<fields>
<module>im_mseventlog</module>
<field>
<name>raw_event</name>
<type>string</type>
<persist>FALSE</persist>
<description>
<en>
A string containing the timestamp, hostname, severity, and
message from the event.
</en>
</description>
</field>
<field>
<name>Message</name>
<type>string</type>
<persist>FALSE</persist>
<lookup>FALSE</lookup>
<description>
<en>
The message from the event.
</en>
</description>
</field>
<field>
<name>EventTime</name>
<type>datetime</type>
<persist>TRUE</persist>
<description>
<en>
The TimeGenerated field of the EventRecord.
</en>
</description>
</field>
<field>
<name>EventTimeWritten</name>
<type>datetime</type>
<persist>FALSE</persist>
<description>
<en>
The TimeWritten field of the EventRecord.
</en>
</description>
</field>
<field>
<name>Hostname</name>
<type>string</type>
<persist>TRUE</persist>
<lookup>TRUE</lookup>
<description>
<en>
The host or computer name field of the EventRecord.
</en>
</description>
</field>
<field>
<name>SourceName</name>
<type>string</type>
<persist>TRUE</persist>
<description>
<en>
The event source that produced the event (the subsystem or
application name).
</en>
</description>
</field>
<field>
<name>EventID</name>
<type>integer</type>
<persist>TRUE</persist>
<description>
<en>
The event ID of the EventRecord.
</en>
</description>
</field>
<field>
<name>CategoryNumber</name>
<type>integer</type>
<persist>TRUE</persist>
<description>
<en>
The category number, stored as Category in the EventRecord.
</en>
</description>
</field>
<field>
<name>Category</name>
<type>string</type>
<persist>TRUE</persist>
<description>
<en>
The category name resolved from CategoryNumber.
</en>
</description>
</field>
<field>
<name>FileName</name>
<type>string</type>
<persist>TRUE</persist>
<lookup>TRUE</lookup>
<description>
<en>
The logfile source of the event (for example, `Security` or
`Application`).
</en>
</description>
</field>
<field>
<name>AccountName</name>
<type>string</type>
<persist>TRUE</persist>
<lookup>TRUE</lookup>
<description>
<en>
The username associated with the event.
</en>
</description>
</field>
<field>
<name>AccountType</name>
<type>string</type>
<persist>TRUE</persist>
<lookup>TRUE</lookup>
<description>
<en>
The type of the account. Possible values are: `User`, `Group`,
`Domain`, `Alias`, `Well Known Group`, `Deleted Account`,
`Invalid`, `Unknown`, and `Computer`.
</en>
</description>
</field>
<field>
<name>Domain</name>
<type>string</type>
<persist>TRUE</persist>
<lookup>TRUE</lookup>
<description>
<en>
The domain name of the user.
</en>
</description>
</field>
<field>
<name>SeverityValue</name>
<type>integer</type>
<persist>TRUE</persist>
<description>
<en>
The normalized severity number of the event, mapped as follows.
[cols="2", options="header,autowidth"]
|===
|Event Log Severity
|Normalized Severity
|0/Audit Success
|2/INFO
|0/Audit Failure
|4/ERROR
|1/Critical
|5/CRITICAL
|2/Error
|4/ERROR
|3/Warning
|3/WARNING
|4/Information
|2/INFO
|5/Verbose
|1/DEBUG
|===
</en>
</description>
</field>
<field>
<name>Severity</name>
<type>string</type>
<persist>TRUE</persist>
<description>
<en>
The normalized severity name of the event. See
<<im_mseventlog_field_SeverityValue,$SeverityValue>>.
</en>
</description>
</field>
<field>
<name>EventType</name>
<type>string</type>
<persist>TRUE</persist>
<lookup>TRUE</lookup>
<description>
<en>
The type of the event, which is a string describing the
severity. Possible values are: `ERROR`, `AUDIT_FAILURE`,
`AUDIT_SUCCESS`, `INFO`, `WARNING`, and `UNKNOWN`.
</en>
</description>
</field>
<field>
<name>RecordNumber</name>
<type>integer</type>
<persist>FALSE</persist>
<description>
<en>
The record number of the event record in the log.
</en>
</description>
</field>
</fields>