| Field | Example | Type | Description |
|---|---|---|---|
| http_application | | keyword | Layer 7 application name, e.g. "Facebook". |
| http_bytes | | long | Size of request + response in bytes (http_request_bytes + http_response_bytes). |
| http_content_type | | keyword | MIME type of the HTTP content. https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types |
| http_headers | | keyword | Full list of HTTP headers. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers |
| http_host | | keyword | Value of the request's Host header, if present. |
| http_method | GET, POST | keyword | HTTP request method. |
| http_path | /path/to/resource?option=test | keyword | Path portion of the URL. Needs review of field length/truncation at 8192 characters (UTF-8 multi-byte characters must be taken into account). Some definitions exclude the query string (the text after the "?") from the path, but this value may include it. |
| http_referrer | | keyword | Value of the Referer header, if present (the header name is spelled "Referer" on the wire). |
| http_request_bytes | | long | Size of the request in bytes. |
| http_response_bytes | | long | Size of the response in bytes. |
| http_response | | keyword | Reason phrase mapped from the response code, e.g. "OK", "Not Found". https://www.w3.org/Protocols/rfc2616/rfc2616-sec6.html |
| http_response_code | | integer | Numeric server response code: 200, 404, 500, etc. |
| http_url | ftp://ftp01.server.internal/file.tar.gz, https://www.graylog.org, https://www.graylog.org/blog | keyword | Full URL. Needs review of field length/truncation at 8192 characters (UTF-8 multi-byte characters must be taken into account). |
| http_url_category | Suspicious, Games | keyword | URL category as assigned by the reporting device (e.g. a web proxy). |
| http_user_agent | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0 | keyword | Original User-Agent header value. |
| http_user_agent_analyzed | | text (standard analyzer) | Copy of http_user_agent indexed as analyzed text for full-text search. |
| http_user_agent_name | Firefox | keyword | Name of the user agent (browser or client). |
| http_user_agent_os | | keyword | Operating system reported by the user agent. |
| http_user_agent_length | | integer | String length of the original user agent. |
| http_version | 1.0, 1.1 | keyword | HTTP version. |
| http_xff | | keyword | Value of the X-Forwarded-For header. Future: may be mapped to an IP type; the header can carry a comma-separated list of addresses (client first, then each proxy), so the different ways it is presented need to be accounted for. |
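The following Python example, added here and not part of the schema page or of Graylog itself, shows how raw web-server or proxy log fields can be mapped onto the http_* fields above. It handles the edge cases the table flags: the query string kept in http_path, character-based truncation at 8192, the reason phrase derived from the status code (None for codes outside the standard set), the comma-separated X-Forwarded-For chain, and a minimal user-agent name/OS split. The input record layout, the helper names, the tiny user-agent pattern lists and the extra `http_xff_client_ip` field are assumptions for illustration; the sample records are constructed, not real traffic.

```python
import ipaddress
import re
from http import HTTPStatus
from typing import Optional
from urllib.parse import urlsplit

MAX_FIELD_CHARS = 8192  # truncation limit the table flags for http_path and http_url

# Deliberately small user-agent patterns (assumption for illustration; a real
# deployment would use a maintained UA database). Order matters: Edge and Chrome
# UAs also contain "Safari/", iPhone UAs also contain "Mac OS X" and Android
# UAs also contain "Linux", so the more specific pattern is listed first.
UA_NAME_PATTERNS = [
    ("Edge", re.compile(r"\bEdg(?:e|A|iOS)?/")),
    ("Chrome", re.compile(r"\bChrome/")),
    ("Firefox", re.compile(r"\bFirefox/")),
    ("Safari", re.compile(r"\bSafari/")),
    ("curl", re.compile(r"^curl/")),
]
UA_OS_PATTERNS = [
    ("iOS", re.compile(r"iPhone|iPad")),
    ("macOS", re.compile(r"Mac OS X")),
    ("Windows", re.compile(r"Windows NT")),
    ("Android", re.compile(r"Android")),
    ("Linux", re.compile(r"Linux")),
]


def first_match(patterns, text: str) -> Optional[str]:
    """Return the label of the first pattern that matches, else None."""
    for label, pattern in patterns:
        if pattern.search(text):
            return label
    return None


def truncate(value: str, limit: int = MAX_FIELD_CHARS) -> str:
    """Cut at `limit` characters, not bytes, so a multi-byte UTF-8 sequence is never split."""
    return value[:limit]


def to_int(value) -> int:
    """Byte counters are often logged as '-' when zero (Apache/Nginx convention)."""
    if value in (None, "", "-"):
        return 0
    return int(value)


def reason_phrase(code: Optional[int]) -> Optional[str]:
    """http_response: standard reason phrase for a status code, None if the code is unknown."""
    if code is None:
        return None
    try:
        return HTTPStatus(code).phrase
    except ValueError:
        return None


def parse_xff(header: Optional[str]):
    """X-Forwarded-For is 'client, proxy1, proxy2, ...'. Returns (first valid IP, hop list).
    Every hop except the one appended by your own proxy is attacker-controlled text,
    which is why the schema keeps the raw string as keyword rather than an IP type."""
    if not header:
        return None, []
    hops = [h.strip() for h in header.split(",") if h.strip()]
    for hop in hops:
        # Some proxies log "ip:port" for IPv4; IPv6 literals have more than one colon.
        candidate = hop.rsplit(":", 1)[0] if hop.count(":") == 1 else hop
        try:
            return str(ipaddress.ip_address(candidate)), hops
        except ValueError:
            continue  # e.g. the literal "unknown" some proxies insert
    return None, hops


def normalize_http(raw: dict) -> dict:
    """Map one raw record (a dict of already-extracted log fields) onto the http_* schema."""
    url = raw.get("url", "")
    parts = urlsplit(url)
    # http_path keeps the query string ("/blog?option=test"), as the table notes it may.
    path = parts.path + ("?" + parts.query if parts.query else "")
    req_bytes, resp_bytes = to_int(raw.get("request_bytes")), to_int(raw.get("response_bytes"))
    code = int(raw["status"]) if raw.get("status") else None
    ua = raw.get("user_agent") or ""
    xff_client, _ = parse_xff(raw.get("x_forwarded_for"))
    return {
        "http_method": raw.get("method"),
        "http_version": raw.get("version"),
        "http_url": truncate(url),
        "http_host": raw.get("host") or parts.hostname,
        "http_path": truncate(path),
        "http_content_type": raw.get("content_type"),
        "http_referrer": raw.get("referer"),
        "http_request_bytes": req_bytes,
        "http_response_bytes": resp_bytes,
        "http_bytes": req_bytes + resp_bytes,
        "http_response_code": code,
        "http_response": reason_phrase(code),
        "http_user_agent": ua or None,
        "http_user_agent_analyzed": ua or None,  # same value, indexed as analyzed text
        "http_user_agent_length": len(ua),
        "http_user_agent_name": first_match(UA_NAME_PATTERNS, ua),
        "http_user_agent_os": first_match(UA_OS_PATTERNS, ua),
        "http_xff": raw.get("x_forwarded_for"),
        # Hypothetical field, not in the table: the parsed client address that the
        # table's "Future: may map as IP" note would populate.
        "http_xff_client_ip": xff_client,
    }


# Constructed sample records for this example, not real traffic.
SAMPLE_RECORDS = [
    {
        "method": "GET", "url": "https://www.graylog.org/blog?option=test&q=%E2%9C%93",
        "host": "www.graylog.org", "version": "1.1", "status": "200",
        "request_bytes": "512", "response_bytes": "18432",
        "referer": "https://www.graylog.org", "content_type": "text/html",
        "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0",
        "x_forwarded_for": "203.0.113.7, 10.0.0.5",
    },
    {
        "method": "POST", "url": "http://intranet.example/upload/" + "a" * 9000,
        "version": "1.0", "status": "599", "request_bytes": "4096", "response_bytes": "-",
        "user_agent": "curl/8.4.0", "x_forwarded_for": "unknown, 198.51.100.9:4433",
    },
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        event = normalize_http(record)
        print({k: (v[:40] + "..." if isinstance(v, str) and len(v) > 40 else v) for k, v in event.items()})
```

The second record exercises the failure modes: a 9000-character path is cut to 8192 characters, a non-standard status 599 yields no reason phrase rather than an exception, "-" byte counters become 0, and the "unknown" hop in X-Forwarded-For is skipped while the port suffix on the next hop is stripped before validation.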