Destination Fields

edit

Destination fields describe details about the destination of a packet/event.

Destination fields are usually populated in conjunction with source fields.

Destination Field Details

edit
Field Description Level

destination.address

Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field.

Then it should be duplicated to .ip or .domain, depending on which one it is.

type: keyword

extended

destination.bytes

Bytes sent from the destination to the source.

type: long

example: 184

core

destination.domain

Destination domain.

type: keyword

core

destination.ip

IP address of the destination.

Can be one or multiple IPv4 or IPv6 addresses.

type: ip

core

destination.mac

MAC address of the destination.

type: keyword

core

destination.nat.ip

Translated ip of destination based NAT sessions (e.g. internet to private DMZ)

Typically used with load balancers, firewalls, or routers.

type: ip

extended

destination.nat.port

Port the source session is translated to by NAT Device.

Typically used with load balancers, firewalls, or routers.

type: long

extended

destination.packets

Packets sent from the destination to the source.

type: long

example: 12

core

destination.port

Port of the destination.

type: long

core

Field Reuse

edit
Field sets that can be nested under Destination
edit
Nested fields Description

destination.as.*

Fields describing an Autonomous System (Internet routing prefix).

destination.geo.*

Fields describing a location.

destination.user.*

Fields to describe the user relevant to the event.