Forward Logs to Strata Logging Service
Learn about forwarding logs to the Strata Logging Service using the Cloud Identity
Engine.
The Cloud Identity Engine (CIE) supports automated log
forwarding to the Strata Logging Service (SLS). With this integration, you’ll gain
granular visibility into Directory Sync and Administrative Audit
events; centralizing telemetry in SLS allows you to move beyond minimal service
insights to efficiently troubleshoot synchronization errors, monitor real-time sync
progress, and gather the evidence required for internal compliance audits.
This functionality includes the following:
- Directory Synchronization Monitoring: Detailed tracking of the sync life cycle (full and incremental). This includes visibility into sync progress for large-scale directories and the ability to isolate failures to specific domains, forests, or trees.
- Configuration Change Auditing: A definitive record of administrative actions. Audit logs specifically support changes made within the following UI sections:
  - Directory Sync: directories, agents & certificates, attributes.
  - Security Risk: risk connections, Cloud Dynamic Groups.
  - Authentication: CA chains, authentication types, authentication profiles.
Consider the following constraints:
- Authentication (Auth) Logs: Log forwarding for end-user authentication events (visible in the Authentication Logs UI section) is not currently supported.
- External forwarding: Exporting CIE logs from SLS to external SIEM systems (e.g., Splunk, Elastic) is not supported.
Troubleshooting Considerations
Forwarding CIE logs to SLS enables you to quickly troubleshoot errors and collect
compliance evidence, allowing you to avoid delays in error remediation while
ensuring that compliance requirements are met.
Directory Sync Troubleshooting
To troubleshoot directory synchronization, consider the following:
- Sync Progress Tracking: Monitor the event_state sequence from SYNC_START to SYNC_IN_PROGRESS to verify that high-volume synchronization jobs are active.
- Point-of-Failure Analysis: In the event of a SYNC_FAILURE, the failure_reason_code identifies the technical root cause, while the directory_id and directory_name isolate the specific forest or domain experiencing the issue.
- Object Count Validation: Upon SYNC_SUCCESS, the count_summary JSON provides the final tally of users and groups processed, facilitating immediate reconciliation with the source directory.
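As an added example (not Palo Alto Networks code), the three checks above applied to constructed Sync Log records: records are grouped per sync_job_id and ordered by event_sequence_id, then each job's event_state sequence, point of failure, and count_summary drift against a constructed per-directory expected count are reported. The directory names, the failure_reason_code value and the expected counts are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample records (not real SLS data); field names follow the Sync Logs table.
# Records are deliberately out of order: event_sequence_id, not arrival order, is authoritative.
SAMPLE_SYNC_LOGS = """
{"sync_job_id": "152740840", "event_sequence_id": 1, "directory_name": "corp.example", "event_state": "SYNC_START"}
{"sync_job_id": "152740840", "event_sequence_id": 3, "directory_name": "corp.example", "event_state": "SYNC_SUCCESS", "count_summary": {"application": 0, "computer": 0, "group": 120, "user": 14259}}
{"sync_job_id": "152740840", "event_sequence_id": 2, "directory_name": "corp.example", "event_state": "SYNC_IN_PROGRESS"}
{"sync_job_id": "152740999", "event_sequence_id": 1, "directory_name": "eu.example", "event_state": "SYNC_START"}
{"sync_job_id": "152740999", "event_sequence_id": 2, "directory_name": "eu.example", "event_state": "SYNC_FAILURE", "failure_reason_code": "LDAP_BIND_FAILED", "recommended_action": "Check the bind credentials on the agent"}
{"sync_job_id": "152741100", "event_sequence_id": 1, "directory_name": "apac.example", "event_state": "SYNC_START"}
{"sync_job_id": "152741100", "event_sequence_id": 3, "directory_name": "apac.example", "event_state": "SYNC_IN_PROGRESS"}
"""

# Object counts read from the source directories (constructed), used to reconcile count_summary.
EXPECTED_DIRECTORY_COUNTS = {"corp.example": {"user": 14262, "group": 120}}


def summarize_sync_jobs(raw_lines, expected_counts):
    """Per sync_job_id: ordered event_state sequence, terminal flag, sequence gaps,
    failure details on SYNC_FAILURE, and count drift against the source on SYNC_SUCCESS."""
    jobs = defaultdict(list)
    for line in raw_lines.strip().splitlines():
        rec = json.loads(line)
        jobs[rec["sync_job_id"]].append(rec)

    report = {}
    for job_id, recs in jobs.items():
        recs.sort(key=lambda r: r["event_sequence_id"])
        seq = [r["event_sequence_id"] for r in recs]
        last = recs[-1]
        summary = {
            "directory": last["directory_name"],
            "states": [r["event_state"] for r in recs],
            "terminal": last["event_state"] in {"SYNC_SUCCESS", "SYNC_FAILURE"},
            # Missing sequence numbers mean records were lost or not delivered yet.
            "missing_sequence_ids": sorted(set(range(1, seq[-1] + 1)) - set(seq)),
        }
        if last["event_state"] == "SYNC_FAILURE":
            # Point-of-failure analysis: root cause plus the suggested remediation.
            summary["failure_reason_code"] = last.get("failure_reason_code")
            summary["recommended_action"] = last.get("recommended_action")
        elif last["event_state"] == "SYNC_SUCCESS":
            # Object count validation: positive drift = objects the source has that CIE did not process.
            counts = last.get("count_summary", {})
            expected = expected_counts.get(last["directory_name"], {})
            summary["drift"] = {k: v - counts.get(k, 0) for k, v in expected.items() if v != counts.get(k, 0)}
        report[job_id] = summary
    return report
```

A job that is not terminal and has gaps in event_sequence_id is either still running or has lost records in transit, which is the case worth alerting on for large directories.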
Sync Logs
| Attribute Name | Data Type | Example | Values | Description | Optional | Notes |
|---|---|---|---|---|---|---|
| cie_log_time | TIMESTAMP | 2025-12-18T05:16:02+00:00 | | The precise time the event occurred (in UTC). | No | |
| customer_id | STRING | 7701561416184349696 | | Customer's CIE Tenant ID | No | SLS Common Field, Mandatory |
| directory_id | STRING | 7a7d7ede-62f9-4f50-b1b7-0b6c38d5678b | | Domain/Directory ID | No | |
| directory_type | ENUM | CLOUD DIRECTORY | ON-PREM DIRECTORY, CLOUD DIRECTORY, SCIM PROTOCOL | Type of directory | No | |
| vendor_name | ENUM | ENTRA_ID | MICROSOFT ACTIVE DIRECTORY, OPEN_LDAP, ENTRA_ID, OKTA, GOOGLE | | No | SLS Common Field, Mandatory |
| client_application_id | STRING | 2a509489-fba5-4674-b34f-d4dea7416f2d | | ID of the client application used for the sync operation | Yes | |
| sync_type | ENUM | FULL_SYNC | FULL_SYNC, INCREMENTAL_SYNC | Indicates the sync type (full vs. incremental). | No | |
| sync_job_id | STRING | 152740840 | | A unique ID for the entire sync run | No | |
| event_sequence_id | INTEGER | 1 | | A sequence number to order events within a single sync_job_id | No | |
| event_category | ENUM | MEMBERSHIP_CHANGE | SYNC_START, SYNC_COMPLETE, RESOURCE_CHANGE, MEMBERSHIP_CHANGE, MEMBERSHIP_STATS | The broad type of event | No | |
| event_type | ENUM | MEMBER_ADDED | USER_ADDED, USER_REMOVED, USER_MODIFIED, GROUP_ADDED, GROUP_MODIFIED, GROUP_REMOVED, MEMBER_ADDED, GROUP_UPDATE_IN_PROGRESS, MEMBER_REMOVED, GROUP_MEMBERSHIP_STATS | The specific action that occurred | No | |
| event_state | ENUM | SYNC_IN_PROGRESS | SYNC_START, SYNC_IN_PROGRESS, SYNC_SUCCESS, SYNC_FAILURE | Current state or outcome of the sync job | No | |
| target_type | ENUM | GROUP | GROUP, USER | The type of the related/affected entity (usually Group). | No | |
| target_id | STRING | Group_A | | The unique ID of the related/affected entity (e.g., the group's ID). | No | |
| source_type | ENUM | USER | USER | The type of entity being acted upon (User, Group, etc.). | Yes | |
| source_id | STRING | User_A | | The unique ID of the entity being acted upon (e.g., the user's ID). | Yes | |
| flattened_membership_count_cie | INTEGER | 20 | | | | |
| flattened_membership_count_cie_previous_sync | INTEGER | 20 | | | | |
| flattened_membership_count_idp | INTEGER | 20 | | | | |
| immediate_membership_count_cie | INTEGER | 20 | | | | |
| immediate_membership_count_cie_previous_sync | INTEGER | 20 | | | | |
| immediate_membership_count_idp | INTEGER | 20 | | | | |
| count | INTEGER | 20 | | Indicates the number of impacted objects | | |
| count_summary | JSON / Dictionary | {"application": 0, "computer": 0, "group": 0, "user": 14259} | | JSON object containing total object counts (only populated on SYNC_SUCCESS). | Yes | |
| failure_reason_code | STRING | | | Root cause of the job failure (only populated on SYNC_FAILURE). | Yes | |
| recommended_action | STRING | | | Instruction for resolving the failure (only populated on SYNC_FAILURE). | Yes | |
| log_type | DICT | {"id": 8000, "value": "audit"} | | Mandatory Field | | |
| sub_type | DICT | {"id": 8000, "value": "Default"} | | Mandatory Field | | |
| log_source_id | STRING | CLOUD_IDENTITY_ENGINE | | Mandatory Field | | |
| log_source_group_id | STRING | CLOUD_IDENTITY_ENGINE - DIRECTORY_SYNC_SERVICE | | Mandatory Field | | |
| log_source | STRING | CLOUD_IDENTITY_ENGINE | | Mandatory Field | | |
| time_generated | INT | 1740603470 | | Time when the log is published, as an epoch value (example: 1762992825000) | | |
| time_generated_high_res | INT | 1740603470668 | | | | |
| tsg_id | STRING | 1673741556 | | Customer's TSG ID | | |
| platform_type | STRING | CLOUD_IDENTITY_ENGINE | | Mandatory Field | | |
Compliance Auditing
For compliance auditing, consider:
- Administrative Accountability: Use event_source_user_email and event_description to audit which administrator modified settings in sections such as CA Chains, Risk Connections, or Authentication Profiles, exactly what was changed, and when.
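The accountability check above, as an added example that is not Palo Alto Networks code: constructed Audit Log records are filtered to configuration changes in the audited UI sections (mapped from event_category prefixes; that mapping is this example's own assumption) and grouped per event_source_user_email with time, section and description. It assumes event_time is an ISO 8601 UTC string, as in the Audit Logs table's example.

```python
import json
from collections import defaultdict

# Assumed mapping from event_category prefixes to the audited UI sections (Directory Sync,
# Security Risk, Authentication). A prefix match groups the ADDED/UPDATED/DELETED variants.
SECTION_BY_PREFIX = {
    "CA_CHAIN": "Authentication > CA Chains",
    "AUTHENTICATION_TYPE": "Authentication > Authentication Types",
    "AUTHENTICATION_PROFILE": "Authentication > Authentication Profiles",
    "RISK_CONNECTION": "Security Risk > Risk Connections",
    "CDUG": "Security Risk > Cloud Dynamic Groups",
    "DIRECTORY": "Directory Sync > Directories",
}

# Constructed sample audit records (not real SLS data); field names follow the Audit Logs table.
SAMPLE_AUDIT_LOGS = """
{"event_time": "2025-11-13T00:13:45Z", "event_category": "CIE_LOGIN", "event_source_user_email": "admin1@example.com", "event_description": "admin1@example.com logged in to Cloud Identity Engine Application"}
{"event_time": "2025-11-13T00:15:02Z", "event_category": "CA_CHAIN_UPDATED", "event_source_user_email": "admin1@example.com", "event_description": "CA Chain Corp-Root has been updated."}
{"event_time": "2025-11-13T00:16:30Z", "event_category": "AUTHENTICATION_PROFILE_DELETED", "event_source_user_email": "admin1@example.com", "event_description": "multi authentication profile, MFA-Default, has been deleted."}
{"event_time": "2025-11-13T01:02:11Z", "event_category": "RISK_CONNECTION_EDITED", "event_source_user_email": "admin2@example.com", "event_description": "Okta risk connection has been edited"}
{"event_time": "2025-11-13T01:05:00Z", "event_category": "SECRET_RETRIEVED", "event_source_user_email": "admin2@example.com", "event_description": "admin2@example.com retrieved a secret for HR-App https://hr.example in vault Prod"}
"""


def section_for(event_category):
    """Return the audited UI section for an event_category, or None if it is not a change there."""
    for prefix, section in SECTION_BY_PREFIX.items():
        if event_category.startswith(prefix):
            return section
    return None


def accountability_report(raw_lines, window_start, window_end):
    """Configuration changes per administrator inside [window_start, window_end]: when, which
    section, which event_category, and the description. ISO 8601 UTC strings compare in time order."""
    changes = defaultdict(list)
    for line in raw_lines.strip().splitlines():
        rec = json.loads(line)
        if not window_start <= rec["event_time"] <= window_end:
            continue
        section = section_for(rec["event_category"])
        if section is None:  # logins and vault operations are outside the three audited sections
            continue
        changes[rec["event_source_user_email"]].append(
            (rec["event_time"], section, rec["event_category"], rec["event_description"])
        )
    return dict(changes)
```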
Audit Logs
| Attribute Name | Data Type | Example | Description |
|---|---|---|---|
| event_time | STRING | 2025-11-13T00:13:45Z | Time when the event happened. Example: 2025-11-13T00:13:45Z |
| event_category | STRING | | A high-level view of the action. One of the values listed in the event_category table below. |
| event_description | STRING | | Human-readable description of the action; the template for each event_category is listed in the table below. |
| log_source | STRING | CLOUD_IDENTITY_ENGINE | Mandatory Field |
| log_source_id | STRING | CLOUD_IDENTITY_ENGINE | Mandatory Field |
| log_source_group_id | STRING | CLOUD_IDENTITY_ENGINE - DIRECTORY_SYNC_SERVICE, CLOUD_IDENTITY_ENGINE - CLOUD_AUTH_SERVICE, CLOUD_IDENTITY_ENGINE - SECRETS_VAULT, CLOUD_IDENTITY_ENGINE - USER_RISK_ENGINE | Mandatory Field |
| time_generated | INT | 1740603470 | Time when the log is published, as an epoch value (example: 1762992825000) |
| time_generated_high_res | INT | 1740603470668 | |
| customer_id | STRING | 4711855380396736512 | CIE Tenant ID |
| tsg_id | STRING | 1673741556 | Customer's TSG ID |
| vendor_name | STRING | Palo Alto Networks | Mandatory Field |
| event_source_user_first_name | STRING | John | |
| event_source_user_last_name | STRING | Smith | |
| event_source_user_email | STRING | john@paloaltonetworks.com | |
| platform_type | STRING | CLOUD_IDENTITY_ENGINE | Mandatory Field |
| log_type | DICT | {"id": 8000, "value": "audit"} | Mandatory Field |
| sub_type | DICT | {"id": 8000, "value": "Default"} | Mandatory Field |

Each event_category value and the corresponding event_description template (bracketed items are filled in from the event):

| event_category | event_description |
|---|---|
| USER_REMOVED_FROM_RISK_CATEGORY | [admin] removed [user] from risk category [category] |
| RISK_SIGNAL_REMOVED_FROM_RISK_CATEGORY | [admin] removed [risk signal] from risk category [category] |
| RISK_SIGNAL_ADDED_TO_RISK_CATEGORY | [admin] added [risk signal] to risk category [category] |
| RISK_CONNECTION_ADDED | [admin] added a new risk connection [risk source] |
| CDUG_CREATED | [admin] created a new CDUG |
| VAULT_ADDED | [user] added a new vault [name of vault] and associated it with [directory] |
| VAULT_DELETED | [user] deleted vault [name of vault] which was associated with [directory] |
| SECRET_ADDED | [user] added a new secret for [application name] [URL] in vault [vault name] |
| SECRET_MODIFIED | [user] changed the secret for an existing secret for [application name] [URL] in vault [vault name] |
| SECRET_SHARED | [user] shared a secret for [application name] [URL] in vault [vault name] |
| SECRET_UNSHARED | [user] stopped sharing a secret for [application name] [URL] in vault [vault name] |
| SECRET_DELETED | [user] deleted a secret for [application name] [URL] in vault [vault name] |
| SECRET_RETRIEVED | [user] retrieved a secret for [application name] [URL] in vault [vault name] |
| CIE_LOGIN | [admin] logged in to Cloud Identity Engine Application |
| DIRECTORY_ADDED | A new [vendor] directory, [directory name], has been added |
| DIRECTORY_RECONNECTED | [vendor] directory, [directory name], has been reconnected |
| DIRECTORY_REMOVED | [vendor] directory, [directory name], has been deleted |
| FULL_SYNC_TRIGGER_SUCCESSFUL | A full synchronization for [vendor] directory, [directory name], with ID [directory ID] has been manually initiated successfully |
| INCREMENTAL_SYNC_TRIGGER_SUCCESSFUL | An incremental synchronization for [vendor] directory, [directory name], with ID [directory ID] has been manually initiated successfully |
| FULL_SYNC_TRIGGER_UNSUCCESSFUL | Request for full synchronization for [vendor] directory, [directory name], with ID [directory ID] is unsuccessful |
| INCREMENTAL_SYNC_TRIGGER_UNSUCCESSFUL | Request for incremental synchronization for [vendor] directory, [directory name], with ID [directory ID] is unsuccessful |
| CIE_DIRECTORY_USER_ADDED | A new user, [user], has been added to CIE Directory [directory name] |
| CIE_DIRECTORY_USER_REMOVED | User, [user], has been removed from CIE Directory [directory name] |
| RISK_CONNECTION_ADDED | A new [vendor] risk connection has been added |
| RISK_CONNECTION_EDITED | [vendor] risk connection has been edited |
| RISK_CONNECTION_DELETED | [vendor] risk connection has been deleted. |
| AUTHENTICATION_TYPE_ADDED | A new [SAML/OIDC/Client Certificate/Password Authentication] authentication type [Auth type name] has been added. |
| AUTHENTICATION_TYPE_UPDATED | [SAML/OIDC/Client Certificate/Password Authentication] authentication type [Auth type name] has been updated. |
| AUTHENTICATION_TYPE_DELETED | [SAML/OIDC/Client Certificate/Password Authentication] authentication type [Auth type name] has been deleted. |
| AUTHENTICATION_PROFILE_ADDED | A new [multi/single] authentication profile, [auth profile name], has been added. |
| AUTHENTICATION_PROFILE_UPDATED | [multi/single] authentication profile, [auth profile name], has been updated. |
| AUTHENTICATION_PROFILE_DELETED | [multi/single] authentication profile, [auth profile name], has been deleted. |
| CA_CHAIN_ADDED | CA Chain [CA Chain Name] has been added. |
| CA_CHAIN_UPDATED | CA Chain [CA Chain Name] has been updated. |
| CA_CHAIN_DELETED | CA Chain [CA Chain Name] has been deleted. |
View CIE Logs Forwarded to Strata Logging Service
To leverage the benefits of automated CIE log forwarding to SLS, you’ll need to:
- Configure SLS. This process includes procuring the necessary license, activating SLS, and performing onboarding tasks.
- Establish a storage quota. In Strata Cloud Manager (SCM), use Configure Quota to allocate the necessary space for the Audit log type.
- Set the retention period. Numerous (often regulatory) guidelines determine the retention period.
To view CIE logs forwarded to Strata Logging Service (SLS):
1. Log in to the Palo Alto Networks hub.
2. Locate your tenant in the Tenants window. Once selected, the Strata Cloud Manager (SCM) page appears.
3. In SCM, select Log Viewer in the navigation pane.
4. In the Log Viewer screen, view Audit Logs by selecting Network/Firewall Traffic > Common > Audit.
5. To view Sync Logs, select Directory Sync in the Cloud Identity Engine section.