Windows Event Log

Windows Event Log channels covering system, security, application and custom provider events for each host.

Global Fields (4)

Field | Description | Type
ngs.id | Unique identifier for the log entry. | string
ngs.createdAt | Timestamp when the event was created locally. | pdate
ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate
ngs.source | Origin or source system of the log. | string

Reference-Specific Fields (380)

Field | Type
winlog.EventData.LogonTypeName | string
winlog.EventData.PrivilegeList | string []
winlog.EventName | text_general
winlog.EventSource | string
winlog.EventData.AuditPolicyChanges | string []
winlog.EventData.CategoryId | string []
winlog.EventData.AuthenticationPackageName | text_general
winlog.EventData.FailureReason | text_general
winlog.EventData.IpAddress | text_general
winlog.EventData.IpPort | pint
winlog.EventData.DestAddress | text_general
winlog.EventData.SourceAddress | text_general
winlog.EventData.SourcePort | pint
winlog.EventData.DestPort | pint
winlog.DebugData.SequenceNumber | plong
winlog.DebugData.FlagsName | text_general
winlog.EventData.WorkstationName | text_general
winlog.DebugData.LevelName | text_general
winlog.DebugData.Component | text_general
winlog.DebugData.SubComponent | text_general
winlog.DebugData.FileLine | text_general
winlog.DebugData.Function | text_general
winlog.DebugData.Message | text_general
winlog.EventData.ReturnCode | string
winlog.EventData.ProcessId | string
winlog.EventData.Protocol | string
winlog.EventData.LogonType | plong
winlog.EventData.TargetDomainName | text_general
winlog.EventData.TargetLogonId | text_general
winlog.EventData.TargetUserName | text_general
winlog.EventData.TargetUserSid | text_general
winlog.ProcessingErrorData.ErrorCode | plong
winlog.ProcessingErrorData.DataItemName | text_general
winlog.ProcessingErrorData.EventPayload | text_general
winlog.RenderingInfo.CultureAttr | text_general
winlog.RenderingInfo.Message | text_general
winlog.RenderingInfo.Level | text_general
winlog.RenderingInfo.Opcode | text_general
winlog.RenderingInfo.Task | text_general
winlog.RenderingInfo.Channel | text_general
winlog.RenderingInfo.Provider | text_general
winlog.RenderingInfo.Keywords.Keywords | text_general []
winlog.System.Channel | text_general
winlog.System.Computer | text_general
winlog.System.Security.UserID | text_general
winlog.System.EventID | pint
winlog.System.EventRecordID | plong
winlog.System.Execution.ProcessID | plong
winlog.System.Execution.ThreadID | plong
winlog.System.Execution.ProcessorID | plong
winlog.System.Execution.SessionID | plong
winlog.System.Execution.KernelTime | plong
winlog.System.Execution.UserTime | plong
winlog.System.Execution.ProcessorTime | plong
winlog.System.Keywords | text_general
winlog.System.Level | plong
winlog.System.Opcode | plong
winlog.System.Correlation.ActivityID | text_general
winlog.System.Correlation.RelatedActivityID | text_general
winlog.System.Provider.Guid | text_general
winlog.System.Provider.Name | text_general
winlog.System.Provider.EventSourceName | text_general
winlog.System.Task | plong
winlog.System.TimeCreated.SystemTime | pdate
winlog.System.TimeCreated.RawTime | plong
winlog.System.Version | plong
winlog.EventData.CallerProcessId | text_general
winlog.EventData.CallerProcessName | text_general
winlog.EventData.SubjectDomainName | text_general
winlog.EventData.SubjectLogonId | text_general
winlog.EventData.SubjectUserName | text_general
winlog.EventData.SubjectUserSid | text_general
winlog.EventData.TargetSid | text_general
winlog.EventData.LogonID | string
winlog.EventData.ForceLogoff | string
winlog.EventData.FailureId | string
winlog.EventData.LocationInformation | text_general
winlog.EventData.CertThumbprint | string
winlog.EventData.DomainPolicyChanged | text_general
winlog.EventData.UserParameters | string
winlog.EventData.ProviderKey | string
winlog.EventData.TargetLinkedLogonId | string
winlog.EventData.DnsName | text_general
winlog.EventData.Identity | text_general
winlog.EventData.ReasonCode | string
winlog.EventData.MaxPasswordAge | string
