Skip to main content
Version: Next

Event

An Event is the runtime representation of an item being processed by crowdsec, it can be:

  • a log line being parsed

  • an overflow being reprocessed

The Event object is modified by parsers, scenarios, and directly via user statics expressions (for example).

The representation of the object can be found here :

Event object documentation

LOG relevant fields#

  • Type is types.LOG
  • Whitelisted : if true the LOG or OVFLW will be dropped
  • Line : representation of the raw line
    • Raw : the raw line representation
    • Src : a label for the source
    • Time : acquisition timestamp
    • Labels : the static labels (from acquis.yaml) associated to the source
    • Process: if set to false, processing of line will stop
  • Parsed : a map[string]string that can be used during parsing and enrichment. This is where GROK patterns will output their captures by default
  • Enriched : a map[string]string that can be used during parsing and enrichment. This is where enrichment functions will output their captures by default
  • Meta : a map[string]string that can be used to store important information about a log. This map is serialized into DB when storing event.
  • Overflow : representation of an Overflow if Type is set to OVFLW
  • Time : processing timestamp
  • StrTime : string representation of log timestamp. Can be set by parsers that capture timestamp in logs. Will be automatically processed by crowdsecurity/dateparse-enrich when processing logs in forensic mode to set MarshaledTime
  • MarshaledTime : if non-empty, the event's timestamp that will be used when processing buckets (for forensic mode)

OVERFLOW relevant fields#

  • Type is types.OVFLW
  • Whitelisted : if true the LOG or OVFLW will be dropped
  • Overflow : representation of an Overflow if Type is set to OVFLW
  • Time : processing timestamp
  • StrTime : string representation of log timestamp. Can be set by parsers that capture timestamp in logs. Will be automatically processed by crowdsecurity/dateparse-enrich when processing logs in forensic mode to set MarshaledTime
  • MarshaledTime : if non-empty, the event's timestamp that will be used when processing buckets (for forensic mode)
  • Overflow :
    • Whitelisted : if true the OVFLW will be dropped
    • Reprocess : if true, the OVFLOW will be reprocessed (inference)
    • Sources : a map[string]models.Source representing the distinct sources that triggered the overflow, with their types and values. The key of the map is the IP address.
    • Alert and APIAlerts : representation of the signals that will be sent to LAPI.

Here is full evt.Overflow object representation.

Source#

Here is the representation of a models.Source object.