It highly depends on the use case but from experience, rather than from any documents, I'd say that:

If written to a "continuous" medium (like a logfile or sent via network stream), they should be written atomicaly so that parts of different events are not intermixed. And they should be clearly delimited

Each event should contain a timestamp. Bonus points for reasonable timestamp format and logging in UTC or including timezone information. Points substracted for some exotic time formatting ideas (like specifying date by fortnights since last easter 😉 but seriously - I've seen timezone specified as number of minutes offset from UTC; please don't do that). Timestamp should have resolution relevant to your usecase. If you're logging entries/exits on a factory gate you probably don't need sub-second precission. OTOH you might not want to log your network sessions per hour.

All events from a single source should have the same timestamp format! Bonus points for "static" placement of timestamp within an event. Best solution - start your event with a timestamp.

Be consistent - elements common to multiple event "categories" from a single source should be expressed in the same way (so if you have - for example - "severity" field, put it in a well-known position, delimited or placed in a k-v pair; don't put it as a "third string in array delimited by pipes" in one event and a json field in another).

If there are several events refering to the same entity or process, include some form of ID so separate events can be correlated. Best scenario - let it be some form of ID that can be used outside your logs to find such object (e.g. message-id in email logs).

I'd say that it's a good practice to include in your log events both a strictly defined "machine-readable" part which allows for easy parsing/manipulating/searching as well as a human-readable descriptive part. Kinda similar to windows events.