Palo Alto Networks Knowledgebase: Traffic Log Time Stamps
Created On 04/16/19 01:28 AM - Last Updated 04/16/19 01:34 AM
Cortex Data Lake
When creating a security policy, you can choose to log session information at session start or at session end, and the logs are generated accordingly.
In the example log below, the security policy is configured to log at session end. This session began at Start Time 2015/06/22 04:27:41. Generated Time, 2015/06/22 04:32:00, is when the logger received the logged session information at the end of the session.
Receive Time is the logging time stamp, 2015/06/21 23:27:12. This time is based on the local time as seen by Panorama.
Specific information regarding the timers is provided below:
Generated Time: The time when the log is first generated. For a traffic start log, this is at session start. For a traffic end log, it is Start Time + Elapsed Time. For a threat log, it is when the threat is detected (dataplane, DP).
Start Time: Session start time (DP).
Receive Time: The time when the log is received by the management server for log forwarding (management plane, MP). If the log is forwarded to Panorama, Panorama updates the Receive Time to its local time.
Elapsed Time (sec): The session duration in seconds since Start Time (measured by DP).
Additionally, sessions that time out due to lack of activity (as opposed to closing with FIN/RST) have the session timeout added to the Elapsed Time value.
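When building an incident timeline, the timer relationships above can be checked per log entry. The following Python is an added example, not Palo Alto Networks code: the function name, result keys and the `timed_out` / `idle_timeout_sec` parameters are assumptions, the 259-second elapsed value is derived from the article's Start and Generated times, and the second sample is constructed.

```python
from datetime import datetime, timedelta

FMT = "%Y/%m/%d %H:%M:%S"  # timestamp layout used in the article's examples


def analyze_traffic_end_log(start, generated, receive, elapsed_sec,
                            timed_out=False, idle_timeout_sec=0):
    """Reconcile the timers of one traffic end log (hypothetical helper)."""
    start_t = datetime.strptime(start, FMT)
    generated_t = datetime.strptime(generated, FMT)
    receive_t = datetime.strptime(receive, FMT)

    # Traffic end log: Generated Time = Start Time + Elapsed Time (both DP).
    expected_generated = start_t + timedelta(seconds=elapsed_sec)

    # A timed-out session has the idle timeout added to Elapsed Time, so the
    # period with real traffic is shorter than the logged duration.
    active_sec = elapsed_sec - idle_timeout_sec if timed_out else elapsed_sec
    if active_sec < 0:
        raise ValueError("idle timeout is larger than Elapsed Time")
    last_activity = start_t + timedelta(seconds=active_sec)

    return {
        # 0 when Generated Time matches Start Time + Elapsed Time.
        "generated_delta_sec": int((generated_t - expected_generated).total_seconds()),
        "active_sec": active_sec,
        # Inferred end of real activity; use this, not Generated Time,
        # when placing a timed-out session on a timeline.
        "last_activity": last_activity.strftime(FMT),
        # Receive Time is stamped on the MP, and rewritten by Panorama in its
        # own local time, so it can sit far from the DP clock values.
        "receive_offset_sec": int((receive_t - generated_t).total_seconds()),
    }


if __name__ == "__main__":
    # Values from the article's session-end example (elapsed derived: 259 s).
    print(analyze_traffic_end_log("2015/06/22 04:27:41", "2015/06/22 04:32:00",
                                  "2015/06/21 23:27:12", 259))
    # Constructed sample: 120 s of traffic, then a 3600 s idle timeout.
    print(analyze_traffic_end_log("2015/06/22 04:27:41", "2015/06/22 05:29:41",
                                  "2015/06/22 05:29:50", 3720,
                                  timed_out=True, idle_timeout_sec=3600))
```

A large `receive_offset_sec`, as in the article's example where Receive Time precedes Start Time, is a reason to order events by the DP timers rather than by Receive Time.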
Below is an example log entry of a timed-out session with a 3600-second idle timeout value set: