{ "$schema": "https://json-schema.org/draft/2020-12/schema", "title": "TrafficLogPayload", "description": "Schema for a forwarded PAN-OS traffic log entry. Traffic logs capture session metadata for every network connection processed by the firewall, providing comprehensive network visibility for security operations, compliance, and analytics.\n", "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/strata-logging-forwarding-traffic-log-payload-schema.json", "type": "object", "properties": { "receive_time": { "type": "string", "format": "date-time", "description": "Timestamp when the log entry was received by Strata Logging Service from the generating firewall device.\n" }, "serial": { "type": "string", "description": "Serial number of the Palo Alto Networks firewall or Prisma Access node that generated this log entry.\n" }, "type": { "type": "string", "enum": [ "TRAFFIC" ], "description": "Log type identifier, always TRAFFIC for traffic log entries.\n" }, "subtype": { "type": "string", "enum": [ "start", "end", "drop", "deny" ], "description": "Traffic log subtype indicating what session lifecycle event triggered this log entry.\n" }, "src": { "type": "string", "description": "Source IP address of the network session." }, "dst": { "type": "string", "description": "Destination IP address of the network session." }, "sport": { "type": "integer", "description": "Source port number of the network session." }, "dport": { "type": "integer", "description": "Destination port number of the network session." 
}, "proto": { "type": "string", "description": "IP protocol name or number for the session (e.g., tcp, udp, icmp).\n" }, "app": { "type": "string", "description": "Application identified by PAN-OS App-ID, such as ssl, web-browsing, dns, or a specific SaaS application name.\n" }, "action": { "type": "string", "enum": [ "allow", "deny", "drop", "reset-client", "reset-server", "reset-both" ], "description": "Enforcement action applied to the session by the matching security policy rule.\n" }, "bytes_sent": { "type": "integer", "description": "Total bytes sent from client to server in this session." }, "bytes_received": { "type": "integer", "description": "Total bytes received by client from server in this session." }, "session_id": { "type": "string", "description": "Unique session identifier assigned by the firewall for this network session.\n" }, "rule_name": { "type": "string", "description": "Name of the security policy rule that matched and processed this session.\n" }, "src_zone": { "type": "string", "description": "Source security zone from which the session originated." }, "dst_zone": { "type": "string", "description": "Destination security zone to which the session is destined.\n" }, "src_user": { "type": "string", "description": "Source user identity associated with the session if User-ID is enabled on the ingress zone.\n" }, "dst_user": { "type": "string", "description": "Destination user identity, if available." }, "nat_src": { "type": "string", "description": "Source IP address after address translation (post-NAT)." }, "nat_dst": { "type": "string", "description": "Destination IP address after address translation (post-NAT)." }, "nat_sport": { "type": "integer", "description": "Source port after port address translation (post-NAT)." }, "nat_dport": { "type": "integer", "description": "Destination port after port address translation (post-NAT)." }, "packets_sent": { "type": "integer", "description": "Total packets sent from client to server in this session." 
}, "packets_received": { "type": "integer", "description": "Total packets received by client from server in this session." }, "session_duration": { "type": "integer", "description": "Total session duration in seconds." }, "device_name": { "type": "string", "description": "Hostname of the firewall that generated this log entry." }, "vsys": { "type": "string", "description": "Virtual system name or identifier on the firewall." }, "log_forwarding_profile": { "type": "string", "description": "Name of the Strata Logging Service log forwarding profile that forwarded this log entry.\n" }, "output_format": { "type": "string", "enum": [ "CSV", "LEEF", "CEF", "JSON", "PARQUET" ], "description": "Output format in which this log entry was forwarded to the destination.\n" } } }