This document attempts to capture a common field dictionary for use in structured logs.
By adhering to this dictionary, logs generated by district parties are able to interoperate cleanly.
Please send Pull Requests with your own updates! This is a community resource!
The initial list was taken from the Lumberjack project. It represents a common and already in use list of fields.
- String: A freeform string, no formatting assumed
- Object: A separate set of key/value pairs
- Integer: An integer value. These maybe represented as JSON numbers or JSON strings.
- IPv4: An IPv4 address formatted as a string in typical dotted quad syntax.
- IPv6: An IPv6 address formatted as a string in typical colon syntax.
- DateTime: A date and time formatted as a string in ISO 8601 syntax.
| Object | Name | Type | Description |
|---|---|---|---|
| action | STRING | Primary event action or operation | |
| app | OBJECT | Application | |
| appname | STRING | Name of the application that generated the event | |
| auid | STRING | Source User login authentication ID (login id) | |
| cmd | STRING | Command | |
| domain | STRING | Source user domain (NT Domain) | |
| dst | OBJECT | Network destination | |
| egid | STRING | Source user group effective ID (egid) | |
| eid | STRING | Source user effective ID (euid) | |
| file | OBJECT | File information | |
| host | STRING | Hostname of the event source | |
| ipv4 | IPV4 | IPv4 address of the event source | |
| ipv6 | IPV6 | IPv6 address of the event source | |
| message | STRING | The event message | |
| msgid | STRING | The event message identifier | |
| pid | STRING | Process ID that generated the event | |
| pname | STRING | Process name that generated the event | |
| pri | STRING | Event priority ("ERROR" | |
| proc | OBJECT | Process | |
| profile | STRING | CEE Profile URI that describes the custom event | |
| profilever | STRING | CEE Profile version | |
| sev | NUMBER | Event severity | |
| src | OBJECT | Network source | |
| status | STRING | Event status ("SUCCESS" | |
| subsys | STRING | Application subsystem responsible for generating the event | |
| syslog | OBJECT | Syslog compatibility | |
| tid | NUMBER | Numeric thread ID associated with the process generating the event | |
| time | DATETIME | Event Start Time | |
| uid | STRING | Source user account ID (uid) | |
| user | OBJECT | User account | |
| username | STRING | Source user name | |
| vend | STRING | Vendor of the event source application | |
| ver | STRING | Application version of the event source application | |
| app | name | STRING | Application name |
| app | vend | STRING | Application vendor |
| app | ver | STRING | Application version |
| dst | host | STRING | Network destination hostname |
| dst | ipv4 | IPV4 | Network destination IPv4 address |
| dst | ipv6 | IPV6 | Network destination IPv6 address |
| dst | port | NUMBER | Network destination port |
| file | hashmd5 | STRING | File MD5 Hashsum |
| file | line | NUMBER | File line number |
| file | mode | STRING | File mode flags |
| file | name | STRING | File name |
| file | path | STRING | File system path |
| file | perm | STRING | File permissions |
| file | size | NUMBER | File size in octets |
| proc | id | STRING | Process ID (pid) |
| proc | name | STRING | Process name |
| proc | tid | NUMBER | Thread identifier of the process |
| src | host | STRING | Network source hostname |
| src | ipv4 | IPV4 | Network source IPv4 address |
| src | ipv6 | IPV6 | Network source IPv6 address |
| src | port | NUMBER | Network source port |
| syslog | fac | NUMBER | Syslog facility value |
| syslog | pri | NUMBER | Syslog priority value |
| syslog | tag | STRING | Syslog Tag value |
| syslog | ver | NUMBER | Syslog Protocol version (0=legacy/RFC3164; 1=RFC5424) |
| user | domain | STRING | User account domain (NT Domain) |
| user | gid | STRING | Group ID (gid) |
| user | group | STRING | Group name |
| user | id | STRING | User account ID (uid) |
| user | name | STRING | User account name |