diff --git a/EVENTS.md b/EVENTS.md new file mode 100644 index 0000000..4590e3b --- /dev/null +++ b/EVENTS.md 
@@ -0,0 +1,190 @@ +# DECNET Honeypot Events + +This document details the events generated by each DECNET honeypot service, as found in their respective `server.py` files. + +## Service: `docker_api` +| Event Type | Included Fields | +| --- | --- | +| `request` | `method`, `path`, `remote_addr`, `body` | +| `startup` | *None* | + +## Service: `elasticsearch` +| Event Type | Included Fields | +| --- | --- | +| `startup` | *None* | +| `post_request` | `src`, `method`, `path`, `body_preview`, `user_agent` | +| `put_request` | `src`, `method`, `path`, `body_preview` | +| `delete_request` | `src`, `method`, `path` | +| `head_request` | `src`, `method`, `path` | +| `root_probe` | `src`, `method`, `path` | +| `cat_api` | `src`, `method`, `path` | +| `cluster_recon` | `src`, `method`, `path` | +| `nodes_recon` | `src`, `method`, `path` | +| `security_probe` | `src`, `method`, `path` | +| `request` | `src`, `method`, `path` | + +## Service: `ftp` +| Event Type | Included Fields | +| --- | --- | +| `startup` | *None* | +| `connection` | `src_ip`, `src_port` | +| `user` | `username` | +| `auth_attempt` | `username`, `password` | +| `download_attempt` | `path` | +| `disconnect` | `src_ip`, `src_port` | + +## Service: `http` +| Event Type | Included Fields | +| --- | --- | +| `request` | `method`, `path`, `remote_addr`, `headers`, `body` | +| `startup` | *None* | + +## Service: `imap` +| Event Type | Included Fields | +| --- | --- | +| `startup` | *None* | +| `connect` | `src`, `src_port` | +| `disconnect` | `src` | +| `auth` | `src`, `username`, `password` | +| `command` | `src`, `cmd` | + +## Service: `k8s` +| Event Type | Included Fields | +| --- | --- | +| `request` | `method`, `path`, `remote_addr`, `auth`, `body` | +| `startup` | *None* | + +## Service: `ldap` +| Event Type | Included Fields | +| --- | --- | +| `startup` | *None* | +| `connect` | `src`, `src_port` | +| `bind` | `src`, `dn`, `password` | +| `disconnect` | `src` | + +## Service: `llmnr` +| Event Type | 
Included Fields | +| --- | --- | +| `startup` | *None* | +| `query` | `proto`, `src`, `src_port`, `name`, `qtype` | +| `raw_packet` | `proto`, `src`, `data`, `error` | + +## Service: `mongodb` +| Event Type | Included Fields | +| --- | --- | +| `startup` | *None* | +| `connect` | `src`, `src_port` | +| `message` | `src`, `opcode`, `length` | +| `disconnect` | `src` | + +## Service: `mqtt` +| Event Type | Included Fields | +| --- | --- | +| `startup` | *None* | +| `connect` | `src`, `src_port` | +| `disconnect` | `src` | +| `auth` | `src` | +| `packet` | `src`, `pkt_type` | + +## Service: `mssql` +| Event Type | Included Fields | +| --- | --- | +| `startup` | *None* | +| `connect` | `src`, `src_port` | +| `disconnect` | `src` | +| `auth` | `src`, `username` | +| `unknown_packet` | `src`, `pkt_type` | + +## Service: `mysql` +| Event Type | Included Fields | +| --- | --- | +| `startup` | *None* | +| `connect` | `src`, `src_port` | +| `disconnect` | `src` | +| `auth` | `src`, `username` | + +## Service: `pop3` +| Event Type | Included Fields | +| --- | --- | +| `startup` | *None* | +| `connect` | `src`, `src_port` | +| `disconnect` | `src` | +| `user` | `src`, `username` | +| `auth` | `src`, `username`, `password` | +| `command` | `src`, `cmd` | + +## Service: `postgres` +| Event Type | Included Fields | +| --- | --- | +| `startup` | *None* | +| `connect` | `src`, `src_port` | +| `startup` | `src`, `username`, `database` | +| `auth` | `src`, `pw_hash` | +| `disconnect` | `src` | + +## Service: `rdp` +| Event Type | Included Fields | +| --- | --- | +| `startup` | *None* | +| `connection` | `src_ip`, `src_port` | +| `data` | `src_ip`, `src_port`, `bytes`, `hex` | +| `disconnect` | `src_ip`, `src_port` | + +## Service: `redis` +| Event Type | Included Fields | +| --- | --- | +| `startup` | *None* | +| `connect` | `src`, `src_port` | +| `command` | `src`, `cmd`, `args` | +| `disconnect` | `src` | +| `auth` | `src`, `password` | + +## Service: `sip` +| Event Type | Included 
Fields | +| --- | --- | +| `request` | `src`, `src_port`, `method`, `from_`, `to`, `username`, `auth` | +| `startup` | *None* | + +## Service: `smb` +| Event Type | Included Fields | +| --- | --- | +| `startup` | *None* | +| `shutdown` | *None* | + +## Service: `smtp` +| Event Type | Included Fields | +| --- | --- | +| `startup` | *None* | +| `connect` | `src`, `src_port` | +| `disconnect` | `src` | +| `ehlo` | `src`, `domain` | +| `auth_attempt` | `src`, `command` | +| `mail_from` | `src`, `value` | +| `rcpt_to` | `src`, `value` | +| `vrfy` | `src`, `value` | +| `unknown_command` | `src`, `command` | + +## Service: `snmp` +| Event Type | Included Fields | +| --- | --- | +| `startup` | *None* | +| `get_request` | `src`, `src_port`, `version`, `community`, `oids` | +| `parse_error` | `src`, `error`, `data` | + +## Service: `tftp` +| Event Type | Included Fields | +| --- | --- | +| `startup` | *None* | +| `request` | `src`, `src_port`, `op`, `filename`, `mode` | +| `unknown_opcode` | `src`, `opcode`, `data` | + +## Service: `vnc` +| Event Type | Included Fields | +| --- | --- | +| `startup` | *None* | +| `connect` | `src`, `src_port` | +| `disconnect` | `src` | +| `version` | `src`, `client_version` | +| `security_choice` | `src`, `type` | +| `auth_response` | `src`, `response` | +
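Review bot: the `postgres` table documents two different events under one type name, `| `startup` | *None* |` for the service coming up and `| `startup` | `src`, `username`, `database` |` for a client's StartupMessage, so a consumer keying on the event type cannot tell a daemon restart from an inbound connection attempt without inspecting the fields; rename the client-side event (for example `startup_message`) in both `server.py` and this table. A secondary consistency point across the whole file: the peer address is called `src`, `src_ip` or `remote_addr` depending on the service, and the same event is `connect` in most tables but `connection` in `ftp` and `rdp`, which makes cross-service correlation in a SIEM needlessly fiddly; either normalise the names or state at the top of the document that the schema is per-service.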