In order to forward URL logs, it is necessary to forward Threat logs of Severity 'informational' to the Syslog server. Doing so will forward other informational threat logs (Data Filtering) in addition to URL logs.
Please refer to the following document for more information on how to configure URL log forwarding to Syslog: How to Forward Threat Logs to Syslog Server
By default, when threat logs are forwarded to a Syslog server, the logs contain several fields, including source IP, destination IP, and many others, including the URL.
To create a custom syslog format that includes the URLs, add the "$misc" field, as shown below.
In the above example, $category (category of the URL), $misc (URL), and $src (source IP) are selected, and the syslog looks like this:
URL Filtering and Data Filtering use the 'Informational' severity for threats.
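An added example, not from the original article: a receiver-side parser for syslog lines produced by a custom format built from the $src, $category and $misc fields discussed above. The layout `src=$src category=$category url=$misc`, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed custom format on the firewall (hypothetical layout, not from the article):
#   src=$src category=$category url=$misc
# $misc goes last because a URL can itself contain spaces, '=' or ','.
PAYLOAD_RE = re.compile(
    r"src=(?P<src>\S+) category=(?P<category>\S+) url=(?P<url>.*)$"
)

# Constructed sample lines: syslog header followed by the custom payload.
SAMPLE_LINES = [
    "<14>Jan 12 10:15:01 fw01 src=10.1.1.20 category=news url=www.example.com/index.html",
    "<14>Jan 12 10:15:03 fw01 src=10.1.1.21 category=malware url=bad.example.net/a?x=1&y=a,b",
    "<14>Jan 12 10:15:04 fw01 src=10.1.1.21 category=malware url=bad.example.net/dl/file name.exe",
    "<14>Jan 12 10:15:09 fw01 another informational threat log without the URL payload",
]


def parse_url_log(line):
    """Return {'src', 'category', 'url'} or None if the line is not a URL log."""
    match = PAYLOAD_RE.search(line)
    if match is None:
        return None
    try:
        src = str(ipaddress.ip_address(match["src"]))
    except ValueError:
        return None  # src field is not an IP address: treat the line as malformed
    return {"src": src, "category": match["category"], "url": match["url"].strip()}


def hits_by_source(lines, watched):
    """Group the URLs logged under watched categories by source IP."""
    hits = defaultdict(list)
    for line in lines:
        record = parse_url_log(line)
        if record and record["category"] in watched:
            hits[record["src"]].append(record["url"])
    return dict(hits)


if __name__ == "__main__":
    for src, urls in hits_by_source(SAMPLE_LINES, {"malware"}).items():
        print(src, len(urls), urls)
```

Other informational threat logs (such as Data Filtering) arrive on the same forwarding profile, so the parser returns None for lines that do not carry the URL payload instead of raising.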
Configure forwarding settings here. This setting allows forwarding not only to syslog, but also covers forwarding for Panorama, SNMP Trap, or Email.
The following example configures forwarding of the email alerts:
Helpful. BAD on pal for using the $misc field. If it was not for this post, a ticket would have had to be created.
I've been racking my brains on this one for a while.
Helpful, but sure wasted a lot of time.