| Field | Example values | Type | Description |
|---|---|---|---|
| event_code | | keyword | Vendor-defined numeric code identifying the source message type, e.g. the EventCode / Event ID of a Microsoft Windows event |
| event_created | | date | |
| event_duration | 10293874 | long | Length of time, in seconds, of the event being described |
| event_error_code | 0xC00008 | keyword | Vendor-provided error code associated with the current message |
| event_error_description | ERROR_ACCESS_DENIED, Not Found | keyword | Description of the error associated with the current message |
| event_log_name | Security, auth.log | keyword | Name of the log the message came from, e.g. "Security", "auth.log" |
| event_observer_hostname | | keyword/loweronly | Hostname or FQDN of a system such as an IDS or IPS that generates a message (such as an alert) based on inspection of something else, such as network traffic |
| event_observer_ip | | ip | IP address of the event observer |
| event_observer_uid | | keyword | Unique identifier (such as a serial number) associated with the event observer |
| event_received_time | 2019-12-01T17:10:30Z, 1530014105001 | date | Open note: date/time formats will need to be built into the template, or this field moved to vendor_event_received_time |
| event_repeat_count | 5, 3, 9185 | long | Count of times a message has been repeated, as provided by the log creator or processor |
| event_reporter | | keyword | System that delivered the message to Graylog: a WEC server, syslog collector, etc. |
| event_source | | keyword | Source system that generated the event |
| event_source_api_version | | keyword | API version of the source, where logs are collected via an API |
| event_source_product | windows, linux, okta | keyword | Product responsible for generating the event, e.g. "windows", "okta" |
| event_start | | date | |
| event_uid | 1123523564, 0122e2b3-9923-11ea-ab51-061b68b4ca16 | keyword | Unique identifier associated with a single event/message (e.g. the record number from a Windows event log, or a Graylog message ID) |
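To show how these field definitions are applied in practice, here is an added example, not part of the original page and not Graylog's own code, that maps constructed Windows Security, Linux auth.log and IDS-alert records onto the event_* fields above. It enforces the type column (keyword, keyword/loweronly, long, ip, date), accepts both timestamp forms listed for event_received_time (ISO 8601 and epoch milliseconds), and treats the IDS sensor as the observer rather than the source. The helper names (parse_event_time, to_gim, normalize_*), the sample records, and the assumption that a timestamp without a zone is UTC are this example's own.

```python
"""Map constructed log records onto the GIM event_* fields above.
Added example, not Graylog's own code: helper names and sample records are assumptions."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Type per field, from the table's type column.
FIELD_TYPES = {
    **dict.fromkeys(["event_code", "event_error_code", "event_error_description", "event_log_name",
                     "event_observer_uid", "event_reporter", "event_source", "event_source_product",
                     "event_uid"], "keyword"),
    "event_observer_hostname": "keyword/loweronly",
    "event_observer_ip": "ip",
    "event_duration": "long", "event_repeat_count": "long",
    "event_received_time": "date",
}
EPOCH_RE = re.compile(r"^\d{10}(\d{3})?$")

def parse_event_time(value):
    """Accept either form shown in the table, ISO 8601 ('2019-12-01T17:10:30Z') or epoch
    seconds/milliseconds ('1530014105001'), and return an aware UTC datetime."""
    s = str(value).strip()
    if EPOCH_RE.match(s):
        n = int(s)
        if len(s) == 13:  # milliseconds: integer split avoids float rounding
            return datetime.fromtimestamp(n // 1000, tz=timezone.utc) + timedelta(milliseconds=n % 1000)
        return datetime.fromtimestamp(n, tz=timezone.utc)
    if s.endswith("Z"):  # fromisoformat on Python < 3.11 rejects a bare 'Z'
        s = s[:-1] + "+00:00"
    dt = datetime.fromisoformat(s)
    if dt.tzinfo is None:  # assumption: naive timestamps are UTC, not local time
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)

COERCE = {
    "keyword": str,
    "keyword/loweronly": lambda v: str(v).lower(),  # so WS01 and ws01 aggregate as one host
    "long": int,
    "ip": lambda v: str(ipaddress.ip_address(v)),  # rejects malformed addresses
    "date": lambda v: parse_event_time(v).isoformat(),
}

def to_gim(fields):
    """Drop unset fields and coerce the rest to the table's types; bad values raise."""
    return {k: COERCE[FIELD_TYPES[k]](v) for k, v in fields.items() if v is not None}

# Constructed sample: a Windows Security event, delivered to Graylog by a WEC server.
WINDOWS_EVENT = {"EventID": 4625, "Channel": "Security", "RecordNumber": 1123523564,
                 "Computer": "WS01.corp.example", "Status": "0xC000006D"}

def normalize_windows_event(raw, received_time, reporter="wec01.corp.example"):
    return to_gim({
        "event_code": raw["EventID"],
        "event_log_name": raw["Channel"],
        "event_uid": raw["RecordNumber"],
        "event_source": raw["Computer"],
        "event_source_product": "windows",
        "event_reporter": reporter,
        "event_error_code": raw.get("Status"),
        "event_received_time": received_time,
        "event_repeat_count": 1,
    })

# Constructed sample: an rsyslog-compressed auth.log line ("message repeated N times").
AUTH_LOG_LINE = ("Dec  1 17:10:30 bastion01 sshd[2214]: message repeated 5 times: "
                 "[ Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2]")
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<prog>[\w./-]+)\[\d+\]: "
    r"(?:message repeated (?P<repeat>\d+) times: \[ (?P<msg>.*)\]|(?P<plain>.*))$"
)

def normalize_auth_log(line, received_time, reporter):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised syslog line")
    msg = m.group("msg") if m.group("msg") is not None else m.group("plain")
    return to_gim({
        "event_log_name": "auth.log",
        "event_source": m.group("host"),
        "event_source_product": "linux",
        "event_reporter": reporter,
        "event_repeat_count": m.group("repeat") or 1,  # default 1 when not compressed
        "event_error_description": "Failed password" if msg.startswith("Failed password") else None,
        "event_received_time": received_time,
    })

# Constructed sample: an IDS alert; the sensor is the observer, not the event source.
IDS_ALERT = {"sensor": "IDS-EDGE-01.corp.example", "sensor_ip": "192.0.2.10", "serial": "SN-4411"}

def normalize_ids_alert(raw, received_time):
    return to_gim({
        "event_observer_hostname": raw["sensor"],
        "event_observer_ip": raw["sensor_ip"],
        "event_observer_uid": raw["serial"],
        "event_received_time": received_time,
    })
```

Coercing at normalization time, rather than letting the index guess, is what keeps the type column meaningful: a malformed event_observer_ip or an unparseable event_received_time fails loudly here instead of landing as a string that later breaks range queries and aggregations.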