Added source and type to the metadata object. Updated the log_* attributes and descriptions for consistency.

CHANGELOG.md

@@ -50,6 +50,7 @@ Thankyou! -->
 * #### Platform Extensions
 * #### Dictionary Attributes
  1. Added `vendor_id_list` as a `string_t` array. [#1471](https://github.com/ocsf/ocsf-schema/pull/1471)
+ 1. Added `log_source` `log_format` as `string_t`. [#1483] https://github.com/ocsf/ocsf-schema/pull/1483
 
 ### Improved
 * #### Categories
@@ -60,6 +61,7 @@ Thankyou! -->
  1. Added `type`, `type_uid`, and `vendor_id_list` to the `peripheral_device` object. [#1471](https://github.com/ocsf/ocsf-schema/pull/1471)
  1. Relaxed the `class` attribute requirement to `optional` in the `peripheral_device` object. [#1471](https://github.com/ocsf/ocsf-schema/pull/1471)
  1. Set the `vendor_name` requirement to `recommended` in the `peripheral_device` object. [#1471](https://github.com/ocsf/ocsf-schema/pull/1471)
+ 1. Added `source` `type` `log_source` `log_format` `transmit_time` to `metadata`. `log_format` to `logger`[#1483] https://github.com/ocsf/ocsf-schema/pull/1483
 
 * #### Platform Extensions
 * #### Dictionary Attributes
@@ -69,6 +71,7 @@ Thankyou! -->
 ### Bugfixes
 
 ### Deprecated
+1. Deprecated `version` attribute in `logger` for `log_version`. [#1483] https://github.com/ocsf/ocsf-schema/pull/1483
 
 ### Breaking changes
 

dictionary.json

@@ -3584,19 +3584,29 @@
       "type": "location",
       "is_array": true
     },
+    "log_format": {
+      "caption": "Log Format",
+      "description": "The format of data in the log. See specific usage.",
+      "type": "string_t"
+    },
     "log_level": {
       "caption": "Log Level",
-      "description": "The audit level at which an event was generated.",
+      "description": "The log specific level at which an event was generated. See specific usage.",
       "type": "string_t"
     },
     "log_name": {
       "caption": "Log Name",
-      "description": "The event log name. For example, syslog file name or Windows logging subsystem: Security.",
+      "description": "The log name. See specific usage.",
       "type": "string_t"
     },
     "log_provider": {
       "caption": "Log Provider",
-      "description": "The logging provider or logging service that logged the event. For example, Microsoft-Windows-Security-Auditing.",
+      "description": "The logging provider or logging service that logged the event. See specific usage.",
+      "type": "string_t"
+    },
+    "log_source": {
+      "caption": "Log Source",
+      "description": "The log where the data originated. See specific usage.",
       "type": "string_t"
     },
     "log_type": {
@@ -3630,7 +3640,7 @@
     },
     "log_version": {
       "caption": "Log Version",
-      "description": "The event log schema version that specifies the format of the original event. For example syslog version or Cisco Log Schema Version.",
+      "description": "The log version. See specific usage.",
       "type": "string_t"
     },
     "logged_time": {
@@ -3640,7 +3650,7 @@
     },
     "loggers": {
       "caption": "Loggers",
-      "description": "An array of Logger objects that describe the devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow.",
+      "description": "An array of Logger objects that describe the pipeline of devices and logging products between the event source and its eventual destination. Note, this attribute can be used when there is a complex end-to-end path of event flow and/or to track the chain of custody of the data.",
       "type": "logger",
       "is_array": true
     },

