Strata Logging Service Log Forwarding enables security operations teams to forward security logs from Palo Alto Networks next-generation firewalls, Prisma Access, and other Strata products to external SIEM systems, data lakes, and log management platforms. Log forwarding profiles define which log types are forwarded, in which output format, and to which destination. Supported transport protocols include Syslog over TCP, UDP, and TLS, HTTPS REST endpoints, and Email. Supported output formats include CSV, LEEF (Log Event Extended Format), CEF (Common Event Format), JSON, and PARQUET. Log types available for forwarding include traffic, threat, URL filtering, data, WildFire malware analysis, authentication, decryption, and GlobalProtect logs. Each log type delivers structured security event data enabling comprehensive network visibility, compliance reporting, and security analytics in downstream platforms.
Channels
log/traffic
subscribe: onTrafficLog
Forwarded traffic log entry
Channel for forwarded traffic logs. Traffic logs record the start and end of every network session passing through the firewall, including source and destination addresses, ports, protocols, applications identified by App-ID, actions taken, and session byte and packet counters. Traffic logs provide comprehensive network visibility and session tracking for security analytics and compliance reporting. Supported formats: CSV, LEEF, CEF, JSON, PARQUET.
log/threat
subscribe: onThreatLog
Forwarded threat detection log entry
Channel for forwarded threat logs. Threat logs record security events detected by the firewall's threat prevention engines including antivirus, anti-spyware, vulnerability protection, DNS security, and custom threat signatures. Each entry identifies the threat, its severity, the action taken, attack direction, and session context. Supported formats: CSV, LEEF, CEF, JSON, PARQUET.
log/url
subscribe: onUrlLog
Forwarded URL filtering log entry
Channel for forwarded URL filtering logs. URL filtering logs record web access events evaluated by the URL Filtering security profile. Each entry includes the requested URL, URL category, action taken, HTTP method, content type, and user identity when User-ID is enabled. Supported formats: CSV, LEEF, CEF, JSON, PARQUET.
log/wildfire
subscribe: onWildfireLog
Forwarded WildFire file analysis log entry
Channel for forwarded WildFire submission logs. WildFire logs record file analysis results from the WildFire cloud-based sandbox analysis service. Each entry includes the file name, type, SHA-256 hash, final verdict (benign, malware, grayware, phishing), and a link to the analysis report. Supported formats: CSV, LEEF, CEF, JSON, PARQUET.
log/auth
subscribe: onAuthLog
Forwarded authentication event log entry
Channel for forwarded authentication logs. Authentication logs record user authentication events processed by the firewall's Authentication Policy, including SAML assertions, Kerberos ticket validations, LDAP binds, RADIUS authentications, and MFA challenges. Each entry captures the authentication method, result, user identity, and policy context. Supported formats: CSV, LEEF, CEF, JSON, PARQUET.
Messages
TrafficLog (Traffic Log Entry)
A forwarded traffic log entry representing a network session that passed through or was blocked by the firewall
ThreatLog (Threat Log Entry)
A forwarded threat detection log entry for a security event caught by the firewall's threat prevention profiles
UrlLog (URL Filtering Log Entry)
A forwarded URL filtering log entry for a web access event evaluated by the URL Filtering security profile
WildfireLog (WildFire Log Entry)
A forwarded WildFire file analysis log entry with the malware verdict returned by the WildFire cloud sandbox service
AuthLog (Authentication Log Entry)
A forwarded authentication event log entry for a user authentication processed by the firewall's Authentication Policy
Servers
syslog-tcp (protocol: tcp): {syslogHost}:{syslogPort}
Syslog destination for log forwarding over TCP. Configure the syslog server address and port in Strata Logging Service Settings > Log Forwarding. Supports CEF, LEEF, and CSV output formats. Non-encrypted TCP syslog uses port 514 by default.
syslog-tls (protocol: tcp): {syslogHost}:{syslogTlsPort}
Syslog destination for log forwarding over TLS-encrypted TCP. TLS encryption is recommended for production deployments and requires uploading the syslog server's CA certificate for mutual authentication. Supports CEF, LEEF, and CSV output formats over TLS transport.
syslog-udp (protocol: udp): {syslogHost}:{syslogUdpPort}
Syslog destination for log forwarding over UDP. UDP syslog has lower overhead but no guaranteed delivery, so it is suitable for high-volume log forwarding in environments where occasional loss is acceptable.
https-endpoint (protocol: https): {httpsUrl}
HTTPS destination for log forwarding via HTTP POST requests. Configure the HTTPS endpoint URL in Strata Logging Service Settings > Log Forwarding. The endpoint must accept POST requests and return a 2xx response. Supports JSON, CEF, LEEF, and PARQUET output formats. Authentication is configured via custom HTTP headers or OAuth2 client credentials.
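As an added example that is not part of this spec or of any Palo Alto Networks code, the following Python receiver enforces the HTTPS endpoint contract described above: it accepts only POST, authenticates the forwarder through a custom HTTP header compared in constant time, parses the JSON body, and answers 2xx only when the batch was accepted. The header name, the token value and the record shape are assumptions; TLS termination is assumed to happen in front of this handler (for example at a reverse proxy), and the real token would come from a secret store.

```python
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed header name and constructed token; Strata Logging Service lets you
# set custom headers on the HTTPS destination, so pick one and keep it secret.
AUTH_HEADER = "X-Forwarding-Token"
EXPECTED_TOKEN = "example-forwarding-token"


def handle_forwarded_logs(method: str, headers: dict, body: bytes) -> tuple[int, dict]:
    """Return (HTTP status, JSON response) for one forwarded request."""
    if method != "POST":
        return 405, {"error": "only POST is accepted"}
    # Header names are case-insensitive in HTTP; match accordingly.
    presented = next((v for k, v in headers.items() if k.lower() == AUTH_HEADER.lower()), "")
    # Constant-time comparison so response timing does not leak the token prefix.
    if not hmac.compare_digest(presented.encode("utf-8"), EXPECTED_TOKEN.encode("utf-8")):
        return 401, {"error": "unauthorized"}
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        # A 4xx tells the forwarder the batch itself is bad, not the receiver.
        return 400, {"error": "body is not valid JSON"}
    records = payload if isinstance(payload, list) else [payload]
    if not all(isinstance(r, dict) for r in records):
        return 400, {"error": "expected a JSON object or an array of objects"}
    # Hand `records` to the SIEM ingestion pipeline here; this example only counts them.
    return 200, {"accepted": len(records)}


class ForwardingHandler(BaseHTTPRequestHandler):
    """Thin HTTP wrapper around handle_forwarded_logs."""

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0"))
        status, response = handle_forwarded_logs("POST", dict(self.headers), self.rfile.read(length))
        out = json.dumps(response).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


if __name__ == "__main__":
    # Listens on localhost only; put a TLS-terminating proxy in front for HTTPS.
    HTTPServer(("127.0.0.1", 8443), ForwardingHandler).serve_forever()
```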