Palo Alto Networks · JSON Structure

Strata Logging Forwarding Traffic Log Payload Structure

Schema for a forwarded PAN-OS traffic log entry. Traffic logs capture session metadata for every network connection processed by the firewall, providing comprehensive network visibility for security operations, compliance, and analytics.

Type: object · Properties: 30
Tags: Cloud Security, Cybersecurity, Firewall, Network Security, SASE, SOAR, Threat Intelligence, XDR

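TrafficLogPayload is a JSON Structure definition published by Palo Alto Networks, describing 30 properties. It conforms to the https://json-structure.org/meta/core/v0/# meta-schema. The definition marks no property as required, and it types the byte and packet counters as int32, so consumers that parse these logs for detection or analytics should tolerate missing fields and confirm that large transfer counts fit the declared 32-bit range.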

Properties

receive_time serial type subtype src dst sport dport proto app action bytes_sent bytes_received session_id rule_name src_zone dst_zone src_user dst_user nat_src nat_dst nat_sport nat_dport packets_sent packets_received session_duration device_name vsys log_forwarding_profile output_format

Meta-schema: https://json-structure.org/meta/core/v0/#

JSON Structure

{
  "$schema": "https://json-structure.org/meta/core/v0/#",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/strata-logging-forwarding-traffic-log-payload-structure.json",
  "name": "TrafficLogPayload",
  "description": "Schema for a forwarded PAN-OS traffic log entry. Traffic logs capture session metadata for every network connection processed by the firewall, providing comprehensive network visibility for security operations, compliance, and analytics.\n",
  "type": "object",
  "properties": {
    "receive_time": {
      "type": "datetime",
      "description": "Timestamp when the log entry was received by Strata Logging Service from the generating firewall device.\n"
    },
    "serial": {
      "type": "string",
      "description": "Serial number of the Palo Alto Networks firewall or Prisma Access node that generated this log entry.\n"
    },
    "type": {
      "type": "string",
      "description": "Log type identifier, always TRAFFIC for traffic log entries.\n",
      "enum": [
        "TRAFFIC"
      ]
    },
    "subtype": {
      "type": "string",
      "description": "Traffic log subtype indicating what session lifecycle event triggered this log entry.\n",
      "enum": [
        "start",
        "end",
        "drop",
        "deny"
      ]
    },
    "src": {
      "type": "string",
      "description": "Source IP address of the network session."
    },
    "dst": {
      "type": "string",
      "description": "Destination IP address of the network session."
    },
    "sport": {
      "type": "int32",
      "description": "Source port number of the network session."
    },
    "dport": {
      "type": "int32",
      "description": "Destination port number of the network session."
    },
    "proto": {
      "type": "string",
      "description": "IP protocol name or number for the session (e.g., tcp, udp, icmp).\n"
    },
    "app": {
      "type": "string",
      "description": "Application identified by PAN-OS App-ID, such as ssl, web-browsing, dns, or a specific SaaS application name.\n"
    },
    "action": {
      "type": "string",
      "description": "Enforcement action applied to the session by the matching security policy rule.\n",
      "enum": [
        "allow",
        "deny",
        "drop",
        "reset-client",
        "reset-server",
        "reset-both"
      ]
    },
    "bytes_sent": {
      "type": "int32",
      "description": "Total bytes sent from client to server in this session."
    },
    "bytes_received": {
      "type": "int32",
      "description": "Total bytes received by client from server in this session."
    },
    "session_id": {
      "type": "string",
      "description": "Unique session identifier assigned by the firewall for this network session.\n"
    },
    "rule_name": {
      "type": "string",
      "description": "Name of the security policy rule that matched and processed this session.\n"
    },
    "src_zone": {
      "type": "string",
      "description": "Source security zone from which the session originated."
    },
    "dst_zone": {
      "type": "string",
      "description": "Destination security zone to which the session is destined.\n"
    },
    "src_user": {
      "type": "string",
      "description": "Source user identity associated with the session if User-ID is enabled on the ingress zone.\n"
    },
    "dst_user": {
      "type": "string",
      "description": "Destination user identity if available."
    },
    "nat_src": {
      "type": "string",
      "description": "Post-NAT source IP address after address translation."
    },
    "nat_dst": {
      "type": "string",
      "description": "Post-NAT destination IP address after address translation."
    },
    "nat_sport": {
      "type": "int32",
      "description": "Post-NAT source port after port address translation."
    },
    "nat_dport": {
      "type": "int32",
      "description": "Post-NAT destination port after port address translation."
    },
    "packets_sent": {
      "type": "int32",
      "description": "Total packets sent from client in this session."
    },
    "packets_received": {
      "type": "int32",
      "description": "Total packets received by client in this session."
    },
    "session_duration": {
      "type": "int32",
      "description": "Total session duration in seconds."
    },
    "device_name": {
      "type": "string",
      "description": "Hostname of the firewall that generated this log entry."
    },
    "vsys": {
      "type": "string",
      "description": "Virtual system name or identifier on the firewall."
    },
    "log_forwarding_profile": {
      "type": "string",
      "description": "Name of the Strata Logging Service log forwarding profile that forwarded this log entry.\n"
    },
    "output_format": {
      "type": "string",
      "description": "Output format in which this log entry was forwarded to the destination.\n",
      "enum": [
        "CSV",
        "LEEF",
        "CEF",
        "JSON",
        "PARQUET"
      ]
    }
  }
}