objects/logger.json

@@ -16,16 +16,24 @@
       "description": "Indicates whether the OCSF event data has been truncated due to size limitations. When <code>true</code>, some event data may have been omitted to fit within system constraints.",
       "requirement": "optional"
     },
+    "log_format": {
+      "description": "The format of data in the log. For example JSON, syslog or CSV.",
+      "requirement": "optional"
+    },
     "log_level": {
+      "description": "The level at which an event was logged. This can be log provider specific. For example the audit level.",
       "requirement": "optional"
     },
     "log_name": {
+      "description": "The log name for the logging provider log, or the file name of the system log. This may be an intermediate store-and-forward log or a vendor destination log. For example /archive/server1/var/log/messages.0 or /var/log/.",
       "requirement": "recommended"
     },
     "log_provider": {
+      "description": "The logging provider or logging service that logged the event. This may be an intermediate application store-and-forward log or a vendor destination log.",
       "requirement": "recommended"
     },
     "log_version": {
+      "description": "The version of the log provider.",
       "requirement": "optional"
     },
     "logged_time": {
@@ -41,7 +49,7 @@
     },
     "transmit_time": {
       "description": "The time when the event was transmitted from the logging device to it's next destination.",
-      "requirement": "optional"
+      "requirement": "recommended"
     },
     "uid": {
       "description": "The unique identifier of the logging product instance.",
@@ -52,6 +60,10 @@
       "requirement": "optional"
     },
     "version": {
+    "@deprecated": {
+      "message": "Use the <code>log_version</code> attribute.",
+      "since": "1.7.0"
+    },
       "description": "The version of the logging product.",
       "requirement": "optional"
     }

objects/metadata.json

@@ -14,6 +14,7 @@
       "requirement": "optional"
     },
     "event_code": {
+      "description": "The identifier of the original event. For example the numerical Windows Event Code or Cisco syslog code.",
       "requirement": "optional"
     },
     "extension": {
@@ -30,16 +31,30 @@
       "description": "The list of labels attached to the event. For example: <code>[\"sample\", \"dev\"]</code>",
       "requirement": "optional"
     },
+    "log_format": {
+      "caption": "Log Source Format",
+      "description": "The format of data in the log where the data originated. For example JSON, syslog or CSV.",
+      "requirement": "optional"
+    },
     "log_level": {
+      "description": "The level at which an event was logged. This can be log provider specific. For example the audit level.",
       "requirement": "optional"
     },
     "log_name": {
+      "description": "The event log name, typically for the consumer of the event. For example, the storage bucket name, SIEM repository index name, etc.",
       "requirement": "recommended"
     },
     "log_provider": {
-      "requirement": "recommended"
+      "description": "The logging provider or logging service that logged the event. For example AWS CloudWatch or Splunk.",
+      "requirement": "optional"
+    },
+    "log_source": {
+      "description": "The log where the data originated. For example, syslog server name or Windows hostname and logging subsystem: Security.",
+      "requirement": "optional"
     },
     "log_version": {
+      "caption": "Log Version",
+      "description": "The log version of the log provider. For example syslog version or Windows Event Log version.",
       "requirement": "optional"
     },
     "logged_time": {
@@ -67,6 +82,10 @@
     "sequence": {
       "requirement": "optional"
     },
+    "source": {
+      "description": "The source of the event or finding. This can be any distinguishing name for the data origin, or a resource from where the data originated. For example 'attack simulations.' In some situations this may be the <code>log_source</code>.",
+      "requirement": "optional"
+    },
     "tags": {
       "description": "The list of tags; <code>{key:value}</code> pairs associated to the event.",
       "requirement": "optional"
@@ -77,6 +96,14 @@
     "transformation_info_list": {
       "requirement": "optional"
     },
+    "transmit_time": {
+      "description": "The time when the event was transmitted from the logging device to it's next destination.",
+      "requirement": "optional"
+    },
+    "type": {
+      "description": "The type of the event or finding. This can be any distinguishing characteristic of the data. For example 'firewall connections' or 'flow data'. In some situations this may be the same as the <code>log_format</code>.",
+      "requirement": "optional"
+    },
     "uid": {
       "caption": "Event UID",
       "description": "The logging system-assigned unique identifier of an event instance.",