+
+ | Field |
+ Type |
+ Description |
+ Maps to Unified Model Field |
+
+
+ | @timestamp |
+ datetime |
+ Time the event was recorded |
+ Timestamp |
+
+
+ | message |
+ string |
+ Any type of message |
+ Body |
+
+
+ | labels |
+ key/value |
+ Arbitrary labels related to the event |
+ Attributes[*] |
+
+
+ | tags |
+ array of string |
+ List of values related to the event |
+ ? |
+
+
+ | trace.id |
+ string |
+ Trace ID |
+ TraceId |
+
+
+ | span.id* |
+ string |
+ Span ID |
+ SpanId |
+
+
+ | agent.ephemeral_id |
+ string |
+ Ephemeral ID created by agent |
+ **Resource |
+
+
+ | agent.id |
+ string |
+ Unique identifier of this agent |
+ **Resource |
+
+
+ | agent.name |
+ string |
+ Name given to the agent |
+ Resource["telemetry.sdk.name"] |
+
+
+ | agent.type |
+ string |
+ Type of agent |
+ Resource["telemetry.sdk.language"] |
+
+
+ | agent.version |
+ string |
+ Version of agent |
+ Resource["telemetry.sdk.version"] |
+
+
+ | source.ip, client.ip |
+ string |
+ The IP address that the request was made from. |
+ Attributes["net.sock.peer.addr"] or Attributes["net.sock.host.addr"] |
+
+
+ | cloud.account.id |
+ string |
+ ID of the account in the given cloud |
+ Resource["cloud.account.id"] |
+
+
+ | cloud.availability_zone |
+ string |
+ Availability zone in which this host is running. |
+ Resource["cloud.zone"] |
+
+
+ | cloud.instance.id |
+ string |
+ Instance ID of the host machine. |
+ **Resource |
+
+
+ | cloud.instance.name |
+ string |
+ Instance name of the host machine. |
+ **Resource |
+
+
+ | cloud.machine.type |
+ string |
+ Machine type of the host machine. |
+ **Resource |
+
+
+ | cloud.provider |
+ string |
+ Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
+ Resource["cloud.provider"] |
+
+
+ | cloud.region |
+ string |
+ Region in which this host is running. |
+ Resource["cloud.region"] |
+
+
+ | cloud.image.id* |
+ string |
+ |
+ Resource["host.image.name"] |
+
+
+ | container.id |
+ string |
+ Unique container id |
+ Resource["container.id"] |
+
+
+ | container.image.name |
+ string |
+ Name of the image the container was built on. |
+ Resource["container.image.name"] |
+
+
+ | container.image.tag |
+ Array of string |
+ Container image tags. |
+ **Resource |
+
+
+ | container.labels |
+ key/value |
+ Image labels. |
+ Attributes[*] |
+
+
+ | container.name |
+ string |
+ Container name. |
+ Resource["container.name"] |
+
+
+ | container.runtime |
+ string |
+ Runtime managing this container. Example: "docker" |
+ **Resource |
+
+
+ | destination.address |
+ string |
+ Destination address for the event |
+ Attributes["destination.address"] |
+
+
+ | error.code |
+ string |
+ Error code describing the error. |
+ Attributes["error.code"] |
+
+
+ | error.id |
+ string |
+ Unique identifier for the error. |
+ Attributes["error.id"] |
+
+
+ | error.message |
+ string |
+ Error message. |
+ Attributes["error.message"] |
+
+
+ | error.stack_trace |
+ string |
+ The stack trace of this error in plain text. |
+ Attributes["error.stack_trace] |
+
+
+ | host.architecture |
+ string |
+ Operating system architecture |
+ **Resource |
+
+
+ | host.domain |
+ string |
+ Name of the domain of which the host is a member.
+
+For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
+
+**Resource |
+
+
+ | host.hostname |
+ string |
+ Hostname of the host.
