Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (3)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema: things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports. Each generic field is populated from the namespace-specific field listed beside it.
| Field | Description | Reference-Specific Field | Type |
|---|---|---|---|
| gen.src.ip | Source IP address. | ssh.srcIP | text_general |
| gen.src.port | Source port number. | ssh.srcPort | pint |
| gen.username | Username associated with the event. | ssh.username | text_general |
Reference-Specific Fields (10)
| Field | Description | Type |
|---|---|---|
| ssh.action | SSH action field indicating the operation performed (e.g., connect, disconnect, command execution). | string |
| ssh.authMethod | SSH authentication method field specifying how the user authenticated (e.g., password, publickey). | string |
| ssh.fingerprint | | string |
| ssh.procID | SSH process ID field indicating the operating system process ID handling the SSH session. | pint |
| ssh.reason | SSH reason field providing additional information about the result (e.g., authentication error, timeout). | text_general |
| ssh.result | SSH result field indicating the outcome of the action (e.g., success, failure). | string |
| ssh.srcIP | SSH source IP field containing the IP address of the client initiating the connection. | text_general |
| ssh.srcPort | SSH source port field specifying the TCP port on the client side. | pint |
| ssh.uid | SSH user ID field representing the numeric identifier of the user on the system. | pint |
| ssh.username | SSH username field containing the account name used for the session. | text_general |
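The following is an added example, not code or a sample from the schema page or the SIEM it describes. It shows how a defender would use the three tables above: check an event's fields against the declared types, derive the shared gen.* fields from their ssh.* counterparts so cross-namespace searches work, and then run one such search (failed SSH authentications grouped by gen.src.ip). The mapping of the Solr-style type names to Python checks (pdate as an ISO 8601 string, pint as an integer) and the sample events are assumptions made for the example.

```python
"""Added example: validate SSH events against the schema tables, populate the
generic gen.* aliases, and run a cross-field query. Sample events are constructed."""
from collections import Counter
from datetime import datetime

# Field -> type, copied from the Global, Generic and Reference-Specific tables.
SCHEMA = {
    "ngs.createdAt": "pdate", "ngs.id": "string",
    "ngs.indexedAt": "pdate", "ngs.source": "string",
    "gen.src.ip": "text_general", "gen.src.port": "pint", "gen.username": "text_general",
    "ssh.action": "string", "ssh.authMethod": "string", "ssh.fingerprint": "string",
    "ssh.procID": "pint", "ssh.reason": "text_general", "ssh.result": "string",
    "ssh.srcIP": "text_general", "ssh.srcPort": "pint", "ssh.uid": "pint",
    "ssh.username": "text_general",
}

# Generic field -> namespace field it is populated from (Generic Fields table).
GENERIC_ALIASES = {
    "gen.src.ip": "ssh.srcIP",
    "gen.src.port": "ssh.srcPort",
    "gen.username": "ssh.username",
}

def _is_pdate(value):
    # Assumption: pdate values are ISO 8601 strings such as 2024-01-01T00:00:00Z.
    if not isinstance(value, str):
        return False
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False

# Assumed interpretation of the Solr-style type names.
CHECKERS = {
    "pdate": _is_pdate,
    "pint": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "string": lambda v: isinstance(v, str),
    "text_general": lambda v: isinstance(v, str),
}

def validate(event):
    """Return a list of problems: unknown field names and type mismatches."""
    problems = []
    for name, value in event.items():
        ftype = SCHEMA.get(name)
        if ftype is None:
            problems.append(f"unknown field {name}")
        elif not CHECKERS[ftype](value):
            problems.append(f"{name}: expected {ftype}, got {type(value).__name__}")
    return problems

def normalize(event):
    """Copy ssh.* values into their gen.* aliases so cross-namespace searches see them."""
    out = dict(event)
    for gen_field, src_field in GENERIC_ALIASES.items():
        if src_field in out and gen_field not in out:
            out[gen_field] = out[src_field]
    return out

def failures_by_source(events, threshold):
    """Count events with ssh.result == failure per gen.src.ip; keep sources at/above threshold."""
    counts = Counter(
        e["gen.src.ip"] for e in events
        if e.get("ssh.result") == "failure" and "gen.src.ip" in e
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample events (not taken from the page); RFC 5737 documentation addresses.
def _sample_event(i, ip, result, method="password"):
    return {
        "ngs.id": f"evt-{i}",
        "ngs.createdAt": f"2024-01-01T00:00:{i:02d}Z",
        "ngs.indexedAt": f"2024-01-01T00:00:{i + 1:02d}Z",
        "ngs.source": "sshd",
        "ssh.action": "connect",
        "ssh.authMethod": method,
        "ssh.result": result,
        "ssh.srcIP": ip,
        "ssh.srcPort": 50000 + i,
        "ssh.username": "alice",
        "ssh.procID": 1000 + i,
    }

SAMPLE_EVENTS = [_sample_event(i, "203.0.113.5", "failure") for i in range(5)] + [
    _sample_event(5, "198.51.100.7", "success", "publickey"),
    _sample_event(6, "198.51.100.7", "failure"),
]

if __name__ == "__main__":
    normalized = [normalize(e) for e in SAMPLE_EVENTS]
    for e in normalized:
        assert not validate(e), validate(e)
    print(failures_by_source(normalized, threshold=3))  # {'203.0.113.5': 5}
```

Validation runs before normalization so that a producer sending `ssh.srcPort` as a string, or a field outside the schema, is reported at ingest rather than silently indexed under the wrong type; the aliasing step is what lets a single `gen.src.ip` search cover SSH and any other namespace that maps into the generic fields.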
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.