File: /usr/share/nxlog-ce/im_msvistalog-fields.xml
<fields>
<module>im_msvistalog</module>
<field>
<name>raw_event</name>
<type>string</type>
<persist>FALSE</persist>
<description>
<en>
A string containing the EventTime, Hostname, Severity,
EventID, and Message from the event.
</en>
</description>
</field>
<field>
<name>Message</name>
<type>string</type>
<persist>FALSE</persist>
<lookup>FALSE</lookup>
<description>
<en>
The message from the event.
</en>
</description>
</field>
<field>
<name>EventTime</name>
<type>datetime</type>
<persist>TRUE</persist>
<description>
<en>
The time the event was created, taken from the EvtSystemTimeCreated field.
</en>
</description>
</field>
<field>
<name>Hostname</name>
<type>string</type>
<persist>TRUE</persist>
<lookup>TRUE</lookup>
<description>
<en>
The name of the computer that logged the event, taken from the EvtSystemComputer field.
</en>
</description>
</field>
<field>
<name>SourceName</name>
<type>string</type>
<persist>TRUE</persist>
<description>
<en>
The event source which produced the event, from the
EvtSystemProviderName field.
</en>
</description>
</field>
<field>
<name>EventID</name>
<type>integer</type>
<persist>TRUE</persist>
<description>
<en>
The event ID (specific to the event source) from the EvtSystemEventID
field.
</en>
</description>
</field>
<field>
<name>Task</name>
<type>integer</type>
<persist>FALSE</persist>
<description>
<en>
The task number from the EvtSystemTask field.
</en>
</description>
</field>
<field>
<name>Category</name>
<type>string</type>
<persist>TRUE</persist>
<description>
<en>
The category name resolved from Task.
</en>
</description>
</field>
<field>
<name>Keywords</name>
<type>integer</type>
<persist>FALSE</persist>
<description>
<en>
The value of the Keywords field from EvtSystemKeywords.
</en>
</description>
</field>
<field>
<name>Channel</name>
<type>string</type>
<persist>TRUE</persist>
<lookup>TRUE</lookup>
<description>
<en>
The Channel of the event source (for example, `Security` or
`Application`).
</en>
</description>
</field>
<field>
<name>AccountName</name>
<type>string</type>
<persist>TRUE</persist>
<lookup>TRUE</lookup>
<description>
<en>
The username associated with the event.
</en>
</description>
</field>
<field>
<name>AccountType</name>
<type>string</type>
<persist>TRUE</persist>
<lookup>TRUE</lookup>
<description>
<en>
The type of the account. Possible values are: `User`, `Group`,
`Domain`, `Alias`, `Well Known Group`, `Deleted Account`,
`Invalid`, `Unknown`, and `Computer`.
</en>
</description>
</field>
<field>
<name>Domain</name>
<type>string</type>
<persist>TRUE</persist>
<lookup>TRUE</lookup>
<description>
<en>
The domain name of the user.
</en>
</description>
</field>
<field>
<name>UserID</name>
<type>string</type>
<persist>FALSE</persist>
<lookup>TRUE</lookup>
<description>
<en>
The Security Identifier (SID) of the account, as stored in
EvtSystemUserID, which resolves to
<<im_msvistalog_field_AccountName,$AccountName>>.
</en>
</description>
</field>
<field>
<name>SeverityValue</name>
<type>integer</type>
<persist>TRUE</persist>
<description>
<en>
The normalized severity number of the event, mapped as follows.
[cols="2", options="header,autowidth"]
|===
|Event Log Severity
|Normalized Severity
|0/Audit Success
|2/INFO
|0/Audit Failure
|4/ERROR
|1/Critical
|5/CRITICAL
|2/Error
|4/ERROR
|3/Warning
|3/WARNING
|4/Information
|2/INFO
|5/Verbose
|1/DEBUG
|===

Note that Audit Success and Audit Failure both arrive with Level 0, so the Level value alone cannot tell them apart; the distinction comes from the event's Keywords.
</en>
</description>
</field>
<field>
<name>Severity</name>
<type>string</type>
<persist>TRUE</persist>
<description>
<en>
The normalized severity name of the event. See
<<im_msvistalog_field_SeverityValue,$SeverityValue>>.
</en>
</description>
</field>
<field>
<name>EventType</name>
<type>string</type>
<persist>TRUE</persist>
<lookup>TRUE</lookup>
<description>
<en>
The type of the event, which is a string describing the
severity. This is translated to its string representation from
EvtSystemLevel. Possible values are: `CRITICAL`, `ERROR`,
`AUDIT_FAILURE`, `AUDIT_SUCCESS`, `INFO`, `WARNING`, and
`VERBOSE`.
</en>
</description>
</field>
<field>
<name>ProviderGuid</name>
<type>string</type>
<persist>FALSE</persist>
<lookup>TRUE</lookup>
<description>
<en>
The globally unique identifier of the event's provider as stored in
EvtSystemProviderGuid. This corresponds to the name of the provider in
the <<im_msvistalog_field_SourceName,$SourceName>> field.
</en>
</description>
</field>
<field>
<name>Version</name>
<type>integer</type>
<persist>FALSE</persist>
<description>
<en>
The Version number of the event as in EvtSystemVersion.
</en>
</description>
</field>
<field>
<name>OpcodeValue</name>
<type>integer</type>
<persist>FALSE</persist>
<description>
<en>
The Opcode number of the event as in EvtSystemOpcode.
</en>
</description>
</field>
<field>
<name>Opcode</name>
<type>string</type>
<persist>TRUE</persist>
<description>
<en>
The Opcode string resolved from OpcodeValue.
</en>
</description>
</field>
<field>
<name>ActivityID</name>
<type>string</type>
<persist>FALSE</persist>
<lookup>TRUE</lookup>
<description>
<en>
A globally unique identifier for the current activity, as stored in
EvtSystemActivityID.
</en>
</description>
</field>
<field>
<name>RelatedActivityID</name>
<type>string</type>
<persist>FALSE</persist>
<lookup>TRUE</lookup>
<description>
<en>
The RelatedActivityID as stored in EvtSystemRelatedActivityID.
</en>
</description>
</field>
<field>
<name>ProcessID</name>
<type>integer</type>
<persist>FALSE</persist>
<description>
<en>
The process identifier of the event producer as in
EvtSystemProcessID.
</en>
</description>
</field>
<field>
<name>ThreadID</name>
<type>integer</type>
<persist>FALSE</persist>
<description>
<en>
The thread identifier of the event producer as in
EvtSystemThreadID.
</en>
</description>
</field>
<field>
<name>RecordNumber</name>
<type>integer</type>
<persist>FALSE</persist>
<description>
<en>
The number of the event record.
</en>
</description>
</field>
</fields>