Last modified 19 months ago Last modified on 10/08/12 17:41:46

Field Names

Field names must consist only of alphanumeric characters and are treated as case-insensitive

Unified Field List

This list is a condensed merger of the nxlog, auditd, and libumberlog field lists

Field names may be represented in either inline or structured format.

  • Inline field names are represented as structures, with the field object and name attributes separated by a !. For example: {"user!name":"bob"}
  • Structured field names are represented using hierarchical structuring. For example: {"user":{"name":"bob"}}

General Fields

Object Name Type Description
actionSTRINGPrimary event action or operation
appnameSTRINGName of the application that generated the event
auidSTRINGSource User login authentication ID (login id)
domainSTRINGSource user domain (NT Domain)
dstOBJECTNetwork destination
egidSTRINGSource user group effective ID (egid)
eidSTRINGSource user effective ID (euid)
fileOBJECTFile information
hostSTRINGHostname of the event source
ipv4IPV4IPv4 address of the event source
ipv6IPV6IPv6 address of the event source
msgSTRINGThe event message
msgidSTRINGThe event message identifier
nativeOBJECTFields and data specific to the source application
pidSTRINGProcess ID that generated the event
pnameSTRINGProcess name that generated the event
priSTRINGEvent priority ("ERROR"|"WARN"|"DEBUG"|"CRIT")
profileSTRINGCEE Profile URI that describes the custom event
profileverSTRINGCEE Profile version
sevNUMBEREvent severity
srcOBJECTNetwork source
statusSTRINGEvent status ("SUCCESS"|"FAIL"|"ERROR")
subsysSTRINGApplication subsystem responsible for generating the event
syslogOBJECTSyslog compatibility
tidNUMBERNumeric thread ID associated with the process generating the event
timeDATETIMEEvent Start Time
uidSTRINGSource user account ID (uid)
userOBJECTUser account
usernameSTRINGSource user name
vendSTRINGVendor of the event source application
verSTRINGApplication version of the event source application
appnameSTRINGApplication name
appvendSTRINGApplication vendor
appverSTRINGApplication version
dsthostSTRINGNetwork destination hostname
dstipv4IPV4Network destination IPv4 address
dstipv6IPV6Network destination IPv6 address
dstportNUMBERNetwork destination port
filehashmd5STRINGFile MD5 Hashsum
filelineNUMBERFile line number
filemodeSTRINGFile mode flags
filenameSTRINGFile name
filepathSTRINGFile system path
filepermSTRINGFile permissions
filesizeNUMBERFile size in octets
native**Native event fields
procidSTRINGProcess ID (pid)
procnameSTRINGProcess name
proctidNUMBERThread identifier of the process
srchostSTRINGNetwork source hostname
srcipv4IPV4Network source IPv4 address
srcipv6IPV6Network source IPv6 address
srcportNUMBERNetwork source port
syslogfacNUMBERSyslog facility value
syslogpriNUMBERSyslog priority value
syslogtagSTRINGSyslog Tag value
syslogverNUMBERSyslog Protocol version (0=legacy/RFC3164; 1=RFC5424)
userdomainSTRINGUser account domain (NT Domain)
usergidSTRINGGroup ID (gid)
usergroupSTRINGGroup name
useridSTRINGUser account ID (uid)
usernameSTRINGUser account name

Other Lists (NOT the LumberJack field specification)

