Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (7)
These are common fields that appear across multiple namespaces. They represent attributes inherited or reused from a global schema, such as timestamps, unique identifiers, user IDs, or status codes that every namespace needs. Sharing these fields keeps them consistent across namespaces and makes cross-namespace searches and reports straightforward.
| Field | Description | Reference-Specific Field | Type |
|---|---|---|---|
| gen.dest.port | Destination port number. | squid.dstPort | pint |
| gen.proxy.endpoint | Destination endpoint accessed through the proxy. | squid.endpoint | string |
| gen.proxy.method | HTTP request method (e.g., GET, POST). | squid.method | string |
| gen.proxy.httpStatus | HTTP response status code from the proxy. | squid.responseCode | pint |
| gen.proxy.bytesSent | Bytes sent through the proxy session. | squid.responseLength | pint |
| gen.src.ip | Source IP address. | squid.srcIP | text_general |
| gen.username | Username associated with the event. | squid.user | text_general |
Reference-Specific Fields (15)
| Field | Description | Type |
|---|---|---|
| squid.cacheResult | Cache action code indicating whether the request was a HIT, MISS, or other cache event. | string |
| squid.contentType | MIME content type of the response (e.g., text/html, application/json). | string |
| squid.dst | Destination IP address or hostname resolved from the URL. | text_general |
| squid.dstPort | Destination port number (e.g., 80, 443) extracted from the URL. | pint |
| squid.endpoint | Request URI path and query, normalized for logging. | string |
| squid.method | HTTP method used by the client (e.g., GET, POST). | string |
| squid.proxyHierarchyRoute | Hierarchy status code showing which cache or parent was used (e.g., DEFAULT_PARENT, NONE). | string |
| squid.requestTime | Time in milliseconds that Squid spent processing the client's request, from connection establishment to last byte sent. | plong |
| squid.responseCode | HTTP response status code that Squid returned to the client. | pint |
| squid.responseLength | Total number of bytes (headers + body) sent to the client. | plong |
| squid.scheme | URL scheme of the request (e.g., http, https). | string |
| squid.srcIP | IP address of the client that issued the request. | text_general |
| squid.timestamp | Timestamp of the client request in seconds since the Unix epoch, with millisecond resolution. | pdate |
| squid.upstream | Upstream server or peer that handled the request when forwarded (IP or cache_peer name). | string |
| squid.user | Authenticated username, or '-' if no authentication was required. | string |
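To make the Generic Fields and Reference-Specific Fields tables concrete, here is an added example (not code from the schema's own tooling) that maps one line of Squid's default native access.log format onto the squid.* fields and then fills in the gen.* aliases exactly as the Generic Fields table pairs them. It assumes the native log layout (time, elapsed ms, client, action/code, size, method, URL, user, hierarchy/peer, content type); the two sample lines are constructed, not real traffic.

```python
from datetime import datetime, timezone
from urllib.parse import urlsplit

# gen.* aliases are copies of squid.* fields, per the Generic Fields table above
GEN_ALIASES = {
    "gen.dest.port": "squid.dstPort", "gen.proxy.endpoint": "squid.endpoint",
    "gen.proxy.method": "squid.method", "gen.proxy.httpStatus": "squid.responseCode",
    "gen.proxy.bytesSent": "squid.responseLength", "gen.src.ip": "squid.srcIP",
    "gen.username": "squid.user",
}

def parse_squid_native(line: str) -> dict:
    """Map one Squid native-format access.log line onto the squid.* and gen.* fields.
    Assumed layout: time elapsed client action/code size method url user hier/from type."""
    parts = line.split()
    if len(parts) != 10:
        raise ValueError(f"expected 10 fields, got {len(parts)}: {line!r}")
    ts, elapsed, client, action_code, size, method, url, user, hier, ctype = parts
    action, _, status = action_code.partition("/")    # e.g. TCP_MISS/200
    route, _, upstream = hier.partition("/")          # e.g. HIER_DIRECT/93.184.216.34
    if "://" in url:
        u = urlsplit(url)
        scheme, host = u.scheme, u.hostname
        port = u.port or {"http": 80, "https": 443}.get(u.scheme)
        endpoint = u.path + (f"?{u.query}" if u.query else "")
    else:  # CONNECT tunnels are logged as host:port with no scheme or path
        host, _, p = url.rpartition(":")
        scheme, port, endpoint = None, int(p), url
    when = datetime.fromtimestamp(float(ts), tz=timezone.utc)
    ev = {
        "squid.timestamp": when.isoformat(timespec="milliseconds"),
        "squid.requestTime": int(elapsed), "squid.srcIP": client,
        "squid.cacheResult": action, "squid.responseCode": int(status),
        "squid.responseLength": int(size), "squid.method": method,
        "squid.scheme": scheme, "squid.dst": host, "squid.dstPort": port,
        "squid.endpoint": endpoint, "squid.user": user,
        "squid.proxyHierarchyRoute": route, "squid.upstream": upstream or None,
        "squid.contentType": ctype,
    }
    for gen, src in GEN_ALIASES.items():   # populate the cross-namespace aliases
        ev[gen] = ev[src]
    return ev

# Constructed sample lines (not real traffic): a plain HTTP fetch and a CONNECT tunnel
SAMPLE_HTTP = ("1713862025.123    245 10.0.0.5 TCP_MISS/200 3421 GET "
               "http://example.com:8080/index.html?x=1 - HIER_DIRECT/93.184.216.34 text/html")
SAMPLE_CONNECT = ("1713862025.500     87 10.0.0.5 TCP_TUNNEL/200 7180 CONNECT "
                  "secure.example.net:443 alice HIER_DIRECT/203.0.113.10 -")
```

Call `parse_squid_native(SAMPLE_HTTP)` or `parse_squid_native(SAMPLE_CONNECT)` to see the resulting event; the CONNECT case shows why squid.scheme can be absent while squid.dstPort is still populated.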
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.