Audits Index
  • 15 Mar 2024
Index Fields

| Name | Type | Aggregation | Description |
|---|---|---|---|
| action | text | keyword | HTTP method (GET, PUT, POST, PATCH, DELETE, OPTIONS) |
| eventChain | text | keyword | A list of UUIDs shared across disparate audit events. This can be used to trace a user’s request path through the network. The first value is the upstream proxy’s UUID. The second value is the UUID of the downstream proxy associated with this audit event. |
| eventId | text | keyword | The UUID of the event. This will exist as one of the UUIDs in the `eventChain`. |
| eventType | text | keyword | The service name associated with this event. |
| originatorToken | text | keyword | A list of identities associated with the request. |
| payload.isSuccessful | boolean | n/a | A true/false value indicating that the request was successful. |
| payload.request.endpoint | text | keyword | The endpoint or route of the request. |
| payload.request.headers.:authority | text | keyword | The host and port of the external ingress. If Greymatter is deployed to Kubernetes, this would be the external LoadBalancer’s host and port. |
| payload.request.headers.:method | text | keyword | The method of the request. Identical to the `action` field. |
| payload.request.headers.:path | text | keyword | The path or route of the request. Identical to the `endpoint` field. |
| payload.request.headers.:scheme | text | keyword | The scheme (aka protocol) of the request. `http` for plaintext and `https` for TLS. |
| payload.request.headers.accept | text | keyword | The supported content types of the request such as `application/json, text/plain`. |
| payload.request.headers.accept-encoding | text | keyword | The supported content encoding, usually compression algorithm, of the request such as `gzip`. |
| payload.request.headers.accept-language | text | keyword | The natural language and locale the client prefers such as `en-US,en`. |
| payload.request.headers.cache-control | text | keyword | The directive that controls caching in browsers and shared caches (e.g. proxies, CDNs). |
| payload.request.headers.content-length | text | keyword | The size of the message body, in bytes, sent to the recipient. |
| payload.request.headers.content-type | text | keyword | The type of content of the resource in the request such as `image/png`. |
| payload.request.headers.cookie | text | keyword | The cookie set by the server that is sent back by the browser. |
| payload.request.headers.from | text | keyword | The value of an authenticated user’s email address. This is only used for OIDC authentication where the email address is a JWT claim. |
| payload.request.headers.gm-observable-chain | text | keyword | The UUID of the audit event of the upstream proxy. This is the first value in the `eventChain` array. |
| payload.request.headers.if-modified-since | text | keyword | Determines if a request is conditional. |
| payload.request.headers.if-none-match | text | keyword | Determines if a request is conditional. |
| payload.request.headers.origin | text | keyword | Indicates the origin (scheme, hostname, and port) that triggered the request. |
| payload.request.headers.referer | text | keyword | Contains the absolute or partial address from which a resource has been requested. |
| payload.request.headers.sec-gpc | text | keyword | Indicates whether the user consents to a website or service selling or sharing their personal information with third parties. |
| payload.request.headers.upgrade-insecure-requests | text | keyword | Sends a signal to the server expressing the client's preference for an encrypted and authenticated response, and that it can successfully handle the `upgrade-insecure-requests` CSP directive. |
| payload.request.headers.user-agent | text | keyword | Lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent such as `Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36`. |
| payload.request.headers.user_dn | text | keyword | The value of the distinguished name (DN) from the x509 identity found in the request, manual TLS or Spire. |
| payload.request.headers.x-envoy-original-path | text | keyword | If the route utilizes `prefix_rewrite` or `regex_rewrite`, this header will be set to the original path. This can be useful for logging and debugging. |
| payload.request.headers.x-forwarded-proto | text | keyword | A service often needs to know the originating protocol (HTTP or HTTPS) of the connection terminated by a front/edge proxy. `x-forwarded-proto` contains this information. It will be set to either `http` or `https`. |
| payload.request.headers.x-gm-domain | text | keyword | Correlates to the name and port of a domain registered with a proxy such as `*:10908`. This is the domain associated with the listener handling the request. The value to the left of the colon represents the host associated with the proxy’s virtual host. Greymatter will primarily default to a wildcard host. |
| payload.request.headers.x-gm-route | text | keyword | Correlates to the name of the route registered with a proxy such as `*:10908`. This is the route registered with a proxy to route traffic to a downstream proxy. |
| payload.request.headers.x-gm-rule | text | keyword | A rule associated with a proxy route. Greymatter will always set this to `DEFAULT`. |
| payload.request.headers.x-gm-shared-rules | text | keyword | A shared-rule associated with a proxy route. Greymatter will always set this to `DEFAULT`. |
| payload.request.headers.x-request-id | text | keyword | Used to uniquely identify a request as well as perform stable access logging and tracing. |
| payload.response.code | long | n/a | The response code of the HTTP request such as 200 for success or 401 for unauthorized access. |
| payload.response.headers.:status | text | keyword | The status code of the request. Correlates with `payload.response.code`. |
| payload.response.headers.accept-ranges | text | keyword | A marker used by the server to advertise its support for partial requests from the client for file downloads. The value of this field indicates the unit that can be used to define a range. |
| payload.response.headers.cache-control | text | keyword | The directive that controls caching in browsers and shared caches (e.g. proxies, CDNs). |
| payload.response.headers.connection | text | keyword | Controls whether the network connection stays open after the current transaction finishes. If the value sent is `keep-alive`, the connection is persistent and not closed, allowing for subsequent requests to the same server to be done. |
| payload.response.headers.content-encoding | text | keyword | Lists any encodings that have been applied to the representation (message payload), and in what order. This lets the recipient know how to decode the representation in order to obtain the original payload format. |
| payload.response.headers.content-length | text | keyword | The size of the message body, in bytes, sent to the recipient. |
| payload.response.headers.content-type | text | keyword | The type of content of the resource in the request such as `image/png`. |
| payload.response.headers.date | text | keyword | Contains the date and time at which the message originated. |
| payload.response.headers.etag | text | keyword | An identifier for a specific version of a resource. It lets caches be more efficient and save bandwidth, as a web server does not need to resend a full response if the content was not changed. |
| payload.response.headers.gm-observable-chain | text | keyword | The UUID of the audit event of the upstream proxy. This is the first value in the `eventChain` array. |
| payload.response.headers.keep-alive | text | keyword | Allows the sender to hint about how the connection may be used to set a timeout and a maximum amount of requests. |
| payload.response.headers.last-modified | text | keyword | A date and time when the origin server believes the resource was last modified. |
| payload.response.headers.location | text | keyword | Indicates the URL to redirect a page to. It only provides a meaning when served with a 3xx (redirection) or 201 (created) status response. |
| payload.response.headers.server | text | keyword | Describes the software used by the origin server that handled the request (that is, the server that generated the response). |
| payload.response.headers.transfer-encoding | text | keyword | Specifies the form of encoding used to safely transfer the payload body to the user. |
| payload.response.headers.user_dn | text | keyword | The value of the distinguished name (DN) from the x509 identity found in the request, manual TLS or Spire. |
| payload.response.headers.vary | text | keyword | Describes the parts of the request message aside from the method and URL that influenced the content of the response it occurs in. Most often, this is used to create a cache key when content negotiation is in use. |
| payload.response.headers.x-envoy-upstream-service-time | text | keyword | Contains the time in milliseconds spent by the upstream host processing the request and the network latency between the proxy and upstream host. This is useful if the client wants to determine service time compared to network latency between client and proxy. |
| payload.response.headers.x-gm-route | text | keyword | Correlates to the name of the route registered with a proxy such as `*:10908`. This is the route registered with a proxy to route traffic to a downstream proxy. |
| payload.response.headers.x-gm-rule | text | keyword | A rule associated with a proxy route. Greymatter will always set this to `DEFAULT`. |
| payload.response.headers.x-gm-shared-rules | text | keyword | A shared-rule associated with a proxy route. Greymatter will always set this to `DEFAULT`. |
| payload.response.headers.x-powered-by | text | keyword | An optional and unofficial HTTP header, used to indicate the technology stack used on the server-side. |
| payload.response.headers.x-request-id | text | keyword | Used to uniquely identify a request as well as perform stable access logging and tracing. |
| schemaVersion | text | keyword | Version of the audit event schema. |
| systemIp | text | keyword | The IP address of the host of the Greymatter proxy. In Kubernetes, this is the Pod IP. |
| timestamp | date | n/a | The UNIX timestamp when the audit event was captured. |

For more details on HTTP request/response headers, please refer to the MDN Web Docs.
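
The eventChain and eventId fields can be used to rebuild a request's path across proxies and to spot gaps in the audit trail. The following is an added example, not Greymatter code: it assumes audit documents shaped like the field names in the table and that a first-hop event lists only its own eventId in eventChain; the events are constructed, the UUIDs are shortened placeholders, and make_event, upstream_id and trace_paths are hypothetical helper names.

```python
# Constructed sample audit events (not real Greymatter output). Field names
# follow the index table; the UUIDs are shortened placeholders.
def make_event(event_id, chain, service, ok, code):
    return {"eventId": event_id, "eventChain": chain, "eventType": service,
            "payload": {"isSuccessful": ok, "response": {"code": code}}}

EVENTS = [
    make_event("aaaa", ["aaaa"], "edge", False, 403),
    make_event("bbbb", ["aaaa", "bbbb"], "catalog", False, 403),
    make_event("cccc", ["bbbb", "cccc"], "inventory", False, 403),
    make_event("eeee", ["dddd", "eeee"], "billing", True, 200),  # upstream "dddd" never indexed
]

def upstream_id(event):
    """UUID of the upstream proxy's audit event, or None at the first hop.

    Assumption: a first-hop event lists only its own eventId in eventChain.
    """
    chain = event["eventChain"]
    if event["eventId"] not in chain:
        raise ValueError(f"eventId {event['eventId']} missing from its eventChain")
    return None if chain[0] == event["eventId"] else chain[0]

def trace_paths(events):
    """Rebuild each request path, ordered from first hop to last hop."""
    by_id = {e["eventId"]: e for e in events}
    referenced = {upstream_id(e) for e in events}
    paths = []
    # A leaf is an event that no other event names as its upstream.
    for leaf in (e for e in events if e["eventId"] not in referenced):
        path, seen, cur = [], set(), leaf
        while cur is not None and cur["eventId"] not in seen:  # seen guards against loops
            seen.add(cur["eventId"])
            path.append(cur)
            cur = by_id.get(upstream_id(cur))
        path.reverse()
        failed = [e["eventType"] for e in path if not e["payload"]["isSuccessful"]]
        paths.append({
            "hops": [e["eventType"] for e in path],
            # False means an upstream audit event is missing from the index.
            "complete": upstream_id(path[0]) is None,
            # Heuristic: the furthest-downstream failing hop is where the error began.
            "failure_origin": failed[-1] if failed else None,
        })
    return paths

if __name__ == "__main__":
    for p in trace_paths(EVENTS):
        print(p)
```

A path with "complete" set to False is worth investigating on its own: it means a proxy handled the request but its upstream audit event was never indexed.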