nxlog modified CEE dictionary

Field name Type Description
AccountAuditIDINTEGERThe unique identifier corresponding to the account performing the event
AccountEffectiveGroupName?STRINGThe name of the primary group associated with the effective user
AccountEffectiveIDINTEGERThe effective user ID (UID)
AccountEffectiveName?STRINGThe effective user name
AccountGroupIDINTEGERThe ID of the group(s) to which the user belongs
AccountGroupName?STRINGThe group(s) to which the user account belongs
AccountIDINTEGERThe unique identifier assigned to the user account, often called the user id (uid)
AccountName?STRINGThe name associated with the user account
AccountRole?STRINGThe role assigned to the user's account. Used for role-based access control (RBAC) and in systems such as Security Enhanced (SE) Linux
AccountType?STRINGThe type of the account
ActivityIDSTRINGThe ActivityID as stored in EvtSystemActivityID.
AndroidSeverity?STRINGThe severity (called priority in android) which can take these values: DEFAULT VERBOSE DEBUG INFO WARN WRROR FATAL SILENT UNKNOWN
AndroidSeverityValue?INTEGERThe severity (called priority in android) number from 1-8.
ApplicationOldVersion?STRINGThe old version of the application, for use when an application is being updated or downgraded, and has a change in version numbers. Instances of {app_oldver} must always appear with {app_ver}, specifying the new version information
ApplicationVendor?STRINGThe application vendor
ApplicationVersion?STRINGThe current version of the application. When recording a change in application version, the {app_ver} field should be accompanied by an {app_oldver} field to specify the version being updated
CategorySTRINGCategory name of the event
CategoryNumber?INTEGERThe category number, stored as Category in the EventRecord?.
ChannelSTRINGThe Channel (e.g. Security, Application) of the event source.
ConfigName?STRINGThe name of a configuration parameter
ConnectionStatus?STRINGThe status of the network connection
CountINTEGERThe number of times similar events were observed
CountryCode?STRINGThe ISO 3166-1 Alpha-2 country code of the country
CountryName?STRINGThe name of the country
CurrentWorkingDirectory?STRINGThe path of the current working directory (such as that given by the "pwd" command in Linux)
DestinationBytesReceived?INTEGERThe number of 8-bit bytes (octets) received by the destination system
DestinationBytesSent?INTEGERThe number of 8-bit bytes (octets) sent by the destination system
DestinationCountryCode?STRINGThe ISO 3166-1 Alpha-2 country code of the country where the destination system resides
DestinationCountryName?STRINGThe name of the country where the destination system is physically located
DestinationIPAddressSTRINGThe IP address of the destination system. It is prefered that systems use the {dst_ipv4} or {dst_ipv6} fields when possible.
DestinationInterface?STRINGThe name of the interface on the destination system used
DestinationLocation?STRINGA description of the physical location of the destination system
DestinationMACAddressSTRINGThe MAC address of the destination system
EmailFrom?STRINGThe sender's (From:) electronic (e-mail) addresses, as defined within RFC 822
EmailSubject?STRINGThe "subject" field of an e-mail (RFC 822) message
EmailTo?STRINGThe receiver's (To:) electronic (e-mail) addresses, as defined within RFC 822
ErrorCode?INTEGERIf an error is logged resulting from an OS error, this field contains the error number provided by the Apache portable runtime library.
EventCode?INTEGERThe event code (EventCode?).
EventDuration?INTEGERAn ISO8601 compliant string indicating the duration of the event
EventEndTime?DATETIMEAn ISO8601 compliant timestamp designating the date, time, and timezone offset when the event finished
EventIDINTEGERA unique identifier that corresponds to the event type, as provided by the log source. Examples of message/event identifiers are the Microsoft Windows Event ID, the Cisco PIX ID (e.g., %PIX-2-106001), or the Sourcefire Snort snortid.
EventReceivedTime?DATETIMEA timestamp reflecting when the event record was received by an upstream device
EventTime?DATETIMEAn ISO8601 compliant timestamp designating the date, time, and timezone offset when the event began
EventTimeWritten?DATETIMEWill be set to the TimeWritten? field of the EventRecord?.
EventType?STRINGType of the event, in windows event log this is similar to severity
FacilitySTRINGFacility name of the event, e.g. in syslog messages
FileAccessTime?DATETIMEThe time the file was last accessed. On Unix systems, this information can be found by calling stat() on a file inode
FileCreateTime?DATETIMEThe creation time of a file
FileInodeIDINTEGERThe identifier for the file's inode
FileModificationTime?DATETIMEThe last modified time of a file. On Unix systems, this information can be found by calling stat() on the file's inode
FileName?STRINGThe name of the file
FileOldPermissions?STRINGIn cases where the event is recording a change in file permissions, this field denotes the permission state before the change occurred. The "FilePermissions?" Field should always be present when the "FileOldPermissions?" Field is used, identifying the current value of the file permissions state
FileOwner?STRINGThe name of the account that owns the file
FilePath?STRINGThe path to the file that is the object of the event, without the file name.
FilePermissions?STRINGThe permissions assigned to the file by the operating system or file system
FileSize?INTEGERThe size of the file in octets (8-bit bytes)
FileURISTRINGThe full path and file name of the file that is the object of the event
FirewallRuleIDSTRINGThe identifier for a specific firewall rule
HTTP1stLineSTRINGThe contents of the first line of the HTTP request
HTTPClientSTRINGThe name of the client (e.g., web browser) being used, example "Mozilla Firefox"
HTTPContentTypeSTRINGThe HTTP connection type
HTTPKeepaliveCountINTEGERThe number of TCP KeepAlive? requests processed for this connection
HTTPMethodSTRINGThe request method used by HTTP
HTTPQuerySTRINGThe contents of the query string
HTTPRefererSTRINGThe contents of the HTTP Referrer field
HTTPResponseStatusSTRINGThe HTTP status
