| Field | Example | Type | Description |
|---|---|---|---|
| http_application | facebook | keyword | Layer 7 application name |
| http_bytes | 29347485 | long | Sum of request and response bytes (http_request_bytes + http_response_bytes) |
| http_content_type | application/octet-stream | keyword | MIME type of the HTTP content: https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/MIME_types |
| http_headers | | keyword | Full list of HTTP headers: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers |
| http_host | www.mycorp.local | keyword | Value of the `Host:` request header, if present |
| http_method | GET, POST | keyword | HTTP request method as defined in https://tools.ietf.org/html/rfc7231 (since superseded by RFC 9110) |
| http_referrer | http://mycorp.local/ | keyword | Value of the `Referer` header, if present (the header name is spelled with a single "r" on the wire; the field name uses the dictionary spelling) |
| http_request_bytes | 239478 | long | Size of the request in bytes |
| http_request_path | /path/to/resource?option=test | keyword | Path of the request. Field length/truncation at 8192 characters needs review (consider UTF-8, where one character can be several bytes). Some sources define the path as excluding the query string (the text after the `?`), but this value may include it. |
| http_response_bytes | 498274 | long | Size of the response in bytes |
| http_response | OK, Moved Permanently | keyword | Reason phrase mapped from the response code: https://www.w3.org/Protocols/rfc2616/rfc2616-sec6.html (since superseded by RFC 9110) |
| http_response_code | 200, 404, 500 | integer | Numeric server response (status) code |
| http_uri | https://www.graylog.org, https://www.graylog.org/blog, https://www.mycorp.local/workspaces/team#posts | keyword | Full request URI. Field length/truncation at 8192 characters needs review (consider UTF-8). |
| http_uri_category | Suspicious, Games | keyword | Categorization of the associated web site/URL |
| http_uri_stem | Default.htm | keyword | The target of the request, without the query string. For example, for http://www.test.com/test.jsp?hello=y the URI stem is /test.jsp |
| http_uri_query | hello=y | keyword | The query string the client sent. For example, for http://www.test.com/test.jsp?hello=y the query is hello=y |
| http_user_agent | Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0 | keyword | User-Agent string |
| http_user_agent_name | Firefox | keyword | Attempted identification of the browser client, usually based on user agent analysis |
| http_user_agent_os | Windows 10 | keyword | Operating system of the user agent, usually derived from the User-Agent string |
| http_version | 1.0, 1.1, 2.0 | keyword | HTTP version |
| http_xff | 10.1.2.3 | keyword | Value of the HTTP X-Forwarded-For header. Future: may map as IP; need to account for the different ways this is presented (it is commonly a comma-separated list of client and proxy addresses, and any entry not appended by a trusted proxy is client-controlled and can be forged). |
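The following is an added example, not Graylog code, showing how a log normalizer would derive several of the fields above from one access-log record: splitting http_uri into http_uri_stem / http_uri_query / http_request_path, capping fields at 8192 bytes without splitting a UTF-8 character, mapping http_response_code to the http_response reason phrase, and picking a usable client address out of an X-Forwarded-For list. The log line format, the `TRUSTED_PROXIES` list, the helper names and the extra `http_xff_client` output (which is not a field in the table) are assumptions made for illustration.

```python
"""Normalize an HTTP access-log record into the http_* fields of the table above.

Added example (not Graylog's code). The log line format, TRUSTED_PROXIES and
http_xff_client are assumptions made for illustration.
"""
import ipaddress
import re
from http import HTTPStatus
from urllib.parse import urlsplit

MAX_FIELD_BYTES = 8192  # the table's truncation limit, applied to UTF-8 bytes

# Assumption: address ranges of proxies whose X-Forwarded-For entries we trust.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed log format: src "METHOD URI HTTP/ver" status req_bytes resp_bytes "UA" "XFF"
LOG_RE = re.compile(
    r'(?P<src>\S+) "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<req_bytes>\d+) (?P<resp_bytes>\d+) '
    r'"(?P<ua>[^"]*)" "(?P<xff>[^"]*)"'
)

# Constructed sample record: the peer 10.0.0.5 is our proxy, 10.0.0.2 an inner
# proxy, 198.51.100.7 an untrusted external hop, 203.0.113.9 whatever it claimed.
SAMPLE_LINE = (
    '10.0.0.5 "GET https://www.mycorp.local/workspaces/team?tab=posts HTTP/1.1" '
    '200 512 4096 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) '
    'Gecko/20100101 Firefox/74.0" "203.0.113.9, 198.51.100.7, 10.0.0.2"'
)


def truncate_utf8(value: str, limit: int = MAX_FIELD_BYTES) -> str:
    """Cap a field at `limit` UTF-8 bytes without splitting a multi-byte character."""
    data = value.encode("utf-8")
    if len(data) <= limit:
        return value
    # errors="ignore" drops a partial trailing sequence instead of raising.
    return data[:limit].decode("utf-8", errors="ignore")


def split_uri(uri: str) -> dict:
    """Derive http_uri_stem, http_uri_query and http_request_path from a full URI."""
    parts = urlsplit(uri)
    stem = parts.path or "/"
    request_path = stem + ("?" + parts.query if parts.query else "")
    return {
        "http_uri": truncate_utf8(uri),
        "http_uri_stem": stem,
        "http_uri_query": parts.query,
        "http_request_path": truncate_utf8(request_path),  # includes the query, as the table allows
    }


def reason_phrase(code: int) -> str:
    """Map a numeric status code to its reason phrase (http_response)."""
    try:
        return HTTPStatus(code).phrase
    except ValueError:  # non-standard code, e.g. 999
        return "Unknown"


def client_ip_from_xff(xff: str, remote_addr: str) -> str:
    """Pick the client address from an X-Forwarded-For list.

    The header is client-controlled: only entries appended by our own proxies
    can be trusted. Walk from the right (the last hop) leftwards and stop at the
    first address that is not a trusted proxy. If every hop is trusted, the
    leftmost entry is the client.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    hops.append(remote_addr)  # the peer that connected to us is always known
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return hop  # malformed entry: surface it rather than trusting anything left of it
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return hops[0]


def normalize(line: str) -> dict:
    """Parse one log line into a dict keyed by the schema field names."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line")
    code = int(m["status"])
    req_bytes, resp_bytes = int(m["req_bytes"]), int(m["resp_bytes"])
    fields = {
        "http_method": m["method"],
        "http_version": m["version"],
        "http_response_code": code,
        "http_response": reason_phrase(code),
        "http_request_bytes": req_bytes,
        "http_response_bytes": resp_bytes,
        "http_bytes": req_bytes + resp_bytes,
        "http_user_agent": m["ua"],
        "http_host": urlsplit(m["uri"]).hostname,
    }
    fields.update(split_uri(m["uri"]))
    if m["xff"] and m["xff"] != "-":
        fields["http_xff"] = m["xff"]
        # Not a table field: shown to illustrate the trusted-proxy caveat.
        fields["http_xff_client"] = client_ip_from_xff(m["xff"], m["src"])
    return fields


if __name__ == "__main__":
    for key, value in normalize(SAMPLE_LINE).items():
        print(f"{key}: {value}")
```

For the sample record the XFF walk stops at 198.51.100.7, not at 203.0.113.9: the latter was inserted by an untrusted hop and could be anything. Note also that the byte-based truncation is what makes the "consider UTF-8" remark in the table concrete: cutting at a character count can leave a field that is far larger than 8192 bytes, while cutting at a byte count can leave a broken trailing character unless the cut is realigned as done here.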