Logger
logger
The Logger object represents the device and product where events are stored with times for receipt and transmission. This may be at the source device where the event occurred, a remote scanning device, intermediate hops, or the ultimate destination.
Attributes
| Caption | Name | Type | Description |
|---|---|---|---|
| Device | device | Device[] | Entity: |
| Event UID | event_uid | String | The unique identifier of the event assigned by the logger. |
| Is Truncated | is_truncated | Boolean | Indicates whether the OCSF event data has been truncated due to size limitations. When true, some event data may have been omitted to fit within system constraints. |
| Log Level | log_level | String | The audit level at which an event was generated. |
| Log Name | log_name | String | The event log name. For example, syslog file name or Windows logging subsystem: Security. |
| Log Provider | log_provider | String | The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing. |
| Log Version | log_version | String | The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version. |
| Logged Time | logged_time | Timestamp | The time when the logging system collected and logged the event.This attribute is distinct from the event time in that event time typically contain the time extracted from the original event. Most of the time, these two times will be different. |
| Name | name | String | The name of the logging product instance. |
| Product | product | Product[] | The product logging the event. This may be the event source product, a management server product, a scanning product, a SIEM, etc. |
| Raw Data | raw_data | JSON | Group: |
| Record ID | record_id | String | Group: |
| Transmission Time | transmit_time | Timestamp | The time when the event was transmitted from the logging device to it's next destination. |
| Unique ID | uid | String | The unique identifier of the logging product instance. |
| Unmapped | unmapped | Unmapped[] | Data from the source that was not mapped into the schema. |
| Untruncated Size | untruncated_size | Integer | The original size of the OCSF event data in kilobytes before any truncation occurred. This field is typically populated when is_truncated is true to indicate the full size of the original event. |
| Version | version | String | The version of the logging product. |
Relationships
Inbound Relationships
These objects and events reference Logger in their attributes:
Outbound Relationships
Logger references the following objects and events in its attributes:
This page describes qdm-1.5.1+ocsf-1.6.0
Updated 15 days ago