Message format

Message Format

As of Base Software 8.3, the appliance uses two message formats:

  • OCSF-aligned JSON: For the appliance's Base security events and for web-server access logs.
  • The existing field-and-value text format: For installed-application events, which are unchanged.

Some forwarded messages are always plain syslog text and are never JSON: OS-level authentication events, installed-application messages, and occasional operational messages from the reverse proxy.

JSON Events

On the wire, each event is a standard syslog line whose message (MSG) is the JSON object. A Base security event in RFC 5424 format looks like:

<13>1 2026-07-10T20:00:00.000000+00:00 appliance.example.com user - - - {"message":"Login successful","activity_name":"Logon", ... }

<13> is the priority - facility user, with a severity that varies by event; user is the program name (the RFC 5424 APP-NAME, or the tag in a legacy BSD format). Everything after the header is the JSON message. Collectors often strip the leading <13> when writing the message to a file, and a legacy BSD format uses the RFC 3164 header instead.

A web-server access event (HTTP category - on-premises only) arrives with a different facility and program - facility daemon, and a program name of nginx, httpd, or haproxy (the web server that handled the request) — and its JSON has a request-and-response shape with no message, activity_name, or status:

<30>1 2026-07-10T20:00:00.000000+00:00 appliance.example.com haproxy - - - {"src_endpoint":{"ip":"192.0.2.10","port":41522}, ... }

Examples

The following examples show each JSON message individually and format it for readability.

A Base security event:

{
  "message": "Login successful",
  "activity_name": "Logon",
  "status": "Success",
  "status_id": 1,
  "time": 1780000000000,
  "actor": { "user": { "name": "admin" } },
  "src_endpoint": { "ip": "192.0.2.10" },
  "metadata": { "correlation_uid": "b1c2d3e4-0000-4a5b-8c9d-000000000001" },
  "auth_protocol": "Password",
  "auth_protocol_id": 99,
  "service": { "name": "Appliance Web" }
}

A web-server access event: On-premises only

{
  "src_endpoint": { "ip": "192.0.2.10", "port": 41522 },
  "metadata": { "correlation_uid": "b1c2d3e4-0000-4a5b-8c9d-000000000001" },
  "time": 1780000000000,
  "http_request": {
    "http_method": "POST",
    "url": { "hostname": "appliance.example.com", "scheme": "https", "path": "/appliance/login", "query_string": "" },
    "version": "HTTP/2.0",
    "user_agent": "Mozilla/5.0",
    "length": 512
  },
  "http_response": { "code": 200, "length": 1024 },
  "tls": { "version": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384", "sni": "appliance.example.com" },
  "duration": 42
}

The correlation_uid value is shared between a web-server access event and any Base security events produced by the same request, so related events can be tied together.


©2003-2026 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.