=bytesent} | bytesent |
| $bytes_received | Number of bytes in the server-to-client direction of the session. Available on all models except the PA-4000 Series. | {number:Bytes Received,ftype=bytesreceived} | bytesreceived |
| $packets | Number of total packets (transmit and receive) for the session. | {number:Packets,ftype=packets} | packets |
| $start | Time of session start. | {date:Start Time,yyyy/MM/dd HH:mm:ss} | |
| $elapsed | Elapsed time of the session. | {number:Elapsed Time(sec),ftype=elapsedtime} | elapsedtime |
| $category | URL category associated with the session (if applicable). | {text:Category,ftype=category} | category |
$seqno | A 64bit log entry identifier incremented sequentially; each log type has a unique number space. | {text:Sequence Number,ftype=sequencenumber} | sequencenumber |
$actionflags |
| {text:Action Flags,ftype=actionflags} | actionflags |
| $srcloc | Source country or Internal region for private addresses. Maximum length is 32 bytes. | {text:Source Country,ftype=srcountry} | srccountry |
$dstloc | Destination country or Internal region for private addresses. Maximum length is 32 bytes. | {text:Destination Country,ftype=dstcountry} | dstcountry |
| $padding | {text:cpadding,ftype=cpadding} | cpadding | |
| $pkts_sent | Number of client-to-server packets for the session. Available on all models except the PA-4000 Series. | {number:Sent Packets,ftype=sentpkt} | sentpkt |
| $pkts_received | Number of server-to-client packets for the session. Available on all models except the PA-4000 Series. | {numberReceived Packets,ftype=rcvdpkt} | rcvdpkt |
| $session_end_reason | The reason a session terminated. If the termination had multiple causes, this field displays only the highest priority reason. | {text:Session End Reason,ftype=sessionendreason} | sessionendreason |
Device Group Hierarchy $dg_hier_level_1 $dg_hier_level_2 $dg_hier_level_3 $dg_hier_level_4 | A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12.
| {text:dg_hier_level_1,ftype=dghierlevel1},{text:dg_hier_level_2,ftype=dghierlevel2},{text:dg_hier_level_3,ftype=dghierlevel3},{text:dg_hier_level_4,ftype=dghierlevel4} | dghierlevel1 dghierlevel2 dghierlevel3 dghierlevel4 |
$vsys_name | The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems. | {text:Virtual System Name,ftype=vsysname} | vsysname |
$device_name | The hostname of the firewall on which the session was logged. | {text:Device Name,ftype=devicename} | devicename |
| $action_source | Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset- server, reset-client or reset-both for the session. | {text:Action Source,ftype=actionsource} | actionsource |
| $src_uuid | Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment. | {text:Source VM UUID,ftype=sourcevmuuid} | sourcevmuuid |
| $dst_uuid | Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment. | {text:Destination VM UUID,ftype=targetvmuuid} | targetvmuuid |
| $tunnelid | International Mobile Subscriber Identity (IMSI) is a unique number allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI shall consist of decimal digits (0 through 9) only and maximum number of digits allowed are 15. | {text:Tunnel ID,ftype=tunnelid} | tunnelid |
| $imei | International Mobile Equipment Identity (IMEI) is a unique 15 or 16 digit number allocated to each mobile station equipment. | {text:Monitor Tag,ftype=monitortag} | monitortag |
| $parent_session_id | ID of the session in which this session is tunneled. Applies to inner tunnel (if two levels of tunneling) or inside content (if one level of tunneling) only. | {text:Parent Session ID,ftype=parentsessionid} | parentsessionid |
| $parent_start_time | Year/month/day hours:minutes:seconds that the parent tunnel session began. | {text:Parent Session Start Time,ftype=parentstarttime} | parentstarttime |
| $tunnel | Type of tunnel, such as GRE or IPSec. | {text:Tunnel Type,ftype=tunneltype} | tunneltype |
| $thr_category | Describes threat categories used to classify different types of threat signatures. | {text:Threat Category,ftype=threatcategory} | threatcategory |
| $assoc_id | Number that identifies all connections for an association between two SCTP endpoints. | {text:SCTP Assoication ID,ftype=sctpassociationid} | sctoassociationid |
| $chunks | Sum of SCTP chunks sent and received for an association. | {text:SCTP Chunks,ftype=chunks} | chunks |
| $chunks_received | Number of SCTP chunks sent for an association. | {text:SCTP Chunks Sent,ftype=chunkssent} | sentchunks |
| $chunks_sent | Number of SCTP chunks received for an association. | {text:SCTP Chunks Received,ftype=chunksreceived} | receivedchunks |
.