Attributes naming convention

This article aims at providing guidelines about attributes naming convention. Due difference between log formats this is indeed very often difficult to make side-by-side comparison.

The purpose here is then to help teams normalising logs in order and facilitate the constructions of an efficient log management platform.

The following attributes are grouped into a few functional domains:

  • Syslog and log shippers
  • Network communications
  • HTTP Requests
  • Source code
  • Infrastructure metrics
  • User related attributes

Syslog and Log-shipper agents

Related to the data added by a syslog or a log-shipper agent. All fields and metrics are prefixed by syslog.

Fullname
Type
Description

syslog.hostname

string

The hostname related to the log event

syslog.appname

string

The application name (or tag) related to the log event

syslog.severity

string

The level of the severity of the log event

syslog.env

string

The environment name where the source of logs come from

Some integrations that rely on these are: Rsyslog, NxLog, Syslog-ng, Infrastructure, Fluentd, Logstash, etc.

Network

Related to the data used in a network communication. All fields and metrics are prefixed by network.

Fullname
Type
Description

network.client_ip

String

The IP address of the client which initiated the TCP connection

network.destination_ip

String

The IP address the client connected to

network.client_port

Number

The port of the client which initiated the connection.

network.destination_port

Number

The TCP port the client connected to

network.bytes_read

Number

Total number of bytes transmitted from the client to the server when the log is emitted

network.bytes_write

Number

Total number of bytes transmitted from the server to the client when the log is emitted

Integrations using it: Apache, Varnish, AWS ElasticBalancer, Nginx, etc.

HTTP Requests

Related to the data commonly used in HTTP requests & accesses. All attributes are prefixed by http.

Common fields

Fullname
Type
Description

http.request

String

The HTTP request

http.response_time

Number

Total time in milliseconds elapsed for the processing of the request

http.status_code

Number

The HTTP status code returned to the client

http.verb

String

The HTTP verb of the request
Url that the client reports having been referred from

http.referer

String

The HTTP referer

http.request_id

String

The HTTP request id

http.user_agent.raw

String

The User-Agent as it is sent (raw format). See bellow for all details about it

HTTP Request details fields

Details about the parts of HTTP requests.

Fullname
Type
Description

http.request_details.host

String

The HTTP host part of the request

http.request_details.port

Number

The HTTP port part of the request

http.request_details.path

String

The HTTP path part of the request

http.request_details.queryString

Object

The HTTP query string part of the request

User agent fields

Details about the meanings of user agents attributes.

Fullname
Type
Description

http.user_agent.os.family

String

The OS family reported by the user-agent

http.user_agent.browser.family

String

The Browser Family reported by the user-agent

http.user_agent.device.family

String

The Device family reported by the user-agent

Integrations relying on these attributes are: Apache, Rails, AWS CloudFront, NodeJs, etc.

Source code

Related to the data used when log and error are shipped via a logger. All attributes are prefixed either by logger or error.

Fullname
Type
Description

logger.logger_name

String

The name of the logger

logger.thread_name

String

The name of the current thread when the log is fired

logger.method_name

String

The class method name

error.name

String

The error name

error.code

Number

The code error

error.stack_trace

Object

The stack trace or the complementary information about the error

Integrations relying on these attributes are: Java Log4J, NodeJs, Goland, Source code, etc.

Infrastructure

Related to the OS metrics. All attributes are prefixed by infrastructure:

Fullname
Type
Description

infra.memory.total

Number

The total of memory

infra.memory.rss

Number

The resident set size used

infra.memory.cache

Number

The cache size used

infra.memory.swap

Number

The size of the swap used

infra.cpu

Number

The percent of cpu used

Integrations using it: Docker, Infrastructure, PerfStats, Elastic Beats etc.

User related attributes

Related to the data used when the application is logging data about the current context.

User related attributes

All fields and metrics are prefixed by user.

Fullname
Type
Description

user.name

String

The fullname of the user attached to the event

user.email

String

The user's email attached to the event

Attributes naming convention

This article aims at providing guidelines about attributes naming convention. Due difference between log formats this is indeed very often difficult to make side-by-side comparison.

The purpose here is then to help teams normalising logs in order and facilitate the constructions of an efficient log management platform.