While the schema documentation via https://schema.graylog.org/en/stable/schema/entities.html is very helpful, there isn't any explanation about the different field types, why they exist, how they are defined, what they are meant to be used for, what criteria goes into defining them (random example, what is a host field and what dictates what data populates host fields?)
I'm just noticing that some pages do have a note at the top, but not all.
A specific example that may warrant its own issue:
The entire use of source_ is confusing. For packetbeat DNS logs, source will be the DNS server, yet source_ip will be the IP of the machine that initiated the query. Destination is the DNS server itself -- the same as source.
Following this logic, I'm trying to normalize sshd logs. This makes even less sense now. source will be the ssh host, source_ip will be the client connecting to the source?
Or, if source was consistent, would the client SSHing to the server be the destination? For this reason most people tend to use something like remote_ip, remote_hostname, but remote isn't part of the schema.
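As an added illustration (not code from the issue or from the Graylog project), the following normalizer applies one convention to both log types the comment above mentions: source_ip/source_port for the side that initiated the connection or query, destination_ip/destination_port for the side that answered, and source for the host that produced the log. That is the behaviour the comment observed for packetbeat DNS, carried over to sshd, where the client is the initiator. The sample sshd lines, the packetbeat event layout (ECS-style client/server objects) and the field names other than source, source_ip and destination_ip are assumptions, not taken from the schema pages.

```python
import re
from typing import Any, Dict

# Constructed sample inputs (not real data from the issue).
SSHD_ACCEPTED = ("Jun 14 10:22:01 bastion01 sshd[2187]: Accepted publickey for alice "
                 "from 203.0.113.7 port 51234 ssh2")
SSHD_FAILED = ("Jun 14 10:23:45 bastion01 sshd[2190]: Failed password for invalid user bob "
               "from 198.51.100.9 port 40022 ssh2")

# Assumed shape of a packetbeat DNS event in ECS style: client = querying machine,
# server = resolver, host = the machine running packetbeat.
PACKETBEAT_DNS = {
    "host": {"name": "dns01"},
    "client": {"ip": "192.0.2.25", "port": 40123},
    "server": {"ip": "198.51.100.53", "port": 53},
    "dns": {"question": {"name": "example.org"}},
}

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<client_ip>[0-9A-Fa-f.:]+) port (?P<client_port>\d+)"
)


def normalize_sshd(line: str, server_ip: str) -> Dict[str, Any]:
    """Map one sshd auth line onto initiator/responder fields.

    sshd only logs the client's address; the server's own IP is not in the
    line, so the collector has to supply it (server_ip). The SSH client
    initiated the session, so it becomes source_ip; the logging host is
    both `source` (the reporting host) and destination_ip (the responder).
    """
    m = SSHD_RE.match(line)
    if not m:
        raise ValueError("unrecognized sshd line: %r" % line)
    return {
        "source": m.group("host"),
        "source_ip": m.group("client_ip"),
        "source_port": int(m.group("client_port")),
        "destination_ip": server_ip,
        "destination_port": 22,  # assumed default sshd port
        "user_name": m.group("user"),  # assumed field name
        "event_outcome": "success" if m.group("outcome") == "Accepted" else "failure",  # assumed field name
    }


def normalize_packetbeat_dns(evt: Dict[str, Any]) -> Dict[str, Any]:
    """Map a packetbeat DNS event the same way: the querying client is the
    initiator (source_ip), the resolver it asked is the responder
    (destination_ip), and `source` is the host that captured the event."""
    return {
        "source": evt["host"]["name"],
        "source_ip": evt["client"]["ip"],
        "source_port": evt["client"]["port"],
        "destination_ip": evt["server"]["ip"],
        "destination_port": evt["server"]["port"],
        "query_request_name": evt["dns"]["question"]["name"],  # assumed field name
    }


def direction_is_consistent(rec: Dict[str, Any], initiator_ip: str) -> bool:
    """Sanity check a normalizer should pass for every log type: the party that
    opened the connection or sent the query always lands in source_ip."""
    return rec["source_ip"] == initiator_ip and rec["destination_ip"] != initiator_ip


if __name__ == "__main__":
    for rec in (normalize_sshd(SSHD_ACCEPTED, "10.0.0.4"),
                normalize_sshd(SSHD_FAILED, "10.0.0.4"),
                normalize_packetbeat_dns(PACKETBEAT_DNS)):
        print(rec)
```

With this convention `source` (the reporting host) and `destination_ip` coincide for both sshd and the DNS resolver case, which is exactly what the comment found counter-intuitive; the point of the check function is that, whatever naming the schema settles on, the initiator should end up in the same field for every log type.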