Event Fields
Overview
The event fields represent the core metadata associated with any log message or security event. They describe when, where, and how an event occurred — providing the contextual foundation for correlation, sequencing, enrichment, and analytics across diverse log sources.
Each field within the event entity captures a specific attribute of the log lifecycle, from when it was generated by the source system to when it was received and processed by a collector or SIEM. These fields serve as the canonical reference for temporal, structural, and contextual normalization across data sources. They also define lifecycle metadata that supports normalization across all other entity types such as file, process, user, and network.
Design and Usage
The event fields are top-level properties and are not appended to other fields. They are typically populated by the log source, collection agent, or processing pipeline. Key design principles include:
- Consistency: Provides a unified event schema across products and log types.
- Traceability: Enables end-to-end reconstruction of event flow (source → observer → collector).
- Temporal accuracy: Separates creation, start, end, and received times for forensic clarity.
- Cross-platform support: Applicable to operating systems, cloud services, applications, and network devices.
Common Use Cases
- Correlation and timeline reconstruction: Use event_start, event_end, and event_created to sequence actions within or across systems.
- Data provenance tracking: Combine event_source, event_reporter, and event_observer_* fields to identify the true origin of an event.
- Severity and outcome analysis: Use event_severity and event_outcome for risk scoring, prioritization, and alert tuning.
- Forensic validation: Cross-reference event_code, event_id, and event_log_name with vendor documentation or reference databases.
Implementation Notes
Event timing
- event_created represents when the event actually occurred or was created by the source.
- event_received_time represents when the event was ingested by a collector or SIEM.
- event_start and event_end provide a temporal range for duration-based activities.
Identifiers
- event_code is numeric (e.g., a Windows Event ID), enabling range-based queries.
- event_id is string-based and may include non-numeric vendor identifiers.
- event_uid provides a globally unique reference for deduplication and traceability.
Observer Fields
The event_observer_* fields represent the system that monitored or inspected the source (for example, an IDS inspecting network traffic). These distinguish between event producer and event observer roles in telemetry chains.
Summary
The event entity forms the backbone of the field schema. It defines a consistent, technology-agnostic vocabulary for describing when and where an event occurred, what action took place, how it was reported, and how its severity or outcome should be interpreted. Together, these fields enable accurate correlation, alerting, and investigative workflows across the entire telemetry pipeline.
| field | field_type | description | example_values |
|---|---|---|---|
| event_action | keyword | Action described in a log, such as a firewall log or an antivirus agent log. | blocked, allowed, scan_start, scan_end, scan_pause, scan_cancel, scan_resume |
| event_code | long | Numeric event code defined by the vendor representing the source message type, e.g. EventCode/Event ID for Microsoft. This field is treated as a numeric value in order to support ranged queries. Any leading 0 values will be removed. | 4624, 1 |
| event_created | date | Date/time that the event actually occurred or when the original event message was created. | 2020-02-20 08:23:15.102, 1602080607 |
| event_duration | long | Length of time, in seconds, of the event being described. | 10293874 |
| event_end | date | Date/time that the event described in the log message concluded; usually associated with an event that has a duration. | 2021-03-26T11:25:13.113 |
| event_error_code | keyword | Vendor-provided error code associated with the current message. | 0xC00008 |
| event_error_description | keyword | Description of the error associated with the current message. | ERROR_ACCESS_DENIED, Not Found |
| event_id | keyword | Vendor-provided identifier representing a message type. This is similar to event_code but is instead mapped as a literal string value. Ranged searches are not supported, but the ID values will not be modified in any way. | 0023425, 90EF8 |
| event_log_name | keyword | Reference to the log, such as 'Security' or 'auth.log'. This differs from vendor_subtype in that it refers to the original source the log was collected from. | security, auth.log |
| event_log_path | keyword | Full path of the log file source. | /var/log/syslog |
| event_observer_hostname | keyword/lowercase | Hostname or FQDN of a system, such as an IDS or IPS, that generates a message (such as an alert) based on inspection of something such as network traffic. | SERVER01.server01.corp.internal |
| event_observer_id | keyword | Unique ID of the observer device, such as a serial number. | 234cd78sc |
| event_observer_ip | ip | IP address of the event observer. | 10.1.2.3, fe80:5cc3:11:4::2c |
| event_observer_uid | keyword | Unique identifier (such as a serial number or asset ID) associated with the event observer. | |
| event_received_time | date | Date/time that the event was received by the reporting host. Normally applicable to logs relayed by a centralized log server. | 2020-02-20 08:00:00, 1602080607 |
| event_repeat_count | long | Count of times a message has been repeated. | 5, 3, 9185 |
| event_reporter | keyword | Hostname or IP of the system that delivered the message to Graylog: a WEC server, syslog collector, etc. | SERVER01.server01.corp.internal |
| event_source | keyword | Hostname or IP of the source system that generated the event. | LAPTOP01, laptop01.corp.internal |
| event_source_api_version | keyword | API version of the source where logs are collected via API. | |
| event_source_product | keyword | System responsible for generating the event, e.g. "windows", "okta", etc. | windows, linux, okta |
| event_start | date | Beginning time of an event described in a log message, usually associated with an event that has a duration. | 2020-02-20 08:00:00, 1602080607 |
| event_uid | keyword | Unique identification associated with a single event/message (e.g. "record number" from Windows event logs, a Graylog message ID). | 1123523564, 0122e2b3-9923-11ea-ab51-061b68b4ca16 |
| event_outcome | keyword | The outcome (success/failure) of the action described by event_action. | success, failure |
| event_severity | keyword | Added by Illuminate Core if only event_severity_level is defined. This can be mapped from vendor severity levels that do not use the same severity definitions. | critical, high, medium, low, informational |
| event_severity_level | byte | Numeric representation of the severity rating of the source message: 1 = informational, 2 = low, 3 = medium, 4 = high, 5 = critical. Added by Illuminate Core when only event_severity is defined. | 1-5 |
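The following is an added illustration, not Graylog or Illuminate code, of the identifier and severity rules described above: event_code is stored as a number with leading zeros dropped, event_id is kept verbatim, and whichever of event_severity / event_severity_level is missing is derived from the other using the 1-5 mapping in the table. The input record and its field names are constructed for the example and do not represent any real vendor format.

```python
from datetime import datetime

# Severity vocabulary from the event_severity_level row of the table above.
SEVERITY_LEVELS = {"informational": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}
LEVEL_TO_SEVERITY = {level: name for name, level in SEVERITY_LEVELS.items()}

# Constructed sample input (assumed field names, not a real vendor schema).
RAW_RECORD = {
    "EventCode": "004624",          # numeric vendor code with leading zeros
    "VendorMessageId": "0023425",   # string identifier, must stay verbatim
    "RecordNumber": "1123523564",
    "Channel": "Security",
    "Computer": "LAPTOP01.corp.internal",
    "Collector": "SERVER01.server01.corp.internal",
    "TimeCreated": "2020-02-20T08:23:15.102+00:00",
    "TimeReceived": "2020-02-20T08:23:16.000+00:00",
    "Severity": "Low",
}

def fill_severity(event):
    """Derive the missing half of the event_severity /
    event_severity_level pair, as the table attributes to Illuminate Core."""
    sev = event.get("event_severity")
    lvl = event.get("event_severity_level")
    if sev is None and lvl is not None:
        event["event_severity"] = LEVEL_TO_SEVERITY[int(lvl)]
    elif lvl is None and sev is not None:
        event["event_severity_level"] = SEVERITY_LEVELS[sev.lower()]
    return event

def normalize(raw):
    """Map the constructed record onto event_* fields."""
    event = {
        # long: int() drops the leading zeros so ranged queries work
        "event_code": int(raw["EventCode"]),
        # keyword: untouched, so "0023425" keeps its leading zeros
        "event_id": raw["VendorMessageId"],
        "event_uid": raw["RecordNumber"],
        "event_log_name": raw["Channel"],
        "event_source": raw["Computer"],
        "event_reporter": raw["Collector"],
        "event_created": datetime.fromisoformat(raw["TimeCreated"]),
        "event_received_time": datetime.fromisoformat(raw["TimeReceived"]),
        "event_severity": raw["Severity"].lower(),
    }
    return fill_severity(event)

def ingest_lag_seconds(event):
    """Collection delay: event_received_time minus event_created."""
    return (event["event_received_time"] - event["event_created"]).total_seconds()
```

Comparing event_created with event_received_time this way is a quick check for clock skew or collector backlog before trusting a timeline built from these fields.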
