||The subsystem or application that is providing the event data.
||Additional detail about the source facility. For example, details could include a the name of a particular application instance (such as a database name) or a path to a monitored log file.
||The unique identifier of the facility.
||The type of the source from which the event was derived.
|1||System||The information was collected from the operating system event log such as Syslog on Unix/Linux and the System event file on Windows.|
|2||Application||The information was collected from an application log|
|3||Security||The event was logged from a security subsystem.|
|5||ETW||The event was logged from the Event Tracing for Windows(ETW) facility.|