Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (8)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema: things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.
| Field | Description | Reference-Specific Fields | Type |
|---|---|---|---|
| gen.mail.sender | Email address of the message sender. | postfix.from | strings |
| gen.mail.receiver | Email address of the message recipient. | postfix.to | strings |
| gen.src.ip | Source IP address. | postfix.clientIp | text_general |
| gen.dest.ip | Destination IP address. | postfix.relayIp, postfix.serverIp | text_general |
| gen.dest.port | Destination port number. | postfix.relayPort, postfix.serverPort | pint |
| gen.src.port | Source port number. | postfix.clientPort | pint |
| gen.mail.size | Size of the email in bytes. | postfix.size | plong |
| gen.protocol | Network protocol used (e.g., TCP, UDP, ICMP). | postfix.proto | strings |
Reference-Specific Fields (25)
| Field | Description | Type |
|---|---|---|
| postfix.queueId | Unique identifier assigned by Postfix to the message in the mail queue. | string |
| postfix.messageId | ID of the mail, taken from the Message-ID header, for tracking the mail across mail systems. | string |
| postfix.from | Envelope sender address of the email. | text_general |
| postfix.to | Envelope recipient address of the email. | text_general |
| postfix.clientHostname | Hostname of the SMTP client that connected to Postfix. | text_general |
| postfix.clientIp | IP address of the SMTP client that submitted the message. | text_general |
| postfix.status | Delivery status of the message (e.g., sent, deferred, bounced). | text_general |
| postfix.dsn | The Delivery Status Notification code. | string |
| postfix.dsnStatus | The main status of the Delivery Status Notification code, mapped according to IANA. | text_general |
| postfix.dsnSubStatus | Sub-status of the Delivery Status Notification code, mapped according to IANA. If no enumerated status code is available, the subject sub-code is used. | text_general |
| postfix.details | Additional details of the event, such as error messages or reasons. | text_general |
| postfix.delay | The delay of the transaction in seconds. | pfloat |
| postfix.relayIp | The IP of the relay server chosen to forward the mail to its final destination. | string |
| postfix.relayHostname | The hostname (if available) of the relay server chosen to forward the mail to its final destination. | string |
| postfix.relayPort | The port of the relay server chosen to forward the mail to its final destination. | pint |
| postfix.clientPort | The port of the client. | pint |
| postfix.size | The size of the mail in bytes. | plong |
| postfix.nrcpt | Number of recipients. | pint |
| postfix.uid | | pint |
| postfix.proto | Mail protocol used. | string |
| postfix.helo | The domain the client presented itself with. | string |
| postfix.serverHostname | Hostname of the mail server, if available. | string |
| postfix.serverIp | IP of the mail server. | string |
| postfix.serverPort | Port of the mail server. | pint |
| postfix.sessionInfo | Key-value pairs of session details provided on disconnect. | strings |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.