Log Fields
When a log arrives, GridNMS normalizes it into a consistent set of named fields. That’s what lets you search across logs from very different devices in one query, and write detections that match on, say, a source IP no matter which vendor produced the message. This page lists the standard fields and the common names GridNMS recognizes for them.
Anything that doesn’t map to a standard field is still kept — see Field Extraction for adding your own.
Always-present fields
Every log carries these, taken straight from the message and how it arrived:
| Field | What it is |
|---|---|
| _time | When the event happened, from the log’s own timestamp |
| _raw | The original, unmodified message |
| host | The logging source — the device’s hostname or IP from the log header |
| source | Where the log came in (for example, the syslog port or an HTTP endpoint) |
| sourcetype | The detected log format (for example, Linux auth, CEF, LEEF) |
| sender_ip | The IP that actually sent the packet — useful for forensics when it differs from host |
| severity | Syslog severity, 0 (emergency) through 7 (debug) |
| facility | Syslog facility |
Who, what, and where
These fields describe the actors and the action in a log line. They’re filled in as GridNMS recognizes a format, and you can populate more of them with Field Extraction.
| Field | What it is |
|---|---|
| event_type | The kind of event — for example, a user login or a network connection |
| principal_user | The actor — a login name or service account |
| principal_ip | The actor’s IP address |
| principal_hostname | The actor’s hostname |
| target_ip | The destination IP |
| target_hostname | The destination hostname |
| target_user | The target user (for example, the account a sudo switched to) |
| src_ip / src_port | The source of a network flow |
| target_port | The destination port of a network flow |
| network_protocol | The protocol — for example, tcp, ssh, http |
| action | The verb — login, disconnect, allow, drop, block |
| outcome | success or failure (empty when unknown) |
Field names GridNMS recognizes automatically
Different vendors call the same thing by different names. GridNMS maps the common variants onto the standard fields above, so you can search the standard name and catch them all. A few examples:
| Standard field | Also recognized as |
|---|---|
| src_ip | sourceip, source_ip, src, srcip, client_ip, remote_ip, remote_addr |
| src_port | source_port, sport, spt |
| target_ip | destination_ip, dest_ip, dst_ip, dst, dstip |
| target_port | destination_port, dest_port, dport, dpt |
| principal_user | user, username, account, userid, login |
| network_protocol | protocol, proto, ip_protocol |
| action | act, verb |
| outcome | result, status |
What fills these fields in
- Built-in parsers handle common formats out of the box — Linux authentication (sshd) logins, and CEF / LEEF security events.
- A generic key=value fallback pulls structured pairs out of any other format.
- Your own rules, added under Configure → Field Extraction, handle gear-specific formats. See Field Extraction.
Once a field is populated, you can filter on it in Log Search and group or match on it in a detection.
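To show what the alias mapping and the key=value fallback buy you in practice, here is an added example (not GridNMS code) that pulls key=value pairs out of a line, renames the aliases from the table above onto the standard fields, and then runs one `src_ip` filter across lines from differently-named vendors. The sample log lines and the `normalize_kv` / `search` helpers are constructed for this illustration.

```python
import re
from typing import Dict, List

# Alias -> standard field, built from the "Also recognized as" table on this page.
STANDARD_ALIASES = {
    "src_ip": ["sourceip", "source_ip", "src", "srcip", "client_ip", "remote_ip", "remote_addr"],
    "src_port": ["source_port", "sport", "spt"],
    "target_ip": ["destination_ip", "dest_ip", "dst_ip", "dst", "dstip"],
    "target_port": ["destination_port", "dest_port", "dport", "dpt"],
    "principal_user": ["user", "username", "account", "userid", "login"],
    "network_protocol": ["protocol", "proto", "ip_protocol"],
    "action": ["act", "verb"],
    "outcome": ["result", "status"],
}
ALIASES: Dict[str, str] = {}
for standard, variants in STANDARD_ALIASES.items():
    ALIASES[standard] = standard          # the standard name maps to itself
    for variant in variants:
        ALIASES[variant] = standard

# key=value pairs; values may be quoted so they can contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def normalize_kv(line: str) -> Dict[str, str]:
    """Generic key=value fallback: extract pairs, map known aliases onto the
    standard field names, keep unknown keys unchanged, and keep the original
    message under _raw. First occurrence wins if two aliases collide."""
    fields = {"_raw": line}
    for key, value in KV_RE.findall(line):
        standard = ALIASES.get(key.lower(), key.lower())
        fields.setdefault(standard, value.strip('"'))
    return fields


def search(lines: List[str], field: str, value: str) -> List[str]:
    """Filter lines on a standard field, the way a Log Search query would."""
    return [ln for ln in lines if normalize_kv(ln).get(field) == value]


# Constructed sample lines: three vendors naming the same source address differently.
SAMPLE_LINES = [
    'act=drop src=203.0.113.7 spt=51515 dst=198.51.100.2 dpt=22 proto=tcp',
    'remote_addr=203.0.113.7 username="svc backup" verb=login result=failure',
    'sourceip=192.0.2.9 dest_ip=198.51.100.2 dport=443 protocol=tcp status=success',
]

if __name__ == "__main__":
    for hit in search(SAMPLE_LINES, "src_ip", "203.0.113.7"):
        print(hit)
```

The same `src_ip` query matches both the `src=` and the `remote_addr=` lines, which is the point of normalizing before searching.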