Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (9)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema: things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports. Note that a generic field's type is declared independently of the reference-specific fields it is populated from: gen.severity is strings although lancom.suricata.Severity is pint, and gen.dest.port is pint although lancom.ulogd.DPT is plong, so write range queries and sorts against the type of the field you actually search.
| Field | Description | Reference-Specific Fields | Type |
|---|---|---|---|
| gen.firewall.action | Firewall action taken (e.g., allow, block, drop). | lancom.gpAppFilterd.Action, lancom.gpFilter.action, lancom.suricata.Action, lancom.ulogd.action | strings |
| gen.dest.ip | Destination IP address. | lancom.gpAppFilterd.Destination, lancom.suricata.Destination, lancom.ulogd.DST | text_general |
| gen.src.interface | Network interface used for the source connection. | lancom.gpAppFilterd.In, lancom.ulogd.IN | strings |
| gen.dest.interface | Network interface used for the destination connection. | lancom.gpAppFilterd.Out, lancom.ulogd.OUT | strings |
| gen.src.ip | Source IP address. | lancom.gpAppFilterd.Source, lancom.gpFilter.address, lancom.suricata.Source, lancom.ulogd.SRC | text_general |
| gen.severity | Normalized severity field across log sources. | lancom.suricata.Severity | strings |
| gen.dest.port | Destination port number. | lancom.ulogd.DPT | pint |
| gen.protocol | Network protocol used (e.g., TCP, UDP, ICMP). | lancom.ulogd.PROTO | strings |
| gen.src.port | Source port number. | lancom.ulogd.SPT | pint |
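To make the mapping concrete, here is an added example (not code from this page or from the SIEM vendor) of a normalizer that populates the gen.* fields from whichever reference-specific fields an event carries, using the table above as its mapping and the declared gen.* types to coerce values. The normalize() and blocked_by_source() helpers, the IP:port splitting for gpAppFilterd endpoints (the page only says those fields hold "IP:port", not how IPv6 is written), and the sample events are assumptions for illustration.

```python
"""Normalize LANCOM reference-specific fields into the shared gen.* namespace.

Added example; the mapping and types below are copied from the Generic Fields
table, everything else (helpers, sample events, endpoint format) is assumed.
"""
from __future__ import annotations

import re
from typing import Any

# gen.* field -> reference-specific fields that feed it (Generic Fields table).
GENERIC_MAP: dict[str, list[str]] = {
    "gen.firewall.action": ["lancom.gpAppFilterd.Action", "lancom.gpFilter.action",
                            "lancom.suricata.Action", "lancom.ulogd.action"],
    "gen.dest.ip": ["lancom.gpAppFilterd.Destination", "lancom.suricata.Destination",
                    "lancom.ulogd.DST"],
    "gen.src.interface": ["lancom.gpAppFilterd.In", "lancom.ulogd.IN"],
    "gen.dest.interface": ["lancom.gpAppFilterd.Out", "lancom.ulogd.OUT"],
    "gen.src.ip": ["lancom.gpAppFilterd.Source", "lancom.gpFilter.address",
                   "lancom.suricata.Source", "lancom.ulogd.SRC"],
    "gen.severity": ["lancom.suricata.Severity"],
    "gen.dest.port": ["lancom.ulogd.DPT"],
    "gen.protocol": ["lancom.ulogd.PROTO"],
    "gen.src.port": ["lancom.ulogd.SPT"],
}

# Declared type of each gen.* field (same table): pint -> int, else str.
GENERIC_TYPES: dict[str, str] = {
    "gen.firewall.action": "strings", "gen.dest.ip": "text_general",
    "gen.src.interface": "strings", "gen.dest.interface": "strings",
    "gen.src.ip": "text_general", "gen.severity": "strings",
    "gen.dest.port": "pint", "gen.protocol": "strings", "gen.src.port": "pint",
}

# gpAppFilterd logs endpoints as IP:port, while gen.src.ip / gen.dest.ip hold a
# bare address. Handling "1.2.3.4:443" and "[2001:db8::1]:443" is an
# assumption about the vendor's formatting, not something this page states.
_V4_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
_V6_PORT = re.compile(r"^\[([0-9a-fA-F:.]+)\]:(\d+)$")


def strip_port(endpoint: str) -> str:
    """Return the address part of an IP:port endpoint; unchanged if no port."""
    for pat in (_V4_PORT, _V6_PORT):
        m = pat.match(endpoint)
        if m:
            return m.group(1)
    return endpoint


def coerce(field: str, value: Any) -> Any | None:
    """Coerce a raw value to the declared type of a gen.* field.

    Returns None when an integer field receives a non-numeric value, so a
    malformed source value is skipped instead of breaking a typed column.
    """
    if GENERIC_TYPES[field] == "pint":
        try:
            return int(value)
        except (TypeError, ValueError):
            return None
    return str(value)


def normalize(event: dict[str, Any]) -> dict[str, Any]:
    """Copy `event` and add gen.* fields from the reference-specific fields
    present in it. The first listed source for a gen.* field wins."""
    out = dict(event)
    for gen_field, sources in GENERIC_MAP.items():
        for src in sources:
            if src not in event or event[src] in (None, ""):
                continue
            value = event[src]
            if gen_field in ("gen.src.ip", "gen.dest.ip") and src.startswith("lancom.gpAppFilterd."):
                value = strip_port(str(value))
            coerced = coerce(gen_field, value)
            if coerced is not None:
                out[gen_field] = coerced
            break
    return out


# Constructed sample events (not the page's sample log). Field names follow
# the Reference-Specific Fields table; values are illustrative only.
SAMPLE_EVENTS = [
    {"ngs.source": "lancom.ulogd", "lancom.ulogd.SRC": "192.0.2.10",
     "lancom.ulogd.DST": "198.51.100.7", "lancom.ulogd.SPT": "51234",
     "lancom.ulogd.DPT": "443", "lancom.ulogd.PROTO": "TCP",
     "lancom.ulogd.IN": "eth0", "lancom.ulogd.OUT": "eth1",
     "lancom.ulogd.action": "DROP"},
    {"ngs.source": "lancom.suricata", "lancom.suricata.Source": "203.0.113.9",
     "lancom.suricata.Destination": "192.0.2.20",
     "lancom.suricata.Severity": 2, "lancom.suricata.Action": "drop"},
    {"ngs.source": "lancom.gpAppFilterd",
     "lancom.gpAppFilterd.Source": "192.0.2.30:40112",
     "lancom.gpAppFilterd.Destination": "[2001:db8::5]:443",
     "lancom.gpAppFilterd.Action": "blocked"},
]


def blocked_by_source(events: list[dict[str, Any]]) -> dict[str, int]:
    """The cross-namespace query normalization enables: count denied events
    per gen.src.ip regardless of which LANCOM component logged them."""
    deny = {"block", "blocked", "drop", "dropped", "deny", "reject"}
    hits: dict[str, int] = {}
    for ev in map(normalize, events):
        if str(ev.get("gen.firewall.action", "")).lower() in deny:
            hits[ev["gen.src.ip"]] = hits.get(ev["gen.src.ip"], 0) + 1
    return hits


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print({k: v for k, v in normalize(ev).items() if k.startswith("gen.")})
    print(blocked_by_source(SAMPLE_EVENTS))
```

The deny-verb set in blocked_by_source() is deliberately case-insensitive and covers the spellings the tables list (ulogd DROP, Suricata drop, gpAppFilterd blocked); if the vendor emits other verbs, extend that set rather than querying each lancom.*.action field separately.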
Reference-Specific Fields (45)
| Field | Description | Type |
|---|---|---|
| lancom.gpAppFilterd.Action | Action taken by the application filter (e.g., allowed, blocked). | string |
| lancom.gpAppFilterd.ConnId | Unique connection identifier assigned by the filter. | string |
| lancom.gpAppFilterd.Destination | Destination endpoint (IP:port) as seen by the application filter. | text_general |
| lancom.gpAppFilterd.In | Inbound policy or rule name applied. | string |
| lancom.gpAppFilterd.Mark | Firewall mark or tag assigned to the flow. | string |
| lancom.gpAppFilterd.Out | Outbound policy or rule name applied. | string |
| lancom.gpAppFilterd.Protocolstack | Full protocol stack description of the flow (e.g., TCP/IPv4). | text_general |
| lancom.gpAppFilterd.Source | Source endpoint (IP:port) as seen by the application filter. | text_general |
| lancom.gpAppFilterd.State | Connection state as tracked by the application filter (e.g., NEW, ESTABLISHED). | string |
| lancom.gpFilter.action | Action applied by the group policy filter (e.g., allow, block). | string |
| lancom.gpFilter.address | IP address or subnet filtered by the policy. | text_general |
| lancom.gpFilter.category | Content category filtered by the policy (e.g., social media). | text_general |
| lancom.gpFilter.direction | Traffic direction to which the policy applies (inbound/outbound). | string |
| lancom.gpFilter.domain | Domain or URL category filtered by the policy. | text_general |
| lancom.gpFilter.profile | Name of the group policy profile used. | text_general |
| lancom.suricata.Action | Action taken by Suricata (e.g., pass, drop). | string |
| lancom.suricata.Category | Category of the Suricata alert (e.g., trojan, policy). | string |
| lancom.suricata.Classification | Suricata intrusion detection classification of the event. | text_general |
| lancom.suricata.Destination | Destination IP address detected by Suricata. | text_general |
| lancom.suricata.Name | Name of the Suricata rule or alert. | text_general |
| lancom.suricata.Ruleset | Name of the Suricata ruleset applied. | string |
| lancom.suricata.Severity | Severity level assigned by Suricata to the alert. | pint |
| lancom.suricata.SignatureId | Identifier of the Suricata signature triggered. | plong |
| lancom.suricata.Source | Source IP address detected by Suricata. | text_general |
| lancom.ulogd.ACK | TCP acknowledgment number in the packet. | plong |
| lancom.ulogd.BYTES | Total number of bytes in the connection/session. | plong |
| lancom.ulogd.CODE | ICMP code value for ICMP packets. | pint |
| lancom.ulogd.DPT | Destination port number of the packet. | plong |
| lancom.ulogd.DST | Destination IP address of the logged packet. | text_general |
| lancom.ulogd.FLAGS | | strings |
| lancom.ulogd.ID | IP identification field value of the packet. | plong |
| lancom.ulogd.IN | Name of the incoming interface on which the packet was received. | text_general |
| lancom.ulogd.OUT | Name of the outgoing interface on which the packet was sent. | text_general |
| lancom.ulogd.PKTS | Total number of packets in the connection/session. | plong |
| lancom.ulogd.PREC | Type of Service (ToS) precedence bits. | string |
| lancom.ulogd.PROTO | Protocol of the logged packet (e.g., TCP, UDP, ICMP). | string |
| lancom.ulogd.SEQ | TCP sequence number of the packet. | plong |
| lancom.ulogd.SPT | Source port number of the packet. | plong |
| lancom.ulogd.SRC | Source IP address of the logged packet. | text_general |
| lancom.ulogd.TYPE | Numeric type code associated with the packet or event. | pint |
| lancom.ulogd.URGP | TCP urgent pointer value, if any. | plong |
| lancom.ulogd.WINDOW | TCP window size advertised by the sender. | plong |
| lancom.ulogd.action | Firewall action taken on the packet (e.g., ACCEPT, DROP). | string |
| lancom.ulogd.dropped | Indicates whether the packet was dropped (yes/no). | string |
| lancom.ulogd.event | Raw event message or log record details. | text_general |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.