Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (5)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema: things like timestamps, unique identifiers, user IDs, or status codes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports.
| Field | Description | Reference-Specific Field | Type |
|---|---|---|---|
| gen.dest.ip | Destination IP address. | strongSwan.dst | text_general |
| gen.dest.port | Destination port number. | strongSwan.dstPort | pint |
| gen.src.ip | Source IP address. | strongSwan.src | text_general |
| gen.src.port | Source port number. | strongSwan.srcPort | pint |
| gen.username | Username associated with the event. | strongSwan.srcUser | text_general |
Reference-Specific Fields (27)
| Field | Description | Type |
|---|---|---|
| strongSwan.bytesIn | Total number of bytes received under this SA. | plong |
| strongSwan.bytesOut | Total number of bytes sent under this SA. | plong |
| strongSwan.child_sa.name | Identifier of the Child SA in logs, typically the connection name followed by the SA index (before the `\|` in ‹name\|uid›). | string |
| strongSwan.child_sa.spi | Array of Security Parameter Indices (SPIs) for the Child SA, used by the IPsec peer to select cryptographic state. | strings |
| strongSwan.child_sa.uid | Numeric unique ID of the Child SA (after the `\|` in ‹name\|uid›). | plong |
| strongSwan.dst | Destination IP address of the IKE or Child SA endpoint. | string |
| strongSwan.dstPort | Destination UDP port used for the IKE exchange. | pint |
| strongSwan.dstUser | Identity of the destination peer, as negotiated in IKE_AUTH. | string |
| strongSwan.ike_sa.name | Identifier(s) of the IKE SA, typically connection name and SA index, used when negotiating CHILD_SAs. | strings |
| strongSwan.ike_sa.uid | Numeric unique ID(s) of the IKE SA instance(s). | plongs |
| strongSwan.localTS | Array of local traffic selectors (IP/CIDR ranges) for this SA. | strings |
| strongSwan.msg | Full human-readable syslog message as emitted by the charon daemon. | text_general |
| strongSwan.newReqId | New request ID assigned after a re-auth or rekey operation. | string |
| strongSwan.new_child_sa.name | Name of the newly created Child SA after rekeying, following the same naming convention as `child_sa.name`. | string |
| strongSwan.new_child_sa.spi | Array of SPIs for the new Child SA post-rekey. | strings |
| strongSwan.new_child_sa.uid | Numeric unique ID of the new Child SA after rekeying. | plong |
| strongSwan.parsed | Boolean indicating whether the log line was successfully parsed by the ingest pipeline. | boolean |
| strongSwan.proposals | Array of negotiated encryption/authentication proposals for the SA. | strings |
| strongSwan.reason | Free-form text giving the reason for an error or informational event. | text_general |
| strongSwan.remoteTS | Array of remote traffic selectors for this SA. | strings |
| strongSwan.reqId | Numeric request ID used internally to correlate IKEv1 or IKEv2 exchanges. | plong |
| strongSwan.reqParam | Additional parameters passed with the request (e.g., authentication or config payloads). | strings |
| strongSwan.reqType | Type of IKE request (e.g., IKE_SA_INIT, IKE_AUTH, CREATE_CHILD_SA). | string |
| strongSwan.src | Source IP address of the IKE or Child SA endpoint. | string |
| strongSwan.srcPort | Source UDP port (e.g., 500 or 4500) used for the IKE exchange. | pint |
| strongSwan.srcUser | Identity (e.g., FQDN, UPN) of the source peer, as negotiated in IKE_AUTH. | string |
| strongSwan.subsys | Subsystem or module tag (e.g. IKE, ENC, NET) indicating which component logged the message. | string |
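To make the field table concrete, the following added example (not part of this schema page or of the strongSwan project) shows a minimal ingest-side parser that turns raw charon syslog lines into the `strongSwan.*` fields above and then derives the `gen.*` fields from the mapping in the Generic Fields table. The sample log lines are constructed for this example and are assumed to follow the usual charon phrasing for established IKE_SAs, established CHILD_SAs and packet send/receive messages; the regular expressions, the `parse_charon_line` function and the `GENERIC_MAP` dictionary are this example's own, not anything the pipeline ships. Lines that match no known shape keep `strongSwan.parsed` false so they can be counted and triaged rather than silently dropped.

```python
import re

# Constructed sample syslog lines in the typical charon format (assumption, not
# taken from the page). IPs use documentation ranges (RFC 5737).
SAMPLE_LINES = [
    "Jun 12 10:15:02 vpn-gw charon: 07[IKE] IKE_SA site-a[3] established between "
    "203.0.113.10[vpn-gw.example.com]...198.51.100.7[branch.example.com]",
    "Jun 12 10:15:02 vpn-gw charon: 07[IKE] CHILD_SA site-a{5} established with SPIs "
    "c1b6d3a2_i 8e4f0a11_o and TS 10.0.0.0/24 === 192.168.1.0/24",
    "Jun 12 10:15:02 vpn-gw charon: 07[NET] sending packet: from 203.0.113.10[500] "
    "to 198.51.100.7[500] (76 bytes)",
    "Jun 12 10:15:03 vpn-gw sshd[812]: Accepted publickey for ops from 192.0.2.9",
]

# Message shapes recognised by this example parser (assumed charon phrasing).
CHARON_PREFIX = re.compile(r"charon: \d+\[(?P<subsys>[A-Z]+)\] (?P<msg>.*)$")
CHILD_ESTABLISHED = re.compile(
    r"^CHILD_SA (?P<name>\S+)\{(?P<uid>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS "
    r"(?P<local_ts>.+?) === (?P<remote_ts>.+)$"
)
IKE_ESTABLISHED = re.compile(
    r"^IKE_SA (?P<name>\S+)\[(?P<uid>\d+)\] established between "
    r"(?P<src>[0-9a-f.:]+)\[(?P<src_user>[^\]]+)\]\.\.\."
    r"(?P<dst>[0-9a-f.:]+)\[(?P<dst_user>[^\]]+)\]$"
)
PACKET = re.compile(
    r"^(?:sending|received) packet: from (?P<src>[0-9a-f.:]+)\[(?P<src_port>\d+)\] "
    r"to (?P<dst>[0-9a-f.:]+)\[(?P<dst_port>\d+)\]"
)

# gen.* fields are copies of these strongSwan.* fields (mapping from the page's
# Generic Fields table).
GENERIC_MAP = {
    "gen.dest.ip": "strongSwan.dst",
    "gen.dest.port": "strongSwan.dstPort",
    "gen.src.ip": "strongSwan.src",
    "gen.src.port": "strongSwan.srcPort",
    "gen.username": "strongSwan.srcUser",
}


def parse_charon_line(line: str) -> dict:
    """Map one syslog line to a flat dict of strongSwan.* and gen.* fields.

    strongSwan.parsed is True only when the message matched a known shape, so
    unrecognised charon output and non-charon lines remain visible as failures.
    """
    event = {"strongSwan.parsed": False}
    m = CHARON_PREFIX.search(line)
    if not m:
        return event  # not emitted by charon at all; nothing else to fill in
    msg = m.group("msg")
    event["strongSwan.subsys"] = m.group("subsys")
    event["strongSwan.msg"] = msg

    if c := CHILD_ESTABLISHED.match(msg):
        # Child SA: name/uid come from "name{uid}"; both SPIs land in one array.
        event["strongSwan.child_sa.name"] = c.group("name")
        event["strongSwan.child_sa.uid"] = int(c.group("uid"))
        event["strongSwan.child_sa.spi"] = [c.group("spi_in"), c.group("spi_out")]
        event["strongSwan.localTS"] = c.group("local_ts").split()
        event["strongSwan.remoteTS"] = c.group("remote_ts").split()
        event["strongSwan.parsed"] = True
    elif i := IKE_ESTABLISHED.match(msg):
        # IKE SA fields are arrays in the schema (strings / plongs).
        event["strongSwan.ike_sa.name"] = [i.group("name")]
        event["strongSwan.ike_sa.uid"] = [int(i.group("uid"))]
        event["strongSwan.src"] = i.group("src")
        event["strongSwan.srcUser"] = i.group("src_user")
        event["strongSwan.dst"] = i.group("dst")
        event["strongSwan.dstUser"] = i.group("dst_user")
        event["strongSwan.parsed"] = True
    elif p := PACKET.match(msg):
        event["strongSwan.src"] = p.group("src")
        event["strongSwan.srcPort"] = int(p.group("src_port"))
        event["strongSwan.dst"] = p.group("dst")
        event["strongSwan.dstPort"] = int(p.group("dst_port"))
        event["strongSwan.parsed"] = True

    # Derive the generic namespace from whatever reference fields were set.
    for gen_field, ref_field in GENERIC_MAP.items():
        if ref_field in event:
            event[gen_field] = event[ref_field]
    return event


def unparsed_count(lines) -> int:
    """Number of lines the pipeline could not map; worth alerting on if it grows."""
    return sum(1 for line in lines if not parse_charon_line(line)["strongSwan.parsed"])


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_charon_line(line))
    print("unparsed:", unparsed_count(SAMPLE_LINES))
```

Note that the page's `‹name|uid›` convention is realised here as the separate `child_sa.name` and `child_sa.uid` fields; if your pipeline stores the joined form as well, it is the two values concatenated with `|`. Tracking `unparsed_count` over time is a cheap way to notice when a strongSwan upgrade changes message wording and events start arriving with `strongSwan.parsed` false.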
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.