Event

An `Event` is the runtime representation of an item being processed by crowdsec. It can be:

- a log line being parsed
- an overflow being reprocessed

The `Event` object is modified by parsers, scenarios, and directly via user statics expressions (for example).

The representation of the object can be found here:
LOG relevant fields

- `Type` is `types.LOG`
- `Whitelisted`: if `true`, the LOG or OVFLW will be dropped
- `Line`: representation of the raw line
  - `Raw`: the raw line representation
  - `Src`: a label for the source
  - `Time`: acquisition timestamp
  - `Labels`: the static labels (from `acquis.yaml`) associated to the source
  - `Process`: if set to `false`, processing of the line will stop
- `Parsed`: a `map[string]string` that can be used during parsing and enrichment. This is where GROK patterns will output their captures by default
- `Enriched`: a `map[string]string` that can be used during parsing and enrichment. This is where enrichment functions will output their captures by default
- `Meta`: a `map[string]string` that can be used to store important information about a log. This map is serialized into the DB when the event is stored
- `Overflow`: representation of an Overflow if `Type` is set to `OVFLW`
- `Time`: processing timestamp
- `StrTime`: string representation of the log timestamp. Can be set by parsers that capture the timestamp in logs. Will be automatically processed by `crowdsecurity/dateparse-enrich` when processing logs in forensic mode to set `MarshaledTime`
- `MarshaledTime`: if non-empty, the event's timestamp that will be used when processing buckets (for forensic mode)
OVERFLOW relevant fields

- `Type` is `types.OVFLW`
- `Whitelisted`: if `true`, the LOG or OVFLW will be dropped
- `Overflow`: representation of an Overflow if `Type` is set to `OVFLW`
- `Time`: processing timestamp
- `StrTime`: string representation of the log timestamp. Can be set by parsers that capture the timestamp in logs. Will be automatically processed by `crowdsecurity/dateparse-enrich` when processing logs in forensic mode to set `MarshaledTime`
- `MarshaledTime`: if non-empty, the event's timestamp that will be used when processing buckets (for forensic mode)
- `Overflow`:
  - `Whitelisted`: if `true`, the OVFLW will be dropped
  - `Reprocess`: if `true`, the OVFLW will be reprocessed (inference)
  - `Sources`: a `map[string]models.Source` representing the distinct sources that triggered the overflow, with their types and values. The key of the map is the IP address
  - `Alert` and `APIAlerts`: representation of the signals that will be sent to LAPI
Here is the full `evt.Overflow` object representation.

Source

Here is the representation of a `models.Source` object.
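To show how the LOG and OVERFLOW fields above interact over a run, here is an added example written for this page; it is not crowdsec's own code and its types are simplified stand-ins, not the real `types.Event` or `models.Source`. A regexp plays the role of a GROK parser filling `Parsed`, `Meta` and `StrTime`; `MarshaledTime` is then derived from `StrTime` the way the dateparse enricher would; an unmatched line sets `Line.Process` to `false`, a trusted address sets `Whitelisted`, and a threshold counter turns repeated events from one IP into an `OVFLW` event whose `Sources` map is keyed by that IP. The sshd log lines, the RFC 5737 addresses, the `ssh_failed-auth` label and the `Scope`/`Value` shape of `Source` are all constructed for the illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Simplified stand-ins for the documented Event fields: an illustration
// written for this page, not crowdsec's own types.
type EventType string

const LOG, OVFLW EventType = "LOG", "OVFLW"

type Line struct {
	Raw, Src string
	Process  bool // false stops further processing of the line
}
type Source struct{ Scope, Value string } // stand-in for models.Source
type Overflow struct {
	Whitelisted, Reprocess bool
	Sources                map[string]Source // keyed by source IP, as the page describes
}
type Event struct {
	Type          EventType
	Whitelisted   bool // true drops the LOG or OVFLW
	Line          Line
	Parsed        map[string]string // GROK-style captures
	Meta          map[string]string // persisted with the event
	Overflow      Overflow
	Time          time.Time // processing timestamp
	StrTime       string    // timestamp string captured from the log
	MarshaledTime string    // forensic-mode timestamp derived from StrTime
}

// Constructed sample lines; the IPs are RFC 5737 documentation addresses.
var SampleLines = []string{
	"Jan 10 12:00:01 host sshd[123]: Failed password for invalid user admin from 192.0.2.10 port 2222 ssh2",
	"Jan 10 12:00:02 host sshd[123]: Failed password for root from 192.0.2.10 port 2223 ssh2",
	"Jan 10 12:00:03 host sshd[123]: Accepted publickey for ops from 198.51.100.7 port 4000 ssh2",
	"Jan 10 12:00:04 host sshd[123]: Failed password for root from 203.0.113.5 port 2224 ssh2",
}

// A plain regexp plays the role of a GROK pattern for failed sshd logins.
var failedAuth = regexp.MustCompile(`^(\w{3} +\d+ \d{2}:\d{2}:\d{2}) .*sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)`)

// ParseSSH fills StrTime, Parsed and Meta; an unmatched line stops processing.
// MarshaledTime is then derived from StrTime, as the dateparse enricher would
// (syslog lines carry no year, so the caller supplies one).
func ParseSSH(evt *Event, year int) bool {
	m := failedAuth.FindStringSubmatch(evt.Line.Raw)
	if m == nil {
		evt.Line.Process = false
		return false
	}
	evt.StrTime, evt.Parsed["user"], evt.Parsed["source_ip"] = m[1], m[2], m[3]
	evt.Meta["source_ip"], evt.Meta["log_type"] = m[3], "ssh_failed-auth"
	if t, err := time.Parse("2006 Jan _2 15:04:05", fmt.Sprintf("%d %s", year, evt.StrTime)); err == nil {
		evt.MarshaledTime = t.UTC().Format(time.RFC3339)
	}
	return true
}

// ProcessLines wraps each line in a LOG event, parses it, applies an IP
// whitelist and keeps only events still flagged for processing and not whitelisted.
func ProcessLines(lines []string, trusted map[string]bool, year int) []Event {
	var kept []Event
	for _, raw := range lines {
		evt := Event{Type: LOG, Line: Line{Raw: raw, Src: "sshd", Process: true}, Time: time.Now(),
			Parsed: map[string]string{}, Meta: map[string]string{}}
		if !ParseSSH(&evt, year) {
			continue // Line.Process is false: nothing further runs on this line
		}
		evt.Whitelisted = trusted[evt.Meta["source_ip"]]
		if !evt.Whitelisted { // whitelisted events are dropped
			kept = append(kept, evt)
		}
	}
	return kept
}

// BuildOverflows counts events per source IP in arrival order and emits one
// OVFLW event the moment an IP reaches the threshold, Sources keyed by that IP.
func BuildOverflows(events []Event, threshold int) []Event {
	counts, out := map[string]int{}, []Event{}
	for _, e := range events {
		ip := e.Meta["source_ip"]
		if counts[ip]++; counts[ip] == threshold {
			out = append(out, Event{Type: OVFLW, Time: time.Now(), Overflow: Overflow{
				Reprocess: true, // feed the overflow back through the parsers (inference)
				Sources:   map[string]Source{ip: {Scope: "Ip", Value: ip}},
			}})
		}
	}
	return out
}

func main() {
	logs := ProcessLines(SampleLines, map[string]bool{"203.0.113.5": true}, 2024)
	fmt.Printf("%d log events kept, %d overflow(s)\n", len(logs), len(BuildOverflows(logs, 2)))
}
```

Of the four constructed lines, the `Accepted publickey` line does not match the parser and stops at `Line.Process = false`, the failure from the trusted address is dropped through `Whitelisted`, and the two failures from `192.0.2.10` reach the threshold of 2 and produce a single `OVFLW` event with `Reprocess` set, so it would be handed back to the parsers as the page describes.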