OGO log export format

Log export

OGO log export format

This article describes the log format that OGO sends when you activate the Log Export feature. The listing below is an annotated example of one exported record; the `//` comments are documentation only and are not part of the exported JSON.

Last updated on 13 Jan, 2026

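{
    // Annotated example of one exported record. The "// ..." comments are
    // documentation only; the export itself is plain JSON without them.
    // Note that several flag-like fields are string-typed ("true"/"false"),
    // not JSON booleans, so consumers must compare them as strings.
    "@version": "1", // Internal log export configuration version
    "action": "suspicious", // Action taken by OGO
    "cache": "NONE", // Whether the resource was cached by OGO
    "cause": "", // Cause of the action (empty string in this sample)
    "clientIP": "1.1.1.1", // Client IP as determined by OGO
    "clientPort": "56738", // Client source port (string-typed)
    "clusterId": "163.172.105.73", // Cluster UID
    "countryCode": "FR", // ISO 3166-1 alpha-2 country code
    "geoIp": { // GeoIP lookup result (latitude/longitude are string-typed)
        "countryCode": "FR",
        "cityName": "Paris",
        "latitude": "48.844",
        "longitude": "2.408"
    },
    "requestInfo": { // Request metadata
        "scheme": "https", // Scheme: http or https
        "method": "GET", // Request method
        "protocol": "HTTP/2.0", // Request protocol
        "content-size": "0", // Request body content-size (string-typed)
        "query-string": "some_query=...", // Query parameters, as sent by the client
        "request-uri": "/some-vulnerable-path" // Path (without query parameters), as sent by the client
    },
    "requestHeaders": { // Request headers, as sent by the client: treat their values as untrusted input when displaying or querying them
        "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "user-agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36",
        "x-forwarded-for": [ "1.1.1.1" ], // Client-supplied header (array of strings); prefer the top-level clientIP for attribution
        "host": "example.com"
    },
    "responseHeaders": { // Response headers
        "content-encoding": "gzip",
        "content-type": "text/html; charset=UTF-8"
        // ... further response headers as returned by the origin server
    },
    "ogo": { // OGO actions
        "whitelistedIp": "false", // Is the IP a whitelisted IP (string "true"/"false")
        "blocked": "false", // Is the request blocked (string "true"/"false")
        "driveUid": "45B5F128B47C4AD494DB7F8B0D1D539D", // Strongest-belief drive UID which reacted to the request
        "driveLabel": "Command Injection - Bash", // Strongest-belief drive translation
        "dryRun": "false", // Is in Audit mode (string "true"/"false")
        "geoBlocked": "false", // Is the country geoblocked (string "true"/"false")
        "appliedAction": "brain", // OGO action, can be: brain (analyzed) / bypass (not analyzed) / denied (blocked by access control rule)
        "credibility": 51000 // Credibility rating of the request (JSON number), value between 0 and 100,000; the IP is temporarily banned when it drops below the acceptability threshold
    },
    "ogoVersion": "1", // Internal log export configuration version, only present for Microsoft Sentinel v2
    "requestBody": "...", // Only present if a drive was detected inside; may hold the raw request payload, so treat it as untrusted and potentially sensitive
    "requestUrl": "https://example.com/some-vulnerable-page?some_query=...", // Full URL
    "responseCode": 200, // Origin server response code (JSON number)
    "responseContentSize": 34143, // Response body content-size (JSON number)
    "responseTimeMs": 112, // Response time between OGO and origin server, in milliseconds
    "serviceAddr": "2.2.2.2", // Origin server IP address
    "site": "example.com", // Normalized FQDN
    "TimeGenerated": "2024-04-24T01:08:02.491Z", // ISO 8601 timestamp, only present for Microsoft Sentinel v2
    "timestamp": 1657875209811, // Epoch milliseconds timestamp of the start of the request
    "tlsCipher": "TLS_AES_128_GCM_SHA256", // TLS cipher used
    "tlsVersion": "1.3" // TLS version (last member: no trailing comma)
}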
