{
  "$schema": "https://json-structure.org/meta/core/v0/#",
  "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/strata-logging-forwarding-url-log-payload-structure.json",
  "name": "UrlLogPayload",
  "description": "Schema for a forwarded PAN-OS URL filtering log entry. URL logs capture web access events evaluated by the URL Filtering security profile, providing visibility into browsing activity, policy enforcement, and URL category decisions.\n",
  "type": "object",
  "properties": {
    "receive_time": {
      "type": "datetime",
      "description": "Timestamp when the URL log entry was received by Strata Logging Service.\n"
    },
    "serial": {
      "type": "string",
      "description": "Serial number of the Palo Alto Networks device that generated this URL log entry.\n"
    },
    "type": {
      "type": "string",
      "description": "Log type identifier, always URL for URL filtering log entries.",
      "enum": [
        "URL"
      ]
    },
    "src": {
      "type": "string",
      "description": "Source IP address of the client making the web request."
    },
    "dst": {
      "type": "string",
      "description": "Destination IP address of the web server being accessed."
    },
    "sport": {
      "type": "int32",
      "description": "Source port number of the HTTP/HTTPS session."
    },
    "dport": {
      "type": "int32",
      "description": "Destination port number of the HTTP/HTTPS session."
    },
    "app": {
      "type": "string",
      "description": "Application identified by App-ID for the web session (e.g., web-browsing, ssl, google-base).\n"
    },
    "url": {
      "type": "string",
      "description": "The full URL that was requested, including protocol, hostname, path, and query parameters if present.\n"
    },
    "url_category": {
      "type": "string",
      "description": "URL category classification assigned by PAN-DB URL filtering database (e.g., business-and-economy, malware, social-networking, command-and-control).\n"
    },
    "action": {
      "type": "string",
      "description": "Action applied to the URL request by the URL Filtering security profile configured on the matching security policy rule.\n",
      "enum": [
        "allow",
        "block",
        "continue",
        "override",
        "alert"
      ]
    },
    "http_method": {
      "type": "string",
      "description": "HTTP method of the web request.",
      "enum": [
        "GET",
        "POST",
        "PUT",
        "DELETE",
        "HEAD",
        "OPTIONS",
        "PATCH",
        "CONNECT"
      ]
    },
    "content_type": {
      "type": "string",
      "description": "MIME content type of the HTTP response."
    },
    "src_user": {
      "type": "string",
      "description": "Source user identity associated with the web request if User-ID is enabled.\n"
    },
    "rule_name": {
      "type": "string",
      "description": "Name of the security policy rule that matched the session containing this URL request.\n"
    },
    "device_name": {
      "type": "string",
      "description": "Hostname of the firewall that generated this URL log entry."
    },
    "vsys": {
      "type": "string",
      "description": "Virtual system name or identifier on the firewall."
    },
    "log_forwarding_profile": {
      "type": "string",
      "description": "Name of the log forwarding profile that forwarded this log entry.\n"
    },
    "output_format": {
      "type": "string",
      "description": "Output format in which this log entry was forwarded.",
      "enum": [
        "CSV",
        "LEEF",
        "CEF",
        "JSON",
        "PARQUET"
      ]
    }
  }
}