Default access log field reference

The access log follows the Elastic Common Schema (ECS). The information in this article can be used to look up the meaning of log fields and configure a CR Telemetry based on the listed log fields and command operators.

Log field types:
Some log fields show logging output using standard Envoy command operators. See online Envoy command operators documentation for details.
Other log fields use custom command operators to show logging output. The corresponding custom command operators are listed in the table.

Log field reference table

Log field	Description	Custom command operators (Envoy command operators not shown)
`@timestamp`	Timestamp of the logged request.
`airlock.deny_rules`	`.block_reason` – Explanation (reason) why a request has been blocked. `.matches[].rule_key` – Identifies deny rules that have been triggered by the request. `.matches[].rule_id` – Internal deny rule ID used by Ergon for debugging purposes. `.matches[].level` – Security level of the matching deny rule. `.matches[].threat_handling_mode` – Could be logOnly or block.	`%DENY_RULES%`
`airlock.header_rewrites`	Shows a list of header rewrite actions applied on request or response headers. Requires `operationalMode` to be set to `Integration`. Each item in the list contains the following fields: `.request.headers` – List of headers that have been rewritten. `.request.action` – Informs about the rewrite action that has been performed on one or more headers. Example: `remove` `.request.type` – Informs about the rule type that has been applied. Example: `remove-rule` `allow-rule` `.request.applied_rules` – Names the header rewrite rules that have been applied.	`%HEADER_REWRITES%`
`airlock.http.request.accept_language`	Contains the values of the `Accept-Language` request header.
`airlock.http.response.redirect_url`	Contains the redirect URL extracted from the `Location` response header.
`airlock.limits`	For a complete list of logged limits and their defaults, see CR Limits reference documentation. Additional information: `Path length` (path is logged in field `url.path`) `Parameter value length` (incl. parameter `name` and `value`) `Parameter name length` (incl. parameter `name`) `JSON key length` (incl. `json_path` and `key`) `JSON value length` (incl. `json_path` and `value`)	`%LIMITS%`
`airlock.log_correlation.connection_id`	Shows the connection ID respectively stream ID. These IDs allow correlating access and application log entries for in-depth analysis. Application log example: `"ConnectionId":<X>, "StreamId":<Y>`	`%LOG_CORRELATION%`
`airlock.log_correlation.stream_id`		`%LOG_CORRELATION%`
`airlock.parser.matches`	Shows the reason if parsing fails. Application log example: `"failed_check": "json_syntax"`, `"message": "Error message from parser..."` Correlating `response.details` log could be `airlock_request_blocked_parser`.
`airlock.response.details`	Shows a response code with detailed information. The Envoy response code details. Airlock Microgateway specific response code details as listed in table Airlock Microgateway specific response code details.
`airlock.response.flags`	The Envoy access log response flags provides additional information about response or connection.
`airlock.upstream.destination.ip`	Direct remote destination IP address of the upstream.
`airlock.upstream.destination.port`	Direct remote destination port of the upstream.
`airlock.upstream.http.version`	Shows the HTTP version (`1.1`/`2`) of the upstream traffic.	`%UPSTREAM_HTTP_VERSION%`
`destination.ip`	Direct destination IP address of the Pod containing the Microgateway Engine sidecar.
`destination.port`	Direct destination port of the Pod containing the Microgateway Engine sidecar.
`ecs.version`	Our logging is built on a version of the Elastic Common Schema (ECS) reference.
`event.category`	ECS categorization field. For the access log, `event.category` is always `"web"`.
`event.dataset`	Name of the dataset. For the access log, this is `envoy.access`.
`event.duration`	Duration of the request in nanoseconds as recorded by the Microgateway Engine.	`%DURATION_IN_NANOSECONDS%`
`event.end`	Time the response was finished by the Microgateway Engine.	`%END_TIME(%Y-%m-%dT%T.%3f%z)%`
`event.kind`	ECS categorization field. For the access log, `event.kind` is always `"event"`.
`event.module`	Module that recorded the event, i.e. `envoy`.
`event.outcome`	ECS categorization field. Indicates the status of the filtering process. When the Microgateway Engine works correctly, the status `"success"` is shown. Note that `"success"` is displayed even if a request was blocked – see also `event.type` categorization.
`event.start`	Time the Microgateway Engine received the request.
`event.type`	ECS categorization field. Indicates whether a request has been forwarded to the upstream. Available event types: `[ "access", "denied" ]` if a deny rule blocks a request. `[ "access", "allowed" ]` if the request was forwarded to the upstream. `[ "access", "error" ]`, see `airlock.response.details` for more information about the error.	`%EVENT_TYPE%`
`http.request.bytes`	Total request size in bytes (body and headers).	`%REQUEST_HEADERS_AND_BODY_BYTES%`
`http.request.mime_type`	MIME type of the request body.	`%REQ_MIME_TYPE%`
`http.request.body.bytes`	Request body size in bytes.
`http.request.id`	UID of the HTTP request.
`http.request.method`	HTTP method of the request.
`http.request.referrer`	Value of the `Referer` request header.
`http.response.body.bytes`	Response body size in bytes.
`http.response.bytes`	Total response size in bytes (body and headers).	`%RESPONSE_HEADERS_AND_BODY_BYTES%`
`http.response.mime_type`	MIME type of the response body.	`%RESP_MIME_TYPE%`
`http.response.status_code`	HTTP response code.
`http.version`	Shows the HTTP version (`1.1`/`2`) of the application's downstream traffic.	`%HTTP_VERSION%`
`log.level`	`"info"` for all access log entries.
`log.logger`	`"access"` for all access log entries. Other possible values: `"application"` for Microgateway Engine log entries.
`network.forwarded_ip`	Shows the identified Downstream remote IP settings.
`observer.product`	`Airlock Microgateway`
`observer.type`	The type of observer that created the log entry, i.e. `"waap"` for Web Application and API Protection.
`observer.vendor`	`Ergon Informatik AG`
`observer.version`	Release version of the Airlock Microgateway, i.e. `4.0.0`.	`%ENVIRONMENT(ENGINE_VERSION)%`
`source.ip`	Direct remote source IP address of the downstream, as detected by the Microgateway Engine.
`source.port`	Direct remote source port of the downstream, as detected by the Microgateway Engine.
`url.domain`	Domain/IP without port number as extracted from the host header.	`%HTTP_HOST%`
`url.path`	Path of the request without query string. Example: `"/my-webapp"`	`%REQ_QUERY(:PATH)%`
`url.query`	Query string of the request. Note that the `?` is excluded from the string.
`user_agent.original`	Unparsed user agent string. Example: `Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36`

Airlock Microgateway specific response code details

The following response code details can appear in the airlock.response.details log field:

Response code details	Description
`airlock_request_blocked_deny_rule`	A deny rule detected malicious data. The request was blocked.
`airlock_request_blocked_encoding`	The request contains data with invalid encoding (UTF-8 required). The request was blocked.
`airlock_request_blocked_limit`	A limit was exceeded. The request was blocked.
`airlock_request_blocked_parser`	The request contains data that could not be parsed, for example due to a syntax error in JSON data. The request was blocked.

Further information and links:

API Reference:
CRD Reference documentation

Internal links:
For general logging information, see Logging configuration and output formatting.
For optional access log configuration, see CR Telemetry.
For deny rules configuration, see CR DenyRules.
For header rewrites configuration (logging requires Integration mode), see CR HeaderRewrites.
For identification of the remote IP address of a client, see Downstream remote IP settings.