Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (10)
These are common fields that appear across multiple namespaces. They represent attributes inherited or reused from a global schema: timestamps, unique identifiers, user IDs, status codes, and similar attributes that every namespace needs. Sharing these fields keeps the data consistent and makes cross-namespace searches and reports straightforward. The table below lists each generic field together with the reference-specific field(s) it corresponds to.
| Field | Description | Reference-Specific Fields | Type |
|---|---|---|---|
| gen.firewall.rule | Firewall rule that triggered the event. | mikrotik.rule | strings |
| gen.src.ip | Source IP address. | mikrotik.source.ip, mikrotik.client.ip | text_general |
| gen.src.port | Source port number. | mikrotik.source.port | pint |
| gen.src.interface | Network interface used for the source connection. | mikrotik.source.interface | strings |
| gen.src.mac | MAC address of the source device. | mikrotik.source.mac, mikrotik.client.mac | string |
| gen.dest.ip | Destination IP address. | mikrotik.destination.ip | text_general |
| gen.dest.port | Destination port number. | mikrotik.destination.port | pint |
| gen.dest.interface | Network interface used for the destination connection. | mikrotik.destination.interface | strings |
| gen.username | Username associated with the event. | mikrotik.user.name | text_general |
| gen.protocol | Network protocol used (e.g., TCP, UDP, ICMP). | mikrotik.network.transport | strings |
Reference-Specific Fields (26)
| Field | Description | Type |
|---|---|---|
| mikrotik.msg | Free-form message text included in the log entry. | string |
| mikrotik.topics | Topics of the message. | strings |
| mikrotik.rule | Name of the firewall rule. | string |
| mikrotik.source.ip | Source IP address. | string |
| mikrotik.source.port | Source port number. | pint |
| mikrotik.source.interface | Source network interface. | string |
| mikrotik.source.mac | MAC address of the source host. | string |
| mikrotik.destination.ip | Destination IP address. | string |
| mikrotik.destination.port | Destination port number. | pint |
| mikrotik.destination.interface | Destination network interface. | string |
| mikrotik.client.ip | Client IP address. | string |
| mikrotik.client.mac | MAC address of the client. | string |
| mikrotik.connection.state | Connection state. | string |
| mikrotik.connection.mark | Connection mark. | string |
| mikrotik.priority.before | Priority before the event. | pint |
| mikrotik.priority.after | Priority after the event. | pint |
| mikrotik.service.name | Name of the service. | string |
| mikrotik.user.name | Name of the user. | string |
| mikrotik.event.category | Category of the event. | string |
| mikrotik.event.outcome | Outcome of the event. | string |
| mikrotik.event.duration | Duration of the event. | plong |
| mikrotik.network.name | Name of the network. | string |
| mikrotik.network.transport | Name of the network transport. | string |
| mikrotik.network.flags | Network flags observed in the connection. | strings |
| mikrotik.network.bytes | Total number of bytes transmitted or received in the network event. | pint |
| mikrotik.network.speed | Speed of the network interface. | string |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.