+
+It normally contains what the hostname command returns on the host machine. |
+
+Resource["host.hostname"] |
+
+
+
+ | host.id |
+ string |
+ Unique host id. |
+ Resource["host.id"] |
+
+
+ | host.ip |
+ Array of string |
+ Host IP |
+ Resource["host.ip"] |
+
+
+ | host.mac |
+ array of string |
+ MAC addresses of the host |
+ Resource["host.mac"] |
+
+
+ | host.name |
+ string |
+ Name of the host.
+
+It may contain what hostname returns on Unix systems, the fully qualified, or a name specified by the user. |
+
+Resource["host.name"] |
+
+
+
+ | host.type |
+ string |
+ Type of host. |
+ Resource["host.type"] |
+
+
+ | host.uptime |
+ string |
+ Seconds the host has been up. |
+ ? |
+
+
+ | service.ephemeral_id
+
+ |
+ string |
+ Ephemeral identifier of this service |
+ **Resource |
+
+
+ | service.id |
+ string |
+ Unique identifier of the running service. If the service is comprised of many nodes, the service.id should be the same for all nodes. |
+ **Resource |
+
+
+ | service.name |
+ string |
+ Name of the service data is collected from. |
+ Resource["service.name"] |
+
+
+ | service.node.name |
+ string |
+ Specific node serving that service |
+ Resource["service.instance.id"] |
+
+
+ | service.state |
+ string |
+ Current state of the service. |
+ Attributes["service.state"] |
+
+
+ | service.type |
+ string |
+ The type of the service data is collected from. |
+ **Resource |
+
+
+ | service.version |
+ string |
+ Version of the service the data was collected from. |
+ Resource["service.version"] |
+
+
+
+\* Not yet formalized into ECS.
+
+\*\* A resource that doesn’t exist in the
+[OpenTelemetry resource semantic convention](../resource/semantic_conventions/README.md).
+
+This is a selection of the most relevant fields. See
+[for the full reference](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html)
+for an exhaustive list.
+
+## Appendix B: `SeverityNumber` example mappings
+
+|Syslog |WinEvtLog |Log4j |Zap |java.util.logging|.NET (Microsoft.Extensions.Logging)|SeverityNumber|
+|-------------|-----------|------|------|-----------------|-----------------------------------|--------------|
+| | |TRACE | | FINEST |LogLevel.Trace |TRACE |
+|Debug |Verbose |DEBUG |Debug | FINER |LogLevel.Debug |DEBUG |
+| | | | | FINE | |DEBUG2 |
+| | | | | CONFIG | |DEBUG3 |
+|Informational|Information|INFO |Info | INFO |LogLevel.Information |INFO |
+|Notice | | | | | |INFO2 |
+|Warning |Warning |WARN |Warn | WARNING |LogLevel.Warning |WARN |
+|Error |Error |ERROR |Error | SEVERE |LogLevel.Error |ERROR |
+|Critical |Critical | |Dpanic| | |ERROR2 |
+|Alert | | |Panic | | |ERROR3 |
+|Emergency | |FATAL |Fatal | |LogLevel.Critical |FATAL |
diff --git a/specification/logs/data-model.md b/specification/logs/data-model.md
index 58faec0e78c..2c57f4915d7 100644
--- a/specification/logs/data-model.md
+++ b/specification/logs/data-model.md
@@ -34,18 +34,7 @@
* [Field: `Attributes`](#field-attributes)
+ [Errors and Exceptions](#errors-and-exceptions)
- [Example Log Records](#example-log-records)
-- [Appendix A. Example Mappings](#appendix-a-example-mappings)
- * [RFC5424 Syslog](#rfc5424-syslog)
- * [Windows Event Log](#windows-event-log)
- * [SignalFx Events](#signalfx-events)
- * [Splunk HEC](#splunk-hec)
- * [Log4j](#log4j)
- * [Zap](#zap)
- * [Apache HTTP Server access log](#apache-http-server-access-log)
- * [CloudTrail Log Event](#cloudtrail-log-event)
- * [Google Cloud Logging](#google-cloud-logging)
-- [Elastic Common Schema](#elastic-common-schema)
-- [Appendix B: `SeverityNumber` example mappings](#appendix-b-severitynumber-example-mappings)
+- [Example Mappings](#example-mappings)
- [References](#references)
@@ -147,7 +136,7 @@ fields:
conventions for key names and possible values that allow all parties that work
with the field to have the same interpretation of the data. See references to
semantic conventions for `Resource` and `Attributes` fields and examples in
- [Appendix A](#appendix-a-example-mappings).
