Add syslog protocol fields to event

CHANGELOG.md

@@ -58,6 +58,7 @@ All notable changes to this project will be documented in this file based on the
   `server.address`. #247
 * Add `os.full` to capture full OS name, including version. #259
 * Add generated source code for Go. #249
+* Add syslog protocol fields to event namespace. #301
 
 ### Improvements
 * Improved the definition of the file fields #196

README.md

@@ -220,6 +220,10 @@ The event fields are used for context information about the log or metric event
 | <a name="event.end"></a>event.end | event.end contains the date when the event ended or when the activity was last observed. | extended | date |  |
 | <a name="event.risk_score"></a>event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | core | float |  |
 | <a name="event.risk_score_norm"></a>event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100.<br/>This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | extended | float |  |
+| <a name="event.facility"></a>event.facility | Value parsed from messages adhering to RFC 5424 or RFC 3164. It represents the process the event has originated from. | core | long | `1` |
+| <a name="event.facility_label"></a>event.facility_label | Human readable format of `event.facility`. | extended | keyword | `kernel` |
+| <a name="event.priority"></a>event.priority | Value parsed from messages adhering to RFC 5424 or RFC 3164. | core | long | `1` |
+| <a name="event.priority_label"></a>event.priority_label | Human readable format of `event.priority`. | extended | keyword | `Informational` |
 
 
 ## <a name="file"></a> File fields

fields.yml

@@ -603,6 +603,35 @@
             This is mainly useful if you use more than one system that assigns
             risk scores, and you want to see a normalized value across all systems.
 
+        - name: facility
+          level: core
+          type: long
+          example: 1
+          description: >
+            Value parsed from messages adhering to RFC 5424 or RFC 3164.
+            It represents the process the event has originated from.
+
+        - name: facility_label
+          level: extended
+          type: keyword
+          example: kernel
+          description: >
+            Human readable format of `event.facility`.
+
+        - name: priority
+          level: core
+          type: long
+          example: 1
+          description: >
+            Value parsed from messages adhering to RFC 5424 or RFC 3164.
+
+        - name: priority_label
+          level: extended
+          type: keyword
+          example: Informational
+          description: >
+            Human readable format of `event.priority`.
+
     - name: file
       group: 2
       title: File

schema.csv

@@ -45,12 +45,16 @@ event.created,date,core,
 event.dataset,keyword,core,stats
 event.duration,long,core,
 event.end,date,extended,
+event.facility,long,core,1
+event.facility_label,keyword,extended,kernel
 event.hash,keyword,extended,123456789012345678901234567890ABCD
 event.id,keyword,core,8a4f500d
 event.kind,keyword,extended,state
 event.module,keyword,core,mysql
 event.original,(not indexed),core,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
 event.outcome,keyword,extended,success
+event.priority,long,core,1
+event.priority_label,keyword,extended,Informational
 event.risk_score,float,core,
 event.risk_score_norm,float,extended,
 event.severity,long,core,7

schema.json

@@ -534,6 +534,26 @@
         "required": false, 
         "type": "date"
       }, 
+      "event.facility": {
+        "description": "Value parsed from messages adhering to RFC 5424 or RFC 3164. It represents the process the event has originated from.", 
+        "example": "1", 
+        "footnote": "", 
+        "group": 2, 
+        "level": "core", 
+        "name": "event.facility", 
+        "required": false, 
+        "type": "long"
+      }, 
+      "event.facility_label": {
+        "description": "Human readable format of `event.facility`.", 
+        "example": "kernel", 
+        "footnote": "", 
+        "group": 2, 
+        "level": "extended", 
+        "name": "event.facility_label", 
+        "required": false, 
+        "type": "keyword"
+      }, 
       "event.hash": {
         "description": "Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.", 
         "example": "123456789012345678901234567890ABCD", 
@@ -594,6 +614,26 @@
         "required": false, 
         "type": "keyword"
       }, 
+      "event.priority": {
+        "description": "Value parsed from messages adhering to RFC 5424 or RFC 3164.", 
+        "example": "1", 
+        "footnote": "", 
+        "group": 2, 
+        "level": "core", 
+        "name": "event.priority", 
+        "required": false, 
+        "type": "long"
+      }, 
+      "event.priority_label": {
+        "description": "Human readable format of `event.priority`.", 
+        "example": "Informational", 
+        "footnote": "", 
+        "group": 2, 
+        "level": "extended", 
+        "name": "event.priority_label", 
+        "required": false, 
+        "type": "keyword"
+      }, 
       "event.risk_score": {
         "description": "Risk score or priority of the event (e.g. security solutions). Use your system's original value here.", 
         "example": "", 

schemas/event.yml

@@ -195,3 +195,32 @@
 
         This is mainly useful if you use more than one system that assigns
         risk scores, and you want to see a normalized value across all systems.
+
+    - name: facility
+      level: core
+      type: long
+      example: 1
+      description: >
+        Value parsed from messages adhering to RFC 5424 or RFC 3164.
+        It represents the process the event has originated from.
+
+    - name: facility_label
+      level: extended
+      type: keyword
+      example: kernel
+      description: >
+        Human readable format of `event.facility`.
+
+    - name: priority
+      level: core
+      type: long
+      example: 1
+      description: >
+        Value parsed from messages adhering to RFC 5424 or RFC 3164.
+
+    - name: priority_label
+      level: extended
+      type: keyword
+      example: Informational
+      description: >
+        Human readable format of `event.priority`.

template.json

@@ -225,6 +225,13 @@
             "end": {
               "type": "date"
             },
+            "facility": {
+              "type": "long"
+            },
+            "facility_label": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
             "hash": {
               "ignore_above": 1024,
               "type": "keyword"
@@ -251,6 +258,13 @@
               "ignore_above": 1024,
               "type": "keyword"
             },
+            "priority": {
+              "type": "long"
+            },
+            "priority_label": {
+              "ignore_above": 1024,
+              "type": "keyword"
+            },
             "risk_score": {
               "type": "float"
             },