This guide is a reference for the schema used in Graylog Illuminate. We will keep this updated as changes are made, but if you feel a change should be included, please open a GitHub issue here.

How To Use this Guide

Welcome to the Graylog Information Model (GIM) schema. The schema is broken down into sections, like “File” or “Destination,” with all metadata fields below.

Graylog Illuminate will utilize this schema for all the content we create. This guide will the be official reference and should be used if you are creating your own content and want it to match our content.

For example, if you take any log source and put the user name into a field called user_name, then any dashboard or alert created with Illuminate will work as well.

Graylog Template

When logs are processed, data from the logs are inserted into OpenSearch as “keywords,” meaning they are not modified in any way and stored as-is. This means the following data points are unique:

Administrator or administrator.

If you are searching in the Graylog UI, you would have to search for both of these terms or know exactly which one to search for. Fields like user_name make sense to be able to search without worrying about the case of the word.

In order to ensure these options are accounted for, a custom analyzer has been included in the Graylog Schema template called “loweronly.” Fields normalized with “loweronly” will be converted to lowercase before the data is indexed, and search query strings for these fields will be converted to lowercase when ran as well. Pages in the schema will list these fields as keyword/loweronly for reference.