HTTPURLSTRINGThe URL address that the web client is trying to access. Typically, this will be an "http" or "https" URI, but may be a "file", "svn", or other protocol URI identifier
HashAlgorithm?STRINGThe name of the hash algorithm used to create the value of the hash_value field.
HashValue?STRINGThe value calculated by the hash algorithm.
InodeAccountIDSTRINGThe identifier of the user account who is the owner of the inode
InodeDeviceIDSTRINGThe identifier of the device that contains the inode
InodeLinks?INTEGERThe number of hard links currently pointing to the inode
InterfaceSTRINGThe named network interface
KeywordsINTEGERThe value of the Keywords field from EvtSystemKeywords?.
LocationSTRINGA description of the physical location related to the event
MalwareName?STRINGName of the virus, trojan etc found by scanner software.
MessageSTRINGA free-text description of the record, intended for human consumption.
MessageIDSTRINGThe MSGID part of the syslog message, filled after parse_syslog_ietf() is called.
MessageSourceAddress?STRINGThe IP address of the sender where the event was received from.
NetworkApplicationProtocol?STRINGThe protocol(s) used on the application layer (OSI Layer 7) of the network stack
NetworkPresentationProtocol?STRINGThe protocol used on the presentation layer (OSI Layer 6) of the network stack
NetworkSessionProtocol?STRINGThe protocol used on the session layer (OSI Layer 5) of the network stack
NetworkTransportProtocol?STRINGThe protocol used on the transport layer (OSI Layer 4) of the network stack
OpcodeSTRINGThe opcode string resolved from OpcodeValue?.
OpcodeValue?INTEGERThe Opcode number of the event as in EvtSystemOpcode?.
PatternIDINTEGERSet to the id number of the pattern which matched the message.
PatternName?STRINGSet to the name of the pattern which matched the message.
PriorityINTEGERThe event priority
ProcessIDSTRINGThe process id in the syslog line, filled after parse_syslog_bsd() or parse_syslog_ietf() is called.
ProcessName?STRINGThe name of a process
ProviderGuid?STRINGThe GUI of the event's provider as stored in EvtSystemProviderGuid?. This corresponds to the name of the provider stored in the SourceName? field.
ReasonSTRINGThe reason message which contains details about an outcome or status
RecordIDINTEGERA unique identifier that corresponds to an individual record instance
RecordNumber?INTEGERThe number of the event record.
RegistryHive?STRINGThe registry hive
RegistryKey?STRINGThe registry key
RegistryName?STRINGThe name of the registry entry. The value associated with this name should be recorded in the {reg_val} field
RegistryValue?STRINGThe value of the registry key specified in the {reg_name} field
RegistryValueType?STRINGThe type of registry value
RelatedActivityIDSTRINGThe RelatedActivityID as stored in EvtSystemRelatedActivityID.
SNMP.MessageSourceAddress?STRINGContains the IP address of the sender as provided in the trap message. Note that there is a MessageSourceAddress? set by the im_udp module.
SNMP.TrapCodeGeneric?INTEGERIndicates one of a number of generic trap types.
SNMP.TrapCodeSpecific?INTEGERA code value indicating an implementation-specific trap type.
SNMP.TrapName?STRINGThe resolved name of the object identifier in SNMP.TrapOID. The field will be unset if the OID cannot be resolved.
SNMP.TrapNameGeneric?STRINGThe textual representation of SNMP.TrapCodeGeneric?, i.e. coldStart(0), warmStart(1), linkDown(2), linkUp(3), authenticationFailure(4), egpNeighborLoss(5), enterpriseSpecific(6)
SNMP.TrapOIDSTRINGThe object identifier of the TRAP message.
SeveritySTRINGAn indication of how severe the impact of the event may be
SeverityValue?INTEGERAn indication of how severe the impact of the event may be
SourceBytesReceived?INTEGERThe number of octets (8-bit bytes) the network source received
SourceBytesSent?INTEGERThe number of octets (8-bit bytes) the network source sent
SourceDomain?STRINGThe (network) DNS domain address of the system
SourceIPv4AddressIP4ADDRThe IPv4 address of the network communication source
SourceIPv6AddressIP6ADDRThe IPv6 address of the network communication source
SourceInterface?STRINGThe named network interface
SourceMACAddressSTRINGThe MAC (MAC-48) address of the system interface
SourceNTDomainSTRINGThe (network) Microsoft Windows NT domain address of the system
SourcePort?INTEGERThe network port used to send or transmit data
SyslogFacility?STRINGThe facility part of the syslog line, filled after parse_syslog_bsd() or parse_syslog_ietf() is called. The default facility is "user".
SyslogFacilityValue?INTEGERThe facility part of the syslog line, filled after parse_syslog_bsd() or parse_syslog_ietf() is called. The default facility is 1 (="user").
SyslogSeverity?STRINGThe severity part of the syslog line, filled after parse_syslog_bsd() or parse_syslog_ietf() is called. The default severity is "notice".
SyslogSeverityValue?INTEGERThe severity part of the syslog line, filled after parse_syslog_bsd() or parse_syslog_ietf() is called. The default severity is 5 (="notice").
TSAResponseBINARYContains the response for the Time-Stamp request from the server. This does not include the certificate.
TaskINTEGERThe task number as in EvtSystemTask?.
TaxonomyAction?STRINGThe type of the action
TaxonomyAttack?STRINGThe type of the attack
TaxonomyObject?STRINGThe type of the object
TaxonomyProducer?STRINGThe producer or source of the event
TaxonomyStatus?STRINGThe status or outcome of the event
ThreadIDINTEGERThe thread identifier of the event producer as in EvtSystemThreadID.
UserIDSTRINGThe SID which resolves to AccountName?, stored in EvtSystemUserID.
VersionINTEGERThe Version number of the event as in EvtSystemVersion?.
VulnerabilityCVESTRINGThe CVE identifier(s) corresponding to the vulnerability
VulnerabilityName?STRINGThe name of the vulnerability
WIFIChannelINTEGERThe 802.11 channel number used for wireless communications
WIFIEncryptionSTRINGThe type of encryption used to protect the transmitted data
raw_eventSTRINGWill be set to a string containing the timestamp, loglevel, hostname, tag, pid and message.
sysUptimeINTEGERProvides the amount of time that has elapsed between the last network reinitialization and generation of the trap. This name is chosen in order to be in accordance with RFC 5424.


