Event Fields

Event Fields

| Field Name | Example Values | Field Type | Notes |
|---|---|---|---|
| event_code | | keyword | Vendor-defined numeric event code representing the source message type, e.g. EventCode/Event ID for Microsoft |
| event_created | | date | |
| event_duration | 10293874 | long | Length of time in seconds for the event being described |
| event_error_code | 0xC00008 | keyword | Vendor-provided error code associated with the current message |
| event_error_description | ERROR_ACCESS_DENIED, Not Found | keyword | Description of the error associated with the current message |
| event_log_name | Security, auth.log | keyword | Reference to the log, e.g. “Security”, “auth.log”, etc. |
| event_observer_hostname | | keyword/loweronly | Hostname or FQDN of a system such as an IDS or IPS that generates a message (such as an alert) based on inspection of something else, such as network traffic |
| event_observer_ip | | ip | IP address of the event observer |
| event_observer_uid | | keyword | Unique identifier (such as a serial number) associated with the event observer |
| event_received_time | 2019-12-01T17:10:30Z, 1530014105001 | date | Will need to build date/time formats into the template or move this to vendor_event_received_time |
| event_repeat_count | 5, 3, 9185 | long | Count of times a message has been repeated, provided by the log creator/processor |
| event_reporter | | keyword | System that delivered the message to Graylog: a WEC server, syslog collector, etc. |
| event_source | | keyword | Source system that generated the event |
| event_source_api_version | | keyword | API version of the source where logs are collected via API |
| event_source_product | windows, linux, okta | keyword | System responsible for generating the event, e.g. “windows”, “okta”, etc. |
| event_start | | date | |
| event_uid | 1123523564, 0122e2b3-9923-11ea-ab51-061b68b4ca16 | keyword | Unique identification associated with a single event/message (e.g., “record number” from Windows event logs, a Graylog message ID) |
Derived and Enriched Fields (values will be derived or added from external sources)

| Field Name | Example Values | Field Type | Notes |
|---|---|---|---|
| event_action | authentication, change, alert, network | keyword | Indicates what action the event is documenting. It can be an array of values where one event documents multiple things (e.g., IDPS events can be both “alert” and “network”) |
| event_action_type | credential validation, logon, notice | keyword | A sub-type of the event_action field |
| event_outcome | success, failure | keyword | |
| event_severity | critical, high, medium, low, informational | keyword | |
| event_severity_level | 1-5 | byte | Numeric representation of the severity rating of the source message: 1 = Critical, 2 = High, 3 = Medium, 4 = Low, 5 = Informational |
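As an added example (not Graylog's own code or part of the schema itself), the following normalizer maps a constructed raw record onto the event_* fields above and enforces the declared field types: loweronly hostnames, a real IP for the ip type, both example forms of event_received_time, an array-valued event_action, and the 1-5 severity mapping. The raw key names (`code`, `observer`, `received`, etc.) are assumptions made for the example.

```python
# Added example, not Graylog's own code: normalize a constructed raw record
# into the event_* fields above and enforce the field types the tables declare
# (keyword/loweronly, ip, date, byte). Raw key names are assumptions.
import ipaddress
from datetime import datetime, timedelta, timezone

# Severity rating exactly as the event_severity_level row defines it.
SEVERITY_LEVEL = {"critical": 1, "high": 2, "medium": 3, "low": 4, "informational": 5}


def parse_event_time(value):
    """Accept either example form of event_received_time (ISO 8601 or epoch ms)."""
    text = str(value)
    if text.isdigit():  # epoch milliseconds; integer arithmetic keeps the ms exact
        ms = int(text)
        return datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)
    return datetime.fromisoformat(text.replace("Z", "+00:00")).astimezone(timezone.utc)


def normalize_event(raw):
    """Map a raw record onto the schema fields, validating each declared type."""
    severity = raw["severity"].lower()
    if severity not in SEVERITY_LEVEL:
        raise ValueError(f"unknown severity {raw['severity']!r}")
    # event_action may be an array when one event documents several things.
    actions = raw["actions"] if isinstance(raw["actions"], list) else [raw["actions"]]
    return {
        "event_code": str(raw["code"]),                        # keyword: keep vendor id as text
        "event_log_name": raw["log"],
        "event_observer_hostname": raw["observer"].lower(),    # keyword/loweronly
        "event_observer_ip": str(ipaddress.ip_address(raw["observer_ip"])),  # ip: rejects junk
        "event_received_time": parse_event_time(raw["received"]),  # date
        "event_source_product": raw["product"].lower(),
        "event_action": actions,
        "event_action_type": raw["action_type"],
        "event_outcome": raw["outcome"],
        "event_severity": severity,
        "event_severity_level": SEVERITY_LEVEL[severity],      # byte, 1..5
    }


# Constructed sample: an IDPS alert reported with an uppercase sensor name and
# an epoch-millisecond timestamp (all values are made up for this example).
SAMPLE = {
    "code": 2100498, "log": "ids.log", "observer": "SENSOR01.EXAMPLE.NET",
    "observer_ip": "10.0.0.7", "received": 1530014105001, "product": "example-idps",
    "actions": ["alert", "network"], "action_type": "notice",
    "outcome": "success", "severity": "High",
}
```

Calling `normalize_event(SAMPLE)` yields `event_severity_level` 2 and a two-element `event_action`; a malformed `observer_ip` or an unknown severity raises `ValueError` instead of landing in the index as a bad value.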