Some fields are relevant for only some message types, and will be null for others.
name
String containing a human-readable description of the event. The name should
not repeat information that is already carried in other fields. Used for CEF
messages (the CEF “Name” header field).
type
Type of message received (either “RFC5424”, “RFC3164”, “CEF”, or “UNKNOWN”).
message
The freeform message extracted from the full message; the “MSG” field of the Syslog spec.
host
Extracted host from the syslog message.
version
“VERSION” field of the Syslog spec.
level
Severity level (0–7) derived from the “PRIORITY” (PRI) value of the Syslog spec. PRI is facility × 8 + severity, so the level is PRI mod 8.
tag
“TAG” field of the Syslog spec (RFC 3164).
</gre_replace>
<gr_replace lines="19" cat="clarify" orig="“FACILITY” as determined">
“FACILITY” (0–23) derived from the “PRIORITY” (PRI) value of the Syslog spec: PRI divided by 8, discarding the remainder.
facility
“FACILITY” as determined by the “PRIORITY” of the Syslog spec.
severity
Severity of CEF messages (the CEF “Severity” header field). This is distinct from the syslog-derived level field.
appName
“APP-NAME” field of the Syslog spec.
remoteAddress
Remote address of the request received by the connector.
rawMessage
The full, unmodified, unparsed message as received by the connector.
processId
“PROCID” field of the Syslog spec.
messageId
“MSGID” field of the Syslog spec.
deviceVendor
Vendor identifier that is used to group products.
deviceProduct
Product identifier of the logging device. Together with deviceVendor and deviceVersion it identifies the sending product.
deviceVersion
The version of the logging device product.
deviceEventClassId
The device event class ID. This is a unique per event-type identifier. The
device event class ID identifies the type of event reported. In the intrusion
detection system (IDS) world, each signature or rule that detects certain
activity has a unique device event class ID assigned. This is a requirement
for other types of devices as well, and helps correlation engines process the
events. Also known as Signature ID.
extension
The CEF “Extension” field, parsed into key/value pairs.
- Type: map<string, string>
structuredData
“STRUCTURED-DATA” field of the Syslog spec.
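The following parser is an added example (not the connector's own code, which is not shown on this page) that produces a record with the field names listed above from the three message shapes the type field distinguishes, and leaves fields null when they do not apply. It shows the PRI → facility/level split, the CEF header split (with “\|” escapes), extension parsing (with “\=” escapes), and the out-of-range-PRI caveat. The sample lines are constructed, the regexes are simplified (structured-data escapes are not handled), and clearing message and tag when a CEF payload is found is this example's choice, not documented connector behaviour.

```python
import re
from dataclasses import dataclass, asdict
from typing import Dict, Optional


@dataclass
class SyslogRecord:
    # Same field names as the reference above; a field that does not
    # apply to the message type stays None.
    type: str
    rawMessage: str
    remoteAddress: Optional[str] = None
    name: Optional[str] = None
    message: Optional[str] = None
    host: Optional[str] = None
    version: Optional[int] = None
    level: Optional[int] = None
    facility: Optional[int] = None
    tag: Optional[str] = None
    severity: Optional[str] = None
    appName: Optional[str] = None
    processId: Optional[str] = None
    messageId: Optional[str] = None
    structuredData: Optional[str] = None
    deviceVendor: Optional[str] = None
    deviceProduct: Optional[str] = None
    deviceVersion: Optional[str] = None
    deviceEventClassId: Optional[str] = None
    extension: Optional[Dict[str, str]] = None


# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# (simplified: "\]" escapes inside SD-PARAM values are not handled)
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$", re.DOTALL)
# RFC 3164 (BSD): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$", re.DOTALL)


def split_pri(pri: int):
    """PRI = facility * 8 + severity (RFC 5424 section 6.2.1); valid range 0..191."""
    if not 0 <= pri <= 191:
        return None, None          # out of range: leave both derived fields null
    return pri // 8, pri % 8


def parse_cef_extension(ext: str) -> Dict[str, str]:
    # Split only on whitespace followed by "key="; "\=" inside a value is an
    # escaped equals sign and must not start a new pair.
    out: Dict[str, str] = {}
    for pair in re.split(r"(?<!\\)\s+(?=[A-Za-z0-9_]+=)", ext.strip()):
        if "=" in pair:
            key, value = pair.split("=", 1)
            out[key] = value.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_cef(cef: str) -> Dict[str, object]:
    """CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension"""
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)      # "\|" is an escaped pipe
    if len(parts) < 7 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    unescape = lambda s: s.replace("\\|", "|").replace("\\\\", "\\")
    vendor, product, dev_version, sig_id, name, severity = (unescape(p) for p in parts[1:7])
    return dict(deviceVendor=vendor, deviceProduct=product, deviceVersion=dev_version,
                deviceEventClassId=sig_id, name=name, severity=severity,
                extension=parse_cef_extension(parts[7]) if len(parts) == 8 else {})


def nil(s: Optional[str]) -> Optional[str]:
    return None if s == "-" else s     # "-" is the syslog NILVALUE


def parse(raw: str, remote_address: Optional[str] = None) -> SyslogRecord:
    rec = SyslogRecord(type="UNKNOWN", rawMessage=raw, remoteAddress=remote_address)
    m = RFC5424_RE.match(raw)
    if m:
        rec.type, rec.version, rec.host = "RFC5424", int(m["version"]), m["host"]
        rec.appName, rec.processId, rec.messageId = nil(m["app"]), nil(m["procid"]), nil(m["msgid"])
        rec.structuredData, rec.message = nil(m["sd"]), m["msg"]
        rec.facility, rec.level = split_pri(int(m["pri"]))
    else:
        m = RFC3164_RE.match(raw)
        if m:
            rec.type, rec.host, rec.tag = "RFC3164", m["host"], m["tag"]
            rec.processId, rec.message = m["pid"], m["msg"]
            rec.facility, rec.level = split_pri(int(m["pri"]))
    # A CEF payload may arrive bare or wrapped in a syslog header; either way
    # the CEF header fields are filled and the type becomes "CEF".
    at = raw.find("CEF:")
    if at >= 0:
        try:
            cef = parse_cef(raw[at:])
        except ValueError:
            return rec
        for key, value in cef.items():
            setattr(rec, key, value)
        rec.type = "CEF"
        rec.message = None      # example's choice: the body is carried in the CEF fields
        if rec.tag == "CEF":    # the 3164 TAG slot only held the literal "CEF:" prefix
            rec.tag = None
    return rec


if __name__ == "__main__":
    # Constructed sample, not captured from a real device.
    print(asdict(parse("<34>Oct 11 22:14:15 mymachine su: 'su root' failed", "192.0.2.7")))
```

The out-of-range check matters operationally: a malformed `<999>` header still matches the framing regex, and computing 999 // 8 would silently file the event under a facility that does not exist, so the derived fields are left null instead.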