Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (17)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema, such as timestamps, unique identifiers, user IDs, or status codes that every namespace needs. Sharing these fields ensures consistency and makes it easy to run cross-namespace searches and reports.
| Field | Description | Reference-Specific Fields | Type |
|---|---|---|---|
| gen.firewall.action | Firewall action taken (e.g., allow, block, drop). | barracudaWaf.Action | strings |
| gen.username | Username associated with the event. | barracudaWaf.AuthenticatedUser | text_general |
| gen.firewall.bytesReceived | Number of bytes received through the firewall session. | barracudaWaf.BytesReceived | plong |
| gen.proxy.bytesReceived | Bytes received through the proxy session. | barracudaWaf.BytesReceived | pint |
| gen.proxy.bytesSent | Bytes sent through the proxy session. | barracudaWaf.BytesSent | pint |
| gen.firewall.bytesSent | Number of bytes sent through the firewall session. | barracudaWaf.BytesSent | plong |
| gen.src.ip | Source IP address. | barracudaWaf.ClientIP, barracudaWaf.SourceIP | text_general |
| gen.src.port | Source port number. | barracudaWaf.ClientPort, barracudaWaf.SourcePort | pint |
| gen.dest.ip | Destination IP address. | barracudaWaf.DestinationIP, barracudaWaf.ServiceIP | text_general |
| gen.dest.port | Destination port number. | barracudaWaf.DestinationPort, barracudaWaf.ServicePort | pint |
| gen.proxy.httpStatus | HTTP response status code from the proxy. | barracudaWaf.HttpStatus | pint |
| gen.severity | Normalized severity field across log sources. | barracudaWaf.LogLevel, barracudaWaf.Severity | strings |
| gen.proxy.method | HTTP request method (e.g., GET, POST). | barracudaWaf.Method | string |
| gen.protocol | Network protocol used (e.g., TCP, UDP, ICMP). | barracudaWaf.Protocol | strings |
| gen.proxy.referrer | HTTP referrer header value. | barracudaWaf.Referrer | string |
| gen.firewall.rule | Firewall rule that triggered the event. | barracudaWaf.Rule | strings |
| gen.proxy.userAgent | User agent string from the HTTP request. | barracudaWaf.UserAgent | string |
Reference-Specific Fields (51)
| Field | Description | Type |
|---|---|---|
| barracudaWaf.AclPolicy | Name of the ACL policy applied to this request | string |
| barracudaWaf.ActName | Name of the WAF action taken (e.g., BLOCK, ALLOW) | text_general |
| barracudaWaf.Action | Final verdict for the request (ALLOW, DENY, etc.) | string |
| barracudaWaf.AttackDetails | | text_general |
| barracudaWaf.AttackType | Type or category of web attack detected (e.g., SQL injection, XSS) | text_general |
| barracudaWaf.AuthenticatedUser | Username authenticated (if any) for the request | text_general |
| barracudaWaf.BytesReceived | Number of bytes received from the client | plong |
| barracudaWaf.BytesSent | Number of bytes sent back to the client | plong |
| barracudaWaf.CacheHit | Whether the response was served from cache (true/false) | boolean |
| barracudaWaf.Category | Classification category assigned to the event | string |
| barracudaWaf.ClientIP | IP address of the end-user client | text_general |
| barracudaWaf.ClientPort | Port on the client side used for the connection | pint |
| barracudaWaf.Cookie | Value of the Cookie header in the HTTP request | string |
| barracudaWaf.DestinationIP | IP address of the requested backend server | text_general |
| barracudaWaf.DestinationPort | Port on the backend server to which the request was forwarded | pint |
| barracudaWaf.Details | Additional contextual details about the event | text_general |
| barracudaWaf.EventID | Unique identifier for the WAF log event | string |
| barracudaWaf.FollowUpAction | Subsequent action performed after initial WAF decision | text_general |
| barracudaWaf.Host | Host header value from the HTTP request | text_general |
| barracudaWaf.HttpStatus | HTTP status code returned to the client | pint |
| barracudaWaf.LogLevel | Logging level (debug, info, warn, error) | string |
| barracudaWaf.LogType | Type of log record (access, attack, error) | text_general |
| barracudaWaf.Message | Human-readable description of the log entry | text_general |
| barracudaWaf.Method | HTTP method used (GET, POST, PUT, etc.) | string |
| barracudaWaf.ModuleName | Name of the specific WAF module that handled the request | string |
| barracudaWaf.ProfileMatched | Name of the security profile that matched the request | string |
| barracudaWaf.Protected | Identifier of the protected resource or URL | string |
| barracudaWaf.Protocol | Transport protocol used (e.g., HTTP, HTTPS) | string |
| barracudaWaf.ProxyIP | IP address of any proxy between client and WAF | text_general |
| barracudaWaf.ProxyPort | Port of any proxy used between client and WAF | pint |
| barracudaWaf.QueryString | HTTP query string from the client request | string |
| barracudaWaf.Referrer | Value of the HTTP Referer header | text_general |
| barracudaWaf.ResponseType | Type of response served (e.g., HTML, JSON) | string |
| barracudaWaf.Rule | Name or ID of the specific WAF rule triggered | text_general |
| barracudaWaf.RuleType | Type of WAF rule triggered (e.g., signature, anomaly) | string |
| barracudaWaf.ServerIP | IP address of the WAF appliance itself | text_general |
| barracudaWaf.ServerTimeMs | Time taken by the backend server to respond, in milliseconds | plong |
| barracudaWaf.ServiceIP | IP address of the WAF-protected service | text_general |
| barracudaWaf.ServicePort | Port number on which the WAF listens for incoming requests | pint |
| barracudaWaf.SeverPort | | pint |
| barracudaWaf.Severity | Severity level of the detected event (e.g., low, medium, high) | string |
| barracudaWaf.SourceIP | IP address from which the web request originated | text_general |
| barracudaWaf.SourcePort | Client port number from which the request originated | pint |
| barracudaWaf.Time | Timestamp when the request was processed by the WAF | pdate |
| barracudaWaf.TimeTakenMs | Total time taken by WAF to process the request, in ms | plong |
| barracudaWaf.URL | Full URL requested by the client | text_general |
| barracudaWaf.UnitName | Identifier of the WAF unit or cluster member | string |
| barracudaWaf.UserAgent | User-Agent header sent by the client | text_general |
| barracudaWaf.Version | WAF software version processing the request | string |
| barracudaWaf.WFMatched | Identifier of the WAF filter or pattern matched | string |
| barracudaWaf.trTail | Trailing details or parameters from the request URL | string |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.