LOG: Log Event
A single ingested log event from an external system. Each LOG belongs to exactly one LOGSOURCE and is stored in the per-tenant {subscriptionId}_logs DynamoDB table, NOT the main subscription table, so that high-volume log writes never reach OpenSearch and never bloat the main entity store.
Default definition. This article describes the default LOG definition shipped with DemandFlow. Administrators can add, remove, rename, or re-type fields, change which ones are required, and alter the layout from the Definitions screen in Settings. Your tenant's current schema may differ from what is shown here. To read the current definition at any time, GET the DEFINITION object whose id matches LOG.
Entity properties
| Property | Value |
|---|---|
| Entity code | LOG |
| Display name | Log Event |
| Plural | Log Events |
| Level | 9110 |
Use cases
LOG records are written exclusively by the logIngestExt Lambda; they are never created from the UI. The envelope fields (timestamp, severity, category, host, user, action, outcome, message, tags) are normalised by the ingest Lambda before write so they can be filtered consistently across sources of different shapes. The original payload is preserved verbatim in the raw field as a JSON string.
Fields
Event Envelope
| Field | Type | Required | Notes |
|---|---|---|---|
| timestamp | datetime | Yes | When the event occurred at the source: provided by the source, NOT the time DemandFlow received it. Read only. |
| ingestedAt | datetime | | When DemandFlow received the event. Read only. |
| severity | enum | Yes | Severity. Valid ids: debug (Debug), info (Info), notice (Notice), warn (Warning), error (Error), critical (Critical). |
| category | enum | | Category. Valid ids: auth (Auth), network (Network), app (Application), system (System), audit (Audit), other (Other). |
| sourceId | text | | Immutable LOGSOURCE slug, stamped at ingest time; it never changes even if the LOGSOURCE display name is renamed. Read only. |
| sourceType | text | | Source Type. Read only. |
| host | text | | Host. Read only. |
| user | text | | User. Read only. |
| action | text | | Action. Read only. |
| outcome | enum | | Outcome. Read only. Valid ids: success (Success), failure (Failure), unknown (Unknown). |
| message | text (multi-line) | | Short human-readable summary line. Read only. |
| tags | array | | Tags. Read only. |
| linkedTicketRef | text | | Populated when a ticket has been created from this event via the Create Ticket toolbar action. Prevents duplicate tickets being raised for the same event. Read only. |
| linkedTicketId | text | | Linked ticket ID. Read only. |
Relationships
- No declared relationships in the default definition.
Creating a Log Event via the API
POST /v1/objects
Authorization: Bearer <your-pat>
Content-Type: application/json

{
  "entity": "LOG",
  "level": 9110,
  "comboKey": "SUB:<your-sub-id>|ENT:",
  "timestamp": "2026-01-01T12:00:00Z",
  "severity": "debug",
  "ingestedAt": "2026-01-01T12:00:00Z",
  "category": "auth"
}
Listing Log Event records
# All log events in your tenant
GET /v1/entities/LOG/SUB
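
Because the envelope fields are normalised across sources, retrieved Log Events can be screened with one set of rules. The Python below is an added example, not DemandFlow code: it checks events against the default definition's required fields and enum ids, flags source timestamps later than ingestedAt, and reports bursts of failed auth events while skipping events that already have linkedTicketRef set. It assumes events are already loaded as dicts keyed by the default field names; the function names, thresholds and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Enum ids copied from the default LOG definition in the Fields table.
ENUMS = {
    "severity": {"debug", "info", "notice", "warn", "error", "critical"},
    "category": {"auth", "network", "app", "system", "audit", "other"},
    "outcome": {"success", "failure", "unknown"},
}

def parse_ts(value):  # assumes ISO 8601 with trailing Z, as in the API example
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate(event):
    """Return a list of problems against the default definition (empty = valid)."""
    problems = [f"missing {f}" for f in ("timestamp", "severity") if not event.get(f)]
    for field, allowed in ENUMS.items():
        if event.get(field) is not None and event[field] not in allowed:
            problems.append(f"bad {field}: {event[field]!r}")
    return problems

def future_dated(event, tolerance=timedelta(minutes=2)):
    """timestamp is source-provided: flag it when it is later than ingestedAt."""
    ts, got = event.get("timestamp"), event.get("ingestedAt")
    return bool(ts and got) and parse_ts(ts) - parse_ts(got) > tolerance

def failed_auth_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Return (user, host) pairs with >= threshold auth failures inside window.
    Invalid events and events that already have linkedTicketRef are skipped."""
    seen = defaultdict(list)
    for e in events:
        if validate(e) or e.get("linkedTicketRef"):
            continue
        if e.get("category") == "auth" and e.get("outcome") == "failure":
            seen[(e.get("user"), e.get("host"))].append(parse_ts(e["timestamp"]))
    hits = []
    for key, stamps in seen.items():
        stamps.sort()
        if any(b - a <= window for a, b in zip(stamps, stamps[threshold - 1:])):
            hits.append(key)
    return hits

# Constructed sample events (not real data), default envelope fields only.
def _ev(ts, user, **extra):
    return {"timestamp": ts, "ingestedAt": ts, "severity": "warn", "category": "auth",
            "host": "vpn-01", "user": user, "outcome": "failure", **extra}
SAMPLE = [_ev("2026-01-01T12:00:00Z", "alice"), _ev("2026-01-01T12:01:10Z", "alice"),
          _ev("2026-01-01T12:03:30Z", "alice"), _ev("2026-01-01T12:20:00Z", "bob"),
          _ev("2026-01-01T12:21:00Z", "bob"),
          _ev("2026-01-01T12:22:00Z", "bob", linkedTicketRef="TICKET-PLACEHOLDER")]
```

The burst window is measured on timestamp rather than ingestedAt, so events delivered late still count toward the time they occurred at the source.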