Logger

logger

The Logger object represents the device and product where events are stored with times for receipt and transmission. This may be at the source device where the event occurred, a remote scanning device, intermediate hops, or the ultimate destination.

Attributes

| Caption | Name | Type | Is Array | Default | Description |
|---|---|---|---|---|---|
| Device | device | Device | | | The device where the events are logged. |
| Log Level | log_level | String | | | The audit level at which an event was generated. |
| Log Name | log_name | String | | | The event log name. For example, syslog file name or Windows logging subsystem: Security. |
| Log Provider | log_provider | String | | | The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. |
| Log Version | log_version | String | | | The event log schema version that specifies the format of the original event. For example, syslog version or Cisco Log Schema Version. |
| Logged Time | logged_time | Timestamp | | | The time when the logging system collected and logged the event. This attribute is distinct from the event time in that event time typically contains the time extracted from the original event. Most of the time, these two times will be different. |
| Name | name | String | | | The name of the logging product instance. |
| Product | product | Product | | | The product logging the event. This may be the event source product, a management server product, a scanning product, a SIEM, etc. |
| Raw Data | raw_data | JSON | | | The event data as received from the event source. |
| Record ID | record_id | String | | | Unique identifier for the object. |
| Transmission Time | transmit_time | Timestamp | | | The time when the event was transmitted from the logging device to its next destination. |
| Unique ID | uid | String | | | The unique identifier of the logging product instance. |
| Unmapped Data | unmapped | Unmapped | Yes | | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
| Version | version | String | | | The version of the logging product. |

JSON

            
{
  "caption": "Logger",
  "description": "The Logger object represents the device and product where events are stored with times for receipt and transmission.  This may be at the source device where the event occurred, a remote scanning device, intermediate hops, or the ultimate destination.",
  "name": "logger",
  "extends": "_entity",
  "attributes": {
    "device": {
      "description": "The device where the events are logged.",
      "requirement": "recommended",
      "caption": "Device",
      "type": "device"
    },
    "log_level": {
      "requirement": "optional",
      "caption": "Log Level",
      "description": "The audit level at which an event was generated.",
      "type": "string_t"
    },
    "log_name": {
      "requirement": "recommended",
      "caption": "Log Name",
      "description": "The event log name. For example, syslog file name or Windows logging subsystem: Security.",
      "type": "string_t"
    },
    "log_provider": {
      "requirement": "recommended",
      "caption": "Log Provider",
      "description": "The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.",
      "type": "string_t"
    },
    "log_version": {
      "requirement": "optional",
      "caption": "Log Version",
      "description": "The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.",
      "type": "string_t"
    },
    "logged_time": {
      "caption": "Logged Time",
      "description": "<p>The time when the logging system collected and logged the event.</p>This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different.",
      "type": "timestamp_t"
    },
    "name": {
      "description": "The name of the logging product instance.",
      "requirement": "recommended",
      "caption": "Name",
      "type": "string_t"
    },
    "product": {
      "description": "The product logging the event.  This may be the event source product, a management server product, a scanning product, a SIEM, etc.",
      "requirement": "recommended",
      "caption": "Product",
      "type": "product"
    },
    "transmit_time": {
      "description": "The time when the event was transmitted from the logging device to it's next destination.",
      "requirement": "optional",
      "caption": "Transmission Time",
      "type": "timestamp_t"
    },
    "uid": {
      "description": "The unique identifier of the logging product instance.",
      "requirement": "recommended",
      "caption": "Unique ID",
      "type": "string_t"
    },
    "version": {
      "description": "The version of the logging product.",
      "requirement": "optional",
      "caption": "Version",
      "type": "string_t"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    }
  },
  "constraints": {
    "at_least_one": [
      "name",
      "uid"
    ]
  }
}
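An added example, not part of the schema or the project's own tooling: a check a log pipeline could run on each `logger` object before indexing it, using the requirement levels and the `at_least_one` constraint from the definition above. The function name `check_logger`, the sample objects, and the treatment of timestamps as integer epoch milliseconds are assumptions made for this sketch.

```python
# Requirement levels copied from the Logger definition shown on this page.
REQUIREMENTS = {
    "device": "recommended", "log_level": "optional", "log_name": "recommended",
    "log_provider": "recommended", "log_version": "optional", "name": "recommended",
    "product": "recommended", "transmit_time": "optional", "uid": "recommended",
    "version": "optional", "record_id": "required",
    # The definition lists no requirement for these three; treated as optional here.
    "logged_time": "optional", "raw_data": "optional", "unmapped": "optional",
}
AT_LEAST_ONE = ("name", "uid")  # the "constraints" block of the definition
TIMESTAMPS = ("logged_time", "transmit_time")


def check_logger(obj):
    """Return (errors, warnings) for one logger object given as a dict."""
    def present(attr):
        return obj.get(attr) not in (None, "")

    errors, warnings = [], []
    # Source-specific fields belong under "unmapped", not beside schema attributes.
    errors += [f"unknown attribute: {a}" for a in sorted(set(obj) - set(REQUIREMENTS))]
    for attr, level in REQUIREMENTS.items():
        if present(attr):
            continue
        if level == "required":
            errors.append(f"required attribute missing: {attr}")
        elif level == "recommended":
            warnings.append(f"recommended attribute missing: {attr}")
    if not any(present(a) for a in AT_LEAST_ONE):
        errors.append("at_least_one violated: need name or uid")
    for attr in TIMESTAMPS:
        value = obj.get(attr)
        # Assumption: timestamps are integer epoch milliseconds.
        if value is not None and (isinstance(value, bool) or not isinstance(value, int)):
            errors.append(f"{attr} is not an integer timestamp")
    return errors, warnings


# Constructed sample objects (not real telemetry).
GOOD = {"record_id": "constructed-0001", "uid": "collector-01", "log_name": "Security",
        "log_provider": "Microsoft-Windows-Security-Auditing",
        "logged_time": 1700000000000}
BAD = {"log_name": "syslog", "logged_time": "2023-11-14T22:13:20Z", "src_hint": "x"}

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(check_logger(sample))
```

Errors mark objects that break the definition; warnings only flag missing recommended attributes, which is where gaps in log provenance usually show up first.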