Global Fields (4)
| Field | Type |
|---|---|
ngs.createdAt Timestamp when the event was created locally. | pdate |
ngs.id Unique identifier for the log entry. | string |
ngs.indexedAt Timestamp when the log was indexed into the SIEM. | pdate |
ngs.source Origin or source system of the log. | string |
Generic Fields (20)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema— things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.
| Field | Reference-Specific Fields | Type |
|---|---|---|
gen.firewall.rule Firewall rule that triggered the event. | sonicwall.af_policy sonicwall.rule | strings |
gen.proxy.endpoint Destination endpoint accessed through the proxy. | sonicwall.arg | string |
gen.dest.interface Network interface used for the destination connection. | sonicwall.dst | strings |
gen.dest.ip Destination IP address. | sonicwall.dst | text_general |
gen.dest.port Destination port number. | sonicwall.dst | pint |
gen.dest.mac MAC address of the destination device. | sonicwall.dstMac | string |
gen.firewall.action Firewall action taken (e.g., allow, block, drop). | sonicwall.fw_action | strings |
gen.mail.sender Email address of the message sender. | sonicwall.mailFrom | strings |
gen.severity Normalized severity field across log sources. | sonicwall.pri | strings |
gen.protocol Network protocol used (e.g., TCP, UDP, ICMP). | sonicwall.proto | strings |
gen.mail.receiver Email address of the message recipient. | sonicwall.rcptTo | strings |
gen.firewall.bytesReceived Number of bytes received through the firewall session. | sonicwall.rcvd | plong |
gen.proxy.referrer HTTP referrer header value. | sonicwall.referer | string |
gen.proxy.httpStatus HTTP response status code from the proxy. | sonicwall.result | pint |
gen.firewall.bytesSent Number of bytes sent through the firewall session. | sonicwall.sent | plong |
gen.src.ip Source IP address. | sonicwall.src | text_general |
gen.src.port Source port number. | sonicwall.src | pint |
gen.src.interface Network interface used for the source connection. | sonicwall.src | strings |
gen.src.mac MAC address of the source device. | sonicwall.srcMac | string |
gen.username Username associated with the event. | sonicwall.user | text_general |
Reference-Specific Fields (90)
| Field | Type |
|---|---|
sonicwall.af_action SonicWall AppFlow action taken field. | string |
sonicwall.af_policy SonicWall AppFlow policy name field. | string |
sonicwall.af_polid SonicWall AppFlow policy ID field. | string |
sonicwall.af_service SonicWall AppFlow service name field. | string |
sonicwall.af_type SonicWall AppFlow policy type field. | string |
sonicwall.ai SonicWall attack intelligence identifier field. | string |
sonicwall.app SonicWall application identifier field. | string |
sonicwall.appName SonicWall application name field. | text_general |
sonicwall.appcat SonicWall application category field. | string |
sonicwall.appid SonicWall application ID field. | string |
sonicwall.arg SonicWall argument or parameter field. | string |
sonicwall.auditId SonicWall audit trail identifier field. | string |
sonicwall.auditPath SonicWall audit log file path field. | string |
sonicwall.auditTime SonicWall audit event timestamp field. | pdate |
sonicwall.bytesRx SonicWall bytes received count (duplicate of rcvd). | plong |
sonicwall.c SonicWall connection count field. | string |
sonicwall.category SonicWall category identifier field. | string |
sonicwall.category_legacy SonicWall legacy category field. | string |
sonicwall.catid SonicWall category ID field (duplicate of category). | string |
sonicwall.cdur SonicWall connection duration in milliseconds. | plong |
sonicwall.change SonicWall configuration change description field. | string |
sonicwall.code SonicWall numeric event code field. | string |
sonicwall.conns SonicWall active connections count field. | plong |
sonicwall.contentObject SonicWall content object identifier field. | string |
sonicwall.dpi SonicWall DPI policy applied field. | string |
sonicwall.dst SonicWall destination IP address field. | text_general |
sonicwall.dstMac SonicWall destination MAC address field. | text_general |
