Unified path for log source/vendor name (POLL #3)

[paveljos]

Background:
OCSF needs a unified place to identify a data source. Previously, OCSF implementations utilized origin.product for certain types of data, but origin.cloud.service for others. For this essential, central, identification mechanism, OCSF would benefit from a unified path.

Cascading proposals:
These are stand-alone considerations that, when considered holistically, should address the whole proposal of identifying source data. This is NOT intended to represent other logging facilities that may be a part of the transmission of the log (log scrapers, forwarders, parsers, proxies, etc.); these fields are meant to provide a universal path for data that identifies the VENDOR of the data provided and the TYPE of data provided; e.g.,

  "Apache" "HTTP Access Log"
  "Apache" "HTTP Error Log"
  "Microsoft" "Windows Security Event Log"
  "AWS" "VPC Flowlogs"

While it is certain that there are scenarios where this may be challenging (e.g., when a 3rd party gathers raw data about Windows processes - that could conceivably be a vendor of "Microsoft" or the 3rd party), these fields should allow for the data that conforms to this schema to be identified.

Open questions:
Is it fair to expect ALL data to be represented in OCSF to have a vendor and a name?
Is there a desire to extend an enum for vendors/names? (HTTP Access Log vs. httpd_access)

Future considerations (acknowledged, but not in scope for this proposal):
Do we want to provide a place in the schema for data transmission to be logged? e.g., ETL timestamps, log forwarder(s), etc.

This poll should be considered simultaneously with the polls with the same title.

---

What fields should be included (can always be modified later)

1. Minimal
   - vendor_name / required / string
   - name / required / string
   - version / optional / string

2. Robust
   - vendor_name / required / string
   - name / required / string
   - version / optional / string
   - path / optional / string
   - uid / optional / string
   - language / optional / string
   - labels / optional / array of kvp

[rroupski]

I am voting foe the minimal, assuming we can add vendor_name to the product object.