Reference: CEF Fields Required by Illumio Insights
Firewall traffic logs that are sent to Illumio Insights must be in CEF format.
| Field Name | Description | Required |
|---|---|---|
deviceVendor | The vendor of the device that is generating the log | Yes |
deviceExternalId | The external identifier for the device | Yes |
cs1Label | Custom string 1 label (tenant identification) | Yes |
act | The action taken by the device or application | Yes |
src | Source IP address of the connection | Yes |
dst | Destination IP address of the connection | Yes |
proto | Protocol number used | Yes |
spt | Source port number | Yes |
dpt | Destination port number | Yes |
out | Bytes sent from source to destination | Yes |
in | Bytes received at destination | Yes |
conn_direction | Direction of the connection | Yes |
outzone | Network security zone of the destination | Yes |
inzone | Network security zone of the source | Yes |
rule_uid | Primary key for rule metadata lookup | Yes |
cs2Label | Rule Name indicator; use cs2Label together with cs2 to carry the Rule Name | Yes |
cs2 | Rule Name value; use cs2 for the Rule Name | Yes |
cs3Label | Policy Name indicator; use cs3Label together with cs3 to carry the Policy Name | Yes |
cs3 | Policy Name value; use cs3 for the Policy Name | Yes |
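The following is an added example, not Illumio's own code, that shows how a CEF line carrying these fields is laid out and how to check that a feed meets the required-field list before it is shipped to Insights. It parses the seven pipe-delimited header fields (deviceVendor is taken from the header, not the extension), then the space-separated key=value extension, and reports any required field that is absent or empty. The sample log lines, the device product name, the zone names and the rule UID are constructed placeholders.

```python
"""Added example (not Illumio's code): parse a CEF record and verify the
extension fields that Illumio Insights requires are present."""
import re

# Header positions: "CEF:Version|Device Vendor|Device Product|Device Version|
# Device Event Class ID|Name|Severity|Extension"
HEADER_KEYS = ("cefVersion", "deviceVendor", "deviceProduct", "deviceVersion",
               "deviceEventClassId", "name", "severity")

# Required fields from the table above. deviceVendor comes from the header;
# every other key is expected in the extension part.
REQUIRED_FIELDS = (
    "deviceVendor", "deviceExternalId", "cs1Label", "act", "src", "dst",
    "proto", "spt", "dpt", "out", "in", "conn_direction", "outzone",
    "inzone", "rule_uid", "cs2Label", "cs2", "cs3Label", "cs3",
)

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")            # pipe not preceded by a backslash
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")   # "key=" at start or after whitespace

# Constructed sample: a Check Point style record with every required field.
SAMPLE_OK = (
    "<134>Jan  1 00:00:00 fw-gw-01 CEF:0|Check Point|Firewall|1.0|Accept|Traffic accepted|3|"
    "deviceExternalId=fw-gw-01 cs1Label=tenant cs1=acme act=Accept "
    "src=10.1.2.3 dst=10.9.8.7 proto=6 spt=51514 dpt=443 out=1234 in=5678 "
    "conn_direction=Outgoing outzone=External inzone=Internal "
    "rule_uid=00000000-0000-0000-0000-000000000000 "
    "cs2Label=rule_name cs2=Allow Web cs3Label=policy_name cs3=Standard"
)

# Constructed sample that omits the rule and policy metadata fields.
SAMPLE_MISSING = (
    "CEF:0|Check Point|Firewall|1.0|Drop|Traffic dropped|5|"
    "deviceExternalId=fw-gw-01 cs1Label=tenant cs1=acme act=Drop "
    "src=10.1.2.3 dst=10.9.8.7 proto=17 spt=40000 dpt=53 out=80 in=0 "
    "conn_direction=Outgoing outzone=External inzone=Internal "
    "cs2Label=rule_name cs2=Block DNS"
)


def parse_cef(line):
    """Return a dict of the 7 header fields plus every extension key=value."""
    line = line.rstrip("\r\n")
    start = line.find("CEF:")          # a syslog prefix may precede the record
    if start < 0:
        raise ValueError("not a CEF record")
    parts = _HEADER_SPLIT.split(line[start + len("CEF:"):], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    # Header values escape "|" and "\" with a backslash.
    record = {k: v.replace("\\|", "|").replace("\\\\", "\\")
              for k, v in zip(HEADER_KEYS, parts[:7])}
    ext = parts[7]
    # Extension values may contain spaces (e.g. cs2=Allow Web), so split on
    # "key=" boundaries instead of on whitespace.
    matches = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        value = ext[m.end():end].strip()
        record[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return record


def missing_required(record):
    """Return the required fields that are absent or empty, in table order."""
    return [f for f in REQUIRED_FIELDS if not record.get(f)]


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_MISSING):
        gaps = missing_required(parse_cef(sample))
        print("OK" if not gaps else "missing: " + ", ".join(gaps))
```

Running the module reports `OK` for the first sample and `missing: rule_uid, cs3Label, cs3` for the second; the same check can be run over a file of exported firewall logs to find records that Insights would not be able to attribute to a rule or policy.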
For more information about the fields available for Check Point, Fortinet, or Palo Alto Networks, see the vendor documentation:

- Check Point: Check Point
- Fortinet: Fortinet
- Palo Alto Networks: Common Event Format (CEF) Configuration Guides