Global Fields (4)
| Field | Type |
|---|---|
ngs.createdAt Timestamp when the event was created locally. | pdate |
ngs.id Unique identifier for the log entry. | string |
ngs.indexedAt Timestamp when the log was indexed into the SIEM. | pdate |
ngs.source Origin or source system of the log. | string |
Generic Fields (12)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema— things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.
| Field | Reference-Specific Fields | Type |
|---|---|---|
gen.dest.interface Network interface used for the destination connection. | barracudaFirewall.dstIF | strings |
gen.dest.ip Destination IP address. | barracudaFirewall.dstIP barracudaFirewall.remoteIP | text_general |
gen.dest.port Destination port number. | barracudaFirewall.dstPort | pint |
gen.firewall.rule Firewall rule that triggered the event. | barracudaFirewall.eventRule barracudaFirewall.rule | strings |
gen.src.ip Source IP address. | barracudaFirewall.localIP barracudaFirewall.srcIP | text_general |
gen.protocol Network protocol used (e.g., TCP, UDP, ICMP). | barracudaFirewall.proto barracudaFirewall.protocol | strings |
gen.firewall.bytesReceived Number of bytes received through the firewall session. | barracudaFirewall.receivedBytes | plong |
gen.firewall.bytesSent Number of bytes sent through the firewall session. | barracudaFirewall.sentBytes | plong |
gen.severity Normalized severity field across log sources. | barracudaFirewall.severity | strings |
gen.src.interface Network interface used for the source connection. | barracudaFirewall.srcIF | strings |
gen.src.mac MAC address of the source device. | barracudaFirewall.srcMAC | string |
gen.src.port Source port number. | barracudaFirewall.srcPort | pint |
Reference-Specific Fields (44)
| Field | Type |
|---|---|
barracudaFirewall.action Textual description of the firewall action taken (e.g., ALLOW, BLOCK) | text_general |
barracudaFirewall.addr Generic address field (could be IPv4, IPv6, or other) | text_general |
barracudaFirewall.addr6 IPv6 address involved in the transaction (if applicable) | text_general |
barracudaFirewall.application Application name or ID detected in the session | text_general |
barracudaFirewall.category Event category or type classification (e.g., Malware, VPN) | string |
barracudaFirewall.class Numeric classification code for the event type | plong |
barracudaFirewall.className Human-readable name corresponding to the class code | string |
barracudaFirewall.count Numeric count of repeated events or sessions | plong |
barracudaFirewall.dstIF Name of the destination interface through which traffic was routed | string |
barracudaFirewall.dstIP IP address of the destination endpoint | text_general |
barracudaFirewall.dstNAT Address used for destination NAT in the session | text_general |
barracudaFirewall.dstPort Transport port on the destination side | pint |
barracudaFirewall.dstService Service name or port protocol at the destination | string |
barracudaFirewall.duration Duration of the session in seconds | plong |
barracudaFirewall.eventRule Numeric ID of the specific event rule | plong |
barracudaFirewall.eventTime Timestamp when the event was logged | pdate |
barracudaFirewall.fromBox Identifier or address of the local firewall box/interface generating the log | string |
barracudaFirewall.host Hostname or IP of the firewall device that recorded the event | string |
barracudaFirewall.info Additional numeric information or code related to the event | plong |
barracudaFirewall.layer Numeric code of the processing layer | plong |
barracudaFirewall.layerName Name of the OSI layer or internal processing layer where the event occurred | string |
barracudaFirewall.localIP Local IP address of the firewall interface handling the traffic | text_general |
barracudaFirewall.module Internal module or component that generated the log | string |
barracudaFirewall.msg Free-form text message providing extra context for the event | text_general |
barracudaFirewall.peer Identifier or address of the peer endpoint | text_general |
barracudaFirewall.proto Shorthand for protocol used (alias of protocol field) | string |
barracudaFirewall.protocol Transport protocol used (e.g., TCP, UDP, ICMP) | string |
barracudaFirewall.rawMsg Raw log message text before parsing | text_general |
barracudaFirewall.reason Textual reason given for the action or event | text_general |
barracudaFirewall.receivedBytes Total bytes received by the source during the session | plong |
barracudaFirewall.receivedPackets Count of packets received from destination to source | plong |
barracudaFirewall.remoteIP IP address of the remote endpoint involved in the session | text_general |
barracudaFirewall.requestedTunnel Name or ID of the VPN tunnel requested for this session | string |
barracudaFirewall.rule Firewall rule identifier or name that matched the session | string |
barracudaFirewall.sentBytes Number of bytes sent from source to destination during the session | plong |
barracudaFirewall.sentPackets Count of packets sent from source to destination | plong |
barracudaFirewall.severity Severity level of the logged event (e.g., INFO, WARNING, CRITICAL) | string |
barracudaFirewall.srcIF Name of the source interface through which traffic arrived | string |
barracudaFirewall.srcIP IP address of the source endpoint initiating the session | text_general |
barracudaFirewall.srcMAC MAC address of the source device | string |
barracudaFirewall.srcNAT Address used for source NAT in the session | text_general |
barracudaFirewall.srcPort Transport port on the source side | pint |
barracudaFirewall.tunnel Identifier of the VPN or other tunnel used | string |
barracudaFirewall.type Type or category of the log event | string |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.