Event Fields

Event Fields
Field Name Example Values Field Type Notes
event_code 4624, 1 keyword Vendor-provided numeric event defined by the vendor representing the source message type, e.g. EventCode/Event ID for Microsoft
event_created 2020-02-20 08:00:00, 1602080607 date Date/time that the event was created
event_duration 10293874 long Length of time in seconds for the event being described
event_error_code 0xC00008 keyword Vendor-provided error code associated with the current message
event_error_description ERROR_ACCESS_DENIED, Not Found keyword Description of error associated with the current message
event_log_name security, auth.log keyword Reference to log - “Security” “auth.log”, etc.
event_observer_hostname   keyword/loweronly Hostname or FQDN of a system such as an IDS or IPS that generates an message (such as an alert) based on inspection of a thing, such as network traffic.
event_observer_ip, fe80:5cc3:11:4::2c ip IP address of the event observer
event_observer_uid   keyword Unique identifier (such as a serial number or asset ID) associated with the event observer
event_received_time 2020-02-20 08:00:00, 1602080607 date Date/time that the event was received by the reporting host. Normally applicable to logs relayed by a centralized log server.
event_repeat_count 5, 3, 9185 long Count of times a message has been repeated - provided by log creator/processor
event_reporter   keyword System that delivered the message to Graylog - a WEC server, syslog collector, etc.
event_source   keyword Source system that generated the event
event_source_api_version   keyword API version of source where logs are collected via API
event_source_product windows, linux, okta keyword System responsible for generating the event, e.g. “windows”, “okta”, etc.
event_start 2020-02-20 08:00:00, 1602080607 date Beginning time of an event described in a log message, usually associated with an event that has a duration.
event_uid 1123523564, 0122e2b3-9923-11ea-ab51-061b68b4ca16 keyword Unique identification associated with a single event/message (e.g, “record number” from Windows event logs, a Graylog message ID)
Derived and Enriched Fields (values will be derived or added from external sources)
Field Name Example Values Field Type Notes
event_action authenticate, change, alert, network keyword This field indicates what action the event is documenting, it can be an array of values where the event can be used to document multiple things (i.e., IDPS events can be both “alert” and “network”)
event_outcome success, failure keyword  
event_severity critical, high, medium, low, informational keyword  
event_severity_level 1-5 byte Numeric representation of the severity rating of the source message: 1 = Critical, 2 = High, 3 = Medium, 4 = Low, 5 = Informational