HTTP Fields¶

HTTP Fields¶
Field Name	Example Values	Field Type	Notes
http_application	facebook	keyword	Layer 7 application name
http_bytes	29347485	Long	Sum of request + response bytes
http_content_type	application/octet-stream	keyword	Mime type of http content https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types
http_headers		keyword	Full list of http headers https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
http_host	Host: wwww.mycorp.local	keyword	host: … header from request, if present
http_referrer	http://mycorp.local/	keyword	“referer” header value if present
http_request_bytes	239478	long	SIze of request
http_request_method	GET, POST	keyword	HTTP request method from https://tools.ietf.org/html/rfc7231
http_request_path	/path/to/resource?option=test	keyword	Need to review field length/truncation at 8192 characters (consider utf-8). Some may consider the path not to include the “query” (text after the last “/”) but this value may include it.
http_response_bytes	498274	long	Size of response
http_response	OK, Moved Permanently	keyword	Text response mapped from the response code https://www.w3.org/Protocols/rfc2616/rfc2616-sec6.html
http_response_code	200, 404, 500	integer	Numeric server response code
http_uri	https://www.graylog.org, https://www.graylog.org/blog, https://www.mycorp.local/workspaces/team#posts	keyword	Full request string; Need to review field length/truncation at 8192 characters (consider utf-8)
http_uri_category	Suspicious, Games	keyword	Categorization of associated web site/URL
http_uri_stem	Default.htm	keyword	The target of the request. For Example: http://www.test.com/test.jsp?hello=y the URI stem is /test.jsp
http_uri_query	hello=y	keyword	The query the client was trying to perform. Example http://www.test.com/test.jsp?hello=y the query is hello=y
http_user_agent	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0)	keyword	User Agent string
http_user_agent_name	Firefox	keyword	Attempted identification of the browser client usually based on user agent analysis
http_user_agent_os	Windows 10	keyword	Operating System of User Agent
http_version	1.0, 1.1, 2.0	keyword	HTTP version
http_xff	X-Forwarded-For: 10.1.2.3	keyword	HTTP x-forwarded-for header value. Future: May map as IP, need to account for different ways this is presented.

Derived and Enriched Fields (values will be derived or added from external sources)¶
Field Name	Example Values	Field Type	Notes
http_request_path_analyzed		** TBD	Need to review best analyzer configuration for HTTP paths / consider truncation
http_uri_analyzed	ftp://ftp01.server.internal/file.tar.gz, https://www.graylog.org, https://www.graylog.org/blog	text/standard	Optionally copied when a URL must be tokenized. Future: will have to research best analyzer config / consider truncation
http_uri_length	9283	long	String length of HTTP user agent
http_user_agent_analyzed		text/standard	This is a copy of the http_user_agent field but processed with text analysis
http_user_agent_length	54	long	String length of original user agent