Palo Alto
Integration of Palo Alto's System, Configuration, Traffic and Threat logs into XpoLog.
Prerequisites:
A. Open the relevant port (TCP/UDP) on the XpoLog machine so that the Palo Alto device can reach it.
B. Create a syslog listener on the Listeners tab in XpoLog that listens on that port and collects the logs sent by the Palo Alto device.
Palo Alto Configurations:
1. Define the syslog service on the Palo Alto device:
I. Log in to the Palo Alto web interface and go to Objects->Services->Add.
II. Give the service a name, select the protocol (i.e. TCP or UDP) that matches the XpoLog listener, and set the destination port to the port you already configured on the XpoLog listener (the source port can be left unspecified unless you need to restrict it).
2. Create a syslog server profile that will send the logs to XpoLog:
I. In the Palo Alto web interface, go to Device->Server Profiles->Syslog->Add.
II. Enter a name for the syslog server profile and configure the following fields for the server entry:
Name - Unique name for the server profile.
Syslog Server - IP address or fully qualified domain name (FQDN) of the XpoLog machine (an FQDN only works if a DNS server is configured on the firewall).
Transport - Select TCP, UDP, or SSL (TLS) as the protocol for communicating with the syslog server. For SSL, the firewall supports only TLSv1.2. UDP is unauthenticated and unencrypted, and lost datagrams are never retransmitted, so prefer TCP or SSL for audit-relevant logs; with SSL the firewall must trust the certificate presented by the syslog server.
Port - The port number on which to send syslog messages (default is UDP on port 514); it must be the same port number on the firewall and on the XpoLog listener.
Format - Select the syslog message format to use: BSD (the default) or IETF. Traditionally, BSD format is sent over UDP and IETF format over TCP or SSL/TLS.
Facility - Select a syslog standard value (default is LOG_USER). The facility, together with each message's severity, determines the priority (PRI) field of the message (PRI = facility * 8 + severity); select the value that matches how you use the PRI field to route syslog messages on the XpoLog side.
3. Configure the 'Log Settings' for the System and Configuration logs:
I. In the Palo Alto web interface, go to Device->Log Settings and add a new log setting under the relevant tab (System or Configuration). Traffic and Threat logs are not forwarded from here; they use the Log Forwarding profile created in step 4.
II. Give the log setting a name and, under the 'Syslog' section, add the syslog server profile you created in step 2.
4. Create a 'Log Forwarding' profile for the Traffic and Threat logs:
I. In the Palo Alto web interface, go to Objects->Log Forwarding->Add.
II. Name the profile. Then, for each log type (traffic, threat), add the syslog server profile you created in step 2. A log forwarding profile only takes effect for the security policy rules it is attached to (Policies->Security->rule->Actions->Log Forwarding), so attach it to every rule whose traffic and threat logs should reach XpoLog.
5. Commit the configuration changes: press the 'Commit' button at the top right of the web interface so that the changes take effect. Until the commit succeeds, nothing is sent to XpoLog.
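Before committing on the firewall it is worth confirming that the port opened in the prerequisites and the XpoLog listener actually accept a message. The following Python script is an added example (not XpoLog or Palo Alto code): it computes the PRI value the Facility setting implies, frames a message the way PAN-OS does in BSD format, and sends it to the listener over UDP or TCP. LISTENER_HOST and LISTENER_PORT are placeholders, and the system-log body is constructed, not captured from a firewall.

```python
"""Build a BSD-framed syslog message and send it to an XpoLog syslog listener.

Added example, not XpoLog or Palo Alto code. LISTENER_HOST/LISTENER_PORT are
placeholders for your own listener; SAMPLE_BODY is a constructed PAN-OS
system-log body.
"""
import socket
from datetime import datetime

# Facility codes from RFC 3164; LOG_USER is the PAN-OS default.
FACILITY = {"LOG_USER": 1, "LOG_LOCAL0": 16, "LOG_LOCAL1": 17, "LOG_LOCAL2": 18,
            "LOG_LOCAL3": 19, "LOG_LOCAL4": 20, "LOG_LOCAL5": 21,
            "LOG_LOCAL6": 22, "LOG_LOCAL7": 23}
# Severity codes from RFC 3164.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def syslog_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity; this is the number inside the leading <...>."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def build_bsd_syslog(facility: str, severity: str, when: datetime,
                     hostname: str, body: str) -> str:
    """BSD (RFC 3164) framing as PAN-OS emits it: <PRI>Mmm dd hh:mm:ss HOST BODY.
    The day of month is space-padded, so 1 January renders as 'Jan  1'."""
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{syslog_pri(facility, severity)}>{stamp} {hostname} {body}"


def send_syslog(message: str, host: str, port: int, transport: str = "UDP") -> int:
    """Send one message: UDP is one datagram per message, TCP syslog is newline-delimited.
    Returns the number of bytes handed to the socket."""
    data = message.encode()
    if transport.upper() == "UDP":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            return s.sendto(data, (host, port))
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(data + b"\n")
        return len(data) + 1


# Constructed PAN-OS system-log body in the field order of the system pattern:
# FUTURE_USE, receive time, serial, type, subtype, config version, time generated, ...
SAMPLE_BODY = ("1,2019/01/01 10:00:00,001234567890,SYSTEM,general,0,2019/01/01 10:00:00,,"
               "general,,0,0,general,informational,\"XpoLog listener test\","
               "1,0x0,0,0,0,0,,PA-220")

if __name__ == "__main__":
    LISTENER_HOST, LISTENER_PORT = "192.0.2.10", 514   # placeholders: your XpoLog listener
    msg = build_bsd_syslog("LOG_USER", "info", datetime.now(), "PA-220", SAMPLE_BODY)
    print(msg)
    send_syslog(msg, LISTENER_HOST, LISTENER_PORT, "UDP")
```

If the message shows up in the listener's log in XpoLog, the network path and listener are fine and any later gap is on the firewall side (profile, log settings, rule attachment or commit). Use the same transport and port here that you select in the syslog server profile.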
XpoLog Configurations (edit the syslog logs that were generated for the Palo Alto machine):
System Log -
I. For the syslog log of the system log, set the logTypes of the log to 'syslog,paloalto,system,audit'.
II. Apply the following pattern to the log (default pattern):
XPLG:[{timestamp:Timestamp,MM/dd/yyyy HH:mm:ss.SSS}] [{text:Facility}] [{priority:Level,DEBUG;INFO;WARN;ERROR;FATAL}] [{text:Source Device}] {block,start,emptiness=true}{text:Application Name}[{text:Process Id}]: {block,end,emptiness=true}{text:Device,ftype=device} {text:Domain,ftype=domain},{date:Receive Time,yyyy/MM/dd HH:mm:ss},{text:Serial#,ftype=serial},{text:Type,ftype=eventSource},{text:Subtype,ftype=subtype},{text:Config Version,ftype=configversion},{date:Time Generated,yyyy/MM/dd HH:mm:ss},{block,start,emptiness=true}{text:Virtual System,ftype=virtualsystem}{block,end,emptiness=true},{text:Event ID,ftype=eventName},{block,start,emptiness=true}{text:Object,ftype=object}{block,end,emptiness=true},{text:fmt,ftype=fmt},{text:ID,ftype=id},{text:Module,ftype=module},{priority:Severity,ftype=status;High;Medium;Low;Informational},"{text:Description,ftype=message;,}"{regexp:Username,ftype=username;refName=Description,(Failed password for |User |for user \u0027|Password changed for user |failed authentication for user \u0027 |authenticated for user \u0027)[XPLG_PARAM([^\u0027\s]+)].*}{regexp:SourceIP,ftype=sourceip;refName=Description,(From: |from )[XPLG_PARAM(\d+\.\d+\.\d+\.\d+)].*}{regexp:logout,ftype=logout;refName=Description,logged out},{text:Sequence Number,ftype=sequencenumber},{text:Action Flags,ftype=actionflags},{text:dg_hier_level_1,ftype=dghierlevel1},{text:dg_hier_level_2,ftype=dghierlevel2},{text:dg_hier_level_3,ftype=dghierlevel3},{text:dg_hier_level_4,ftype=dghierlevel4},{text:Virtual System Name,ftype=vsysname},{text:Device Name,ftype=devicename}{eoe}
Configuration Log -
I. For the syslog log of the configuration log, set the logTypes of the log to 'syslog,paloalto,configuration,audit'.
II. Apply the following pattern to the log:
XPLG:[{timestamp:Timestamp,MM/dd/yyyy HH:mm:ss.SSS}] [{text:Facility,ftype=facility}] [{priority:Level,ftype=level,DEBUG;INFO;WARN;ERROR;FATAL}] [{text:Source Device,ftype=source-device}] {block,start,emptiness=true}{text:Application Name,ftype=app-name}[{text:Process Id,ftype=pid}]: {block,end,emptiness=true}{text:Device} {text:Domain,ftype=domain;,},{date:Receive Time,yyyy/MM/dd HH:mm:ss},{text:Serial#,ftype=serial},{text:Type,ftype=eventSource},{text:Subtype,ftype=subtype},{text:Config Version,ftype=configversion},{date:Time Generated,yyyy/MM/dd HH:mm:ss},{geoip:Host,ftype=sourceip;type=country:region:city;,},{text:Virtual System,ftype=virtualsystem},{choice:CMD,ftype=command,add,clone,commit,delete,edit,move,rename,set},{text:Admin,ftype=username},{choice:Client,ftype=client,Web,CLI},{choice:Result,ftype=status,Submitted,Succeeded,Failed,Unauthorized},{text:Configuration-path,ftype=path}{regexp:Event Name,ftype=eventName;refName=configuration-path,config mgt-config users|config shared local-user-database user |config shared local-user-database user-group|config shared admin-role|config shared authentication-profile|config mgt-config password-profile}{regexp:Audited_Object,ftype=auditedobject;refName=configuration-path,(config mgt-config users|config shared local-user-database user |config shared local-user-database user-group |config shared admin-role |config shared authentication-profile |config mgt-config password-profile )[XPLG_PARAM([^,]+)]},{text:Sequence Number,ftype=sequencenumber},{text:Action Flags,ftype=actionflags},{text:dg_hier_level_1,ftype=dghierlevel1},{text:dg_hier_level_2,ftype=dghierlevel2},{text:dg_hier_level_3,ftype=dghierlevel3},{text:dg_hier_level_4,ftype=dghierlevel4},{text:Virtual System Name,ftype=vsysname},{text:Device Name,ftype=devicename}{eoe}
Threat Log -
I. For the syslog of the threat log, set the logTypes of this log to 'syslog,paloalto,threat'.
II. Apply the following pattern to the log:
XPLG:[{timestamp:Timestamp,MM/dd/yyyy HH:mm:ss.SSS}] [{text:Facility,ftype=facility}] [{priority:Level,ftype=level,DEBUG;INFO;WARN;ERROR;FATAL}] [{text:Source Device,ftype=source-device}] {block,start,emptiness=true}{text:Application Name,ftype=app-name}[{text:Process Id,ftype=pid}]: {block,end,emptiness=true}{text:Device,ftype=device} {text:Domain,ftype=domain},{date:Receive Time,yyyy/MM/dd HH:mm:ss},{text:Serial#,ftype=serial},{text:Type,ftype=eventSource},{text:Subtype,ftype=subtype},{text:Config Version,ftype=configversion},{date:CEF-Formatted-Time-Generated,yyyy/MM/dd HH:mm:ss},{ip:SourceIP,ftype=sourceip},{ip:Destination IP,ftype=targetip},{ip:Nat SourceIP,ftype=natsourceip},{ip:Nat Destination IP,ftype=nattargetip},{text:Rule Name,ftype=rulename},{text:Source User,ftype=username},{text:Destination User,ftype=dstusername},{text:Application,ftype=application},{block,start,emptiness=true}{text:Virtual System,ftype=virtualsystem}{block,end,emptiness=true},{text:Source Zone,ftype=srczone},{text:Destination Zone,ftype=dstzone},{text:Inbound Interface,ftype=srcintf},{text:Outbound Interface,ftype=dstintf},{text:Log Action,ftype=logaction},{date:Time Logged,yyyy/MM/dd HH:mm:ss},{text:SessionID,ftype=sessionid},{text:Repeat Count,ftype=repeatcount},{number:Source Port,ftype=sourceport},{number:Destination Port,ftype=dstport},{number:Nat Source Port,ftype=natsrcport},{number:Nat Destination Port,ftype=natdstport},{text:Flags,ftype=flags},{text:IP Protocol,ftype=ipprotocol},{text:Action,ftype=eventName},{url:URL,paramsFtype=querystring;ftype=requrl;paramsName=Query;,},{text:Threat/Content Name,ftype=threatcontentname},{text:Category,ftype=category},{priority:Severity,ftype=status;Critical;High;Medium;Low;Informational},{text:Direction,ftype=direction},{text:Sequence Number,ftype=sequencenumber},{text:Action Flags,ftype=actionflags},{text:Source Country,ftype=srccountry},{text:Destination Country,ftype=dstcountry},{text:cpadding,ftype=cpadding},{text:Content Type,ftype=contenttype},{text:PCAP ID,ftype=pcapap},{text:File Digest,ftype=filedigest},{text:Cloud,ftype=cloud},{text:URL Index,ftype=urlindex},{text:User Agent,ftype=useragent},{text:File Type,ftype=filetype},{text:X-Forwarded-For,ftype=forwardedforip},{text:RefererQuery,ftype=refererquery;,}{regexp:Referer,ftype=referer;refName=RefererQuery,^([w-]+://[^?]+|/[^?]+)},{text:Sender,ftype=sender},{text:Subject,ftype=subject},{text:Recipient,ftype=recipient},{text:Report ID,ftype=reportid},{text:dg_hier_level_1,ftype=dghierlevel1},{text:dg_hier_level_2,ftype=dghierlevel2},{text:dg_hier_level_3,ftype=dghierlevel3},{text:dg_hier_level_4,ftype=dghierlevel4},{text:Virtual System Name,ftype=vsysname},{text:Device Name,ftype=devicename},{url:URL,paramsFtype=querystring;ftype=requrl;paramsName=Query;,},{text:Source VM UUID,ftype=sourcevmuuid},{text:Destination VM UUID,ftype=targetvmuuid},{choice:Method,ftype=reqmethod;,Connect;Delete;Get;Head;Options;Post;Put},{text:Tunnel ID/IMSI,ftype=tunnelid},{text:Monitor Tag/IMEI,ftype=monitortag},{text:Parent Session ID,ftype=parentsessionid},{text:Parent Start Time,ftype=parentstarttime},{text:Tunnel Type,ftype=tunneltype},{text:Threat Category,ftype=threatcategory},{text:Content Version,ftype=contentversion},{text:SIG_Flags,ftype=sigflafs},{text:SCTP Association ID,ftype=sctpassociationid},{text:Payload Protocol ID,ftype=payloadprotocolid},{text:HTTP Headers,ftype=httpheaders}{eoe}
Traffic Log -
I. For the syslog log of the traffic log, set the logTypes of the log to 'syslog,paloalto,traffic'.
II. Apply the following pattern to the log:
XPLG:[{timestamp:Timestamp,MM/dd/yyyy HH:mm:ss.SSS}] [{text:Facility,ftype=facility}] [{priority:Level,ftype=level,DEBUG;INFO;WARN;ERROR;FATAL}] [{text:Source Device,ftype=source-device}] {block,start,emptiness=true}{text:Application Name,ftype=app-name}[{text:Process Id,ftype=pid}]: {block,end,emptiness=true}{text:Device,ftype=device} {text:Domain,ftype=domain},{date:Receive Time,yyyy/MM/dd HH:mm:ss},{text:Serial#,ftype=serial},{text:Type,ftype=eventSource},{text:Subtype,ftype=subtype},{text:Config Version,ftype=configversion},{date:CEF-Formatted-Time-Generated,yyyy/MM/dd HH:mm:ss},{ip:SourceIP,ftype=sourceip},{ip:Destination IP,ftype=targetip},{ip:Nat SourceIP,ftype=natsourceip},{ip:Nat Destination IP,ftype=nattargetip},{text:Rule Name,ftype=rulename},{text:Source User,ftype=username},{text:Destination User,ftype=dstusername},{text:Application,ftype=application},{block,start,emptiness=true}{text:Virtual System,ftype=virtualsystem}{block,end,emptiness=true},{text:Source Zone,ftype=srczone},{text:Destination Zone,ftype=dstzone},{text:Inbound Interface,ftype=srcintf},{text:Outbound Interface,ftype=dstintf},{text:Log Action,ftype=logaction},{date:Time Logged,yyyy/MM/dd HH:mm:ss},{text:SessionID,ftype=sessionid},{text:Repeat Count,ftype=repeatcount},{number:Source Port,ftype=sourceport},{number:Destination Port,ftype=dstport},{number:Nat Source Port,ftype=natsourceport},{number:Nat Destination Port,ftype=natdstport},{text:Flags,ftype=flags},{text:IP Protocol,ftype=ipprotocol},{text:Action,ftype=eventName},{number:Bytes,ftype=bytes},{text:Bytes Sent,ftype=bytesent},{text:Bytes Received,ftype=bytesreceived},{number:Packets,ftype=packets},{text:Start,ftype=start},{number:Elapsed Time(sec),ftype=elapsedtime},{text:Category,ftype=category},{text:tpadding,ftype=tpadding},{text:Sequence Number,ftype=sequencenumber},{text:Action Flags,ftype=actionflags},{text:Source Country,ftype=srccountry},{text:Destination Country,ftype=dstcountry},{text:cpadding,ftype=cpadding},{number:Sent Packets,ftype=sentpkt},{number:Received Packets,ftype=rcvdpkt},{text:Session End Reason,ftype=sessionendreason},{text:dg_hier_level_1,ftype=dghierlevel1},{text:dg_hier_level_2,ftype=dghierlevel2},{text:dg_hier_level_3,ftype=dghierlevel3},{text:dg_hier_level_4,ftype=dghierlevel4},{text:Virtual System Name,ftype=vsysname},{text:Device Name,ftype=devicename},{text:Action Source,ftype=actionsource},{text:Source VM UUID,ftype=sourcevmuuid},{text:Destination VM UUID,ftype=targetvmuuid},{text:Tunnel ID,ftype=tunnelid},{text:Monitor Tag,ftype=monitortag},{text:Parent Session ID,ftype=parentsessionid},{text:Parent Start Time,ftype=parentstarttime},{text:Tunnel Type,ftype=tunneltype},{text:SCTP Association ID,ftype=sctpassociationid},{number:SCTP Chunks,ftype=chunks},{number:SCTP Chunks Sent,ftype=chunkssent},{number:SCTP Chunks Received,ftype=chunksreceived}{eoe}
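To see what the System and Configuration patterns above actually extract, the following Python script does the same job with the standard library: it strips the BSD syslog header, splits the comma-separated body (honouring the quoted Description field), names the columns in the order the two patterns use, and applies the same Username, SourceIP, logout, Event Name and Audited_Object regexps. It is an added example, not XpoLog or Palo Alto code. The field lists mirror this page's patterns; PAN-OS releases differ in their field lists, so the script rejects a line whose field count does not match rather than silently shifting columns. The sample lines, hostname and serial number are constructed.

```python
"""Parse PAN-OS System and Configuration syslog lines the way the XpoLog
patterns on this page split them, and derive the same security fields.

Added example, not XpoLog or Palo Alto code. Field order mirrors the page's
patterns; adjust the lists if the field-count check fails for your PAN-OS
release. SAMPLE_SYSTEM and SAMPLE_CONFIG are constructed lines.
"""
import csv
import io
import re

# CSV body field order, in the sequence the system / configuration patterns use.
SYSTEM_FIELDS = [
    "domain", "receive_time", "serial", "type", "subtype", "config_version",
    "time_generated", "vsys", "eventid", "object", "fmt", "id", "module",
    "severity_label", "opaque", "seqno", "actionflags", "dg_hier_level_1",
    "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4", "vsys_name",
    "device_name",
]
CONFIG_FIELDS = [
    "domain", "receive_time", "serial", "type", "subtype", "config_version",
    "time_generated", "host", "vsys", "cmd", "admin", "client", "result",
    "path", "seqno", "actionflags", "dg_hier_level_1", "dg_hier_level_2",
    "dg_hier_level_3", "dg_hier_level_4", "vsys_name", "device_name",
]
FIELDS_BY_TYPE = {"SYSTEM": SYSTEM_FIELDS, "CONFIG": CONFIG_FIELDS}

# BSD framing: <PRI>Mmm dd hh:mm:ss HOSTNAME BODY
HEADER_RE = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

# Python translations of the refName=Description regexps in the system pattern.
USER_RE = re.compile(r"(?:Failed password for |User |for user '|Password changed for user |"
                     r"failed authentication for user ' |authenticated for user ')([^'\s]+)")
SRCIP_RE = re.compile(r"(?:From: |from )(\d{1,3}(?:\.\d{1,3}){3})")
LOGOUT_RE = re.compile(r"logged out")
# Translation of the Event Name / Audited_Object regexps in the configuration pattern.
AUDIT_RE = re.compile(r"(config mgt-config users|config shared local-user-database user |"
                      r"config shared local-user-database user-group |config shared admin-role |"
                      r"config shared authentication-profile |config mgt-config password-profile )"
                      r"([^,]+)")


def parse_panos_syslog(line: str) -> dict:
    """Split one BSD-framed PAN-OS syslog line into named fields plus derived ones."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a BSD syslog line")
    pri, stamp, hostname, body = m.groups()
    rec = {"facility": int(pri) // 8, "severity": int(pri) % 8,
           "syslog_time": stamp, "device": hostname}
    values = next(csv.reader(io.StringIO(body)))   # honours the quoted Description field
    log_type = values[3] if len(values) > 3 else ""
    fields = FIELDS_BY_TYPE.get(log_type)
    if fields is None:
        raise ValueError(f"unsupported log type {log_type!r}")
    if len(values) != len(fields):
        raise ValueError(f"{log_type}: expected {len(fields)} fields, got {len(values)} "
                         "(PAN-OS version mismatch?)")
    rec.update(zip(fields, values))
    rec["log_type"] = log_type
    if log_type == "SYSTEM":
        desc = rec["opaque"]
        um, sm = USER_RE.search(desc), SRCIP_RE.search(desc)
        rec["username"] = um.group(1) if um else None
        rec["sourceip"] = sm.group(1) if sm else None
        rec["logout"] = bool(LOGOUT_RE.search(desc))
    else:
        am = AUDIT_RE.search(rec["path"])
        rec["event_name"] = am.group(1).strip() if am else None
        rec["audited_object"] = am.group(2).strip() if am else None
    return rec


def triage(rec: dict) -> list:
    """Flag the events a SOC wants to see first from these two log types."""
    flags = []
    if rec["log_type"] == "SYSTEM":
        if rec["eventid"] == "auth-fail" or "failed authentication" in rec["opaque"].lower():
            flags.append(f"failed authentication for {rec['username']} from {rec['sourceip']}")
    else:
        if rec["event_name"]:   # admin account, role, auth-profile or password-profile touched
            flags.append(f"{rec['admin']} via {rec['client']} {rec['cmd']} "
                         f"{rec['event_name']} {rec['audited_object']}: {rec['result']}")
        if rec["result"] in ("Failed", "Unauthorized"):
            flags.append(f"config {rec['cmd']} by {rec['admin']} {rec['result'].lower()}")
    return flags


# Constructed sample lines (not captured from a real firewall).
SAMPLE_SYSTEM = ('<14>Jan  1 10:00:00 PA-220 1,2019/01/01 10:00:00,001234567890,SYSTEM,general,0,'
                 '2019/01/01 10:00:00,,auth-fail,,0,0,general,medium,'
                 '"failed authentication for user \'admin\'. Reason: Invalid username/password '
                 'From: 10.1.1.5.",12345,0x0,0,0,0,0,,PA-220')
SAMPLE_CONFIG = ('<14>Jan  1 10:05:00 PA-220 1,2019/01/01 10:05:00,001234567890,CONFIG,0,0,'
                 '2019/01/01 10:05:00,10.1.1.5,,set,admin,Web,Succeeded,'
                 'config mgt-config users backdoor,12346,0x0,0,0,0,0,,PA-220')

if __name__ == "__main__":
    for sample in (SAMPLE_SYSTEM, SAMPLE_CONFIG):
        r = parse_panos_syslog(sample)
        print(r["log_type"], r["device"], triage(r))
```

The field-count check is the part worth keeping: a column shift caused by a newer PAN-OS format would otherwise put, for example, the Description into the Module field and the Username regexp would silently stop matching. If the check fires, compare the firewall's documented field list for its release with the pattern on this page before forwarding production logs.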
For more information about the system log fields, see the format conversion table below:
Field Name | Description | XpoLog Pattern | Ftype |
$domain | The domain which the messages were sent from. | {text:Domain,ftype=domain} | domain |
$dev | The device which the messages were sent from. | {text:Device,ftype=device} | device |
$receive_time | Time the log was received at the management plane. | {date:Receive Time,yyyy/MM/dd HH:mm:ss} | |
$serial | Serial number of the firewall that generated the log. | {text:Serial#,ftype=serial} | serial |
$type | Type of log; values are traffic, threat, config, system and hip-match. | {text:Type,ftype=eventSource} | eventSource |
$subtype | Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn. | {text:Subtype,ftype=subtype} | subtype |
$configversion | Config version associated with the system log. | {text:Config Version,ftype=configversion} | configversion |
$time_generated | Time the log was generated on the dataplane. | {date:Time Generated,yyyy/MM/dd HH:mm:ss} | |
$vsys | Virtual system associated with the system log. | {block,start,emptiness=true}{text:Virtual System,ftype=virtualsystem}{block,end,emptiness=true} | virtualsystem |
$eventid | String showing the name of the event. | {text:Event ID,ftype=eventName} | eventName |
$object | Name of the object associated with the system event. | {block,start,emptiness=true}{text:Object,ftype=object}{block,end,emptiness=true} | object |
$fmt | | {text:fmt,ftype=fmt} | fmt |
$id | | {text:ID,ftype=id} | id |
$module | This field is valid only when the value of the Subtype field is general. It provides additional information about the sub-system generating the log; values are general, management, auth, ha, upgrade, chassis. | {text:Module,ftype=module} | module |
$severity | Severity associated with the event; values are informational, low, medium, high, critical. | {priority:Severity,ftype=status;High;Medium;Low;Informational} | status |
$opaque | Detailed description of the event, up to a maximum of 512 bytes. The Username, SourceIP and logout fields are extracted from the description by the regexp sub-patterns, so they are only populated for authentication and session events whose text matches. | "{text:Description,ftype=message;,}"{regexp:Username,ftype=username;refName=Description,(Failed password for |User |for user \u0027|Password changed for user |failed authentication for user \u0027 |authenticated for user \u0027)[XPLG_PARAM([^\u0027\s]+)].*}{regexp:SourceIP,ftype=sourceip;refName=Description,(From: |from )[XPLG_PARAM(\d+\.\d+\.\d+\.\d+)].*}{regexp:logout,ftype=logout;refName=Description,logged out} | message username sourceip logout |
$seqno | A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. | {text:Sequence Number,ftype=sequencenumber} | sequencenumber |
$actionflags | A bit field indicating if the log was forwarded to Panorama. | {text:Action Flags,ftype=actionflags} | actionflags |
$dg_hier_level_1 $dg_hier_level_2 $dg_hier_level_3 $dg_hier_level_4 | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. | {text:dg_hier_level_1,ftype=dghierlevel1},{text:dg_hier_level_2,ftype=dghierlevel2},{text:dg_hier_level_3,ftype=dghierlevel3},{text:dg_hier_level_4,ftype=dghierlevel4} | dghierlevel1 dghierlevel2 dghierlevel3 dghierlevel4 |
$vsys_name | The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems. | {text:Virtual System Name,ftype=vsysname} | vsysname |
$device_name | The hostname of the firewall on which the session was logged. | {text:Device Name,ftype=devicename} | devicename |
$cef-formatted-receive_time | | {date:CEF-Formatted-Receive-Time,MMM dd yyyy HH:mm:ss z} | |
$cef-formatted-time_generated | | {date:CEF-Formatted-Time-Generated,MMM dd yyyy HH:mm:ss z} | |
$cef-number-of-severity | | {number:CEF-Number-Of-Severity,ftype=cefnumberofseverity} | cefnumberofseverity |
$number-of-severity | | {number:Number-Of-Severity,ftype=numberofseverity} | numberofseverity |
$sender_sw_version | | {text:Sender_Sw_Version,ftype=senderswversion} | senderswversion |
$vsys_id | | {block,start,emptiness=true}{text:Virtual System ID,ftype=virtualsystemid}{block,end,emptiness=true} | virtualsystemid |
For more information about the configuration log fields, see the format conversion table below:
Field Name | Description | XpoLog Pattern | Ftype |
$domain | The domain which the messages were sent from. | {text:Domain,ftype=domain} | domain |
$dev | The device which the messages were sent from. | {text:Device,ftype=device} | device |
$receive_time | Time the log was received at the management plane. | {date:Receive Time,yyyy/MM/dd HH:mm:ss} | |
$serial | Serial number of the firewall that generated the log. | {text:Serial#,ftype=serial} | serial |
$type | Type of log; values are traffic, threat, config, system and hip-match. | {text:Type,ftype=eventSource} | eventSource |
$subtype | Subtype of the configuration log; unused. | {text:Subtype,ftype=subtype} | subtype |
$configversion | Config version associated with the configuration log. | {text:Config Version,ftype=configversion} | configversion |
$time_generated | Time the log was generated on the dataplane. | {date:Time Generated,yyyy/MM/dd HH:mm:ss} | |
$host | Hostname or IP address of the client machine from which the administrator connected; the geoip type also resolves it to country, region and city. | {geoip:Host,ftype=sourceip;type=country:region:city;,} | sourceip |
$vsys | Virtual system associated with the configuration log. | {block,start,emptiness=true}{text:Virtual System,ftype=virtualsystem}{block,end,emptiness=true} | virtualsystem |
$cmd | Command performed by the administrator; values are add, clone, commit, delete, edit, move, rename, set. | {choice:CMD,ftype=command,add,clone,commit,delete,edit,move,rename,set} | command |
$admin | Username of the administrator performing the configuration. | {text:Admin,ftype=username} | username |
$client | Client used by the administrator; values are Web and CLI. | {choice:Client,ftype=client,Web,CLI} | client |
$result | Result of the configuration action; values are Submitted, Succeeded, Failed and Unauthorized. | {choice:Result,ftype=status,Submitted,Succeeded,Failed,Unauthorized} | status |
$path | The path of the configuration command issued. The Event Name and Audited_Object sub-patterns extract from it the security-relevant object classes (administrator accounts, local users and user groups, admin roles, authentication profiles, password profiles) and the name of the object that was changed. | {text:Configuration-path,ftype=path}{regexp:Event Name,ftype=eventName;refName=configuration-path,config mgt-config users|config shared local-user-database user |config shared local-user-database user-group|config shared admin-role|config shared authentication-profile|config mgt-config password-profile}{regexp:Audited_Object,ftype=auditedobject;refName=configuration-path,(config mgt-config users|config shared local-user-database user |config shared local-user-database user-group |config shared admin-role |config shared authentication-profile |config mgt-config password-profile )[XPLG_PARAM([^,]+)]} | path eventName auditedobject |
$before-change-detail | This field is in custom logs only; it is not in the default format. It contains the full xpath before the configuration change. | {text:Before-Change-Detail,ftype=beforechangedetail} | beforechangedetail |
$after-change-detail | This field is in custom logs only; it is not in the default format. It contains the full xpath after the configuration change. | {text:After-Change-Detail,ftype=afterchangedetail} | afterchangedetail |
$seqno | A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. | {text:Sequence Number,ftype=sequencenumber} | sequencenumber |
$actionflags | A bit field indicating if the log was forwarded to Panorama. | {text:Action Flags,ftype=actionflags} | actionflags |
Device Group Hierarchy $dg_hier_level_1 $dg_hier_level_2 $dg_hier_level_3 $dg_hier_level_4 | A sequence of identification numbers that indicate the device group's location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. | {text:dg_hier_level_1,ftype=dghierlevel1},{text:dg_hier_level_2,ftype=dghierlevel2},{text:dg_hier_level_3,ftype=dghierlevel3},{text:dg_hier_level_4,ftype=dghierlevel4} | dghierlevel1 dghierlevel2 dghierlevel3 dghierlevel4 |
$vsys_name | The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems. | {text:Virtual System Name,ftype=vsysname} | vsysname |
$device_name | The hostname of the firewall on which the session was logged. | {text:Device Name,ftype=devicename} | devicename |
$cef-formatted-receive_time | | {date:CEF-Formatted-Receive-Time,MMM dd yyyy HH:mm:ss z} | |
$cef-formatted-time_generated | | {date:CEF-Formatted-Time-Generated,MMM dd yyyy HH:mm:ss z} | |
$sender_sw_version | | {text:Sender_Sw_Version,ftype=senderswversion} | senderswversion |
$vsys_id | | {block,start,emptiness=true}{text:Virtual System ID,ftype=virtualsystemid}{block,end,emptiness=true} | virtualsystemid |
Field Name | Description | XpoLog Pattern | Ftype |
$domain | The domain which the messages were sent from. | {text:Domain,ftype=domain} | domain |
$dev | The device which the messages were sent from. | {text:Device,ftype=device} | device |
$receive_time | Time the log was received at the management plane. | {date:Receive Time,yyyy/MM/dd HH:mm:ss} | |
$serial | Serial number of the firewall that generated the log. | {text:Serial#,ftype=serial} | serial |
$type | Type of log; values are traffic, threat, config, system and hip-match. | {text:Type,ftype=eventSource} | eventSource |
$subtype | Subtype of the system log; refers to the system daemon generating the log; values are crypto, dhcp, dnsproxy, dos, general, global-protect, ha, hw, nat, ntpd, pbf, port, pppoe, ras, routing, satd, sslmgr, sslvpn, userid, url-filtering, vpn. | {text:Subtype,ftype=subtype} | subtype |
$configversion | Config version associated with the system log. | {text:Config Version,ftype=configversion} | configversion |