Index Fields
Name | Type | Aggregation | Description |
---|---|---|---|
action | text | keyword | HTTP method (GET, PUT, POST, PATCH, DELETE, OPTIONS) |
eventChain | text | keyword | A list of UUIDs shared across disparate audit events. This can be used to trace a user’s request path through the network. The first value is the upstream proxy’s UUID. The second value is the UUID of the downstream proxy associated with this audit event. |
eventId | text | keyword | The UUID of the event. This will exist as one of the UUIDs in the eventChain. |
eventType | text | keyword | The service name associated with this event. |
originatorToken | text | keyword | A list of identities associated with the request. |
payload.isSuccessful | boolean | n/a | A true/false value indicating that the request was successful. |
payload.request.endpoint | text | keyword | The endpoint or route of the request. |
payload.request.headers.:authority | text | keyword | The host and port of the external ingress. If Greymatter is deployed to Kubernetes, this would be the external LoadBalancer’s host and port. |
payload.request.headers.:method | text | keyword | The method of the request. Identical to the action field. |
payload.request.headers.:path | text | keyword | The path or route of the request. Identical to the endpoint field. |
payload.request.headers.:scheme | text | keyword | The scheme (aka protocol) of the request. http for plaintext and https for TLS. |
payload.request.headers.accept | text | keyword | The supported content types of the request such as application/json, text/plain. |
payload.request.headers.accept-encoding | text | keyword | The supported content encoding, usually compression algorithm, of the request such as gzip. |
payload.request.headers.accept-language | text | keyword | The natural language and locale the client prefers such as en-US,en. |
payload.request.headers.cache-control | text | keyword | The directive that controls caching in browsers and shared caches (e.g. Proxies, CDNs). |
payload.request.headers.content-length | text | keyword | The size of the message body, in bytes, sent to the recipient. |
payload.request.headers.content-type | text | keyword | The type of content of the resource in the request such as image/png. |
payload.request.headers.cookie | text | keyword | The cookie set by the server that is sent back by the browser. |
payload.request.headers.from | text | keyword | The value of an authenticated user’s email address. This is only used for OIDC authentication where the email address is a JWT claim. |
payload.request.headers.gm-observable-chain | text | keyword | The UUID of the audit event of the upstream proxy. This is the first value in the eventChain array. |
payload.request.headers.if-modified-since | text | keyword | Determines if a request is conditional. |
payload.request.headers.if-none-match | text | keyword | Determines if a request is conditional. |
payload.request.headers.origin | text | keyword | Indicates the origin (scheme, hostname, and port) that triggered the request. |
payload.request.headers.referer | text | keyword | Contains the absolute or partial address from which a resource has been requested. |
payload.request.headers.sec-gpc | text | keyword | Indicates whether the user consents to a website or service selling or sharing their personal information with third parties. |
payload.request.headers.upgrade-insecure-requests | text | keyword | Sends a signal to the server expressing the client's preference for an encrypted and authenticated response, and that it can successfully handle the upgrade-insecure-requests CSP directive. |
payload.request.headers.user-agent | text | keyword | Lets servers and network peers identify the application, operating system, vendor, and/or version of the requesting user agent such as Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36. |
payload.request.headers.user_dn | text | keyword | The value of the distinguished name (DN) from the x509 identity found in the request, manual TLS or Spire. |
payload.request.headers.x-envoy-original-path | text | keyword | If the route utilizes prefix_rewrite or regex_rewrite, this header will be set to the original path. This can be useful for logging and debugging. |
payload.request.headers.x-forwarded-proto | text | keyword | It is a common case where a service wants to know what the originating protocol (HTTP or HTTPS) was of the connection terminated by a front/edge proxy. x-forwarded-proto contains this information. It will be set to either http or https. |
payload.request.headers.x-gm-domain | text | keyword | Correlates to the name and port of a domain registered with a proxy such as *:10908. This is the domain associated with the listener handling the request. The value to the left of the colon represents the host associated with the proxy’s virtual host. Greymatter will primarily default to a wildcard host. |
payload.request.headers.x-gm-route | text | keyword | Correlates to the name of the route registered with a proxy such as *:10908. This is the route registered with a proxy to route traffic to a downstream proxy. |
payload.request.headers.x-gm-rule | text | keyword | A rule associated with a proxy route. Greymatter will always set this to DEFAULT. |
payload.request.headers.x-gm-shared-rules | text | keyword | A shared-rule associated with a proxy route. Greymatter will always set this to DEFAULT. |
payload.request.headers.x-request-id | text | keyword | Used to uniquely identify a request as well as perform stable access logging and tracing. |
payload.response.code | long | n/a | The response code of the HTTP request such as 200 for success or 401 for unauthorized access. |
payload.response.headers.:status | text | keyword | The status code of the request. Correlates with payload.response.code. |
payload.response.headers.accept-ranges | text | keyword | A marker used by the server to advertise its support for partial requests from the client for file downloads. The value of this field indicates the unit that can be used to define a range. |
payload.response.headers.cache-control | text | keyword | The directive that controls caching in browsers and shared caches (e.g. Proxies, CDNs). |
payload.response.headers.connection | text | keyword | Controls whether the network connection stays open after the current transaction finishes. If the value sent is keep-alive, the connection is persistent and not closed, allowing for subsequent requests to the same server to be done. |
payload.response.headers.content-encoding | text | keyword | Lists any encodings that have been applied to the representation (message payload), and in what order. This lets the recipient know how to decode the representation in order to obtain the original payload format. |
payload.response.headers.content-length | text | keyword | The size of the message body, in bytes, sent to the recipient. |
payload.response.headers.content-type | text | keyword | The type of content of the resource in the request such as image/png. |
payload.response.headers.date | text | keyword | Contains the date and time at which the message originated. |
payload.response.headers.etag | text | keyword | An identifier for a specific version of a resource. It lets caches be more efficient and save bandwidth, as a web server does not need to resend a full response if the content was not changed. |
payload.response.headers.gm-observable-chain | text | keyword | The UUID of the audit event of the upstream proxy. This is the first value in the eventChain array. |
payload.response.headers.keep-alive | text | keyword | Allows the sender to hint about how the connection may be used to set a timeout and a maximum amount of requests. |
payload.response.headers.last-modified | text | keyword | A date and time when the origin server believes the resource was last modified. |
payload.response.headers.location | text | keyword | Indicates the URL to redirect a page to. It only provides a meaning when served with a 3xx (redirection) or 201 (created) status response. |
payload.response.headers.server | text | keyword | Describes the software used by the origin server that handled the request — that is, the server that generated the response. |
payload.response.headers.transfer-encoding | text | keyword | Specifies the form of encoding used to safely transfer the payload body to the user. |
payload.response.headers.user_dn | text | keyword | The value of the distinguished name (DN) from the x509 identity found in the request, manual TLS or Spire. |
payload.response.headers.vary | text | keyword | Describes the parts of the request message aside from the method and URL that influenced the content of the response it occurs in. Most often, this is used to create a cache key when content negotiation is in use. |
payload.response.headers.x-envoy-upstream-service-time | text | keyword | Contains the time in milliseconds spent by the upstream host processing the request and the network latency between the proxy and upstream host. This is useful if the client wants to determine service time compared to network latency between client and proxy. |
payload.response.headers.x-gm-route | text | keyword | Correlates to the name of the route registered with a proxy such as *:10908. This is the route registered with a proxy to route traffic to a downstream proxy. |
payload.response.headers.x-gm-rule | text | keyword | A rule associated with a proxy route. Greymatter will always set this to DEFAULT. |
payload.response.headers.x-gm-shared-rules | text | keyword | A shared-rule associated with a proxy route. Greymatter will always set this to DEFAULT. |
payload.response.headers.x-powered-by | text | keyword | An optional and unofficial HTTP header, used to indicate the technology stack used on the server-side. |
payload.response.headers.x-request-id | text | keyword | Used to uniquely identify a request as well as perform stable access logging and tracing. |
schemaVersion | text | keyword | Version of the audit event schema. |
systemIp | text | keyword | The IP address of the host of the Greymatter proxy. In Kubernetes, this is the Pod IP. |
timestamp | date | n/a | The UNIX timestamp when the audit event was captured. |
For more details on HTTP request/response headers, please refer to the MDN Web Docs.
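
The following is an added example, not Greymatter's own code: it uses the eventId and eventChain fields described in the table to reconstruct a request's path across proxies and to list events whose upstream audit record is missing from the set. The sample events and their short UUIDs are constructed, and treating an event whose chain holds only its own eventId as the first hop is an assumption.

```python
from collections import defaultdict

# Constructed sample events with short fake UUIDs, not real audit data.
EVENTS = [
    {"eventId": "aaa1", "eventChain": ["aaa1"], "eventType": "edge",
     "timestamp": 1710000000, "payload": {"response": {"code": 200}}},
    {"eventId": "bbb2", "eventChain": ["aaa1", "bbb2"], "eventType": "catalog",
     "timestamp": 1710000001, "payload": {"response": {"code": 200}}},
    {"eventId": "ccc3", "eventChain": ["bbb2", "ccc3"], "eventType": "inventory",
     "timestamp": 1710000002, "payload": {"response": {"code": 401}}},
    # Upstream event "zzz9" is absent from the set: a gap in the audit trail.
    {"eventId": "ddd4", "eventChain": ["zzz9", "ddd4"], "eventType": "billing",
     "timestamp": 1710000003, "payload": {"response": {"code": 200}}},
]

def upstream_of(event):
    # Assumption: a chain holding only the event's own UUID marks the first hop.
    chain = event.get("eventChain") or []
    if len(chain) >= 2 and chain[0] != event["eventId"]:
        return chain[0]  # first value is the upstream proxy's event UUID
    return None

def trace_paths(events):
    """Return (paths, orphans): hop lists per request, and eventIds with no upstream record."""
    by_id = {e["eventId"]: e for e in events}
    children = defaultdict(list)
    roots, orphans = [], []
    for e in events:
        parent = upstream_of(e)
        if parent is None:
            roots.append(e)
        elif parent in by_id:
            children[parent].append(e)
        else:
            orphans.append(e["eventId"])
    paths = []
    def walk(event, path):
        path = path + [(event["eventType"], event["payload"]["response"]["code"])]
        kids = sorted(children[event["eventId"]], key=lambda k: k["timestamp"])
        if not kids:
            paths.append(path)
        for kid in kids:
            walk(kid, path)
    for root in roots:
        walk(root, [])
    return paths, orphans
```

Each path is a list of (eventType, payload.response.code) pairs in hop order, so a 401 at a downstream service is visible in the context of the request that reached it.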