NXLog Docs

Fields

All event log messages have one thing in common: they contain important data such as user names, IP addresses and application names. An event can therefore be represented as a list of key-value pairs, each of which we call a "field". The name of the field is the key and the field data is the value. In other terminology this metadata is sometimes referred to as an event property or message tag.

As NX-Log4ensics and NXLog operate on the set of fields belonging to a log message, it is important to manage these as well. Fields in NX-Log4ensics are typed, which allows complex operations and efficient storage of event log data. All of the major components depend on fields, and they are used in various places in Log4ensics, including Patterns, Correlation and Agent Configuration.

Log4ensics comes with a set of predefined fields which should be enough for the general cases but can be extended to suit custom requirements.

To list the available fields, click on the Fields menu item under the PATTERN menu. A list similar to the following should appear:

Listing fields

The field properties will be explained shortly as we look at creating and modifying fields. To do this, click on Create or Edit under the field list.

Creating a field

The field properties are as follows:

Name

The name of the field is used to refer to it from various places in Log4ensics and NXLog.

Type

The following types can be chosen for a field:

  • STRING

  • INTEGER

  • BINARY

  • DATETIME

  • IPV4ADDR

  • IPV6ADDR

  • BOOLEAN

Persist

If this option is not enabled, field values are only available to the NXLog agent, for correlation and pattern matching. Fields should be persisted if their information is needed by other functions.

Lookup

This is a special property that only takes effect when the field is persistent and of string type. Enable the lookup property for fields whose values are highly repetitive, such as user names, enumerations and hostnames. This lets the storage engine map each value to an integer, which yields significant compression and a performance boost.

Description

The description is only used for information about the field.

The field list is kept in the configuration database.
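As an added illustration of how the Type, Persist and Lookup properties interact (example code written for this page, not Log4ensics' or NXLog's own implementation), the Python sketch below validates every value against its declared type, keeps only persisted fields in storage and maps a repetitive lookup string to a small integer id. The schema, field names and events are constructed for the example.

```python
import ipaddress
from collections import namedtuple
from datetime import datetime

# A field definition mirroring the properties above (hypothetical, not Log4ensics' own code).
Field = namedtuple("Field", "name type persist lookup", defaults=(False, False))

def coerce(ftype, raw):      # convert raw input to one of the seven types; ValueError if malformed
    if ftype == "STRING":   return str(raw)
    if ftype == "INTEGER":  return int(raw)
    if ftype == "BOOLEAN":  return str(raw).lower() in ("1", "true", "yes")
    if ftype == "DATETIME": return datetime.fromisoformat(raw)
    if ftype == "IPV4ADDR": return ipaddress.IPv4Address(raw)
    if ftype == "IPV6ADDR": return ipaddress.IPv6Address(raw)
    if ftype == "BINARY":   return raw if isinstance(raw, bytes) else str(raw).encode()
    raise ValueError(f"unknown field type {ftype}")

class Store:                 # toy storage engine: persisted fields only, lookup strings encoded
    def __init__(self, schema):
        self.schema = {f.name: f for f in schema}
        # Lookup only takes effect on persisted STRING fields, as the Lookup section states.
        self.dicts = {f.name: {} for f in schema if f.persist and f.lookup and f.type == "STRING"}
        self.rows = []
    def store(self, event):
        row = {}
        for name, raw in event.items():
            f = self.schema[name]            # KeyError for a field that was never defined
            value = coerce(f.type, raw)      # every field is validated against its type
            if not f.persist:
                continue                     # agent-only field: used for matching, not stored
            if name in self.dicts:           # replace a repetitive string with a small integer id
                value = self.dicts[name].setdefault(value, len(self.dicts[name]))
            row[name] = value
        self.rows.append(row)
        return row

SCHEMA = [Field("User", "STRING", persist=True, lookup=True),  # constructed, not a real schema
          Field("SrcIP", "IPV4ADDR", persist=True),
          Field("Time", "DATETIME", persist=True),
          Field("Pattern", "STRING")]                          # correlation only, never persisted
EVENTS = [{"User": "alice", "SrcIP": "10.0.0.5", "Time": "2024-03-01T08:00:00", "Pattern": "login"},
          {"User": "bob",   "SrcIP": "10.0.0.6", "Time": "2024-03-01T08:00:05", "Pattern": "login"},
          {"User": "alice", "SrcIP": "10.0.0.5", "Time": "2024-03-01T08:00:09", "Pattern": "logout"}]

def ingest(events=EVENTS):   # returns the Store so rows and lookup dictionaries can be inspected
    store = Store(SCHEMA)
    for event in events:
        store.store(event)
    return store
```

After `ingest()`, the stored rows hold `0, 1, 0` for the User field with the dictionary `{"alice": 0, "bob": 1}`, Pattern never reaches storage, and a malformed address such as `999.0.0.1` is rejected before anything is written.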