Please update the schema table in the page Content/Schema/Message Categories/Graylog Message Categories.htm with the contents of the included CSV file, which is the GIM event type code table.
This should be incorporated into the current version (5.2) of the documentation.
Here is the CSV content:
"gim_event_type_code","gim_event_class","gim_event_category","gim_event_subcategory","gim_event_type" 000000,"","message","message.log_message","message" 100000,"","authentication","authentication.logon","logon" 100003,"","authentication","authentication.logon","logon with alternate credentials" 100004,"","authentication","authentication.logon","session reconnect" 100500,"","authentication","authentication.credential validation","credential validation" 100501,"","authentication","authentication.credential validation","error" 100502,"","authentication","authentication.credential validation","mfa" 100503,"","authentication","authentication.credential validation","sms_send_message" 100504,"","authentication","authentication.credential validation","voice_call" 101000,"","authentication","authentication.access notice","special logon" 101001,"","authentication","authentication.access notice","error" 101500,"","authentication","authentication.access policy","access policy violation" 101501,"","authentication","authentication.access policy","device policy violation" 101502,"","authentication","authentication.access policy","account policy violation" 102000,"","authentication","authentication.kerberos request","service ticket renewed" 102001,"","authentication","authentication.kerberos request","service ticket requested" 102002,"","authentication","authentication.kerberos request","tgt request" 102003,"","authentication","authentication.kerberos request","error" 102500,"","authentication","authentication.logoff","logoff" 102501,"","authentication","authentication.logoff","session disconnect" 109999,"","authentication","authentication.default","authentication message" 110000,"","iam","iam.object create","account created" 110001,"","iam","iam.object create","error" 110002,"","iam","iam.object create","group created" 110500,"","iam","iam.object delete","account deleted" 110501,"","iam","iam.object delete","group deleted" 111000,"","iam","iam.object modify","account modified" 
111001,"","iam","iam.object modify","privileges assigned" 111002,"","iam","iam.object modify","privileges removed" 111003,"","iam","iam.object modify","account renamed" 111004,"","iam","iam.object modify","password change" 111005,"","iam","iam.object modify","administrative password reset" 111006,"","iam","iam.object modify","error" 111007,"","iam","iam.object modify","group member added" 111008,"","iam","iam.object modify","group member removed" 111009,"","iam","iam.object modify","group properties modified" 111500,"","iam","iam.object disable","account locked" 111501,"","iam","iam.object disable","account disabled" 112000,"","iam","iam.object enable","account unlocked" 112001,"","iam","iam.object enable","account enabled" 112002,"","iam","iam.object enable","error" 119500,"","iam","iam.information","group membership enumerated" 119999,"","iam","iam.default","iam message" 120000,"","network","network.network connection","network connection" 120100,"","network","network.routing","network routing" 120200,"","network","network.open","network connection initiated" 120300,"","network","network.close","network connection ended" 120500,"","network","network.flow","flow record" 120600,"","network","network.icmp_request","icmp_request" 120700,"","network","network.icmp_reply","icmp_reply" 129999,"","network","network.default","network message" 130000,"","messaging","messaging.email","email sent" 130500,"","messaging","messaging.email","email blocked" 131000,"","messaging","messaging.email","email rejected" 131500,"","messaging","messaging.email","email quarantined" 132000,"","messaging","messaging.email","email deleted" 139999,"","messaging","messaging.default","message" 140000,"protocol","name resolution","name resolution.dns request","dns query" 140200,"protocol","name resolution","name resolution.dns answer","dns response" 140300,"protocol","name resolution","name resolution.error","dns error" 140500,"protocol","name resolution","name resolution.ddns update","ddns 
update" 149999,"protocol","name resolution","name resolution.default","dns message" 150000,"","database","database.query","database query" 150500,"","database","database.update","update rows" 151000,"","database","database.add","insert rows" 151001,"","database","database.add","add table" 151002,"","database","database.add","create database" 151500,"","database","database.delete","delete rows" 151501,"","database","database.delete","drop table" 151502,"","database","database.delete","drop database" 159999,"","database","database.default","database message" 170000,"","alert","alert.network alert","ids alert" 170001,"","alert","alert.network alert","network alert" 170002,"","alert","alert.network alert","network dlp alert" 171000,"","alert","alert.host alert","malware alert" 171001,"","alert","alert.host alert","host dlp alert" 