+ [Appendix A](./data-model-appendix.md#appendix-a-example-mappings).
The reasons for having these 2 kinds of fields are:
@@ -178,7 +167,7 @@ top-level structure of the record.
## Log and Event Record Definition
-[Appendix A](#appendix-a-example-mappings) contains many examples that show how
+[Appendix A](./data-model-appendix.md#appendix-a-example-mappings) contains many examples that show how
existing log formats map to the fields defined below. If there are questions
about the meaning of the field reviewing the examples may be helpful.
@@ -348,7 +337,7 @@ define a severity or log level concept then it is recommended to set
record represents a non-erroneous event the `SeverityNumber` field may be
omitted or may be set to any numeric value less than ERROR (numeric 17). The
recommended value in this case is INFO (numeric 9). See
-[Appendix B](#appendix-b-severitynumber-example-mappings) for more mapping
+[Appendix B](./data-model-appendix.md#appendix-b-severitynumber-example-mappings) for more mapping
examples.
#### Displaying Severity
@@ -478,815 +467,10 @@ If included, they MUST follow the OpenTelemetry
For example log records see
[JSON File serialization](../protocol/file-exporter.md#examples).
-## Appendix A. Example Mappings
-
-This section contains examples of mapping of other events and logs formats to
-this data model.
-
-### RFC5424 Syslog
-
-
-
- | Property |
- Type |
- Description |
- Maps to Unified Model Field |
-
-
- | TIMESTAMP |
- Timestamp |
- Time when an event occurred measured by the origin clock. |
- Timestamp |
-
-
- | SEVERITY |
- enum |
- Defines the importance of the event. Example: `Debug` |
- Severity |
-
-
- | FACILITY |
- enum |
- Describes where the event originated. A predefined list of Unix processes. Part of event source identity. Example: `mail system` |
- Attributes["syslog.facility"] |
-
-
- | VERSION |
- number |
- Meta: protocol version, orthogonal to the event. |
- Attributes["syslog.version"] |
-
-
- | HOSTNAME |
- string |
- Describes the location where the event originated. Possible values are FQDN, IP address, etc. |
- Resource["host.hostname"] |
-
-
- | APP-NAME |
- string |
- User-defined app name. Part of event source identity. |
- Resource["service.name"] |
-
-
- | PROCID |
- string |
- Not well defined. May be used as a meta field for protocol operation purposes or may be part of event source identity. |
- Attributes["syslog.procid"] |
-
-
- | MSGID |
- string |
- Defines the type of the event. Part of event source identity. Example: "TCPIN" |
- Attributes["syslog.msgid"] |
-
-
- | STRUCTURED-DATA |
- array of maps of string to string |
- A variety of use cases depending on the SDID:
-Can describe event source identity
-Can include data that describes particular occurrence of the event.
