Schema Actions
- 1: Import (Object)
- 2: Network (Close)
- 3: Print
- 4: Search
- 5: Send (Document)
- 6: Send (File)
- 7: Alert (Network)
- 8: Import (File)
1 - Import (Object)
<EventDetail>/<Import>//<Object>
The following example illustrates user jc101 importing some data into an application called Geology Image Database. The application is based on geoimg v4.1 and is running on the server geodb.servers.mycloud.myorg. The Object is of Type Image Archive and has an id of 14131A. It has a Classification of Geology. There is no Success element in <Outcome>, so it is assumed that the action completed successfully.
<?xml version="1.0" encoding="UTF-8"?>
<Events
xmlns="event-logging:3"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="event-logging:3 file://event-logging-v999.99.9-documentation.xsd"
Version="999.99.9">
<!-- Import Object event -->
<Event>
<EventTime>
<TimeCreated>2017-01-02T03:04:05.678Z</TimeCreated>
</EventTime>
<EventSource>
<System>
<Name>Geology Image Database</Name>
<Environment>Live</Environment>
<Organisation>ACMECoolResearch</Organisation>
</System>
<Generator>geoimg v4.1</Generator>
<Device>
<HostName>geodb.servers.mycloud.myorg</HostName>
<IPAddress>104.105.106.107</IPAddress>
<MACAddress>AB:CB:BC:DE:EE:FF</MACAddress>
</Device>
<User>
<Id>jc101</Id>
</User>
</EventSource>
<EventDetail>
<TypeId>IMAGE-IMPORT-ARCHIVE</TypeId>
<Description>User has imported an image archive</Description>
<Import>
<Destination>
<Object>
<Type>Image Archive</Type>
<Id>14131A</Id>
<Description>Crater images</Description>
<Classification>
<Text>Geology</Text>
</Classification>
</Object>
</Destination>
<Outcome>
<Description>Image archive successfully imported</Description>
</Outcome>
</Import>
</EventDetail>
</Event>
</Events>
2 - Network (Close)
<EventDetail>/<Network>/<Close>
This example illustrates the closing of a network connection between two devices.
<?xml version="1.0" encoding="UTF-8"?>
<Events
xmlns="event-logging:3"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="event-logging:3 file://event-logging-v999.99.9-documentation.xsd"
Version="999.99.9">
<!-- Network Close event -->
<Event>
<EventTime>
<TimeCreated>2017-01-02T03:04:05.678Z</TimeCreated>
</EventTime>
<EventSource>
<System>
<Name>Geology Image Database</Name>
<Environment>Live</Environment>
<Organisation>ACMECoolResearch</Organisation>
</System>
<Generator>geoimg v4.1</Generator>
<Device>
<HostName>geodb.servers.mycloud.myorg</HostName>
<IPAddress>104.105.106.107</IPAddress>
<MACAddress>AB:CB:BC:DE:EE:FF</MACAddress>
</Device>
<User>
<Id>jc101</Id>
</User>
</EventSource>
<EventDetail>
<TypeId>ABC123</TypeId>
<Network>
<Close>
<Source>
<Device>
<IPAddress>192.168.1.2</IPAddress>
<Port>56123</Port>
</Device>
<TransportProtocol>UDP</TransportProtocol>
</Source>
<Destination>
<Device>
<IPAddress>192.168.1.3</IPAddress>
<Port>53</Port>
</Device>
<Application>Outlook</Application>
<TransportProtocol>TCP</TransportProtocol>
<ApplicationProtocol>IMAP</ApplicationProtocol>
<Port>80</Port>
</Destination>
</Close>
</Network>
</EventDetail>
</Event>
</Events>
3 - Print
<EventDetail>/<Print>
The following example illustrates a document with the title Resume - J Coder being printed on prn01.luna1.lan.myorg.com by user jc101. The document is 2 pages in length and 3410212 bytes in size.
<?xml version="1.0" encoding="UTF-8"?>
<Events
xmlns="event-logging:3"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="event-logging:3 file://event-logging-v999.99.9-documentation.xsd"
Version="999.99.9">
<!-- Print event
The following example illustrates a document with the title Resume - J Coder
being printed on prn01.luna1.lan.myorg.com by user jc101.
The document is 2 pages in length and 3410212 bytes in length.
-->
<Event>
<EventTime>
<TimeCreated>2017-01-02T03:04:05.678Z</TimeCreated>
</EventTime>
<EventSource>
<System>
<Name>SPACEPRINT</Name>
<Environment>Luna1</Environment>
<Organisation>ACMECoolResearch</Organisation>
</System>
<Generator>ZeroGPrinter</Generator>
<Device>
<HostName>prn01.luna1.lan.myorg.com</HostName>
</Device>
<User>
<Id>jc101</Id>
</User>
<Interactive>true</Interactive>
</EventSource>
<EventDetail>
<TypeId>BWPrint</TypeId>
<Description>System has finished printing</Description>
<Print>
<Action>FinishPrint</Action>
<PrintJob>
<Document>
<Title>Resume - J Coder</Title>
</Document>
<Pages>2</Pages>
<Size>3410212</Size>
<Submitted>2017-01-02T03:03:51.234Z</Submitted>
</PrintJob>
<Outcome>
<Success>true</Success>
</Outcome>
</Print>
</EventDetail>
</Event>
</Events>
4 - Search
<EventDetail>/<Search>
The following example illustrates a query against a database application. The action is that user jc101 executes the query select r.* from ROCK r where r.TYPE = 'r' and r.SIZE = 'large' and r.COLOUR = 'white', which returned 2 results. The Interactive field is set to false, so it may be inferred that this was an automated operation of some kind. The results were two Objects, both of type Rock: the first with an id of 7811 and a name of Surprisingly Heavy Chunk, and the second with an id of 11418 and a name of Possible Gold Ore.
<?xml version="1.0" encoding="UTF-8"?>
<Events
xmlns="event-logging:3"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="event-logging:3 file://event-logging-v999.99.9-documentation.xsd"
Version="999.99.9">
<!-- Search event -->
<Event>
<EventTime>
<TimeCreated>2017-01-02T03:04:05.678Z</TimeCreated>
</EventTime>
<EventSource>
<!--
An identifier for the user's session (e.g. a JSessionId) which can be used to group
events that are part of the same session
-->
<SessionId>5EFDA7655A8D72E7D04AC2E88E754956</SessionId>
<System>
<Name>Rock Sample Database</Name>
<Environment>Space</Environment>
<Organisation>ACMECoolResearch</Organisation>
<Version>R8.1</Version>
</System>
<Generator>db-query</Generator>
<Device>
<HostName>db56.serverfarm.mydomain.org</HostName>
<IPAddress>191.181.171.161</IPAddress>
</Device>
<Client>
<HostName>desktop4.moonbase-a.mydomain.org</HostName>
<IPAddress>111.101.101.111</IPAddress>
</Client>
<User>
<Id>jc101</Id>
</User>
<Interactive>true</Interactive>
</EventSource>
<EventDetail>
<TypeId>findByConstraint</TypeId>
<Description>User has queried database using specified constraints</Description>
<Search>
<Query>
<Id>query-538393</Id>
<Description>Large, white, type 'r'</Description>
<Raw>select r.* from ROCK r where r.TYPE = 'r' and r.SIZE = 'large' and r.COLOUR = 'white'</Raw>
</Query>
<TotalResults>2</TotalResults>
<Results>
<Object>
<Type>Rock</Type>
<Id>78121</Id>
<Name>Surprisingly Heavy Chunk</Name>
</Object>
<Object>
<Type>Rock</Type>
<Id>11418</Id>
<Name>Possible Gold Ore</Name>
</Object>
</Results>
</Search>
</EventDetail>
</Event>
</Events>
5 - Send (Document)
<EventDetail>/<Send>//<Document>
The following example illustrates an application being used to transfer a file from one user to another user. The action is that the file samples1.zip of size 14127312 bytes was sent by the user jc101 to the user C=GB, O=WeDoRocksCo, OU=Space, CN=Tom Thumb (UID=tthumb01). The file was transferred successfully.
<?xml version="1.0" encoding="UTF-8"?>
<Events
xmlns="event-logging:3"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="event-logging:3 file://event-logging-v999.99.9-documentation.xsd"
Version="999.99.9">
<Event>
<EventTime>
<TimeCreated>2017-01-02T03:04:05.678Z</TimeCreated>
</EventTime>
<EventSource>
<System>
<Name>FileSharer21</Name>
<Description>Interactive File Sharing</Description>
<Environment>Operational</Environment>
<Organisation>ACMECoolResearch</Organisation>
</System>
<Generator>fs-21-v2.2</Generator>
<Device>
<HostName>fs04.fs.myorg.com</HostName>
<IPAddress>131.141.151.161</IPAddress>
<MACAddress>A1:B1:C1:D1:E1:F1</MACAddress>
</Device>
<Client>
<IPAddress>121.121.121.121</IPAddress>
</Client>
<User>
<Id>jc101</Id>
<UserDetails>
<!-- Fully populated here to illustrate a decorated event-->
<Id>jc101</Id>
<StaffNumber>101</StaffNumber>
<Surname>Coder</Surname>
<Initials>JD</Initials>
<Title>Mr</Title>
<KnownAs>Jolly</KnownAs>
<PersonType>Employee</PersonType>
<Group>Technology</Group>
<Unit>Geology</Unit>
<Position>T.SD/42</Position>
<Role>Geologist</Role>
<GradeOfPost>E.5</GradeOfPost>
<EmploymentType>Employee</EmploymentType>
<EmploymentStatus>Active</EmploymentStatus>
<Nationality>GB</Nationality>
<Location>Moon Base Alpha</Location>
<RoomNumber>4/31</RoomNumber>
<Phone>11223</Phone>
<SupervisorStaffNumber>421</SupervisorStaffNumber>
<Organisation>ACMECoolResearch</Organisation>
<HostOrganisation>MoonCo</HostOrganisation>
</UserDetails>
</User>
</EventSource>
<EventDetail>
<TypeId>NormalSend</TypeId>
<Description>A user sends a file to another user</Description>
<Purpose>
<Justification>Rock sample spectrum for analysis</Justification>
</Purpose>
<Send>
<Source>
<User>
<Id>jc101</Id>
<!-- User belongs to the organisation generating the event
so only an Id is required -->
</User>
</Source>
<Destination>
<User>
<Id>C=GB, O=WeDoRocksCo, OU=Space, CN=Tom Thumb (UID=tthumb01)</Id>
<!-- User is external to the organisation generating the event so
a rich UserDetails element is required-->
<UserDetails>
<Id>tthumb011</Id>
<Surname>Thumb</Surname>
<Initials>T</Initials>
<Group>Space</Group>
<Nationality>GB</Nationality>
<Organisation>WeDoRocksCo</Organisation>
</UserDetails>
</User>
</Destination>
<Payload>
<Document>
<Name>samples1.zip</Name>
<Size>14127312</Size>
</Document>
</Payload>
<Outcome>
<Success>true</Success>
<Description>Transfer Succeeded</Description>
</Outcome>
</Send>
</EventDetail>
</Event>
</Events>
6 - Send (File)
<EventDetail>/<Send>//<File>
The following example illustrates an application transferring a file to a remote server. This reflects an automated service, so attribution of the sender and receiver is to a host, not a user. The action is that the file /appdata/alldata/gooddata/bestdata.xml of type text/xml is being sent from myhost.mydomain.org to yourhost.yourdomain.com. This file is 12345321 bytes in size and has a digest/checksum/hash of efd1dffd90296a69a8aecd7ecb1832b7.
N.B. The type of digest used is application specific and not specified in this event.
The Outcome of the event is not defined, so we assume that the transfer was successful.
<?xml version="1.0" encoding="UTF-8"?>
<Events
xmlns="event-logging:3"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="event-logging:3 file://event-logging-v999.99.9-documentation.xsd"
Version="999.99.9">
<Event>
<EventTime>
<TimeCreated>2017-01-02T03:04:05.678Z</TimeCreated>
</EventTime>
<EventSource>
<System>
<Name>File Distribution</Name>
<Environment>Live</Environment>
<Organisation>ACMECoolResearch</Organisation>
</System>
<Generator>File Distributor 1.5</Generator>
<Device>
<IPAddress>123.12.3.123</IPAddress>
</Device>
</EventSource>
<EventDetail>
<TypeId>File Transfer</TypeId>
<Send>
<Source>
<Device>
<HostName>myhost.mydomain.org</HostName>
</Device>
</Source>
<Destination>
<Device>
<HostName>yourhost.yourdomain.com</HostName>
</Device>
</Destination>
<Payload>
<File>
<Type>text/xml</Type>
<Path>/appdata/alldata/gooddata/bestdata.xml</Path>
<Size>12345321</Size>
<Hash Type="MD5">efd1dffd90296a69a8aecd7ecb1832b7</Hash>
</File>
</Payload>
</Send>
</EventDetail>
</Event>
</Events>
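As an added example (not the event-logging project's own code), the following Python applies the Outcome rule stated for Import (Object) and Send (File) above: an <Outcome> without a <Success> element, or no <Outcome> at all, is read as success, while an explicit <Success> is honoured. The Events document it parses is constructed here, and the parsing assumes only the event-logging:3 namespace used by the page's examples.

```python
import xml.etree.ElementTree as ET

NS = {"el": "event-logging:3"}

# Constructed sample (not from the page): three minimal events, one per
# Outcome shape: Outcome without Success, no Outcome at all, explicit Success.
SAMPLE_EVENTS = """<Events xmlns="event-logging:3" Version="999.99.9">
  <Event>
    <EventSource><User><Id>jc101</Id></User></EventSource>
    <EventDetail>
      <TypeId>IMAGE-IMPORT-ARCHIVE</TypeId>
      <Import><Outcome><Description>imported</Description></Outcome></Import>
    </EventDetail>
  </Event>
  <Event>
    <EventSource><Device><IPAddress>123.12.3.123</IPAddress></Device></EventSource>
    <EventDetail><TypeId>File Transfer</TypeId><Send/></EventDetail>
  </Event>
  <Event>
    <EventSource><User><Id>jc101</Id></User></EventSource>
    <EventDetail>
      <TypeId>NormalSend</TypeId>
      <Send><Outcome><Success>false</Success></Outcome></Send>
    </EventDetail>
  </Event>
</Events>"""


def infer_success(event):
    """Apply the page's Outcome rule to one <Event> element."""
    # <Outcome> sits under the action element (Import, Send, ...), which is
    # itself a child of <EventDetail>; the '*' step matches any action.
    outcome = event.find("el:EventDetail/*/el:Outcome", NS)
    if outcome is None:
        return True   # no Outcome at all: the action is assumed successful
    success = outcome.find("el:Success", NS)
    if success is None:
        return True   # Outcome present but no Success: assumed successful
    return (success.text or "").strip().lower() == "true"


def summarise(xml_text):
    """Return (TypeId, actor, success) for each <Event> in an Events document."""
    root = ET.fromstring(xml_text)
    rows = []
    for event in root.findall("el:Event", NS):
        type_id = event.findtext("el:EventDetail/el:TypeId", namespaces=NS)
        # Attribute to the user when recorded; an automated service is attributed to its device.
        actor = (event.findtext("el:EventSource/el:User/el:Id", namespaces=NS)
                 or event.findtext("el:EventSource/el:Device/el:IPAddress", namespaces=NS))
        rows.append((type_id, actor, infer_success(event)))
    return rows
```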
7 - Alert (Network)
<EventDetail>/<Alert>/<Network>
This example illustrates an alert being fired by a network device performing packet filtering:
<?xml version="1.0" encoding="UTF-8"?>
<Events
xmlns="event-logging:3"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="event-logging:3 file://event-logging-v999.99.9-documentation.xsd"
Version="999.99.9">
<!-- Alert Network event -->
<Event>
<EventTime>
<TimeCreated>2017-01-02T03:04:05.678Z</TimeCreated>
</EventTime>
<EventSource>
<System>
<Name>Geology Image Database</Name>
<Environment>Live</Environment>
<Organisation>ACMECoolResearch</Organisation>
</System>
<Generator>geoimg v4.1</Generator>
<Device>
<HostName>geodb.servers.mycloud.myorg</HostName>
<IPAddress>104.105.106.107</IPAddress>
<MACAddress>AB:CB:BC:DE:EE:FF</MACAddress>
</Device>
<User>
<Id>jc101</Id>
</User>
</EventSource>
<EventDetail>
<TypeId>4921</TypeId>
<Description>A packet was rejected by filter xyz</Description>
<Alert>
<Type>Network</Type>
<Severity>Minor</Severity>
<Priority>High</Priority>
<Subject>Filter XYZ</Subject>
<Network>
<Source>
<Device>
<IPAddress>192.168.0.4</IPAddress>
<Port>56123</Port>
</Device>
</Source>
<Destination>
<Device>
<IPAddress>192.168.7.5</IPAddress>
<Port>53</Port>
</Device>
</Destination>
</Network>
</Alert>
</EventDetail>
</Event>
</Events>
8 - Import (File)
<EventDetail>/<Import>//<File>
The following example illustrates how removable media use could be represented within the event-logging schema. The action is that user jc101 has read the file E:/DCIM/Spacecam101/141516.jpg from a removable USB drive onto the workstation LUNA/LUNADESK35.
N.B. Although the user might not have actually read the object represented in the EventDetail, all read operations (including file system read/open operations, web page accesses, etc.) are represented in the schema as View. The nature of the event (type of View) can be indicated within <EventDetail>/<TypeId>, as we have done in this example, and where possible a more human-readable explanation within <EventDetail>/<Description>.
<?xml version="1.0" encoding="UTF-8"?>
<Events
xmlns="event-logging:3"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="event-logging:3 file://event-logging-v999.99.9-documentation.xsd"
Version="999.99.9">
<Event>
<EventTime>
<TimeCreated>2017-01-02T03:04:05.678Z</TimeCreated>
</EventTime>
<EventSource>
<System>
<Name>Space Desk</Name>
<Environment>LunaDomain</Environment>
<Organisation>ACMECoolResearch</Organisation>
</System>
<Generator>RMMaster2000 RM Control</Generator>
<Device>
<HostName>rmmaster.luna.mydomain.org</HostName>
</Device>
<Client>
<Name>LUNA/LUNADESK35</Name>
<HostName>lunadesk35.lunadesk.luna.mydomain.org</HostName>
</Client>
<User>
<Id>jc101</Id>
<Domain>ACMECoolResearch/Users</Domain>
</User>
<Interactive>true</Interactive>
</EventSource>
<EventDetail>
<TypeId>ReadRM</TypeId>
<Description>User has read a file from removable media</Description>
<Import>
<Source>
<File>
<Name>141516.jpg</Name>
<Description>JPG Image</Description>
<Permissions>
<Permission>
<User>
<Id>jc101</Id>
<Domain>ACMECoolResearch/Users</Domain>
</User>
<Allow>Read</Allow>
</Permission>
</Permissions>
<Path>E:/DCIM/Spacecam101/141516.jpg</Path>
<Size>5445121</Size>
<Media>
<Type>USBMassStorage</Type>
<Removable>true</Removable>
</Media>
<Hash Type="SHA-256">66E0E8221E8B899F08658DA444064E631FA9B8ABE9068A208AFE051BD4E7B960</Hash>
</File>
</Source>
<Outcome>
<Permitted>true</Permitted>
</Outcome>
</Import>
</EventDetail>
</Event>
</Events>