The Reef Datamodel

The Reef Event Datamodel

Each Reef Event consists of a set of fields. None of the fields is mandatory, but to get the best out of Reef some have a special purpose and are used during event processing. The event fields aren’t described here; refer to the Reef Administration and Implementation Guide for more information on them. After processing, we call the processed event simply an Event, and each Event has a number of attributes, which are described in the table below.

| Attribute | Description |
|---|---|
| key | A unique identifier that defines the source of the event and can be any value. Reef uses the key to perform automatic event de-duplication and correlation. |
| label | A short event description. |
| type | This attribute specifies the type of event and will be one of the following values: fault, clear, info, unknown. Reef uses the type attribute to perform event correlation. |
| severity | This can be any value, but Reef will colour-code event severities it recognises. Recognised severities include: critical, major, minor, info and unknown. |
| count | This attribute records the number of Reef Events with matching key fields the event processor has encountered during an Event’s lifetime. |
| state | The event processor will update the state of an event over its lifetime. A new Reef Event whose key has not been seen before will have a state of new. As subsequent Reef Events arrive, the processed Event will have its count increased and its state set to updated. If the event can be automatically correlated, its state will be set to auto_cleared. If the event is manually cleared, its state will be set to man_cleared. |
| node | This is the host or fully-qualified domain name that was set by the event source. If the event source did not set a node name, then Reef will attempt to infer it. |
| ip | This is the IP address that was set by the event source. If the event source did not set an IP address, then Reef will attempt to infer it. X-Forwarded-For headers will be used for this when available. |
| first | This is the date and time the event with this key was first seen. |
| last | This is the date and time the event with this key was most recently seen. |
| expires | If the event has been automatically or manually correlated, this attribute specifies the event’s expiry time. This is the time at which the event will be removed from the event list. |
| owner | Users can take ownership of an event, and as such this attribute will be populated with their username. |
| group | A group identifier, user defined at the source, with no special meaning to Reef. |
| source | The source of the event. |
| description | A long event description. |
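
The lifecycle that the key, count, state, first, last and expires attributes describe, modelled as an added example (not Reef's code and not part of the original documentation). The EventList class, the ten-minute EXPIRY and the rule that a clear with the same key auto-clears a fault are assumptions, since the page does not say how Reef correlates events.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

EXPIRY = timedelta(minutes=10)  # assumed retention after a clear; not from the page

@dataclass
class Event:
    key: str
    type: str
    first: datetime
    last: datetime
    count: int = 1
    state: str = "new"
    expires: Optional[datetime] = None

class EventList:
    """Hypothetical model of the lifecycle in the attribute table."""
    def __init__(self):
        self.events = {}

    def process(self, key, type_, now):
        ev = self.events.get(key)
        if ev is None:  # key not seen before: state "new", first == last
            ev = self.events[key] = Event(key, type_, first=now, last=now)
            return ev
        ev.count += 1  # same key: de-duplicate into the existing Event
        ev.last = now
        ev.state, ev.expires = "updated", None
        # Assumption: a "clear" with the same key correlates with a "fault".
        if type_ == "clear" and ev.type == "fault":
            ev.state, ev.expires = "auto_cleared", now + EXPIRY
        return ev

    def clear_manually(self, key, now):
        ev = self.events[key]
        ev.state, ev.expires = "man_cleared", now + EXPIRY
        return ev

    def purge(self, now):  # remove events whose expiry time has passed
        gone = [k for k, e in self.events.items() if e.expires and e.expires <= now]
        for k in gone:
            del self.events[k]
        return gone

def demo():  # constructed input: two faults, then a clear, for one key
    el, t0 = EventList(), datetime(2024, 1, 1, 12, 0)
    kinds = ["fault", "fault", "clear"]
    return [el.process("db01:disk", k, t0 + timedelta(minutes=i)).state for i, k in enumerate(kinds)]
```

Because every incoming event with a given key collapses into one Event, the key chosen at the source decides what is de-duplicated: two unrelated sources that emit the same key would be counted as one Event in this model.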