Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (12)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema, such as timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.
| Field | Description | Reference-Specific Fields | Type |
|---|---|---|---|
| gen.proxy.bytesSent | Bytes sent through the proxy session. | apache.httpd.bytesSent | pint |
| gen.src.ip | Source IP address. | apache.httpd.client | text_general |
| gen.src.port | Source port number. | apache.httpd.clientPort | pint |
| gen.proxy.endpoint | Destination endpoint accessed through the proxy. | apache.httpd.endpoint | string |
| gen.severity | Normalized severity field across log sources. | apache.httpd.level | strings |
| gen.proxy.method | HTTP request method (e.g., GET, POST). | apache.httpd.method | string |
| gen.protocol | Network protocol used (e.g., TCP, UDP, ICMP). | apache.httpd.protocol | strings |
| gen.proxy.referrer | HTTP referrer header value. | apache.httpd.referrer | string |
| gen.dest.port | Destination port number. | apache.httpd.serverPort | pint |
| gen.proxy.httpStatus | HTTP response status code from the proxy. | apache.httpd.status | pint |
| gen.username | Username associated with the event. | apache.httpd.user | text_general |
| gen.proxy.userAgent | User agent string from the HTTP request. | apache.httpd.userAgent | string |
Reference-Specific Fields (21)
| Field | Description | Type |
|---|---|---|
| apache.httpd.bytesSent | Number of bytes sent in the response body. | plong |
| apache.httpd.caller | Component or sub-system within Apache that generated the log entry. | string |
| apache.httpd.client | IP address or hostname of the client that made the request. | string |
| apache.httpd.clientPort | TCP port number used by the client to make the request. | pint |
| apache.httpd.endpoint | Requested URI or path, including any query string. | string |
| apache.httpd.errorCode | Error code or identifier associated with this log entry. | string |
| apache.httpd.level | Log level or severity of the entry (e.g., info, warn, error). | string |
| apache.httpd.message | Detailed log message or description of the event. | text_general |
| apache.httpd.method | HTTP method used for the request (GET, POST, PUT, DELETE, etc.). | string |
| apache.httpd.module | Name of the Apache module that processed the request. | string |
| apache.httpd.pid | Process ID of the Apache worker handling this request. | pint |
| apache.httpd.protocol | HTTP protocol version used for the request (e.g., HTTP/1.1). | string |
| apache.httpd.rawRequest | Full raw HTTP request line exactly as received by the server. | string |
| apache.httpd.referrer | Value of the HTTP Referer header, indicating the referring URL. | string |
| apache.httpd.server | Hostname or IP address of the HTTP server handling the request. | string |
| apache.httpd.serverPort | TCP port number on which the HTTP server is listening. | pint |
| apache.httpd.status | HTTP response status code returned to the client. | pint |
| apache.httpd.tid | Thread ID within the Apache process handling the request. | pint |
| apache.httpd.type | Type of the log entry (e.g., access, error). | string |
| apache.httpd.user | Authenticated username associated with the request, if any. | string |
| apache.httpd.userAgent | User-Agent header string identifying the client application. | string |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.