<a href="https://github.com/rabbitstack/fibratus/blob/master/docs/kevents/anatomy.md" rel="nofollow">https://github.com/rabbitstack/fibratus/blob/master/docs/kev...</a><p>>"Canonical fields<p>Each kernel event contains a series of canonical fields that describe the nature of the event such as its name, the process identifier that generated the event and such. The following is the list of all canonical fields.<p>Sequence is a monotonically increasing integer value that uniquely identifies an event. The sequence value is guaranteed to increment monotonically as long as the machine is not rebooted. After the restart, the sequence is restored to the zero value.<p>PID represents the process identifier that triggered the kernel event.<p>TID is the thread identifier connected to the kernel event.<p>CPU designates the logical CPU core on which the event was originated.<p>Name is the human-readable event name such as CreateProcess or RegOpenKey.<p>Timestamp denotes the timestamp expressed in nanosecond precision as the instant the event occurred.<p>Category designates the category to which the event pertains, e.g. file or thread. Each particular category is explained thoroughly in the next sections.<p>Description is a short explanation about the purpose of the event. For example, CreateFile kernel event creates or opens a file, directory, I/O device, pipe, console buffer or other block/pseudo device.<p>Host represents the host name where the event was produced.<p>Parameters<p>Also called as kparams in Fibratus parlance, contain each of the event's parameters. Internally, they are modeled as a collection of key/value pairs where the key is mapped to the structure consisting of parameter name, parameter type and the value. An example of the parameter tuple could be the dip parameter that denotes a destination IP address with value 172.17.0.2 and therefore IPv4 type. Additionally, parameter types can be scalar values, strings, slices, enumerations, and timestamps among others.<p>Process state<p>Each event stores the process state that represents an extended information about the process including its allocated resources such as handles, dynamically-linked libraries, exported environment variables and other attributes. The process state internals are thoroughly explained in the Process events section. (<a href="https://github.com/rabbitstack/fibratus/blob/master/docs/kevents/process.md" rel="nofollow">https://github.com/rabbitstack/fibratus/blob/master/docs/kev...</a>)<p>Metadata<p>Metadata are an arbitrary sequence of tags in form of key/value pairs that you can squash into the event on behalf of transformers. A tag can be virtually any string data that you find meaningful to either identify the event or apply filtering/grouping once event is persisted in the data store."<p>PDS: It would be interesting if a future OS -- <i>was completely designed around such a descriptive Event Log at its heart</i>...<p>That is, the future OS -- would automatically put ALL of its events into such an Event Log in memory, where programmers, through various tools and means (much like Fibratus) could ask it to filter out and log messages of interest, if they had appropriate rights.<p>Yes, it might be slow to do this... but perhaps there would be software/algorithmic mitigations to that...<p>For logging/capturing OS events (in this case, Windows 7+, but perhaps in the future, any OS, or future OS'es that are specifically designed for it),<p><i>Fibratus has a lot of good ideas!</i>