Service Fields

Overview

The service fields describe system daemons, services, or background processes that operate as managed components of an operating environment. They represent the identifying attributes of a service, such as its name, version, and operational state, as observed in telemetry from operating systems or service managers. The entity provides a consistent structure for representing service-level information across diverse platforms and execution models.

Design and Usage

The service entity defines the conceptual characteristics of a system service without relying on vendor-specific naming or control mechanisms. It captures the essential properties of a service to support monitoring, auditing, and analysis of background processes and managed workloads. As a top-level entity, service stands independently and may be referenced by events that describe lifecycle changes, operational status, or configuration updates.

Common Use Cases

  • Monitoring service start, stop, and restart activity across operating systems
  • Associating events with the specific service responsible for generating or handling system actions
  • Tracking service versions and states for security, compliance, or operational diagnostics

Implementation Notes

As a top-level entity, service represents the complete object associated with a system daemon or background process. Its fields should remain stable and platform-neutral to ensure consistent interpretation across heterogeneous environments. If a related entity is implied by an event but not explicitly provided, corresponding fields should be included to clarify event semantics and maintain relational integrity.

| field | field_type | description | example_values |
|---|---|---|---|
| service_name | keyword | Identifies the service or daemon by its assigned name. | graylog-server.service, sshd, graylog-sidecar |
| service_version | keyword | Version value associated with the service or its underlying application. | 1.0.1054 |
| service_state | keyword | Indicates the operational state of the service. | running, started, stopped |
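
The following added example (not part of the original schema documentation) shows one way to map platform-specific service telemetry onto these three fields and then flag watched services whose last observed state is stopped. The record layout (source, unit, message, version keys), the state mapping, and the sample records are assumptions constructed for illustration.

```python
import re

# Assumed mapping from systemd wording to platform-neutral service_state values.
SYSTEMD_STATE = {"Started": "started", "Stopped": "stopped"}
SYSTEMD_MSG = re.compile(r"^(?P<verb>Started|Stopped) ")
# Wording of Windows Service Control Manager state-change messages.
WINDOWS_SCM = re.compile(
    r"^The (?P<name>.+) service entered the (?P<state>running|stopped) state\.$")

# Constructed sample records (hypothetical layout, not real telemetry).
SAMPLES = [
    {"source": "systemd", "unit": "graylog-server.service",
     "message": "Stopped Graylog server.", "version": "1.0.1054"},
    {"source": "systemd", "unit": "graylog-server.service",
     "message": "Started Graylog server."},
    {"source": "windows_scm",
     "message": "The graylog-sidecar service entered the stopped state."},
    {"source": "systemd", "unit": "sshd.service",
     "message": "Reloading OpenSSH server daemon."},
]

def normalize(record):
    """Return service_* fields for one record, or None if it is not a state change."""
    msg, fields = record.get("message", ""), None
    if record.get("source") == "systemd":
        m = SYSTEMD_MSG.match(msg)
        if m and record.get("unit"):
            fields = {"service_name": record["unit"],
                      "service_state": SYSTEMD_STATE[m.group("verb")]}
    elif record.get("source") == "windows_scm":
        m = WINDOWS_SCM.match(msg)
        if m:
            fields = {"service_name": m.group("name"),
                      "service_state": m.group("state")}
    if fields and record.get("version"):
        # service_version is a keyword field, so keep it as a string.
        fields["service_version"] = str(record["version"])
    return fields

def stopped_services(records, watched):
    """Names of watched services whose most recent normalized state is 'stopped'."""
    last = {}
    for rec in records:  # records are assumed to be in chronological order
        f = normalize(rec)
        if f:
            last[f["service_name"]] = f["service_state"]
    return sorted(n for n in watched if last.get(n) == "stopped")

if __name__ == "__main__":
    print(stopped_services(SAMPLES, {"graylog-server.service", "graylog-sidecar"}))
```

Because both platforms end up with the same service_state vocabulary, the stopped-service check needs no per-platform logic.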