dedupid | events will deduplicate based on the value of this field. by default: device, component, eventClass, eventKey, severity |
device | name of device |
component | name of component (like eth0, httpd, etc) |
eclass | eventClass (if not specified maybe added by rule process if this fails will be /Unknown) |
eventKey | if a component needs further deduplication specification this field maybe used |
summary | message text truncated at 150 characters |
message | full message text |
severity | number from 0 to 5 |
eventState | state of event 0 = new, 1 = acknowledged, 2 = suppressed |
eventClassKey | key by which rules processing begins. Often equal to component. |
eventGroup | logical group of event source (syslog, ping, nteventlog etc) |
stateChange | last time event changed automatically updated |
firstTime | unix timestamp when event is received. |
lastTime | last time an event was received |
count | number of times an event has repeated |
prodState | prodState of the device context |
suppid | id of event that suppressed this event |
manager | fqdn of the collector from which this event came |
agent | collector name from which event came (zensyslog, zentrap, etc) |
DeviceClass | device class from device context |
Location | device location from device context |
Systems | device systems from device context separated by | |
DeviceGroups | device systems from device context separated by | |
ipAddress | ip from which event came |
facility | syslog facility of this is syslog event |
priority | syslog priority of this is syslog event |
ntevid | nt event id if this is nt eventlog event. |