Palo Alto Networks · Schema
AuthLogPayload
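Schema for a forwarded PAN-OS authentication log entry. Authentication logs capture user authentication events processed by the firewall's Authentication Policy, providing identity-based visibility for security monitoring, compliance, and zero-trust enforcement. The JSON Schema below declares no `required` properties and does not set `additionalProperties`, so a consumer validating against it should not assume that any given field is present or that no other fields appear.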
Tags: Cloud Security, Cybersecurity, Firewall, Network Security, SASE, SOAR, Threat Intelligence, XDR
Properties
| Name | Type | Description |
|---|---|---|
| receive_time | string | Timestamp (`date-time` format) when the authentication log entry was received by Strata Logging Service. |
| serial | string | Serial number of the Palo Alto Networks device that generated this authentication log entry. |
| type | string | Log type identifier, always AUTH for authentication log entries. |
| subtype | string | Authentication log subtype indicating the outcome of the authentication event. One of `auth-success`, `auth-fail`, `auth-challenge`, `auth-timeout`. |
| src | string | Source IP address of the authenticating client. |
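| src_user | string | Username or user principal name presented during authentication. Because this is the value the client presented, downstream parsers, queries and dashboards should handle it as untrusted text. |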
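| auth_method | string | Authentication protocol or method used to authenticate the user. One of `SAML`, `Kerberos`, `LDAP`, `RADIUS`, `TACACS+`, `local-database`, `client-certificate`, `MFA`. |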
| auth_source | string | The name of the authentication source, server profile, or identity provider (e.g., Okta-SAML, corp-ldap, radius-server). |
| auth_result | string | The result of the authentication attempt indicating whether it succeeded, failed, required an additional challenge, or timed out. One of `success`, `failure`, `challenge`, `timeout`. |
| mfa_vendor | string | Multi-factor authentication vendor name if MFA was triggered during authentication (e.g., Duo, Okta, PingID, RSA SecurID). |
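| mfa_result | string | Result of the MFA challenge if multi-factor authentication was triggered as part of the authentication flow. One of `success`, `failure`, `timeout`, `bypass`. `bypass` is a separate value from `success` and `failure`, so monitoring that filters only on `failure` will not surface it. |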
| rule_name | string | Name of the Authentication Policy rule that triggered the authentication challenge for this session. |
| auth_profile | string | Name of the authentication profile configured on the firewall that was used to process this authentication event. |
| device_name | string | Hostname of the firewall that generated this authentication log entry. |
| vsys | string | Virtual system name or identifier on the firewall. |
| log_forwarding_profile | string | Name of the log forwarding profile that forwarded this log entry. |
| output_format | string | Output format in which this log entry was forwarded. One of `CSV`, `LEEF`, `CEF`, `JSON`, `PARQUET`. |
JSON Schema
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "AuthLogPayload",
"description": "Schema for a forwarded PAN-OS authentication log entry. Authentication logs capture user authentication events processed by the firewall's Authentication Policy, providing identity-based visibility for security monitoring, compliance, and zero-trust enforcement.\n",
"$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-schema/strata-logging-forwarding-auth-log-payload-schema.json",
"type": "object",
"properties": {
"receive_time": {
"type": "string",
"format": "date-time",
"description": "Timestamp when the authentication log entry was received by Strata Logging Service.\n"
},
"serial": {
"type": "string",
"description": "Serial number of the Palo Alto Networks device that generated this authentication log entry.\n"
},
"type": {
"type": "string",
"enum": [
"AUTH"
],
"description": "Log type identifier, always AUTH for authentication log entries.\n"
},
"subtype": {
"type": "string",
"enum": [
"auth-success",
"auth-fail",
"auth-challenge",
"auth-timeout"
],
"description": "Authentication log subtype indicating the outcome of the authentication event.\n"
},
"src": {
"type": "string",
"description": "Source IP address of the authenticating client."
},
"src_user": {
"type": "string",
"description": "Username or user principal name presented during authentication.\n"
},
"auth_method": {
"type": "string",
"enum": [
"SAML",
"Kerberos",
"LDAP",
"RADIUS",
"TACACS+",
"local-database",
"client-certificate",
"MFA"
],
"description": "Authentication protocol or method used to authenticate the user.\n"
},
"auth_source": {
"type": "string",
"description": "The name of the authentication source, server profile, or identity provider (e.g., Okta-SAML, corp-ldap, radius-server).\n"
},
"auth_result": {
"type": "string",
"enum": [
"success",
"failure",
"challenge",
"timeout"
],
"description": "The result of the authentication attempt indicating whether it succeeded, failed, required an additional challenge, or timed out.\n"
},
"mfa_vendor": {
"type": "string",
"description": "Multi-factor authentication vendor name if MFA was triggered during authentication (e.g., Duo, Okta, PingID, RSA SecurID).\n"
},
"mfa_result": {
"type": "string",
"enum": [
"success",
"failure",
"timeout",
"bypass"
],
"description": "Result of the MFA challenge if multi-factor authentication was triggered as part of the authentication flow.\n"
},
"rule_name": {
"type": "string",
"description": "Name of the Authentication Policy rule that triggered the authentication challenge for this session.\n"
},
"auth_profile": {
"type": "string",
"description": "Name of the authentication profile configured on the firewall that was used to process this authentication event.\n"
},
"device_name": {
"type": "string",
"description": "Hostname of the firewall that generated this authentication log entry.\n"
},
"vsys": {
"type": "string",
"description": "Virtual system name or identifier on the firewall."
},
"log_forwarding_profile": {
"type": "string",
"description": "Name of the log forwarding profile that forwarded this log entry.\n"
},
"output_format": {
"type": "string",
"enum": [
"CSV",
"LEEF",
"CEF",
"JSON",
"PARQUET"
],
"description": "Output format in which this log entry was forwarded."
}
}
}