Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (3)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema, such as timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.
| Field | Description | Reference-Specific Fields | Type |
|---|---|---|---|
| gen.facility | Normalized facility field across log sources. | rlylog.facility | string |
| gen.hostname | Normalized hostname of the system generating the log. | rlylog.hostname | text_general |
| gen.severity | Normalized severity field across log sources. | rlylog.severity | strings |
Reference-Specific Fields (14)
| Field | Description | Type |
|---|---|---|
| rlylog.app_name | Application name from RFC 5424 (not used in RFC 3164). | text_general |
| rlylog.client | IP address of the client that sent the syslog message to the relay. | text_general |
| rlylog.content | Message body from RFC 3164 (not used in RFC 5424). | text_general |
| rlylog.facility | Syslog facility value indicating the type of process that generated the log. | pint |
| rlylog.hostname | Hostname of the device that generated the syslog. | text_general |
| rlylog.message | Message body from RFC 5424 (not used in RFC 3164). | text_general |
| rlylog.msg_id | Message identifier from RFC 5424. | text_general |
| rlylog.priority | Combined facility and severity value. | pint |
| rlylog.proc_id | Process identifier from RFC 5424. | text_general |
| rlylog.severity | Syslog severity level of the message. | pint |
| rlylog.structured_data | Structured data field from RFC 5424 containing additional metadata. | text_general |
| rlylog.tag | Process tag from RFC 3164 (not used in RFC 5424). | text_general |
| rlylog.timestamp | Timestamp of when the syslog was generated. | pdate |
| rlylog.version | Syslog protocol version from RFC 5424. | pint |
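The two tables above describe the same message in two shapes: the raw `rlylog.*` fields as parsed from an RFC 3164 or RFC 5424 line, and the `gen.*` fields that normalize facility, severity and hostname across sources. The following Python is an added example, not the relay's or the SIEM's own code, showing how one parser can populate both sets and why `rlylog.priority` alone is not enough for searching: it has to be split into facility and severity (`PRI = facility * 8 + severity`, valid range 0..191). The function names (`parse_syslog`, `split_priority`, `normalize`), the client IP and year arguments, the keyword tables used for `gen.facility` / `gen.severity`, and the two sample lines are all assumptions constructed for the example.

```python
import re
from datetime import datetime, timezone

# RFC 5424: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
# (escaped "\]" inside an SD-PARAM value is not handled; enough for the common case)
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<app_name>\S+) (?P<proc_id>\S+) (?P<msg_id>\S+) "
    r"(?P<structured_data>-|(?:\[[^\]]*\])+)(?: (?P<message>.*))?$"
)
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: CONTENT (no year, no version field)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<content>.*)$"
)

# Assumed keyword tables for the gen.* normalization (RFC 5424 section 6.2.1 numbering).
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + \
                 [f"local{i}" for i in range(8)]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def split_priority(pri):
    """PRI = facility * 8 + severity; anything outside 0..191 is malformed."""
    if not 0 <= pri <= 191:
        raise ValueError(f"priority {pri} outside 0..191")
    return pri // 8, pri % 8


def _nil(value):
    """RFC 5424 writes '-' for an absent header field; emit it as omitted (None)."""
    return None if value in (None, "-") else value


def parse_syslog(line, client_ip, year=None):
    """Parse one raw syslog line into rlylog.* fields; raise ValueError if malformed."""
    m = RFC5424_RE.match(line)
    if m:
        pri = int(m["pri"])
        facility, severity = split_priority(pri)
        ts = datetime.fromisoformat(m["timestamp"].replace("Z", "+00:00"))
        return {
            "rlylog.client": client_ip,
            "rlylog.priority": pri,
            "rlylog.facility": facility,
            "rlylog.severity": severity,
            "rlylog.version": int(m["version"]),
            "rlylog.timestamp": ts.isoformat(),
            "rlylog.hostname": _nil(m["hostname"]),
            "rlylog.app_name": _nil(m["app_name"]),
            "rlylog.proc_id": _nil(m["proc_id"]),
            "rlylog.msg_id": _nil(m["msg_id"]),
            "rlylog.structured_data": _nil(m["structured_data"]),
            "rlylog.message": m["message"],
        }
    m = RFC3164_RE.match(line)
    if m:
        pri = int(m["pri"])
        facility, severity = split_priority(pri)
        # RFC 3164 timestamps carry no year; assume the current one unless the caller says otherwise.
        ts = datetime.strptime(m["timestamp"], "%b %d %H:%M:%S").replace(
            year=year or datetime.now(timezone.utc).year, tzinfo=timezone.utc)
        return {  # the optional [pid] is dropped: rlylog.proc_id is an RFC 5424 field
            "rlylog.client": client_ip,
            "rlylog.priority": pri,
            "rlylog.facility": facility,
            "rlylog.severity": severity,
            "rlylog.timestamp": ts.isoformat(),
            "rlylog.hostname": m["hostname"],
            "rlylog.tag": m["tag"],
            "rlylog.content": m["content"],
        }
    raise ValueError("line matches neither RFC 5424 nor RFC 3164")


def normalize(event):
    """Add the gen.* fields: numeric facility/severity become keywords, hostname is copied."""
    out = dict(event)
    out["gen.facility"] = FACILITY_NAMES[event["rlylog.facility"]]
    out["gen.severity"] = SEVERITY_NAMES[event["rlylog.severity"]]
    out["gen.hostname"] = event["rlylog.hostname"]
    return out


# Constructed sample lines (adapted from the RFC examples), not real relay traffic.
SAMPLE_5424 = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '
               '[exampleSDID@32473 iut="3" eventSource="Application"] An application event log entry')
SAMPLE_3164 = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"

if __name__ == "__main__":
    import json
    for raw in (SAMPLE_5424, SAMPLE_3164):
        print(json.dumps(normalize(parse_syslog(raw, "192.0.2.10", year=2003)), indent=2))
```

Two details matter for detection content built on this schema. First, a `gen.severity` search for `crit` only works if every source is normalized through the same table, which is why the generic fields exist alongside the raw numeric `rlylog.severity`. Second, RFC 3164 lines carry no year and no timezone, so `rlylog.timestamp` for those events is only as trustworthy as the relay's assumption; `ngs.indexedAt` is the safer anchor when ordering events from mixed sources.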
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.