Message format
Message Format
As of Base Software 8.3, the appliance uses two message formats:
- OCSF-aligned JSON: For the appliance's Base security events and for web-server access logs.
- The existing field-and-value text format: For installed-application events, which are unchanged.
Some forwarded messages are always plain syslog text and are never JSON: OS-level authentication events, installed-application messages, and occasional operational messages from the reverse proxy.
JSON Events
On the wire, each event is a standard syslog line whose message (MSG) is the JSON object. A Base security event in RFC 5424 format looks like:
<13>1 2026-07-10T20:00:00.000000+00:00 appliance.example.com user - - - {"message":"Login successful","activity_name":"Logon", ... }
<13> is the priority - facility user, with a severity that varies by event; user is the program name (the RFC 5424 APP-NAME, or the tag in a legacy BSD format). Everything after the header is the JSON message. Collectors often strip the leading <13> when writing the message to a file, and a legacy BSD format uses the RFC 3164 header instead.
A web-server access event (HTTP category - on-premises only) arrives with a different facility and program - facility daemon, and a program name of nginx, httpd, or haproxy (the web server that handled the request) — and its JSON has a request-and-response shape with no message, activity_name, or status:
<30>1 2026-07-10T20:00:00.000000+00:00 appliance.example.com haproxy - - - {"src_endpoint":{"ip":"192.0.2.10","port":41522}, ... }
Examples
The following examples show each JSON message individually and format it for readability.
A Base security event:
{
"message": "Login successful",
"activity_name": "Logon",
"status": "Success",
"status_id": 1,
"time": 1780000000000,
"actor": { "user": { "name": "admin" } },
"src_endpoint": { "ip": "192.0.2.10" },
"metadata": { "correlation_uid": "b1c2d3e4-0000-4a5b-8c9d-000000000001" },
"auth_protocol": "Password",
"auth_protocol_id": 99,
"service": { "name": "Appliance Web" }
}A web-server access event: On-premises only
{
"src_endpoint": { "ip": "192.0.2.10", "port": 41522 },
"metadata": { "correlation_uid": "b1c2d3e4-0000-4a5b-8c9d-000000000001" },
"time": 1780000000000,
"http_request": {
"http_method": "POST",
"url": { "hostname": "appliance.example.com", "scheme": "https", "path": "/appliance/login", "query_string": "" },
"version": "HTTP/2.0",
"user_agent": "Mozilla/5.0",
"length": 512
},
"http_response": { "code": 200, "length": 1024 },
"tls": { "version": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384", "sni": "appliance.example.com" },
"duration": 42
}The correlation_uid value is shared between a web-server access event and any Base security events produced by the same request, so related events can be tied together.
Updated 2 days ago