Data Model Appendix
Note: this document is NOT a spec, it is provided to support the Logs Data Model specification. These examples provided purely for demonstrative purposes and are not exhaustive or canonical; please refer to the respective exporter documentation if exact details are required.
Appendix A. Example Mappings
This section contains examples of mapping of other events and logs formats to this data model.
RFC5424 Syslog
| Property | Type | Description | Maps to Unified Model Field |
| TIMESTAMP | Timestamp | Time when an event occurred measured by the origin clock. | Timestamp |
| SEVERITY | enum | Defines the importance of the event. Example: Debug |
Severity |
| FACILITY | enum | Describes where the event originated. A predefined list of Unix processes. Part of event source identity. Example: mail system |
Attributes["syslog.facility"] |
| VERSION | number | Meta: protocol version, orthogonal to the event. | Attributes["syslog.version"] |
| HOSTNAME | string | Describes the location where the event originated. Possible values are FQDN, IP address, etc. | Resource["host.name"] |
| APP-NAME | string | User-defined app name. Part of event source identity. | Resource["service.name"] |
| PROCID | string | Not well defined. May be used as a meta field for protocol operation purposes or may be part of event source identity. | Attributes["syslog.procid"] |
| MSGID | string | Defines the type of the event. Part of event source identity. Example: "TCPIN" | Attributes["syslog.msgid"] |
| STRUCTURED-DATA | array of maps of string to string | A variety of use cases depending on the SDID: Can describe event source identity. Can include data that describes particular occurrence of the event. Can be meta-information, e.g. quality of timestamp value. |
SDID origin.swVersion map to Resource["service.version"]. SDID origin.ip map to Attributes["client.address"]. Rest of SDIDs -> Attributes["syslog.*"] |
| MSG | string | Free-form text message about the event. Typically human readable. | Body |
Windows Event Log
| Property | Type | Description | Maps to Unified Model Field |
| TimeCreated | Timestamp | The time stamp that identifies when the event was logged. | Timestamp |
| Level | enum | Contains the severity level of the event. | Severity |
| Computer | string | The name of the computer on which the event occurred. | Resource["host.name"] |
| EventID | uint | The identifier that the provider used to identify the event. | Attributes["winlog.event_id"] |
| Message | string | The message string. | Body |
| Rest of the fields. | any | All other fields in the event. | Attributes["winlog.*"] |
SignalFx Events
| Field | Type | Description | Maps to Unified Model Field |
| Timestamp | Timestamp | Time when the event occurred measured by the origin clock. | Timestamp |
| EventType | string | Short machine understandable string describing the event type. SignalFx specific concept. Non-namespaced. Example: k8s Event Reason field. | Attributes["com.splunk.signalfx.event_type"] |
| Category | enum | Describes where the event originated and why. SignalFx specific concept. Example: AGENT. | Attributes["com.splunk.signalfx.event_category"] |
| Dimensions | map<string, string> | Helps to define the identity of the event source together with EventType and Category. Multiple occurrences of events coming from the same event source can happen across time and they all have the value of Dimensions. | Resource |
| Properties | map<string, any> | Additional information about the specific event occurrence. Unlike Dimensions which are fixed for a particular event source, Properties can have different values for each occurrence of the event coming from the same event source. | Attributes |
Splunk HEC
We apply this mapping from HEC to the unified model:
| Field | Type | Description | Maps to Unified Model Field |
| time | numeric, string | The event time in epoch time format, in seconds. | Timestamp |
| host | string | The host value to assign to the event data. This is typically the host name of the client that you are sending data from. | Resource["host.name"] |
| source | string | The source value to assign to the event data. For example, if you are sending data from an app you are developing, you could set this key to the name of the app. | Resource["com.splunk.source"] |
| sourcetype | string | The sourcetype value to assign to the event data. | Resource["com.splunk.sourcetype"] |
| event | any | The JSON representation of the raw body of the event. It can be a string, number, string array, number array, JSON object, or a JSON array. | Body |
| fields | map<string, any> | Specifies a JSON object that contains explicit custom fields. | Attributes |
| index | string | The name of the index by which the event data is to be indexed. The index you specify here must be within the list of allowed indexes if the token has the indexes parameter set. | Attributes["com.splunk.index"] |
