Field Name | Example Values | Field Type | Notes |
---|---|---|---|
pan_alert_direction | | keyword | Indicates the direction of the attack, client-to-server or server-to-client. 0: direction of the threat is client to server. 1: direction of the threat is server to client. |
pan_after_change_detail | | keyword | This field is in custom logs only; it is not in the default format. It contains the full xpath after the configuration change. |
pan_assoc_id | | keyword | Number to identify all connections for an association between two SCTP endpoints. |
pan_auth_method | | keyword | A string showing the authentication type, such as LDAP, RADIUS or SAML. |
pan_before_change_detail | | keyword | This field is in custom logs only; it is not in the default format. It contains the full xpath after the configuration change. |
pan_cloud_hostname | | keyword | FQDN of the WildFire appliance or cloud where the file was uploaded. |
pan_dev_group_level_[1-4] | | keyword | ID numbers that indicate the device group's location within the DG hierarchy. |
pan_dynusergroup_name | | keyword | Name of the dynamic user group that contains the user who initiated the session. |
pan_event_name | | keyword | String showing the name of the event. |
pan_event_object | | keyword | Name of the object associated with the system event. |
pan_evidence | | keyword | A summary statement that indicates how many times the host has matched against the conditions defined in the correlation object. For example, Host visited known malware URL (19 times). |
pan_flags | | keyword | 32-bit field that provides details on the session. |
pan_gp_client_version | | keyword | The client's GlobalProtect app version. |
pan_gp_connect_method | | keyword | A string showing how the GlobalProtect app connects to the gateway (for example, on-demand or user-login). |
pan_gp_error | | keyword | A string showing the error that has occurred in any event. |
pan_gp_error_code | | keyword | An integer associated with any errors that occurred. |
pan_gp_error_extended | | keyword | Additional information for any event that has occurred. |
pan_gp_hostname | | keyword | The name of the GlobalProtect portal or gateway. |
pan_gp_hostid | | keyword | Unique ID GlobalProtect assigns to identify the host. |
pan_gp_location_name | | keyword | A string showing the administrator-defined location of the GlobalProtect portal or gateway. |
pan_gp_reason | | keyword | A string that shows the reason for the quarantine. |
pan_hip | | keyword | Name of the HIP object or profile. |
pan_hip_type | | keyword | Whether the hip field represents a HIP object or a HIP profile. |
pan_http2 | | keyword | Identifies if traffic used an HTTP/2 connection by displaying one of the following values: the parent session ID (HTTP/2 connection) or 0 (SSL session). |
pan_link_changes | | keyword | Number of link flaps during the session. |
pan_link_switches | | keyword | Contains up to four link flap entries, with each entry containing the link name, link tag, link type, physical interface, timestamp, bytes read, bytes written, link health, and link flap cause. |
pan_log_action | | keyword | Log Forwarding Profile applied to the session. |
pan_log_panorama | | keyword | A bit field indicating if the log was forwarded to Panorama. |
pan_log_subtype | | keyword | Subtype of the given log. |
pan_module | | keyword | Provides additional information about the sub-system generating the log. |
pan_monitor_tag | | keyword | IMEI 15/16 Digit number |
pan_object_id | | keyword | Name of the object associated with the system event. |
pan_objectname | | keyword | Name of the correlation object that was matched on. |
pan_parent_session_id | | keyword | ID of the session in which this session is tunneled. |
pan_parent_start_time | | keyword | Time the tunnel session began. |
pan_pcap_id | | keyword | Packet capture ID. |
pan_ppid | | keyword | ID of the protocol for the payload of the data chunk. |
pan_sctp_chunks_sum | | keyword | Sum of SCTP chunks sent and received for an association. |
pan_sctp_chunks_tx | | keyword | Number of SCTP chunks sent for an association. |
pan_sctp_chunks_rx | | keyword | Number of SCTP chunks received for an association. |
pan_sdwan_cluster | | keyword | Name of the SD-WAN cluster. |
pan_sdwan_cluster_type | | keyword | Type of cluster (mesh or hub-spoke). |
pan_sdwan_device_type | | keyword | Type of device (hub or branch). |
pan_sdwan_policy_id | | keyword | Name of the SD-WAN policy. |
pan_sdwan_site_name | | keyword | Name of the SD-WAN site. |
pan_session_end_reason | | | The reason the session was terminated. |
pan_source_region | | keyword | The region for the user who initiated the session. |
pan_tunnel_id | | keyword | International Mobile Subscriber Identity Number |
pan_tunnel_stage | | keyword | A string showing the stage of the connection (for example, before-login, login, or tunnel). |
pan_url_index | | keyword | Counter allowing you to correlate the order of log entries in URL Filtering/WildFire. |
pan_wildfire_hash | | keyword | Binary hash of the file sent to WildFire. |
pan_wildfire_report_id | | keyword | Identifies the analysis request on the WildFire cloud/appliance. |
The following content is part of the Graylog Illuminate 6.3 documentation. If you are using another version of Illuminate, please switch to your version. For versions prior to 4.0, please see the legacy documentation.