Normalization - field names

tmacgbay · September 14, 2021, 3:42pm

I was going to write up a snippet on field names we should consider normalizing between different inputs as you get into Graylog and post it under miscellaneous of Templates and Rule Exchange rather than having others add after I forgot a few there - posting to the wild so you can add in reply here and I will coalesce for post into TRE in a couple of days. Initial field names to normalize below (feel free to suggest better fieldnames and/or explanation of why)

src_ip
dst_ip
target_host
target_user
error_text

gsmith · September 14, 2021, 10:39pm

I personally think those are good, but how about adding to your list?

Example:
src_port
dst_port

shoothub · September 20, 2021, 8:09am

Or maybe follow Graylog Information Model Schema?
https://schema.graylog.org/en/stable/index.html

tmacgbay · September 20, 2021, 12:38pm

Well… yes… That is a much better list @shoothub… I must have missed that somewhere while I spent minutes pouring through documentation…

I will post it up now - not much more to add! haha!

system · October 4, 2021, 12:39pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
On start: field standards and normalization Miscellaneous	0	614	September 20, 2021
I dont find src_ip in message body and also how to create separate field for the same? New to Graylog Community? READ-ME FIRST Guides	1	280	March 21, 2023
Source field show is number id. not show hostname Graylog Central (peer support)	1	322	January 6, 2021
Fields shown in JSON extractor preview missing in processed messages Graylog Central (peer support)	2	1602	September 30, 2017
I have some questions about default field 'source' Graylog Central (peer support) pipeline-rules	5	4324	April 24, 2017

Normalization - field names

Related Topics