winlog.EventData.SecurityPackageName | text_general
winlog.EventData.ObjectDN | text_general
winlog.EventData.NewSD | string
winlog.EventData.EndUSN | string
winlog.EventData.HardwareIds | string
winlog.EventData.RemoteEventLogging | string
winlog.EventData.SubcategoryGuid | string
winlog.EventData.VirtualAccount | string
winlog.EventData.DomainName | text_general
winlog.EventData.ConfiguredNames | string
winlog.EventData.AccountDomain | string
winlog.EventData.HomeDirectory | string
winlog.EventData.PackageName | text_general
winlog.EventData.TaskName | text_general
winlog.EventData.AlgorithmName | string
winlog.EventData.ServerNames | text_general []
winlog.EventData.Profiles | text_general
winlog.EventData.LayerRTID | plong
winlog.EventData.ServiceName | text_general
winlog.EventData.CompatibleIds | string
winlog.EventData.PeerMac | string
winlog.EventData.CalloutKey | string
winlog.EventData.OperationId | string
winlog.EventData.TransmittedServices | string
winlog.EventData.RemoteAdminEnabled | string
winlog.EventData.EventId | plong
winlog.EventData.EventCountTotal | plong
winlog.EventData.ObjectCollectionName | text_general
winlog.EventData.SettingValue | string
winlog.EventData.OldSD | string
winlog.EventData.OldTargetUserName | text_general
winlog.EventData.AccessRemoved | text_general
winlog.EventData.SourceProcessId | string
winlog.EventData.ObjectType | string
winlog.EventData.AttributeLDAPDisplayName | text_general
winlog.EventData.RuleAttr | string
winlog.EventData.OldMaxUsers | string
winlog.EventData.StatusCode | plong
winlog.EventData.FilterName | string
winlog.EventData.CertIssuerName | string
winlog.EventData.OldObjectDN | text_general
winlog.EventData.TicketEncryptionType | string
winlog.EventData.PreAuthType | string
winlog.EventData.RuleId | string
winlog.EventData.IntfGuid | string
winlog.EventData.NewProcessName | text_general
winlog.EventData.ClientName | text_general
winlog.EventData.StagingReason | text_general
winlog.EventData.TdoAttributes | string
winlog.EventData.PuaCount | plong
winlog.EventData.SSID | text_general
winlog.EventData.SourceHandleId | string
winlog.EventData.HypervisorLaunchType | string
winlog.EventData.PuaPolicyId | string
winlog.EventData.TokenElevationType | string
winlog.EventData.OldShareFlags | string
winlog.EventData.NewSd | string
winlog.EventData.DestinationDRA | text_general
winlog.EventData.TestSigning | string
winlog.EventData.NewValue | text_general
winlog.EventData.TargetServerName | text_general
winlog.EventData.TreeDelete | string
winlog.EventData.SidFilteringEnabled | string
winlog.EventData.ScriptPath | string
winlog.EventData.NotificationPackageName | string
winlog.EventData.TicketOptions | string
winlog.EventData.ServiceAccount | string
winlog.EventData.ShareName | text_general
winlog.EventData.TaskContentNew | text_general
winlog.EventData.MachineAccountQuota | string
winlog.EventData.SpnName | string
winlog.EventData.DSType | string
winlog.EventData.Operation | string
winlog.EventData.NamingContext | text_general
winlog.EventData.EAPErrorCode | string
winlog.EventData.PasswordLastSet | string
winlog.EventData.LockoutDuration | string
winlog.EventData.EntryType | string
winlog.EventData.GroupTypeChange | text_general
winlog.EventData.ObjectGUID | string
winlog.EventData.EventSourceId | string
winlog.EventData.ProcessName | text_general
winlog.EventData.Service | text_general
winlog.EventData.DnsHostName | text_general
winlog.EventData.RemoteMachineID | string
winlog.EventData.RuleName | text_general
winlog.EventData.NewTime | string
winlog.EventData.TransactionId | string
winlog.EventData.ReasonForRejection | text_general
winlog.EventData.LayerName | string
winlog.EventData.HomePath | string
winlog.EventData.ComputerAccountChange | string
winlog.EventData.AccessMask | string
winlog.EventData.HandleId | string
winlog.EventData.AccessGranted | text_general
winlog.EventData.TargetLogonGuid | string
winlog.EventData.ProfilePath | string
winlog.EventData.FilterType | string
winlog.EventData.LayerId | plong
winlog.EventData.AuditSourceName | text_general
