Field Schema Reference
About the Graylog Field Mapping Schema
The Graylog Field Mapping Schema defines the standard field names used to normalize log data across different sources. Normalization ensures that events from different systems can be analyzed, searched, and visualized consistently.
This schema is designed for both content builders and end users. Builders use it to map raw log data into consistent field names, while analysts and administrators benefit from predictable fields in dashboards, alerts, and reports.
Why Normalization Matters
Without a schema, each log source may use different field names for the same concept (e.g., src_ip vs. client_address). Normalization creates a common language so queries, dashboards, and alerts work across all sources without custom adjustments.
The higher-level operations in Graylog Illuminate, and much of its content, rely on the schema to operate.
A common schema also reduces friction when searching logs: with a single reference for event log data, searching and analyzing data, even across multiple sources, becomes more straightforward.
How Field Names Are Structured
Field names are built from prefixes that represent entities (such as 'source' or 'destination') combined with properties that describe those entities (such as 'ip' or 'hostname'). The parts are joined with underscores.
For example, the field source_ip identifies the IP address of the originator of network traffic. Similarly, destination_hostname refers to the hostname of the target system.
Some properties are always subordinate and never appear as top-level entities. For example, geolocation fields are always tied to another entity such as 'source' or 'destination'.
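To make the entity/property structure concrete, here is an added example (not Graylog's own code) that renames raw fields from two constructed sources into schema-style names and checks each result against the entity_property rule. The entity and property sets are a deliberately partial subset assumed from the examples on this page; the subordinate geolocation property names are illustrative assumptions.

```python
# Added example, not part of the Graylog Field Mapping Schema itself.
# Normalizes raw log fields from different sources into schema field names
# and validates that each name is <entity>_<property>.

# Partial entity/property sets assumed from the examples on this page.
ENTITIES = {"source", "destination", "process", "file"}
PROPERTIES = {"ip", "hostname", "path", "port"}   # "port" is an assumption
# Geolocation properties are subordinate: they only exist under an entity.
SUBORDINATE = {"geo_city", "geo_country"}          # illustrative names, assumed

# Constructed per-source mappings from raw field names to schema names.
SOURCE_MAPS = {
    "firewall": {"src_ip": "source_ip", "dst_ip": "destination_ip",
                 "dst_port": "destination_port"},
    "proxy": {"client_address": "source_ip",
              "server_name": "destination_hostname"},
}


def is_schema_field(name):
    """True if name is <entity>_<property> with a known entity and property.

    A bare subordinate property (e.g. "geo_city") is rejected because it has
    no entity prefix; a raw name such as "src_ip" is rejected because "src"
    is not an entity in the schema.
    """
    parts = name.split("_", 1)
    if len(parts) != 2:
        return False
    entity, prop = parts
    return entity in ENTITIES and (prop in PROPERTIES or prop in SUBORDINATE)


def normalize(source_type, raw_event):
    """Rename raw fields to schema names; unmapped fields keep their raw name."""
    mapping = SOURCE_MAPS[source_type]
    return {mapping.get(key, key): value for key, value in raw_event.items()}


def search_source_ip(events):
    """One query over normalized events works regardless of the log source."""
    return [e["source_ip"] for e in events if "source_ip" in e]


if __name__ == "__main__":
    fw = normalize("firewall", {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9"})
    px = normalize("proxy", {"client_address": "10.0.0.7"})
    print(search_source_ip([fw, px]))   # ['10.0.0.5', '10.0.0.7']
```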
Graylog Field Mapping Schema Entities
The entities in the schema serve as prefixes for field names. They represent common objects such as a source, destination, process, or file. Each entity may have multiple properties, such as IP, hostname, or path.
The following is a generated list of all entities defined in the Graylog Field Mapping Schema.
The following schema field definitions are part of Graylog's normalized event model:
