# Events/Logs Schema

When events are sent from open-appsec agents to be viewed in the cloud application and/or to a Syslog/CEF server, they are sent in a specific field structure.

This page documents the fields that are sent. This allows [filter queries](https://docs.openappsec.io/references/event-query-language) in the cloud application and log parsing on the Syslog/CEF side (see the configuration of [Trigger objects](https://docs.openappsec.io/setup-instructions/setup-log-triggers) for more info).

## Schema in OpenAPI format

See below the security logs schema in OpenAPI format.

{% file src="https://1225393248-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FNcZmX14M2KdTBrq9EOnI%2Fuploads%2Fl1f8vfd3gKT0bGKQNwS6%2Fagents-security-logs-openapi-schema-v1.0.4.json?alt=media&token=3c83b659-9854-440b-82c6-370ca0397cab" %}

The definitions per field are relevant even when the logs aren't sent in JSON format.

## Log fields

This table shows the predefined field keywords alongside their view name in the logs table and log cards.

{% hint style="warning" %}
In brackets next to each field name is the name used when the event is sent to syslog/CEF. Usually the difference is simply an all-lowercase format vs. lowerCamelCase.
{% endhint %}

<table><thead><tr><th width="150">Field Name in Log View</th><th width="150">Field Name</th><th>Description</th></tr></thead><tbody>
<tr><td><code>Event Name</code></td><td><code>eventname</code><br><code>(title - for syslog only)</code></td><td>Describes the event in text.</td></tr>
<tr><td><code>Severity</code></td><td><code>eventseverity</code><br><code>(eventSeverity)</code></td><td>Info, Low, Medium, High, Critical</td></tr>
<tr><td><code>Priority</code></td><td><code>eventpriority</code><br><code>(eventPriority)</code></td><td>Low, Medium, High, Urgent</td></tr>
<tr><td><code>Confidence Level</code></td><td><code>eventconfidence</code><br><code>(eventConfidence)</code></td><td>Low, Medium, High, Very High<br>(The higher the confidence level, the less likely it is that the event is a false positive.)</td></tr>
<tr><td><code>Event Reference Id</code></td><td><code>eventreferenceid</code><br><code>(eventReferenceId)</code></td><td>Some events show the user a reference ID (for example on the HTTP response page served upon prevention). That reference ID correlates to this field in the log.</td></tr>
<tr><td><code>Agent UUID</code></td><td><code>agentid</code><br><code>(agentId)</code></td><td>UUID of the agent creating the log, if applicable.</td></tr>
<tr><td><code>Issuing Engine Version</code></td><td><code>issuingengineversion</code><br><code>(issuingEngineVersion)</code></td><td>The version of the agent and service reporting this event.</td></tr>
<tr><td><code>Security Action</code></td><td><code>securityaction</code><br><code>(securityAction)</code></td><td>The action taken by the security practice upon this event.</td></tr>
<tr><td><code>Asset Name</code></td><td><code>assetname</code><br><code>(assetName)</code></td><td>The name of the asset protected by the security practice that found a match and issued this log.</td></tr>
<tr><td><code>Asset ID</code></td><td><code>assetid</code><br><code>(assetId)</code></td><td>The object ID of the asset protected by the security practice that found a match and issued this log.</td></tr>
<tr><td><code>Zone Name</code></td><td><code>zonename</code><br><code>(zoneName)</code></td><td>The name of the zone protected by the security practice that found a match and issued this log.</td></tr>
<tr><td><code>Zone ID</code></td><td><code>zoneid</code><br><code>(zoneId)</code></td><td>The object ID of the zone protected by the security practice that found a match and issued this log. This can be used for unique searches when given names are similar.</td></tr>
<tr><td><code>Practice Type</code></td><td><code>practicetype</code><br><code>(practiceType)</code></td><td>The type of the security practice that found a match and issued this log (e.g. "Threat Prevention").</td></tr>
<tr><td><code>Practice SubType</code></td><td><code>practicesubtype</code><br><code>(practiceSubType)</code></td><td>The subtype of the security practice that found a match and issued this log (e.g. "Web Application").</td></tr>
<tr><td><code>Practice Name</code></td><td><code>practicename</code><br><code>(practiceName)</code></td><td>The name of the security practice that found a match and issued this log.</td></tr>
<tr><td><code>Practice ID</code></td><td><code>practiceid</code><br><code>(practiceId)</code></td><td>The object UUID of the security practice that found a match and issued this log. This can be used for unique searches when given names are similar.</td></tr>
<tr><td><code>Source IP</code></td><td><code>sourceip</code><br><code>(sourceIp)</code></td><td>Source IP address of the network traffic that caused the matched event.</td></tr>
<tr><td><code>Source Port</code></td><td><code>sourceport</code><br><code>(sourcePort)</code></td><td>Source TCP/UDP port of the network traffic that caused the matched event.</td></tr>
<tr><td><code>Source Country</code></td><td><code>sourcecountryname</code><br><code>(sourceCountryName)</code></td><td>Source country name of the network traffic that caused the matched event, if applicable.</td></tr>
<tr><td><code>Destination IP</code></td><td><code>destinationip</code><br><code>(destinationIp)</code></td><td>Destination IP address of the network traffic that caused the matched event.</td></tr>
<tr><td><code>Destination Port</code></td><td><code>destinationport</code><br><code>(destinationPort)</code></td><td>Destination TCP/UDP port of the network traffic that caused the matched event.</td></tr>
<tr><td><code>Destination Country</code></td><td><code>destinationcountryname</code><br><code>(destinationCountryName)</code></td><td>Destination country of the network traffic that caused the matched event, if applicable.</td></tr>
<tr><td><code>IP Protocol</code></td><td><code>ipprotocol</code><br><code>(ipProtocol)</code></td><td>IP protocol of the network traffic that caused the matched event.</td></tr>
<tr><td><code>Source Identifier</code></td><td><code>httpsourceid</code><br><code>(httpSourceId)</code></td><td>The source identifier as determined from the HTTP traffic according to configuration (the X-Forwarded-For header, a cookie, the source IP address, etc.).</td></tr>
<tr><td><code>HTTP Host</code></td><td><code>httphostname</code><br><code>(httpHostName)</code></td><td>The HTTP host name as determined from the HTTP traffic.</td></tr>
<tr><td><code>HTTP Method</code></td><td><code>httpmethod</code><br><code>(httpMethod)</code></td><td>HTTP method as determined from the HTTP traffic (e.g. GET, POST).</td></tr>
<tr><td><code>HTTP URI Path</code></td><td><code>httpuripath</code><br><code>(httpUriPath)</code></td><td>HTTP URI path as determined from the HTTP traffic.</td></tr>
<tr><td><code>HTTP URI Query</code></td><td><code>httpuriquery</code><br><code>(httpUriQuery)</code></td><td>HTTP URI query as determined from the HTTP traffic.</td></tr>
<tr><td><code>HTTP Request Headers</code></td><td><code>httprequestheaders</code><br><code>(httpRequestHeaders)</code></td><td>HTTP request headers (sent only if the relevant additional logging is configured on the <a href="../setup-instructions/setup-log-triggers">trigger</a> object that was used).</td></tr>
<tr><td><code>HTTP Request Body</code></td><td><code>httprequestbody</code><br><code>(httpRequestBody)</code></td><td>HTTP request body (sent only if the relevant additional logging is configured on the <a href="../setup-instructions/setup-log-triggers">trigger</a> object that was used). The body is truncated if too long.</td></tr>
<tr><td><code>Incident Type</code></td><td><code>waapincidenttype</code><br><code>(waapIncidentType)</code></td><td>AppSec incident type (e.g. LDAP injection, SQL injection).</td></tr>
<tr><td><code>Incident Details</code></td><td><code>waapincidentdetails</code><br><code>(waapIncidentDetails)</code></td><td>A more granular description of the event caught by AppSec.</td></tr>
<tr><td><code>User Reputation</code></td><td><code>waapuserreputation</code><br><code>(waapUserReputation)</code></td><td>AppSec user reputation for the identified source.</td></tr>
<tr><td><code>Matched Location</code></td><td><code>matchedlocation</code><br><code>(matchedLocation)</code></td><td>The location within the HTTP traffic where an indicator causing this event was detected (e.g. "referer parameter").</td></tr>
<tr><td><code>Matched Parameter</code></td><td><code>matchedparameter</code><br><code>(matchedParameter)</code></td><td>The parameter name within the HTTP traffic where an indicator causing this event was detected (e.g. "uuid").</td></tr>
<tr><td><code>Matched Sample</code></td><td><code>matchedsample</code><br><code>(matchedSample)</code></td><td>The traffic data in which the indicators were detected and which created the event.</td></tr>
<tr><td><code>Match Reason</code></td><td><code>matchreason</code><br><code>(matchReason)</code></td><td>Additional elaboration of the reason the event was detected (for example, when Web API schema validation fails, this field details what exactly failed).</td></tr>
<tr><td><code>Found Indicators</code></td><td><code>waapfoundindicators</code><br><code>(waapFoundIndicators)</code></td><td>The detected indicators that created the event.</td></tr>
<tr><td><code>Practice Override</code></td><td><code>waapoverride</code><br><code>(waapOverride)</code></td><td>Override configuration for this event.</td></tr>
</tbody></table>
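Worked example (added here, not code from the open-appsec project): a small parser for an event delivered as CEF that maps the bracketed syslog/CEF field names from the table back to the all-lowercase keywords the cloud filter queries use, so one set of triage rules can run on either side. It assumes the standard CEF layout (seven `|`-separated header fields followed by `key=value` extensions), treats `title` as an extension key per the Event Name row, and the sample line, vendor string and `is_actionable` rule are constructed.

```python
"""Parse an open-appsec event delivered as CEF and normalise its lowerCamelCase
syslog/CEF field names to the all-lowercase keywords used by the cloud filter
queries, so one set of filter rules can run on either side."""
import re

# Names that differ by more than case between syslog/CEF and the cloud
# keywords (from the field table); everything else is simply lowercased.
RENAMES = {"title": "eventname"}
HEADER_KEYS = ("version", "vendor", "product", "deviceVersion",
               "signatureId", "name", "severity")
# A CEF extension key starts at the beginning or after whitespace; values may
# themselves contain spaces (e.g. "Very High"), so split on key boundaries.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

def parse_extension(ext):
    """Return {key: value} from a CEF extension, unescaping '\\=' and '\\\\'."""
    fields, keys = {}, list(_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        fields[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return fields

def to_cloud_keyword(cef_key):
    """Map a syslog/CEF field name to its cloud filter keyword."""
    return RENAMES.get(cef_key, cef_key.lower())

def parse_cef(line):
    """Split 'CEF:ver|vendor|product|...|name|severity|extension' (assumes no
    escaped '|' inside the header) and normalise the extension keys."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = line[4:].split("|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_KEYS, parts[:7]))
    fields = {to_cloud_keyword(k): v for k, v in parse_extension(parts[7]).items()}
    return {"header": header, "fields": fields}

def is_actionable(fields):
    """Constructed triage rule: High/Critical severity at High/Very High confidence."""
    return (fields.get("eventseverity") in ("High", "Critical")
            and fields.get("eventconfidence") in ("High", "Very High"))

# Constructed sample line, not captured from a real agent.
SAMPLE = ("CEF:0|ExampleVendor|open-appsec|1.0|100|Web Application Attack|8|"
          "title=Web Application Attack eventSeverity=High eventConfidence=Very High "
          "sourceIp=203.0.113.7 httpHostName=shop.example.test httpMethod=GET "
          "httpUriPath=/login httpUriQuery=id\\=42 waapIncidentType=SQL injection")
```

`parse_cef(SAMPLE)["fields"]` yields keys such as `eventname`, `eventconfidence` and `httpuriquery` (with `id=42` unescaped), which are the same keywords you would use in a cloud filter query.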
