Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (4)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema: things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.
| Field | Description | Reference-Specific Fields | Type |
|---|---|---|---|
| gen.src.mac | MAC address of the source device. | cisco.catalyst.host | string |
| gen.severity | Normalized severity field across log sources. | cisco.catalyst.severity | strings |
| gen.src.ip | Source IP address. | cisco.catalyst.srcip | text_general |
| gen.username | Username associated with the event. | cisco.catalyst.username | text_general |
Reference-Specific Fields (19)
| Field | Type |
|---|---|
| cisco.catalyst.auditsession | string |
| cisco.catalyst.cryptocipher | string |
| cisco.catalyst.event.module | string |
| cisco.catalyst.event.msg | text_general |
| cisco.catalyst.event.name | string |
| cisco.catalyst.event.rawmsg | string |
| cisco.catalyst.event.submodule | string |
| cisco.catalyst.group | string |
| cisco.catalyst.hmac | string |
| cisco.catalyst.host | string |
| cisco.catalyst.jack | strings |
| cisco.catalyst.linkstate | string |
| cisco.catalyst.parsingstate | string |
| cisco.catalyst.result | string |
| cisco.catalyst.serverip | string |
| cisco.catalyst.severity | pint |
| cisco.catalyst.srcip | string |
| cisco.catalyst.username | string |
| cisco.catalyst.vlan | plong |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.