Event Fields

Event Fields
Field Name Example Values Field Type Notes
event_action blocked, allowed, scan_start, scan_end, scan_pause, scan_cancel, scan_resume keyword Action that was described in a log such as a firewall log or an antivirus agent log
event_code 4624, 1 long Numeric event defined by the vendor representing the source message type, e.g. EventCode/Event ID for Microsoft. This field is treated as a numeric value in order to support ranged queries. Any leading 0 values will be removed
event_created 2020-02-20 08:23:15.102, 1602080607 date Date/time that the event actually occured or when the original event message was created
event_duration 10293874 long Length of time, in seconds, for the event being described
event_end 2021-03-26T11:25:13.113 date Date/time that event described in the log message had concluded, usually associated with an event that has a duration.
event_error_code 0xC00008 keyword Vendor-provided error code associated with the current message
event_error_description ERROR_ACCESS_DENIED, Not Found keyword Description of error associated with the current message
event_id 0023425, 90EF8 keyword Vendor-provided identifier representing a message type. This is similar to event_code but is instead mapped as a lateral string value. Ranged searches are not supported but the ID values will not be modified in any way.
event_log_name security, auth.log keyword Reference to log, such as ‘Security’, ‘auth.log’, etc. - this differs from vendor_subtype as it refers more to the original source the log was collected from.
event_log_path /var/log/syslog keyword Full path of log file source
event_observer_hostname SERVER01.server01.corp.internal keyword/loweronly Hostname or FQDN of a system such as an IDS or IPS that generates an message (such as an alert) based on inspection of a thing, such as network traffic.
event_observer_id 234cd78sc keyword Unique ID of the Observer Device, Serial Number, etc
event_observer_ip, fe80:5cc3:11:4::2c ip IP address of the event observer
event_observer_uid   keyword Unique identifier (such as a serial number or asset ID) associated with the event observer
event_received_time 2020-02-20 08:00:00, 1602080607 date Date/time that the event was received by the reporting host. Normally applicable to logs relayed by a centralized log server.
event_repeat_count 5, 3, 9185 long Count of times a message has been repeated
event_reporter SERVER01.server01.corp.internal keyword Hostname or IP for system that delivered the message to Graylog - a WEC server, syslog collector, etc.
event_source LAPTOP01,laptop01.corp.internal keyword Hostname or IP of source system that generated the event
event_source_api_version   keyword API version of source where logs are collected via API
event_source_product windows, linux, okta keyword System responsible for generating the event, e.g. “windows”, “okta”, etc.
event_start 2020-02-20 08:00:00, 1602080607 date Beginning time of an event described in a log message, usually associated with an event that has a duration.
event_uid 1123523564, 0122e2b3-9923-11ea-ab51-061b68b4ca16 keyword Unique identification associated with a single event/message (e.g, “record number” from Windows event logs, a Graylog message ID)
Derived and Enriched Fields (values will be derived or added from external sources)
Field Name Example Values Field Type Notes
event_outcome success, failure keyword The outcome (success/failure) of the action described by event_action.
event_severity critical, high, medium, low, informational keyword This will be added by Illuminate Core if only the event_severity_level is defined. This can be mapped from vendor severity levels that do not use the same severity definitions.
event_severity_level 1-5 byte Numeric representation of the severity rating of the source message: 1 = informational, 2 = low, 3 = medium, 4 = high, 5 = critical. This will be added by Illuminate core when only event_severity is defined.