TALES event attributes
The following table lists available event attributes.
| Attribute | Description |
|---|---|
| agent | Collector name from which the event came (such as zensyslog or zentrap). |
| component | Component of the associated device, if applicable. (Examples: eth0, httpd.) |
| count | Number of times this event has been seen. |
| dedupid | Key used to correlate duplicate events. By default, this is: device, component, eventClass, eventKey, severity. |
| device | ID of the associated device, if applicable. |
| DeviceClass | Device class from device context. |
| DeviceGroups | Device systems from device context, separated by \|. |
| eventClass | Event class associated with this device. If not specified, it may be added by the rule process. If that fails, the event class is /Unknown. |
| eventClassKey | Key by which rules processing begins. Often equal to component. |
| eventGroup | Logical group of event source (such as syslog, ping, or nteventlog). |
| eventKey | Primary criteria for mapping events into event classes. Use if a component needs further de-duplication specification. |
| eventState | State of event. 0 = new, 1 = acknowledged, 2 = suppressed. |
| evid | Unique ID for the event. |
| facility | syslog facility, if this is a syslog event. |
| firstTime | UNIX timestamp when event is received. |
| ipAddress | IP address of the associated device, if applicable. |
| lastTime | Last time this event was seen and its count incremented. |
| Location | Device location from device context. |
| message | Full message text. |
| monitor | Collector name from which this event came. Note: It is not the FQDN. |
| ntevid | NT event ID, if this is an NT event log event. |
| priority | syslog priority, if this is a syslog event. |
| prodState | prodState of the device context. |
| severity | The event severity level. |
| severityString | The severity of the event expressed as a string (Clear, Debug, Info, Warning, Error, or Critical). |
| stateChange | Time the MySQL record for this event was last modified. |
| summary | Text description of the event. Limited to 255 characters. |
| suppid | ID of the event that suppressed this event. |
| Systems | Device systems from device context, separated by \|. |
Configuration properties and custom properties also are available for devices, and use the same syntax as shown in the previous sections.