winlog.EventData.ObjectName | text_general
winlog.EventData.NewValueType | string
winlog.EventData.StartUSN | string
winlog.EventData.ReplicationEvent | string
winlog.EventData.KeyName | string
winlog.EventData.LmPackageName | string
winlog.EventData.ObjectIdentifyingProperties | text_general
winlog.EventData.SidHistory | string
winlog.EventData.NewProcessId | string
winlog.EventData.OldSd | string
winlog.EventData.OldValueType | string
winlog.EventData.InterfaceName | text_general
winlog.EventData.SubcategoryId | string
winlog.EventData.TargetServer | text_general
winlog.EventData.RelativeTargetName | text_general
winlog.EventData.CredType | string
winlog.EventData.TargetProcessId | string
winlog.EventData.SamAccountName | text_general
winlog.EventData.UserSid | string
winlog.EventData.AuditStatusCode | plong
winlog.EventData.MemberSid | string
winlog.EventData.OldRemark | string
winlog.EventData.Status | string
winlog.EventData.Application | text_general
winlog.EventData.AdditionalInfo | string
winlog.EventData.DisabledPrivilegeList | string
winlog.EventData.AccountExpires | string
winlog.EventData.AdvancedOptions | string
winlog.EventData.Options | plong
winlog.EventData.UserAccountControl | string
winlog.EventData.AccountName | text_general
winlog.EventData.SessionID | plong
winlog.EventData.TargetHandleId | string
winlog.EventData.GroupMembership | string
winlog.EventData.UserUPN | text_general
winlog.EventData.ObjectClass | text_general
winlog.EventData.SessionName | text_general
winlog.EventData.OemInformation | string
winlog.EventData.ServicePrincipalNames | text_general
winlog.EventData.ProfileUsed | text_general
winlog.EventData.AttributeValue | string
winlog.EventData.ServiceFileName | text_general
winlog.EventData.KeyLength | plong
winlog.EventData.EAPReasonCode | string
winlog.EventData.ProfileChanged | text_general
winlog.EventData.SubjectUserDomainName | text_general
winlog.EventData.TargetProcessName | text_general
winlog.EventData.LogonProcessName | text_general
winlog.EventData.ForestRoot | text_general
winlog.EventData.ComputerName | text_general
winlog.EventData.OpCorrelationID | string
winlog.EventData.ConfigAccessPolicy | string
winlog.EventData.LogDroppedPacketsEnabled | string
winlog.EventData.NewUacValue | string
winlog.EventData.ResourceAttributes | string
winlog.EventData.DomainBehaviorVersion | string
winlog.EventData.UserName | text_general
winlog.EventData.ActiveProfile | text_general
winlog.EventData.ChangeType | string
winlog.EventData.TopLevelName | string
winlog.EventData.LinkName | text_general
winlog.EventData.DomainSid | string
winlog.EventData.ProcessID | plong
winlog.EventData.LogonHours | string
winlog.EventData.CertSerialNumber | string
winlog.EventData.KeyType | string
winlog.EventData.NetbiosName | text_general
winlog.EventData.SourceAddr | string
winlog.EventData.NewObjectDN | text_general
winlog.EventData.ImpersonationLevel | string
winlog.EventData.LogSuccessfulConnectionsEnabled | string
winlog.EventData.FilterId | string
winlog.EventData.ObjectServer | text_general
winlog.EventData.OldUacValue | string
winlog.EventData.DeviceClaims | string
winlog.EventData.RemoteUserID | string
winlog.EventData.Duration | string
winlog.EventData.TargetInfo | text_general
winlog.EventData.FlightSigning | string
winlog.EventData.NewTargetUserName | text_general
winlog.EventData.FileName | text_general
winlog.EventData.CalloutName | text_general
winlog.EventData.EventCount | plong
winlog.EventData.LockoutThreshold | string
winlog.EventData.PrimaryGroupId | plong
winlog.EventData.NewRemark | string
winlog.EventData.EventIdx | plong
winlog.EventData.AllowedToDelegateTo | string
winlog.EventData.RecoveryKeyId | string
winlog.EventData.MinPasswordAge | string
winlog.EventData.TargetUserDomain | text_general
winlog.EventData.FilterKey | string
winlog.EventData.LayerKey | string
winlog.EventData.ClassName | text_general
winlog.EventData.UserPrincipalName | text_general
winlog.EventData.SubStatus | string
winlog.EventData.MulticastFlowsEnabled | string
winlog.EventData.ParentProcessName | text_general
