Skip to content

Instantly share code, notes, and snippets.

@dav3860

dav3860/Event Logs Schema

Created October 9, 2013 16:14
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save dav3860/6903830 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save dav3860/6903830 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Event Logs Schema
{
"title": "Windows Event Logs",
"services": {
"query": {
"idQueue": [
2,
3,
4,
9,
10,
11,
12,
13,
14
],
"list": {
"0": {
"query": "",
"alias": "",
"color": "#7EB26D",
"id": 0,
"pin": false,
"type": "lucene"
},
"1": {
"alias": 4634,
"query": "EventID:\"4634\" AND (NOT host:server1)",
"id": 1,
"color": "#EAB839",
"pin": false,
"type": "lucene"
},
"5": {
"alias": 4776,
"query": "EventID:\"4776\" AND (NOT host:server1)",
"id": 5,
"color": "#1F78C1",
"pin": false,
"type": "lucene"
},
"6": {
"alias": 4625,
"query": "EventID:\"4625\" AND (NOT host:server1)",
"id": 6,
"color": "#BA43A9",
"pin": false,
"type": "lucene"
},
"7": {
"alias": 4624,
"query": "EventID:\"4624\" AND (NOT host:server1)",
"id": 7,
"color": "#705DA0",
"pin": false,
"type": "lucene"
},
"8": {
"alias": 4648,
"query": "EventID:\"4648\" AND (NOT host:server1)",
"id": 8,
"color": "#508642",
"pin": false,
"type": "lucene"
}
},
"ids": [
0,
1,
5,
6,
7,
8
]
},
"filter": {
"idQueue": [
2
],
"list": {
"0": {
"from": "2013-10-09T15:51:53.802Z",
"to": "2013-10-09T16:06:53.802Z",
"field": "@timestamp",
"type": "time",
"mandate": "must",
"active": true,
"alias": "",
"id": 0
},
"1": {
"type": "field",
"field": "type",
"query": "\"eventlog\"",
"mandate": "must",
"active": true,
"alias": "",
"id": 1
}
},
"ids": [
1,
0
]
}
},
"rows": [
{
"title": "Options",
"height": "50px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"title": "Set time span",
"error": "",
"span": 4,
"editable": true,
"group": [
"default"
],
"type": "timepicker",
"mode": "relative",
"time_options": [
"5m",
"15m",
"1h",
"6h",
"12h",
"24h",
"2d",
"7d",
"30d"
],
"timespan": "15m",
"timefield": "@timestamp",
"timeformat": "",
"refresh": {
"enable": false,
"interval": 30,
"min": 3
},
"filter_id": 0,
"status": "Stable"
},
{
"error": false,
"span": 8,
"editable": true,
"type": "derivequeries",
"loadingEditor": false,
"loading": false,
"label": "Search",
"query": "NOT host:server1",
"ids": [
1,
5,
6,
7,
8
],
"field": "EventID",
"fields": [
"dynamic_templates.0.dyn_template99.mapping",
"dynamic_templates.0.dyn_template99",
"@timestamp",
"@version",
"action",
"ciscotag",
"dst_ip",
"dst_name",
"dst_port",
"group",
"host",
"message",
"program",
"src_ip",
"syslog_facility",
"syslog_severity",
"type",
"user",
"dst_xlated_ip",
"dst_xlated_port",
"protocol",
"src_port",
"src_xlated_ip",
"src_xlated_port",
"CookieI",
"CookieR",
"DCE-RPC Interface UUID",
"DCE-RPC Interface UUID-1",
"DCE-RPC Interface UUID-2",
"DCE-RPC Interface UUID-3",
"ICMP",
"ICMP Code",
"ICMP Type",
"IKE IDs:",
"IKE:",
"NAT_rulenum",
"OM:",
"TCP packet out of state",
"alert",
"assigned_IP:",
"auth_method",
"dst_xlate_ip",
"dst_xlate_port",
"dstkeyid",
"during_sec",
"encryption fail reason:",
"encryption failure:",
"fragments_dropped",
"i/f_name",
"ip_id",
"ip_len",
"ip_offset",
"log_sys_message",
"message_info",
"msgid",
"om_method:",
"peer",
"policy_id",
"product",
"reason",
"reject_category",
"src_xlate_ip",
"src_xlate_port",
"srckeyid",
"start_time",
"sys_msgs",
"tcp_flags",
"vpn_user",
"agent",
"build",
"bytes",
"device",
"httpversion",
"major",
"minor",
"name",
"os",
"patch",
"referrer",
"request",
"response",
"verb",
"website",
"AccountDomain",
"AccountName",
"AccountType",
"ActivityID",
"AuthenticationPackageName",
"Category",
"CategoryNumber",
"Channel",
"ClientAddress",
"ClientName",
"DCName",
"DeviceName",
"DeviceNameLength",
"DeviceTime",
"DeviceVersionMajor",
"DeviceVersionMinor",
"Domain",
"EventID",
"EventTime",
"EventType",
"FailureReason",
"FinalStatus",
"IpAddress",
"IpPort",
"KeyLength",
"LmPackageName",
"LogonGuid",
"LogonID",
"LogonProcessName",
"LogonType",
"NumberOfGroupPolicyObjects",
"PackageName",
"PreAuthType",
"ProcessID",
"ProcessName",
"ProcessingMode",
"ProcessingTimeInMilliseconds",
"ProviderGuid",
"ServiceName",
"ServiceSid",
"SessionName",
"Severity",
"SourceName",
"Status",
"SubStatus",
"SubjectDomainName",
"SubjectLogonId",
"SubjectUserName",
"SubjectUserSid",
"SupportInfo1",
"SupportInfo2",
"TSId",
"TargetDomainName",
