Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (12)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema: things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. Sharing these fields keeps the data consistent and makes it easy to run cross-namespace searches and reports.
| Field | Description | Reference-Specific Fields | Type |
|---|---|---|---|
| gen.proxy.bytesSent | Bytes sent through the proxy session. | nginx.bytesSent | pint |
| gen.src.ip | Source IP address. | nginx.client | text_general |
| gen.src.port | Source port number. | nginx.clientPort | pint |
| gen.proxy.endpoint | Destination endpoint accessed through the proxy. | nginx.endpoint | string |
| gen.severity | Normalized severity field across log sources. | nginx.level | strings |
| gen.proxy.method | HTTP request method (e.g., GET, POST). | nginx.method | string |
| gen.protocol | Network protocol used (e.g., TCP, UDP, ICMP). | nginx.protocol | strings |
| gen.proxy.referrer | HTTP referrer header value. | nginx.referrer | string |
| gen.dest.port | Destination port number. | nginx.serverPort | pint |
| gen.proxy.httpStatus | HTTP response status code from the proxy. | nginx.status | pint |
| gen.username | Username associated with the event. | nginx.user | text_general |
| gen.proxy.userAgent | User agent string from the HTTP request. | nginx.userAgent | string |
Reference-Specific Fields (19)
| Field | Description | Type |
|---|---|---|
| nginx.bytesSent | Number of bytes sent to the client in the response body. | plong |
| nginx.client | IP address (or hostname) of the client that initiated the request, as logged by NGINX. | text_general |
| nginx.clientPort | TCP port number on the client side from which the request originated. | pint |
| nginx.endpoint | The requested URI or path, including query string if present. | text_general |
| nginx.host | Value of the HTTP Host header, indicating the virtual host target. | text_general |
| nginx.level | Severity level of the log entry (error, warn, notice, info, debug). | string |
| nginx.message | Free-form log message emitted by NGINX, often used in error or warning contexts. | text_general |
| nginx.method | HTTP method used for the request (GET, POST, PUT, DELETE, etc.). | string |
| nginx.protocol | Protocol version used for the request (HTTP/1.0, HTTP/1.1, HTTP/2.0). | string |
| nginx.rawRequest | The raw HTTP request line or full request payload exactly as received by NGINX. | text_general |
| nginx.referrer | Value of the HTTP Referer header, indicating the URL of the page that linked to the requested resource. | text_general |
| nginx.server | Hostname or IP of the NGINX server that received and processed the request. | text_general |
| nginx.serverPort | TCP port number on the server that received the request. | pint |
| nginx.status | HTTP response status code returned by the server (e.g., 200, 404, 500). | pint |
| nginx.type | Type of log entry (e.g., access, error), categorizing the logged event. | string |
| nginx.upstream | The actual upstream server (address or name) that handled the request. | text_general |
| nginx.upstreams | List of upstream server identifiers (names or addresses) that could handle or have handled the request. | text_generals |
| nginx.user | Authenticated username, if HTTP authentication was used, otherwise empty. | text_general |
| nginx.userAgent | User-Agent header string sent by the client, identifying the browser or client application. | text_general |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.