Basic reports for OS: Linux, Unix, Windows, Solaris ...

Question asked by Omar Garcia Gilio on May 25, 2018


I need to make some basic report rules for many OSs (mostly Linux and Windows), so I was thinking of using the '' meta, because I guess this meta exists for all OS logs. So I was wondering:


Is there a list of all possible values of this meta?

How is this meta generated? I can't see it in the device's parser.

Is it correct to suppose that this meta is generated for all OS logs, and that it has the same value across them? E.g. all successful user login events (no matter the device type) have < = 'user.activity.successful logins'>


Is there another meta key that works better than "" for this kind of report?


My goal is to create reports like: successful logins, login failures, user changes, etc.
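The three reports the question describes (successful logins, login failures, user changes) only work across device types if every source line is first mapped onto one normalised category value. The script below is an added example, not code from the original post and not RSA NetWitness's parser or meta generation: it shows what such a normalising step looks like over a handful of constructed Linux auth.log lines and constructed Windows Security events. Only the category value 'user.activity.successful logins' is taken from the post; the other two category names, the key=value rendering of the Windows events, and the log lines themselves are assumptions made for the example.

```python
"""Added example (not from the original post): map constructed Linux and
Windows log lines onto one cross-OS event category so a single report rule
('successful logins', 'login failures', 'user changes') covers both.
Category names other than the first one are assumed; the log lines are
constructed samples, not captured data."""
import re
from collections import Counter

SUCCESS = "user.activity.successful logins"   # value quoted in the post
FAILURE = "user.activity.failed logins"       # assumed category name
USER_CHANGE = "user.management.changes"       # assumed category name

# Linux auth.log rules: sshd, useradd, usermod, passwd (constructed message shapes)
LINUX_RULES = [
    (re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+)"), SUCCESS),
    (re.compile(r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+)"), FAILURE),
    (re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)"), USER_CHANGE),
    (re.compile(r"usermod\[\d+\]: [^']*'(?P<user>[^']+)'"), USER_CHANGE),
    (re.compile(r"passwd\[\d+\]: .*password changed for (?P<user>\S+)"), USER_CHANGE),
]

# Windows Security event IDs mapped onto the same three categories
WINDOWS_EVENT_CATEGORY = {
    "4624": SUCCESS,      # An account was successfully logged on
    "4625": FAILURE,      # An account failed to log on
    "4720": USER_CHANGE,  # A user account was created
    "4722": USER_CHANGE,  # A user account was enabled
    "4724": USER_CHANGE,  # An attempt was made to reset an account's password
    "4725": USER_CHANGE,  # A user account was disabled
    "4726": USER_CHANGE,  # A user account was deleted
    "4738": USER_CHANGE,  # A user account was changed
}
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample input: Linux syslog lines plus Windows events rendered as
# key=value pairs (an assumed rendering, not any product's export format).
SAMPLE_LINES = [
    "May 25 10:01:02 web1 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "May 25 10:03:17 web1 sshd[2244]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2",
    "May 25 10:04:40 web1 useradd[2301]: new user: name=bob, UID=1002, GID=1002, home=/home/bob, shell=/bin/bash",
    "May 25 10:04:41 web1 usermod[2305]: add 'bob' to group 'sudo'",
    "Channel=Security EventID=4624 TargetUserName=carol LogonType=10 IpAddress=10.0.0.8",
    "Channel=Security EventID=4625 TargetUserName=carol LogonType=10 IpAddress=10.0.0.8",
    "Channel=Security EventID=4625 TargetUserName=administrator LogonType=3 IpAddress=203.0.113.9",
    "Channel=Security EventID=4738 TargetUserName=dave SubjectUserName=helpdesk",
    "Channel=Security EventID=4672 SubjectUserName=SYSTEM",  # privilege assignment: no report row
]


def categorize(line):
    """Return (category, user) for a line that belongs to one of the three
    reports, or None for anything else."""
    if line.startswith("Channel=Security"):
        fields = dict(KV_RE.findall(line))
        category = WINDOWS_EVENT_CATEGORY.get(fields.get("EventID"))
        return (category, fields.get("TargetUserName", "")) if category else None
    for pattern, category in LINUX_RULES:
        match = pattern.search(line)
        if match:
            return category, match.group("user")
    return None


def report(lines):
    """Count events per category regardless of source OS: the equivalent of
    a report rule grouped on the normalised category rather than device type."""
    counts = Counter()
    for line in lines:
        hit = categorize(line)
        if hit:
            counts[hit[0]] += 1
    return counts


def users_by_category(lines, category):
    """Sorted, de-duplicated user names seen under one category."""
    users = set()
    for line in lines:
        hit = categorize(line)
        if hit and hit[0] == category:
            users.add(hit[1])
    return sorted(users)


if __name__ == "__main__":
    for category, count in report(SAMPLE_LINES).items():
        print(f"{category}: {count} events, users={users_by_category(SAMPLE_LINES, category)}")
```

One caveat worth keeping in mind when building the real rules: a single login often produces more than one source line (for example an sshd "Accepted" line followed by a PAM "session opened" line), so a category rule that matches both will double-count unless the report keys on one of them.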