Global Fields (4)
| Field | Type |
|---|---|
ngs.createdAt Timestamp when the event was created locally. | pdate |
ngs.id Unique identifier for the log entry. | string |
ngs.indexedAt Timestamp when the log was indexed into the SIEM. | pdate |
ngs.source Origin or source system of the log. | string |
Generic Fields (10)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema— things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.
| Field | Reference-Specific Fields | Type |
|---|---|---|
gen.dest.ip Destination IP address. | bigIpASM.dest_ip | text_general |
gen.dest.port Destination port number. | bigIpASM.dest_port | pint |
gen.src.ip Source IP address. | bigIpASM.ip_client | text_general |
gen.proxy.method HTTP request method (e.g., GET, POST). | bigIpASM.method | string |
gen.protocol Network protocol used (e.g., TCP, UDP, ICMP). | bigIpASM.protocol | strings |
gen.proxy.httpStatus HTTP response status code from the proxy. | bigIpASM.response_code | pint |
gen.severity Normalized severity field across log sources. | bigIpASM.severity | strings |
gen.src.port Source port number. | bigIpASM.src_port | pint |
gen.proxy.endpoint Destination endpoint accessed through the proxy. | bigIpASM.uri | string |
gen.av.infectionName Name of the detected infection or malware. | bigIpASM.virus_name | strings |
Reference-Specific Fields (35)
| Field | Type |
|---|---|
bigIpASM.attack_type Type of attack detected by ASM (e.g., SQL injection). | text_general |
bigIpASM.captcha_result Outcome of any CAPTCHA challenges presented (e.g., passed, failed). | string |
bigIpASM.date_time Timestamp when the event occurred, in the format MMM DD HH:MM:SS. | pdate |
bigIpASM.dest_ip Destination IP address targeted by the request. | text_general |
bigIpASM.dest_port Destination port on the virtual server for this request. | pint |
bigIpASM.geo_location Geographic location (city, country) of the client IP. | string |
bigIpASM.http_class_name Name of the HTTP policy or class applied to the request. | text_general |
bigIpASM.ip_client IP address of the client making the request. | text_general |
bigIpASM.management_ip_address Management IP address of the BIG-IP ASM system. | text_general |
bigIpASM.method HTTP method used (e.g., GET, POST). | string |
bigIpASM.policy_apply_date Date and time when the security policy was last applied. | pdate |
bigIpASM.policy_name Name of the ASM security policy applied to this request. | text_general |
bigIpASM.protocol Protocol used for the request (e.g., HTTP, HTTPS, WS). | string |
bigIpASM.query_string Query string portion of the requested URI. | string |
bigIpASM.request Full HTTP request payload or line exactly as received by the ASM. | text_general |
bigIpASM.request_status Status of the request processing (e.g., allowed, blocked). | string |
bigIpASM.response Full HTTP response content returned by the server. | text_general |
bigIpASM.response_code HTTP response status code returned by the server. | pint |
bigIpASM.session_id Session identifier tracking this user session in ASM. | string |
bigIpASM.severity Severity level assigned to this ASM event. | string |
bigIpASM.src_port Source port used by the client for the request. | pint |
bigIpASM.staged_sig_cves List of CVE identifiers associated with the staged signatures. | string |
bigIpASM.staged_sig_ids Numeric IDs of ASM signatures that are currently staged (after the '|' in name|uid). | plong |
bigIpASM.staged_sig_names List of ASM signature names that are currently staged (not yet enforced). | text_general |
bigIpASM.support_id Identifier for support or case context associated with this event. | string |
bigIpASM.unit_hostname Fully qualified domain name of the BIG-IP ASM unit. | text_general |
bigIpASM.uri Requested URI or path of the web application request. | text_general |
bigIpASM.violation_rating Numeric severity rating of the ASM violation. | plong |
bigIpASM.violations Detailed description of all ASM violations detected. | text_general |
bigIpASM.virus_name Name of the virus detected during ASM inspection (if any). | text_general |
bigIpASM.vs_name Name of the virtual server (VS) handling this request. | text_general |
bigIpASM.web_application_name Name of the protected web application in ASM. | text_general |
bigIpASM.websocket_direction Direction of WebSocket traffic (inbound or outbound). | string |
bigIpASM.websocket_message_type Type of WebSocket message (e.g., text, binary). | string |
bigIpASM.x_forwarded_for_header_value Value of the X-Forwarded-For HTTP header for client IP chaining. | text_general |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.