Parsers and Generated Fields

Tag Fields Created by Parser haproxy
  • #Cps.version
  • #Vendor
  • #ecs.version
  • #event.dataset
  • #event.kind
  • #event.module
  • #event.outcome
  • #observer.type

Fields Identified by Parser haproxy

| Source Field | CPS Field | Description | Mapping |
|---|---|---|---|
| None | @timestamp | Event timestamp | Parsed from @timestamp using parseTimestamp() with format "MMM [ ]d HH:mm:ss" |
| Vendor.client_ip (indirect) | client.address | Client address | Copied from source.address |
| Vendor.client_ip (indirect) | client.ip | Client IP address | Copied from client.address after IP validation |
| Vendor.client_port (indirect) | client.port | Client port | Copied from source.port |
| Vendor.BytesRead | destination.bytes | Destination bytes | Copied from Vendor.BytesRead |
| None | ecs.version | ECS schema version | Static value: 9.2.0 |
| Vendor.message | error.code | Error code | Extracted from Vendor.message using regex for error codes |
| Vendor.message | error.message | Error message | Copied from Vendor.message for error logs |
| None | event.category[] | Event categorization | Array populated based on log type: ["network"] for errors/TCP, ["web","network"] for HTTP |
| Vendor.bind_name, Vendor.status_code, Vendor.client_ip | event.dataset | Dataset identifier | Conditionally set based on log type: haproxy.error, haproxy.http, or haproxy.tcp |
| None | event.kind | Event kind | Static value: event |
| None | event.module | Module name | Static value: haproxy |
| Vendor.status_code, Vendor.bind_name | event.outcome | Event outcome | Conditionally set to "success" for 2xx status codes, "failure" for 4xx/5xx or errors |
| Vendor.status_code, Vendor.bind_name | event.type[] | Event type | Array populated based on context: ["connection","denied"] for errors, ["access","connection","allowed/denied"] for HTTP, ["connection","allowed"] for TCP |
| log.syslog.hostname | host.name | Host name | Copied from log.syslog.hostname |
| Vendor.method | http.request.method | HTTP request method | Copied from Vendor.method (extracted from HTTP request) |
| Vendor.bytes_read | http.response.bytes | HTTP response bytes | Copied from Vendor.bytes_read |
| Vendor.status_code | http.response.status_code | HTTP response status code | Copied from Vendor.status_code |
| Vendor.protocol | http.version | HTTP version | Extracted from Vendor.protocol using regex |
| None | log.syslog.appname | Syslog application name | Extracted from syslog header using regex |
| None | log.syslog.hostname | Syslog hostname | Extracted from syslog header using regex |
| None | log.syslog.priority | Syslog priority | Extracted from syslog header using regex |
| None | log.syslog.procid | Syslog process ID | Extracted from syslog header using regex |
| None | message | Log message content | Extracted from syslog header after timestamp and process info |
| Vendor.protocol | network.protocol | Network protocol | Extracted from Vendor.protocol using regex and converted to lowercase |
| log.syslog.hostname | observer.name | Observer name | Copied from log.syslog.hostname |
| log.syslog.appname | process.name | Process name | Copied from log.syslog.appname |
| log.syslog.procid | process.pid | Process ID | Copied from log.syslog.procid |
| Vendor.BytesRead (indirect) | server.bytes | Server bytes | Copied from destination.bytes |
| Vendor.frontend | service.name | Service name | Copied from Vendor.frontend |
| Vendor.client_ip | source.address | Source address | Copied from Vendor.client_ip and converted to lowercase |
| Vendor.client_ip (indirect) | source.ip | Source IP address | Copied from source.address after IP validation |
| Vendor.client_port | source.port | Source port | Copied from Vendor.client_port |
| Vendor.tls | tls.established | TLS connection established | Set to "true" when Vendor.tls equals "~" |
| Vendor.ssl_version | tls.version | TLS version | Extracted from Vendor.ssl_version using regex |
| Vendor.ssl_version | tls.version_protocol | TLS protocol version | Extracted from Vendor.ssl_version using regex and converted to lowercase |
| Vendor.path | url.domain | URL domain | Parsed from Vendor.path using parseUrl() function |
| Vendor.path | url.path | URL path | Parsed from Vendor.path using parseUrl() function |
| Vendor.path | url.query | URL query parameters | Parsed from Vendor.path using parseUrl() function |