proposal for Event fields

I would like to propose two new event fields that I think would be useful

  • event.level (keyword)
  • event.sequence (long)

event.level is the human readable companion field to event.severity, essentially identical in use to log.level (which could be deprecated/removed in favor of event.level).

event.sequence is another integrity field (like event.hash) for event sources that emit events in sequence, to detect missing events and/or order events that may have time stamps based on receipt time rather than emit time (syslog over UDP comes to mind).

While I’m on the topic of the Event group, is event.id meant to be a unique id for an instance of an event (such that two identical events would have different and unique event.id), or is it meant to handle the case where events have numeric or coded identifiers, e.g. %ASA-3-610001: NTP daemon interface interface_name : Packet denied from IP_address, which might look something like the following in ECS 1.0:

{
  ...
  "message": "000045: %ASA-3-610001: NTP daemon interface interface_name : Packet denied from IP_address",
  "event": {
    "action": "denied",
    "category": "firewall",
    "id": "610001",
    "severity": 3,
    "level": "ERROR",
    "sequence": 45,
    "version": "1.0.0"
  }
  ...
}
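The following is an added example, not code from the ECS project or from the issue thread. It shows how the proposed fields would be populated from the ASA-style syslog line used above, and how event.sequence lets a consumer detect missing events and order them independently of receipt time. Assumptions: the log lines are constructed for the example, the ASA severity digit is mapped to the lowercase event.level words listed later in the thread using the standard syslog severity scale (0 emergencies through 7 debugging), and the function and regex names are the example's own.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Matches the syslog-style Cisco ASA line format quoted in the issue (constructed sample):
#   "000045: %ASA-3-610001: NTP daemon interface outside : Packet denied from 10.0.0.5"
ASA_RE = re.compile(
    r"^(?P<seq>\d+):\s+%ASA-(?P<severity>\d)-(?P<msgid>\d{6}):\s+(?P<text>.*)$"
)

# Cisco ASA severity digits follow the syslog scale (0 = emergencies ... 7 = debugging).
# The level names are the candidate event.level vocabulary from the thread; the mapping
# itself is an assumption for this example, not something the ECS spec defines.
ASA_SEVERITY_TO_LEVEL = {
    0: "emergency", 1: "alert", 2: "critical", 3: "error",
    4: "warning", 5: "notice", 6: "informational", 7: "debug",
}

# Constructed sample: sequence numbers arrive out of order and one (48, 49) is missing.
SAMPLE_LINES = [
    "000045: %ASA-3-610001: NTP daemon interface outside : Packet denied from 10.0.0.5",
    "000047: %ASA-3-610001: NTP daemon interface outside : Packet denied from 10.0.0.6",
    "000046: %ASA-6-302013: Built outbound TCP connection 1 for outside:10.0.0.7/443",
    "000050: %ASA-4-106023: Deny tcp src outside:10.0.0.8/5555 dst inside:10.0.1.2/22",
]


def parse_asa(line: str) -> Optional[dict]:
    """Turn one ASA log line into an ECS-style document carrying the proposed fields.

    event.id holds the vendor message code (the second reading of event.id in the issue),
    event.severity the raw numeric severity, event.level its human-readable companion,
    and event.sequence the emitter's own counter.
    """
    m = ASA_RE.match(line)
    if not m:
        return None
    severity = int(m.group("severity"))
    return {
        "message": line,
        "event": {
            "id": m.group("msgid"),
            "severity": severity,
            "level": ASA_SEVERITY_TO_LEVEL.get(severity, "unknown"),
            "sequence": int(m.group("seq")),
        },
    }


def parse_all(lines: Iterable[str] = SAMPLE_LINES) -> List[dict]:
    """Parse every line that matches, silently dropping lines that do not."""
    docs = (parse_asa(line) for line in lines)
    return [d for d in docs if d is not None]


def order_by_sequence(events: Iterable[dict]) -> List[dict]:
    """Order events by event.sequence rather than by the time they were received.

    Events without event.sequence (e.g. from sources that do not emit one) are kept
    but sorted last, so a mixed batch does not raise.
    """
    return sorted(events, key=lambda e: e["event"].get("sequence", float("inf")))


def find_sequence_gaps(events: Iterable[dict]) -> List[Tuple[int, int]]:
    """Return (first_missing, next_seen) pairs wherever event.sequence skips values.

    The check runs over the sorted sequence numbers, so the arrival order of the
    events does not matter; each gap reports the first missing number and the
    number at which the stream resumes.
    """
    seqs = sorted(
        e["event"]["sequence"] for e in events if "sequence" in e["event"]
    )
    gaps = []
    for prev, cur in zip(seqs, seqs[1:]):
        if cur > prev + 1:
            gaps.append((prev + 1, cur))
    return gaps


if __name__ == "__main__":
    events = parse_all()
    for e in order_by_sequence(events):
        print(e["event"]["sequence"], e["event"]["level"], e["event"]["id"])
    print("gaps:", find_sequence_gaps(events))
```

Run on the constructed sample, the ordering step yields sequences 45, 46, 47, 50 and the gap check reports one gap, (48, 50): two events were lost between 47 and 50, something a receipt-time ordering of UDP syslog could not reveal.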

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Reactions: 2
  • Comments: 14 (9 by maintainers)

Top GitHub Comments

2 reactions
webmat commented, Oct 5, 2018

For now I would start with only guidance on how to normalize event.level.

I would also be very careful to not map words from one to another. I would rather add PG’s “panic” than map it to “emergency”.

I would hold off for now on assigning a numeric value. Here are two reasons that come to mind:

  • Some products may rank the same words in a different order (product X: alert > critical vs product Y: critical > alert)
  • If we add levels we had missed, our severity mapping will have to change
    • or we insert a severity in between existing numeric values: once at 45, then at 42, like in the good old days of numbered code lines 😃

I’m thinking this mapping to numeric could very well be useful, but for now I would leave it out of the spec. Organizations are free to attempt this, see they derive value out of this normalization, and report back their findings.

Most up to date list, now including “panic”:

  • panic
  • emergency
  • fatal
  • alert
  • critical
  • error
  • warning
  • notice
  • informational
  • debug
  • trace
  • verbose
  • unknown

1 reaction
dcode commented, Oct 10, 2018

I think we should leave event.severity as a distinct value that is orthogonal to the use of the proposed event.level. I’m coming at this from a security perspective, where the severity may be ranked on a scale of 1 to 3 (in the case of Suricata/Snort alerts where 1 is the most severe) or 1 to 10 as a float with regards to something like CVSS vulnerability scores (where 10 is the most severe).

I think severity in particular is likely a very use-case specific thing.
