Global Fields (4)
| Field | Description | Type |
|---|---|---|
| ngs.createdAt | Timestamp when the event was created locally. | pdate |
| ngs.id | Unique identifier for the log entry. | string |
| ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
| ngs.source | Origin or source system of the log. | string |
Generic Fields (4)
These are common fields that appear across multiple namespaces. They represent attributes that are inherited or reused from a global schema: timestamps, unique identifiers, user IDs, status codes and similar attributes that every namespace needs. By sharing these fields, we ensure consistency and make it easy to run cross-namespace searches and reports. Each generic field below is populated from the reference-specific Unbound field listed beside it.
| Field | Description | Reference-Specific Field | Type |
|---|---|---|---|
| gen.src.ip | Source IP address. | unbound.ClientIP | text_general |
| gen.dns.domain | Queried DNS domain name. | unbound.Domain | strings |
| gen.dns.record | DNS record type (e.g., A, AAAA, MX). | unbound.RecordType | strings |
| gen.severity | Normalized severity field across log sources. | unbound.Severity | strings |
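The mapping above, as an added example that is not part of this schema page or the SIEM's own code: a small normalizer that checks an Unbound event against the declared field types (plong, pint, pfloat, pdate, string/text_general), derives the gen.* fields from their reference-specific counterparts, and reports any field that is unknown or mistyped. The event is assumed to arrive as a flat JSON object with dotted keys; the sample event is constructed for the example.

```python
import json
from datetime import datetime

# Field types copied from the Global and Reference-Specific tables on this page.
FIELD_TYPES = {
    "ngs.createdAt": "pdate", "ngs.id": "string", "ngs.indexedAt": "pdate",
    "ngs.source": "string", "unbound.CacheHits": "plong",
    "unbound.Class": "string", "unbound.ClientIP": "string",
    "unbound.Domain": "string", "unbound.LogType": "string",
    "unbound.Msg": "text_general", "unbound.Prefetch": "plong",
    "unbound.Queries": "plong", "unbound.RecordType": "string",
    "unbound.Recursions": "plong", "unbound.Rejected": "plong",
    "unbound.RequestList.Avg": "pfloat", "unbound.RequestList.Exceeded": "plong",
    "unbound.RequestList.Jostled": "plong", "unbound.RequestList.Max": "plong",
    "unbound.Severity": "string", "unbound.Thread": "pint",
}
# gen.* field derived from each reference-specific field (Generic Fields table).
GENERIC_MAP = {
    "unbound.ClientIP": "gen.src.ip", "unbound.Domain": "gen.dns.domain",
    "unbound.RecordType": "gen.dns.record", "unbound.Severity": "gen.severity",
}

def coerce(value, solr_type):
    """Convert a raw value to the Python type implied by the Solr field type;
    raises ValueError/TypeError when the value does not fit that type."""
    if solr_type in ("plong", "pint"):
        n = int(value)
        bits = 31 if solr_type == "pint" else 63
        if not -2 ** bits <= n < 2 ** bits:
            raise ValueError("out of range")
        return n
    if solr_type == "pfloat":
        return float(value)
    if solr_type == "pdate":
        return datetime.fromisoformat(str(value).replace("Z", "+00:00"))
    return str(value)  # string and text_general

def normalize(raw):
    """Validate an event against FIELD_TYPES and add gen.* fields.
    Omitted fields stay omitted; returns (event, list of problems)."""
    event, problems = {}, []
    for key, value in raw.items():
        solr_type = FIELD_TYPES.get(key)
        if solr_type is None:
            problems.append(f"{key}: not in schema")
            continue
        try:
            event[key] = coerce(value, solr_type)
        except (TypeError, ValueError):
            problems.append(f"{key}: {value!r} is not a valid {solr_type}")
            continue
        if key in GENERIC_MAP:
            event[GENERIC_MAP[key]] = event[key]
    return event, problems

# Constructed sample event (not from the page); counters arrive as strings.
SAMPLE = json.loads('{"ngs.id": "evt-1", "ngs.createdAt": "2024-05-01T12:00:00Z",'
                    ' "unbound.ClientIP": "192.0.2.10", "unbound.Domain": "example.com",'
                    ' "unbound.RecordType": "A", "unbound.Queries": "42",'
                    ' "unbound.RequestList.Avg": "1.5", "unbound.Severity": "info"}')
```

Running `normalize(SAMPLE)` yields an event carrying both the unbound.* and the derived gen.* fields, with an empty problem list; a field such as `"unbound.Queries": "many"` is reported instead of silently indexed.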
Reference-Specific Fields (17)
| Field | Description | Type |
|---|---|---|
| unbound.CacheHits | Number of queries answered from cache. | plong |
| unbound.Class | DNS class of the record (usually "IN" for Internet). | string |
| unbound.ClientIP | IP address of the client making the DNS request. | string |
| unbound.Domain | Domain name involved in the logged operation. | string |
| unbound.LogType | Type of log entry (e.g., "info", "error", "debug"). | string |
| unbound.Msg | Additional message or note associated with the log entry. | text_general |
| unbound.Prefetch | Number of prefetch operations executed. | plong |
| unbound.Queries | Total number of queries processed. | plong |
| unbound.RecordType | DNS record type queried or processed (e.g., "A", "AAAA", "MX"). | string |
| unbound.Recursions | Number of recursive queries performed. | plong |
| unbound.Rejected | Number of queries that were rejected (e.g., due to access control). | plong |
| unbound.RequestList.Avg | Average size of the request list over time. | pfloat |
| unbound.RequestList.Exceeded | Number of times the request list capacity was exceeded. | plong |
| unbound.RequestList.Jostled | Count of entries removed (jostled out) from the request list due to overflow. | plong |
| unbound.RequestList.Max | Maximum size reached by the request list. | plong |
| unbound.Severity | Severity level of the log message. | string |
| unbound.Thread | Identifier of the Unbound thread handling this request. | pint |
Sample Log Event
Below is a representative JSON log entry showing key fields as they're emitted by the system. Depending on the context of the event, some fields may be omitted if they're not applicable.