# Licensed to Elasticsearch B.V. under one or more contributor
# license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright
# ownership. Elasticsearch B.V. licenses this file to you under
# the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# 	http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
---
- name: log
  title: Log
  group: 2
  short: Details about the event's logging mechanism.
  description: >
    Details about the event's logging mechanism or logging transport.

    The log.* fields are typically populated with details about the logging
    mechanism used to create and/or transport the event.
    For example, syslog details belong under `log.syslog.*`.

    The details specific to your event source are typically not logged under `log.*`,
    but rather in `event.*` or in other ECS fields.
  type: group
  fields:

    - name: level
      level: core
      type: keyword
      short: Log level of the log event.
      description: >
        Original log level of the log event.

        If the source of the event provides a log level or textual severity,
        this is the one that goes in `log.level`. If your source doesn't specify
        one, you may put your event transport's severity here (e.g. Syslog severity).

        Some examples are `warn`, `err`, `i`, `informational`.
      example: error

    - name: file.path
      level: extended
      type: keyword
      short: Full path to the log file this event came from.
      description: >
        Full path to the log file this event came from, including the file name.
        It should include the drive letter, when appropriate.

        If the event wasn't read from a log file, do not populate this field.
      example: "/var/log/fun-times.log"

    - name: logger
      level: core
      type: keyword
      example: org.elasticsearch.bootstrap.Bootstrap
      short: Name of the logger.
      description: >
        The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.

    - name: origin.file.name
      level: extended
      type: keyword
      example: Bootstrap.java
      short: The code file which originated the log event.
      description: >
        The name of the file containing the source code which originated the log event.

        Note that this field is not meant to capture the log file.
        The correct field to capture the log file is `log.file.path`.

    - name: origin.file.line
      level: extended
      type: long
      example: 42
      short: The line number of the file which originated the log event.
      description: >
        The line number of the file containing the source code which originated the log event.

    - name: origin.function
      level: extended
      type: keyword
      example: init
      short: The function which originated the log event.
      description: >
        The name of the function or method which originated the log event.


    - name: syslog
      level: extended
      type: object
      short: Syslog metadata
      description: >
        The Syslog metadata of the event, if the event was transmitted via Syslog.
        Please see RFCs 5424 or 3164.

    - name: syslog.severity.code
      level: extended
      type: long
      example: 3
      short: Syslog numeric severity of the event.
      description: >
        The Syslog numeric severity of the log event, if available.

        If the event source publishing via Syslog provides a different numeric severity
        value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`.
        If the event source does not specify a distinct severity,
        you can optionally copy the Syslog severity to `event.severity`.

    - name: syslog.severity.name
      level: extended
      type: keyword
      example: Error
      short: Syslog text-based severity of the event.
      description: >
        The Syslog numeric severity of the log event, if available.

        If the event source publishing via Syslog provides a different severity
        value (e.g. firewall, IDS), your source's text severity should go to `log.level`.
        If the event source does not specify a distinct severity,
        you can optionally copy the Syslog severity to `log.level`.

    - name: syslog.facility.code
      format: string
      level: extended
      type: long
      example: 23
      short: Syslog numeric facility of the event.
      description: >
        The Syslog numeric facility of the log event, if available.

        According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.

    - name: syslog.facility.name
      level: extended
      type: keyword
      example: local7
      short: Syslog text-based facility of the event.
      description: >
        The Syslog text-based facility of the log event, if available.

    - name: syslog.priority
      format: string
      level: extended
      type: long
      example: 135
      short: Syslog priority of the event.
      description: >
        Syslog numeric priority of the event, if available.

        According to RFCs 5424 and 3164, the priority is 8 * facility + severity.
        This number is therefore expected to contain a value between 0 and 191.

    - name: syslog.version
      level: extended
      type: keyword
      example: 1
      short: Syslog protocol version.
      description: >
        The version of the Syslog protocol specification. Only applicable for RFC 5424 messages.

    - name: syslog.hostname
      level: extended
      type: keyword
      example: example-host
      short: The host that originated the Syslog message.
      description: >
        The hostname, FQDN, or IP of the machine that originally sent the Syslog
        message. This is sourced from the hostname field of the syslog header.
        Depending on the environment, this value may be different from the host
        that handled the event, especially if the host handling the events is acting
        as a collector.

    - name: syslog.appname
      level: extended
      type: keyword
      example: sshd
      short: The device or application that originated the Syslog message.
      description: >
        The device or application that originated the Syslog message, if available.

    - name: syslog.procid
      level: extended
      type: keyword
      example: 12345
      short: The process name or ID that originated the Syslog message.
      description: >
        The process name or ID that originated the Syslog message, if available.

    - name: syslog.msgid
      level: extended
      type: keyword
      example: ID47
      short: An identifier for the type of Syslog message.
      description: >
        An identifier for the type of Syslog message, if available. Only applicable for RFC 5424 messages.

    - name: syslog.structured_data
      level: extended
      type: flattened
      short: Structured data expressed in RFC 5424 messages.
      description: >
        Structured data expressed in RFC 5424 messages, if available. These are
        key-value pairs formed from the structured data portion of the syslog
        message, as defined in RFC 5424 Section 6.3.