Field Name | Example Values | Field Type | Notes
---|---|---|---
event_action | blocked, allowed, scan_start, scan_end, scan_pause, scan_cancel, scan_resume | keyword | Action described in a log, such as a firewall log or an antivirus agent log
event_code | 4624, 1 | long | Numeric event identifier defined by the vendor representing the source message type, e.g. EventCode/Event ID for Microsoft. This field is treated as a numeric value in order to support ranged queries, so any leading zeros are removed
event_created | 2020-02-20 08:23:15.102, 1602080607 | date | Date/time that the event actually occurred or when the original event message was created
event_duration | 10293874 | long | Length of time, in seconds, of the event being described
event_end | 2021-03-26T11:25:13.113 | date | Date/time at which the event described in the log message concluded, usually associated with an event that has a duration
event_error_code | 0xC00008 | keyword | Vendor-provided error code associated with the current message
event_error_description | ERROR_ACCESS_DENIED, Not Found | keyword | Description of the error associated with the current message
event_id | 0023425, 90EF8 | keyword | Vendor-provided identifier representing a message type. This is similar to event_code but is stored as a literal string value instead: ranged searches are not supported, but the ID values are not modified in any way (leading zeros are kept)
event_log_name | security, auth.log | keyword | Reference to the log, such as 'Security', 'auth.log', etc. This differs from vendor_subtype in that it refers to the original source the log was collected from
event_log_path | /var/log/syslog | keyword | Full path of the log file source
event_observer_hostname | SERVER01.server01.corp.internal | keyword/loweronly | Hostname or FQDN of a system such as an IDS or IPS that generates a message (such as an alert) based on inspection of something else, such as network traffic
event_observer_id | 234cd78sc | keyword | Unique ID of the observer device, serial number, etc.
event_observer_ip | 10.1.2.3, fe80:5cc3:11:4::2c | ip | IP address of the event observer
event_observer_uid | | keyword | Unique identifier (such as a serial number or asset ID) associated with the event observer
event_received_time | 2020-02-20 08:00:00, 1602080607 | date | Date/time at which the event was received by the reporting host. Normally applicable to logs relayed by a centralized log server
event_repeat_count | 5, 3, 9185 | long | Count of times a message has been repeated
event_reporter | SERVER01.server01.corp.internal | keyword | Hostname or IP of the system that delivered the message to Graylog, such as a WEC server, syslog collector, etc.
event_source | LAPTOP01, laptop01.corp.internal | keyword | Hostname or IP of the source system that generated the event
event_source_api_version | | keyword | API version of the source, for logs collected via an API
event_source_product | windows, linux, okta | keyword | System responsible for generating the event, e.g. "windows", "okta", etc.
event_start | 2020-02-20 08:00:00, 1602080607 | date | Beginning time of an event described in a log message, usually associated with an event that has a duration
event_uid | 1123523564, 0122e2b3-9923-11ea-ab51-061b68b4ca16 | keyword | Unique identifier associated with a single event/message (e.g. the "record number" from Windows event logs, or a Graylog message ID)
Field Name | Example Values | Field Type | Notes
---|---|---|---
event_outcome | success, failure | keyword | The outcome (success/failure) of the action described by event_action
event_severity | critical, high, medium, low, informational | keyword | Added by Illuminate Core when only event_severity_level is defined. This can be mapped from vendor severity levels that do not use the same severity definitions
event_severity_level | 1-5 | byte | Numeric representation of the severity rating of the source message: 1 = informational, 2 = low, 3 = medium, 4 = high, 5 = critical. Added by Illuminate Core when only event_severity is defined
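The tables above describe several normalization rules that are easy to get wrong when writing your own pipeline rules or a pre-processor for a custom source: event_code is numeric with leading zeros stripped while event_id keeps the vendor string verbatim, timestamps arrive as either ISO-8601 text or Unix epoch seconds, event_duration is whole seconds, and event_severity and event_severity_level are derived from each other when only one is present. The following is an added example, not Graylog or Illuminate code, showing those rules applied to a constructed vendor record. The raw field names (action, code, msg_id, start, end, received, severity, outcome, host), the vendor severity vocabulary in VENDOR_SEVERITY, and the assumption that naive timestamps are UTC are all assumptions of this example.

```python
from datetime import datetime, timezone

# Illuminate's 1-5 severity scale, taken from the event_severity_level row.
SEVERITY_LEVELS = {1: "informational", 2: "low", 3: "medium", 4: "high", 5: "critical"}
SEVERITY_NAMES = {name: level for level, name in SEVERITY_LEVELS.items()}

# Constructed vendor vocabulary (assumption, not a real product's): a source's own
# severity words are mapped onto the 1-5 scale rather than copied into event_severity.
VENDOR_SEVERITY = {"info": 1, "notice": 2, "warn": 3, "error": 4, "fatal": 5}


def normalize_event_code(raw):
    """event_code is a long: accept only digit strings or ints and drop leading zeros.
    Returns None for non-numeric vendor identifiers; those belong in event_id instead."""
    if raw is None:
        return None
    text = str(raw).strip()
    return int(text) if text.isdigit() else None


def parse_timestamp(value):
    """Accept the two shapes shown in the example values: ISO-8601 text
    ("2020-02-20 08:23:15.102", "2021-03-26T11:25:13.113") or Unix epoch seconds.
    Naive timestamps are assumed to be UTC (an assumption of this example)."""
    if isinstance(value, (int, float)) or (isinstance(value, str) and value.strip().isdigit()):
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    parsed = datetime.fromisoformat(str(value).strip())
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def fill_severity(event):
    """Mirror the behaviour the table describes: derive whichever of
    event_severity / event_severity_level is absent from the one that is present."""
    level = event.get("event_severity_level")
    name = event.get("event_severity")
    if level is not None and name is None:
        event["event_severity"] = SEVERITY_LEVELS[int(level)]
    elif name is not None and level is None:
        event["event_severity_level"] = SEVERITY_NAMES[str(name).lower()]
    return event


def normalize(raw):
    """Map a constructed vendor record onto Illuminate event_* fields."""
    event = {
        "event_action": raw.get("action"),
        "event_outcome": raw.get("outcome"),
        "event_source": raw.get("host"),
    }
    code = normalize_event_code(raw.get("code"))
    if code is not None:
        event["event_code"] = code
    if raw.get("msg_id") is not None:
        # keyword field: kept verbatim, leading zeros and letters included
        event["event_id"] = str(raw["msg_id"])
    for src, dst in (("start", "event_start"), ("end", "event_end"),
                     ("received", "event_received_time")):
        if raw.get(src) is not None:
            event[dst] = parse_timestamp(raw[src])
    if "event_start" in event and "event_end" in event:
        # event_duration is a long in seconds, so sub-second precision is dropped
        delta = event["event_end"] - event["event_start"]
        event["event_duration"] = int(delta.total_seconds())
    vendor_level = VENDOR_SEVERITY.get(str(raw.get("severity", "")).lower())
    if vendor_level is not None:
        event["event_severity_level"] = vendor_level
    return fill_severity(event)


# Constructed sample record (not a real vendor log line).
SAMPLE_RECORD = {
    "action": "blocked",
    "code": "0004624",
    "msg_id": "90EF8",
    "start": "2020-02-20 08:00:00",
    "end": "2020-02-20 08:23:15.102",
    "received": 1602080607,
    "severity": "warn",
    "outcome": "success",
    "host": "LAPTOP01",
}

if __name__ == "__main__":
    for key, value in sorted(normalize(SAMPLE_RECORD).items()):
        print(f"{key}: {value}")
```

Two design choices are worth noting. A vendor identifier that is not purely numeric (such as 90EF8) is never coerced into event_code; it is left to event_id so that ranged queries on event_code stay meaningful. And an unrecognized vendor severity word leaves both severity fields unset rather than guessing, so a mapping gap shows up as a missing field instead of a silently wrong one.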