Log Exporter Output

Reblaze can stream traffic events via Log Exporters, e.g. to a SIEM/SOC.

Data collection

Each active Log Exporter streams events continually, in near-real time.

Reblaze gathers events for a few seconds, or until a certain amount of data has been accumulated, and then sends them all together. The latency between the actual events occurring and their receipt at the destination will generally be less than 30 seconds.

Data protocols

Reblaze sends logs using the Syslog RFC 5424 protocol.

The available transport protocols are:

  • TCP

  • TCP + TLS (requires SSL certificate)

  • UDP (not MVP)

Data format

By default, event messages are only sent for requests blocked by Reblaze.

The following requests are not included in the event stream:

  • Requests passed by Reblaze (unless the Log Exporter is in "all" mode)

  • Requests challenged by Reblaze, but not blocked

  • Requests blocked by the origin

Each line is structured as follows:

<PRI>VERSION ISOTIMESTAMP HOSTNAME APPLICATION PID MESSAGEID STRUCTURED-DATA MSG

...with these fields:

| Field | Description | Default value |
|---|---|---|
| PRI | priority | 13 [log audit] |
| VERSION | version | 1 |
| ISOTIMESTAMP | timestamp of message | timestamp in ISO format |
| HOSTNAME | hostname | reblazer |
| APPLICATION | application | - [a hyphen, i.e. no data] |
| PID | process id | - [a hyphen, i.e. no data] |
| MESSAGEID | message id | - [a hyphen, i.e. no data] |
| STRUCTURED-DATA | structured data | - [a hyphen, i.e. no data] |
| MSG | message body | The rest of the message (see details below) |
| END OF LINE | Custom EOL string | **NF** [meaning "nothing follows"] |

Each message body contains the following fields, separated by spaces, in the order shown. Strings are enclosed in double quotes.

| Field | Data type | Notes |
|---|---|---|
| REMOTE_ADDR | string | |
| TIMESTAMP | timestamp | |
| STATUS | integer | |
| BYTES_SENT | integer | |
| REQUEST | string | Path only, without the query |
| BLOCKED | boolean | |
| IS_HUMAN | boolean | |
| BLOCK_REASON | string | The reason that a request was blocked. If more than one block reason exists, only the first will be included. |
| GEOIP_COUNTRY_NAME | string | |
| GEOIP_COUNTRY_CODE | string | |
| REQUEST_ID | string | |
| CAPTURED_VECTOR | string | Relevant only for content filter rules; includes the type of the field (e.g. header) and its name. |
| REQUEST_TIME | float | |
| UPSTREAM_ADDR | string | Will be a hyphen if the request did not reach the upstream. |
| UPSTREAM_RESPONSE_TIME | float | Will be a hyphen if the request did not reach the upstream. |
| UPSTREAM_STATUS | integer | The status code returned by the upstream server, if any. Will be a hyphen if the request did not reach the upstream. |
| DOMAIN_NAME | string | The server group. |
| HOST | string | |
| REFERER | string | |
| HTTP_USER_AGENT | string | |
| ORGANIZATION | string | |
| SSL_PROTOCOL | string | |
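
A parser for the line layout described above, as an added example that is not part of the Reblaze documentation or product: it splits the RFC 5424 header, decomposes PRI into facility and severity (PRI = facility * 8 + severity), strips the custom `NF` end-of-line marker, and tokenizes the message body so that quoted strings keep their value while an unquoted hyphen becomes `None`. The sample line, the `true`/`false` spelling of booleans, and the exact placement of `NF` are constructed assumptions, not taken from the page.

```python
import re
from typing import Any, Dict, List, Tuple

EOL = "NF"  # custom end-of-line string from the page

BODY_FIELDS = [
    "REMOTE_ADDR", "TIMESTAMP", "STATUS", "BYTES_SENT", "REQUEST", "BLOCKED",
    "IS_HUMAN", "BLOCK_REASON", "GEOIP_COUNTRY_NAME", "GEOIP_COUNTRY_CODE",
    "REQUEST_ID", "CAPTURED_VECTOR", "REQUEST_TIME", "UPSTREAM_ADDR",
    "UPSTREAM_RESPONSE_TIME", "UPSTREAM_STATUS", "DOMAIN_NAME", "HOST",
    "REFERER", "HTTP_USER_AGENT", "ORGANIZATION", "SSL_PROTOCOL",
]
INT_FIELDS = {"STATUS", "BYTES_SENT", "UPSTREAM_STATUS"}
FLOAT_FIELDS = {"REQUEST_TIME", "UPSTREAM_RESPONSE_TIME"}
BOOL_FIELDS = {"BLOCKED", "IS_HUMAN"}

# <PRI>VERSION ISOTIMESTAMP HOSTNAME APPLICATION PID MESSAGEID STRUCTURED-DATA MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$", re.S)
# A body token is either a double-quoted string or a bare (unquoted) word.
TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')


def _tokens(body: str) -> List[Tuple[bool, str]]:
    """Return (quoted, value) pairs so a bare '-' can be told apart from '"-"'."""
    return [(m.group(1) is not None, m.group(1) if m.group(1) is not None else m.group(2))
            for m in TOKEN_RE.finditer(body)]


def _coerce(name: str, quoted: bool, raw: str) -> Any:
    if quoted:
        return raw  # strings are always quoted per the page
    if raw == "-":
        return None  # hyphen means "no data" (e.g. request never reached upstream)
    if name in INT_FIELDS:
        return int(raw)
    if name in FLOAT_FIELDS:
        return float(raw)
    if name in BOOL_FIELDS:
        return raw.lower() == "true"  # assumed spelling of the boolean
    return raw


def parse_line(line: str) -> Dict[str, Any]:
    line = line.rstrip("\r\n")
    if line.endswith(EOL):  # assumption: NF is appended at the end of the line
        line = line[:-len(EOL)].rstrip()
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("line does not match the RFC 5424 header layout")
    pri = int(m["pri"])
    rec: Dict[str, Any] = {"facility": pri // 8, "severity": pri % 8,
                           "version": int(m["version"]), "timestamp": m["ts"],
                           "hostname": m["host"]}
    toks = _tokens(m["msg"])
    if len(toks) != len(BODY_FIELDS):
        raise ValueError(f"expected {len(BODY_FIELDS)} body fields, got {len(toks)}")
    rec.update({n: _coerce(n, q, v) for n, (q, v) in zip(BODY_FIELDS, toks)})
    return rec


# Constructed sample event (not a real Reblaze log line).
SAMPLE = ('<13>1 2024-05-01T12:00:00.000Z reblazer - - - - '
          '"198.51.100.23" "2024-05-01T12:00:00Z" 403 0 "/login" true false '
          '"acl: deny by ip" "United States" "US" "r-0001" "header:user-agent" 0.003 '
          '- - - "shop-prod" "shop.example.com" "-" "curl/8.4.0" "Example Org" "TLSv1.3"NF')
```

Because the page says only blocked requests are exported by default, a SIEM rule can key on `BLOCKED` and `BLOCK_REASON` directly; the `None` for upstream fields confirms the request never reached the origin.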
