TALES Event Attributes

The following table lists available event attributes.

Attribute Description
agent Collector name from which the event came (such as zensyslog or zentrap).
component Component of the associated device, if applicable. (Examples: eth0, httpd.)
count Number of times this event has been seen.
dedupid Key used to correlate duplicate events. By default, this is: device, component, eventClass, eventKey, severity.
device ID of the associated device, if applicable.
DeviceClass Device class from device context.
DeviceGroups Device systems from device context, separated by |.
eventClass Event class associated with this device. If not specified, may be added by the rule process. If this fails, then will be /Unknown.
eventClassKey Key by which rules processing begins. Often equal to component.
eventGroup Logical group of event source (such as syslog, ping, or nteventlog).
eventKey Primary criteria for mapping events into event classes. Use if a component needs further de-duplication specification.
eventState State of event. 0 = new, 1 = acknowledged, 2 = suppressed.
evid Unique ID for the event.
facility syslog facility, if this is a syslog event.
firstTime UNIX timestamp when event is received.
ipAddress IP Address of the associated device, if applicable.
lastTime Last time this event was seen and its count incremented.
Location Device location from device context.
manager Fully qualified domain name of the collector from which this event came.
message Full message text.
ntevid nt event ID, if this is an nt eventlog event.
priority syslog priority, if this is a syslog event.
prodState prodState of the device context.
severity the severity of the event expressed as a number (0, 1, 2, 3, 4, or 5)
severityString the severity of the event expressed as a string (Clear, Debug, Info, Warning, Error, or Critical)
stateChange Time the MySQLrecord for this event was last modified.
summary Text description of the event. Limited to 150 characters.
suppid ID of the event that suppressed this event.
Systems Device systems from device context, separated by |.

Configuration Properties and Custom Properties

Configuration properties and custom properties also are available for devices, and use the same syntax as shown in the previous sections.