paloalto-ngfw-traffic-logs
Reads traffic logs from a Palo Alto Networks NGFW through the PAN-OS XML API.
paloalto-ngfw-traffic-logs [profile=PROFILE] [order=ORDER] [duration=NUM{mon|w|d|h|m|s}] [from=yyyyMMddHHmmss] [to=yyyyMMddHHmmss]
- profile=PROFILE
- The identifier of the Palo Alto Networks NGFW connect profile to query.
- order=ORDER
- Sort direction of the returned logs by time: desc (newest first) or asc (oldest first).
- duration=NUM{mon|w|d|h|m|s}
- Scan only recent data. NUM is a number followed by a time unit: s (second), m (minute), h (hour), d (day), w (week) or mon (month). For example, 10s retrieves logs from the last 10 seconds.
- from=yyyyMMddHHmmss
- Start time of the range, in yyyyMMddHHmmss format. If the time part is omitted, it is padded with zeros (for example, 20240115 is treated as 20240115000000).
- to=yyyyMMddHHmmss
- End time of the range, in yyyyMMddHHmmss format. If the time part is omitted, it is padded with zeros in the same way.
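How the three time options translate into a log query is easiest to see in code. The following is an added example, not part of this page or of the command's own implementation: it pads a truncated from=/to= value, converts a duration= value into a start time relative to "now", and emits the equivalent PAN-OS log filter on receive_time (the `(receive_time geq '...')` clause syntax is the PAN-OS log filter syntax; the 30-day length of mon and the rule that duration= is exclusive with from=/to= are this example's assumptions, since the page does not define either).

```python
import re
from datetime import datetime, timedelta

# Seconds per duration unit. The page does not define the length of "mon";
# 30 days is this example's assumption.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400, "mon": 30 * 86400}


def duration_seconds(value: str) -> int:
    """Parse NUM{mon|w|d|h|m|s} (e.g. "10s", "2h", "1mon") into seconds."""
    m = re.fullmatch(r"(\d+)(mon|w|d|h|m|s)", value)
    if not m:
        raise ValueError(f"bad duration {value!r}: expected NUM followed by mon, w, d, h, m or s")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]


def pad_timestamp(value: str) -> str:
    """Right-pad yyyyMMdd, yyyyMMddHH or yyyyMMddHHmm with zeros to the full
    14-digit yyyyMMddHHmmss form, as from= and to= do when the time part is omitted."""
    if not re.fullmatch(r"\d{8}(\d{2}){0,3}", value):
        raise ValueError(f"bad timestamp {value!r}: expected a yyyyMMddHHmmss prefix")
    return value.ljust(14, "0")


def to_datetime(value: str) -> datetime:
    return datetime.strptime(pad_timestamp(value), "%Y%m%d%H%M%S")


def build_filter(duration=None, from_=None, to=None, now=None) -> str:
    """Turn the command's time options into a PAN-OS log filter on receive_time.

    `now` is a yyyyMMddHHmmss string (defaults to the current clock) so that
    duration= is reproducible in tests. Treating duration= as exclusive with
    from=/to= is this example's assumption; the page does not say which wins.
    """
    if duration is not None and (from_ is not None or to is not None):
        raise ValueError("use either duration= or from=/to=, not both")
    if duration is not None:
        end = to_datetime(now) if now else datetime.now().replace(microsecond=0)
        start = end - timedelta(seconds=duration_seconds(duration))
    else:
        start = to_datetime(from_) if from_ else None
        end = to_datetime(to) if to else None
        if start and end and start > end:
            raise ValueError("from= must not be later than to=")
    clauses = []
    if start:
        clauses.append(f"(receive_time geq '{start:%Y/%m/%d %H:%M:%S}')")
    if end:
        clauses.append(f"(receive_time leq '{end:%Y/%m/%d %H:%M:%S}')")
    return " and ".join(clauses)


if __name__ == "__main__":
    # duration=2h evaluated at a fixed "now" of 2024-01-15 12:00:00
    print(build_filter(duration="2h", now="20240115120000"))
    # from=20240115 to=2024011523, both padded with zeros
    print(build_filter(from_="20240115", to="2024011523"))
```

Note that a from= value such as 20240115 pads to midnight at the start of that day, so a range written as from=20240115 to=20240115 is empty; give to= an explicit time (or the next day) when you want the whole day.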
Output Fields
| Field | Type | Name | Description |
|---|---|---|---|
| _time | Date | Time | |
| profile | String | Connect profile | The identifier of Palo Alto Networks NGFW connect profile |
| serial | String | Serial | Serial number of the firewall that generated the log |
| type | String | Type | e.g. TRAFFIC |
| subtype | String | Subtype | e.g. start, end, drop |
| src_user | String | Source user | |
| src_ip | IP address | Source IP | |
| src_port | Integer | Source port | |
| dst_ip | IP address | Destination IP | |
| dst_port | Integer | Destination port | |
| protocol | String | Protocol | e.g. TCP, UDP, ICMP |
| app | String | App | e.g. incomplete, dns, ldap, ssl, kerberos, web-browsing, ntp |
| category | String | Category | e.g. any, news, internet-portals, computer-and-internet-info |
| policy | String | Policy | |
| action | String | Action | e.g. PERMIT, DROP |
| duration | Integer | Duration | Elapsed time of the session, in seconds |
| session_end_reason | String | Session end reason | e.g. aged-out, n/a, tcp-fin, tcp-rst-from-server, tcp-rst-from-client, policy-deny |
| tunnel | String | Tunnel | |
| tunnel_id | Integer | Tunnel ID | |
| nat_src_ip | IP address | NAT source IP | |
| nat_src_port | Integer | NAT source port | |
| nat_dst_ip | IP address | NAT destination IP | |
| nat_dst_port | Integer | NAT destination port | |
| total_pkts | Long | Total packets | |
| sent_pkts | Long | Sent packets | |
| rcvd_pkts | Long | Received packets | |
| total_bytes | Long | Total bytes | |
| sent_bytes | Long | Sent bytes | |
| rcvd_bytes | Long | Received bytes | |
| src_zone | String | Source zone | e.g. intranet, untrust |
| dst_zone | String | Destination zone | e.g. intranet, untrust |
| src_iface | String | Source interface | e.g. ethernet1/1 |
| dst_iface | String | Destination interface | e.g. ethernet1/1 |
| total_chunks | String | Total chunks | |
| sent_chunks | Integer | Sent chunks | |
| rcvd_chunks | Integer | Received chunks | |
| src_loc | String | Source location | e.g. 10.0.0.0-10.255.255.255 |
| dst_loc | String | Destination location | e.g. 10.0.0.0-10.255.255.255 |
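To show how the PAN-OS XML API's traffic log entries map onto the output fields above, here is an added example that is not part of this page or of the command's own code. It parses a constructed `type=log` response (the two entries are made up for this example; the PAN-OS element names such as `src`, `sport`, `bytes_sent` and `session_end_reason` are the ones this example assumes the XML API uses) into records keyed by the field names in the table, converts them to the documented types, and adds two checks a practitioner would want: that total byte and packet counters equal sent plus received, and a per-destination tally of dropped sessions. Raw PAN-OS values (`udp`, `allow`, `drop`) are passed through unchanged; the table shows normalized values such as TCP and PERMIT, and that normalization is not reproduced here.

```python
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime

# PAN-OS traffic-log XML element -> (output field from the table, type to convert to).
# The element names are this example's assumption about the XML API's log format.
FIELD_MAP = {
    "receive_time": ("_time", "date"), "serial": ("serial", "str"),
    "type": ("type", "str"), "subtype": ("subtype", "str"), "srcuser": ("src_user", "str"),
    "src": ("src_ip", "ip"), "sport": ("src_port", "int"),
    "dst": ("dst_ip", "ip"), "dport": ("dst_port", "int"),
    "proto": ("protocol", "str"), "app": ("app", "str"), "category": ("category", "str"),
    "rule": ("policy", "str"), "action": ("action", "str"),
    "elapsed": ("duration", "int"), "session_end_reason": ("session_end_reason", "str"),
    "tunnel": ("tunnel", "str"), "tunnelid": ("tunnel_id", "int"),
    "natsrc": ("nat_src_ip", "ip"), "natsport": ("nat_src_port", "int"),
    "natdst": ("nat_dst_ip", "ip"), "natdport": ("nat_dst_port", "int"),
    "packets": ("total_pkts", "int"), "pkts_sent": ("sent_pkts", "int"),
    "pkts_received": ("rcvd_pkts", "int"), "bytes": ("total_bytes", "int"),
    "bytes_sent": ("sent_bytes", "int"), "bytes_received": ("rcvd_bytes", "int"),
    "from": ("src_zone", "str"), "to": ("dst_zone", "str"),
    "inbound_if": ("src_iface", "str"), "outbound_if": ("dst_iface", "str"),
    "chunks": ("total_chunks", "int"), "chunks_sent": ("sent_chunks", "int"),
    "chunks_received": ("rcvd_chunks", "int"),
    "srcloc": ("src_loc", "str"), "dstloc": ("dst_loc", "str"),
}


def _convert(value, kind):
    if value is None or value == "":
        return None
    if kind == "int":
        return int(value)
    if kind == "ip":
        return str(ipaddress.ip_address(value))  # rejects a malformed address
    if kind == "date":
        return datetime.strptime(value, "%Y/%m/%d %H:%M:%S")
    return value


def parse_traffic_logs(xml_text):
    """Parse a PAN-OS log query response into records keyed by the table's field names."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("PAN-OS API call did not succeed")
    records = []
    for entry in root.iter("entry"):
        rec = {}
        for child in entry:
            if child.tag in FIELD_MAP:
                name, kind = FIELD_MAP[child.tag]
                rec[name] = _convert(child.text, kind)
        records.append(rec)
    return records


def counter_anomalies(rec):
    """Names of total counters that do not equal sent + received (empty if consistent)."""
    bad = []
    for total, sent, rcvd in (("total_bytes", "sent_bytes", "rcvd_bytes"),
                              ("total_pkts", "sent_pkts", "rcvd_pkts")):
        values = (rec.get(total), rec.get(sent), rec.get(rcvd))
        if None not in values and values[0] != values[1] + values[2]:
            bad.append(total)
    return bad


def drops_by_destination(records):
    """Count dropped sessions per (dst_ip, dst_port): a quick triage view."""
    counts = {}
    for r in records:
        if r.get("subtype") == "drop":
            key = (r["dst_ip"], r["dst_port"])
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample response: one permitted DNS session and one dropped SMB attempt.
SAMPLE_RESPONSE = """<response status="success"><result><job><status>FIN</status></job>
<log><logs count="2">
<entry logid="1"><receive_time>2024/01/15 10:00:01</receive_time><serial>001234567890</serial>
<type>TRAFFIC</type><subtype>end</subtype><srcuser>alice</srcuser>
<src>10.1.2.3</src><sport>51234</sport><dst>8.8.8.8</dst><dport>53</dport><proto>udp</proto>
<app>dns</app><category>any</category><rule>allow-dns</rule><action>allow</action>
<from>intranet</from><to>untrust</to><inbound_if>ethernet1/2</inbound_if><outbound_if>ethernet1/1</outbound_if>
<natsrc>203.0.113.10</natsrc><natsport>20001</natsport><natdst>8.8.8.8</natdst><natdport>53</natdport>
<packets>2</packets><pkts_sent>1</pkts_sent><pkts_received>1</pkts_received>
<bytes>250</bytes><bytes_sent>80</bytes_sent><bytes_received>170</bytes_received>
<elapsed>0</elapsed><session_end_reason>aged-out</session_end_reason>
<srcloc>10.0.0.0-10.255.255.255</srcloc><dstloc>US</dstloc></entry>
<entry logid="2"><receive_time>2024/01/15 10:00:05</receive_time><serial>001234567890</serial>
<type>TRAFFIC</type><subtype>drop</subtype>
<src>10.1.2.3</src><sport>40001</sport><dst>198.51.100.7</dst><dport>445</dport><proto>tcp</proto>
<app>incomplete</app><category>any</category><rule>deny-smb-out</rule><action>drop</action>
<from>intranet</from><to>untrust</to><inbound_if>ethernet1/2</inbound_if><outbound_if>ethernet1/1</outbound_if>
<packets>1</packets><pkts_sent>1</pkts_sent><pkts_received>0</pkts_received>
<bytes>60</bytes><bytes_sent>60</bytes_sent><bytes_received>0</bytes_received>
<elapsed>0</elapsed><session_end_reason>policy-deny</session_end_reason>
<srcloc>10.0.0.0-10.255.255.255</srcloc><dstloc>198.51.100.0-198.51.100.255</dstloc></entry>
</logs></log></result></response>"""

if __name__ == "__main__":
    for rec in parse_traffic_logs(SAMPLE_RESPONSE):
        print(rec["_time"], rec["subtype"], rec["src_ip"], rec["dst_ip"], rec["dst_port"],
              rec["action"], counter_anomalies(rec) or "counters ok")
    print(drops_by_destination(parse_traffic_logs(SAMPLE_RESPONSE)))
```

The XML above is the shape returned by the second step of a PAN-OS log query, where `type=log&log-type=traffic&query=...` first returns a job id and `type=log&action=get&job-id=...` then returns the entries once the job status is FIN; a real collector has to poll for that status before parsing. The counter check is worth keeping in a pipeline because a total that does not match sent plus received usually means a truncated or mis-parsed entry rather than a real session.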