LogScale Collector Metadata | Falcon LogScale Collector 1.3.0-1.6.5 | LogScale Documentation

Skip to content

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Training API GraphQL API Contacting Support

LogScale Collector Metadata

Each event has some metadata attached to it on ingestion; all metadata fields start with @ to make them easy to identify. All events will contain the following metadata fields by default.

Metadata Field	Description
@collect.host	Name of the ingesting host
@collect.id	Unique ID of the collector
@collect.timezone	Timezone
@collect.timestamp	Timestamp
@collect.source_name	Name of the source.
@collect.source_type	(e.g. cmd, file, journald, syslog, syslog_tls, unifiedlog, wineventlog)
@collect.error	Error occurred while collecting data, e.g. wineventlog: could not parse names for event data.

The following additional metadata fields are source specific.

Source	Metadata Field	Description
`journald`	@collect.unit	Name of the unit, e.g. ntp.service
`file`	@collect.file	File name from where the event is collected.
`wineventlog`	@collect.channel	Channel of the collected event.
`syslog`	@collect.remote	Remote IP address and port.
`syslog`	@collect.socket	Local socket e.g. :514/UDP
`command`	@collect.cmd	The command which is executed.
	@collect.pid	The PID of the executed command
	@collect.stream	The output stream of the executed command, stdout or stderr.

Enter search term