Palo Alto Networks Traffic Log
Records all network traffic sessions passing through the firewall with application identification, user mapping, and security policy actions
Quick Facts
| Fact | Value |
|---|---|
| Default Path (Linux) | Syslog receiver (e.g., /var/log/paloalto/traffic.log) |
| Default Path (Docker) | /var/log/pan/traffic.log |
| Default Format | CSV (Comma-Separated Values) |
| JSON Native | No |
| Rotation | Configurable via syslog server or Panorama retention policies |
Log Example
Default format: CSV Format (Syslog)
Example Log Entry
```log
1,2026/01/02 10:15:32,007654321012,TRAFFIC,end,2560,2026/01/02 10:15:32,192.168.1.100,203.0.113.50,0.0.0.0,0.0.0.0,Allow-Outbound,domain\jsmith,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-to-Panorama,2026/01/02 10:15:32,12345,1,54321,443,0,0,0x400000,tcp,allow,1523,800,723,15,2026/01/02 10:15:00,0,any,0,123456789,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,8,7,aged-out,0,0,0,0,,PA-3260,from-policy,,,0,,0,,N/A,0,0,0,0,1a2b3c4d-5e6f-7890-abcd-ef1234567890,0,0,,,,,,,
```
Structure: Comma-separated values with 70+ fields depending on PAN-OS version
Paths by Platform
Syslog Server: /var/log/paloalto/traffic.log
Available Formats
CSV Format (Syslog) (Default)
Example: the log entry shown under Log Example above.
Structure: Comma-separated values with 70+ fields depending on PAN-OS version
CEF Format
Example:
```
CEF:0|Palo Alto Networks|PAN-OS|11.0.0|TRAFFIC|end|3|src=192.168.1.100 dst=203.0.113.50 spt=54321 dpt=443 proto=tcp act=allow app=web-browsing cs1=Allow-Outbound cs1Label=Rule
```
Structure: Common Event Format for SIEM integration
LEEF Format (IBM QRadar)
Example:
```
LEEF:1.0|Palo Alto Networks|PAN-OS|11.0.0|TRAFFIC|src=192.168.1.100 dst=203.0.113.50 srcPort=54321 dstPort=443 proto=tcp action=allow app=web-browsing
```
Structure: Log Event Extended Format for IBM QRadar
Fields Reference
| Field | Type | Description | Example |
|---|---|---|---|
| receive_time | datetime | Time the log was received at the management plane | 2026/01/02 10:15:32 |
| serial | string | Serial number of the firewall | 007654321012 |
| type | string | Log type (always TRAFFIC for traffic logs) | TRAFFIC |
| subtype | string | Traffic log subtype | end |
| time_generated | datetime | Time the log was generated on the dataplane | 2026/01/02 10:15:32 |
| src | ip | Source IP address | 192.168.1.100 |
| dst | ip | Destination IP address | 203.0.113.50 |
| natsrc | ip | Post-NAT source IP address | 198.51.100.10 |
| natdst | ip | Post-NAT destination IP address | 203.0.113.50 |
| rule | string | Security policy rule name that matched | Allow-Outbound |
| srcuser | string | Source user (from User-ID) | domain\jsmith |
| dstuser | string | Destination user | |
| app | string | Application identified by App-ID | web-browsing |
| vsys | string | Virtual system name | vsys1 |
| from | string | Source security zone | trust |
| to | string | Destination security zone | untrust |
| inbound_if | string | Inbound interface | ethernet1/2 |
| outbound_if | string | Outbound interface | ethernet1/1 |
| sessionid | integer | Unique session identifier | 12345 |
| sport | integer | Source port | 54321 |
| dport | integer | Destination port | 443 |
| natsport | integer | Post-NAT source port | 54321 |
| natdport | integer | Post-NAT destination port | 443 |
| proto | string | IP protocol | tcp |
| action | string | Action taken on the session | allow |
| bytes | integer | Total bytes transferred (sent + received) | 1523 |
| bytes_sent | integer | Bytes sent from client to server | 800 |
| bytes_received | integer | Bytes received from server to client | 723 |
| packets | integer | Total packets in the session | 15 |
| start | datetime | Session start time | 2026/01/02 10:15:00 |
| elapsed | integer (seconds) | Session duration in seconds | 32 |
| category | string | URL category (if URL filtering enabled) | business-and-economy |
| session_end_reason | string | Reason for session termination | aged-out |
| device_name | string | Firewall hostname | PA-3260 |
| action_source | string | Source of the action (from-policy, from-application) | from-policy |
Parsing Patterns
Grok Patterns
csv:
```
# PAN-OS timestamps use slashes (2026/01/02 10:15:32), which the stock
# %{TIMESTAMP_ISO8601} pattern (hyphenated dates) does not match, so define a custom pattern first
PANOS_TIMESTAMP %{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME}

%{INT:future_use1},%{PANOS_TIMESTAMP:receive_time},%{DATA:serial},%{WORD:type},%{WORD:subtype},%{INT:future_use2},%{PANOS_TIMESTAMP:time_generated},%{IP:src},%{IP:dst},%{IP:natsrc},%{IP:natdst},%{DATA:rule},%{DATA:srcuser},%{DATA:dstuser},%{DATA:app},%{DATA:vsys},%{DATA:from},%{DATA:to},%{DATA:inbound_if},%{DATA:outbound_if},%{DATA:log_action},%{PANOS_TIMESTAMP:time_logged},%{INT:sessionid},%{INT:repeat},%{INT:sport},%{INT:dport},%{INT:natsport},%{INT:natdport},%{DATA:flags},%{WORD:proto},%{WORD:action},%{INT:bytes},%{INT:bytes_sent},%{INT:bytes_received},%{INT:packets},%{PANOS_TIMESTAMP:start},%{INT:elapsed},%{DATA:category}
```
Regular Expressions
csv:
```
^(?P<future_use1>\d+),(?P<receive_time>[^,]+),(?P<serial>[^,]+),(?P<type>TRAFFIC),(?P<subtype>[^,]+),(?P<future_use2>\d+),(?P<time_generated>[^,]+),(?P<src>[^,]+),(?P<dst>[^,]+),(?P<natsrc>[^,]+),(?P<natdst>[^,]+),(?P<rule>[^,]*),(?P<srcuser>[^,]*),(?P<dstuser>[^,]*),(?P<app>[^,]+),(?P<vsys>[^,]+),(?P<from>[^,]+),(?P<to>[^,]+),(?P<inbound_if>[^,]+),(?P<outbound_if>[^,]+),(?P<log_action>[^,]*),(?P<time_logged>[^,]+),(?P<sessionid>\d+),(?P<repeat>\d+),(?P<sport>\d+),(?P<dport>\d+),(?P<natsport>\d+),(?P<natdport>\d+),(?P<flags>[^,]*),(?P<proto>[^,]+),(?P<action>[^,]+),(?P<bytes>\d+),(?P<bytes_sent>\d+),(?P<bytes_received>\d+),(?P<packets>\d+),(?P<start>[^,]+),(?P<elapsed>\d+),(?P<category>[^,]*)
```
Collector Configurations
Splunk
```ini
# Splunk TA for Palo Alto Networks
[pan:traffic]
TIME_FORMAT = %Y/%m/%d %H:%M:%S
TIME_PREFIX = ^[^,]*,
MAX_TIMESTAMP_LOOKAHEAD = 44
SHOULD_LINEMERGE = false
TRUNCATE = 8192
pulldown_type = true

# props.conf for syslog input
[source::udp:514]
TRANSFORMS-pan = pan_traffic
sourcetype = pan:traffic
```
Configuration
Enable Logging
Enable traffic logging in security policy rules:
```
# CLI commands to enable traffic logging
configure
set rulebase security rules <rule-name> log-start yes
set rulebase security rules <rule-name> log-end yes
set rulebase security rules <rule-name> log-setting <log-forwarding-profile>
commit
```
Log-end is recommended for most use cases to reduce log volume.
Log To Syslog
Configure syslog forwarding:
```
# Configure syslog server profile
set shared log-settings syslog <profile-name> server <server-name> server <ip-address>
set shared log-settings syslog <profile-name> server <server-name> transport UDP
set shared log-settings syslog <profile-name> server <server-name> port 514
set shared log-settings syslog <profile-name> server <server-name> format BSD

# Create log forwarding profile
set shared log-settings profiles <profile-name> match-list <match-name> log-type traffic
set shared log-settings profiles <profile-name> match-list <match-name> send-syslog <syslog-profile>

# Apply to security rules
set rulebase security rules <rule-name> log-setting <profile-name>
```
Use Cases
Application visibility
Identify applications traversing the network
Fields: app, bytes, packets
Query: GROUP BY app | STATS sum(bytes), count()
Bandwidth consumption
Track top bandwidth consumers by source IP or application
Fields: src, app, bytes
Query: GROUP BY src, app | STATS sum(bytes) | SORT bytes DESC
Session monitoring
Monitor active and completed sessions
Fields: sessionid, subtype, elapsed, session_end_reason
Policy rule usage
Analyze which security rules are being triggered
Fields: rule, action
Query: GROUP BY rule | STATS count() | SORT count DESC
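As an added example (not from this page or from Palo Alto Networks), the Python below maps a CSV TRAFFIC record onto the Fields Reference names in the positional order used by the grok and regex patterns above, then runs the Application visibility and Policy rule usage aggregations over a constructed sample set. The three non-page sample records, and the choice of which fields to cast to integers, are assumptions.

```python
import csv
from collections import Counter
from io import StringIO

# Field order for the first 38 positions of a PAN-OS TRAFFIC record, in the same
# order as the grok/regex patterns above (later positions vary by PAN-OS version).
TRAFFIC_FIELDS = [
    "future_use1", "receive_time", "serial", "type", "subtype", "future_use2",
    "time_generated", "src", "dst", "natsrc", "natdst", "rule", "srcuser",
    "dstuser", "app", "vsys", "from", "to", "inbound_if", "outbound_if",
    "log_action", "time_logged", "sessionid", "repeat", "sport", "dport",
    "natsport", "natdport", "flags", "proto", "action", "bytes", "bytes_sent",
    "bytes_received", "packets", "start", "elapsed", "category",
]
INT_FIELDS = {"sessionid", "sport", "dport", "bytes", "bytes_sent",
              "bytes_received", "packets", "elapsed"}

def parse_traffic_line(line):
    """Map one CSV TRAFFIC record onto the field reference names.
    csv.reader honours the double-quoting PAN-OS applies to values containing a
    comma, which the [^,]+ regex above cannot; non-TRAFFIC/short lines give None."""
    values = next(csv.reader(StringIO(line.strip())))
    if len(values) < len(TRAFFIC_FIELDS) or values[3] != "TRAFFIC":
        return None
    rec = dict(zip(TRAFFIC_FIELDS, values))
    for name in INT_FIELDS:  # numeric fields as ints so they can be summed
        rec[name] = int(rec[name])
    return rec

def bytes_by_app(records):
    """Use case 'GROUP BY app | STATS sum(bytes)', highest consumer first."""
    totals = Counter()
    for r in records:
        totals[r["app"]] += r["bytes"]
    return totals.most_common()

def rule_usage(records):
    """Use case 'GROUP BY rule | STATS count() | SORT count DESC'."""
    return Counter(r["rule"] for r in records).most_common()

# Constructed sample: the page's example plus three made-up records, truncated
# after the category field (position 38); the last one is a non-TRAFFIC line.
SAMPLE_LINES = [
    r"1,2026/01/02 10:15:32,007654321012,TRAFFIC,end,2560,2026/01/02 10:15:32,192.168.1.100,203.0.113.50,0.0.0.0,0.0.0.0,Allow-Outbound,domain\jsmith,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-to-Panorama,2026/01/02 10:15:32,12345,1,54321,443,0,0,0x400000,tcp,allow,1523,800,723,15,2026/01/02 10:15:00,0,any,0,123456789,0x8000000000000000,192.168.0.0-192.168.255.255,United States,0,8,7,aged-out,0,0,0,0,,PA-3260,from-policy,,,0,,0,,N/A,0,0,0,0,1a2b3c4d-5e6f-7890-abcd-ef1234567890,0,0,,,,,,,",
    r"1,2026/01/02 10:16:01,007654321012,TRAFFIC,end,2560,2026/01/02 10:16:01,192.168.1.101,203.0.113.80,0.0.0.0,0.0.0.0,Allow-Outbound,domain\akumar,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-to-Panorama,2026/01/02 10:16:01,12346,1,50012,443,0,0,0x400000,tcp,allow,40960,1200,39760,60,2026/01/02 10:15:40,21,any",
    r"1,2026/01/02 10:16:05,007654321012,TRAFFIC,drop,2560,2026/01/02 10:16:05,192.168.1.100,198.51.100.25,0.0.0.0,0.0.0.0,Block-Telnet,domain\jsmith,,telnet,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-to-Panorama,2026/01/02 10:16:05,12347,1,40111,23,0,0,0x0,tcp,deny,60,60,0,1,2026/01/02 10:16:05,0,any",
    r"1,2026/01/02 10:16:07,007654321012,SYSTEM,general,0,2026/01/02 10:16:07",
]
```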
Tested On
v11.1.0 on PAN-OS (admin, 2026-01-02)
v10.2.4 on PAN-OS (admin, 2026-01-02)
Last updated: 2026-01-02 by admin