Back in the early Log Insight days, I wrote about the types of fields in Log Insight and which static fields were provided automatically (more in this post). Today, I would like to discuss the automatic static fields that the Log Insight agent provides. Read on to learn more!

By default, the agent provides one additional static field depending on the type of configuration section you are using:

  • Filelog: filepath (the absolute path of the file)
  • Winlog: channel (as defined in Windows Event Viewer)

This single field is extremely valuable because it tells you where on the client the event was stored. That is information the syslog protocol does not carry, since a message is handed to syslog before it is written to the filesystem (if it is written at all).
In the case of winlog, automatic parsing occurs, which gives you a variety of fields:

  • eventid
  • eventrecordid
  • eventsourcename (optional)
  • keywords
  • level
  • opcode (optional)
  • providername
  • task
  • userid (optional)

While filelog does not parse your events by default, a variety of content packs are available which can do the parsing for you (e.g. the Linux content pack gives you the parsed syslog fields).
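To make the two section types concrete, here is an illustrative agent configuration fragment for both a filelog and a winlog section. It is an added example written for this post, not configuration taken from the original article or from VMware; the section-name syntax and the `directory`, `include`, `channel` and `tags` keys are assumed to match the Log Insight agent's liagent.ini format, so check them against the documentation for your agent version before use.

```ini
; Assumed liagent.ini fragment (added illustration, not from the original post).
; Section syntax and the directory/include/channel/tags keys are assumed to
; match the Log Insight agent configuration format for your version.

[filelog|apache-access]
; Every event collected by this section carries the static field "filepath"
; (e.g. filepath=/var/log/apache2/access.log), added by the agent itself.
; Events are not parsed here; a content pack would supply parsed fields.
directory=/var/log/apache2
include=access.log;error.log

[winlog|security]
; Every event from this section carries the static field "channel"
; (here channel=Security) plus the automatically parsed fields eventid,
; eventrecordid, keywords, level, providername, task and, where present,
; eventsourcename, opcode and userid.
channel=Security

[filelog|app]
; Optional user-defined static fields, attached to every event of a section
; in addition to filepath. Key name "tags" and its JSON value are assumed.
directory=/var/log/myapp
include=*.log
tags={"role":"web","env":"prod"}
```

The `filepath` and `channel` values are what let you answer "which file or which Windows log did this event come from" when searching or building alerts, so keep the section names and paths stable once dashboards depend on them.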