Web

The web data model describes web requests, responses, etc. on various levels.

Required tags: web

Field Importance Description
     
dest_host (and/or dest_ip) High The destination of the network traffic.
http_method High The HTTP method used in the request (GET, PUT, POST, DELETE, HEAD, OPTIONS, CONNECT, TRACE).
http_user_agent High The user agent used in the request.
http_x_forwarded_for High The originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.
http_x_forwarded_to High The destination IP address of a client connecting to a web server through an HTTP proxy or load balancer.
src_host (and/or src_ip) High The source of the network traffic.
status High The HTTP response code indicating the status of the proxy request.
user High The user that requested the HTTP resource.
     
action Medium The action taken by the server or proxy.
app Medium The app recording the data, such as IIS, Squid, or Bluecoat.
bytes_in Medium The number of inbound bytes transferred.
bytes_out Medium The number of outbound bytes transferred.
category Medium The category of traffic, provided by a proxy server, if available.
http_referrer Medium The HTTP referrer used in the request.
url_length Medium The length of the URL.
     
bytes Low The total number of bytes transferred (bytes_in + bytes_out).
cached Low Indicates whether the event data is cached or not.
cookie Low The cookie file recorded in the event.
duration Low The time taken by the proxy event, in milliseconds.
http_content_type Low The content-type of the requested HTTP resource.
http_user_agent_length Low The length of the user agent used in the request.
response_time Low The milliseconds of time it took to receive a response, if available.
site Low The virtual site which services the request, if applicable.
uri_path Low The path of the resource served by the webserver or proxy.
uri_query Low The path of the resource requested by the client.
url Low The URL of the requested HTTP resource.
vendor_product Low The product and vendor that logged the Web event. This can be set directly or auto-populated from vendor and product as they are available.
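
The following added example (not part of the original documentation or the project's code) maps one raw proxy log line onto the fields above, derives `url_length`, `http_user_agent_length` and `bytes`, and reports which High-importance fields are still missing. The log layout, the function names and the `example_proxy` app value are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed log layout (an assumption for this example, not a real product format):
# src_ip user "METHOD URL PROTO" status bytes_in bytes_out "referrer" "user agent"
LINE_RE = re.compile(
    r'(?P<src_ip>\S+) (?P<user>\S+) "(?P<http_method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes_in>\d+) (?P<bytes_out>\d+) '
    r'"(?P<http_referrer>[^"]*)" "(?P<http_user_agent>[^"]*)"$'
)

# High-importance fields from the table; each tuple lists acceptable alternatives.
HIGH_FIELDS = [
    ("dest_host", "dest_ip"), ("http_method",), ("http_user_agent",),
    ("http_x_forwarded_for",), ("http_x_forwarded_to",),
    ("src_host", "src_ip"), ("status",), ("user",),
]

def normalize(line, app="example_proxy"):
    """Map one raw log line onto the web data model; return None if unparseable."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    parts = urlsplit(ev["url"])
    for key in ("status", "bytes_in", "bytes_out"):
        ev[key] = int(ev[key])
    ev.update(
        tags=["web"], app=app,
        dest_host=parts.hostname, uri_path=parts.path, uri_query=parts.query,
        url_length=len(ev["url"]),
        http_user_agent_length=len(ev["http_user_agent"]),
        bytes=ev["bytes_in"] + ev["bytes_out"],
    )
    # "-" marks an absent value in this layout; drop it instead of storing a fake value.
    return {k: v for k, v in ev.items() if v not in ("-", "", None)}

def missing_high_fields(event):
    """Return the High-importance fields (or alternatives) the event lacks."""
    return ["/".join(alts) for alts in HIGH_FIELDS if not any(a in event for a in alts)]

# Constructed sample line (documentation address range, made-up user and host).
SAMPLE = ('192.0.2.10 alice "GET http://shop.example.com/cart/view?id=42 HTTP/1.1" '
          '200 512 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"')
```

Running `missing_high_fields(normalize(SAMPLE))` shows which High-importance fields a source cannot supply on its own, which is the gap to close before relying on the events for detection.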