"TargetInfo",
"TargetLogonGuid",
"TargetServerName",
"TargetSid",
"TargetUserName",
"TargetUserSid",
"TicketEncryptionType",
"TicketOptions",
"TransmittedServices",
"UserID",
"UserSid",
"Workstation",
"WorkstationName",
"param1",
"param2",
"param3",
"param4",
"Internal_CA:",
"NAT_addtnl_rulenum",
"__policy_id_tag",
"dn:",
"elapsed",
"has_accounting",
"i/f_dir",
"loc",
"methods:",
"path",
"scheme:",
"uuid",
"Account",
"AccountToReset",
"AvailableEtypes",
"Detail",
"ID",
"ImagePath",
"RequestedEtypes",
"ServiceType",
"StartType",
"Target",
"tloc",
"Address",
"AddressLength",
"ErrorCode",
"ErrorDescription",
"LookupType",
"QueryName",
"TimeSource",
"param5",
"Interface",
"NewTime",
"OldTime",
"ProtocolType",
"param10",
"param11",
"param12",
"param6",
"param7",
"param8",
"param9",
"short_user",
"ApplicationName",
"ErrorStatus",
"InterfaceId",
"Method",
"Type",
"is_admin",
"tags",
"username",
"password",
"salt",
"Group",
"IdleStateCount",
"Number",
"PerfStateCount",
"ThrottleStateCount",
"dashboard",
"title",
"BootMode",
"BuildVersion",
"DwordVal",
"MajorVersion",
"MinorVersion",
"QfeVersion",
"ServiceVersion",
"ShutdownActionType",
"ShutdownEventCode",
"ShutdownReason",
"StartTime",
"StopTime",
"ListenerAdapterProtocol"
],
"spyable": true,
"rest": false,
"size": 5,
"mode": "AND",
"exclude": [],
"history": [
"NOT host:server1",
"host:server1",
"*",
""
],
"remember": 10,
"title": "Recherche"
}
]
},
{
"title": "Filters",
"height": "50px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"title": "dashboard filters",
"error": false,
"span": 12,
"editable": true,
"group": [
"default"
],
"type": "filtering"
}
]
},
{
"title": "Graph",
"height": "200px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"span": 8,
"editable": true,
"group": [
"default"
],
"type": "histogram",
"mode": "count",
"time_field": "@timestamp",
"value_field": null,
"auto_int": true,
"resolution": 100,
"interval": "10s",
"fill": 1,
"linewidth": 2,
"timezone": "browser",
"spyable": true,
"zoomlinks": true,
"bars": false,
"stack": false,
"points": false,
"lines": true,
"legend": true,
"x-axis": true,
"y-axis": true,
"percentage": false,
"interactive": true,
"queries": {
"mode": "all",
"ids": [
0,
1,
5,
6,
7,
8
]
},
"title": "Events over time",
"intervals": [
"auto",
"1s",
"1m",
"5m",
"10m",
"30m",
"1h",
"3h",
"12h",
"1d",
"1w",
"1M",
"1y"
],
"options": true,
"tooltip": {
"value_type": "cumulative",
"query_as_alias": false
}
},
{
"error": false,
"span": 2,
"editable": true,
"type": "terms",
"loadingEditor": false,
"queries": {
"mode": "all",
"ids": [
0,
1,
5,
6,
7,
8
]
},
"field": "host",
"exclude": [],
"missing": false,
"other": true,
"size": 5,
"order": "count",
"style": {
"font-size": "10pt"
},
"donut": true,
"tilt": false,
"labels": false,
"arrangement": "horizontal",
"chart": "pie",
"counter_pos": "above",
"spyable": true,
"title": "Top hosts"
},
{
"span": 2,
"editable": true,
"type": "trends",
"loadingEditor": false,
"queries": {
"mode": "all",
"ids": [
0,
1,
5,
6,
7,
8
]
},
"style": {
"font-size": "18pt"
},
"ago": "1d",
"arrangement": "vertical",
"spyable": true,
"title": "Tendances"
}
]
},
{
"title": "Events",
"height": "350px",
"editable": true,
"collapse": false,
"collapsable": true,
"panels": [
{
"title": "",
"error": false,
"span": 12,
"editable": true,
"group": [
"default"
],
"type": "table",
"size": 100,
"pages": 5,
"offset": 0,
"sort": [
"@timestamp",
"desc"
],
"style": {
"font-size": "9pt"
},
"overflow": "min-height",
"fields": [
"@timestamp",
"host",
"EventID",
"Channel",
"Category",
"SourceName",
"message"
],
"highlight": [],
"sortable": true,
"header": true,
"paging": true,
"spyable": true,
"queries": {
"mode": "all",
"ids": [
0,
1,
5,
6,
7,
8
]
},
"field_list": false,
"status": "Stable",
"trimFactor": 300,
"normTimes": true
}
]
}
],
"editable": true,
"failover": false,
"index": {
"interval": "day",
"pattern": "[logstash-]YYYY.MM.DD",
"default": "NO_TIME_FILTER_OR_INDEX_PATTERN_NOT_MATCHED"
},
"style": "dark",
"panel_hints": true,
"loader": {
"save_gist": false,
"save_elasticsearch": true,
"save_local": true,
"save_default": true,
"save_temp": true,
"save_temp_ttl_enable": true,
"save_temp_ttl": "30d",
"load_gist": true,
"load_elasticsearch": true,
"load_elasticsearch_size": 20,
"load_local": true,
"hide": false
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment