im_udp-fields.xml
im_udp
raw_event string FALSE The received string.
MessageSourceAddress string FALSE The IP address of the remote host.

im_internal-fields.xml
im_internal
raw_event string FALSE The string passed to the <<core_proc_log_info,log_info()>> or other log_* procedure.
Message string FALSE The same value as <<im_internal_field_raw_event,$raw_event>>.
SeverityValue integer FALSE Depending on the log level of the internal message, the value corresponding to "debug", "info", "warning", "error", or "critical".
Severity string TRUE TRUE The severity name of the event.
EventTime datetime TRUE The current time.
SourceName string TRUE Set to `nxlog`.
ProcessID integer FALSE The process ID of the {productName} process.
Hostname string TRUE TRUE The hostname where the log was produced.
ErrorCode integer TRUE The error number provided by the Apache portable runtime library, if an error is logged resulting from an operating system error.

im_mseventlog-fields.xml
im_mseventlog
raw_event string FALSE A string containing the timestamp, hostname, severity, and message from the event.
Message string FALSE FALSE The message from the event.
EventTime datetime TRUE The TimeGenerated field of the EventRecord.
EventTimeWritten datetime FALSE The TimeWritten field of the EventRecord.
Hostname string TRUE TRUE The host or computer name field of the EventRecord.
SourceName string TRUE The event source which produced the event (the subsystem or application name).
EventID integer TRUE The event ID of the EventRecord.
CategoryNumber integer TRUE The category number, stored as Category in the EventRecord.
Category string TRUE The category name resolved from CategoryNumber.
FileName string TRUE TRUE The logfile source of the event (for example, `Security` or `Application`).
AccountName string TRUE TRUE The username associated with the event.
AccountType string TRUE TRUE The type of the account. Possible values are: `User`, `Group`, `Domain`, `Alias`, `Well Known Group`, `Deleted Account`, `Invalid`, `Unknown`, and `Computer`.
Domain string TRUE TRUE The domain name of the user.
SeverityValue integer TRUE The normalized severity number of the event, mapped as follows.
[cols="2", options="header,autowidth"]
|===
|Event Log Severity |Normalized Severity
|0/Audit Success |2/INFO
|0/Audit Failure |4/ERROR
|1/Critical |5/CRITICAL
|2/Error |4/ERROR
|3/Warning |3/WARNING
|4/Information |2/INFO
|5/Verbose |1/DEBUG
|===
Severity string TRUE The normalized severity name of the event. See <<im_mseventlog_field_SeverityValue,$SeverityValue>>.
EventType string TRUE TRUE The type of the event, which is a string describing the severity. Possible values are: `ERROR`, `AUDIT_FAILURE`, `AUDIT_SUCCESS`, `INFO`, `WARNING`, and `UNKNOWN`.
RecordNumber integer FALSE The number of the event record.

core-fields.xml
core
raw_event string FALSE The data received from stream modules (im_file, im_tcp, etc.).
EventReceivedTime datetime TRUE The time when the event is received. The value is not modified if the field already exists.
SourceModuleName string TRUE TRUE The name of the module instance, for input modules. The value is not modified if the field already exists.
SourceModuleType string FALSE The type of module instance (such as `im_file`), for input modules. The value is not modified if the field already exists.

im_msvistalog-fields.xml
im_msvistalog
raw_event string FALSE A string containing the EventTime, Hostname, Severity, EventID, and Message from the event.
Message string FALSE FALSE The message from the event.
EventTime datetime TRUE The EvtSystemTimeCreated field.
Hostname string TRUE TRUE The EvtSystemComputer field.
SourceName string TRUE The event source which produced the event, from the EvtSystemProviderName field.
EventID integer TRUE The event ID (specific to the event source) from the EvtSystemEventID field.
Task integer FALSE The task number from the EvtSystemTask field.
Category string TRUE The category name resolved from Task.
Keywords integer FALSE The value of the Keywords field from EvtSystemKeywords.
Channel string TRUE TRUE The Channel of the event source (for example, `Security` or `Application`).
AccountName string TRUE TRUE The username associated with the event.
AccountType string TRUE TRUE The type of the account. Possible values are: `User`, `Group`, `Domain`, `Alias`, `Well Known Group`, `Deleted Account`, `Invalid`, `Unknown`, and `Computer`.
Domain string TRUE TRUE The domain name of the user.
UserID string FALSE TRUE The Security Identifier (SID) which resolves to <<im_msvistalog_field_AccountName,$AccountName>>, stored in EvtSystemUserID.
SeverityValue integer TRUE The normalized severity number of the event, mapped as follows.
[cols="2", options="header,autowidth"]
|===
|Event Log Severity |Normalized Severity
|0/Audit Success |2/INFO
|0/Audit Failure |4/ERROR
|1/Critical |5/CRITICAL
|2/Error |4/ERROR
|3/Warning |3/WARNING
|4/Information |2/INFO
|5/Verbose |1/DEBUG
|===
Severity string TRUE The normalized severity name of the event. See <<im_msvistalog_field_SeverityValue,$SeverityValue>>.
EventType string TRUE TRUE The type of the event, which is a string describing the severity. This is translated to its string representation from EvtSystemLevel. Possible values are: `CRITICAL`, `ERROR`, `AUDIT_FAILURE`, `AUDIT_SUCCESS`, `INFO`, `WARNING`, and `VERBOSE`.
ProviderGuid string FALSE TRUE The globally unique identifier of the event's provider as stored in EvtSystemProviderGuid. This corresponds to the name of the provider in the <<im_msvistalog_field_SourceName,$SourceName>> field.
Version integer FALSE The Version number of the event as in EvtSystemVersion.
OpcodeValue integer FALSE The Opcode number of the event as in EvtSystemOpcode.
Opcode string TRUE The Opcode string resolved from OpcodeValue.
ActivityID string FALSE TRUE A globally unique identifier for the current activity, as stored in EvtSystemActivityID.
RelatedActivityID string FALSE TRUE The RelatedActivityID as stored in EvtSystemRelatedActivityID.
ProcessID integer FALSE The process identifier of the event producer as in EvtSystemProcessID.
ThreadID integer FALSE The thread identifier of the event producer as in EvtSystemThreadID.
RecordNumber integer FALSE The number of the event record.

xm_syslog-fields.xml
xm_syslog
In addition to the fields listed below, the <<xm_syslog_proc_parse_syslog,parse_syslog()>> and <<xm_syslog_proc_parse_syslog_ietf,parse_syslog_ietf()>> procedures will create fields from the Structured Data part of an IETF Syslog message. If the SD-ID in this case is not "NXLOG", these fields will be prefixed by the SD-ID (for example, `$mySDID.CustomField`).