sonicwall.dstZone SonicWall destination zone name field. | text_general |
sonicwall.dstname SonicWall destination host name field. | string |
sonicwall.dur SonicWall duration in seconds field. | plong |
sonicwall.dyn SonicWall dynamic object name field. | string |
sonicwall.event_message SonicWall event message detail field. | text_general |
sonicwall.event_name SonicWall event name field. | text_general |
sonicwall.fileid SonicWall file transfer identifier field. | string |
sonicwall.filetxstatus SonicWall file transfer status code field. | pint |
sonicwall.filetxstatus_name SonicWall file transfer status name field. | string |
sonicwall.fw SonicWall firewall identifier field. | text_general |
sonicwall.fw_action SonicWall firewall action taken field. | string |
sonicwall.fwlan SonicWall LAN firewall interface identifier field. | string |
sonicwall.gcat SonicWall global category field. | string |
sonicwall.group_name SonicWall user or network group name field. | text_general |
sonicwall.grpIndex SonicWall group index field. | string |
sonicwall.i SonicWall generic integer field. | plong |
sonicwall.icmpCode SonicWall ICMP code field. | plong |
sonicwall.id SonicWall event or session identifier field. | string |
sonicwall.ipscat SonicWall IPS category field. | string |
sonicwall.ipspri SonicWall IPS priority field. | string |
sonicwall.lic SonicWall license usage count field. | plong |
sonicwall.m SonicWall message code field. | string |
sonicwall.mailFrom SonicWall email sender address field. | string |
sonicwall.msg SonicWall log message text field. | string |
sonicwall.n SonicWall numeric code or count field. | plong |
sonicwall.natDst SonicWall NAT destination address field. | string |
sonicwall.natSrc SonicWall NAT source address field. | string |
sonicwall.newValue SonicWall new configuration value field. | string |
sonicwall.note SonicWall note or comment field. | text_general |
sonicwall.npcs SonicWall NPCS category field. | string |
sonicwall.oldValue SonicWall old configuration value field. | string |
sonicwall.op SonicWall operation code field. | string |
sonicwall.opId SonicWall operator identifier field. | string |
sonicwall.pri SonicWall priority level field. | plong |
sonicwall.proto SonicWall protocol name or number field. | string |
sonicwall.rcptTo SonicWall email recipient address field. | string |
sonicwall.rcvd SonicWall bytes received count field. | plong |
sonicwall.referer SonicWall HTTP referrer URL field. | string |
sonicwall.result SonicWall result status field. | string |
sonicwall.rpkt SonicWall packets received count field. | plong |
sonicwall.rule SonicWall firewall rule name or ID field. | text_general |
sonicwall.sent SonicWall bytes sent count field. | plong |
sonicwall.sess SonicWall session identifier field. | string |
sonicwall.sn SonicWall serial number field. | string |
sonicwall.spkt SonicWall packets sent count field. | plong |
sonicwall.spycat SonicWall spyware category field. | string |
sonicwall.spypri SonicWall spyware priority field. | string |
sonicwall.src SonicWall source IP address field. | text_general |
sonicwall.srcMac SonicWall source MAC address field. | text_general |
sonicwall.srcZone SonicWall source zone name field. | text_general |
sonicwall.station SonicWall station identifier field. | string |
sonicwall.sub SonicWall subcategory identifier field. | string |
sonicwall.time SonicWall event timestamp field. | pdate |
sonicwall.type SonicWall event type field. | string |
sonicwall.ucastRx SonicWall unicast packets received count field. | plong |
sonicwall.ucastTx SonicWall unicast packets sent count field. | plong |
sonicwall.unsynched SonicWall unsynchronized sessions count field. | plong |
sonicwall.user SonicWall username field. | string |
sonicwall.userMode SonicWall user mode field (e.g., admin, guest). | string |
sonicwall.usestandbysa SonicWall use default by source address flag field. | boolean |
sonicwall.uuid SonicWall universally unique identifier field. | string |
sonicwall.vpnpolicy SonicWall VPN policy name field. | text_general |
sonicwall.vpnpolicyDst SonicWall VPN policy destination field. | string |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.