Cloudmersive Reverse Proxy Server - Azure Log Analytics Logging Schema
2/23/2026 - Cloudmersive Support
This document describes the schema of log entries sent by the Cloudmersive Reverse Proxy Server to Azure Log Analytics.
Log Entry Structure
Each log entry is a JSON object containing an envelope with metadata and a nested message payload.
Envelope Fields
id (string) - Unique identifier for the log entry
datetime (string) - Timestamp of the log entry
message (string) - JSON-encoded string containing the log data fields described below
Log Data Fields
The message field contains a JSON-encoded object with the following fields. Which fields are present depends on the Data to Log options enabled on the logging policy.
Always Included
NodeID (string) - Identifier of the reverse proxy node that processed the request
ContentLength (string) - Content length of the request body
TransactionID (string) - Unique identifier for the request/response transaction
HttpResponseCode (string) - HTTP status code of the response (e.g., "200", "404")
HttpResponseContentLength (string) - Content length of the response body
OriginResponseTime (string) - Time in milliseconds for the origin server to return a response
TotalResponseTime (string) - Total time in milliseconds for the complete request/response cycle
Included When "Log request URL" Is Enabled
URL (string) - Full request URL
HttpMethod (string) - HTTP method (e.g., GET, POST, PUT, DELETE)
Hostname (string) - Host from the request
Port (string) - Port from the request
UserAgent (string) - Value of the User-Agent request header
Included When "Log client IP address" Is Enabled
ClientIP (string) - IP address of the client
XForwardedFor (string) - Value of the X-Forwarded-For header, if present
TrueClientIP (string) - Value of the True-Client-IP header, if present
Included When "Log request headers" Is Enabled
Headers (string) - JSON array of header objects, each containing HeaderName and HeaderValue
Example Headers value:
[
{ "HeaderName": "Accept", "HeaderValue": "text/html" },
{ "HeaderName": "Content-Type", "HeaderValue": "application/json" }
]
Included When "Log policy result details" Is Enabled
PolicyResult (string) - JSON-encoded security policy evaluation outcome for the request
Example Log Entry
{
"id": "id-here",
"datetime": "2026-03-04T12:00:00.000Z",
"message": "{\"NodeID\":\"node-id-here\",\"URL\":\"https://example.com/api/data\",\"HttpMethod\":\"GET\",\"Hostname\":\"example.com\",\"Port\":\"443\",\"UserAgent\":\"Mozilla/5.0\",\"ClientIP\":\"203.0.113.50\",\"XForwardedFor\":\"203.0.113.50\",\"TrueClientIP\":\"\",\"ContentLength\":\"0\",\"TransactionID\":\"txn-id-here\",\"HttpResponseCode\":\"200\",\"HttpResponseContentLength\":\"1234\",\"OriginResponseTime\":\"45\",\"TotalResponseTime\":\"50\"}"
}
Notes
- The message field is a JSON-encoded string. To query individual fields in Log Analytics, you will need to parse the message field (e.g., using KQL's parse_json() function).
- All field values are strings, including numeric values such as HttpResponseCode and OriginResponseTime.
- Fields that are not applicable or not available for a given request may be empty strings.
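The three notes above matter most when entries are processed outside Log Analytics, for example in an export or detection pipeline. The following Python sketch is an added example, not Cloudmersive code: it decodes the envelope, decodes the message string a second time, converts the numeric strings, and maps empty strings to None. The function names and the sample entry are constructed for illustration, and it assumes Headers and PolicyResult arrive as JSON text inside the message.

```python
import json

# Fields the schema documents as numeric values carried as strings.
NUMERIC_FIELDS = {"ContentLength", "HttpResponseCode", "HttpResponseContentLength",
                  "OriginResponseTime", "TotalResponseTime"}
NESTED_JSON_FIELDS = {"Headers", "PolicyResult"}  # assumed: JSON text inside a string

def _to_number(text):
    """Convert a numeric string to int or float; return it unchanged if neither."""
    for cast in (int, float):
        try:
            return cast(text)
        except ValueError:
            continue
    return text

def parse_entry(raw):
    """Decode one log entry (envelope plus JSON-encoded message) into a flat dict."""
    envelope = json.loads(raw)
    data = json.loads(envelope["message"])  # second decode: message is a string
    record = {"id": envelope.get("id"), "datetime": envelope.get("datetime")}
    for key, value in data.items():
        record[key] = value                 # default: keep the value as logged
        if not isinstance(value, str):
            continue
        if value == "":
            record[key] = None              # not applicable / not available
        elif key in NUMERIC_FIELDS:
            record[key] = _to_number(value)
        elif key in NESTED_JSON_FIELDS:
            try:
                record[key] = json.loads(value)
            except ValueError:
                pass                        # keep raw text if it is not valid JSON
    return record

def header_values(record, name):
    """Return every logged value of a request header, matched case-insensitively."""
    headers = record.get("Headers")
    if not isinstance(headers, list):
        return []
    return [h.get("HeaderValue") for h in headers
            if isinstance(h, dict) and str(h.get("HeaderName", "")).lower() == name.lower()]

# Constructed sample entry, modelled on the example log entry above.
_message = {"NodeID": "node-id-here", "ClientIP": "203.0.113.50", "TrueClientIP": "",
            "HttpResponseCode": "200", "OriginResponseTime": "45", "Headers": json.dumps(
                [{"HeaderName": "Content-Type", "HeaderValue": "application/json"}])}
SAMPLE_ENTRY = json.dumps({"id": "id-here", "datetime": "2026-03-04T12:00:00.000Z",
                           "message": json.dumps(_message)})
```

Fields absent from an entry (because the corresponding Data to Log option is off) are simply missing from the returned dict, which keeps them distinguishable from fields logged as empty.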