| event_action |
blocked, allowed, scan_start, scan_end, scan_pause, scan_cancel, scan_resume |
keyword |
Action that was described in a log such as a firewall log or an antivirus agent log |
| event_code |
4624, 1 |
long |
Numeric event defined by the vendor representing the source message type, e.g. EventCode/Event ID for Microsoft. This field is treated as a numeric value in order to support ranged queries. Any leading 0 values will be removed |
| event_created |
2020-02-20 08:23:15.102, 1602080607 |
date |
Date/time that the event actually occured or when the original event message was created |
| event_duration |
10293874 |
long |
Length of time, in seconds, for the event being described |
| event_end |
2021-03-26T11:25:13.113 |
date |
Date/time that event described in the log message had concluded, usually associated with an event that has a duration. |
| event_error_code |
0xC00008 |
keyword |
Vendor-provided error code associated with the current message |
| event_error_description |
ERROR_ACCESS_DENIED, Not Found |
keyword |
Description of error associated with the current message |
| event_id |
0023425, 90EF8 |
keyword |
Vendor-provided identifier representing a message type. This is similar to event_code but is instead mapped as a lateral string value. Ranged searches are not supported but the ID values will not be modified in any way. |
| event_log_name |
security, auth.log |
keyword |
Reference to log, such as ‘Security’, ‘auth.log’, etc. - this differs from vendor_subtype as it refers more to the original source the log was collected from. |
| event_log_path |
/var/log/syslog |
keyword |
Full path of log file source |
| event_observer_hostname |
SERVER01.server01.corp.internal |
keyword/loweronly |
Hostname or FQDN of a system such as an IDS or IPS that generates an message (such as an alert) based on inspection of a thing, such as network traffic. |
| event_observer_id |
234cd78sc |
keyword |
Unique ID of the Observer Device, Serial Number, etc |
| event_observer_ip |
10.1.2.3, fe80:5cc3:11:4::2c |
ip |
IP address of the event observer |
| event_observer_uid |
|
keyword |
Unique identifier (such as a serial number or asset ID) associated with the event observer |
| event_received_time |
2020-02-20 08:00:00, 1602080607 |
date |
Date/time that the event was received by the reporting host. Normally applicable to logs relayed by a centralized log server. |
| event_repeat_count |
5, 3, 9185 |
long |
Count of times a message has been repeated |
| event_reporter |
SERVER01.server01.corp.internal |
keyword |
Hostname or IP for system that delivered the message to Graylog - a WEC server, syslog collector, etc. |
| event_source |
LAPTOP01,laptop01.corp.internal |
keyword |
Hostname or IP of source system that generated the event |
| event_source_api_version |
|
keyword |
API version of source where logs are collected via API |
| event_source_product |
windows, linux, okta |
keyword |
System responsible for generating the event, e.g. “windows”, “okta”, etc. |
| event_start |
2020-02-20 08:00:00, 1602080607 |
date |
Beginning time of an event described in a log message, usually associated with an event that has a duration. |
| event_uid |
1123523564, 0122e2b3-9923-11ea-ab51-061b68b4ca16 |
keyword |
Unique identification associated with a single event/message (e.g, “record number” from Windows event logs, a Graylog message ID) |