winlog.EventData.Package | text_general
winlog.EventData.AppCorrelationID | string
winlog.EventData.SettingType | string
winlog.EventData.VsmLaunchType | string
winlog.EventData.TaskContent | text_general
winlog.EventData.Properties | string
winlog.EventData.Weight | plong
winlog.EventData.KeyFilePath | text_general
winlog.EventData.RestrictedAdminMode | string
winlog.EventData.Dummy | string
winlog.EventData.ObjectValueName | text_general
winlog.EventData.GroupPolicyApplied | string
winlog.EventData.ElevatedToken | string
winlog.EventData.Conditions | text_general
winlog.EventData.AddedCAPs | text_general
winlog.EventData.PreviousTime | pdate
winlog.EventData.HypervisorDebug | string
winlog.EventData.ErrorCode | string
winlog.EventData.TargetOutboundUserName | text_general
winlog.EventData.LoadOptions | string
winlog.EventData.AccessReason | string
winlog.EventData.PasswordHistoryLength | plong
winlog.EventData.KernelDebug | string
winlog.EventData.AttributeSyntaxOID | string
winlog.EventData.PasswordProperties | string
winlog.EventData.SourceDRA | text_general
winlog.EventData.ClientAddress | text_general
winlog.EventData.ProviderName | text_general
winlog.EventData.RecoveryReason | string
winlog.EventData.ClassId | string
winlog.EventData.ModifiedObjectProperties | text_general
winlog.EventData.ForestRootSid | string
winlog.EventData.NewState | string
winlog.EventData.MinPasswordLength | plong
winlog.EventData.ServiceSid | string
winlog.EventData.UserWorkstations | text_general
winlog.EventData.RecoveryServer | text_general
winlog.EventData.GPOList | text_general
winlog.EventData.DSName | text_general
winlog.EventData.OperationMode | string
winlog.EventData.ObjectProperties | text_general
winlog.EventData.ResourceManager | string
winlog.EventData.TdoDirection | string
winlog.EventData.MandatoryLabel | string
winlog.EventData.LockoutObservationWindow | string
winlog.EventData.EnabledPrivilegeList | text_general
winlog.EventData.Flags | string
winlog.EventData.TargetOutboundDomainName | string
winlog.EventData.UserClaims | text_general
winlog.EventData.TdoType | string
winlog.EventData.CrashOnAuditFailValue | string
winlog.EventData.FilterRTID | plong
winlog.EventData.ServiceType | string
winlog.EventData.Profile | text_general
winlog.EventData.Action | string
winlog.EventData.HypervisorLoadOptions | string
winlog.EventData.DeviceDescription | text_general
winlog.EventData.NewShareFlags | string
winlog.EventData.VendorIds | text_general
winlog.EventData.IpAddresses | text_general []
winlog.EventData.NewMaxUsers | string
winlog.EventData.Workstation | text_general
winlog.EventData.SessionId | plong
winlog.EventData.OperationType | string
winlog.EventData.Direction | string
winlog.EventData.RestrictedSidCount | plong
winlog.EventData.KerberosPolicyChange | string
winlog.EventData.MasterKeyId | string
winlog.EventData.DeviceId | text_general
winlog.EventData.LogonGuid | string
winlog.EventData.ShareLocalPath | text_general
winlog.EventData.SidList | string
winlog.EventData.ServiceStartType | string
winlog.EventData.MixedDomainMode | string
winlog.EventData.ReasonText | text_general
winlog.EventData.MemberName | text_general
winlog.EventData.DisplayName | text_general
winlog.EventData.DisableIntegrityChecks | string
winlog.EventData.LocalMac | text_general
winlog.EventData.AccessList | string
winlog.EventData._Data | text_general []
winlog.EventData.param1 | text_general
winlog.EventData.param2 | text_general
winlog.EventData.param3 | string
winlog.EventData.param4 | string
winlog.EventData.param5 | string
winlog.EventData.param6 | string
winlog.EventData.param7 | string
winlog.EventData.param8 | string
winlog.EventData.param9 | string
winlog.EventData.param10 | string
winlog.EventData.param11 | string
winlog.EventData.param12 | string
winlog.EventData.param13 | string
winlog.EventData.RemoteID | pint
winlog.EventData.LocalUser | text_general

Sample Log Event

Below is a representative JSON log entry showing key fields as they’re emitted by the system. Depending on the context of the event, some fields may be omitted if they’re not applicable.