diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3c4bead62c..20d8bfac64 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -58,6 +58,7 @@ All notable changes to this project will be documented in this file based on the
`server.address`. #247
* Add `os.full` to capture full OS name, including version. #259
* Add generated source code for Go. #249
+* Add syslog protocol fields to event namespace. #301
### Improvements
* Improved the definition of the file fields #196
diff --git a/README.md b/README.md
index db2ef4bfe7..8a9e06c152 100644
--- a/README.md
+++ b/README.md
@@ -220,6 +220,10 @@ The event fields are used for context information about the log or metric event
| event.end | event.end contains the date when the event ended or when the activity was last observed. | extended | date | |
| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | core | float | |
| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100.
This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | extended | float | |
+| event.facility | Value parsed from messages adhering to RFC 5424 or RFC 3164. It represents the process the event has originated from. | core | long | `1` |
+| event.facility_label | Human readable format of `event.facility`. | extended | keyword | `kernel` |
+| event.priority | Value parsed from messages adhering to RFC 5424 or RFC 3164. | core | long | `1` |
+| event.priority_label | Human readable format of `event.priority`. | extended | keyword | `Informational` |
## File fields
diff --git a/code/go/ecs/event.go b/code/go/ecs/event.go
index a281154f06..4110cf8692 100644
--- a/code/go/ecs/event.go
+++ b/code/go/ecs/event.go
@@ -135,4 +135,17 @@ type Event struct {
// This is mainly useful if you use more than one system that assigns risk
// scores, and you want to see a normalized value across all systems.
RiskScoreNorm float64 `ecs:"risk_score_norm"`
+
+ // Value parsed from messages adhering to RFC 5424 or RFC 3164. It
+ // represents the process the event has originated from.
+ Facility int64 `ecs:"facility"`
+
+ // Human readable format of `event.facility`.
+ FacilityLabel string `ecs:"facility_label"`
+
+ // Value parsed from messages adhering to RFC 5424 or RFC 3164.
+ Priority int64 `ecs:"priority"`
+
+ // Human readable format of `event.priority`.
+ PriorityLabel string `ecs:"priority_label"`
}
diff --git a/fields.yml b/fields.yml
index 68c9184f5b..3b4e7cb2f8 100644
--- a/fields.yml
+++ b/fields.yml
@@ -603,6 +603,35 @@
This is mainly useful if you use more than one system that assigns
risk scores, and you want to see a normalized value across all systems.
+ - name: facility
+ level: core
+ type: long
+ example: 1
+ description: >
+ Value parsed from messages adhering to RFC 5424 or RFC 3164.
+ It represents the process the event has originated from.
+
+ - name: facility_label
+ level: extended
+ type: keyword
+ example: kernel
+ description: >
+ Human readable format of `event.facility`.
+
+ - name: priority
+ level: core
+ type: long
+ example: 1
+ description: >
+ Value parsed from messages adhering to RFC 5424 or RFC 3164.
+
+ - name: priority_label
+ level: extended
+ type: keyword
+ example: Informational
+ description: >
+ Human readable format of `event.priority`.
+
- name: file
group: 2
title: File
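Review bot: The descriptions and examples added for `facility` and `priority` do not match the RFCs they cite: in RFC 5424 and RFC 3164 the facility is a message category (kern, user, mail, daemon, …) rather than "the process the event has originated from", facility code 1 is user-level while kernel is 0, and severity code 1 is Alert while Informational is 6, so `example: 1` paired with `example: kernel` and `example: 1` paired with `example: Informational` are each internally inconsistent. The `priority` description also does not say whether the field holds the raw syslog PRI value (facility × 8 + severity) or the severity code alone, and the latter would duplicate the existing `event.severity` visible in the schema.csv hunk, so a producer cannot tell which value to populate. I would change the facility description to `Syslog facility code parsed from messages adhering to RFC 5424 or RFC 3164. It identifies the category of the originating subsystem (e.g. kernel, user, daemon).`, state explicitly in the priority description which value it carries and how it relates to `event.severity`, and align the examples (`example: 0` with `kernel`, and `example: 6` with `Informational` if the field is the severity code). The same text and examples appear in the schemas/event.yml, schema.json, README.md and code/go/ecs/event.go hunks; if those files are generated from schemas/event.yml, as the changelog suggests for the Go code, the fix belongs in schemas/event.yml and should be regenerated from there.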
diff --git a/schema.csv b/schema.csv
index 35a6c9c1c2..c3958dd91d 100644
--- a/schema.csv
+++ b/schema.csv
@@ -45,12 +45,16 @@ event.created,date,core,
event.dataset,keyword,core,stats
event.duration,long,core,
event.end,date,extended,
+event.facility,long,core,1
+event.facility_label,keyword,extended,kernel
event.hash,keyword,extended,123456789012345678901234567890ABCD
event.id,keyword,core,8a4f500d
event.kind,keyword,extended,state
event.module,keyword,core,mysql
event.original,(not indexed),core,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
event.outcome,keyword,extended,success
+event.priority,long,core,1
+event.priority_label,keyword,extended,Informational
event.risk_score,float,core,
event.risk_score_norm,float,extended,
event.severity,long,core,7
diff --git a/schema.json b/schema.json
index 96f14a5c24..53c80c1f6a 100644
--- a/schema.json
+++ b/schema.json
@@ -534,6 +534,26 @@
"required": false,
"type": "date"
},
+ "event.facility": {
+ "description": "Value parsed from messages adhering to RFC 5424 or RFC 3164. It represents the process the event has originated from.",
+ "example": "1",
+ "footnote": "",
+ "group": 2,
+ "level": "core",
+ "name": "event.facility",
+ "required": false,
+ "type": "long"
+ },
+ "event.facility_label": {
+ "description": "Human readable format of `event.facility`.",
+ "example": "kernel",
+ "footnote": "",
+ "group": 2,
+ "level": "extended",
+ "name": "event.facility_label",
+ "required": false,
+ "type": "keyword"
+ },
"event.hash": {
"description": "Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.",
"example": "123456789012345678901234567890ABCD",
@@ -594,6 +614,26 @@
"required": false,
"type": "keyword"
},
+ "event.priority": {
+ "description": "Value parsed from messages adhering to RFC 5424 or RFC 3164.",
+ "example": "1",
+ "footnote": "",
+ "group": 2,
+ "level": "core",
+ "name": "event.priority",
+ "required": false,
+ "type": "long"
+ },
+ "event.priority_label": {
+ "description": "Human readable format of `event.priority`.",
+ "example": "Informational",
+ "footnote": "",
+ "group": 2,
+ "level": "extended",
+ "name": "event.priority_label",
+ "required": false,
+ "type": "keyword"
+ },
"event.risk_score": {
"description": "Risk score or priority of the event (e.g. security solutions). Use your system's original value here.",
"example": "",
diff --git a/schemas/event.yml b/schemas/event.yml
index 0b9ac05f05..be748a6211 100644
--- a/schemas/event.yml
+++ b/schemas/event.yml
@@ -195,3 +195,32 @@
This is mainly useful if you use more than one system that assigns
risk scores, and you want to see a normalized value across all systems.
+
+ - name: facility
+ level: core
+ type: long
+ example: 1
+ description: >
+ Value parsed from messages adhering to RFC 5424 or RFC 3164.
+ It represents the process the event has originated from.
+
+ - name: facility_label
+ level: extended
+ type: keyword
+ example: kernel
+ description: >
+ Human readable format of `event.facility`.
+
+ - name: priority
+ level: core
+ type: long
+ example: 1
+ description: >
+ Value parsed from messages adhering to RFC 5424 or RFC 3164.
+
+ - name: priority_label
+ level: extended
+ type: keyword
+ example: Informational
+ description: >
+ Human readable format of `event.priority`.
diff --git a/template.json b/template.json
index 687b063982..ceb0b23b56 100644
--- a/template.json
+++ b/template.json
@@ -225,6 +225,13 @@
"end": {
"type": "date"
},
+ "facility": {
+ "type": "long"
+ },
+ "facility_label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
"hash": {
"ignore_above": 1024,
"type": "keyword"
@@ -251,6 +258,13 @@
"ignore_above": 1024,
"type": "keyword"
},
+ "priority": {
+ "type": "long"
+ },
+ "priority_label": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
"risk_score": {
"type": "float"
},