diff --git a/README.md b/README.md
index 37692fe..e203b1e 100644
--- a/README.md
+++ b/README.md
@@ -47,6 +47,7 @@ An XML Schema standard for describing audit events.
| Pack version | Stroom 5.0.x | Stroom 6.0.x | Stroom 7.0.x |
| --------------------------------------------------------------------------------------------- | ------------ | ------------ | -------------|
+| [v4.1.0](https://github.com/gchq/stroom-content/releases/tag/event-logging-xml-schema-v4.1.0) | Y | Y | Y |
| [v4.0.0](https://github.com/gchq/stroom-content/releases/tag/event-logging-xml-schema-v4.0.0) | Y | Y | Y |
| [v3.4.2](https://github.com/gchq/stroom-content/releases/tag/event-logging-xml-schema-v3.4.2) | Y | Y | Y |
| [v3.2.3](https://github.com/gchq/stroom-content/releases/tag/event-logging-xml-schema-v3.2.3) | Y | Y | Y |
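Review bot: the new v4.1.0 row marks the pack as compatible with Stroom 5.0.x, 6.0.x and 7.0.x, but nothing in the change says this was verified, and this matrix is what consumers check before importing a content pack; please confirm the import was tested against each listed major version (or mark untested cells as such) and that the release tag `event-logging-xml-schema-v4.1.0` linked in the row is actually published before this merges, since a dangling link from the compatibility table is the first thing users hit.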
diff --git a/source/event-logging-xml-schema/README.md b/source/event-logging-xml-schema/README.md
index 7e65557..6bc565f 100644
--- a/source/event-logging-xml-schema/README.md
+++ b/source/event-logging-xml-schema/README.md
@@ -6,6 +6,14 @@ The following represents the folder structure and content that will be imported
* _XML Schemas_
* _event-logging_
+ * **event-logging v4.1.0** `XMLSchema`
+
+ Version 4.1.0 of the event-logging XMLSchema.
+
+ * **event-logging v4.0.0** `XMLSchema`
+
+ Version 4.0.0 of the event-logging XMLSchema.
+
* **event-logging v3.4.2** `XMLSchema`
Version 3.4.2 of the event-logging XMLSchema.
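Review bot: the two new list entries use a different layout from the existing ones: the added `* **event-logging v4.1.0** \`XMLSchema\`` and `* **event-logging v4.0.0** \`XMLSchema\`` items put a blank line between the title and the `Version x.y.z of the event-logging XMLSchema.` description, whereas the unchanged v3.4.2 item has no blank line, so the new items will render as loose list items with paragraph spacing while the old ones render tight; pick one style for the whole list. Also worth noting that v4.0.0 is only now being added to this pack-level README even though it already appears in the top-level compatibility table, so a quick check that no other existing version is missing from this list would be useful.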
diff --git a/source/event-logging-xml-schema/stroomContent/XML Schemas/event-logging/event_logging_v4_1_0.XMLSchema.befcc474-36e4-4db4-a610-bd1fe6825cb1.data.xsd b/source/event-logging-xml-schema/stroomContent/XML Schemas/event-logging/event_logging_v4_1_0.XMLSchema.befcc474-36e4-4db4-a610-bd1fe6825cb1.data.xsd
new file mode 100644
index 0000000..693bacd
--- /dev/null
+++ b/source/event-logging-xml-schema/stroomContent/XML Schemas/event-logging/event_logging_v4_1_0.XMLSchema.befcc474-36e4-4db4-a610-bd1fe6825cb1.data.xsd
@@ -0,0 +1,4666 @@
+
+
+
+
+ This schema describes the allowed element structure for event logging. Please refer to the documentation and examples for a description of how to use this schema in addition to the descriptions given for each element within this schema.
+
+
+
+ The root element that contains multiple Event elements.
+
+
+
+ The root element that contains multiple Event elements.
+
+
+
+
+ This element contains data relating to the sharing of a set of events between different systems or organisations. The data contained within this element will confirm to a specification defined outside of this schema.
+
+
+
+
+ A single event that has occurred and been recorded.
+
+
+
+ A single event that has occurred and been recorded.
+
+
+
+
+ This element can be used to supply any metadata relating to the event as long as it conforms to an allowed format/specification (defined outside this XML Schema).
+
+
+
+
+ The classification for the event.
+
+
+
+
+ This element contains data relating to the sharing of an event between different systems or organisations. The data contained within this element will confirm to a specification defined outside of this schema.
+
+
+
+
+ This element contains information about the time the event was created.
+
+
+
+
+ This element details where the event came from, i.e. what generator created the event and on what device.
+
+
+
+
+ This element describes the details of what happened in the event: the type of the event, why it happened and the event action.
+
+
+
+
+ This element can be used to create relationships between different events, i.e. where one event is the child of another.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit. Can also be used for appending data about the event after it has been received or processed, e.g. for recording details relating to the processing of the event such as the feed name.
+
+
+
+
+
+
+
+
+ The version of the schema that this document conforms to.
+
+
+
+
+
+
+
+
+ Describes a field to search and what to search for using name, condition and value, e.g. Title Contains 'Fox' or Title Equals 'The Quick Brown Fox'.
+
+
+
+
+ All of the enclosed items are to be treated as being AND'd together.
+
+
+
+
+ All of the enclosed items are to be treated as being OR'd together.
+
+
+
+
+ The enclosed structure operators and terms are negated.
+
+
+
+
+
+
+
+
+ This element can be used to supply any metadata relating to an object as long as it conforms to an allowed format/specification (defined outside this XML Schema). This can be used for adding metadata to the event after receipt.
+
+
+
+
+ The type of the object in question and specific to the object type from the list above, e.g. a 'Resource' object may have a type such as 'image' or 'script'.
+
+
+
+
+ An identifier for the object, e.g a document ID in a document management system. This ID is likely to be specific to the system that generated the event.
+
+
+
+
+ The name of the object, e.g. a filename.
+
+
+
+
+ Human readable description of what the object is.
+
+
+
+
+ Any classification, protective marking or restrictions placed on the object, e.g. for commercially sensitive reports or user health records.
+
+
+
+
+ Any state information about the object, e.g. 'Archived'.
+
+
+
+
+ Any groups associated with the object, e.g. group membership of a user account.
+
+
+
+
+ The collection of permissions associated with the object, e.g. write access being granted to a list of named users.
+
+
+
+ The collection of permissions associated with the object, e.g. write access being granted to a list of named users.
+
+
+
+
+ A permission rule associated with an object, e.g. read and write access being granted to a user.
+
+
+
+ A permission rule associated with an object, e.g. read and write access being granted to a user.
+
+
+
+
+
+ A user that has been granted (or is prevented from having) some form of permission.
+
+
+
+
+ A named group of users that has been granted (or is prevented from having) some form of permission.
+
+
+
+
+
+ The permission attributes that have been explicitly allowed.
+
+
+
+
+ The permission attributes that have been explicitly denied.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+
+
+ Metadata tags that can be used for additional object tagging or categorisation. Object tagging allows for the labelling (or filtering) of objects using words that label, categorise or group similar items, using a taxonomy defined outside this schema. For example, an email could be tagged with tags like 'internal', 'spam', 'external', 'rich-content', etc.
+
+
+
+
+
+
+
+
+ A collection of Datasource definitions that are referenced by the criteria/query
+
+
+
+ A collection of Datasource definitions that are referenced by the criteria/query
+
+
+
+
+ The name or path of one or more datasources or datasets that are used by a criteria/query, e.g. 'EuroVoc XML distribution' or 'hdfs://mynamenode:8020/datasets/hr/grades.xml'
+
+
+
+
+
+
+
+ Structure used to describe the query associated with a search event.
+
+
+
+
+ Details of the page (or sub-set) of results actually displayed/returned to the user, if known at query time.
+
+
+
+ Details of the page (or sub-set) of results actually displayed/returned to the user, if known at query time.
+
+
+
+
+ The number of pages/sets that make up the complete result set.
+
+
+
+
+ The maximum number of results that will be displayed per page. E.g. 10 results per page.
+
+
+
+
+ The number of the page/set of results displayed/returned to the user, e.g. 3 out of 24 pages.
+
+
+
+
+ The index of the first result in the page out of the full result set (inclusive), e.g. 11 (in the case of showing results 11-20 of 453)
+
+
+
+
+ The index of the last result in the page out of the full result set (inclusive), e.g. 20 (in the case of showing results 11-20 of 453)
+
+
+
+
+
+
+
+ The total number of results returned by the query, if known at query time. In situations where only a sub-set of results are displayed/returned to the user then this element represents the count of ALL results and ResultPage should be used to provide details of which results are actually viewed/returned by the user.
+
+
+
+
+ Describes the results returned by the search if they are known at the time of the Search event (a synchronous search). If the results are not know at execution time (an asynchronous search) and will be viewed as part of a separate event then View/SearchResults can be used to model that event.
+
+
+
+
+
+
+
+
+
+ Description of the software that was installed/uninstalled.
+
+
+
+
+ Description of the hardware that was installed/uninstalled.
+
+
+
+
+ Description of the media that was installed/uninstalled.
+
+
+
+
+
+ The outcome of the (un)installation.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ Describes the association or link between two or more entities, e.g. the link between two web resources.
+
+
+
+
+ Describes a banner or message presented to a user, e.g. an acceptable use policy message shown on system login.
+
+
+
+
+ Describes part of a chat session between a user and one or more other users, e.g. in an instant messaging application.
+
+
+
+
+ Describes the configuration of entity, e.g. it can be used to describe the update to the configuration of a network device.
+
+
+
+
+ Structure used to describe a criteria used to filter or limit the scope of something, e.g. in a search, view, update or delete event.
+
+
+
+
+ Describes a document that may be stored electronically or in hard-copy form.
+
+
+
+
+ Describes an email sent from one user to one or more recipients.
+
+
+
+
+ A file object, e.g. a text file on file system
+
+
+
+
+ A folder object, e.g. a directory or folder on file system.
+
+
+
+
+ A group entity, e.g. a user group, an access control group or a named group of some kind that ties together a collection of entities/objects of some kind.
+
+
+
+
+ Describes the details of a chat event within a chat room or group.
+
+
+
+
+ A generic object or entity that cannot be described using any of the other more specific object types.
+
+
+
+
+ A set of search results from a query where the results are viewed or interacted with in a separate event to the execution of the query. E.g. for long-running queries where the results are stored for later viewing/processing. The Search schema action should be used to describe the event for the execution of the search. Query/Id or Query/Name can be used to associate the results event with the query event.
+
+
+
+
+ A shortcut to another file/object, such as a Windows Shortcut or linux symbolic link.
+
+
+
+
+ A user entity which may represent a person or some form of non-human processing user.
+
+
+
+
+ This is used to describe the session used when viewing another user's session, e.g. screen sharing or remote assistance type activities.
+
+
+
+
+ Describes a Voice Over Internet Protocol call.
+
+
+
+
+ This is used to describe a resource within a website or web application, such as an HTML file, image file or script, along with the details of that resource such as size or response codes. It can represent both successful and failed access to the resource object.
+
+
+
+
+
+
+
+
+ The initiator(s) of the object or resource sent or received. An initiator can be a user and/or device.
+
+
+
+ The initiator(s) of the object or resource sent or received. An initiator can be a user and/or device.
+
+
+
+
+ The user that sent the payload.
+
+
+
+
+ The device that sent the payload.
+
+
+
+
+
+
+
+ The destination(s) of the object or resource sent or received. A destination can be a user and/or device.
+
+
+
+ The destination(s) of the object or resource sent or received. A destination can be a user and/or device.
+
+
+
+
+ The user that the payload is being sent to
+
+
+
+
+ The device that the payload is being sent to
+
+
+
+
+
+
+
+ If the network action is related to message transfer from one place to another then this element describes the message.
+
+
+
+
+ Used to determine if the action was successful. If omitted it is assumed that the event was successful and was permitted.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ Describes a set of groups used to control access to protectively marked items.
+
+
+
+
+ The name of an access control group that is used to control access to protectively marked items. E.g. 'HR', 'Auditors', 'Management', etc.
+
+
+
+
+
+
+ Type that describes relationships between different events. For example in an asynchronous search the viewing of the results of the search may be a separate event from the execution of the query. In this instance the view event would be a child of the execution event.
+
+
+
+
+ The unique identifier of the event that is being referenced. This will be the value of Event/EventSource/EventId on the referenced event. E.g. where an event with Event/EventSource/EventId=101 is a child of an event with Event/EventSource/EventId=99, the value in this element would be 99.
+
+
+
+
+ A descriptive name for the referenced event.
+
+
+
+
+ The details of the event that is the parent of this referenced event. E.g. if event C is a child of event B which is a child of event A, this element would record an Id of A.
+
+
+
+
+
+
+ Type that describes and alert of some kind, e.g. an alert generated by an intrusion detection system, malware scanner, virus scanner, etc.
+
+
+
+
+ The type of alert that has been fired, e.g. Error, Malware, etc.
+
+
+
+
+ The severity of the alert.
+
+
+
+
+ The priority of the alert.
+
+
+
+
+ The name of the event or rule that fired or vulnerability or malware that has been scanned for or found.
+
+
+
+
+ The descriptive message for the alert.
+
+
+
+
+ Information about an IDS generated event.
+
+
+
+ Information about an IDS generated event.
+
+
+
+
+ The type of IDS event or rule that fired.
+
+
+
+
+ The source network device involved in the IDS event.
+
+
+
+
+ The destination network device involved in the IDS event.
+
+
+
+
+ Details about the payload being transmitted between the source and destination devices.
+
+
+
+
+
+
+
+ Type that describes a threat identified by an anti-malware scanner.
+
+
+
+
+ A type to describe part of a computer network or some activity on a network.
+
+
+
+
+ Any events to do with monitoring the status of files should use this element.
+
+
+
+ Information about an IDS generated event.
+
+
+
+
+ The action performed by the file monitor, e.g. starting to scan files for changes, or the detection of a file change.
+
+
+
+
+ Describes the last known state of the file before it was altered.
+
+
+
+
+ Describes the new state of the file now it has changed.
+
+
+
+
+ The file monitoring rule that was fired to generate this event.
+
+
+
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ All of the enclosed items are to be treated as being AND together.
+
+
+
+
+
+ Type that describes a threat identified by an anti-malware scanner.
+
+
+
+
+ Describes the anti-malware product used.
+
+
+
+
+ Describes the anti-malware signature used.
+
+
+
+ Describes the anti-malware signature used.
+
+
+
+
+ The version of the signature.
+
+
+
+
+ When the signature was last updated.
+
+
+
+
+
+
+
+ Describes the threat if one has been found.
+
+
+
+ Describes the threat if one has been found.
+
+
+
+
+ The category of the threat, e.g. Worm, Virus, etc.
+
+
+
+
+ The name of the threat, e.g. a virus name.
+
+
+
+
+
+
+
+ Describes the infected item if one has been found.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit. Can also be used for appending data about the event after it has been received or processed, e.g. for recording details relating to the processing of the event such as the feed name.
+
+
+
+
+
+
+ This type is used to contain any content conforming to an agreed format/specification that is defined outside this XML Schema.
+
+
+
+
+
+
+ String to describe the format type and specification of the content, e.g. JSON or XML. The valid values are defined outside this XML Schema.
+
+
+
+
+ Defines the version of data structure specification.
+
+
+
+
+ An identifier, name or key to distinguish this block of content from others in the document. It can either be globally unqiue, unique within the document or unique within its siblings.
+
+
+
+
+
+ This type describes an approval (or rejection) event in a workflow, e.g a workflow where a more privileged user is required to approve the work of another user.
+
+
+
+
+ The action that the approval event is capturing, e.g. Approve, Reject, etc.
+
+
+
+
+ An identifier associated with the approval step/process.
+
+
+
+
+ The object that this approval step (or request for approval) relates to, e.g. the document being approved.
+
+
+
+
+ The user(s) that requested the approval, e.g. jbloggs requesting approval from a manager for his finance report.
+
+
+
+ The user(s) that requested the approval, e.g. jbloggs requesting approval from a manager for his finance report.
+
+
+
+
+ A user that requested the approval, e.g. jbloggs requesting approval from a manager for his finance report.
+
+
+
+
+
+
+
+ The user(s) that are providing the approval, e.g. a user requesting approval from manager fsmith for his finance report.
+
+
+
+ The user(s) that are providing the approval, e.g. a user requesting approval from manager fsmith for his finance report.
+
+
+
+
+ The user that is providing the approval, e.g. a user requesting approval from manager fsmith for his finance report.
+
+
+
+
+
+
+
+ The reason for the approval/rejection/request, e.g. why the approval was rejected.
+
+
+
+
+ Used to determine if the action was successful. If omitted it is assumed that the event was successful and was permitted.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ This type describes the association or linking of a number of objects. For example, it may describe the link between two web resources.
+
+
+
+
+
+
+ The objects that have some form of link or association
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ Used to record authentication events such as logon and logoff. All authentication events that originate from a client device should record details of the client device in the event source.
+
+
+
+
+ The authentication action that was performed, e.g. Logon, Logoff.
+
+
+
+
+ This indicates the type of logon. For example, Microsoft Windows has several logon types such as Interactive (logon to domain), RemoteInteractive (logon to remote machine), CachedInteractive (logon to local machine using cached domain information due to loss of network).
+
+
+
+
+
+ The user who the authentication action relates to.
+
+
+
+
+ Where a device authenticates with another device, this is the device that initiates the authentication action.
+
+
+
+
+ The group the authentication action relates to.
+
+
+
+
+
+ Used to determine if the action was successful. If omitted it is assumed that the event was successful and was permitted.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ Used to describe the outcome of an authentication event, including the reason for any failure.
+
+
+
+
+
+
+ An enumeration used to describe the reason why authentication failed.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ Describes event actions related to account management such as adding and removing user and system accounts. It can also describe event actions related to the request for authorisation, e.g. when a user is checked against a set of permissions for the data/entities they are trying to access.
+
+
+
+
+
+ The type of the event action, e.g. a modification to authorisation rules/groups or the request to be authorised.
+
+
+
+
+ A list of roles or permissions that have been added to an object.
+
+
+
+ A list of roles or permissions that have been added to an object.
+
+
+
+
+ A role or permission that has been added to an object.
+
+
+
+
+
+
+
+ A list of roles or permissions that have been removed from an object.
+
+
+
+ A list of roles or permissions that have been removed from an object.
+
+
+
+
+ A role or permission that has been removed from an object.
+
+
+
+
+
+
+
+ Used to determine if the action was successful. If omitted it is assumed that the event was successful and was permitted.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ Structure used to describe a banner presented to a user. Typically, it displays legal information relating to the system.
+
+
+
+
+
+
+ If the text of the banner is versioned then this records the version of the banner that is displayed to the user.
+
+
+
+
+ The message text displayed on the banner.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ Describes the details of a chat event, e.g. an instance message chat message from one user to another.
+
+
+
+
+
+
+ The ID for the chat session.
+
+
+
+
+ The name of the chat room or group.
+
+
+
+
+ The user that initiated the chat event.
+
+
+
+
+ The user(s) that the chat event (or message) is directed at.
+
+
+
+
+ The chat message or content sent by the user.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ A base type to describe a file object, e.g. a text file on file system
+
+
+
+
+
+
+ The full system file path.
+
+
+
+
+ The creation time of the file.
+
+
+
+
+ The modification time of the file.
+
+
+
+
+ The last access time of the file.
+
+
+
+
+ The size of the file in bytes.
+
+
+
+
+ Optional description of the media that the file exists on or that the file is being written to.
+
+
+
+
+ Describes the output of a hash function and the type of has function used.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ A base type to describe part of a computer network or some activity on a network.
+
+
+
+
+ The source device that is attempting the network action.
+
+
+
+
+ The destination device for the network action.
+
+
+
+
+ The name of the process responsible for the network action.
+
+
+
+
+ If the network action is related to message transfer from one place to another then this element describes the message.
+
+
+
+
+ The network boundary filter rule that was fired to generate this event.
+
+
+
+
+
+
+ A base type for describing some kind of object or entity.
+
+
+
+
+
+ Contains an item of data, e.g. a file, document, etc, and describes the outcome of the event as well as providing for additional event data that does not fit into the item of data element.
+
+
+
+
+
+ Used to determine if the action was successful. If omitted it is assumed that the event was successful and was permitted.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ Describes the outcome of an event whether it is successful and whether it was permitted.
+
+
+
+
+ If the outcome of an event was successful then 'true', 'false' otherwise. Can be omitted if true as this is the default. The main exception to this default would be if there were many varied Descriptions for the success criteria and such Descriptions could provide additional context to the event.
+
+
+
+
+ If an action was permitted then 'true', 'false' otherwise. Can be omitted if true as this is the default. The main exception to this default would be if there were many varied Descriptions for the success criteria and such Descriptions could provide additional context to the event.
+
+
+
+
+ A description of the authorisation service that was used to decide if the action was permitted.
+
+
+
+ A description of the authorisation service that was used to decide if the action was permitted.
+
+
+
+
+ An identifier for the authorisation service, usually a URI string.
+
+
+
+
+ The number of seconds a system is allowed to cache this authorisation before it needs to be checked again.
+
+
+
+
+
+
+
+ Human readable text that describes the outcome.
+
+
+
+
+
+
+ Describes the details of a chat event, e.g. an instance message chat message from one user to another.
+
+
+
+
+
+
+
+ Describes the classification and access controls for an item such as a document, record, file, etc.
+
+
+
+
+ Optional full human-readable text of the protective marking that can combine the various elements in this Classification structure, e.g 'Commercial in Confidence'.
+
+
+
+
+ The originator or creator of the protectively marked item. The originator is described by an Organisation and optionally qualified by the organisation's Country.
+
+
+
+
+ The custodian or owner of the protectively marked item. The custodian is responsible for the lifecycle of the marked item. The custodian is described by an Organisation and optionally qualified by the organisation's Country.
+
+
+
+
+ The classification of the protectively marked item. E.g. 'OFFICIAL', 'COMMERCIAL IN CONFIDENCE', 'CONFIDENTIAL', 'INTERNAL' etc.
+
+
+
+
+ Additional descriptors or keywords to further qualify the Classification e.g. 'PERSONAL'
+
+
+
+ Additional descriptors or keywords to further qualify the Classification e.g. 'PERSONAL'
+
+
+
+
+ Descriptor or keyword to further qualify the Classification e.g. 'PERSONAL'
+
+
+
+
+
+
+
+ The groups that a person must belong to AT LEAST ONE OF in order to be permitted to access the protectively marked item. E.g. 'HR' OR 'Auditors'.
+
+
+
+
+ The groups that a person must belong to ALL OF in order to be permitted to access the protectively marked item. E.g. 'Sales' AND 'Management'.
+
+
+
+
+ The nationalities of people permitted to access this protectively marked item. E.g. 'GBR', 'USA'
+
+
+
+ The nationalities of people permitted to access this protectively marked item. E.g. 'GBR', 'USA'
+
+
+
+
+ An ISO 3166 alpha-3 trigraph for a nationality permitted to view this protectively marked item. E.g. 'GBR'.
+
+
+
+
+
+
+
+ The organisations permitted to access the protectively marked item.
+
+
+
+ The organisations permitted to access the protectively marked item.
+
+
+
+
+ An organisation permitted to access the protectively marked item. The PermittedOrganisation is described by an Organisation and optionally qualified by the organisation's country code.
+
+
+
+
+
+
+
+ Controls governing the onward handling of the protectively marked item
+
+
+
+ Controls governing the onward handling of the protectively marked item
+
+
+
+
+ A policy or control governing the onward handling of a protectively marked item. E.g. ORIGINATOR_CONTROLLED
+
+
+
+
+
+
+
+ Describes the timescale and process for the disposal of the protectively marked item
+
+
+
+ Describes the timescale and process for the disposal of the protectively marked item
+
+
+
+
+ Date/time that the disposition process must be enacted by
+
+
+
+
+ The action to be taken on expiry of the disposition date. E.g. 'DELETE' to delete the item.
+
+
+
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ Describes the configuration of entity, e.g. it can be used to describe the update to the configuration of a network device.
+
+
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ The geographic coordinates of the location (i.e. the latitude/longitude).
+
+
+
+
+ Geographic coordinate specifying the north/south position on the earth's surface, expressed as decimal degrees from the equator (0). -90 (South) to +90 (North).
+
+
+
+
+ Geographic coordinate specifying the east/west position on the earth's surface, expressed as decimal degrees from the Greenwich Meridian (0). -180 (West) to +180 (East).
+
+
+
+
+
+
+ Describes an event action relating to copying data, files, documents, etc.
+
+
+
+
+ The source of the data being copied.
+
+
+
+
+ The destination for the data being copied.
+
+
+
+
+ Used to determine if the copy was successful. If omitted it is assumed that the copy was successful and was permitted.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ Used to describe the outcome of a copy or move event, including the reason for any failure.
+
+
+
+
+
+
+ Used to explain the reason for failure, e.g. Device full.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ Describes an event action relating to creating data, files, documents, etc.
+
+
+
+
+
+
+
+ Structure used to describe a criteria used for search, view, update or delete.
+
+
+
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ Describes any other event data that does not fit into a schema element but may be useful for the purpose of audit. The recursive nature of this type means it can be used to model a tree of data.
+
+
+
+
+ A child data item that may itself have descendants.
+
+
+
+
+
+ The name of the data item. The taxonomy of the data items may be defined by the system sending the events or defined centrally for all systems to use.
+
+
+
+
+ The simple string value for the data item.
+
+
+
+
+
+ Describes an event action relating to deleting data, files, documents, etc.
+
+
+
+
+
+
+
+ Describes a device, e.g. a workstation, server or item of network infrastructure.
+
+
+
+
+ Identifier used to uniquely identify the device within the organisation's asset register/system. Also, this can be used to identify a device that does not have HostName/IPAddress/MACAddress.
+
+
+
+
+ A descriptive name of the device, e.g. 'Sun Fire X4600', 'HP LaserJet 4+'.
+
+
+
+
+ The security classification associated with this device.
+
+
+
+
+ The network host name of the device, e.g. someserver.somenet.org.uk. Ideally this field should always contain a fully qualified DNS name of the host.
+
+
+
+
+ The network IP address of the device, e.g. 192.168.0.3. Ideally this should always be supplied.
+
+
+
+
+ The Media Access Control (MAC) address of the device.
+
+
+
+
+ The network port that is being used on the device, e.g. 443.
+
+
+
+
+ Describes the geographic location of the device.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ Describes a document that may be stored electronically or in hard-copy form.
+
+
+
+
+
+
+ The title or name of the document.
+
+
+
+
+ A unique code or ID that can be used to reference the document.
+
+
+
+
+ The version or iteration of the document, e.g. v13 or v1.3.
+
+
+
+
+ The path that defines the location of the document on a file system or document management system, e.g. '/some/path/to/the/document.pdf'
+
+
+
+
+ The date that the document was created.
+
+
+
+
+ The date that the document was last modified.
+
+
+
+
+ The date that the document was last accessed.
+
+
+
+
+ The number of pages in the document.
+
+
+
+
+ The size of the document in bytes.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ Describes an email sent from one user to one or more recipients.
+
+
+
+
+
+
+ The user that sent the email.
+
+
+
+
+ The user(s) and/or distribution group(s) that the email was sent to.
+
+
+
+
+ The user(s) and/or distribution group(s) that the email was CC'd (carbon copied) to.
+
+
+
+
+ The user(s) and/or distribution group(s) that the email was BCC'd (blind carbon copied) to.
+
+
+
+
+ The subject text of the email.
+
+
+
+
+ The content of the email, i.e. the message body. This may be plain text or some form of rich text like HTML.
+
+
+
+
+ The MIME (Multipurpose Internet Mail Extensions) type of the email body, i.e. the format of the message body, e.g. 'text/plain' or 'text/html'.
+
+
+
+
+ The date taken from the email 'Date' header. This date is in string form and in the format and timezone as produced by the email client. It may be local time or UTC depending on the client, therefore it may differ to the EventTime of this event. It is also possible it is invalid if the email client device is misconfigured, e.g. in the future.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ This type can be used to create relationships between different events, i.e. where one event is the child of another.
+
+
+
+
+ The event that this event has a relationship to or is referenced by.
+
+
+
+
+
+
+ This type describes the details of what happened in the event: the type of the event, why it happened and the event action.
+
+
+
+
+ A name/code/ID to uniquely identify the logical event type within the service providing the events. E.g. a Windows eventId (i.e. representing 'Failed logon', 'Change password attempt', etc.) or for application logging: SaveRecord, ViewUserRecord, ViewSearchResults, etc. The granularity will depend on the application. Typically, the number of unique TypeIds will be in the 10s. Note, the values of the TypeId are not meant to be globally consistent, they will only be relevant within that service providing the events.
+
+
+
+
+ Some human-readable descriptive text for the event type.
+
+
+
+
+ The purpose/justification assigned to this event for user actions that are required to be justified for reasons of corporate policy, e.g. transferring data to removable media, viewing personnel records or making a high value payment.
+
+
+
+
+
+ Used to record authentication events such as logon and logoff. Also used for recording authentication by physical access controls, e.g. doors/turnstiles. All authentication events that originate from a client device should record details of the client device in the event source.
+
+
+
+
+ All events related to account management such as adding and removing user and system accounts.
+
+
+
+
+ Any events related to searching for data should use this element.
+
+
+
+
+ All events related to copying data, files, documents, etc. should use this element.
+
+
+
+
+ All events related to moving data should use this element.
+
+
+
+
+ All events related to creating data should use this element.
+
+
+
+
+ All events related to viewing data should use this element. Note that viewing data is subtly different from reading data. This event is to be used when data is displayed to an end user and not for data read by an application.
+
+
+
+
+ All events related to importing data should use this element. An import could include any batch insert of data from an external source or uploading a file.
+
+
+
+
+ All events related to exporting data should use this element. An export could include activities such as downloading data from an application or generating a report.
+
+
+
+
+ All events related to updating data should use this element.
+
+
+
+
+ All events related to deleting data should use this element.
+
+
+
+
+ Whenever processes such as applications or services are started, stopped etc., this should be recorded in this element. It also covers the running of batch processes or jobs.
+
+
+
+
+ All events related to printing should use this element.
+
+
+
+
+ Details about installation of either hardware or software.
+
+
+
+
+ Details about removal of either hardware or software.
+
+
+
+
+ Any events related to network traffic, filtering or access should be recorded using this element.
+
+
+
+
+ An alert event according to the system producing the event, e.g. an event raised when an anti-malware system finds malware.
+
+
+
+
+ Used for send events that are at a higher level than a network/send event, e.g. sending an email
+
+
+
+
+ Used for receive events that are at a higher level than a network/receive event, e.g. receiving an email
+
+
+
+
+ Any events relating to the action of approving/accepting or rejecting something, e.g. an approval step in a workflow, accepting a license agreement, or acceptable use policy. The event may relate to one user approving the work/action of another user or a single user accepting something.
+
+
+
+
+ This element should be used were the type of the event cannot be described by any of the other event actions, or the event type is unknown.
+
+
+
+
+
+
+
+ Details where the event came from, i.e. what generator created the event and on what device.
+
+
+
+
+ A unique identifier known to the source system that created the event. This identifier may not be unique outside the source system. It can be used for linking related events within the source system, e.g. where an event is part of a chain of events or is child of another event. Linking of events can be recorded with the Event/EventChain element.
+
+
+
+
+ Where an event is part of a session the identifier for that session can be recorded here to allow subsequent grouping of events for the same session. The SessionId should be a unique identifier for the session within the source system. It is not expected that the SessionId have meaning or be unique outside the source system.
+
+
+
+
+ The system that generated the event. This is not the same as the generator as the generator is merely the application or component that created the event, e.g. auditd. The system describes the higher level project/service or capability that uses the generator as a component, e.g. 'Payroll System'.
+
+
+
+
+ The thing that generated the event. This could be the name of an application, service or OS entity. Multiple devices may host the same generator, e.g. many copies of the same OS. The event type within the event description will describe an event that is unique to the generator, i.e. the generator is treated as a namespace for event type ids.
+
+
+
+
+ A description of the device that the event generator is hosted upon.
+
+
+
+
+ In situations where an event has been created as a result of an interaction with a client device, the client should be recorded. This will be the case for web applications that are responding to input from users with active sessions. All authentication events that originate from a connected client should populate this element.
+
+
+
+
+ In situations where an event has been created as a result of an interaction with a server device, the server should be recorded.
+
+
+
+
+ Physical access events are generated by doors, barriers, turnstiles, etc. This element provides details of the door and its location and access control properties.
+
+
+
+ Physical access events are generated by doors, barriers, turnstiles, etc. This type provides details of the door and its location and access control properties.
+
+
+
+
+ The site-wide name/identifier for the door.
+
+
+
+
+ A user readable description of the door.
+
+
+
+
+ Describes the geographic location of the device.
+
+
+
+
+ It is assumed that doors only allow for a single authenticated person to enter at a time, e.g. in the case of turnstiles. Where single entry is true this element can be omitted as this is expected by default.
+
+
+
+
+ This element is used to tell us to remove all access zones from the list of currently accessible zones for a user before adding a new one. This is the case whenever a user moves from one zone to another and loses all possible access to the zones they were previously in, i.e. they would need to re-authenticate to regain access rather than just pass back through the door. If not specified this element is considered to be true as most movement through a door removes access to previously accessible zones. Removal of all access zones provides anti pass-back protection.
+
+
+
+
+ A list of access zones that have been added by this event assuming it is successful. For example if a person successfully enters a building at door A, the system then adds the access zone for room X within that building which ensures the person must have correctly entered the building at door A before being able to access room X.
+
+
+
+
+
+ An area within a building that is accessible only via an authenticated access method, e.g. a turnstile or door with an access control system.
+
+
+
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit. Can also be used for appending data about the event after it has been received or processed, e.g. for recording details relating to the processing of the event such as the feed name.
+
+
+
+
+
+
+
+ Where events are created as a result of a user action or within the context of a user account, the user should be recorded. To achieve this it may be necessary to map the user identifier in an application to a common user identifier when populating this element. Where an identifier exists that is unique across the organisation, such as a distinguished name (User DN) from a certificate authority or directory service, then this should be used in the <Id> element in preference to any other user identifier.
+
+
+
+
+ In some cases an account may switch to another account in order to run a process or perform a privileged action, e.g. use of sudo. Where this happens the <User> element should still refer to the real user and this element should indicate what the temporary user was when the event was created, e.g. root. This is also often used when a system user (processing account) executes scheduled jobs on behalf of the real user that scheduled the job. Where an identifier exists that is unique across the organisation, such as a distinguished name (User DN) from a certificate authority or directory service, then this should be used in the <Id> element in preference to any other user identifier.
+
+
+
+
+ Indicates whether the event was produced as a result of direct interaction, i.e. user was directly responsible for the event being created and was present at the time it was created. This element will be false where an event may have been created after the user was present, e.g. where scheduled processing is performed or an action has been queued for execution later, as is the case when some form of asynchronous processing is used. All interactive events must provide the Id for the user. Can be omitted if true as this is the default.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ Describes the time the event was created.
+
+
+
+
+ This element contains information about the time the event was created.
+
+
+
+
+ This is an optional element to be used to indicate the time source that the event creation time has been synchronised with. In most circumstances it is assumed that the event time has been synchronised with the corporate time service where the generating device resides so the inclusion of this element is not required.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit. Can also be used for appending data about the event after it has been received or processed, e.g. for recording details relating to the processing of the event such as the feed name.
+
+
+
+
+
+
+ Captures data relevant to an export operation.
+
+
+
+
+ The source of the data being exported.
+
+
+
+
+ The destination for the data being exported.
+
+
+
+
+ Used to determine if the export was successful. If omitted it is assumed that the export was successful and was permitted.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ A type to describe a file object, e.g. a text file on file system
+
+
+
+
+
+
+
+ Describes a folder object, e.g. a directory or folder on file system.
+
+
+
+
+
+
+
+ Describes the details of a chat event within a chat room or group.
+
+
+
+
+
+
+
+ A group entity, e.g. a user group, an access control group or a named group of some kind that ties together a collection of entities/objects of some kind.
+
+
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ Describes a collection of group entities, e.g. user groups or access control groups.
+
+
+
+
+ One or more group entities, e.g. user groups or access control groups.
+
+
+
+
+
+
+ Used to describe a hardware item that may be added or removed from a system.
+
+
+
+
+ The type of hardware, e.g. hard disk drive.
+
+
+
+
+ A unique identifier for the piece of hardware, e.g. an asset number.
+
+
+
+
+ A friendly name for the hardware, e.g. a name that has been defined in an asset management or device monitoring system.
+
+
+
+
+ The model name as defined by the manufacturer.
+
+
+
+
+ The manufacturer of the piece of hardware.
+
+
+
+
+ The capacity of the device in bytes.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ Describes the output of a hash function and the type of has function used.
+
+
+
+
+ The value obtained from applying a hash function (e.g. MD5, SHA-256, etc.) to the contents of the file.
+
+
+
+ The type of hashing algorithm used, e.g. MD5, SHA-256, etc.
+
+
+
+
+
+
+
+ Captures data relevant to an import operation, e.g. importing a file from outside an application into the application.
+
+
+
+
+ The source of the data being imported.
+
+
+
+
+ The destination for the data being imported.
+
+
+
+
+ Used to determine if the import was successful. If omitted it is assumed that the import was successful and was permitted.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ Describes the installation of either hardware or software.
+
+
+
+
+
+ Describes the geographic location of the device.
+
+
+
+
+ The ISO-3166 country short name, e.g. 'UNITED KINGDOM OF GREAT BRITAIN AND NORTHERN IRELAND' or 'ANDORRA'
+
+
+
+
+ The location State or Province.
+
+
+
+
+ The location City.
+
+
+
+
+ The location Town.
+
+
+
+
+ The name of the site of the location, e.g. where an organisation has multiple distinct sites or campuses. Specifying the site is particularly important when the sites are in the same town/city.
+
+
+
+
+
+ The name of the building.
+
+
+
+
+ The floor of the building that the location refers to.
+
+
+
+
+ The identifier (e.g. name) of the room that the location refers to.
+
+
+
+
+
+ The identifier (e.g. name) of the desk that the location refers to.
+
+
+
+
+
+ The identifier for the rack/cabinet where the location refers to a rack mounted device, e.g. a rack mounted 4U server in a cabinet.
+
+
+
+
+ The position of the device where the location refers to a rack mounted device in a rack/cabinet. E.g. where a 4U device occupies U positions 1-4 in a cabinet (numbered from the bottom of the cabinet, starting from 1), the position would be '1'.
+
+
+
+
+
+
+
+ The timezone name for the location as defined by the IANA Timezone Database (https://www.iana.org/time-zones), e.g. 'Europe/London' or 'Australia/NSW'.
+
+
+
+
+ The geographic coordinates of the location (i.e. the latitude/longitude).
+
+
+
+
+ The name of a zone within a building or site with some form of access control/monitoring for entry/exit to the zone.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit. Can also be used for appending data about the event after it has been received or processed, e.g. for recording details relating to the processing of the event such as the feed name.
+
+
+
+
+
+
+ Used to describe media added or removed from a computer system, or as a location for reading and writing files.
+
+
+
+
+ The type of the removable media, e.g. MemoryCard
+
+
+
+
+ The identifier for the removable media. This may be an identifier provided by the media (e.g. the Card Identification or CID of an SD card) or assigned by device monitoring software.
+
+
+
+
+ A friendly name for the media, possibly assigned by device monitoring system..
+
+
+
+
+ Indicates if this media is removable, e.g. USB storage device or soft media such as DVD.
+
+
+
+
+ Indicates if a device has read-write access. Most devices are read-write so this is assumed to be true and can therefore be omitted where this is the case.
+
+
+
+
+ The capacity of the media in bytes.
+
+
+
+
+ The classification of the media.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ Metadata tags that can be used for additional object tagging or categorisation. Object tagging allows for the labelling (or filtering) of objects using words that label, categorise or group similar items, using a taxonomy defined outside this schema. For example, an email could be tagged with tags like 'internal', 'spam', 'external', 'rich-content', etc.
+
+
+
+
+ A categorisation tag or label
+
+
+
+
+
+
+ Captures data relevant to move events, e.g. moving a file from one folder/device to another.
+
+
+
+
+ The source of the data being moved.
+
+
+
+
+ The destination for the data being moved.
+
+
+
+
+ Used to determine if the move was successful. If omitted it is assumed that the move was successful and was permitted.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ Describes a collection of objects/entities that may be of different types.
+
+
+
+
+
+ A type to describe part of a computer network or some activity on a network.
+
+
+
+
+
+
+
+ Describes an event involving some form of activity on a computer network.
+
+
+
+
+ The action of a server binding a network socket to a port and IP address.
+
+
+
+
+ The action of a client system establishing a connection with a server.
+
+
+
+
+ The action of opening an unnamed socket that is bound to an address.
+
+
+
+
+ The action of closing an open socket or connection.
+
+
+
+
+ The action of sending data on a socket.
+
+
+
+
+ The action of receiving data on a socket.
+
+
+
+
+ The action of making a socket listen for connections.
+
+
+
+
+ The action of network traffic being permitted by an Access Control List (ACL).
+
+
+
+
+ The action of network traffic being denied by an Access Control List (ACL).
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit. Can also be used for appending data about the event after it has been received or processed, e.g. for recording details relating to the processing of the event such as the feed name.
+
+
+
+
+
+
+ Describes an end point within a network. This may be an application running on a device or a network appliance such as a switch.
+
+
+
+
+ A device at the source or destination involved in the network activity.
+
+
+
+
+ The application being used by the source or destination.
+
+
+
+
+ The transport protocol being used by the source or destination.
+
+
+
+
+ The Internet Control Message Protocol type number. See https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
+
+
+
+
+ The HTTP method, e.g. GET, POST, DELETE, PUT etc
+
+
+
+
+ The application protocol being used by the source or destination.
+
+
+
+
+ The port being used by the source or destination.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ A type to describe some activity on a network along with the outcome of that activity.
+
+
+
+
+
+
+ Used to determine if the action was successful. If omitted it is assumed that the event was successful and was permitted.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ The enclosed structure operators and terms are negated.
+
+
+
+
+
+ Describes a generic object or entity that cannot be described using any of the other more specific object types.
+
+
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ All of the enclosed items are to be treated as being OR together.
+
+
+
+
+
+ Describes an organisation optionally qualified by its country
+
+
+
+
+ An ISO 3166 alpha-3 trigraph for the country the organisation belongs to. E.g. 'GBR'.
+
+
+
+
+ The code or name for the organisation. E.g. 'Group HQ', 'Telecoms Division', etc.
+
+
+
+
+
+
+ Describes the outcome of an event whether it is successful and whether it was permitted.
+
+
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ Describes an event relating to a printer, e.g. printing a document.
+
+
+
+
+ The print action that was performed, e.g. CreateJob.
+
+
+
+
+ Describes the print job that the event relates to.
+
+
+
+ Describes the print job that the event relates to.
+
+
+
+
+ Describes the document being printed.
+
+
+
+
+ The number of pages being printed.
+
+
+
+
+ The size of the print job in bytes.
+
+
+
+
+ The time that the print job was submitted.
+
+
+
+
+
+
+
+ The printer settings that are to be used for the print job.
+
+
+
+ The printer settings that are to be used for the print job.
+
+
+
+
+ The paper size, e.g. A4.
+
+
+
+
+ The paper orientation, e.g. Portrait, Landscape.
+
+
+
+
+ True if printing in colour. Most printing is performed in black and white so this defaults to false and can therefore be omitted if printing in black and white.
+
+
+
+
+ True if fonts are to be used on the printing device. Using device fonts reduces the size of the print job as no font information needs to be supplied to the printer. However, using device fonts will result in different output on different printers. Most print jobs will not use device fonts so this defaults to false and can therefore be omitted if device fonts are not being used.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+ Describes the printer to use for the print job.
+
+
+
+
+ Used to determine if the action was successful. If omitted it is assumed that the event was successful and was permitted.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ Describes various actions such as the startup/shutdown/install of operating systems, services, applications. It also describes the execution of operating system commands, shell scripts and batch processes.
+
+
+
+
+ The action that the process event is capturing, e.g. Startup, Shutdown.
+
+
+
+
+ The type of process, e.g. Application, OS, Service.
+
+
+
+
+ The name of the process.
+
+
+
+
+ The process command arguments/parameters.
+
+
+
+
+ The system identifier for the process.
+
+
+
+
+ The thread identifier for the process.
+
+
+
+
+ The rule that was triggered when this process event happened.
+
+
+
+
+ Any objects used as input to the process.
+
+
+
+
+ Any objects output by the process
+
+
+
+
+ Used to determine if the action was successful. If omitted it is assumed that the event was successful and was permitted.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ Describes the purpose and justification for the event along with details of any authorisations that were required for the event to happen.
+
+
+
+
+ The classification of this task.
+
+
+
+
+ A description of the task.
+
+
+
+
+ Names of stakeholders.
+
+
+
+
+ Business case supporting task.
+
+
+
+
+ Expected outcome from task.
+
+
+
+
+ The authorisations that were granted to allow this event action to take place.
+
+
+
+ Details of authorisations that were granted to allow this event action to take place.
+
+
+
+
+ An authorisation that was granted to allow this event action to take place.
+
+
+
+ Details of an authorisation that was granted to allow this event action to take place.
+
+
+
+
+ The reference number, code or ID for the authorisation.
+
+
+
+
+ A textual description of the authorisation or any additional detail.
+
+
+
+
+
+
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ An identifier to uniquely identify the query that was executed. This may be used to link the execution of a query (i.e. Search/Query/Id) with the results that are persisted and viewed at another time (i.e. View/SearchResults/Query/Id).
+
+
+
+
+ The name of the query that was executed. This may be used to link the execution of a query with the results that are persisted and viewed at another time.
+
+
+
+
+ A human-readable description of what the query is searching for.
+
+
+
+
+ A complex boolean tree or operators and terms that describes the query.
+
+
+
+ A complex boolean tree or operators and terms that describes the query.
+
+
+
+
+
+
+ A simple representation of a query using includes and excludes terms. This is suitable for simple filtered lists, e.g. for a list of names excluding "John,Bob".
+
+
+
+ A simple representation of a query using includes and excludes terms. This is suitable for simple filtered lists, e.g. for a list of names excluding "John,Bob".
+
+
+
+
+ Values to include in the query results, typically delimited by a comma.
+
+
+
+
+ Values to exclude in the query results, typically delimited by a comma.
+
+
+
+
+
+
+
+ The raw query in the query language used by the application executing the query, e.g. SQL, xpath, etc.
+
+
+
+
+
+
+ Describes the action of receiving an object or entity, e.g. receiving a push notification.
+
+
+
+
+
+ Describes a resource within a website or web application, such as an HTML file, image file or script, along with the details of that resource such as size or response codes. It can represent both successful and failed access to the resource object.
+
+
+
+
+
+
+ The title of the resource or of the object the resource presents.
+
+
+
+
+ The URL of the resource the event relates to
+
+
+
+
+ The URL of the resource that referred to the URL of this event
+
+
+
+
+ The session identifier or token used to identify a session or series of related message exchanges.
+
+
+
+
+ The HTTP method, e.g. GET, POST, DELETE, PUT etc
+
+
+
+
+ The HTTP version, e.g. 1.1
+
+
+
+
+ This is a string provided by the initiating software agent used to identify itself, its application type, operating system, software vendor or software version. This string typically appears as a field in a request message with a field header name of 'User-Agent'.
+
+
+
+
+ The size in bytes received, including the request and HTTP headers.
+
+
+
+
+ The size in bytes of the incoming data, EXCLUDING HTTP headers.
+
+
+
+
+ The HTTP request header.
+
+
+
+
+ The size in bytes of the outgoing data, including HTTP headers.
+
+
+
+
+ The size in bytes of the outgoing data, EXCLUDING HTTP headers.
+
+
+
+
+ The HTTP response header.
+
+
+
+
+ The number of microseconds the server took to handle the request.
+
+
+
+
+ The connection status of the client connection.
+
+
+
+
+ The status code of the original request.
+
+
+
+
+ The final status code of the request, after any internal redirections may have taken place.
+
+
+
+
+ The Internet Media Type identifying the file format of the resource provided (format of request or response body). This string typically appears in the 'Content-Type' field of a Request or Response Header.
+
+
+
+
+ The category of a web page or resource where a categorisation engine is used, e.g. News, Search Engine, Social Media, etc.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ Contains a criteria and describes the outcome of the event.
+
+
+
+
+
+
+ Used to determine if the action was successful. If omitted it is assumed that the event was successful and was permitted.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ Structure used to describe a set of search results from a query where the results are viewed or interacted with in a separate event to the execution of the query. E.g. for long-running queries where the results are stored for later viewing/processing. The Search schema action should be used to describe the event for the execution of the search. Query/Id or Query/Name can be used to associate the results event with the query event.
+
+
+
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ Describes the action of sending something (e.g. a file, data, object, etc.) from a source location/application/system/user to a destination.
+
+
+
+
+
+ Describes a shortcut to another file/object, such as a Windows Shortcut or linux symbolic link.
+
+
+
+
+
+
+
+ Used to describe a software asset.
+
+
+
+
+ An identifier for the software asset.
+
+
+
+
+ The name of the software product.
+
+
+
+
+ The version of the software product, e.g. v3.1.
+
+
+
+
+ The manufacturer of the software product, e.g. Borland
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ Describes the system that generated the event. This is not the same as the generator as the generator is merely the application or component that created the event, e.g. auditd. The system describes the higher level project/service or capability that uses the generator as a component, e.g. 'Payroll System'.
+
+
+
+
+ The name of the system.
+
+
+
+
+ An optional description of the system.
+
+
+
+
+ An optional classification or protective marking of the overall system.
+
+
+
+
+ The environment describes a specific instance of a system. A system may have multiple deployment for various purposes, e.g. a development, reference or operational deployment. An instance may also be site specific e.g. a deployment at a particular data center. The way an environment is described will differ depending on the system and the way it is deployed however a good example would be REF_DC1 to indicate that the environment is a reference deployment in data center 1.
+
+
+
+
+ Describes the organisation that owns or has responsibility for the system.
+
+
+
+
+ An optional element to define the domain that the system exists in.
+
+
+
+
+ The version of the system's software, e.g. 1.3.2
+
+
+
+
+ Optional tags that can be used for additional tagging or categorisation of the system. These tags allow for the grouping or filtering of similar systems.
+
+
+
+ Optional tags that can be used for additional tagging or categorisation of the system. These tags allow for the grouping or filtering of similar systems.
+
+
+
+
+ A categorisation tag or label, e.g. 'critical-system', 'operational-data', 'non-operational-test-data', etc.
+
+
+
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit. Can also be used for appending data about the event after it has been received or processed, e.g. for recording details relating to the processing of the event such as the feed name.
+
+
+
+
+
+
+ Describes a field to search and what to search for using name, condition and value, e.g. Title Contains 'Fox' or Title Equals 'The Quick Brown Fox'.
+
+
+
+
+ The name of the search field.
+
+
+
+
+ The search condition, e.g. Contains, !Contains, Exists etc.
+
+
+
+
+ The value that the condition is operating on.
+
+
+
+
+
+
+ Describes the removal of either hardware or software.
+
+
+
+
+
+ This type should be used were the type of the event cannot be described by any of the other event actions, or the event type is unknown.
+
+
+
+
+ Used to determine if the action was successful. If omitted it is assumed that the event was successful and was permitted.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ Describes the update/modification/change to a file, object, entity, piece of data, etc. The update can be recorded by providing the Before and After state to describe the change. Alternatively, if the change is a small change to an object with many parts, it may be preferable to record the individual changes rather than the whole state. As a minimum the After state should be recorded to describe the object being changed with/without the detail of its state.
+
+
+
+
+ Describes the state of one or more object properties before it was changed. Essentially a snapshot of the object before the change.
+
+
+
+
+ Describes the state of one or more object properties after it was changed. Essentially a snapshot of the object after the change.
+
+
+
+
+ Describe one or more differences that have been applied to an object. When using this element, the object that the changes/differences are applied to should be described in the After element.
+
+
+
+
+
+ Describes the addition of one of more parts of an object or entity. For example if the user is adding two files to a zip file containing 1000 files, this can be recorded as the addition of the two files. The details of the zip file can be recorded in the After element without the need to record the before and after state of all 1000/1002 files.
+
+
+
+
+ Describes the replacement of one of more parts of an object or entity. For example if the user is updating a single file in a zip file containing 1000 files, this can be recorded as the replacement of just that file. The details of the zip file can be record in the After element without the need to recorded the before and after state of all 1000 files.
+
+
+
+
+ Describes the removal of one of more parts of an object or entity. For example if the user is removing two files from a zip file containing 1000 files, this can be recorded as the addition of the two files. The details of the zip file can be recorded in the After element without the need to record the before and after state of all 1000/998 files.
+
+
+
+
+
+
+
+ Used to determine if the action was successful. If omitted it is assumed that the event was successful and was permitted.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ Describes a user entity that may represent a human or be a processing user account.
+
+
+
+
+
+
+ The security domain that the user exists within, e.g. an Active Directory or OpenLDAP domain.
+
+
+
+
+ The email address of the user.
+
+
+
+
+ The details of the person represented by the user account or identity.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ Describes the person represented by a user account or identity.
+
+
+
+
+ A unique identifier used across the business to identify this person.
+
+
+
+
+ A person's staff number.
+
+
+
+
+ The person's surname.
+
+
+
+
+ The person's initials.
+
+
+
+
+ The person's title.
+
+
+
+
+ The person's given name. If a preferred name also exists then use KnownAs for this preferred name, otherwise use the same name for both elements.
+
+
+
+
+ The name that this person is known as.
+
+
+
+
+ Is the person an employee or a contractor.
+
+
+
+
+ The business group.
+
+
+
+
+ The business unit within the business group.
+
+
+
+
+ The position within the business unit.
+
+
+
+
+ The role that the person is in.
+
+
+
+
+ The grade required for the current post.
+
+
+
+
+ Is the person full-time, part-time etc.
+
+
+
+
+ The employment status of the person, e.g. Active, Retired, Maternity Leave, Sabbatical Leave, etc.
+
+
+
+
+ The person's nationality.
+
+
+
+
+ The building that the person usually works in.
+
+
+
+
+ The room number or name that the person usually works in.
+
+
+
+
+ The person's primary or internal phone number or extension.
+
+
+
+
+ The person's secondary phone number or extension.
+
+
+
+
+ The staff number of the person's supervisor or line manager.
+
+
+
+
+ When this person's current position is scheduled to end, e.g. the end date of a fixed term employment contract.
+
+
+
+
+ Describes a person's main employing organisation irrespective of who they are contracted or seconded to, or are performing an internship with.
+
+
+
+
+ Describes which organisation is currently hosting a person if they are on secondment, internship or are contracted to work for.
+
+
+
+
+ Any other user data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+ Describes a Voice Over Internet Protocol call.
+
+
+
+
+
+
+ The phone number of the initiator of the call.
+
+
+
+
+ The user that initiated the call.
+
+
+
+
+ The user that is the recipient of the call or a collection of users in the case of a conference type call.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ Describes events related to viewing data. Note that viewing data is subtly different from reading data. This event action is to be used when data is displayed to an end user and not for data read by an application.
+
+
+
+
+
+
+
+ Describes the session used when viewing another user's session, e.g. screen sharing or remote assistance type activities.
+
+
+
+
+
+
+ The state of the virtual session at the time of the event.
+
+
+
+
+ Any other event data that does not fit into a schema element but may be useful for the purpose of audit.
+
+
+
+
+
+
+
+
+ The priorities that can be assigned to an alert, e.g. an error in a system or the alert from the detection of malware. They indicate how important it is to resolve or mitigate the alert.
+
+
+
+
+
+
+
+
+
+
+
+
+ The severities that can be assigned to an alert, e.g. an error in a system or the alert from the detection of malware. They indicate how far-reaching the symptoms of the cause of the alert are.
+
+
+
+
+
+
+
+
+
+
+ The types of alert that can be fired, for example errors in an application log, malware or antivirus detection alerts.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The stages in an approval workflow. E.g. when presenting a document for review before publishing.
+
+
+
+
+
+
+
+
+
+
+
+ The types of action in an authentication step.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The types of session that a logon event will relate to.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The types of outcome from an authentication event.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The type of action in an authorisation event, e.g. the modification of authorisation permissions/groups or the request to be authorised.
+
+
+
+
+ A request to be authorised to do a subsequent action.
+
+
+
+
+ The action of modifying the permissions/rules/groups involved in an authorisation process.
+
+
+
+
+
+
+ The action performed by the file/directory monitor, e.g. starting to scan files for changes, or the detection of a file change.
+
+
+
+
+ The file/directory monitor is started.
+
+
+
+
+ The file/directory monitor is stopped.
+
+
+
+
+ A new file had been added to the monitored directory.
+
+
+
+
+ A file has been removed from the monitored directory.
+
+
+
+
+ A monitored file has been modified.
+
+
+
+
+
+
+ The types of reason for failure during copy or move operations.
+
+
+
+
+
+
+
+
+
+
+
+ An ISO 3166 alpha-3 country/nationality code. E.g 'GBR'
+
+
+
+
+
+
+
+ This type constrains the date time format further so that it is always represented as 'yyyy-MM-ddThh:mm:ss.sssZ'.
+
+
+
+
+
+
+
+ This type constrains the format of a MAC address.
+
+
+
+
+
+
+
+
+ A type to define an email address.
+
+
+
+
+
+ The types of hardware that can be added or removed from a system.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A type to constrain an IP address.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Latitude from the equator in decimal degrees.
+
+
+
+
+
+
+
+
+ Longitude from the Greenwich Meridian in decimal degrees.
+
+
+
+
+
+
+
+
+ The types of removable media.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The different types of network protocol.
+
+
+
+
+
+
+
+
+
+
+
+ The types of permission that can be assigned to an entity such as a document.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ A type to constrain the format of a network port number.
+
+
+
+
+
+
+
+
+ The types of action relating to the use of a printer.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The orientation types of a document when it is printed.
+
+
+
+
+
+
+
+
+ The types of action in a process event, e.g. executing a shell script.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The types of a process event, e.g. a background process running within an application.
+
+
+
+
+
+
+
+
+
+ A type to allow constraining of metadata tag values in future.
+
+
+
+
+
+ The types of term used in query predicates.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ The types of threat assigned to detected malware.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Type for specifying the version numbers of XML documents that are supported by this version of the XMLSchema.
+
+
+
+
+
+
+
+ Describes the state of a virtual session when viewing another user's session, e.g. screen sharing or remote assistance type activities.
+
+
+
+
+
+
+
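Review bot: the Remove element of the Update action is annotated with the wrong verb; the sentence "if the user is removing two files from a zip file containing 1000 files, this can be recorded as the addition of the two files" should read "the removal of the two files", otherwise the Add and Remove annotations contradict each other and an implementer reading only Remove will model it backwards. Further annotation fixes in this hunk: "one of more parts" appears three times (Add, Replace, Remove) and should be "one or more"; the Replace text "can be record in the After element without the need to recorded the before and after state" should be "can be recorded ... without the need to record"; "This type should be used were the type of the event cannot be described" should be "where"; "A new file had been added to the monitored directory" should be "has been added"; "E.g 'GBR'" is missing its full stop; and "Is the person an employee or a contractor." and "Is the person full-time, part-time etc." are questions, so either add the question mark or reword as "Whether the person is ...". Two caveats are worth stating in the annotations rather than leaving implicit: the Outcome text "If omitted it is assumed that the event was successful and was permitted" means a generator that drops Outcome on a failed or denied action records it as a permitted success, so the annotation should instruct generators to always emit Outcome when the action failed or was denied; and the DateTime annotation "always represented as 'yyyy-MM-ddThh:mm:ss.sssZ'" fixes both UTC and exactly millisecond precision, so sources that emit local offsets or second/microsecond precision must be normalised before validation, which should be said next to the constraint.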
diff --git a/source/event-logging-xml-schema/stroomContent/XML Schemas/event-logging/event_logging_v4_1_0.XMLSchema.befcc474-36e4-4db4-a610-bd1fe6825cb1.node b/source/event-logging-xml-schema/stroomContent/XML Schemas/event-logging/event_logging_v4_1_0.XMLSchema.befcc474-36e4-4db4-a610-bd1fe6825cb1.node
new file mode 100644
index 0000000..af9e028
--- /dev/null
+++ b/source/event-logging-xml-schema/stroomContent/XML Schemas/event-logging/event_logging_v4_1_0.XMLSchema.befcc474-36e4-4db4-a610-bd1fe6825cb1.node
@@ -0,0 +1,4 @@
+name=event-logging v4.1.0
+path=XML Schemas/event-logging
+type=XMLSchema
+uuid=befcc474-36e4-4db4-a610-bd1fe6825cb1
diff --git a/source/event-logging-xml-schema/stroomContent/XML Schemas/event-logging/event_logging_v4_1_0.XMLSchema.befcc474-36e4-4db4-a610-bd1fe6825cb1.xml b/source/event-logging-xml-schema/stroomContent/XML Schemas/event-logging/event_logging_v4_1_0.XMLSchema.befcc474-36e4-4db4-a610-bd1fe6825cb1.xml
new file mode 100644
index 0000000..6e59331
--- /dev/null
+++ b/source/event-logging-xml-schema/stroomContent/XML Schemas/event-logging/event_logging_v4_1_0.XMLSchema.befcc474-36e4-4db4-a610-bd1fe6825cb1.xml
@@ -0,0 +1,10 @@
+
+
+ false
+
+ event-logging v4.1.0
+ event-logging:3
+ EVENTS
+ file://event-logging-v4.1.0.xsd
+ befcc474-36e4-4db4-a610-bd1fe6825cb1
+
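Review bot: the namespace recorded for this new schema document is `event-logging:3` while its name is `event-logging v4.1.0` and its systemId is `file://event-logging-v4.1.0.xsd`. If carrying the 3 namespace forward across the 4.x releases is deliberate (so existing documents still resolve to a schema), state that in the pack README, because the namespace alone then no longer identifies which schema version a document was written against and consumers that pick a schema by namespace must instead rely on the version value the schema declares it supports (the "Type for specifying the version numbers of XML documents that are supported by this version of the XMLSchema" in the xsd hunk). If it is not deliberate, this should be `event-logging:4`.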