When mapping from the unified model to HEC, we apply this additional mapping:
| Unified model element | Type | Description | Maps to HEC |
| SeverityText | string | The severity of the event as a human-readable string. | fields['otel.log.severity.text'] |
| SeverityNumber | string | The severity of the event as a number. | fields['otel.log.severity.number'] |
| Name | string | Short event identifier that does not contain varying parts. | fields['otel.log.name'] |
| TraceId | string | Request trace id. | fields['trace_id'] |
| SpanId | string | Request span id. | fields['span_id'] |
| TraceFlags | string | W3C trace flags. | fields['trace_flags'] |
Log4j
| Field | Type | Description | Maps to Unified Model Field |
| Instant | Timestamp | Time when an event occurred measured by the origin clock. | Timestamp |
| Level | enum | Log level. | Severity |
| Message | string | Human readable message. | Body |
| All other fields | any | Structured data. | Attributes |
Zap
| Field | Type | Description | Maps to Unified Model Field |
| ts | Timestamp | Time when an event occurred measured by the origin clock. | Timestamp |
| level | enum | Logging level. | Severity |
| caller | string | Calling function's filename and line number. | Attributes, key=TBD |
| msg | string | Human readable message. | Body |
| All other fields | any | Structured data. | Attributes |
Apache HTTP Server access log
| Field | Type | Description | Maps to Unified Model Field |
| %t | Timestamp | Time when an event occurred measured by the origin clock. | Timestamp |
| %a | string | Client address | Attributes["client.socket.address"] |
| %A | string | Server address | Attributes["server.socket.address"] |
| %h | string | Client hostname. | Attributes["client.address"] |
| %m | string | The request method. | Attributes["http.request.method"] |
| %v,%p,%U,%q | string | Multiple fields that can be composed into URL. | Attributes["url.full"] |
| %>s | string | Response status. | Attributes["http.response.status_code"] |
| All other fields | any | Structured data. | Attributes, key=TBD |
CloudTrail Log Event
| Field | Type | Description | Maps to Unified Model Field |
| eventTime | string | The date and time the request was made, in coordinated universal time (UTC). | Timestamp |
| eventSource | string | The service that the request was made to. This name is typically a short form of the service name without spaces plus .amazonaws.com. | Resource["service.name"]? |
| awsRegion | string | The AWS region that the request was made to, such as us-east-2. | Resource["cloud.region"] |
| sourceIPAddress | string | The IP address that the request was made from. | Attributes["client.address"] |
| errorCode | string | The AWS service error if the request returns an error. | Attributes["cloudtrail.error_code"] |
| errorMessage | string | If the request returns an error, the description of the error. | Body |
| All other fields | * | Attributes["cloudtrail.*"] |
Google Cloud Logging
| Field | Type | Description | Maps to Unified Model Field |
|---|---|---|---|
| timestamp | string | The time the event described by the log entry occurred. | Timestamp |
| resource | MonitoredResource | The monitored resource that produced this log entry. | Resource |
| log_name | string | The URL-encoded LOG_ID suffix of the log_name field identifies which log stream this entry belongs to. | Attributes[“gcp.log_name”] |
| json_payload | google.protobuf.Struct | The log entry payload, represented as a structure that is expressed as a JSON object. | Body |
| proto_payload | google.protobuf.Any | The log entry payload, represented as a protocol buffer. | Body |
| text_payload | string | The log entry payload, represented as a Unicode string (UTF-8). | Body |
| severity | LogSeverity | The severity of the log entry. | Severity |
| trace | string | The trace associated with the log entry, if any. | TraceId |
| span_id | string | The span ID within the trace associated with the log entry. | SpanId |
| labels | map<string,string> | A set of user-defined (key, value) data that provides additional information about the log entry. | Attributes |
| http_request | HttpRequest | The HTTP request associated with the log entry, if any. | Attributes[“gcp.http_request”] |
| trace_sampled | boolean | The sampling decision of the trace associated with the log entry. | TraceFlags.SAMPLED |
| All other fields | Attributes[“gcp.*”] |
Elastic Common Schema
| Field | Type | Description | Maps to Unified Model Field |
| @timestamp | datetime | Time the event was recorded | Timestamp |
| message | string | Any type of message | Body |
| labels | key/value | Arbitrary labels related to the event | Attributes[*] |
| tags | array of string | List of values related to the event | ? |
| trace.id | string | Trace ID | TraceId |
