Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (8)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema: things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.
| Field | Description | Reference-Specific Field | Type |
|---|---|---|---|
| gen.firewall.action | Firewall action taken (e.g., allow, block, drop). | pfsense.Action | strings |
| gen.dest.ip | Destination IP address. | pfsense.DestIP | text_general |
| gen.dest.port | Destination port number. | pfsense.DestPort | pint |
| gen.firewall.direction | Traffic direction (e.g., inbound, outbound). | pfsense.Direction | strings |
| gen.protocol | Network protocol used (e.g., TCP, UDP, ICMP). | pfsense.ProtocolID | strings |
| gen.firewall.rule | Firewall rule that triggered the event. | pfsense.RuleNumber | strings |
| gen.src.ip | Source IP address. | pfsense.SourceIP | text_general |
| gen.src.port | Source port number. | pfsense.SourcePort | pint |
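The mapping in the table above is easiest to see end to end: a raw pfSense filterlog line is split into the pfsense.* reference fields, and the handful of those fields that have a generic counterpart are projected onto gen.* so a single query can be written once for every firewall namespace. The parser below is an added example, not the SIEM's own ingestion code. It follows the column layout pfSense documents for the filterlog CSV (common columns, then an IPv4 or IPv6 block, then a TCP, UDP or ICMP block); the output keys are the field names from this reference. How the real pipeline types values, splits list fields, and which ICMP subtypes it decodes are assumptions, and the sample lines are constructed (RFC 5737 addresses), not captured traffic.

```python
"""pfSense filterlog CSV -> pfsense.* fields -> gen.* fields (added example).

The column layout is pfSense's documented filterlog format; the typing and
list handling are assumptions about what the SIEM pipeline does.
"""
from collections import Counter
from typing import Any, Dict, List

# Column names per CSV section, in order. Names starting with "_" exist in
# the CSV but have no field in this reference and are dropped.
COMMON = ["RuleNumber", "SubRuleNumber", "_Anchor", "Tracker", "Interface",
          "Reason", "Action", "Direction", "IPVersion"]
IPV4 = ["TOS", "ECN", "TTL", "ID", "Offset", "Flags", "ProtocolID",
        "Protocol", "Length", "SourceIP", "DestIP"]
IPV6 = ["_Class", "_FlowLabel", "HopLimit", "Protocol", "ProtocolID",
        "Length", "SourceIP", "DestIP"]
TCP = ["SourcePort", "DestPort", "DataLength", "TCPFlags", "Sequence",
       "ACK", "Window", "_URG", "Options"]
UDP = ["SourcePort", "DestPort", "DataLength"]

# Fields typed pint/plong in the reference. A value that is not a plain
# integer (a TCP "seq:end(len)" range, for instance) is kept as a string,
# which is why Sequence is listed above under both plongs and strings.
INT_FIELDS = {"RuleNumber", "SubRuleNumber", "IPVersion", "TTL", "ID",
              "Offset", "ProtocolID", "Length", "HopLimit", "SourcePort",
              "DestPort", "DataLength", "Sequence", "ACK", "Window",
              "ICMP_ID", "ICMP_Sequence", "ICMP_MTU", "ICMP_Port",
              "ICMP_ProtocolID"}

# Generic field -> reference-specific field, as in the table above.
GEN_MAP = {"gen.firewall.action": "pfsense.Action",
           "gen.dest.ip": "pfsense.DestIP",
           "gen.dest.port": "pfsense.DestPort",
           "gen.firewall.direction": "pfsense.Direction",
           "gen.protocol": "pfsense.ProtocolID",
           "gen.firewall.rule": "pfsense.RuleNumber",
           "gen.src.ip": "pfsense.SourceIP",
           "gen.src.port": "pfsense.SourcePort"}


def coerce(name: str, raw: str) -> Any:
    return int(raw) if name in INT_FIELDS and raw.isdigit() else raw


def consume(ev: Dict[str, Any], cols: List[str], pos: int, names: List[str]) -> int:
    """Copy the next len(names) columns into ev; missing columns become ''."""
    for name in names:
        ev[name] = coerce(name, cols[pos] if pos < len(cols) else "")
        pos += 1
    return pos


def parse_icmp(ev: Dict[str, Any], rest: List[str]) -> None:
    """ICMP type text followed by type-specific columns (subset of types)."""
    ev["ICMP_Type"] = rest[0] if rest else ""
    extra = rest[1:]
    if ev["ICMP_Type"] in ("request", "reply"):
        consume(ev, extra, 0, ["ICMP_ID", "ICMP_Sequence"])
    elif ev["ICMP_Type"] == "unreachport":
        consume(ev, extra, 0, ["ICMP_DestIP", "ICMP_ProtocolID", "ICMP_Port"])
    elif ev["ICMP_Type"] == "needfrag":
        consume(ev, extra, 0, ["ICMP_DestIP", "ICMP_MTU"])
    else:  # unreach, timexceed, paramprob, ...: keep the free-text remainder
        ev["ICMP_Description"] = ",".join(extra)


def parse_filterlog(line: str) -> Dict[str, Any]:
    """Return the pfsense.* fields for one filterlog line (empties dropped)."""
    cols = line.strip().split(",")
    ev: Dict[str, Any] = {}
    pos = consume(ev, cols, 0, COMMON)
    if ev["IPVersion"] == 4:
        pos = consume(ev, cols, pos, IPV4)
    elif ev["IPVersion"] == 6:
        pos = consume(ev, cols, pos, IPV6)
    else:
        raise ValueError(f"unknown IP version in line: {line!r}")
    if ev["Protocol"] == "tcp":
        pos = consume(ev, cols, pos, TCP)
        ev["TCPFlags"] = list(ev["TCPFlags"])           # "SA" -> ["S", "A"]
        ev["Options"] = [o for o in ev["Options"].split(";") if o]
    elif ev["Protocol"] == "udp":
        pos = consume(ev, cols, pos, UDP)
    elif ev["Protocol"] in ("icmp", "icmpv6"):
        parse_icmp(ev, cols[pos:])
    return {f"pfsense.{k}": v for k, v in ev.items()
            if not k.startswith("_") and v not in ("", [])}


def to_generic(ev: Dict[str, Any]) -> Dict[str, Any]:
    """Project the reference-specific fields onto the gen.* namespace."""
    return {g: ev[r] for g, r in GEN_MAP.items() if r in ev}


def blocked_inbound_by_source(lines: List[str]) -> Dict[str, int]:
    """Cross-namespace style query: blocked inbound hits per source IP,
    written only against gen.* so it would fit any firewall namespace."""
    hits: Counter = Counter()
    for line in lines:
        g = to_generic(parse_filterlog(line))
        if g.get("gen.firewall.action") == "block" and g.get("gen.firewall.direction") == "in":
            hits[g["gen.src.ip"]] += 1
    return dict(hits)


# Constructed sample lines (RFC 5737 addresses), not real traffic.
SAMPLE_LINES = [
    "5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,"
    "203.0.113.7,192.0.2.10,54321,443,0,S,3412345326,,65535,,mss;sackOK;TS;nop;wscale",
    "7,,,1000000107,igb0,match,pass,out,4,0x0,,64,22114,0,none,17,udp,76,"
    "192.0.2.10,198.51.100.53,49152,53,56",
    "9,,,1000000109,igb1,match,block,in,4,0x0,,128,1234,0,none,1,icmp,84,"
    "203.0.113.7,192.0.2.10,request,17,3",
    "5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,433,"
    "198.51.100.9,192.0.2.10,54321,443,373,PA,3412345326:3412345699(373),10,65535,,",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(to_generic(parse_filterlog(sample)))
    print(blocked_inbound_by_source(SAMPLE_LINES))
```

Two things worth checking against your own pipeline before reusing the query: the table sources gen.protocol from pfsense.ProtocolID, so under that mapping it carries the numeric protocol (6, 17, 1) rather than the name, and a query written as `gen.protocol:tcp` would match nothing; and the fourth sample shows why Sequence is listed under both plongs and strings, since a data-carrying segment is logged as a `start:end(len)` range that cannot be indexed as a number.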
Reference-Specific Fields (40)
| Field | Description | Type |
|---|---|---|
| pfsense.ACK | TCP acknowledgment number from the packet. | plong |
| pfsense.Action | Firewall action taken: pass, block, reject, etc. | string |
| pfsense.DataLength | Length in bytes of the packet's payload data. | plong |
| pfsense.DestIP | Array of destination IP addresses seen by the firewall. | text_generals |
| pfsense.DestPort | Destination transport port (TCP/UDP) of the packet. | pint |
| pfsense.Direction | Direction of traffic: inbound or outbound. | string |
| pfsense.ECN | Explicit Congestion Notification bits from the IP header. | plong |
| pfsense.Filterlog | Array of raw filter log entries associated with this event. | text_generals |
| pfsense.Flags | IP header flags (e.g. DF, MF). | text_generals |
| pfsense.HopLimit | IPv6 hop limit (same as TTL for IPv4). | plong |
| pfsense.ICMP_Description | Textual descriptions from ICMP messages (e.g. error codes). | text_generals |
| pfsense.ICMP_DestIP | Array of destination IPs referenced in ICMP payloads. | text_generals |
| pfsense.ICMP_ID | Identifier field from the ICMP header. | plong |
| pfsense.ICMP_MTU | MTU value reported in ICMP fragmentation-needed messages. | plong |
| pfsense.ICMP_Port | Port field in ICMP-based protocols (where used). | pint |
| pfsense.ICMP_ProtocolID | Numeric protocol ID carried inside ICMP messages. | pint |
| pfsense.ICMP_Sequence | List of ICMP sequence numbers from echo requests/replies. | plongs |
| pfsense.ICMP_Sequence | List of ICMP sequence numbers from echo requests/replies. | strings |
| pfsense.ICMP_Type | ICMP message type (e.g. 8 for echo request). | string |
| pfsense.ID | Identification field from the IP header (used for fragmentation). | plong |
| pfsense.IPVersion | IP protocol version of the packet (e.g. 4 for IPv4, 6 for IPv6). | pint |
| pfsense.Interface | Name of the firewall interface that saw the packet. | string |
| pfsense.Length | Total length of the IP packet (header + data). | plong |
| pfsense.Offset | Fragmentation offset field from the IP header. | plong |
| pfsense.Options | Array of IP header options present (if any). | text_generals |
| pfsense.Options | Array of IP header options present (if any). | strings |
| pfsense.Protocol | Protocol name (e.g. TCP, UDP, ICMP). | string |
| pfsense.ProtocolID | Numeric protocol identifier (e.g. 6 for TCP, 17 for UDP). | pint |
| pfsense.Reason | Textual reason or log code explaining the action. | string |
| pfsense.RuleNumber | Number of the firewall rule that matched this packet. | plong |
| pfsense.Sequence | List of generic packet sequence numbers seen by the firewall. | strings |
| pfsense.Sequence | List of generic packet sequence numbers seen by the firewall. | plongs |
| pfsense.SourceIP | Array of source IP addresses seen by the firewall. | text_generals |
| pfsense.SourcePort | Source transport port (TCP/UDP) of the packet. | pint |
| pfsense.SubRuleNumber | Sub-rule number within a multi-part rule set. | plong |
| pfsense.TCPFlags | List of TCP control flags set in the packet (e.g. SYN, ACK). | text_generals |
| pfsense.TOS | Type of Service (IPv4) or Traffic Class (IPv6) field. | string |
| pfsense.TTL | Time-to-live value from the IP header. | plong |
| pfsense.Tracker | State table tracker ID for this connection. | string |
| pfsense.Window | TCP window size advertised in the packet. | plong |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.