Find project at

Libumberlog optionally adds some metadata to existing syslog events. It also permits programmers to add arbitrary fields, which are for obvious reasons not described here. Note that appplication developers are strongly encouraged to use standard fields from this wiki page when emitting structured logs.

Field name Type Description
msgSTRINGThe traditional message part emitted via syslog() API
pidSTRINGprocess ID of the emitting process
facilitySTRINGassocitated syslog facility in textual form
prioritySTRINGassocitated syslog severity in textual form
programSTRINGprogram name of the emitting process
uidSTRINGuser id the emitting process is running under
gidSTRINGgroup id the emitting process is running under
hostSTRINGname of the emitting host
timestampSTRINGtime the log record was created, an (almost) RFC3339 timestamp

A sample from the libumberlog documentation:

Mar 24 12:01:34 localhost sshd[12590]: @cee:{

"msg": "Accepted publickey for algernon from port 55519 ssh2", "pid": "12590", "facility": "auth", "priority": "info", "program": "sshd", "uid": "0", "gid": "0", "host": "hadhodrond", "timestamp": "2012-03-24T12:01:34.236987887+0100" }


rsyslog has currently not defined a fixed dictionary for cee-enhanced syslog as the project tries to implement the consensus. A list of legacy properties is available at However, that list is not meant for cee-enhanced syslog "consumption", so it is purely for informational purposes.

Mapping Issues with nxlog(CEE)/umberlog

  • "message" (cee) vs. "msg" (umberlog)
  • are fields case sensitive? ("Facility" vs. "Facility")
  • multiple severity/facility fields