Graylog Message Categories

The table below shows how Graylog maps the gim_event_type_code set in a processing pipeline to a normalized category in our Illuminate Content. Normalized categories allow dashboards, searches and alert rules to use a common name across all device types that use this format. An example of what such a line looks like in the lookup tables is:

"100000","|authentication|","|logon|","logon"

The code 100000 is attached to the log in the processing pipeline and allows the lookup function to attach a category, subcategory and event type further down the processing chain.

The category in the above case is |authentication|, under which many types of events can fall: logon, logoff and session disconnect all fall under authentication for easy grouping on dashboards. A subcategory of |logon| is applied to this log as well, to signify that it happened during the logon process. There can be many events under logon, such as a logon success or a logon failure. Finally, the event type logon is added for further granularity of what this event was processed as.
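The lookup step described above, as an added example that is not part of this page or of the Illuminate content: it parses a constructed excerpt of the lookup CSV (rows taken from the table below, in the quoted row format shown above), splits the pipe-delimited category and subcategory fields into lists so that multi-category codes such as 900003 land in both |http| and |network|, and attaches the normalized fields to a message that already carries gim_event_type_code. The fallback of unknown codes to the code 0 "message" row is this example's assumption.

```python
import csv
import io

# Constructed excerpt of the lookup CSV, in the row format quoted on this page.
# Only a handful of rows from the full table are included.
LOOKUP_CSV = '''"gim_event_type_code","gim_event_category","gim_event_subcategory","gim_event_type"
"0","|message|","|message|","message"
"100000","|authentication|","|authentication.logon|","logon"
"102501","|authentication|","|authentication.logoff|","session disconnect"
"111005","|iam|","|iam.object modify|","administrative password reset"
"162500","|endpoint|","|endpoint.audit|","audit log cleared"
"900003","|http|network|","|http.request|network.network connection|","network http request"
'''


def split_pipes(field):
    """Turn '|http|network|' into ['http', 'network']: the pipes delimit values,
    so a field naming several categories yields several entries."""
    return [part for part in field.split("|") if part]


def load_lookup(csv_text):
    """Parse the lookup CSV into {code: (categories, subcategories, event_type)}."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        code = int(row["gim_event_type_code"])
        table[code] = (
            split_pipes(row["gim_event_category"]),
            split_pipes(row["gim_event_subcategory"]),
            row["gim_event_type"],
        )
    return table


def enrich(message, table):
    """Attach the normalized fields to a message that already carries
    gim_event_type_code (set earlier in the pipeline). Unknown or missing codes
    fall back to code 0, the generic 'message' row (assumption of this example)."""
    code = message.get("gim_event_type_code", 0)
    categories, subcategories, event_type = table.get(code, table[0])
    enriched = dict(message)
    enriched["gim_event_category"] = categories
    enriched["gim_event_subcategory"] = subcategories
    enriched["gim_event_type"] = event_type
    return enriched


LOOKUP = load_lookup(LOOKUP_CSV)

if __name__ == "__main__":
    # Constructed message: a Windows host whose audit log was cleared.
    print(enrich({"source": "dc01", "gim_event_type_code": 162500}, LOOKUP))
```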

Notes:

  • This document is a work in progress and fields will be added as content is developed. If you have a suggestion, please open a GitHub ticket here.
Graylog Message Categories
gim_event_type_code gim_event_category gim_event_subcategory gim_event_type
0 |message| |message| message
100000 |authentication| |authentication.logon| logon
100003 |authentication| |authentication.logon| logon with alternate credentials
100004 |authentication| |authentication.logon| session reconnect
100500 |authentication| |authentication.credential validation| credential validation
100501 |authentication| |authentication.credential validation| error
100502 |authentication| |authentication.credential validation| mfa
100503 |authentication| |authentication.credential validation| sms_send_message
100504 |authentication| |authentication.credential validation| voice_call
101000 |authentication| |authentication.access notice| special logon
101001 |authentication| |authentication.access notice| error
101500 |authentication| |authentication.access policy| access policy violation
101501 |authentication| |authentication.access policy| device policy violation
101502 |authentication| |authentication.access policy| account policy violation
102000 |authentication| |authentication.kerberos request| service ticket renewed
102001 |authentication| |authentication.kerberos request| service ticket requested
102002 |authentication| |authentication.kerberos request| tgt request
102003 |authentication| |authentication.kerberos request| error
102500 |authentication| |authentication.logoff| logoff
102501 |authentication| |authentication.logoff| session disconnect
109500 |authentication| |authentication.logon|authentication.credential validation| logon
109501 |authentication| |authentication.kerberos request|authentication.credential validation| tgt request
109999 |authentication| |authentication.default| authentication message
110000 |iam| |iam.object create| account created
110001 |iam| |iam.object create| error
110002 |iam| |iam.object create| group created
110500 |iam| |iam.object delete| account deleted
110501 |iam| |iam.object delete| group deleted
111000 |iam| |iam.object modify| account modified
111001 |iam| |iam.object modify| privileges assigned
111002 |iam| |iam.object modify| privileges removed
111003 |iam| |iam.object modify| account renamed
111004 |iam| |iam.object modify| password change
111005 |iam| |iam.object modify| administrative password reset
111006 |iam| |iam.object modify| error
111007 |iam| |iam.object modify| group member added
111008 |iam| |iam.object modify| group member removed
111009 |iam| |iam.object modify| group properties modified
111500 |iam| |iam.object disable| account locked
111501 |iam| |iam.object disable| account disabled
112000 |iam| |iam.object enable| account unlocked
112001 |iam| |iam.object enable| account enabled
112002 |iam| |iam.object enable| error
119500 |iam| |iam.information| group membership enumerated
119999 |iam| |iam.default| iam message
120000 |network| |network.network connection| network connection
120100 |network| |network.routing| network routing
120500 |network| |network.flow| flow record
129999 |network| |network.default| network message
130000 |messaging| |messaging.email| email sent
130500 |messaging| |messaging.email| email blocked
131000 |messaging| |messaging.email| email rejected
131500 |messaging| |messaging.email| email quarantined
132000 |messaging| |messaging.email| email deleted
139999 |messaging| |messaging.default| message
140000 |name resolution| |name resolution.dns request| dns query
140100 |name resolution| |name resolution.dns transaction| dns query and response
140200 |name resolution| |name resolution.dns answer| dns response
140300 |name resolution| |name resolution.error| dns error
140500 |name resolution| |name resolution.ddns update| ddns update
149999 |name resolution| |name resolution.default| dns message
150000 |database| |database.query| database query
150500 |database| |database.update| update rows
151000 |database| |database.add| insert rows
151001 |database| |database.add| add table
151002 |database| |database.add| create database
151500 |database| |database.delete| delete rows
151501 |database| |database.delete| drop table
151502 |database| |database.delete| drop database
159999 |database| |database.default| database message
160000 |endpoint| |endpoint.process| process started
160001 |endpoint| |endpoint.process| process stopped
160002 |endpoint| |endpoint.process| image loaded
160003 |endpoint| |endpoint.process| process accessed
160004 |endpoint| |endpoint.process| process altered
160005 |endpoint| |endpoint.process| remote thread created
160500 |endpoint| |endpoint.ports| port open
160501 |endpoint| |endpoint.ports| port closed
160502 |endpoint| |endpoint.ports| open ports
161000 |endpoint| |endpoint.filesystem| file created
161001 |endpoint| |endpoint.filesystem| file deleted
161002 |endpoint| |endpoint.filesystem| file modified
161003 |endpoint| |endpoint.filesystem| file timestamp modified
161004 |endpoint| |endpoint.filesystem| file stream created
161010 |endpoint| |endpoint.filesystem| raw access
161011 |endpoint| |endpoint.filesystem| file access
161500 |endpoint| |endpoint.service| service started
161501 |endpoint| |endpoint.service| service stopped
161502 |endpoint| |endpoint.service| configuration change
161503 |endpoint| |endpoint.service| service installed
161504 |endpoint| |endpoint.service| service removed
161505 |endpoint| |endpoint.service| service error
162000 |endpoint| |endpoint.configuration| registry key added
162001 |endpoint| |endpoint.configuration| registry key removed
162002 |endpoint| |endpoint.configuration| configuration file modified
162003 |endpoint| |endpoint.configuration| system configuration modified
162004 |endpoint| |endpoint.configuration| system time changed
162005 |endpoint| |endpoint.configuration| registry value set
162006 |endpoint| |endpoint.configuration| registry value added
162007 |endpoint| |endpoint.configuration| registry value removed
162008 |endpoint| |endpoint.configuration| registry object renamed
162020 |endpoint| |endpoint.configuration| driver loaded
162500 |endpoint| |endpoint.audit| audit log cleared
162501 |endpoint| |endpoint.audit| auditing stopped
162502 |endpoint| |endpoint.audit| audit error
162503 |endpoint| |endpoint.audit| audit policy changed
162600 |endpoint| |endpoint.pipe| pipe created
162601 |endpoint| |endpoint.pipe| pipe connected
162700 |endpoint| |endpoint.wmi| wmi filter
162701 |endpoint| |endpoint.wmi| wmi consumer
162702 |endpoint| |endpoint.wmi| wmi binding
162800 |endpoint| |endpoint.agent activity| agent activity
162900 |endpoint| |endpoint.agent update| agent update
163000 |endpoint| |endpoint.agent status| agent status
169800 |endpoint| |endpoint.performance| system health
169900 |endpoint| |endpoint.default| clipboard changed
169999 |endpoint| |endpoint.default| endpoint message
170000 |alert| |alert.network alert| ids alert
170001 |alert| |alert.network alert| network alert
170002 |alert| |alert.network alert| network dlp alert
171000 |alert| |alert.host alert| malware alert
171001 |alert| |alert.host alert| host dlp alert
171002 |alert| |alert.host alert| hips alert
171003 |alert| |alert.host alert| fim alert
179999 |alert| |alert.default| alert message
180000 |http| |http.default| http message
180100 |http| |http.request| http request
180200 |http| |http.communication| http communication
180300 |http| |http.proxied| http proxied communication
900000 |http|network| |http.default|network.default| network default http default
900001 |http|network| |http.default|network.network connection| network http default
900002 |http|network| |http.request|network.default| network default http request
900003 |http|network| |http.request|network.network connection| network http request
900004 |http|network| |http.communication|network.default| network default http communication
900005 |http|network| |http.communication|network.network connection| network http communication
900006 |http|network| |http.proxied|network.default| network default http proxied
900007 |http|network| |http.proxied|network.network connection| network http proxied