Strata Logging Service Log Forwarding enables security operations teams to forward security logs from Palo Alto Networks next-generation firewalls, Prisma Access, and other Strata products to external SIEM systems, data lakes, and log management platforms. Log forwarding profiles define which log types are forwarded, in which output format, and to which destination. Supported transport protocols include Syslog over TCP, UDP, and TLS, HTTPS REST endpoints, and Email. Supported output formats include CSV, LEEF (Log Event Extended Format), CEF (Common Event Format), JSON, and PARQUET. Log types available for forwarding include traffic, threat, URL filtering, data, WildFire malware analysis, authentication, decryption, and GlobalProtect logs. Each log type delivers structured security event data enabling comprehensive network visibility, compliance reporting, and security analytics in downstream platforms.
Channels

log/traffic
  subscribe: onTrafficLog
  Summary: Forwarded traffic log entry
  Channel for forwarded traffic logs. Traffic logs record the start and end of every network session passing through the firewall, including source and destination addresses, ports, protocols, applications identified by App-ID, actions taken, and session byte and packet counters. Traffic logs provide comprehensive network visibility and session tracking for security analytics and compliance reporting. Supported formats: CSV, LEEF, CEF, JSON, PARQUET.

log/threat
  subscribe: onThreatLog
  Summary: Forwarded threat detection log entry
  Channel for forwarded threat logs. Threat logs record security events detected by the firewall's threat prevention engines including antivirus, anti-spyware, vulnerability protection, DNS security, and custom threat signatures. Each entry identifies the threat, its severity, the action taken, attack direction, and session context. Supported formats: CSV, LEEF, CEF, JSON, PARQUET.

log/url
  subscribe: onUrlLog
  Summary: Forwarded URL filtering log entry
  Channel for forwarded URL filtering logs. URL filtering logs record web access events evaluated by the URL Filtering security profile. Each entry includes the requested URL, URL category, action taken, HTTP method, content type, and user identity when User-ID is enabled. Supported formats: CSV, LEEF, CEF, JSON, PARQUET.

log/wildfire
  subscribe: onWildfireLog
  Summary: Forwarded WildFire file analysis log entry
  Channel for forwarded WildFire submission logs. WildFire logs record file analysis results from the WildFire cloud-based sandbox analysis service. Each entry includes the file name, type, SHA-256 hash, final verdict (benign, malware, grayware, phishing), and a link to the analysis report. Supported formats: CSV, LEEF, CEF, JSON, PARQUET.

log/auth
  subscribe: onAuthLog
  Summary: Forwarded authentication event log entry
  Channel for forwarded authentication logs. Authentication logs record user authentication events processed by the firewall's Authentication Policy, including SAML assertions, Kerberos ticket validations, LDAP binds, RADIUS authentications, and MFA challenges. Each entry captures the authentication method, result, user identity, and policy context. Supported formats: CSV, LEEF, CEF, JSON, PARQUET.

Messages

TrafficLog (Traffic Log Entry)
  A forwarded traffic log entry representing a network session that passed through or was blocked by the firewall

ThreatLog (Threat Log Entry)
  A forwarded threat detection log entry for a security event caught by the firewall's threat prevention profiles

UrlLog (URL Filtering Log Entry)
  A forwarded URL filtering log entry for a web access event evaluated by the URL Filtering security profile

WildfireLog (WildFire Log Entry)
  A forwarded WildFire file analysis log entry with the malware verdict returned by the WildFire cloud sandbox service

AuthLog (Authentication Log Entry)
  A forwarded authentication event log entry for a user authentication processed by the firewall's Authentication Policy

Servers

syslog-tcp (tcp): {syslogHost}:{syslogPort}
  Syslog destination for log forwarding over TCP. Configure the syslog server address and port in Strata Logging Service Settings > Log Forwarding. Supports CEF, LEEF, and CSV output formats. Non-encrypted TCP syslog uses port 514 by default.

syslog-tls (tcp): {syslogHost}:{syslogTlsPort}
  Syslog destination for log forwarding over TLS-encrypted TCP. TLS encryption is recommended for production deployments and requires uploading the syslog server's CA certificate for mutual authentication. Supports CEF, LEEF, and CSV output formats over TLS transport.

syslog-udp (udp): {syslogHost}:{syslogUdpPort}
  Syslog destination for log forwarding over UDP. UDP syslog provides lower overhead but without guaranteed delivery. Suitable for high-volume log forwarding in environments where occasional loss is acceptable.

https-endpoint (https): {httpsUrl}
  HTTPS destination for log forwarding via HTTP POST requests. Configure the HTTPS endpoint URL in Strata Logging Service Settings > Log Forwarding. The endpoint must accept POST requests and return a 2xx response. Supports JSON, CEF, LEEF, and PARQUET output formats. Authentication is configured via custom HTTP headers or OAuth2 client credentials.
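The receiving side of the https-endpoint contract, as an added example (not Palo Alto Networks code): it authenticates the POST, parses a JSON-format entry, and checks it against the enumerations declared in the TrafficLog, ThreatLog, UrlLog and WildfireLog schemas below. The X-API-Key header name and the 401/400/202 status codes are this example's assumptions; the spec only requires a 2xx on success and says authentication uses custom headers or OAuth2.

```python
"""Receiver-side checks for Strata Logging Service entries forwarded as JSON to
an HTTPS endpoint (added example, not Palo Alto Networks code).  Assumptions
not in the spec: the key is sent in an X-API-Key header, and 401/400/202 are
this receiver's choice of status codes (the spec only requires a 2xx)."""
import hmac
import json

# Enumerations copied from the TrafficLog/ThreatLog/UrlLog/WildfireLog schemas.
FORMATS = {"CSV", "LEEF", "CEF", "JSON", "PARQUET"}
ENUMS = {
    "TRAFFIC": {
        "subtype": {"start", "end", "drop", "deny"},
        "action": {"allow", "deny", "drop", "reset-client", "reset-server", "reset-both"},
    },
    "THREAT": {
        "subtype": {"virus", "spyware", "vulnerability", "url", "wildfire",
                    "wildfire-virus", "data", "file", "scan", "flood"},
        "severity": {"informational", "low", "medium", "high", "critical"},
        "action": {"alert", "allow", "deny", "drop", "reset-client", "reset-server",
                   "reset-both", "block-url", "block-ip", "sinkhole"},
        "direction": {"client-to-server", "server-to-client"},
    },
    "URL": {
        "action": {"allow", "block", "continue", "override", "alert"},
        "http_method": {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH", "CONNECT"},
    },
    "WILDFIRE": {
        "verdict": {"benign", "malware", "grayware", "phishing", "pending"},
        "action": {"allow", "block"},
    },
}
COMMON_FIELDS = ("receive_time", "serial", "type")  # declared by every schema
INT_FIELDS = ("sport", "dport", "bytes_sent", "bytes_received", "file_size")


def validate_entry(entry: dict) -> list[str]:
    """Return schema violations for one entry; an empty list means it conforms."""
    errors = []
    for field in COMMON_FIELDS:
        if not isinstance(entry.get(field), str) or not entry[field]:
            errors.append(f"missing or non-string field: {field}")
    log_type = entry.get("type")
    # The AUTH schema is truncated on the page, so only the common fields are
    # checked for it; any other unknown type is rejected outright.
    if log_type not in ENUMS and log_type != "AUTH":
        errors.append(f"unknown log type: {log_type!r}")
        return errors
    for field, allowed in ENUMS.get(log_type, {}).items():
        if field in entry and entry[field] not in allowed:
            errors.append(f"{field}={entry[field]!r} not in {sorted(allowed)}")
    for field in INT_FIELDS:
        if field in entry and (type(entry[field]) is not int or entry[field] < 0):
            errors.append(f"{field} must be a non-negative integer")
    fmt = entry.get("output_format")
    if fmt is not None and fmt not in FORMATS:
        errors.append(f"output_format={fmt!r} not in {sorted(FORMATS)}")
    return errors


def handle_post(headers: dict, body: bytes, expected_key: str) -> tuple[int, dict]:
    """Handle one POST from the forwarder; returns (HTTP status, JSON response)."""
    presented = headers.get("X-API-Key", "")
    # Constant-time comparison so the key check does not leak via timing.
    if not hmac.compare_digest(presented.encode(), expected_key.encode()):
        return 401, {"error": "invalid api key"}
    try:
        entry = json.loads(body)
    except ValueError:
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(entry, dict):
        return 400, {"error": "body must be a single JSON object"}
    errors = validate_entry(entry)
    if errors:
        return 400, {"error": "schema violation", "details": errors}
    # A 2xx tells the forwarder the entry was accepted and need not be resent.
    return 202, {"accepted": entry["type"], "serial": entry["serial"]}


# Constructed sample modelled on the MalwareDownloadBlocked example in the spec.
SAMPLE_THREAT = {
    "receive_time": "2024-01-15T10:45:00.000Z", "serial": "012345678901",
    "type": "THREAT", "subtype": "virus", "src": "203.0.113.200",
    "dst": "10.0.1.100", "sport": 80, "dport": 54322, "proto": "tcp",
    "app": "web-browsing", "threat_name": "Trojan-Downloader/Win.Generic",
    "severity": "high", "action": "reset-both", "direction": "server-to-client",
    "threat_id": "52345", "output_format": "JSON",
}
SAMPLE_BODY = json.dumps(SAMPLE_THREAT).encode()

if __name__ == "__main__":
    print(handle_post({"X-API-Key": "demo-key"}, SAMPLE_BODY, "demo-key"))
    print(handle_post({"X-API-Key": "demo-key"}, b"not json", "demo-key"))
```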
asyncapi: 2.6.0
info:
  title: Strata Logging Service Log Forwarding
  version: 1.0.0
  description: >
    Strata Logging Service Log Forwarding enables security operations teams
    to forward security logs from Palo Alto Networks next-generation firewalls,
    Prisma Access, and other Strata products to external SIEM systems, data
    lakes, and log management platforms. Log forwarding profiles define which
    log types are forwarded, in which output format, and to which destination.
    Supported transport protocols include Syslog over TCP, UDP, and TLS, HTTPS
    REST endpoints, and Email. Supported output formats include CSV, LEEF
    (Log Event Extended Format), CEF (Common Event Format), JSON, and PARQUET.
    Log types available for forwarding include traffic, threat, URL filtering,
    data, WildFire malware analysis, authentication, decryption, and
    GlobalProtect logs. Each log type delivers structured security event data
    enabling comprehensive network visibility, compliance reporting, and
    security analytics in downstream platforms.
  contact:
    name: Palo Alto Networks Developer Support
    url: https://pan.dev/
    email: [email protected]
  license:
    name: Proprietary
    url: https://www.paloaltonetworks.com/legal
servers:
  syslog-tcp:
    url: '{syslogHost}:{syslogPort}'
    protocol: tcp
    description: >
      Syslog destination for log forwarding over TCP. Configure the syslog
      server address and port in Strata Logging Service Settings > Log
      Forwarding. Supports CEF, LEEF, and CSV output formats. Non-encrypted
      TCP syslog uses port 514 by default.
    variables:
      syslogHost:
        description: Hostname or IP address of the syslog destination server.
      syslogPort:
        description: TCP port for syslog ingestion (default 514).
  syslog-tls:
    url: '{syslogHost}:{syslogTlsPort}'
    protocol: tcp
    description: >
      Syslog destination for log forwarding over TLS-encrypted TCP. TLS
      encryption is recommended for production deployments and requires
      uploading the syslog server's CA certificate for mutual authentication.
      Supports CEF, LEEF, and CSV output formats over TLS transport.
    variables:
      syslogHost:
        description: Hostname or IP address of the TLS syslog destination server.
      syslogTlsPort:
        description: TLS-encrypted TCP port for syslog ingestion (default 6514).
    security:
      - tlsMutualAuth: []
  syslog-udp:
    url: '{syslogHost}:{syslogUdpPort}'
    protocol: udp
    description: >
      Syslog destination for log forwarding over UDP. UDP syslog provides
      lower overhead but without guaranteed delivery. Suitable for high-volume
      log forwarding in environments where occasional loss is acceptable.
    variables:
      syslogHost:
        description: Hostname or IP address of the UDP syslog destination server.
      syslogUdpPort:
        description: UDP port for syslog ingestion (default 514).
  https-endpoint:
    url: '{httpsUrl}'
    protocol: https
    description: >
      HTTPS destination for log forwarding via HTTP POST requests. Configure
      the HTTPS endpoint URL in Strata Logging Service Settings > Log
      Forwarding. The endpoint must accept POST requests and return a 2xx
      response. Supports JSON, CEF, LEEF, and PARQUET output formats.
      Authentication is configured via custom HTTP headers or OAuth2 client
      credentials.
    variables:
      httpsUrl:
        description: >
          The fully-qualified HTTPS endpoint URL for log delivery,
          such as https://siem.example.com/api/logs.
    security:
      - httpsApiKey: []
tags:
  - name: logs
    description: Security log forwarding events from Strata products
  - name: traffic
    description: Network session traffic log events
  - name: threat
    description: Threat detection and prevention log events
  - name: siem
    description: Log forwarding to SIEM and data lake destinations
defaultContentType: application/json
channels:
  log/traffic:
    description: >
      Channel for forwarded traffic logs. Traffic logs record the start and
      end of every network session passing through the firewall, including
      source and destination addresses, ports, protocols, applications
      identified by App-ID, actions taken, and session byte and packet
      counters. Traffic logs provide comprehensive network visibility and
      session tracking for security analytics and compliance reporting.
      Supported formats: CSV, LEEF, CEF, JSON, PARQUET.
    subscribe:
      operationId: onTrafficLog
      summary: Forwarded traffic log entry
      description: >
        Fired when a traffic session log is generated by the firewall and
        forwarded according to the configured log forwarding profile. Each
        event represents one completed or terminated network session.
      message:
        $ref: '#/components/messages/TrafficLog'
      bindings:
        http:
          method: POST
  log/threat:
    description: >
      Channel for forwarded threat logs. Threat logs record security events
      detected by the firewall's threat prevention engines including
      antivirus, anti-spyware, vulnerability protection, DNS security, and
      custom threat signatures. Each entry identifies the threat, its
      severity, the action taken, attack direction, and session context.
      Supported formats: CSV, LEEF, CEF, JSON, PARQUET.
    subscribe:
      operationId: onThreatLog
      summary: Forwarded threat detection log entry
      description: >
        Fired when a threat prevention event is detected and logged by the
        firewall's security profiles, then forwarded according to the
        configured log forwarding profile.
      message:
        $ref: '#/components/messages/ThreatLog'
      bindings:
        http:
          method: POST
  log/url:
    description: >
      Channel for forwarded URL filtering logs. URL filtering logs record
      web access events evaluated by the URL Filtering security profile.
      Each entry includes the requested URL, URL category, action taken,
      HTTP method, content type, and user identity when User-ID is enabled.
      Supported formats: CSV, LEEF, CEF, JSON, PARQUET.
    subscribe:
      operationId: onUrlLog
      summary: Forwarded URL filtering log entry
      description: >
        Fired when a URL filtering policy evaluation is logged and forwarded.
        Captures web browsing activity and policy enforcement decisions for
        security visibility and compliance.
      message:
        $ref: '#/components/messages/UrlLog'
      bindings:
        http:
          method: POST
  log/wildfire:
    description: >
      Channel for forwarded WildFire submission logs. WildFire logs record
      file analysis results from the WildFire cloud-based sandbox analysis
      service. Each entry includes the file name, type, SHA-256 hash, final
      verdict (benign, malware, grayware, phishing), and a link to the
      analysis report. Supported formats: CSV, LEEF, CEF, JSON, PARQUET.
    subscribe:
      operationId: onWildfireLog
      summary: Forwarded WildFire file analysis log entry
      description: >
        Fired when a WildFire file analysis result is received and logged by
        the firewall, then forwarded according to the configured log
        forwarding profile. Provides malware verdict and analysis details.
      message:
        $ref: '#/components/messages/WildfireLog'
      bindings:
        http:
          method: POST
  log/auth:
    description: >
      Channel for forwarded authentication logs. Authentication logs record
      user authentication events processed by the firewall's Authentication
      Policy, including SAML assertions, Kerberos ticket validations, LDAP
      binds, RADIUS authentications, and MFA challenges. Each entry captures
      the authentication method, result, user identity, and policy context.
      Supported formats: CSV, LEEF, CEF, JSON, PARQUET.
    subscribe:
      operationId: onAuthLog
      summary: Forwarded authentication event log entry
      description: >
        Fired when an authentication policy evaluation is logged and
        forwarded. Provides visibility into user authentication activity for
        identity-based security monitoring and compliance.
      message:
        $ref: '#/components/messages/AuthLog'
      bindings:
        http:
          method: POST
components:
  messages:
    TrafficLog:
      name: TrafficLog
      title: Traffic Log Entry
      summary: >
        A forwarded traffic log entry representing a network session
        that passed through or was blocked by the firewall
      contentType: application/json
      payload:
        $ref: '#/components/schemas/TrafficLogPayload'
      examples:
        - name: AllowedWebTrafficSession
          summary: Allowed HTTPS web-browsing session log
          payload:
            receive_time: '2024-01-15T10:32:01.000Z'
            serial: '012345678901'
            type: TRAFFIC
            subtype: end
            src: 10.0.1.100
            dst: 203.0.113.50
            sport: 54321
            dport: 443
            proto: tcp
            app: ssl
            action: allow
            bytes_sent: 2048
            bytes_received: 15360
            session_id: '123456'
            rule_name: allow-web-outbound
            src_zone: trust
            dst_zone: untrust
            src_user: DOMAIN\jsmith
            device_name: PA-3260-DC1
            vsys: vsys1
            log_forwarding_profile: forward-to-siem
            output_format: JSON
      x-microcks-default: true
    ThreatLog:
      name: ThreatLog
      title: Threat Log Entry
      summary: >
        A forwarded threat detection log entry for a security event caught
        by the firewall's threat prevention profiles
      contentType: application/json
      payload:
        $ref: '#/components/schemas/ThreatLogPayload'
      examples:
        - name: MalwareDownloadBlocked
          summary: Malware download attempt blocked by antivirus profile
          payload:
            receive_time: '2024-01-15T10:45:00.000Z'
            serial: '012345678901'
            type: THREAT
            subtype: virus
            src: 203.0.113.200
            dst: 10.0.1.100
            sport: 80
            dport: 54322
            proto: tcp
            app: web-browsing
            threat_name: Trojan-Downloader/Win.Generic
            severity: high
            action: reset-both
            direction: server-to-client
            threat_id: '52345'
            rule_name: allow-web-outbound
            src_zone: untrust
            dst_zone: trust
            device_name: PA-3260-DC1
            vsys: vsys1
            log_forwarding_profile: forward-to-siem
            output_format: JSON
      x-microcks-default: true
    UrlLog:
      name: UrlLog
      title: URL Filtering Log Entry
      summary: >
        A forwarded URL filtering log entry for a web access event
        evaluated by the URL Filtering security profile
      contentType: application/json
      payload:
        $ref: '#/components/schemas/UrlLogPayload'
      examples:
        - name: MalwareUrlBlocked
          summary: Access to a malware-categorized URL blocked
          payload:
            receive_time: '2024-01-15T10:50:00.000Z'
            serial: '012345678901'
            type: URL
            src: 10.0.1.100
            dst: 198.51.100.1
            sport: 54323
            dport: 80
            app: web-browsing
            url: http://malware-distribution.example.com/payload.exe
            url_category: malware
            action: block
            http_method: GET
            src_user: DOMAIN\jsmith
            rule_name: allow-web-outbound
            device_name: PA-3260-DC1
            vsys: vsys1
            log_forwarding_profile: forward-to-siem
            output_format: JSON
      x-microcks-default: true
    WildfireLog:
      name: WildfireLog
      title: WildFire Log Entry
      summary: >
        A forwarded WildFire file analysis log entry with the malware
        verdict returned by the WildFire cloud sandbox service
      contentType: application/json
      payload:
        $ref: '#/components/schemas/WildfireLogPayload'
      examples:
        - name: MalwareVerdictReceived
          summary: WildFire malware verdict received for submitted PE file
          payload:
            receive_time: '2024-01-15T11:00:00.000Z'
            serial: '012345678901'
            type: WILDFIRE
            src: 10.0.1.100
            dst: 203.0.113.50
            app: web-browsing
            filename: suspicious_invoice.exe
            filetype: PE
            file_hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
            file_size: 204800
            verdict: malware
            action: block
            report_url: 'https://wildfire.paloaltonetworks.com/wildfire/reportlist'
            src_user: DOMAIN\jsmith
            rule_name: allow-web-outbound
            device_name: PA-3260-DC1
            vsys: vsys1
            log_forwarding_profile: forward-to-siem
            output_format: JSON
      x-microcks-default: true
    AuthLog:
      name: AuthLog
      title: Authentication Log Entry
      summary: >
        A forwarded authentication event log entry for a user authentication
        processed by the firewall's Authentication Policy
      contentType: application/json
      payload:
        $ref: '#/components/schemas/AuthLogPayload'
      examples:
        - name: SuccessfulSamlAuthentication
          summary: Successful SAML authentication via GlobalProtect
          payload:
            receive_time: '2024-01-15T08:00:00.000Z'
            serial: '012345678901'
            type: AUTH
            subtype: auth-success
            src: 203.0.113.100
            src_user: [email protected]
            auth_method: SAML
            auth_source: Okta-SAML-IdP
            auth_result: success
            rule_name: gp-authentication-policy
            auth_profile: saml-auth-profile
            device_name: PA-3260-DC1
            vsys: vsys1
            log_forwarding_profile: forward-to-siem
            output_format: JSON
      x-microcks-default: true
  schemas:
    TrafficLogPayload:
      type: object
      description: >
        Schema for a forwarded PAN-OS traffic log entry. Traffic logs
        capture session metadata for every network connection processed
        by the firewall, providing comprehensive network visibility for
        security operations, compliance, and analytics.
      properties:
        receive_time:
          type: string
          format: date-time
          description: >
            Timestamp when the log entry was received by Strata Logging
            Service from the generating firewall device.
          example: '2025-06-04T00:03:58Z'
        serial:
          type: string
          description: >
            Serial number of the Palo Alto Networks firewall or Prisma
            Access node that generated this log entry.
          example: 6D8587EBF924
        type:
          type: string
          enum:
            - TRAFFIC
          description: >
            Log type identifier, always TRAFFIC for traffic log entries.
          example: TRAFFIC
        subtype:
          type: string
          enum:
            - start
            - end
            - drop
            - deny
          description: >
            Traffic log subtype indicating what session lifecycle event
            triggered this log entry.
          example: deny
        src:
          type: string
          description: Source IP address of the network session.
          example: 10.0.1.100
        dst:
          type: string
          description: Destination IP address of the network session.
          example: 203.0.113.50
        sport:
          type: integer
          description: Source port number of the network session.
          example: 365
        dport:
          type: integer
          description: Destination port number of the network session.
          example: 268
        proto:
          type: string
          description: >
            IP protocol name or number for the session (e.g., tcp, udp,
            icmp).
          example: tcp
        app:
          type: string
          description: >
            Application identified by PAN-OS App-ID, such as ssl,
            web-browsing, dns, or a specific SaaS application name.
          example: ssh
        action:
          type: string
          enum:
            - allow
            - deny
            - drop
            - reset-client
            - reset-server
            - reset-both
          description: >
            Enforcement action applied to the session by the matching
            security policy rule.
          example: reset-server
        bytes_sent:
          type: integer
          description: Total bytes sent from client to server in this session.
          example: 894
        bytes_received:
          type: integer
          description: Total bytes received by client from server in this session.
          example: 783
        session_id:
          type: string
          description: >
            Unique session identifier assigned by the firewall for this
            network session.
          example: '799147'
        rule_name:
          type: string
          description: >
            Name of the security policy rule that matched and processed
            this session.
          example: allow-web-outbound
        src_zone:
          type: string
          description: Source security zone from which the session originated.
          example: internal
        dst_zone:
          type: string
          description: >
            Destination security zone to which the session is destined.
          example: untrust
        src_user:
          type: string
          description: >
            Source user identity associated with the session if User-ID
            is enabled on the ingress zone.
          example: DOMAIN\jsmith
        dst_user:
          type: string
          description: Destination user identity if available.
          example: example-dst_user
        nat_src:
          type: string
          description: Post-NAT source IP address after address translation.
          example: example-nat_src
        nat_dst:
          type: string
          description: Post-NAT destination IP address after address translation.
          example: example-nat_dst
        nat_sport:
          type: integer
          description: Post-NAT source port after port address translation.
          example: 872
        nat_dport:
          type: integer
          description: Post-NAT destination port after port address translation.
          example: 184
        packets_sent:
          type: integer
          description: Total packets sent from client in this session.
          example: 946
        packets_received:
          type: integer
          description: Total packets received by client in this session.
          example: 230
        session_duration:
          type: integer
          description: Total session duration in seconds.
          example: 562
        device_name:
          type: string
          description: Hostname of the firewall that generated this log entry.
          example: PA-3260-DC1
        vsys:
          type: string
          description: Virtual system name or identifier on the firewall.
          example: vsys1
        log_forwarding_profile:
          type: string
          description: >
            Name of the Strata Logging Service log forwarding profile that
            forwarded this log entry.
          example: forward-to-siem
        output_format:
          type: string
          enum:
            - CSV
            - LEEF
            - CEF
            - JSON
            - PARQUET
          description: >
            Output format in which this log entry was forwarded to the
            destination.
          example: CSV
    ThreatLogPayload:
      type: object
      description: >
        Schema for a forwarded PAN-OS threat log entry. Threat logs capture
        security events detected by the firewall's threat prevention engines,
        providing detailed information about malware, exploits, spyware,
        command-and-control traffic, and other detected threats.
      properties:
        receive_time:
          type: string
          format: date-time
          description: >
            Timestamp when the threat log entry was received by Strata
            Logging Service.
          example: '2024-09-20T23:03:41Z'
        serial:
          type: string
          description: >
            Serial number of the Palo Alto Networks device that generated
            this threat log entry.
          example: EDB034C66B7A
        type:
          type: string
          enum:
            - THREAT
          description: >
            Log type identifier, always THREAT for threat log entries.
          example: THREAT
        subtype:
          type: string
          enum:
            - virus
            - spyware
            - vulnerability
            - url
            - wildfire
            - wildfire-virus
            - data
            - file
            - scan
            - flood
          description: >
            Threat log subtype indicating which threat prevention engine
            or signature category generated the detection event.
          example: virus
        src:
          type: string
          description: Source IP address of the session in which the threat was detected.
          example: 203.0.113.200
        dst:
          type: string
          description: >
            Destination IP address of the session in which the threat was
            detected.
          example: 10.0.1.100
        sport:
          type: integer
          description: Source port number of the session.
          example: 965
        dport:
          type: integer
          description: Destination port number of the session.
          example: 926
        proto:
          type: string
          description: IP protocol of the session.
          example: tcp
        app:
          type: string
          description: Application identified by App-ID in the threat session.
          example: ssl
        threat_name:
          type: string
          description: >
            Name of the detected threat as defined in the Palo Alto Networks
            threat database and threat vault.
          example: Trojan-Downloader/Win.Generic
        severity:
          type: string
          enum:
            - informational
            - low
            - medium
            - high
            - critical
          description: >
            Severity level of the detected threat as defined by the threat
            signature or detection engine.
          example: low
        action:
          type: string
          enum:
            - alert
            - allow
            - deny
            - drop
            - reset-client
            - reset-server
            - reset-both
            - block-url
            - block-ip
            - sinkhole
          description: >
            Action taken by the threat prevention engine in response to the
            detected threat.
          example: deny
        direction:
          type: string
          enum:
            - client-to-server
            - server-to-client
          description: >
            Direction of the detected attack relative to the network session
            flow.
          example: client-to-server
        threat_id:
          type: string
          description: >
            Unique numeric identifier for the threat signature from the Palo
            Alto Networks threat vault. Used for threat intelligence lookup
            and signature reference.
          example: '759526'
        rule_name:
          type: string
          description: >
            Name of the security policy rule that matched the session in
            which the threat was detected.
          example: allow-web-outbound
        src_zone:
          type: string
          description: Source security zone of the threat session.
          example: trust
        dst_zone:
          type: string
          description: Destination security zone of the threat session.
          example: dmz
        src_user:
          type: string
          description: Source user identity if User-ID is enabled.
          example: DOMAIN\jsmith
        url_or_filename:
          type: string
          description: >
            URL or filename associated with the detected threat, depending
            on the threat subtype.
          example: http://malware-distribution.example.com/payload.exe
        device_name:
          type: string
          description: Hostname of the firewall that generated this threat log entry.
          example: PA-3260-DC1
        vsys:
          type: string
          description: Virtual system name or identifier on the firewall.
          example: vsys1
        log_forwarding_profile:
          type: string
          description: >
            Name of the log forwarding profile that forwarded this log entry.
          example: forward-to-siem
        output_format:
          type: string
          enum:
            - CSV
            - LEEF
            - CEF
            - JSON
            - PARQUET
          description: Output format in which this log entry was forwarded.
          example: CEF
    UrlLogPayload:
      type: object
      description: >
        Schema for a forwarded PAN-OS URL filtering log entry. URL logs
        capture web access events evaluated by the URL Filtering security
        profile, providing visibility into browsing activity, policy
        enforcement, and URL category decisions.
      properties:
        receive_time:
          type: string
          format: date-time
          description: >
            Timestamp when the URL log entry was received by Strata Logging
            Service.
          example: '2026-04-07T12:35:01Z'
        serial:
          type: string
          description: >
            Serial number of the Palo Alto Networks device that generated
            this URL log entry.
          example: 42D35703AC35
        type:
          type: string
          enum:
            - URL
          description: Log type identifier, always URL for URL filtering log entries.
          example: URL
        src:
          type: string
          description: Source IP address of the client making the web request.
          example: 10.0.1.100
        dst:
          type: string
          description: Destination IP address of the web server being accessed.
          example: 198.51.100.1
        sport:
          type: integer
          description: Source port number of the HTTP/HTTPS session.
          example: 844
        dport:
          type: integer
          description: Destination port number of the HTTP/HTTPS session.
          example: 443
        app:
          type: string
          description: >
            Application identified by App-ID for the web session (e.g.,
            web-browsing, ssl, google-base).
          example: web-browsing
        url:
          type: string
          description: >
            The full URL that was requested, including protocol, hostname,
            path, and query parameters if present.
          example: https://mail.acme-systems.org/11ced5
        url_category:
          type: string
          description: >
            URL category classification assigned by PAN-DB URL filtering
            database (e.g., business-and-economy, malware,
            social-networking, command-and-control).
          example: malware
        action:
          type: string
          enum:
            - allow
            - block
            - continue
            - override
            - alert
          description: >
            Action applied to the URL request by the URL Filtering security
            profile configured on the matching security policy rule.
          example: override
        http_method:
          type: string
          enum:
            - GET
            - POST
            - PUT
            - DELETE
            - HEAD
            - OPTIONS
            - PATCH
            - CONNECT
          description: HTTP method of the web request.
          example: PATCH
        content_type:
          type: string
          description: MIME content type of the HTTP response.
          example: text/html
        src_user:
          type: string
          description: >
            Source user identity associated with the web request if User-ID
            is enabled.
          example: DOMAIN\jsmith
        rule_name:
          type: string
          description: >
            Name of the security policy rule that matched the session
            containing this URL request.
          example: allow-web-outbound
        device_name:
          type: string
          description: Hostname of the firewall that generated this URL log entry.
          example: PA-3260-DC1
        vsys:
          type: string
          description: Virtual system name or identifier on the firewall.
          example: vsys1
        log_forwarding_profile:
          type: string
          description: >
            Name of the log forwarding profile that forwarded this log entry.
          example: forward-to-siem
        output_format:
          type: string
          enum:
            - CSV
            - LEEF
            - CEF
            - JSON
            - PARQUET
          description: Output format in which this log entry was forwarded.
          example: CSV
    WildfireLogPayload:
      type: object
      description: >
        Schema for a forwarded PAN-OS WildFire submission log entry.
        WildFire logs record the results of file analysis by the WildFire
        cloud-based sandbox malware analysis service, providing verdicts
        and analysis report links for detected threats.
      properties:
        receive_time:
          type: string
          format: date-time
          description: >
            Timestamp when the WildFire log entry was received by Strata
            Logging Service.
          example: '2024-05-07T23:30:25Z'
        serial:
          type: string
          description: >
            Serial number of the Palo Alto Networks device that submitted
            the file to WildFire and generated this log entry.
          example: 1F61A06C3D82
        type:
          type: string
          enum:
            - WILDFIRE
          description: >
            Log type identifier, always WILDFIRE for WildFire log entries.
          example: WILDFIRE
        src:
          type: string
          description: Source IP address of the session from which the file was captured.
          example: 10.0.1.100
        dst:
          type: string
          description: >
            Destination IP address of the session from which the file was
            captured.
          example: 203.0.113.50
        app:
          type: string
          description: >
            Application identified by App-ID in the session from which the
            file was captured.
          example: web-browsing
        filename:
          type: string
          description: Name of the file that was submitted to WildFire for analysis.
          example: suspicious_invoice.exe
        filetype:
          type: string
          description: >
            File type of the submitted file (e.g., PE, PDF, APK, Adobe Flash,
            Microsoft Office, script, Java Applet).
          example: PE
        file_hash:
          type: string
          description: >
            SHA-256 cryptographic hash of the submitted file, used as the
            unique file identifier in the WildFire cloud database.
          example: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
        file_size:
          type: integer
          description: Size of the submitted file in bytes.
          example: 360
        verdict:
          type: string
          enum:
            - benign
            - malware
            - grayware
            - phishing
            - pending
          description: >
            WildFire analysis verdict for the submitted file indicating
            whether it is benign, malicious malware, potentially unwanted
            grayware, a phishing document, or pending analysis completion.
          example: grayware
        action:
          type: string
          enum:
            - allow
            - block
          description: >
            Action applied to the file by the WildFire security profile
            based on the analysis verdict.
          example: block
        report_url:
          type: string
          format: uri
          description: >
            URL to the full WildFire analysis report in the Palo Alto
            Networks WildFire portal, providing deta
# --- truncated at 32 KB (38 KB total) ---
# Full source: https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/asyncapi/palo-alto-strata-logging-forwarding-asyncapi-original.yml