raw_event string FALSE A Syslog formatted string, set after <<xm_syslog_proc_to_syslog_bsd,to_syslog_bsd()>> or <<xm_syslog_proc_to_syslog_ietf,to_syslog_ietf()>> is called.
Message string FALSE The message part of the Syslog line, set after <<xm_syslog_proc_parse_syslog,parse_syslog()>>, <<xm_syslog_proc_parse_syslog_bsd,parse_syslog_bsd()>>, or <<xm_syslog_proc_parse_syslog_ietf,parse_syslog_ietf()>> is called.
SyslogSeverityValue integer FALSE The severity code of the Syslog line, set after <<xm_syslog_proc_parse_syslog,parse_syslog()>>, <<xm_syslog_proc_parse_syslog_bsd,parse_syslog_bsd()>>, or <<xm_syslog_proc_parse_syslog_ietf,parse_syslog_ietf()>> is called. The default severity is `5` (notice). See <<xm_syslog_field_SeverityValue,$SeverityValue>>.
SyslogSeverity string FALSE TRUE The severity name of the Syslog line, set after <<xm_syslog_proc_parse_syslog,parse_syslog()>>, <<xm_syslog_proc_parse_syslog_bsd,parse_syslog_bsd()>>, or <<xm_syslog_proc_parse_syslog_ietf,parse_syslog_ietf()>> is called. The default severity is `notice`. See <<xm_syslog_field_SeverityValue,$SeverityValue>>.
SeverityValue integer TRUE The normalized severity number of the event, mapped as follows.
[cols="2", options="header,autowidth"]
|===
|Syslog Severity |Normalized Severity
|0/emerg |5/critical
|1/alert |5/critical
|2/crit |5/critical
|3/err |4/error
|4/warning |3/warning
|5/notice |2/info
|6/info |2/info
|7/debug |1/debug
|===
Severity string TRUE TRUE The normalized severity name of the event. See <<xm_syslog_field_SeverityValue,$SeverityValue>>.
SyslogFacilityValue integer FALSE The facility code of the Syslog line, set after <<xm_syslog_proc_parse_syslog,parse_syslog()>>, <<xm_syslog_proc_parse_syslog_bsd,parse_syslog_bsd()>>, or <<xm_syslog_proc_parse_syslog_ietf,parse_syslog_ietf()>> is called. The default facility is `1` (user).
SyslogFacility string TRUE TRUE The facility name of the Syslog line, set after <<xm_syslog_proc_parse_syslog,parse_syslog()>>, <<xm_syslog_proc_parse_syslog_bsd,parse_syslog_bsd()>>, or <<xm_syslog_proc_parse_syslog_ietf,parse_syslog_ietf()>> is called. The default facility is `user`.
EventTime datetime TRUE The timestamp found in the Syslog message, set after <<xm_syslog_proc_parse_syslog,parse_syslog()>>, <<xm_syslog_proc_parse_syslog_bsd,parse_syslog_bsd()>>, or <<xm_syslog_proc_parse_syslog_ietf,parse_syslog_ietf()>> is called. If the year value is missing, it is set to the current year.
Hostname string TRUE TRUE The hostname part of the Syslog line, set after <<xm_syslog_proc_parse_syslog,parse_syslog()>>, <<xm_syslog_proc_parse_syslog_bsd,parse_syslog_bsd()>>, or <<xm_syslog_proc_parse_syslog_ietf,parse_syslog_ietf()>> is called.
SourceName string TRUE TRUE The application/program part of the Syslog line, set after <<xm_syslog_proc_parse_syslog,parse_syslog()>>, <<xm_syslog_proc_parse_syslog_bsd,parse_syslog_bsd()>>, or <<xm_syslog_proc_parse_syslog_ietf,parse_syslog_ietf()>> is called.
MessageID string FALSE TRUE The MSGID part of the syslog message, set after <<xm_syslog_proc_parse_syslog_ietf,parse_syslog_ietf()>> is called.
ProcessID string FALSE The process ID in the Syslog line, set after <<xm_syslog_proc_parse_syslog,parse_syslog()>>, <<xm_syslog_proc_parse_syslog_bsd,parse_syslog_bsd()>>, or <<xm_syslog_proc_parse_syslog_ietf,parse_syslog_ietf()>> is called.