171002,"","alert","alert.host alert","hips alert" 171003,"","alert","alert.host alert","fim alert" 179999,"","alert","alert.default","alert message" 180000,"protocol","http","http.default","http message" 180100,"protocol","http","http.request","http request" 180200,"protocol","http","http.communication","http communication" 180300,"protocol","http","http.proxied","http proxied communication" 190000,"endpoint","process","process.execute","process started" 190100,"endpoint","process","process.end","process stopped" 190500,"endpoint","process","process.interaction","process accessed" 190501,"endpoint","process","process.interaction","remote thread created" 191000,"endpoint","process","process.action","process altered" 191001,"endpoint","process","process.action","image loaded" 199990,"endpoint","process","process.default","process message" 200000,"endpoint","file","file.create","file created" 200100,"endpoint","file","file.delete","file deleted" 201000,"endpoint","file","file.modify","file modified" 201001,"endpoint","file","file.modify","file timestamp modified" 201002,"endpoint","file","file.modify","file stream created" 
201500,"endpoint","file","file.access","file accessed" 201501,"endpoint","file","file.access","raw file access" 202000,"endpoint","file","file.integrity","file signature invalid" 202001,"endpoint","file","file.integrity","file integrity notice" 209999,"endpoint","file","file.default","file event" 210000,"endpoint","service","service.start","service started" 210100,"endpoint","service","service.stop","service stopped" 211000,"endpoint","service","service.configuration","service configuration change" 211500,"endpoint","service","service.state","service installed" 211501,"endpoint","service","service.state","service removed" 211502,"endpoint","service","service.state","service enabled" 211503,"endpoint","service","service.state","service disabled" 211504,"endpoint","service","service.state","service error" 219999,"endpoint","service","service.default","service event" 220000,"endpoint","audit","audit.integrity","audit log cleared" 220100,"endpoint","audit","audit.state","audit service started" 220101,"endpoint","audit","audit.state","audit service stopped" 220102,"endpoint","audit","audit.state","audit error" 220500,"endpoint","audit","audit.policy","audit policy changed" 229999,"endpoint","audit","audit.default","audit event" 230000,"endpoint","pipe","pipe.add","pipe created" 230100,"endpoint","pipe","pipe.remove","pipe deleted" 230500,"endpoint","pipe","pipe.state","pipe connected" 239999,"endpoint","pipe","pipe.default","pipe event" 240000,"endpoint","wmi","wmi.filter","wmi filter created" 240001,"endpoint","wmi","wmi.filter","wmi filter removed" 240500,"endpoint","wmi","wmi.consumer","wmi consumer created" 240501,"endpoint","wmi","wmi.consumer","wmi consumer removed" 241000,"endpoint","wmi","wmi.binding","wmi binding created" 249999,"endpoint","wmi","wmi.default","wmi event" 250000,"endpoint","registry","registry.value_change","registry value set" 250001,"endpoint","registry","registry.value_change","registry value added" 
250002,"endpoint","registry","registry.value_change","registry value deleted" 250003,"endpoint","registry","registry.value_change","registry value modified" 250500,"endpoint","registry","registry.key_change","registry key added" 250501,"endpoint","registry","registry.key_change","registry key deleted" 250502,"endpoint","registry","registry.key_change","registry key renamed" 251000,"endpoint","registry","registry.object_renamed","registry object renamed" 259999,"endpoint","registry","registry.default","registry event" 260000,"endpoint","system_time","system_time.time_change","system time changed" 269999,"endpoint","system_time","system_time.default","system time event" 270000,"endpoint","driver","driver.loaded","system driver loaded" 270100,"endpoint","driver","driver.unloaded","system driver unloaded" 279999,"endpoint","driver","driver.default","system driver event" 280000,"endpoint","agent","agent.activity","agent activity" 280001,"endpoint","agent","agent.activity","antivirus and malware scan" 280100,"endpoint","agent","agent.update","agent update" 280200,"endpoint","agent","agent.status","agent status" 289999,"endpoint","agent","agent.default","agent default" 290000,"protocol","dhcp","dhcp.request","dhcp request" 290100,"protocol","dhcp","dhcp.offer","dhcp offer" 290200,"protocol","dhcp","dhcp.discovery","dhcp discovery" 290300,"protocol","dhcp","dhcp.acknowledgement","dhcp acknowledgement" 299999,"protocol","dhcp","dhcp.default","dhcp default event" 300000,"","detection","detection.network_detection","ids_detection" 300001,"","detection","detection.network_detection","network_detection" 300002,"","detection","detection.network_detection","network_dlp_detection" 301000,"","detection","detection.host_detection","host_malware_detection" 301001,"","detection","detection.host_detection","host_dlp_detection" 301002,"","detection","detection.host_detection","hips_detection" 301003,"","detection","detection.host_detection","fim_detection" 
309999,"","detection","detection.default","detection_message"
Closed via #47