| span.id* | string | Span ID | SpanId |
| agent.ephemeral_id | string | Ephemeral ID created by agent | **Resource |
| agent.id | string | Unique identifier of this agent | **Resource |
| agent.name | string | Name given to the agent | Resource["telemetry.sdk.name"] |
| agent.type | string | Type of agent | Resource["telemetry.sdk.language"] |
| agent.version | string | Version of agent | Resource["telemetry.sdk.version"] |
| source.ip, client.ip | string | The IP address that the request was made from. | Attributes["client.address"] |
| cloud.account.id | string | ID of the account in the given cloud | Resource["cloud.account.id"] |
| cloud.availability_zone | string | Availability zone in which this host is running. | Resource["cloud.zone"] |
| cloud.instance.id | string | Instance ID of the host machine. | **Resource |
| cloud.instance.name | string | Instance name of the host machine. | **Resource |
| cloud.machine.type | string | Machine type of the host machine. | **Resource |
| cloud.provider | string | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | Resource["cloud.provider"] |
| cloud.region | string | Region in which this host is running. | Resource["cloud.region"] |
| cloud.image.id* | string | Resource["host.image.name"] | |
| container.id | string | Unique container id | Resource["container.id"] |
| container.image.name | string | Name of the image the container was built on. | Resource["container.image.name"] |
| container.image.tag | Array of string | Container image tags. | **Resource |
| container.labels | key/value | Image labels. | Attributes[*] |
| container.name | string | Container name. | Resource["container.name"] |
| container.runtime | string | Runtime managing this container. Example: "docker" | **Resource |
| destination.address | string | Destination address for the event | Attributes["destination.address"] |
| error.code | string | Error code describing the error. | Attributes["error.code"] |
| error.id | string | Unique identifier for the error. | Attributes["error.id"] |
| error.message | string | Error message. | Attributes["error.message"] |
| error.stack_trace | string | The stack trace of this error in plain text. | Attributes["error.stack_trace] |
| host.architecture | string | Operating system architecture | **Resource |
| host.domain | string | Name of the domain of which the host is a member. For example, on Windows this could be the host’s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host’s LDAP provider. |
**Resource |
| host.name | string | Hostname of the host. It normally contains what the hostname command returns on the host machine. |
Resource["host.name"] |
| host.id | string | Unique host id. | Resource["host.id"] |
| host.ip | Array of string | Host IP | Resource["host.ip"] |
| host.mac | array of string | MAC addresses of the host | Resource["host.mac"] |
| host.name | string | Name of the host. It may contain what hostname returns on Unix systems, the fully qualified, or a name specified by the user. |
Resource["host.name"] |
| host.type | string | Type of host. | Resource["host.type"] |
| host.uptime | string | Seconds the host has been up. | ? |
| service.ephemeral_id | string | Ephemeral identifier of this service | **Resource |
| service.id | string | Unique identifier of the running service. If the service is comprised of many nodes, the service.id should be the same for all nodes. | **Resource |
| service.name | string | Name of the service data is collected from. | Resource["service.name"] |
| service.node.name | string | Specific node serving that service | Resource["service.instance.id"] |
| service.state | string | Current state of the service. | Attributes["service.state"] |
| service.type | string | The type of the service data is collected from. | **Resource |
| service.version | string | Version of the service the data was collected from. | Resource["service.version"] |
* Not yet formalized into ECS.
** A resource that doesn’t exist in the OpenTelemetry resource semantic convention.
This is a selection of the most relevant fields. See for the full reference for an exhaustive list.
Appendix B: SeverityNumber example mappings
| Syslog | WinEvtLog | Log4j | Zap | java.util.logging | .NET (Microsoft.Extensions.Logging) | SeverityNumber |
|---|---|---|---|---|---|---|
| TRACE | FINEST | LogLevel.Trace | TRACE | |||
| Debug | Verbose | DEBUG | Debug | FINER | LogLevel.Debug | DEBUG |
| FINE | DEBUG2 | |||||
| CONFIG | DEBUG3 | |||||
| Informational | Information | INFO | Info | INFO | LogLevel.Information | INFO |
| Notice | INFO2 | |||||
| Warning | Warning | WARN | Warn | WARNING | LogLevel.Warning | WARN |
| Error | Error | ERROR | Error | SEVERE | LogLevel.Error | ERROR |
| Critical | Critical | Dpanic | ERROR2 | |||
| Alert | Panic | ERROR3 | ||||
| Emergency | FATAL | Fatal | LogLevel.Critical | FATAL |