He specifies the following 5 pipe (|) separated fields:
- Time - 32-bit POSIX (or Unix) epoch timestamp. It is unclear whether negative timestamps are supported or how values that overflow 32 bits should be represented.
- Source - fixed-length field for the source of the data (i.e., file system, Registry, EVT/EVTX file, AV or application log file, etc.); may require a key or legend. As far as is known there is no list of predefined common sources.
- Host - the host system, defined by IP or MAC address, NetBIOS or DNS name, etc. (may also require a key or legend)
- User - the user, defined by user name, SID, email address, IM screen name, etc. (may also require a key or legend)
- Description - the description of what happened; this is where context comes in...
In addition, the Description field seems to be allowed to be overloaded with ;-separated values. An example from the same blog post:
where it looks like the ;-separated fields in the Description are not pre-defined.
Known variants of TLN are:
- l2tTLN (log2timeline TLN); which extends the format with a TZ (timezone) field and a Notes field.
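The following parser is an added example, not code from the page, from the blog post it cites or from log2timeline/plaso. It reads both the 5-field TLN line and the 7-field l2tTLN line, flags the two timestamp edge cases the format leaves unspecified (negative and out-of-32-bit-range values) instead of silently accepting them, and splits an overloaded ;-separated Description. The l2tTLN field order Time|Source|Host|User|Description|TZ|Notes and all sample lines are assumptions made for this example.

```python
"""Parse TLN (5-field) and l2tTLN (7-field) timeline lines.

Added example: not code from the page, from Harlan Carvey's tools or from
log2timeline/plaso. The l2tTLN field order assumed here is
Time|Source|Host|User|Description|TZ|Notes.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Iterable, List, Optional

TLN_FIELDS = ("Time", "Source", "Host", "User", "Description")
L2TTLN_FIELDS = TLN_FIELDS + ("TZ", "Notes")  # assumed l2tTLN field order

# Signed 32-bit limits; the format leaves values outside them unspecified.
INT32_MIN, INT32_MAX = -(2 ** 31), 2 ** 31 - 1


@dataclass
class TlnRecord:
    time: int
    source: str
    host: str
    user: str
    description: str
    tz: Optional[str] = None      # l2tTLN only
    notes: Optional[str] = None   # l2tTLN only
    warnings: List[str] = field(default_factory=list)

    @property
    def datetime_utc(self) -> datetime:
        """Epoch seconds rendered as an aware UTC datetime."""
        return datetime.fromtimestamp(self.time, tz=timezone.utc)

    @property
    def description_parts(self) -> List[str]:
        """A Description overloaded with ';'-separated values, split out."""
        return [part.strip() for part in self.description.split(";")]


def parse_tln_line(line: str) -> TlnRecord:
    """Parse one TLN or l2tTLN line; raise ValueError on a malformed line."""
    fields = line.rstrip("\r\n").split("|")
    # A '|' inside Description cannot be told apart from a field separator,
    # so anything other than exactly 5 or 7 fields is rejected rather than guessed at.
    if len(fields) not in (len(TLN_FIELDS), len(L2TTLN_FIELDS)):
        raise ValueError(f"expected 5 or 7 '|'-separated fields, got {len(fields)}: {line!r}")
    try:
        ts = int(fields[0])
    except ValueError:
        raise ValueError(f"non-integer Time field: {fields[0]!r}") from None

    # Record, rather than hide, the cases the format does not define.
    warnings: List[str] = []
    if ts < 0:
        warnings.append("negative timestamp: support for pre-1970 times is unspecified")
    if not INT32_MIN <= ts <= INT32_MAX:
        warnings.append("timestamp outside signed 32-bit range: representation is unspecified")

    record = TlnRecord(ts, fields[1], fields[2], fields[3], fields[4], warnings=warnings)
    if len(fields) == len(L2TTLN_FIELDS):
        record.tz, record.notes = fields[5], fields[6]
    return record


def load_timeline(lines: Iterable[str]) -> List[TlnRecord]:
    """Parse a whole timeline, skipping blank lines and a header row, sorted by Time."""
    records = []
    for line in lines:
        if not line.strip() or line.startswith("Time|"):
            continue
        records.append(parse_tln_line(line))
    return sorted(records, key=lambda r: r.time)


# Constructed sample data for this example; not taken from any real system.
SAMPLE_TIMELINE = [
    "Time|Source|Host|User|Description",
    "1325376060|EVTX|WORKSTATION1|S-1-5-21-1-2-3-1001|Security/4624;Logon Type 3;Source IP 10.0.0.5",
    "1325376000|REG|WORKSTATION1|jdoe|M... HKLM/Software/Example/Run - example.exe",
    "1325376120|FILE|host2|-|.A.. C:/Users/jdoe/file.txt|UTC|constructed sample note",
]

if __name__ == "__main__":
    for rec in load_timeline(SAMPLE_TIMELINE):
        print(rec.datetime_utc.isoformat(), rec.source, rec.host, rec.user,
              rec.description_parts, rec.tz, rec.notes, rec.warnings)
```

Because the Description field is free text and the format defines no escaping, a literal | inside it cannot be distinguished from a field separator; the parser therefore rejects lines with an unexpected field count instead of guessing, and the caller decides whether to treat the warnings on out-of-range timestamps as errors.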