Palo Alto Networks URL Filtering Log
Records web browsing activity including URLs visited, URL categories, content types, and policy actions for web access control and compliance monitoring
Quick Facts
Default Path (Linux): none on the firewall itself; the firewall only forwards, so the file lives wherever the syslog receiver is configured to write it (e.g., /var/log/paloalto/url.log)
Docker: /var/log/pan/url.log
Default Format: CSV (Comma-Separated Values) over syslog
JSON Native: No (the syslog server profile accepts a custom log format per log type, so a JSON-shaped layout can be defined by hand)
Rotation: Configurable on the syslog server or through Panorama retention policies
Log Example
Default format: CSV Format (Syslog)
Example Log Entry (constructed sample; the trailing columns after Content Type are omitted)
1,2026/01/02 10:30:15,007654321012,THREAT,url,2560,2026/01/02 10:30:15,192.168.1.100,151.101.1.140,198.51.100.1,151.101.1.140,Allow-Web,corp\jsmith,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-Logs,2026/01/02 10:30:15,67890,1,55000,443,55000,443,0x400000,tcp,alert,"www.reddit.com/r/technology",(9999),social-networking,informational,client-to-server,9876543210,0x8000000000000000,192.168.0.0-192.168.255.255,United States,,text/html,...
Structure:
Comma-separated values in the PAN-OS threat log column order. URL filtering entries are threat logs: the Type column is THREAT and the subtype (fifth column) is url, not a separate URL type, and the subtype end belongs to traffic logs. The Threat ID column is the constant (9999) for URL entries. Columns that can contain commas (URL, user agent, URL category list) are double-quoted, so split the line with a CSV parser rather than on every comma. After Content Type the threat log continues with, among others, user agent, X-Forwarded-For, referer, device name, HTTP method, HTTP headers and the URL category list, in the order given in the PAN-OS syslog field reference.
Paths by Platform
Syslog Server
/var/log/paloalto/url.log (whatever path the receiver is configured to write; the firewall itself only forwards)
Available Formats
CSV Format (Syslog)
Default
Example: the log entry above.
Structure:
Comma-separated values with URL filtering specific fields
CEF Format
Example:
CEF:0|Palo Alto Networks|PAN-OS|11.0.0|url|THREAT|3|src=192.168.1.100 dst=151.101.1.140 spt=55000 dpt=443 proto=tcp act=alert request=www.reddit.com/r/technology cs1=Allow-Web cs1Label=Rule cs2=social-networking cs2Label=URLCategory
Structure:
Common Event Format for SIEM integration. CEF is not a built-in output: it is a custom log format entered in the syslog server profile. In the header the Device Event Class ID carries the subtype (url) and Name the type (THREAT); pipes inside header fields and equals signs inside extension values are backslash-escaped, and csN/csNLabel pairs carry the rule and category.
Fields Reference
| Field | Type | Description | Example |
|---|---|---|---|
| receive_time | datetime | Time the log was received at the management plane | 2026/01/02 10:30:15 |
| serial | string | Serial number of the firewall | 007654321012 |
| type | string | Log type; URL filtering entries are threat logs, so this is THREAT | THREAT |
| subtype | string | Threat/Content Type; url marks a URL filtering entry | url |
| time_generated | datetime | Time the log was generated on the dataplane | 2026/01/02 10:30:15 |
| src | ip | Source IP address (user/client) | 192.168.1.100 |
| dst | ip | Destination IP address (web server) | 151.101.1.140 |
| natsrc | ip | Post-NAT source IP address (0.0.0.0 when no NAT was applied) | 198.51.100.1 |
| natdst | ip | Post-NAT destination IP address | 151.101.1.140 |
| rule | string | Security policy rule name that matched | Allow-Web |
| srcuser | string | Source user (from User-ID); empty when the IP has no user mapping | corp\jsmith |
| dstuser | string | Destination user (from User-ID); normally empty for outbound web traffic | |
| app | string | Application identified by App-ID (ssl until the session is decrypted) | ssl |
| vsys | string | Virtual system name | vsys1 |
| from | string | Source security zone | trust |
| to | string | Destination security zone | untrust |
| inbound_if | string | Inbound interface | ethernet1/2 |
| outbound_if | string | Outbound interface | ethernet1/1 |
| log_action | string | Log forwarding profile applied to the session | Forward-Logs |
| sessionid | integer | Session identifier; reused over time, so combine with serial and time when correlating | 67890 |
| repeat | integer | Number of sessions with the same tuple collapsed into this entry | 1 |
| sport | integer | Source port | 55000 |
| dport | integer | Destination port | 443 |
| natsport | integer | Post-NAT source port | 55000 |
| natdport | integer | Post-NAT destination port | 443 |
| flags | string | Session flag bitmask (0x400000: NAT applied; 0x01000000: SSL session decrypted; 0x00800000: denied by URL filtering) | 0x400000 |
| proto | string | IP protocol | tcp |
| action | string | URL filtering action: alert, allow, block-url, block-continue, continue, block-override, override | alert |
| url | string | URL/Filename: full URL accessed; double-quoted in syslog output because it may contain commas | www.reddit.com/r/technology |
| threat_id | string | Threat ID; the constant (9999) for URL filtering entries | (9999) |
| url_category | string | URL category from PAN-DB that determined the action | social-networking |
| severity | string | Severity level; URL filtering entries are typically informational, unlike vulnerability or spyware threat entries | informational |
| direction | string | Direction of the request | client-to-server |
| seqno | integer | Sequence number, incremented per entry; use with serial to detect gaps or duplicates in forwarding | 9876543210 |
| content_type | string | HTTP Content-Type of the response | text/html |
| http_method | string | HTTP request method (visible only for plaintext or decrypted traffic) | GET |
| user_agent | string | User-Agent header (logged only when log-http-hdr-user-agent is enabled in the profile) | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 |
| referer | string | Referer header (logged only when log-http-hdr-referer is enabled) | https://www.google.com/ |
| device_name | string | Firewall hostname | PA-3260 |
| url_category_list | string | All categories PAN-DB returned for the URL, including the risk category (quoted, comma-separated) | social-networking,low-risk |
| http_headers | string | Captured HTTP headers (if header logging is configured); X-Forwarded-For is logged when log-http-hdr-xff is enabled | X-Forwarded-For: 10.0.0.1 |
Parsing Patterns
Notes that apply to both patterns below. Strip the syslog header (<PRI>, timestamp, hostname) before matching; the firewall's CSV body starts at the FUTURE_USE column (usually 1). PAN-OS timestamps use slashes (2026/01/02 10:30:15), which the stock TIMESTAMP_ISO8601 grok pattern (hyphen-separated) does not match. The URL, user agent and URL category list columns are double-quoted and may contain commas, so they are captured with their quotes and need a gsub/strip afterwards. Action values such as block-url contain a hyphen and do not fit %{WORD}. A pattern keyed on Type=URL never matches real output; the discriminator is Type=THREAT with subtype url.
Grok Patterns
csv:
%{INT:future_use1},(?<receive_time>%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME}),%{DATA:serial},%{WORD:type},%{WORD:subtype},%{INT:future_use2},(?<time_generated>%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME}),%{IP:src},%{IP:dst},%{IP:natsrc},%{IP:natdst},%{DATA:rule},%{DATA:srcuser},%{DATA:dstuser},%{DATA:app},%{DATA:vsys},%{DATA:from},%{DATA:to},%{DATA:inbound_if},%{DATA:outbound_if},%{DATA:log_action},(?<time_logged>%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME}),%{INT:sessionid},%{INT:repeat},%{INT:sport},%{INT:dport},%{INT:natsport},%{INT:natdport},%{DATA:flags},%{WORD:proto},%{DATA:action},(?<url>"[^"]*"|[^,]*),%{DATA:threat_id},%{DATA:url_category},%{WORD:severity},%{DATA:direction},%{INT:seqno}
Regular Expressions
csv (Python/PCRE named groups):
^(?P<future_use1>\d+),(?P<receive_time>[^,]+),(?P<serial>[^,]+),(?P<type>THREAT),(?P<subtype>url),(?P<future_use2>\d+),(?P<time_generated>[^,]+),(?P<src>[^,]+),(?P<dst>[^,]+),(?P<natsrc>[^,]+),(?P<natdst>[^,]+),(?P<rule>[^,]*),(?P<srcuser>[^,]*),(?P<dstuser>[^,]*),(?P<app>[^,]+),(?P<vsys>[^,]+),(?P<from>[^,]+),(?P<to>[^,]+),(?P<inbound_if>[^,]+),(?P<outbound_if>[^,]+),(?P<log_action>[^,]*),(?P<time_logged>[^,]+),(?P<sessionid>\d+),(?P<repeat>\d+),(?P<sport>\d+),(?P<dport>\d+),(?P<natsport>\d+),(?P<natdport>\d+),(?P<flags>[^,]*),(?P<proto>[^,]+),(?P<action>[^,]+),(?P<url>"[^"]*"|[^,]*),(?P<threat_id>[^,]*),(?P<url_category>[^,]*),(?P<severity>[^,]*),(?P<direction>[^,]*),(?P<seqno>\d+)
Collector Configurations
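The CEF layout described under Available Formats, parsed end to end: header fields split on unescaped pipes, extension key=value pairs with space-containing values, CEF escapes undone, and csN/csNLabel pairs folded into fields named after their label. This is an added example written for this page, not Palo Alto Networks code; the event string is constructed (with an escaped = in the URL and an escaped backslash in the user name) and follows the subtype/type header order shown in the CEF example.

```python
"""Parse a CEF-formatted PAN-OS URL filtering event.

Added example for this page, not vendor code. SAMPLE_CEF is a constructed
event; the header order (Device Event Class ID = subtype, Name = type) and
the cs1/cs2 label pairs follow the CEF example on the page."""
import re

# Constructed sample: "\=" inside the request value and "\\" inside suser exercise CEF escaping.
SAMPLE_CEF = (
    "CEF:0|Palo Alto Networks|PAN-OS|11.0.0|url|THREAT|3|rt=Jan 02 2026 10:30:15 "
    "src=192.168.1.100 dst=151.101.1.140 spt=55000 dpt=443 proto=tcp act=block-url "
    "request=login.example.test/verify?a\\=1 cs1Label=Rule cs1=Allow-Web "
    "cs2Label=URL Category cs2=phishing suser=corp\\\\jsmith"
)

HEADER_KEYS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
# Seven header fields, each a run of escaped chars or non-pipe chars, each closed by a pipe.
HEADER_RE = re.compile(r"^CEF:" + r"((?:\\.|[^\\|])*)\|" * 7)
# key=value where the value runs lazily up to the next " key=" or end of line; values may contain spaces.
KV = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)")


def _unescape(s, extra):
    """Undo CEF escaping: backslash-backslash plus backslash-<extra> (| in header, = in extension)."""
    return re.sub(r"\\([\\" + re.escape(extra) + "])", r"\1", s)


def parse_cef(event):
    """Return (header_dict, extension_dict) or raise ValueError for a non-CEF line."""
    m = HEADER_RE.match(event.strip())
    if not m:
        raise ValueError("not a CEF:0 event with seven header fields")
    header = dict(zip(HEADER_KEYS, (_unescape(v, "|") for v in m.groups())))
    ext = {k: _unescape(v, "=") for k, v in KV.findall(event.strip()[m.end():])}
    # Fold csNLabel=Rule / csN=Allow-Web into ext["Rule"] = "Allow-Web" so queries
    # can use the vendor's label instead of the custom-string slot number.
    for key in [k for k in ext if re.fullmatch(r"c[sn]\d+Label", k)]:
        slot = key[:-5]
        if slot in ext:
            ext[ext.pop(key)] = ext.pop(slot)
    return header, ext


if __name__ == "__main__":
    hdr, ext = parse_cef(SAMPLE_CEF)
    print(hdr["signature_id"], hdr["name"], ext["act"], ext["URL Category"], ext["request"])
```

The value regex stops only at whitespace followed by another key=, which is what lets rt=Jan 02 2026 10:30:15 and cs2Label=URL Category survive intact; a value that itself contains " word=" would still be mis-split, which is why CEF producers escape = inside values.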
Splunk (props.conf)
# Splunk TA for Palo Alto Networks
[pan:url]
TIME_FORMAT = %Y/%m/%d %H:%M:%S
TIME_PREFIX = ^[^,]*,
MAX_TIMESTAMP_LOOKAHEAD = 44
SHOULD_LINEMERGE = false
TRUNCATE = 16384
pulldown_type = true

# URL category field extractions
FIELDALIAS-url_category = url_category as category
EVAL-url_domain = mvindex(split(url,"/"),0)

# Numeric severity per action as a calculated field. alert.severity is a
# savedsearches.conf setting and does nothing in props.conf; use this field
# in the alert's search instead.
EVAL-action_severity = case(action=="block-url",4,action=="block-continue",3,action=="alert",2,true(),1)
Configuration
Enable Logging
Enable URL filtering logging in the URL Filtering profile. The per-category action decides whether an entry is written at all: allow permits the request and writes nothing, alert permits it and logs it, block-url and the other block actions log and block. Use alert rather than allow for every category you want to see in the log.
# Configure URL Filtering Profile
# Credential submission detection is off here; a mode such as ip-user also logs corporate credentials submitted to sites
set profiles url-filtering <profile-name> credential-enforcement mode disabled
set profiles url-filtering <profile-name> log-http-hdr-xff yes
set profiles url-filtering <profile-name> log-http-hdr-user-agent yes
set profiles url-filtering <profile-name> log-http-hdr-referer yes
# no = log every page element (images, scripts), not just the container page; far higher volume, so set yes if the SIEM cannot absorb it
set profiles url-filtering <profile-name> log-container-page-only no
# Set actions per category
set profiles url-filtering <profile-name> block adult
set profiles url-filtering <profile-name> block malware
set profiles url-filtering <profile-name> block phishing
set profiles url-filtering <profile-name> alert social-networking
# allow produces no log entry; change to alert if business-and-economy hits should be visible
set profiles url-filtering <profile-name> allow business-and-economy
# Apply to security rules
set rulebase security rules <rule-name> profile-setting profiles url-filtering <profile-name>
Ensure the URL Filtering (Advanced URL Filtering) license is active and PAN-DB is updated; without a valid license and database, categories are not resolved and the per-category actions above are not applied.
Log To Syslog
Configure syslog forwarding for URL logs. Forwarding needs three pieces: a syslog server profile (the destination), a log forwarding profile with a match list of log-type url, and that profile attached to each security rule whose sessions should be forwarded. Creating the profile alone forwards nothing.
# Create log forwarding profile for URL logs
set shared log-settings profiles <profile-name> match-list url-logs log-type url
set shared log-settings profiles <profile-name> match-list url-logs filter "All Logs"
set shared log-settings profiles <profile-name> match-list url-logs send-syslog <syslog-profile>
# Forward only blocked URLs
set shared log-settings profiles <profile-name> match-list blocked-urls log-type url
set shared log-settings profiles <profile-name> match-list blocked-urls filter "(action eq block-url) or (action eq block-continue)"
set shared log-settings profiles <profile-name> match-list blocked-urls send-syslog <syslog-profile>
# Attach the log forwarding profile to the rule
set rulebase security rules <rule-name> log-setting <profile-name>
Use Cases
Web usage monitoring
Track websites visited by users
Fields: srcuser, url, url_category, time_generated
GROUP BY srcuser, url_category | STATS count()
Bandwidth by category
Identify which URL categories consume the most bandwidth. URL filtering entries carry no byte counts; bytes, bytes_sent and bytes_received live in the traffic log. Join the URL entry to the traffic entry for the same serial and sessionid (within a time window, because session IDs are reused), then sum.
Fields: url_category, sessionid (URL log); sessionid, bytes (traffic log)
JOIN traffic ON serial, sessionid | GROUP BY url_category | STATS sum(bytes) | SORT bytes DESC
Top visited domains
Most frequently accessed websites. The log has no separate host field, so derive url_domain as the part of url before the first /.
Fields: url, srcuser
GROUP BY url_domain | STATS count() | SORT count DESC | LIMIT 20
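A parser for the CSV layout described under Parsing Patterns, feeding the three use cases above (usage by user and category, bandwidth by category via the traffic-log join, top domains) plus a blocked-URL pull. This is an added example written for this page, not Palo Alto Networks or vendor code. The three log lines are constructed: two THREAT/url entries (one with a comma inside the quoted URL, one behind an RFC 3164 syslog header) and one TRAFFIC entry for the same session so the bandwidth join has something to join against. It assumes the PAN-OS threat log column order through Content Type and that Bytes is the column after Action in a traffic entry.

```python
"""PAN-OS URL filtering log parser plus the use-case aggregations.

Added example for this page, not vendor code. SAMPLE is constructed input.
FIELDS follows the PAN-OS threat log column order through Content Type; a
TRAFFIC line is read only for its shared prefix plus the Bytes column."""
import csv
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

FIELDS = [
    "future_use1", "receive_time", "serial", "type", "subtype", "future_use2",
    "time_generated", "src", "dst", "natsrc", "natdst", "rule", "srcuser",
    "dstuser", "app", "vsys", "from", "to", "inbound_if", "outbound_if",
    "log_action", "time_logged", "sessionid", "repeat", "sport", "dport",
    "natsport", "natdport", "flags", "proto", "action", "url", "threat_id",
    "url_category", "severity", "direction", "seqno", "action_flags",
    "srcloc", "dstloc", "future_use3", "content_type",
]
INT_FIELDS = ("sessionid", "repeat", "sport", "dport", "natsport", "natdport", "seqno")
BLOCK_ACTIONS = {"block-url", "block-continue", "block-override"}
FLAG_DECRYPTED = 0x01000000  # Flags bit "SSL session was decrypted"
# Optional RFC 3164 header a receiver may prepend: "<14>Jan  2 10:30:15 PA-3260 "
SYSLOG_HDR = re.compile(r"^(?:<\d{1,3}>)?(?:[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \S+ )?")

# Constructed sample: two URL entries and one TRAFFIC entry for session 67890.
SAMPLE = """\
<14>Jan  2 10:30:15 PA-3260 1,2026/01/02 10:30:15,007654321012,THREAT,url,2560,2026/01/02 10:30:15,192.168.1.100,151.101.1.140,198.51.100.1,151.101.1.140,Allow-Web,corp\\jsmith,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-Logs,2026/01/02 10:30:15,67890,1,55000,443,55000,443,0x1400000,tcp,alert,"www.reddit.com/r/technology",(9999),social-networking,informational,client-to-server,9876543210,0x8000000000000000,192.168.0.0-192.168.255.255,United States,,text/html
1,2026/01/02 10:31:02,007654321012,THREAT,url,2560,2026/01/02 10:31:02,192.168.1.101,203.0.113.9,198.51.100.1,203.0.113.9,Allow-Web,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-Logs,2026/01/02 10:31:02,67891,1,55010,80,55010,80,0x400000,tcp,block-url,"login.example.test/verify?acct=1,2",(9999),phishing,informational,client-to-server,9876543211,0x8000000000000000,192.168.0.0-192.168.255.255,United States,,
1,2026/01/02 10:35:40,007654321012,TRAFFIC,end,2560,2026/01/02 10:35:40,192.168.1.100,151.101.1.140,198.51.100.1,151.101.1.140,Allow-Web,corp\\jsmith,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,Forward-Logs,2026/01/02 10:35:40,67890,1,55000,443,55000,443,0x400000,tcp,allow,184320,12288,172032,210,2026/01/02 10:30:10,330,social-networking
"""


def split_body(line):
    """Drop any syslog header, then split honouring the double-quoted columns."""
    return next(csv.reader([SYSLOG_HDR.sub("", line.rstrip("\n"), count=1)]))


def parse_url_entry(line):
    """Dict for a THREAT/url entry; None for traffic logs and other threat subtypes."""
    row = split_body(line)
    if len(row) < len(FIELDS) or row[3] != "THREAT" or row[4] != "url":
        return None
    rec = dict(zip(FIELDS, row))
    for k in INT_FIELDS:
        rec[k] = int(rec[k])
    rec["flags"] = int(rec["flags"], 16)
    rec["decrypted"] = bool(rec["flags"] & FLAG_DECRYPTED)
    rec["url_domain"] = urlsplit("//" + rec["url"]).hostname or ""  # host part only
    rec["blocked"] = rec["action"] in BLOCK_ACTIONS
    return rec


def parse_traffic_bytes(line):
    """(serial, sessionid, bytes) from a TRAFFIC entry; Bytes follows Action."""
    row = split_body(line)
    if len(row) < 32 or row[3] != "TRAFFIC":
        return None
    return row[2], int(row[22]), int(row[31])


def load(text):
    """Split a mixed feed into URL records and a (serial, sessionid) -> bytes map."""
    urls, traffic = [], defaultdict(int)
    for line in text.splitlines():
        rec = parse_url_entry(line)
        if rec:
            urls.append(rec)
            continue
        t = parse_traffic_bytes(line)
        if t:
            traffic[(t[0], t[1])] += t[2]
    return urls, dict(traffic)


def usage_by_user_category(urls):
    """Web usage monitoring: entries per (user, category); unmapped IPs stand in for the user."""
    return Counter((r["srcuser"] or r["src"], r["url_category"]) for r in urls)


def top_domains(urls, limit=20):
    return Counter(r["url_domain"] for r in urls).most_common(limit)


def bandwidth_by_category(urls, traffic):
    """Bytes per category via the traffic-log join; each session is counted once."""
    seen, total = set(), defaultdict(int)
    for r in urls:
        key = (r["serial"], r["sessionid"])
        if key in traffic and key not in seen:
            seen.add(key)
            total[r["url_category"]] += traffic[key]
    return sorted(total.items(), key=lambda kv: kv[1], reverse=True)


def blocked(urls):
    return [(r["srcuser"] or r["src"], r["url_category"], r["url"]) for r in urls if r["blocked"]]


if __name__ == "__main__":
    u, t = load(SAMPLE)
    print(usage_by_user_category(u), top_domains(u), bandwidth_by_category(u, t), blocked(u))
```

The join keys on serial and session ID only; in a long-running feed add a time window (traffic end time after URL time, within the session's elapsed seconds) because PAN-OS reuses session IDs.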
Tested On
v11.1.0 on PAN-OS (admin, 2026-01-02)
v10.2.4 on PAN-OS (admin, 2026-01-02)
Last updated: 2026-01-02 by admin