im_mark-fields.xml
im_mark
raw_event string FALSE The value defined by the <<im_mark_config_mark,Mark>> directive, `-- MARK --` by default.
Message string FALSE The same value as <<im_mark_field_raw_event,$raw_event>>.
SeverityValue integer TRUE The INFO severity level value: `2`.
Severity string TRUE TRUE The severity name: `INFO`.
EventTime datetime TRUE The current time.
SourceName string TRUE Set to `nxlog`.
ProcessID integer TRUE The process ID of the {productName} process.

im_systemd-fields.xml
im_systemd
raw_event string FALSE A list of event fields in key-value pairs.
Message string FALSE A human-readable message string for the current entry. This is supposed to be the primary text shown to the user. This is usually not translated (but might be in some cases), and not supposed to be parsed for metadata.
MessageID string FALSE A 128-bit message identifier for recognizing certain message types, if this is desirable. This should contain a 128-bit identifier formatted as a lower-case hexadecimal string, without any separating dashes or suchlike. This is recommended to be a UUID-compatible ID, but this is not enforced, and formatted differently.
Severity string FALSE A priority value between 0 ("emerg") and 7 ("debug") formatted as a string. This field is compatible with syslog's priority concept.
SeverityValue integer FALSE A priority value between 0 ("emerg") and 7 ("debug") formatted as a decimal string. This field is compatible with syslog's priority concept.
CodeFile string FALSE Code location to generate this message, if known. Contains the source filename.
CodeLine integer FALSE Code location to generate this message, if known. Contains the line number.
CodeFunc string FALSE Code location to generate this message, if known. Contains the function name.
Errno integer FALSE Low-level Unix error number which caused the entry, if any. Contains the numeric value of 'errno' formatted as a decimal string.
Facility string FALSE Syslog compatibility fields containing the facility.
SourceName string FALSE Syslog compatibility field containing the identifier string (i.e. "tag").
ProcessID string FALSE Syslog compatibility field containing the client PID.
User string FALSE User ID of the process the journal entry originates from.
Group string FALSE Group ID of the process the journal entry originates from.
ProcessName string FALSE Name of the process the journal entry originates from.
ProcessExecutable string FALSE Executable path of the process the journal entry originates from.
ProcessCmdLine string FALSE Command line of the process the journal entry originates from.
Capabilities string FALSE Effective capabilities of the process the journal entry originates from.
AuditSession string FALSE Session of the process the journal entry originates from, as maintained by the kernel audit subsystem.
AuditUID string FALSE Login UID of the process the journal entry originates from, as maintained by the kernel audit subsystem.
SystemdCGroup string FALSE Control group path in the systemd hierarchy of the process the journal entry originates from.
SystemdSession string FALSE Systemd session ID (if any) of the process the journal entry originates from.
SystemdUnit string FALSE Systemd unit name (if any) of the process the journal entry originates from.
SystemdUserUnit string FALSE Systemd user session unit name (if any) of the process the journal entry originates from.
SystemdOwnerUID string FALSE Owner UID of the systemd session (if any) of the process the journal entry originates from.
SystemdSlice string FALSE Systemd slice unit of the process the journal entry originates from.
AuditUID string FALSE Login UID of the process the journal entry originates from, as maintained by the kernel audit subsystem.
SelinuxContext string FALSE SELinux security context (label) of the process the journal entry originates from.
EventTime datetime FALSE The earliest trusted timestamp of the message, if any is known that is different from the reception time of the journal.
BootID string FALSE Kernel boot ID for the boot the message was generated in, formatted as a 128-bit hexadecimal string.
MachineID string FALSE Machine ID of the originating host.
SysInvID string FALSE Invocation ID for the runtime cycle of the unit the message was generated in, as available to processes of the unit in $INVOCATION_ID.
Hostname string FALSE The name of the originating host.
Transport string FALSE Transport of the entry to the journal service. Available values are: audit, driver, syslog, journal, stdout, kernel.
KernelDevice string FALSE Device name of the kernel. If the entry is associated to a block device, the field contains the major and minor of the device node, separated by ":" and prefixed by "b". Similar for character devices but prefixed by "c". For network devices, this is the interface index prefixed by "n". For all other devices, this is the subsystem name prefixed by "+", followed by ":", followed by the kernel device name.
KernelSubsystem string FALSE Subsystem name of the kernel.
DevName string FALSE Device name of the kernel as it shows up in the device tree under the '/sys' directory.
DevNode string FALSE Node path of the device under the '/dev' directory.
DevLink string FALSE Additional symlink names pointing to the device node under the '/dev' directory.
CoredumpUnit string FALSE Annotation to the message in case it contains coredumps from system and session units.
CoredumpUserUnit string FALSE Annotation to the message in case it contains coredumps from system and session units.
ObjProcessID integer FALSE This field contains the same value as the 'ProcessID', except that the process identified by PID is described, instead of the process which logged the message.
ObjUser integer FALSE This field contains the same value as the 'User', except that the process identified by PID is described, instead of the process which logged the message.
ObjGroup integer FALSE This field contains the same value as the 'Group', except that the process identified by PID is described, instead of the process which logged the message.
ObjUser integer FALSE This field contains the same name as the 'User', except that the process identified by PID is described, instead of the process which logged the message.
ObjProcessName integer FALSE This field contains the same value as the 'ProcessName', except that the process identified by PID is described, instead of the process which logged the message.
ObjProcessExecutable integer FALSE This field contains the same value as the 'ProcessExecutable', except that the process identified by PID is described, instead of the process which logged the message.
ObjProcessCmdLine integer FALSE This field contains the same value as the 'ProcessCmdLine', except that the process identified by PID is described, instead of the process which logged the message.
ObjAuditSession integer FALSE This field contains the same value as the 'AuditSession', except that the process identified by PID is described, instead of the process which logged the message.
ObjAuditUID integer FALSE This field contains the same value as the 'AuditUID', except that the process identified by PID is described, instead of the process which logged the message.
ObjSystemdCGroup integer FALSE This field contains the same value as the 'SystemdCGroup', except that the process identified by PID is described, instead of the process which logged the message.
ObjSystemdSession integer FALSE This field contains the same value as the 'SystemdSession', except that the process identified by PID is described, instead of the process which logged the message.
ObjSystemdUnit integer FALSE This field contains the same value as the 'SystemdUnit', except that the process identified by PID is described, instead of the process which logged the message.
ObjSystemdOwnerUID integer FALSE This field contains the same value as the 'SystemdOwnerUID', except that the process identified by PID is described, instead of the process which logged the message.

pm_pattern-fields.xml
pm_pattern
PatternID integer FALSE The ID number of the pattern which matched the message.
PatternName string TRUE TRUE The name of the pattern which matched the message.

pm_norepeat-fields.xml
pm_norepeat
raw_event string FALSE A string containing the `last message repeated n times` message.
Message string FALSE The same value as <<pm_norepeat_field_raw_event,$raw_event>>.
SeverityValue integer TRUE The INFO severity level value: `2`.
Severity string TRUE TRUE The severity name: `INFO`.
EventTime datetime TRUE The time of the last event or the current time if EventTime was not present in the last event.
SourceName string TRUE Set to `nxlog`.
ProcessID integer TRUE The process ID of the {productName} process.

im_ssl-fields.xml
im_ssl
raw_event string FALSE The received string.
MessageSourceAddress string FALSE The IP address of the remote host.

im_tcp-fields.xml
im_tcp
raw_event string The received string.
MessageSourceAddress string The IP address of the remote host.