```yaml
asyncapi: 2.6.0
info:
  title: Strata Logging Service Log Forwarding
  version: 1.0.0
  description: >
    Strata Logging Service Log Forwarding enables security operations teams
    to forward security logs from Palo Alto Networks next-generation firewalls,
    Prisma Access, and other Strata products to external SIEM systems, data
    lakes, and log management platforms. Log forwarding profiles define which
    log types are forwarded, in which output format, and to which destination.

    Supported transport protocols include Syslog over TCP, UDP, and TLS,
    HTTPS REST endpoints, and Email. Supported output formats include CSV,
    LEEF (Log Event Extended Format), CEF (Common Event Format), JSON, and
    PARQUET.

    Log types available for forwarding include traffic, threat, URL filtering,
    data, WildFire malware analysis, authentication, decryption, and
    GlobalProtect logs. Each log type delivers structured security event data
    enabling comprehensive network visibility, compliance reporting, and
    security analytics in downstream platforms.
  contact:
    name: Palo Alto Networks Developer Support
    url: https://pan.dev/
    email: support@paloaltonetworks.com
  license:
    name: Proprietary
    url: https://www.paloaltonetworks.com/legal

servers:
  syslog-tcp:
    url: '{syslogHost}:{syslogPort}'
    protocol: tcp
    description: >
      Syslog destination for log forwarding over TCP. Configure the syslog
      server address and port in Strata Logging Service Settings > Log
      Forwarding. Supports CEF, LEEF, and CSV output formats. Non-encrypted
      TCP syslog uses port 514 by default.
    variables:
      syslogHost:
        description: Hostname or IP address of the syslog destination server.
      syslogPort:
        description: TCP port for syslog ingestion (default 514).
  syslog-tls:
    url: '{syslogHost}:{syslogTlsPort}'
    protocol: tcp
    description: >
      Syslog destination for log forwarding over TLS-encrypted TCP. TLS
      encryption is recommended for production deployments and requires
      uploading the syslog server's CA certificate for mutual authentication.
      Supports CEF, LEEF, and CSV output formats over TLS transport.
    variables:
      syslogHost:
        description: Hostname or IP address of the TLS syslog destination server.
      syslogTlsPort:
        description: TLS-encrypted TCP port for syslog ingestion (default 6514).
    security:
      - tlsMutualAuth: []
  syslog-udp:
    url: '{syslogHost}:{syslogUdpPort}'
    protocol: udp
    description: >
      Syslog destination for log forwarding over UDP. UDP syslog has lower
      overhead but no guaranteed delivery. Suitable for high-volume log
      forwarding in environments where occasional loss is acceptable.
    variables:
      syslogHost:
        description: Hostname or IP address of the UDP syslog destination server.
      syslogUdpPort:
        description: UDP port for syslog ingestion (default 514).
  https-endpoint:
    url: '{httpsUrl}'
    protocol: https
    description: >
      HTTPS destination for log forwarding via HTTP POST requests. Configure
      the HTTPS endpoint URL in Strata Logging Service Settings > Log
      Forwarding. The endpoint must accept POST requests and return a 2xx
      response. Supports JSON, CEF, LEEF, and PARQUET output formats.
      Authentication is configured via custom HTTP headers or OAuth2 client
      credentials.
    variables:
      httpsUrl:
        description: >
          The fully-qualified HTTPS endpoint URL for log delivery, such as
          https://siem.example.com/api/logs.
    security:
      - httpsApiKey: []

tags:
  - name: logs
    description: Security log forwarding events from Strata products
  - name: traffic
    description: Network session traffic log events
  - name: threat
    description: Threat detection and prevention log events
  - name: siem
    description: Log forwarding to SIEM and data lake destinations

defaultContentType: application/json

channels:
  log/traffic:
    description: >
      Channel for forwarded traffic logs. Traffic logs record the start and
      end of every network session passing through the firewall, including
      source and destination addresses, ports, protocols, applications
      identified by App-ID, actions taken, and session byte and packet
      counters. Traffic logs provide comprehensive network visibility and
      session tracking for security analytics and compliance reporting.
      Supported formats: CSV, LEEF, CEF, JSON, PARQUET.
    subscribe:
      operationId: onTrafficLog
      summary: Forwarded traffic log entry
      description: >
        Fired when a traffic session log is generated by the firewall and
        forwarded according to the configured log forwarding profile. Each
        event represents one completed or terminated network session.
      message:
        $ref: '#/components/messages/TrafficLog'
      bindings:
        http:
          method: POST
  log/threat:
    description: >
      Channel for forwarded threat logs. Threat logs record security events
      detected by the firewall's threat prevention engines, including
      antivirus, anti-spyware, vulnerability protection, DNS security, and
      custom threat signatures. Each entry identifies the threat, its
      severity, the action taken, attack direction, and session context.
      Supported formats: CSV, LEEF, CEF, JSON, PARQUET.
    subscribe:
      operationId: onThreatLog
      summary: Forwarded threat detection log entry
      description: >
        Fired when a threat prevention event is detected and logged by the
        firewall's security profiles, then forwarded according to the
        configured log forwarding profile.
      message:
        $ref: '#/components/messages/ThreatLog'
      bindings:
        http:
          method: POST
  log/url:
    description: >
      Channel for forwarded URL filtering logs. URL filtering logs record web
      access events evaluated by the URL Filtering security profile. Each
      entry includes the requested URL, URL category, action taken, HTTP
      method, content type, and user identity when User-ID is enabled.
      Supported formats: CSV, LEEF, CEF, JSON, PARQUET.
    subscribe:
      operationId: onUrlLog
      summary: Forwarded URL filtering log entry
      description: >
        Fired when a URL filtering policy evaluation is logged and forwarded.
        Captures web browsing activity and policy enforcement decisions for
        security visibility and compliance.
      message:
        $ref: '#/components/messages/UrlLog'
      bindings:
        http:
          method: POST
  log/wildfire:
    description: >
      Channel for forwarded WildFire submission logs. WildFire logs record
      file analysis results from the WildFire cloud-based sandbox analysis
      service. Each entry includes the file name, type, SHA-256 hash, final
      verdict (benign, malware, grayware, phishing), and a link to the
      analysis report. Supported formats: CSV, LEEF, CEF, JSON, PARQUET.
    subscribe:
      operationId: onWildfireLog
      summary: Forwarded WildFire file analysis log entry
      description: >
        Fired when a WildFire file analysis result is received and logged by
        the firewall, then forwarded according to the configured log
        forwarding profile. Provides the malware verdict and analysis details.
      message:
        $ref: '#/components/messages/WildfireLog'
      bindings:
        http:
          method: POST
  log/auth:
    description: >
      Channel for forwarded authentication logs. Authentication logs record
      user authentication events processed by the firewall's Authentication
      Policy, including SAML assertions, Kerberos ticket validations, LDAP
      binds, RADIUS authentications, and MFA challenges. Each entry captures
      the authentication method, result, user identity, and policy context.
      Supported formats: CSV, LEEF, CEF, JSON, PARQUET.
    subscribe:
      operationId: onAuthLog
      summary: Forwarded authentication event log entry
      description: >
        Fired when an authentication policy evaluation is logged and
        forwarded. Provides visibility into user authentication activity for
        identity-based security monitoring and compliance.
      message:
        $ref: '#/components/messages/AuthLog'
      bindings:
        http:
          method: POST

components:
  messages:
    TrafficLog:
      name: TrafficLog
      title: Traffic Log Entry
      summary: >
        A forwarded traffic log entry representing a network session that
        passed through or was blocked by the firewall
      contentType: application/json
      payload:
        $ref: '#/components/schemas/TrafficLogPayload'
      examples:
        - name: AllowedWebTrafficSession
          summary: Allowed HTTPS web-browsing session log
          payload:
            receive_time: '2024-01-15T10:32:01.000Z'
            serial: '012345678901'
            type: TRAFFIC
            subtype: end
            src: 10.0.1.100
            dst: 203.0.113.50
            sport: 54321
            dport: 443
            proto: tcp
            app: ssl
            action: allow
            bytes_sent: 2048
            bytes_received: 15360
            session_id: '123456'
            rule_name: allow-web-outbound
            src_zone: trust
            dst_zone: untrust
            src_user: DOMAIN\jsmith
            device_name: PA-3260-DC1
            vsys: vsys1
            log_forwarding_profile: forward-to-siem
            output_format: JSON
          x-microcks-default: true
    ThreatLog:
      name: ThreatLog
      title: Threat Log Entry
      summary: >
        A forwarded threat detection log entry for a security event caught by
        the firewall's threat prevention profiles
      contentType: application/json
      payload:
        $ref: '#/components/schemas/ThreatLogPayload'
      examples:
        - name: MalwareDownloadBlocked
          summary: Malware download attempt blocked by antivirus profile
          payload:
            receive_time: '2024-01-15T10:45:00.000Z'
            serial: '012345678901'
            type: THREAT
            subtype: virus
            src: 203.0.113.200
            dst: 10.0.1.100
            sport: 80
            dport: 54322
            proto: tcp
            app: web-browsing
            threat_name: Trojan-Downloader/Win.Generic
            severity: high
            action: reset-both
            direction: server-to-client
            threat_id: '52345'
            rule_name: allow-web-outbound
            src_zone: untrust
            dst_zone: trust
            device_name: PA-3260-DC1
            vsys: vsys1
            log_forwarding_profile: forward-to-siem
            output_format: JSON
          x-microcks-default: true
    UrlLog:
      name: UrlLog
      title: URL Filtering Log Entry
      summary: >
        A forwarded URL filtering log entry for a web access event evaluated
        by the URL Filtering security profile
      contentType: application/json
      payload:
        $ref: '#/components/schemas/UrlLogPayload'
      examples:
        - name: MalwareUrlBlocked
          summary: Access to a malware-categorized URL blocked
          payload:
            receive_time: '2024-01-15T10:50:00.000Z'
            serial: '012345678901'
            type: URL
            src: 10.0.1.100
            dst: 198.51.100.1
            sport: 54323
            dport: 80
            app: web-browsing
            url: http://malware-distribution.example.com/payload.exe
            url_category: malware
            action: block
            http_method: GET
            src_user: DOMAIN\jsmith
            rule_name: allow-web-outbound
            device_name: PA-3260-DC1
            vsys: vsys1
            log_forwarding_profile: forward-to-siem
            output_format: JSON
          x-microcks-default: true
    WildfireLog:
      name: WildfireLog
      title: WildFire Log Entry
      summary: >
        A forwarded WildFire file analysis log entry with the malware verdict
        returned by the WildFire cloud sandbox service
      contentType: application/json
      payload:
        $ref: '#/components/schemas/WildfireLogPayload'
      examples:
        - name: MalwareVerdictReceived
          summary: WildFire malware verdict received for submitted PE file
          payload:
            receive_time: '2024-01-15T11:00:00.000Z'
            serial: '012345678901'
            type: WILDFIRE
            src: 10.0.1.100
            dst: 203.0.113.50
            app: web-browsing
            filename: suspicious_invoice.exe
            filetype: PE
            file_hash: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
            file_size: 204800
            verdict: malware
            action: block
            report_url: 'https://wildfire.paloaltonetworks.com/wildfire/reportlist'
            src_user: DOMAIN\jsmith
            rule_name: allow-web-outbound
            device_name: PA-3260-DC1
            vsys: vsys1
            log_forwarding_profile: forward-to-siem
            output_format: JSON
          x-microcks-default: true
    AuthLog:
      name: AuthLog
      title: Authentication Log Entry
      summary: >
        A forwarded authentication event log entry for a user authentication
        processed by the firewall's Authentication Policy
      contentType: application/json
      payload:
        $ref: '#/components/schemas/AuthLogPayload'
      examples:
        - name: SuccessfulSamlAuthentication
          summary: Successful SAML authentication via GlobalProtect
          payload:
            receive_time: '2024-01-15T08:00:00.000Z'
            serial: '012345678901'
            type: AUTH
            subtype: auth-success
            src: 203.0.113.100
            src_user: jsmith@example.com
            auth_method: SAML
            auth_source: Okta-SAML-IdP
            auth_result: success
            rule_name: gp-authentication-policy
            auth_profile: saml-auth-profile
            device_name: PA-3260-DC1
            vsys: vsys1
            log_forwarding_profile: forward-to-siem
            output_format: JSON
          x-microcks-default: true

  schemas:
    TrafficLogPayload:
      type: object
      description: >
        Schema for a forwarded PAN-OS traffic log entry. Traffic logs capture
        session metadata for every network connection processed by the
        firewall, providing comprehensive network visibility for security
        operations, compliance, and analytics.
      properties:
        receive_time:
          type: string
          format: date-time
          description: >
            Timestamp when the log entry was received by Strata Logging
            Service from the generating firewall device.
          example: '2025-06-04T00:03:58Z'
        serial:
          type: string
          description: >
            Serial number of the Palo Alto Networks firewall or Prisma Access
            node that generated this log entry.
          example: 6D8587EBF924
        type:
          type: string
          enum:
            - TRAFFIC
          description: >
            Log type identifier, always TRAFFIC for traffic log entries.
          example: TRAFFIC
        subtype:
          type: string
          enum:
            - start
            - end
            - drop
            - deny
          description: >
            Traffic log subtype indicating which session lifecycle event
            triggered this log entry.
          example: deny
        src:
          type: string
          description: Source IP address of the network session.
          example: example-src
        dst:
          type: string
          description: Destination IP address of the network session.
          example: example-dst
        sport:
          type: integer
          description: Source port number of the network session.
          example: 365
        dport:
          type: integer
          description: Destination port number of the network session.
          example: 268
        proto:
          type: string
          description: >
            IP protocol name or number for the session (e.g., tcp, udp, icmp).
          example: example-proto
        app:
          type: string
          description: >
            Application identified by PAN-OS App-ID, such as ssl,
            web-browsing, dns, or a specific SaaS application name.
          example: ssh
        action:
          type: string
          enum:
            - allow
            - deny
            - drop
            - reset-client
            - reset-server
            - reset-both
          description: >
            Enforcement action applied to the session by the matching
            security policy rule.
          example: reset-server
        bytes_sent:
          type: integer
          description: Total bytes sent from client to server in this session.
          example: 894
        bytes_received:
          type: integer
          description: Total bytes received by the client from the server in this session.
          example: 783
        session_id:
          type: string
          description: >
            Unique session identifier assigned by the firewall for this
            network session.
          example: '799147'
        rule_name:
          type: string
          description: >
            Name of the security policy rule that matched and processed this
            session.
          example: Staging Gateway 98
        src_zone:
          type: string
          description: Source security zone from which the session originated.
          example: internal
        dst_zone:
          type: string
          description: >
            Destination security zone to which the session is destined.
          example: untrust
        src_user:
          type: string
          description: >
            Source user identity associated with the session if User-ID is
            enabled on the ingress zone.
          example: example-src_user
        dst_user:
          type: string
          description: Destination user identity if available.
          example: example-dst_user
        nat_src:
          type: string
          description: Post-NAT source IP address after address translation.
          example: example-nat_src
        nat_dst:
          type: string
          description: Post-NAT destination IP address after address translation.
          example: example-nat_dst
        nat_sport:
          type: integer
          description: Post-NAT source port after port address translation.
          example: 872
        nat_dport:
          type: integer
          description: Post-NAT destination port after port address translation.
          example: 184
        packets_sent:
          type: integer
          description: Total packets sent from the client in this session.
          example: 946
        packets_received:
          type: integer
          description: Total packets received by the client in this session.
          example: 230
        session_duration:
          type: integer
          description: Total session duration in seconds.
          example: 562
        device_name:
          type: string
          description: Hostname of the firewall that generated this log entry.
          example: Primary Sensor 02
        vsys:
          type: string
          description: Virtual system name or identifier on the firewall.
          example: example-vsys
        log_forwarding_profile:
          type: string
          description: >
            Name of the Strata Logging Service log forwarding profile that
            forwarded this log entry.
          example: Network Printer
        output_format:
          type: string
          enum:
            - CSV
            - LEEF
            - CEF
            - JSON
            - PARQUET
          description: >
            Output format in which this log entry was forwarded to the
            destination.
          example: CSV

    ThreatLogPayload:
      type: object
      description: >
        Schema for a forwarded PAN-OS threat log entry. Threat logs capture
        security events detected by the firewall's threat prevention engines,
        providing detailed information about malware, exploits, spyware,
        command-and-control traffic, and other detected threats.
      properties:
        receive_time:
          type: string
          format: date-time
          description: >
            Timestamp when the threat log entry was received by Strata
            Logging Service.
          example: '2024-09-20T23:03:41Z'
        serial:
          type: string
          description: >
            Serial number of the Palo Alto Networks device that generated
            this threat log entry.
          example: EDB034C66B7A
        type:
          type: string
          enum:
            - THREAT
          description: >
            Log type identifier, always THREAT for threat log entries.
          example: THREAT
        subtype:
          type: string
          enum:
            - virus
            - spyware
            - vulnerability
            - url
            - wildfire
            - wildfire-virus
            - data
            - file
            - scan
            - flood
          description: >
            Threat log subtype indicating which threat prevention engine or
            signature category generated the detection event.
          example: virus
        src:
          type: string
          description: Source IP address of the session in which the threat was detected.
          example: example-src
        dst:
          type: string
          description: >
            Destination IP address of the session in which the threat was
            detected.
          example: example-dst
        sport:
          type: integer
          description: Source port number of the session.
          example: 965
        dport:
          type: integer
          description: Destination port number of the session.
          example: 926
        proto:
          type: string
          description: IP protocol of the session.
          example: example-proto
        app:
          type: string
          description: Application identified by App-ID in the threat session.
          example: ssl
        threat_name:
          type: string
          description: >
            Name of the detected threat as defined in the Palo Alto Networks
            threat database and Threat Vault.
          example: Production Sensor 92
        severity:
          type: string
          enum:
            - informational
            - low
            - medium
            - high
            - critical
          description: >
            Severity level of the detected threat as defined by the threat
            signature or detection engine.
          example: low
        action:
          type: string
          enum:
            - alert
            - allow
            - deny
            - drop
            - reset-client
            - reset-server
            - reset-both
            - block-url
            - block-ip
            - sinkhole
          description: >
            Action taken by the threat prevention engine in response to the
            detected threat.
          example: deny
        direction:
          type: string
          enum:
            - client-to-server
            - server-to-client
          description: >
            Direction of the detected attack relative to the network session
            flow.
          example: client-to-server
        threat_id:
          type: string
          description: >
            Unique numeric identifier for the threat signature from the Palo
            Alto Networks Threat Vault. Used for threat intelligence lookup
            and signature reference.
          example: '759526'
        rule_name:
          type: string
          description: >
            Name of the security policy rule that matched the session in
            which the threat was detected.
          example: Production Agent 74
        src_zone:
          type: string
          description: Source security zone of the threat session.
          example: trust
        dst_zone:
          type: string
          description: Destination security zone of the threat session.
          example: dmz
        src_user:
          type: string
          description: Source user identity if User-ID is enabled.
          example: example-src_user
        url_or_filename:
          type: string
          description: >
            URL or filename associated with the detected threat, depending on
            the threat subtype.
          example: Branch Sensor 47
        device_name:
          type: string
          description: Hostname of the firewall that generated this threat log entry.
          example: Production Policy 96
        vsys:
          type: string
          description: Virtual system name or identifier on the firewall.
          example: example-vsys
        log_forwarding_profile:
          type: string
          description: >
            Name of the log forwarding profile that forwarded this log entry.
          example: HVAC Controller
        output_format:
          type: string
          enum:
            - CSV
            - LEEF
            - CEF
            - JSON
            - PARQUET
          description: Output format in which this log entry was forwarded.
          example: CEF

    UrlLogPayload:
      type: object
      description: >
        Schema for a forwarded PAN-OS URL filtering log entry. URL logs
        capture web access events evaluated by the URL Filtering security
        profile, providing visibility into browsing activity, policy
        enforcement, and URL category decisions.
      properties:
        receive_time:
          type: string
          format: date-time
          description: >
            Timestamp when the URL log entry was received by Strata Logging
            Service.
          example: '2026-04-07T12:35:01Z'
        serial:
          type: string
          description: >
            Serial number of the Palo Alto Networks device that generated
            this URL log entry.
          example: 42D35703AC35
        type:
          type: string
          enum:
            - URL
          description: Log type identifier, always URL for URL filtering log entries.
          example: URL
        src:
          type: string
          description: Source IP address of the client making the web request.
          example: example-src
        dst:
          type: string
          description: Destination IP address of the web server being accessed.
          example: example-dst
        sport:
          type: integer
          description: Source port number of the HTTP/HTTPS session.
          example: 844
        dport:
          type: integer
          description: Destination port number of the HTTP/HTTPS session.
          example: 433
        app:
          type: string
          description: >
            Application identified by App-ID for the web session (e.g.,
            web-browsing, ssl, google-base).
          example: dns
        url:
          type: string
          description: >
            The full URL that was requested, including protocol, hostname,
            path, and query parameters if present.
          example: https://mail.acme-systems.org/11ced5
        url_category:
          type: string
          description: >
            URL category classification assigned by the PAN-DB URL filtering
            database (e.g., business-and-economy, malware, social-networking,
            command-and-control).
          example: standard
        action:
          type: string
          enum:
            - allow
            - block
            - continue
            - override
            - alert
          description: >
            Action applied to the URL request by the URL Filtering security
            profile configured on the matching security policy rule.
          example: override
        http_method:
          type: string
          enum:
            - GET
            - POST
            - PUT
            - DELETE
            - HEAD
            - OPTIONS
            - PATCH
            - CONNECT
          description: HTTP method of the web request.
          example: PATCH
        content_type:
          type: string
          description: MIME content type of the HTTP response.
          example: advanced
        src_user:
          type: string
          description: >
            Source user identity associated with the web request if User-ID
            is enabled.
          example: example-src_user
        rule_name:
          type: string
          description: >
            Name of the security policy rule that matched the session
            containing this URL request.
          example: Staging Sensor 11
        device_name:
          type: string
          description: Hostname of the firewall that generated this URL log entry.
          example: Staging Sensor 78
        vsys:
          type: string
          description: Virtual system name or identifier on the firewall.
          example: example-vsys
        log_forwarding_profile:
          type: string
          description: >
            Name of the log forwarding profile that forwarded this log entry.
          example: HVAC Controller
        output_format:
          type: string
          enum:
            - CSV
            - LEEF
            - CEF
            - JSON
            - PARQUET
          description: Output format in which this log entry was forwarded.
          example: CSV

    WildfireLogPayload:
      type: object
      description: >
        Schema for a forwarded PAN-OS WildFire submission log entry. WildFire
        logs record the results of file analysis by the WildFire cloud-based
        sandbox malware analysis service, providing verdicts and analysis
        report links for detected threats.
      properties:
        receive_time:
          type: string
          format: date-time
          description: >
            Timestamp when the WildFire log entry was received by Strata
            Logging Service.
          example: '2024-05-07T23:30:25Z'
        serial:
          type: string
          description: >
            Serial number of the Palo Alto Networks device that submitted the
            file to WildFire and generated this log entry.
          example: 1F61A06C3D82
        type:
          type: string
          enum:
            - WILDFIRE
          description: >
            Log type identifier, always WILDFIRE for WildFire log entries.
          example: WILDFIRE
        src:
          type: string
          description: Source IP address of the session from which the file was captured.
          example: example-src
        dst:
          type: string
          description: >
            Destination IP address of the session from which the file was
            captured.
          example: example-dst
        app:
          type: string
          description: >
            Application identified by App-ID in the session from which the
            file was captured.
          example: web-browsing
        filename:
          type: string
          description: Name of the file that was submitted to WildFire for analysis.
          example: Primary Policy 30
        filetype:
          type: string
          description: >
            File type of the submitted file (e.g., PE, PDF, APK, Adobe Flash,
            Microsoft Office, script, Java Applet).
          example: custom
        file_hash:
          type: string
          description: >
            SHA-256 cryptographic hash of the submitted file, used as the
            unique file identifier in the WildFire cloud database.
          example: example-file_hash
        file_size:
          type: integer
          description: Size of the submitted file in bytes.
          example: 360
        verdict:
          type: string
          enum:
            - benign
            - malware
            - grayware
            - phishing
            - pending
          description: >
            WildFire analysis verdict for the submitted file indicating
            whether it is benign, malicious malware, potentially unwanted
            grayware, a phishing document, or pending analysis completion.
          example: grayware
        action:
          type: string
          enum:
            - allow
            - block
          description: >
            Action applied to the file by the WildFire security profile based
            on the analysis verdict.
          example: block
        report_url:
          type: string
          format: uri
          description: >
            URL to the full WildFire analysis report in the Palo Alto Networks
            WildFire portal, providing detailed behavioral analysis results.
          example: https://mail.example.com/7c4906
        src_user:
          type: string
          description: Source user identity if User-ID is enabled.
          example: example-src_user
        rule_name:
          type: string
          description: >
            Name of the security policy rule under which the file was
            captured and submitted to WildFire.
          example: Primary Agent 35
        device_name:
          type: string
          description: >
            Hostname of the firewall that captured the file and generated
            this WildFire log entry.
          example: Branch Sensor 48
        vsys:
          type: string
          description: Virtual system name or identifier on the firewall.
          example: example-vsys
        log_forwarding_profile:
          type: string
          description: >
            Name of the log forwarding profile that forwarded this log entry.
          example: HVAC Controller
        output_format:
          type: string
          enum:
            - CSV
            - LEEF
            - CEF
            - JSON
            - PARQUET
          description: Output format in which this log entry was forwarded.
          example: CEF

    AuthLogPayload:
      type: object
      description: >
        Schema for a forwarded PAN-OS authentication log entry. Authentication
        logs capture user authentication events processed by the firewall's
        Authentication Policy, providing identity-based visibility for
        security monitoring, compliance, and zero-trust enforcement.
      properties:
        receive_time:
          type: string
          format: date-time
          description: >
            Timestamp when the authentication log entry was received by
            Strata Logging Service.
          example: '2026-03-09T23:01:25Z'
        serial:
          type: string
          description: >
            Serial number of the Palo Alto Networks device that generated
            this authentication log entry.
          example: 8BDA37E5A54A
        type:
          type: string
          enum:
            - AUTH
          description: >
            Log type identifier, always AUTH for authentication log entries.
          example: AUTH
        subtype:
          type: string
          enum:
            - auth-success
            - auth-fail
            - auth-challenge
            - auth-timeout
          description: >
            Authentication log subtype indicating the outcome of the
            authentication event.
          example: auth-challenge
        src:
          type: string
          description: Source IP address of the authenticating client.
          example: example-src
        src_user:
          type: string
          description: >
            Username or user principal name presented during authentication.
          example: example-src_user
        auth_method:
          type: string
          enum:
            - SAML
            - Kerberos
            - LDAP
            - RADIUS
            - TACACS+
            - local-database
            - client-certificate
            - MFA
          description: >
            Authentication protocol or method used to authenticate the user.
          example: Kerberos
        auth_source:
          type: string
          description: >
            The name of the authentication source, server profile, or
            identity provider (e.g., Okta-SAML, corp-ldap, radius-server).
          example: example-auth_source
        auth_result:
          type: string
          enum:
            - success
            - failure
            - challenge
            - timeout
          description: >
            The result of the authentication attempt indicating whether it
            succeeded, failed, required an additional challenge, or timed out.
          example: failure
        mfa_vendor:
          type: string
          description: >
            Multi-factor authentication vendor name if MFA was triggered
            during authentication (e.g., Duo, Okta, PingID, RSA SecurID).
          example: Palo Alto Networks
        mfa_result:
          type: string
          enum:
            - success
            - failure
            - timeout
            - bypass
          description: >
            Result of the MFA challenge if multi-factor authentication was
            triggered as part of the authentication flow.
          example: success
        rule_name:
          type: string
          description: >
            Name of the Authentication Policy rule that triggered the
            authentication challenge for this session.
          example: Staging Sensor 05
        auth_profile:
          type: string
          description: >
            Name of the authentication profile configured on the firewall
            that was used to process this authentication event.
          example: IP Camera
        device_name:
          type: string
          description: >
            Hostname of the firewall that generated this authentication log
            entry.
          example: Staging Policy 77
        vsys:
          type: string
          description: Virtual system name or identifier on the firewall.
          example: example-vsys
        log_forwarding_profile:
          type: string
          description: >
            Name of the log forwarding profile that forwarded this log entry.
          example: HVAC Controller
        output_format:
          type: string
          enum:
            - CSV
            - LEEF
            - CEF
            - JSON
            - PARQUET
          description: Output format in which this log entry was forwarded.
          example: CEF

  securitySchemes:
    tlsMutualAuth:
      type: X509
      description: >
        TLS mutual authentication for encrypted syslog forwarding. The Strata
        Logging Service presents a client certificate and validates the
        syslog server's certificate against the configured CA certificate.
        Upload the syslog server CA certificate in the log forwarding profile
        configuration to enable mutual TLS authentication.
    httpsApiKey:
      type: httpApiKey
      description: >
        API key or custom header authentication for HTTPS log forwarding
        endpoints. Configure authentication headers in the Strata Logging
        Service HTTPS log forwarding profile settings. Supports custom header
        names and Bearer token authentication for SIEM and data lake
        endpoints.
      name: Authorization
      in: header
```
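The following is an added example and not part of the Strata Logging Service specification above: a receiver-side normaliser that checks a forwarded JSON record against the enum constraints the payload schemas declare, then renders it as a CEF line with the escaping CEF requires, so a SIEM can accept the JSON feed and the CEF feed interchangeably. The vendor/product strings in the CEF header, the JSON-to-CEF extension key mapping and the severity number mapping are assumptions, not values from the spec; the sample record is the ThreatLog example from this page.

```python
"""Validate forwarded Strata log records against the schema enums and emit CEF."""
import re

# Enum constraints copied from the payload schemas on this page (subset per log type).
ENUMS = {
    "TRAFFIC": {"subtype": {"start", "end", "drop", "deny"},
                "action": {"allow", "deny", "drop", "reset-client", "reset-server", "reset-both"}},
    "THREAT": {"severity": {"informational", "low", "medium", "high", "critical"},
               "direction": {"client-to-server", "server-to-client"}},
    "URL": {"action": {"allow", "block", "continue", "override", "alert"}},
    "WILDFIRE": {"verdict": {"benign", "malware", "grayware", "phishing", "pending"},
                 "action": {"allow", "block"}},
    "AUTH": {"auth_result": {"success", "failure", "challenge", "timeout"}},
}
# Fields every record must carry before we trust it enough to index (assumed minimum).
REQUIRED = ("receive_time", "serial", "type", "device_name")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def validate(record):
    """Return a list of problems; an empty list means the record passes."""
    problems = [f"missing {k}" for k in REQUIRED if k not in record]
    log_type = record.get("type")
    if log_type not in ENUMS:
        return problems + [f"unknown type {log_type!r}"]
    for field, allowed in ENUMS[log_type].items():
        if field in record and record[field] not in allowed:
            problems.append(f"{field}={record[field]!r} not in {sorted(allowed)}")
    # The schema declares file_hash as SHA-256; anything else cannot be looked up in WildFire.
    if log_type == "WILDFIRE" and not SHA256_RE.match(str(record.get("file_hash", ""))):
        problems.append("file_hash is not a SHA-256 hex digest")
    return problems


# CEF escaping rules: header fields escape backslash and pipe; extension values
# escape backslash, equals sign and newline. Skipping this lets a crafted
# username or URL in a log record break field boundaries in the SIEM parser.
def _esc_header(value):
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    return str(value).replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")


CEF_SEVERITY = {"informational": 1, "low": 3, "medium": 5, "high": 8, "critical": 10}
# JSON field -> CEF extension key (assumed mapping; adjust to your SIEM's dictionary).
EXT_KEYS = [("receive_time", "rt"), ("src", "src"), ("dst", "dst"), ("sport", "spt"),
            ("dport", "dpt"), ("proto", "proto"), ("app", "app"), ("action", "act"),
            ("src_user", "suser"), ("rule_name", "cs1"), ("url", "request"),
            ("file_hash", "fileHash"), ("verdict", "cs2"), ("device_name", "dvchost")]


def to_cef(record):
    """Render one forwarded record as a CEF:0 line; raise ValueError if it fails validation."""
    problems = validate(record)
    if problems:
        raise ValueError("; ".join(problems))
    sig_id = record.get("threat_id", record["type"])
    name = record.get("threat_name") or f"{record['type']} {record.get('subtype', '')}".strip()
    severity = CEF_SEVERITY.get(record.get("severity"), 3)
    header = "|".join(_esc_header(v) for v in
                      ("Palo Alto Networks", "PAN-OS", "1.0", sig_id, name, severity))
    ext = " ".join(f"{cef}={_esc_ext(record[k])}" for k, cef in EXT_KEYS if k in record)
    return f"CEF:0|{header}|{ext}"


# Constructed sample record, copied from the ThreatLog message example on this page.
THREAT_EXAMPLE = {
    "receive_time": "2024-01-15T10:45:00.000Z", "serial": "012345678901", "type": "THREAT",
    "subtype": "virus", "src": "203.0.113.200", "dst": "10.0.1.100", "sport": 80, "dport": 54322,
    "proto": "tcp", "app": "web-browsing", "threat_name": "Trojan-Downloader/Win.Generic",
    "severity": "high", "action": "reset-both", "direction": "server-to-client",
    "threat_id": "52345", "rule_name": "allow-web-outbound", "device_name": "PA-3260-DC1",
}

if __name__ == "__main__":
    print(to_cef(THREAT_EXAMPLE))
```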