Palo Alto Networks Knowledgebase: How does the Log Link Feature Work?
Created On 02/07/19 23:53 PM - Last Updated 02/07/19 23:54 PM
The Log Link feature provides links from log data to external systems (for example, trouble-ticketing, PCAP collection systems, security scanning, and so on). The links appear at the bottom of the log detail page in the log viewer, and each one opens its constructed URL in a new browser window.
The following log fields are available for use in constructing the link URL:
src - source IP address
dst - destination IP address
sport - source port
dport - destination port
proto - protocol
recvtime_YYYY - year of receive time
recvtime_MM - month of receive time
recvtime_DD - day of receive time
recvtime_hh - hour of receive time
recvtime_mm - minute of receive time
recvtime_ss - second of receive time
elapsed - elapsed time (session time in seconds; available for traffic logs only, "" otherwise)
direction - client-to-server or server-to-client (available for threat, data filtering and URL logs only, "" otherwise)
suser - source user
duser - destination user
szone - source zone
dzone - destination zone
ingress - ingress interface
egress - egress interface
To enable the log link feature, use the following CLI commands:
Running the above commands using the example URL creates 2 log-links to VirusTotal in the Log Details window (one for the source IP and one for the destination IP):
Multiple links can be set and all show up at the bottom of the log detail window.
Note: The log link configuration is not synchronized between device pairs in a High Availability (HA) environment. Therefore, the log link configuration must be performed manually on both the Active and Passive devices.
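The URL construction described above can be sketched as follows. This is an added example, not Palo Alto Networks code: the `{name}` placeholder syntax, the `example.com` hosts and the sample log values are assumptions made for illustration, and only the field names come from this page.

```python
import re
from urllib.parse import quote

# Field names this page lists as available for link URLs.
LOG_FIELDS = {
    "src", "dst", "sport", "dport", "proto", "elapsed", "direction",
    "recvtime_YYYY", "recvtime_MM", "recvtime_DD",
    "recvtime_hh", "recvtime_mm", "recvtime_ss",
    "suser", "duser", "szone", "dzone", "ingress", "egress",
}

# ASSUMPTION: a field is referenced as {name}; the page does not show the syntax.
PLACEHOLDER = re.compile(r"\{([^{}]*)\}")


def expand_log_link(template, log):
    """Build the link URL for one log entry (a dict of field -> value)."""
    def substitute(match):
        name = match.group(1)
        if name not in LOG_FIELDS:
            raise ValueError(f"unknown log field: {name!r}")
        # A field that does not apply to this log type expands to "".
        value = str(log.get(name, ""))
        # Encode every reserved character so a value such as corp\alice,
        # or one containing "/", "?" or "&", cannot alter the URL structure.
        return quote(value, safe="")
    return PLACEHOLDER.sub(substitute, template)


# Constructed sample data: documentation addresses, hypothetical hosts.
TEMPLATES = {
    "ticket": "https://tickets.example.com/new?src={src}&user={suser}&secs={elapsed}",
    "pcap": "https://pcap.example.com/find?ip={dst}&port={dport}"
            "&day={recvtime_YYYY}-{recvtime_MM}-{recvtime_DD}",
}
TRAFFIC_LOG = {
    "src": "192.0.2.10", "dst": "198.51.100.7", "sport": 51544, "dport": 443,
    "recvtime_YYYY": "2019", "recvtime_MM": "02", "recvtime_DD": "07",
    "elapsed": 12, "suser": "corp\\alice",
}
THREAT_LOG = {"src": "192.0.2.10", "dst": "198.51.100.7",
              "direction": "client-to-server"}

if __name__ == "__main__":
    for log in (TRAFFIC_LOG, THREAT_LOG):
        for name, template in TEMPLATES.items():
            print(name, expand_log_link(template, log))
```

Percent-encoding each value before substitution keeps user-influenced fields such as `suser` from adding path segments or query parameters to the link that the analyst's browser opens.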