-Can be meta-information, e.g. quality of timestamp value. |
- SDID origin.swVersion map to Resource["service.version"]
-
-SDID origin.ip map to attribute["net.sock.host.addr"]
-
-Rest of SDIDs -> Attributes["syslog.*"] |
-
-
- | MSG |
- string |
- Free-form text message about the event. Typically human readable. |
- Body |
-
-
-
-### Windows Event Log
-
-
-
- | Field |
- Type |
- Description |
- Maps to Unified Model Field |
-
-
- | Timestamp |
- Timestamp |
- Time when the event occurred measured by the origin clock. |
- Timestamp |
-
-
- | EventType |
- string |
- Short machine understandable string describing the event type. SignalFx specific concept. Non-namespaced. Example: k8s Event Reason field. |
- Attributes["com.splunk.signalfx.event_type"] |
-
-
- | Category |
- enum |
- Describes where the event originated and why. SignalFx specific concept. Example: AGENT. |
- Attributes["com.splunk.signalfx.event_category"] |
-
-
- | Dimensions |
- map<string, string> |
- Helps to define the identity of the event source together with EventType and Category. Multiple occurrences of events coming from the same event source can happen across time and they all have the value of Dimensions. |
- Resource |
-
-
- | Properties |
- map<string, any> |
- Additional information about the specific event occurrence. Unlike Dimensions which are fixed for a particular event source, Properties can have different values for each occurrence of the event coming from the same event source. |
- Attributes |
-
-
-
-### Splunk HEC
-
-We apply this mapping from HEC to the unified model:
-
-
-
- | Field |
- Type |
- Description |
- Maps to Unified Model Field |
-
-
- | time |
- numeric, string |
- The event time in epoch time format, in seconds. |
- Timestamp |
-
-
- | host |
- string |
- The host value to assign to the event data. This is typically the host name of the client that you are sending data from. |
- Resource["host.name"] |
-
-
- | source |
- string |
- The source value to assign to the event data. For example, if you are sending data from an app you are developing, you could set this key to the name of the app. |
- Resource["com.splunk.source"] |
-
-
- | sourcetype |
- string |
- The sourcetype value to assign to the event data. |
- Resource["com.splunk.sourcetype"] |
-
-
- | event |
- any |
- The JSON representation of the raw body of the event. It can be a string, number, string array, number array, JSON object, or a JSON array. |
- Body |
-
-
- | fields |
- map<string, any> |
- Specifies a JSON object that contains explicit custom fields. |
- Attributes |
-
-
- | index |
- string |
- The name of the index by which the event data is to be indexed. The index you specify here must be within the list of allowed indexes if the token has the indexes parameter set. |
- Attributes["com.splunk.index"] |
-
-
-
-When mapping from the unified model to HEC, we apply this additional mapping:
-
-
-
- | Field |
- Type |
- Description |
- Maps to Unified Model Field |
-
-
- | eventTime |
- string |
- The date and time the request was made, in coordinated universal time (UTC). |
- Timestamp |
-
-
- | eventSource |
- string |
- The service that the request was made to. This name is typically a short form of the service name without spaces plus .amazonaws.com. |
- Resource["service.name"]? |
-
-
- | awsRegion |
- string |
- The AWS region that the request was made to, such as us-east-2. |
- Resource["cloud.region"] |
-
-
- | sourceIPAddress |
- string |
- The IP address that the request was made from. |
- Attributes["net.sock.peer.addr"] or Attributes["net.sock.host.addr"] |
-
-
- | errorCode |
- string |
- The AWS service error if the request returns an error. |
- Attributes["cloudtrail.error_code"] |
-
-
- | errorMessage |
- string |
- If the request returns an error, the description of the error. |
- Body |
-
-
- | All other fields |
- * |
- |
- Attributes["cloudtrail.*"] |
-
-
-
-### Google Cloud Logging
-
-Field | Type | Description | Maps to Unified Model Field
------------------|--------------------| ------------------------------------------------------- | ---------------------------
-timestamp | string | The time the event described by the log entry occurred. | Timestamp
-resource | MonitoredResource | The monitored resource that produced this log entry. | Resource
-log_name | string | The URL-encoded LOG_ID suffix of the log_name field identifies which log stream this entry belongs to. | Attributes["gcp.log_name"]
-json_payload | google.protobuf.Struct | The log entry payload, represented as a structure that is expressed as a JSON object. | Body
-proto_payload | google.protobuf.Any | The log entry payload, represented as a protocol buffer. | Body
-text_payload | string | The log entry payload, represented as a Unicode string (UTF-8). | Body
-severity | LogSeverity | The severity of the log entry. | Severity
-trace | string | The trace associated with the log entry, if any. | TraceId
-span_id | string | The span ID within the trace associated with the log entry. | SpanId
-labels | map