Forward Logs to Strata Logging Service
Learn about forwarding logs to the Strata Logging Service using the Cloud Identity
Engine.
The Cloud Identity Engine (CIE) supports automated log
forwarding to the Strata Logging Service (SLS). With this integration, you’ll gain
granular visibility into Directory Sync and Administrative Audit
events; centralizing telemetry in SLS allows you to move beyond minimal service
insights to efficiently troubleshoot synchronization errors, monitor real-time sync
progress, and gather the evidence required for internal compliance audits.
This functionality includes the following:
- Directory Synchronization Monitoring: Detailed tracking of the sync life cycle (full and incremental). This includes visibility into sync progress for large-scale directories and the ability to isolate failures to specific domains, forests, or trees.
- Configuration Change Auditing: A definitive record of administrative actions. Audit logs specifically support changes made within the following UI sections:
  - Directory Sync: directories, agents & certificates, attributes.
  - Security Risk: risk connections, Cloud Dynamic Groups.
  - Authentication: CA chains, authentication types, authentication profiles.
Consider the following constraints:
- Authentication (Auth) Logs: Log forwarding for end-user authentication events (visible in the Authentication Logs UI section) is not currently supported.
- External forwarding: Exporting CIE logs from SLS to external SIEM systems (e.g., Splunk, Elastic) is not supported.
Troubleshooting Considerations
Forwarding CIE logs to SLS enables you to quickly troubleshoot errors and collect
compliance evidence, allowing you to avoid delays in error remediation while
ensuring that compliance requirements are met.
Directory Sync Troubleshooting
To troubleshoot directory synchronization, consider the following:
- Sync Progress Tracking: Monitor the event_state sequence from SYNC_START to SYNC_IN_PROGRESS to verify that high-volume synchronization jobs are active.
- Point-of-Failure Analysis: In the event of a SYNC_FAILURE, the failure_reason_code identifies the technical root cause, while the directory_id and directory_name isolate the specific forest or domain experiencing the issue.
- Object Count Validation: Upon SYNC_SUCCESS, the count_summary JSON provides the final tally of users and groups processed, facilitating immediate reconciliation with the source directory.
Sync Logs
| Attribute Name | Raw Attribute Name | Example | Values | Description |
|---|---|---|---|---|
| CIE Time Received | cie_log_time | 2025-12-18T05:16:02+00:00 | | Time of the event in UTC when the sync operation occurred |
| Customer Id | customer_id | 7701561416184349696 | | Customer ID of the Cloud Identity Engine instance |
| Directory Id | directory_id | 7a7d7ede-62f9-4f50-b1b7-0b6c38d5678b | | Unique identifier of the directory being synchronized |
| Directory Type | directory_type | CLOUD DIRECTORY | ON-PREM DIRECTORY, CLOUD DIRECTORY, SCIM PROTOCOL | Type of directory being synchronized |
| Vendor Name | vendor_name | ENTRA_ID | MICROSOFT ACTIVE DIRECTORY, OPEN_LDAP, ENTRA_ID, OKTA, GOOGLE | Identity provider vendor supplying the directory data |
| Client Application Id | client_application_id | 2a509489-fba5-4674-b34f-d4dea7416f2d | | Unique identifier of the client application used for the directory sync operation |
| Sync Type | sync_type | FULL_SYNC | FULL_SYNC, INCREMENTAL_SYNC | Type of synchronization performed: full synchronization or incremental (delta) synchronization |
| Sync Job Id | sync_job_id | 152740840 | | Unique identifier for the entire synchronization run |
| Event Sequence Id | event_sequence_id | 1 | | Sequential number used to order events within a single sync_job_id for chronological event tracking |
| Event Category | event_category | MEMBERSHIP_CHANGE | SYNC_START, SYNC_COMPLETE, RESOURCE_CHANGE, MEMBERSHIP_CHANGE, MEMBERSHIP_STATS | High-level category of the synchronization event (sync lifecycle) |
| Event Type | event_type | MEMBER_ADDED | USER_ADDED, USER_REMOVED, USER_MODIFIED, GROUP_ADDED, GROUP_MODIFIED, GROUP_REMOVED, MEMBER_ADDED, GROUP_UPDATE_IN_PROGRESS, MEMBER_REMOVED, GROUP_MEMBERSHIP_STATS | Specific action or operation that occurred during the sync (detailed event subtype within event_category) |
| Event State | event_state | SYNC_IN_PROGRESS | SYNC_START, SYNC_IN_PROGRESS, SYNC_SUCCESS, SYNC_FAILURE | Current state or outcome of the synchronization job |
| Target Type | target_type | GROUP | GROUP, USER | Object type of the entity being operated on or affected by the event |
| Target Id | target_id | Group_A | | Unique identifier of the entity being operated on (e.g., Group ID or User ID referenced by the event) |
| Source Type | source_type | USER | USER | Object type of the source entity initiating or involved in the operation (e.g., User being added to a group) |
| Source Id | source_id | User_A | | Unique identifier of the source entity (e.g., User ID being added to or removed from a group) |
| Flattened Membership Count CIE | flattened_membership_count_cie | 20 | | Total number of flattened (recursive/transitive) users in this group during the active sync as calculated by CIE |
| Flattened Membership Count CIE Previous Sync | flattened_membership_count_cie_previous_sync | 20 | | Total number of flattened (recursive/transitive) users in this group from the last successful sync operation |
| Flattened Membership Count IDP | flattened_membership_count_idp | 20 | | Total number of flattened (recursive/transitive) users in this group as reported by the Identity Provider |
| Immediate Membership Count CIE | immediate_membership_count_cie | 20 | | Total number of immediate (direct/non-recursive) users in this group during the active sync as calculated by CIE |
| Immediate Membership Count CIE Previous Sync | immediate_membership_count_cie_previous_sync | 20 | | Total number of immediate (direct/non-recursive) users in this group from the last successful sync operation |
| Immediate Membership Count IDP | immediate_membership_count_idp | 20 | | Total number of immediate (direct/non-recursive) users in this group as reported by the Identity Provider |
| Count | count | 20 | | Number of objects impacted by this event |
| Count Summary - User | count_summary.user | | | Total number of users in the directory at the end of the sync |
| Count Summary - Group | count_summary.group | | | Total number of groups in the directory at the end of the sync |
| Count Summary - Computer | count_summary.computer | | | Total number of computers in the directory at the end of the sync |
| Count Summary - OU | count_summary.ou | | | Total number of OUs in the directory at the end of the sync |
| Count Summary - Container | count_summary.container | | | Total number of containers in the directory at the end of the sync |
| Count Summary - Application | count_summary.application | | | Total number of applications in the directory at the end of the sync |
| Count Summary - RoleAssignments | count_summary.roleassignments | | | Total number of role assignments in the directory at the end of the sync |
| Failure Reason Code | failure_reason_code | | | Root cause of the job failure (only populated on SYNC_FAILURE) |
| Recommended Action | recommended_action | | | Instruction for resolving the failure (only populated on SYNC_FAILURE) |
| TSG ID | | | | |
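The following script is an added example, not part of this page or of Palo Alto Networks tooling. It applies the three troubleshooting checks above (sync progress tracking, point-of-failure analysis, object count validation) to a batch of sync events and adds two consistency checks a practitioner would want: holes in event_sequence_id (lost events) and groups whose CIE-calculated membership count differs from the count the IdP reported, since group-based policy is only as good as that membership. The sample records are constructed here, using the raw attribute names from the Sync Logs table; the job IDs, directory names, counts and the failure_reason_code string are invented, and directory_name is taken from the troubleshooting text rather than the table.

```python
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample records (not real CIE output). Field names follow the raw
# attribute names in the Sync Logs table; IDs, names, counts and the
# failure_reason_code string are invented for illustration.
SAMPLE_SYNC_LOGS = """\
{"sync_job_id": 152740840, "event_sequence_id": 1, "directory_id": "dir-A", "directory_name": "corp.example.com", "vendor_name": "MICROSOFT ACTIVE DIRECTORY", "sync_type": "FULL_SYNC", "event_category": "SYNC_START", "event_state": "SYNC_START"}
{"sync_job_id": 152740840, "event_sequence_id": 2, "directory_id": "dir-A", "directory_name": "corp.example.com", "vendor_name": "MICROSOFT ACTIVE DIRECTORY", "sync_type": "FULL_SYNC", "event_category": "MEMBERSHIP_STATS", "event_type": "GROUP_MEMBERSHIP_STATS", "event_state": "SYNC_IN_PROGRESS", "target_type": "GROUP", "target_id": "Group_A", "flattened_membership_count_cie": 20, "flattened_membership_count_idp": 20, "immediate_membership_count_cie": 12, "immediate_membership_count_idp": 12}
{"sync_job_id": 152740840, "event_sequence_id": 3, "directory_id": "dir-A", "directory_name": "corp.example.com", "vendor_name": "MICROSOFT ACTIVE DIRECTORY", "sync_type": "FULL_SYNC", "event_category": "MEMBERSHIP_STATS", "event_type": "GROUP_MEMBERSHIP_STATS", "event_state": "SYNC_IN_PROGRESS", "target_type": "GROUP", "target_id": "Group_B", "flattened_membership_count_cie": 41, "flattened_membership_count_idp": 43, "immediate_membership_count_cie": 30, "immediate_membership_count_idp": 30}
{"sync_job_id": 152740840, "event_sequence_id": 4, "directory_id": "dir-A", "directory_name": "corp.example.com", "vendor_name": "MICROSOFT ACTIVE DIRECTORY", "sync_type": "FULL_SYNC", "event_category": "SYNC_COMPLETE", "event_state": "SYNC_SUCCESS", "count_summary": {"user": 1200, "group": 85, "computer": 300, "ou": 12, "container": 4, "application": 0, "roleassignments": 0}}
{"sync_job_id": 152740841, "event_sequence_id": 1, "directory_id": "dir-B", "directory_name": "okta-prod", "vendor_name": "OKTA", "sync_type": "INCREMENTAL_SYNC", "event_category": "SYNC_START", "event_state": "SYNC_START"}
{"sync_job_id": 152740841, "event_sequence_id": 3, "directory_id": "dir-B", "directory_name": "okta-prod", "vendor_name": "OKTA", "sync_type": "INCREMENTAL_SYNC", "event_category": "SYNC_COMPLETE", "event_state": "SYNC_FAILURE", "failure_reason_code": "EXAMPLE_TOKEN_EXPIRED", "recommended_action": "Reconnect the directory with fresh credentials"}
{"sync_job_id": 152740842, "event_sequence_id": 1, "directory_id": "dir-C", "directory_name": "entra-prod", "vendor_name": "ENTRA_ID", "sync_type": "FULL_SYNC", "event_category": "SYNC_START", "event_state": "SYNC_START"}
"""

TERMINAL_STATES = {"SYNC_SUCCESS", "SYNC_FAILURE"}


@dataclass
class JobReport:
    sync_job_id: int
    directory_id: str
    directory_name: str
    vendor_name: str
    sync_type: str
    last_state: str                      # last event_state observed for the job
    failure_reason_code: Optional[str] = None
    recommended_action: Optional[str] = None
    count_summary: Dict[str, int] = field(default_factory=dict)
    sequence_gaps: List[int] = field(default_factory=list)          # missing event_sequence_id values
    membership_mismatches: List[str] = field(default_factory=list)  # groups where CIE and IdP counts differ

    @property
    def is_complete(self) -> bool:
        return self.last_state in TERMINAL_STATES


def parse_sync_logs(text: str) -> List[dict]:
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze_sync_jobs(events: List[dict]) -> Dict[int, JobReport]:
    """Group events by sync_job_id, order them by event_sequence_id, and derive
    the job's state, failure details, final counts and consistency findings."""
    by_job: Dict[int, List[dict]] = {}
    for ev in events:
        by_job.setdefault(ev["sync_job_id"], []).append(ev)

    reports: Dict[int, JobReport] = {}
    for job_id, evs in by_job.items():
        evs.sort(key=lambda e: e["event_sequence_id"])
        first = evs[0]
        rep = JobReport(job_id, first["directory_id"], first.get("directory_name", ""),
                        first["vendor_name"], first["sync_type"], first["event_state"])
        expected_seq = 1
        for ev in evs:
            seq = ev["event_sequence_id"]
            if seq > expected_seq:  # a hole in the sequence means events were lost
                rep.sequence_gaps.extend(range(expected_seq, seq))
            expected_seq = seq + 1
            rep.last_state = ev["event_state"]
            if rep.last_state == "SYNC_FAILURE":
                rep.failure_reason_code = ev.get("failure_reason_code")
                rep.recommended_action = ev.get("recommended_action")
            elif rep.last_state == "SYNC_SUCCESS":
                rep.count_summary = ev.get("count_summary", {})
            if ev.get("event_category") == "MEMBERSHIP_STATS":
                # CIE's own count for a group should match what the IdP reports; drift
                # here means group-based policy may be evaluated on stale membership.
                for kind in ("flattened", "immediate"):
                    cie = ev.get(f"{kind}_membership_count_cie")
                    idp = ev.get(f"{kind}_membership_count_idp")
                    if cie is not None and idp is not None and cie != idp:
                        rep.membership_mismatches.append(f"{ev['target_id']}:{kind} cie={cie} idp={idp}")
        reports[job_id] = rep
    return reports


def reconcile_counts(count_summary: Dict[str, int], source_counts: Dict[str, int]) -> Dict[str, tuple]:
    """Compare the count_summary of a successful sync with counts taken from the source
    directory (e.g. an LDAP query); returns {object_type: (cie, source)} for each difference."""
    return {k: (count_summary.get(k, 0), v) for k, v in source_counts.items() if count_summary.get(k, 0) != v}


if __name__ == "__main__":
    reports = analyze_sync_jobs(parse_sync_logs(SAMPLE_SYNC_LOGS))
    for rep in reports.values():
        status = rep.last_state if rep.is_complete else f"{rep.last_state} (no terminal event yet)"
        print(f"job {rep.sync_job_id} {rep.vendor_name}/{rep.directory_name} {rep.sync_type}: {status}")
        if rep.failure_reason_code:
            print(f"  failure: {rep.failure_reason_code} -> {rep.recommended_action}")
        if rep.sequence_gaps:
            print(f"  missing event_sequence_id(s): {rep.sequence_gaps}")
        for mismatch in rep.membership_mismatches:
            print(f"  membership drift: {mismatch}")
    # Constructed source-of-truth counts for dir-A; the user count deliberately differs by one.
    print("reconciliation:", reconcile_counts(reports[152740840].count_summary, {"user": 1201, "group": 85}))
```

A job whose last event is still SYNC_START or SYNC_IN_PROGRESS is either genuinely running or has lost its terminal event; check sequence_gaps before concluding a large sync is hung. The source counts passed to reconcile_counts have to come from your own query of the directory, which is what makes the reconciliation independent of CIE.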
Compliance Auditing
For compliance auditing, consider the following:
- Administrative Accountability: Use event_source_user_email and event_description to audit which administrator modified settings in sections such as CA Chains, Risk Connections, or Authentication Profiles, exactly what was changed, and when.
Audit Logs
| Attribute Name | Data Type | Example | Description |
|---|---|---|---|
| event_time | STRING | 2025-11-13T00:13:45Z | Time when the event happened |
| event_category | | CA_CHAIN_UPDATED | Type of event; one of the values listed in the table below |
| event_description | | CA Chain [CA Chain Name] has been updated. | Detailed event summary; the template for each event_category is listed in the table below |

Event categories and the event_description each produces (bracketed items are placeholders filled in by CIE):

| event_category | event_description |
|---|---|
| CDUG_CREATED | A new CDUG is created on directory [domain] |
| CDUG_UPDATED | CDUG [displayName], is updated on directory [domain] |
| CDUG_DELETED | CDUG [GUID], is deleted on directory [domain] |
| VAULT_ADDED | A new vault [name of vault] is created. |
| VAULT_DELETED | Vault [vaultID] is deleted. |
| SECRET_ADDED | A new secret [secretname], for [application name] [URL] is added in vault |
| SECRET_MODIFIED | A secret [secretname] is updated, for [application name] [URL] |
| SECRET_SHARED | A secret [id] is shared in the vault |
| SECRET_UNSHARED | Stopped sharing secret [secretid] in vault |
| SECRET_DELETED | A secret [id] is deleted from vault |
| SECRET_RETRIEVED | Retrieved a secret [secretId] from vault |
| CIE_LOGIN | [admin] logged in to Cloud Identity Engine Application |
| DIRECTORY_ADDED | A new [vendor] directory, [directory name], has been added |
| DIRECTORY_RECONNECTED | [vendor] directory, [directory name], has been reconnected |
| DIRECTORY_REMOVED | [vendor] directory, [directory name], has been deleted |
| FULL_SYNC_TRIGGER_SUCCESSFUL | A full synchronization for [vendor] directory, with ID [directory ID] has been manually initiated successfully |
| INCREMENTAL_SYNC_TRIGGER_SUCCESSFUL | An incremental synchronization for [vendor] directory, with ID [directory ID] has been manually initiated successfully |
| FULL_SYNC_TRIGGER_UNSUCCESSFUL | Request for full synchronization for [vendor] directory, with ID [directory ID] is unsuccessful |
| INCREMENTAL_SYNC_TRIGGER_UNSUCCESSFUL | Request for incremental synchronization for [vendor] directory, with ID [directory ID] is unsuccessful |
| CIE_DIRECTORY_USER_ADDED | New user(s), [user], has/have been added to CIE Directory [directory name] |
| CIE_DIRECTORY_USER_REMOVED | User(s), [user] has/have been removed from CIE Directory [directoryId] |
| CIE_DIRECTORY_USER_EDITED | User, [user-id], has been edited in CIE Directory [directoryId] |
| RISK_CONNECTION_ADDED | A new [vendor] risk connection has been added |
| RISK_CONNECTION_EDITED | [vendor] risk connection has been edited |
| RISK_CONNECTION_DELETED | [vendor] risk connection has been deleted. |
| AUTHENTICATION_TYPE_ADDED | A new [AuthType] authentication type [Auth type name] has been added. |
| AUTHENTICATION_TYPE_UPDATED | [AuthType] authentication type [Auth type name] has been updated. |
| AUTHENTICATION_TYPE_DELETED | [AuthType] authentication type [Auth type name] has been deleted. |
| AUTHENTICATION_PROFILE_ADDED | A new [multi/single] authentication profile, [auth profile name], has been added. |
| AUTHENTICATION_PROFILE_UPDATED | [multi/single] authentication profile, [auth profile name], has been updated. |
| AUTHENTICATION_PROFILE_DELETED | [multi/single] authentication profile, [auth profile name], has been deleted. |
| CA_CHAIN_ADDED | CA Chain [CA Chain Name] has been added. |
| CA_CHAIN_UPDATED | CA Chain [CA Chain Name] has been updated. |
| CA_CHAIN_DELETED | CA Chain [CA Chain Name] has been deleted. |
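The following script is an added example, not part of this page or of Palo Alto Networks tooling. It turns audit events into the accountability record the Compliance Auditing section describes: a per-administrator timeline that maps each event_category back to the UI section it belongs to (Directory Sync, Security Risk, Authentication), plus a list of changes that alter or remove trust anchors and authentication methods, flagged when they happen outside an approved change window. The sample events are constructed, using event_time, event_category and event_description from the Audit Logs table and event_source_user_email from the Compliance Auditing text; the administrator names, object names and the change window (08:00 to 18:00 UTC) are assumptions, and the set of high-impact categories is an editor's review policy rather than anything the page defines.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample events (not real CIE output). event_time, event_category and
# event_description follow the Audit Logs table; event_source_user_email is the
# administrator field named in the Compliance Auditing text. All values are invented.
SAMPLE_AUDIT_LOGS = """\
{"event_time": "2025-11-13T00:13:45Z", "event_category": "CIE_LOGIN", "event_source_user_email": "alice@example.com", "event_description": "alice@example.com logged in to Cloud Identity Engine Application"}
{"event_time": "2025-11-13T00:15:02Z", "event_category": "CA_CHAIN_UPDATED", "event_source_user_email": "alice@example.com", "event_description": "CA Chain corp-root has been updated."}
{"event_time": "2025-11-13T00:16:10Z", "event_category": "AUTHENTICATION_PROFILE_UPDATED", "event_source_user_email": "alice@example.com", "event_description": "multi authentication profile, vpn-mfa, has been updated."}
{"event_time": "2025-11-13T03:40:00Z", "event_category": "CA_CHAIN_DELETED", "event_source_user_email": "bob@example.com", "event_description": "CA Chain legacy-root has been deleted."}
{"event_time": "2025-11-13T03:41:30Z", "event_category": "AUTHENTICATION_TYPE_DELETED", "event_source_user_email": "bob@example.com", "event_description": "SAML authentication type okta-saml has been deleted."}
{"event_time": "2025-11-13T09:00:00Z", "event_category": "FULL_SYNC_TRIGGER_SUCCESSFUL", "event_source_user_email": "carol@example.com", "event_description": "A full synchronization for OKTA directory, with ID dir-B has been manually initiated successfully"}
{"event_time": "2025-11-13T09:05:00Z", "event_category": "RISK_CONNECTION_EDITED", "event_source_user_email": "carol@example.com", "event_description": "ExampleVendor risk connection has been edited"}
{"event_time": "2025-11-13T10:30:00Z", "event_category": "AUTHENTICATION_PROFILE_UPDATED", "event_source_user_email": "carol@example.com", "event_description": "single authentication profile, portal-sso, has been updated."}
"""

# event_category prefix -> UI section, following the sections listed under
# Configuration Change Auditing. Anything else (logins, vault and secret events) is "Other".
SECTION_PATTERNS = [
    (re.compile(r"^(DIRECTORY_|FULL_SYNC_TRIGGER_|INCREMENTAL_SYNC_TRIGGER_|CIE_DIRECTORY_USER_)"), "Directory Sync"),
    (re.compile(r"^(RISK_CONNECTION_|CDUG_)"), "Security Risk"),
    (re.compile(r"^(CA_CHAIN_|AUTHENTICATION_TYPE_|AUTHENTICATION_PROFILE_)"), "Authentication"),
]

# Changes that alter or remove trust anchors, authentication methods or directory
# connections. This selection is an assumed review policy, not a list from the page.
HIGH_IMPACT = {
    "CA_CHAIN_UPDATED", "CA_CHAIN_DELETED",
    "AUTHENTICATION_TYPE_DELETED",
    "AUTHENTICATION_PROFILE_UPDATED", "AUTHENTICATION_PROFILE_DELETED",
    "DIRECTORY_REMOVED", "RISK_CONNECTION_DELETED",
}


def section_for(category: str) -> str:
    for pattern, section in SECTION_PATTERNS:
        if pattern.match(category):
            return section
    return "Other"


def parse_audit_logs(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def accountability_report(events: List[dict], change_window: Tuple[int, int] = (8, 18)):
    """Return (per_admin, findings).

    per_admin maps each event_source_user_email to a chronological list of
    (time, section, event_category, event_description), answering who changed
    what and when. findings lists HIGH_IMPACT changes, marking those made
    outside the approved change window (UTC hours; 08:00-18:00 is an assumption)."""
    per_admin: Dict[str, List[tuple]] = defaultdict(list)
    findings: List[Tuple[str, str, str, str]] = []
    for ev in sorted(events, key=lambda e: e["event_time"]):  # ISO-8601 UTC sorts lexically
        ts = datetime.strptime(ev["event_time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        admin = ev.get("event_source_user_email", "<unknown>")
        category = ev["event_category"]
        per_admin[admin].append((ts, section_for(category), category, ev["event_description"]))
        if category in HIGH_IMPACT:
            in_window = change_window[0] <= ts.hour < change_window[1]
            verdict = "in change window" if in_window else "OUTSIDE change window"
            findings.append((admin, category, ev["event_time"], verdict))
    return dict(per_admin), findings


if __name__ == "__main__":
    per_admin, findings = accountability_report(parse_audit_logs(SAMPLE_AUDIT_LOGS))
    for admin, changes in per_admin.items():
        print(admin)
        for ts, section, category, description in changes:
            print(f"  {ts:%H:%M:%S} [{section}] {category}: {description}")
    print("high-impact changes:")
    for admin, category, when, verdict in findings:
        print(f"  {when} {admin} {category} ({verdict})")
```

Because event_description carries the object name (the CA chain, profile or directory affected), the per-admin timeline is the evidence an auditor asks for; the findings list is what you would route to a change-management check, since a deleted CA chain or authentication type outside a change window deserves a ticket number before the audit closes.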
View CIE Logs Forwarded to Strata Logging Service
To use automated CIE log forwarding to SLS, you need to:
- Configure SLS. This includes procuring the necessary license, activating SLS, and completing the onboarding tasks.
- Establish a storage quota. In Strata Cloud Manager (SCM), set Configure Quota for the Audit log type so that the forwarded logs have the space they need.
- Set the retention period. Regulatory and internal guidelines usually determine how long the logs must be kept.
To view CIE logs forwarded to Strata Logging Service (SLS):
- Log in to the Palo Alto Networks hub.
- Locate your tenant in the Tenants window and select it. The Strata Cloud Manager (SCM) page appears.
- In SCM, select Log Viewer in the navigation pane.
- In the Log Viewer screen, view Audit Logs by selecting Network/Firewall Traffic > Common > Audit.
- To view Sync Logs, select Directory Sync in the Cloud Identity Engine section.