@cwurm
Created January 17, 2019 11:01
- key: ecs
title: ECS
description: >
ECS fields.
fields:
- name: "@timestamp"
type: date
level: core
required: true
example: "2016-05-23T08:05:34.853Z"
description: >
Date/time when the event originated.
For log events this is the date/time when the event was generated, and
not when it was read.
Required field for all events.
- name: tags
level: core
type: keyword
example: "[\"production\", \"env2\"]"
description: >
List of keywords used to tag each event.
- name: labels
level: core
type: object
example: {env: production, application: foo-bar}
description: >
Key/value pairs.
Can be used to add meta information to events. Should not contain nested
objects. All values are stored as keyword.
Example: `docker` and `k8s` labels.
- name: message
level: core
type: text
example: "Hello World"
description: >
For log events the message field contains the log message.
In other use cases the message field can be used to concatenate
different values which are then freely searchable. If multiple
messages exist, they can be combined into one message.
- name: agent
title: Agent
group: 2
description: >
The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.
footnote: >
Examples: In the case of Beats for logs, the agent.name is filebeat. For APM, it is the
agent running in the app/service. The agent information does not change if
data is sent through queuing systems like Kafka, Redis, or processing systems
such as Logstash or APM Server.
type: group
fields:
- name: version
level: core
type: keyword
description: >
Version of the agent.
example: 6.0.0-rc2
- name: name
level: core
type: keyword
description: >
Name of the agent.
This is a name that can be given to an agent. This can be helpful if
for example two Filebeat instances are running on the same host
but a human readable separation is needed on which Filebeat instance
data is coming from.
If no name is given, the name is often left empty.
example: foo
- name: type
level: core
type: keyword
description: >
Type of the agent.
The agent type stays always the same and should be given by the agent used.
In case of Filebeat the agent would always be Filebeat also if two
Filebeat instances are run on the same machine.
example: filebeat
- name: id
level: core
type: keyword
description: >
Unique identifier of this agent (if one exists).
Example: For Beats this would be beat.id.
example: 8a4f500d
- name: ephemeral_id
level: extended
type: keyword
description: >
Ephemeral identifier of this agent (if one exists).
This id normally changes across restarts, but `agent.id` does not.
example: 8a4f500f
- name: client
title: Client
group: 2
description: >
A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events.
Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
type: group
fields:
- name: address
level: extended
type: keyword
description: >
Some event client addresses are defined ambiguously. The event will
sometimes list an IP, a domain or a unix socket. You should always
store the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which
one it is.
- name: ip
level: core
type: ip
description: >
IP address of the client.
Can be one or multiple IPv4 or IPv6 addresses.
- name: port
level: core
type: long
description: >
Port of the client.
- name: mac
level: core
type: keyword
description: >
MAC address of the client.
- name: domain
level: core
type: keyword
description: >
Client domain.
# Metrics
- name: bytes
level: core
type: long
example: 184
description: >
Bytes sent from the client to the server.
- name: packets
level: core
type: long
example: 12
description: >
Packets sent from the client to the server.
- name: geo
title: Geo
group: 2
description: >
Geo fields can carry data about a specific location related to an event
or geo information derived from an IP field.
type: group
fields:
- name: location
level: core
type: geo_point
description: >
Longitude and latitude.
example: '{ "lon": -73.614830, "lat": 45.505918 }'
- name: continent_name
level: core
type: keyword
description: >
Name of the continent.
example: North America
- name: country_name
level: core
type: keyword
description: >
Country name.
example: Canada
- name: region_name
level: core
type: keyword
description: >
Region name.
example: Quebec
- name: city_name
level: core
type: keyword
description: >
City name.
example: Montreal
- name: country_iso_code
level: core
type: keyword
description: >
Country ISO code.
example: CA
- name: region_iso_code
level: core
type: keyword
description: >
Region ISO code.
example: CA-QC
- name: name
level: extended
type: keyword
description: >
User-defined description of a location, at the level of granularity they care about.
Could be the name of their data centers, the floor number, if this describes
a local physical entity, city names.
Not typically used in automated geolocation.
example: boston-dc
- name: cloud
title: Cloud
group: 2
description: >
Fields related to the cloud or infrastructure the events
are coming from.
footnote: >
Examples: If Metricbeat is running on an EC2 host and fetches data from its
host, the cloud info contains the data about this machine. If Metricbeat
runs on a remote machine outside the cloud and fetches data from a service
running in the cloud, the field contains cloud data from the machine the
service is running on.
type: group
fields:
- name: provider
level: extended
example: ec2
type: keyword
description: >
Name of the cloud provider. Example values are ec2, gce, or
digitalocean.
- name: availability_zone
level: extended
example: us-east-1c
type: keyword
description: >
Availability zone in which this host is running.
- name: region
level: extended
type: keyword
example: us-east-1
description: >
Region in which this host is running.
- name: instance.id
level: extended
type: keyword
example: i-1234567890abcdef0
description: >
Instance ID of the host machine.
- name: instance.name
level: extended
type: keyword
description: >
Instance name of the host machine.
- name: machine.type
level: extended
type: keyword
example: t2.medium
description: >
Machine type of the host machine.
- name: account.id
level: extended
type: keyword
example: 666777888999
description: >
The cloud account or organization id used to identify different
entities in a multi-tenant environment.
Examples: AWS account id, Google Cloud ORG Id, or other unique
identifier.
- name: container
title: Container
group: 2
description: >
Container fields are used for meta information about the specific container
that is the source of information. These fields help correlate data based
containers from any runtime.
type: group
fields:
- name: runtime
level: extended
type: keyword
description: >
Runtime managing this container.
example: docker
- name: id
level: core
type: keyword
description: >
Unique container id.
- name: image.name
level: extended
type: keyword
description: >
Name of the image the container was built on.
- name: image.tag
level: extended
type: keyword
description: >
Container image tag.
- name: name
level: extended
type: keyword
description: >
Container name.
- name: labels
level: extended
type: object
object_type: keyword
description: >
Image labels.
- name: destination
title: Destination
group: 2
description: >
Destination fields describe details about the destination of a packet/event.
Destination fields are usually populated in conjunction with source fields.
type: group
fields:
- name: address
level: extended
type: keyword
description: >
Some event destination addresses are defined ambiguously. The event will
sometimes list an IP, a domain or a unix socket. You should always
store the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which
one it is.
- name: ip
level: core
type: ip
description: >
IP address of the destination.
Can be one or multiple IPv4 or IPv6 addresses.
- name: port
level: core
type: long
description: >
Port of the destination.
- name: mac
level: core
type: keyword
description: >
MAC address of the destination.
- name: domain
level: core
type: keyword
description: >
Destination domain.
# Metrics
- name: bytes
level: core
type: long
example: 184
description: >
Bytes sent from the destination to the source.
- name: packets
level: core
type: long
example: 12
description: >
Packets sent from the destination to the source.
- name: geo
title: Geo
group: 2
description: >
Geo fields can carry data about a specific location related to an event
or geo information derived from an IP field.
type: group
fields:
- name: location
level: core
type: geo_point
description: >
Longitude and latitude.
example: '{ "lon": -73.614830, "lat": 45.505918 }'
- name: continent_name
level: core
type: keyword
description: >
Name of the continent.
example: North America
- name: country_name
level: core
type: keyword
description: >
Country name.
example: Canada
- name: region_name
level: core
type: keyword
description: >
Region name.
example: Quebec
- name: city_name
level: core
type: keyword
description: >
City name.
example: Montreal
- name: country_iso_code
level: core
type: keyword
description: >
Country ISO code.
example: CA
- name: region_iso_code
level: core
type: keyword
description: >
Region ISO code.
example: CA-QC
- name: name
level: extended
type: keyword
description: >
User-defined description of a location, at the level of granularity they care about.
Could be the name of their data centers, the floor number, if this describes
a local physical entity, city names.
Not typically used in automated geolocation.
example: boston-dc
- name: ecs
title: ECS
group: 2
description: >
Meta-information specific to ECS.
type: group
fields:
- name: version
level: core
type: keyword
required: true
description: >
ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
When querying across multiple indices -- which may conform to slightly
different ECS versions -- this field lets integrations adjust to the
schema version of the events.
The current version is 1.0.0-beta2 .
example: 1.0.0-beta2
- name: error
title: Error
group: 2
description: >
These fields can represent errors of any kind. Use them for errors that
happen while fetching events or in cases where the event itself contains an error.
type: group
fields:
- name: id
level: core
type: keyword
description: >
Unique identifier for the error.
- name: message
level: core
type: text
description: >
Error message.
- name: code
level: core
type: keyword
description: >
Error code describing the error.
- name: event
title: Event
group: 2
description: >
The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host.
type: group
fields:
- name: id
level: core
type: keyword
description: >
Unique ID to describe the event.
example: 8a4f500d
- name: kind
level: extended
type: keyword
description: >
The kind of the event.
This gives information about what type of information the event
contains, without being specific to the contents of the event. Examples
are `event`, `state`, `alarm`. Warning: In future versions of ECS, we
plan to provide a list of acceptable values for this field, please use
with caution.
example: state
- name: category
level: core
type: keyword
description: >
Event category.
This contains high-level information about the contents of the event. It
is more generic than `event.action`, in the sense that typically a
category contains multiple actions. Warning: In future versions of ECS,
we plan to provide a list of acceptable values for this field, please
use with caution.
example: user-management
- name: action
level: core
type: keyword
description: >
The action captured by the event.
This describes the information in the event. It is more specific than
`event.category`. Examples are `group-add`, `process-started`,
`file-created`. The value is normally defined by the implementer.
example: user-password-change
- name: outcome
level: extended
type: keyword
description: >
The outcome of the event.
If the event describes an action, this fields contains the outcome of
that action. Examples outcomes are `success` and `failure`. Warning: In
future versions of ECS, we plan to provide a list of acceptable values
for this field, please use with caution.
example: success
- name: type
level: core
type: keyword
description: >
Reserved for future usage.
Please avoid using this field for user data.
- name: module
level: core
type: keyword
description: >
Name of the module this data is coming from.
This information is coming from the modules used in Beats or Logstash.
example: mysql
- name: dataset
level: core
type: keyword
description: >
Name of the dataset.
The concept of a `dataset` (fileset / metricset) is used in Beats as a
subset of modules. It contains the information which is currently
stored in metricset.name and metricset.module or fileset.name.
example: stats
- name: severity
level: core
type: long
example: "7"
description: >
Severity describes the severity of the event. What the different
severity values mean can very different between use cases. It's up to
the implementer to make sure severities are consistent across events.
- name: original
level: core
type: keyword
# Unfortunately this example is not shown correctly yet as | do not work
# in tables well
# Is | is the representation of | it works except for cases where
# used ticks.
example: "Sep 19 08:26:10 host CEF:0|Security|
threatmanager|1.0|100|
worm successfully stopped|10|src=10.0.0.1
dst=2.1.2.2spt=1232"
description: >
Raw text message of entire event. Used to demonstrate log integrity.
This field is not indexed and doc_values are disabled. It cannot be
searched, but it can be retrieved from `_source`.
index: false
doc_values: false
- name: hash
level: extended
type: keyword
example: "123456789012345678901234567890ABCD"
description: >
Hash (perhaps logstash fingerprint) of raw field to be able to
demonstrate log integrity.
- name: duration
level: core
type: long
description: >
Duration of the event in nanoseconds.
If event.start and event.end are known this value should be the
difference between the end and start time.
- name: timezone
level: extended
type: keyword
description: >
This field should be populated when the event's timestamp does not include
timezone information already (e.g. default Syslog timestamps). It's
optional otherwise.
Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"),
abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
- name: created
level: core
type: date
description: >
event.created contains the date when the event was created.
This timestamp is distinct from @timestamp in that @timestamp contains
the processed timestamp. For logs these two timestamps can be different
as the timestamp in the log line and when the event is read for example
by Filebeat are not identical. `@timestamp` must contain the timestamp
extracted from the log line, event.created when the log line is read.
The same could apply to package capturing where @timestamp contains the
timestamp extracted from the network package and event.created when the
event was created.
In case the two timestamps are identical, @timestamp should be used.
- name: start
level: extended
type: date
description: >
event.start contains the date when the event started or when the
activity was first observed.
- name: end
level: extended
type: date
description: >
event.end contains the date when the event ended or when the activity
was last observed.
- name: risk_score
level: core
type: float
description: >
Risk score or priority of the event (e.g. security solutions).
Use your system's original value here.
- name: risk_score_norm
level: extended
type: float
description: >
Normalized risk score or priority of the event, on a scale of 0 to 100.
This is mainly useful if you use more than one system that assigns
risk scores, and you want to see a normalized value across all systems.
- name: file
group: 2
title: File
description: >
A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.
type: group
fields:
- name: path
level: extended
type: keyword
description: Path to the file.
- name: target_path
level: extended
type: keyword
description: Target path for symlinks.
- name: extension
level: extended
type: keyword
description: >
File extension.
This should allow easy filtering by file extensions.
example: png
- name: type
level: extended
type: keyword
description: File type (file, dir, or symlink).
- name: device
level: extended
type: keyword
description: Device that is the source of the file.
- name: inode
level: extended
type: keyword
description: Inode representing the file in the filesystem.
- name: uid
level: extended
type: keyword
description: >
The user ID (UID) or security identifier (SID) of the file owner.
- name: owner
level: extended
type: keyword
description: File owner's username.
- name: gid
level: extended
type: keyword
description: Primary group ID (GID) of the file.
- name: group
level: extended
type: keyword
description: Primary group name of the file.
- name: mode
level: extended
type: keyword
example: 0640
description: Mode of the file in octal representation.
- name: size
level: extended
type: long
description: File size in bytes (field is only added when `type` is
`file`).
- name: mtime
level: extended
type: date
description: Last time file content was modified.
- name: ctime
level: extended
type: date
description: Last time file metadata changed.
- name: group
title: Group
group: 2
description: >
The group fields are meant to represent groups that are relevant to the
event.
type: group
fields:
- name: id
level: extended
type: keyword
description: >
Unique identifier for the group on the system/platform.
- name: name
level: extended
type: keyword
description: >
Name of the group.
- name: host
title: Host
group: 2
description: >
A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or on which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.
type: group
fields:
- name: hostname
level: core
type: keyword
description: >
Hostname of the host.
It normally contains what the `hostname` command returns on the host machine.
- name: name
level: core
type: keyword
description: >
Name of the host.
It can contain what `hostname` returns on Unix systems, the fully
qualified domain name, or a name specified by the user. The sender
decides which value to use.
- name: id
level: core
type: keyword
description: >
Unique host id.
As hostname is not always unique, use values that are meaningful
in your environment.
Example: The current usage of `beat.name`.
- name: ip
level: core
type: ip
description: >
Host ip address.
- name: mac
level: core
type: keyword
description: >
Host mac address.
- name: type
level: core
type: keyword
description: >
Type of host.
For Cloud providers this can be the machine type like `t2.medium`.
If vm, this could be the container, for example, or other information
meaningful in your environment.
- name: architecture
level: core
type: keyword
example: "x86_64"
description: >
Operating system architecture.
- name: os
title: Operating System
group: 2
description: >
The OS fields contain information about the operating system.
reusable:
top_level: false
expected:
- observer
- host
- user_agent
type: group
fields:
- name: platform
level: extended
type: keyword
description: >
Operating system platform (such centos, ubuntu, windows).
example: darwin
- name: name
level: extended
type: keyword
example: "Mac OS X"
description: >
Operating system name, without the version.
- name: full
level: extended
type: keyword
example: "Mac OS Mojave"
description: >
Operating system name, including the version or code name.
- name: family
level: extended
type: keyword
example: "debian"
description: >
OS family (such as redhat, debian, freebsd, windows).
- name: version
level: extended
type: keyword
example: "10.14.1"
description: >
Operating system version as a raw string.
- name: kernel
level: extended
type: keyword
example: "4.4.0-112-generic"
description: >
Operating system kernel version as a raw string.
- name: geo
title: Geo
group: 2
description: >
Geo fields can carry data about a specific location related to an event
or geo information derived from an IP field.
type: group
fields:
- name: location
level: core
type: geo_point
description: >
Longitude and latitude.
example: '{ "lon": -73.614830, "lat": 45.505918 }'
- name: continent_name
level: core
type: keyword
description: >
Name of the continent.
example: North America
- name: country_name
level: core
type: keyword
description: >
Country name.
example: Canada
- name: region_name
level: core
type: keyword
description: >
Region name.
example: Quebec
- name: city_name
level: core
type: keyword
description: >
City name.
example: Montreal
- name: country_iso_code
level: core
type: keyword
description: >
Country ISO code.
example: CA
- name: region_iso_code
level: core
type: keyword
description: >
Region ISO code.
example: CA-QC
- name: name
level: extended
type: keyword
description: >
User-defined description of a location, at the level of granularity they care about.
Could be the name of their data centers, the floor number, if this describes
a local physical entity, city names.
Not typically used in automated geolocation.
example: boston-dc
- name: http
title: HTTP
group: 2
description: >
Fields related to HTTP activity.
type: group
fields:
- name: request.method
level: extended
type: keyword
description: >
Http request method.
The field value must be normalized to lowercase for querying. See
"Lowercase Capitalization" in the "Implementing ECS" section.
example: get, post, put
- name: request.body.content
level: extended
type: keyword
description: >
The full http request body.
example: Hello world
- name: request.referrer
level: extended
type: keyword
description: >
Referrer for this HTTP request.
example: https://blog.example.com/
- name: response.status_code
level: extended
type: long
description: >
Http response status code.
example: 404
- name: response.body.content
level: extended
type: keyword
description: >
The full http response body.
example: Hello world
- name: version
level: extended
type: keyword
description: >
Http version.
example: 1.1
# Metrics
- name: request.bytes
level: extended
type: long
description: >
Total size in bytes of the request (body and headers).
example: 1437
- name: request.body.bytes
level: extended
type: long
description: >
Size in bytes of the request body.
example: 887
- name: response.bytes
level: extended
type: long
description: >
Total size in bytes of the response (body and headers).
example: 1437
- name: response.body.bytes
level: extended
type: long
description: >
Size in bytes of the response body.
example: 887
- name: log
title: Log
description: >
Fields which are specific to log events.
type: group
fields:
- name: level
level: core
type: keyword
description: >
Log level of the log event.
Some examples are `WARN`, `ERR`, `INFO`.
example: ERR
- name: original
level: core
type: keyword
example: "Sep 19 08:26:10 localhost My log"
index: false
doc_values: false
description: >
This is the original log message and contains the full log message
before splitting it up in multiple parts.
In contrast to the `message` field which can contain an extracted part
of the log message, this field contains the original, full log message.
It can have already some modifications applied like encoding or new
lines removed to clean up the log message.
This field is not indexed and doc_values are disabled so it can't be
queried but the value can be retrieved from `_source`.
- name: network
title: Network
group: 2
description: >
The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event.
type: group
fields:
- name: name
level: extended
type: keyword
description: >
Name given by operators to sections of their network.
example: Guest Wifi
- name: type
level: core
type: keyword
description: >
In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
The field value must be normalized to lowercase for querying. See
"Lowercase Capitalization" in the "Implementing ECS" section.
example: ipv4
- name: iana_number
level: extended
type: keyword
description: >
IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
Standardized list of protocols. This aligns well with NetFlow and
sFlow related logs which use the IANA Protocol Number.
example: 6
- name: transport
level: core
type: keyword
description: >
Same as network.iana_number, but instead using the Keyword name of the
transport layer (udp, tcp, ipv6-icmp, etc.)
The field value must be normalized to lowercase for querying. See
"Lowercase Capitalization" in the "Implementing ECS" section.
example: tcp
- name: application
level: extended
type: keyword
description: >
A name given to an application. This can be arbitrarily assigned for
things like microservices, but also apply to things like skype, icq,
facebook, twitter. This would be used in situations where the vendor
or service can be decoded such as from the source/dest IP owners,
ports, or wire format.
The field value must be normalized to lowercase for querying. See
"Lowercase Capitalization" in the "Implementing ECS" section.
example: aim
- name: protocol
level: core
type: keyword
description: >
L7 Network protocol name. ex. http, lumberjack, transport protocol.
The field value must be normalized to lowercase for querying. See
"Lowercase Capitalization" in the "Implementing ECS" section.
example: http
- name: direction
level: core
type: keyword
description: >
Direction of the network traffic.
Recommended values are:
* inbound
* outbound
* internal
* external
* unknown
When mapping events from a host-based monitoring context, populate this
field from the host's point of view.
When mapping events from a network or perimeter-based monitoring context,
populate this field from the point of view of your network perimeter.
example: inbound
- name: forwarded_ip
level: core
type: ip
description: >
Host IP address when the source IP address is the proxy.
example: 192.1.1.2
- name: community_id
level: extended
type: keyword
description: >
A hash of source and destination IPs and ports, as well as the protocol
used in a communication. This is a tool-agnostic standard to identify
flows.
Learn more at https://github.com/corelight/community-id-spec.
example: '1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0='
# Metrics
- name: bytes
level: core
type: long
description: >
Total bytes transferred in both directions.
If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
example: 368
- name: packets
level: core
type: long
description: >
Total packets transferred in both directions.
If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
example: 24
- name: observer
title: Observer
group: 2
description: >
An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.
type: group
fields:
- name: mac
level: core
type: keyword
description: >
MAC address of the observer
- name: ip
level: core
type: ip
description: >
IP address of the observer.
- name: hostname
level: core
type: keyword
description: >
Hostname of the observer.
- name: vendor
level: core
type: keyword
description: >
observer vendor information.
- name: version
level: core
type: keyword
description: >
Observer version.
- name: serial_number
level: extended
type: keyword
description: >
Observer serial number.
- name: type
level: core
type: keyword
description: >
The type of the observer the data is coming from.
There is no predefined list of observer types. Some examples are
`forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
example: firewall
- name: os
title: Operating System
group: 2
description: >
The OS fields contain information about the operating system.
reusable:
top_level: false
expected:
- observer
- host
- user_agent
type: group
fields:
- name: platform
level: extended
type: keyword
description: >
Operating system platform (such centos, ubuntu, windows).
example: darwin
- name: name
level: extended
type: keyword
example: "Mac OS X"
description: >
Operating system name, without the version.
- name: full
level: extended
type: keyword
example: "Mac OS Mojave"
description: >
Operating system name, including the version or code name.
- name: family
level: extended
type: keyword
example: "debian"
description: >
OS family (such as redhat, debian, freebsd, windows).
- name: version
level: extended
type: keyword
example: "10.14.1"
description: >
Operating system version as a raw string.
- name: kernel
level: extended
type: keyword
example: "4.4.0-112-generic"
description: >
Operating system kernel version as a raw string.
- name: geo
title: Geo
group: 2
description: >
Geo fields can carry data about a specific location related to an event
or geo information derived from an IP field.
type: group
fields:
- name: location
level: core
type: geo_point
description: >
Longitude and latitude.
example: '{ "lon": -73.614830, "lat": 45.505918 }'
- name: continent_name
level: core
type: keyword
description: >
Name of the continent.
example: North America
- name: country_name
level: core
type: keyword
description: >
Country name.
example: Canada
- name: region_name
level: core
type: keyword
description: >
Region name.
example: Quebec
- name: city_name
level: core
type: keyword
description: >
City name.
example: Montreal
- name: country_iso_code
level: core
type: keyword
description: >
Country ISO code.
example: CA
- name: region_iso_code
level: core
type: keyword
description: >
Region ISO code.
example: CA-QC
- name: name
level: extended
type: keyword
description: >
User-defined description of a location, at the level of granularity the user cares about.
Could be the name of a data center, a floor number (if this describes a local
physical entity) or a city name.
Not typically used in automated geolocation.
example: boston-dc
- name: organization
title: Organization
group: 2
description: >
The organization fields enrich data with information about the company or entity
the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple
organizations.
type: group
fields:
- name: name
level: extended
type: keyword
description: >
Organization name.
- name: id
level: extended
type: keyword
description: >
Unique identifier for the organization.
- name: os
title: Operating System
group: 2
description: >
The OS fields contain information about the operating system.
reusable:
top_level: false
expected:
- observer
- host
- user_agent
type: group
fields:
- name: platform
level: extended
type: keyword
description: >
Operating system platform (such as centos, ubuntu, windows).
example: darwin
- name: name
level: extended
type: keyword
example: "Mac OS X"
description: >
Operating system name, without the version.
- name: full
level: extended
type: keyword
example: "Mac OS Mojave"
description: >
Operating system name, including the version or code name.
- name: family
level: extended
type: keyword
example: "debian"
description: >
OS family (such as redhat, debian, freebsd, windows).
- name: version
level: extended
type: keyword
example: "10.14.1"
description: >
Operating system version as a raw string.
- name: kernel
level: extended
type: keyword
example: "4.4.0-112-generic"
description: >
Operating system kernel version as a raw string.
- name: process
title: Process
group: 2
description: >
These fields contain information about a process.
These fields can help you correlate metrics information with a process id/name
from a log message. The `process.pid` often stays in the metric itself and is
copied to the global field for correlation.
type: group
fields:
- name: pid
level: core
type: long
description: >
Process id.
example: 4242
- name: name
level: extended
type: keyword
description: >
Process name.
Sometimes called program name or similar.
example: ssh
- name: ppid
level: extended
type: long
description: >
Process parent id.
- name: args
level: extended
type: keyword
description: >
Process arguments.
May be filtered to protect sensitive information.
example: ["ssh", "-l", "user", "10.0.0.16"]
- name: executable
level: extended
type: keyword
description: >
Absolute path to the process executable.
example: /usr/bin/ssh
- name: title
level: extended
type: keyword
description: >
Process title.
The proctitle, sometimes the same as the process name. Can also be different:
for example a browser setting its title to the web page currently opened.
- name: thread.id
level: extended
type: long
example: 4242
description: >
Thread ID.
- name: start
level: extended
type: date
example: "2016-05-23T08:05:34.853Z"
description: >
The time the process started.
- name: working_directory
level: extended
type: keyword
example: /home/alice
description: >
The working directory of the process.
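The `process.args` description says the arguments "may be filtered to protect sensitive information" but leaves the how to the shipper. The following is an added example, not Beats or ECS code, of one such filter applied to an ECS event before it is indexed. Which flags, variable names and URL forms count as secrets is an assumption made for this example (the `SECRET_FLAGS` table keys on `process.name` because short flags are ambiguous: `-p` is a password for `mysql` but a port for `ssh`).

```python
"""Filtering secrets out of process.args before an event is indexed.

Added example, not Beats or ECS code. Which flags and variable names count as
sensitive is an assumption made for this example; tune it for your fleet.
"""
import re
from typing import Any, Dict, List, Set

REDACTED = "<redacted>"

# Flags whose value (the next argument, or attached as in `-psecret`) is a
# secret. Keyed by process.name because short flags are ambiguous: `-p` is a
# password for mysql but a port for ssh. "*" applies to every program.
SECRET_FLAGS: Dict[str, Set[str]] = {
    "*": {"--password", "--token", "--api-key"},
    "mysql": {"-p", "--password"},
    "curl": {"-u", "--user"},
}

# key=value arguments such as `--password=x`, `PASSWORD=x`, `AWS_SECRET_ACCESS_KEY=x`.
SECRET_KV = re.compile(
    r"^(?P<key>-{0,2}[\w-]*(?:pass(?:word)?|secret|token|api[_-]?key)[\w-]*)=(?P<val>.+)$",
    re.IGNORECASE,
)
# URL arguments carrying credentials, e.g. https://bob:hunter2@example.com/
URL_CRED = re.compile(r"^(?P<scheme>\w+://)(?P<user>[^:/@]+):(?P<pw>[^@]+)@")


def redact_args(process_name: str, args: List[str]) -> List[str]:
    """Return a copy of `args` with secret values replaced by REDACTED."""
    flags = SECRET_FLAGS["*"] | SECRET_FLAGS.get(process_name, set())
    short_flags = {f for f in flags if not f.startswith("--")}
    out: List[str] = []
    redact_next = False
    for arg in args:
        attached = next((f for f in short_flags if arg.startswith(f) and arg != f), None)
        if redact_next:                        # value of the previous flag
            out.append(REDACTED)
            redact_next = False
        elif arg in flags:                     # `-p secret`, `--token secret`
            out.append(arg)
            redact_next = True
        elif attached is not None:             # `-psecret`
            out.append(attached + REDACTED)
        elif SECRET_KV.match(arg):             # `--password=secret`, `PASSWORD=secret`
            out.append(SECRET_KV.match(arg).group("key") + "=" + REDACTED)
        elif URL_CRED.match(arg):              # `https://user:secret@host/`
            out.append(URL_CRED.sub(r"\g<scheme>\g<user>:" + REDACTED + "@", arg, count=1))
        else:
            out.append(arg)
    return out


def redact_process_args(event: Dict[str, Any]) -> Dict[str, Any]:
    """Apply redact_args to an ECS event in place and return it."""
    process = event.get("process") or {}
    if isinstance(process.get("args"), list):
        process["args"] = redact_args(process.get("name", ""), process["args"])
    return event


if __name__ == "__main__":
    # Constructed event in the shape of the process.* fields above.
    sample = {"process": {"name": "mysql", "executable": "/usr/bin/mysql",
                          "args": ["mysql", "-u", "root", "-p", "hunter2"]}}
    print(redact_process_args(sample)["process"]["args"])
```

The flag is kept and only its value is replaced, so the redacted `process.args` still shows that a password was passed on the command line, which is itself a finding worth alerting on.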
- name: related
title: Related
group: 2
description: >
This field set is meant to facilitate pivoting around a piece of data.
Some pieces of information can be seen in many places in ECS. To facilitate
searching for them, append values to their corresponding field in
`related.`.
A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`.
type: group
fields:
- name: ip
level: extended
type: ip
description: >
All of the IPs seen on your event.
- name: server
title: Server
group: 2
description: >
A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer to the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events.
Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
type: group
fields:
- name: address
level: extended
type: keyword
description: >
Some event server addresses are defined ambiguously. The event will
sometimes list an IP, a domain or a unix socket. You should always
store the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which
one it is.
- name: ip
level: core
type: ip
description: >
IP address of the server.
Can be one or multiple IPv4 or IPv6 addresses.
- name: port
level: core
type: long
description: >
Port of the server.
- name: mac
level: core
type: keyword
description: >
MAC address of the server.
- name: domain
level: core
type: keyword
description: >
Server domain.
# Metrics
- name: bytes
level: core
type: long
example: 184
description: >
Bytes sent from the server to the client.
- name: packets
level: core
type: long
example: 12
description: >
Packets sent from the server to the client.
- name: geo
title: Geo
group: 2
description: >
Geo fields can carry data about a specific location related to an event
or geo information derived from an IP field.
type: group
fields:
- name: location
level: core
type: geo_point
description: >
Longitude and latitude.
example: '{ "lon": -73.614830, "lat": 45.505918 }'
- name: continent_name
level: core
type: keyword
description: >
Name of the continent.
example: North America
- name: country_name
level: core
type: keyword
description: >
Country name.
example: Canada
- name: region_name
level: core
type: keyword
description: >
Region name.
example: Quebec
- name: city_name
level: core
type: keyword
description: >
City name.
example: Montreal
- name: country_iso_code
level: core
type: keyword
description: >
Country ISO code.
example: CA
- name: region_iso_code
level: core
type: keyword
description: >
Region ISO code.
example: CA-QC
- name: name
level: extended
type: keyword
description: >
User-defined description of a location, at the level of granularity the user cares about.
Could be the name of a data center, a floor number (if this describes a local
physical entity) or a city name.
Not typically used in automated geolocation.
example: boston-dc
- name: service
title: Service
group: 2
description: >
The service fields describe the service for or from which the data was
collected. These fields help you find and correlate logs for a specific
service and version.
type: group
fields:
- name: id
level: core
type: keyword
description: >
Unique identifier of the running service.
This id should uniquely identify this service. This makes it possible
to correlate logs and metrics for one specific service.
Example: If you are experiencing issues with one redis instance, you
can filter on that id to see metrics and logs for that single instance.
example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
- name: name
level: core
type: keyword
example: "elasticsearch-metrics"
description: >
Name of the service data is collected from.
The name of the service is normally user given. This allows two instances
of the same service running on the same machine to be differentiated by
the `service.name`.
Also it allows for distributed services that run on multiple hosts to
correlate the related instances based on the name.
In the case of Elasticsearch the service.name could contain the cluster
name. For Beats the service.name is by default a copy of the `service.type`
field if no name is specified.
- name: type
level: core
type: keyword
example: "elasticsearch"
description: >
The type of the service data is collected from.
The type can be used to group and correlate logs and metrics from one
service type.
Example: If logs or metrics are collected from Elasticsearch, `service.type` would be
`elasticsearch`.
- name: state
level: core
type: keyword
description: >
Current state of the service.
- name: version
level: core
type: keyword
example: "3.2.4"
description: >
Version of the service the data was collected from.
This allows you to look at a data set only for a specific version of a
service.
- name: ephemeral_id
level: extended
type: keyword
description: >
Ephemeral identifier of this service (if one exists).
This id normally changes across restarts, but `service.id` does not.
example: 8a4f500f
- name: source
title: Source
group: 2
description: >
Source fields describe details about the source of a packet/event.
Source fields are usually populated in conjunction with destination fields.
type: group
fields:
- name: address
level: extended
type: keyword
description: >
Some event source addresses are defined ambiguously. The event will
sometimes list an IP, a domain or a unix socket. You should always
store the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which
one it is.
- name: ip
level: core
type: ip
description: >
IP address of the source.
Can be one or multiple IPv4 or IPv6 addresses.
- name: port
level: core
type: long
description: >
Port of the source.
- name: mac
level: core
type: keyword
description: >
MAC address of the source.
- name: domain
level: core
type: keyword
description: >
Source domain.
# Metrics
- name: bytes
level: core
type: long
example: 184
description: >
Bytes sent from the source to the destination.
- name: packets
level: core
type: long
example: 12
description: >
Packets sent from the source to the destination.
- name: geo
title: Geo
group: 2
description: >
Geo fields can carry data about a specific location related to an event
or geo information derived from an IP field.
type: group
fields:
- name: location
level: core
type: geo_point
description: >
Longitude and latitude.
example: '{ "lon": -73.614830, "lat": 45.505918 }'
- name: continent_name
level: core
type: keyword
description: >
Name of the continent.
example: North America
- name: country_name
level: core
type: keyword
description: >
Country name.
example: Canada
- name: region_name
level: core
type: keyword
description: >
Region name.
example: Quebec
- name: city_name
level: core
type: keyword
description: >
City name.
example: Montreal
- name: country_iso_code
level: core
type: keyword
description: >
Country ISO code.
example: CA
- name: region_iso_code
level: core
type: keyword
description: >
Region ISO code.
example: CA-QC
- name: name
level: extended
type: keyword
description: >
User-defined description of a location, at the level of granularity the user cares about.
Could be the name of a data center, a floor number (if this describes a local
physical entity) or a city name.
Not typically used in automated geolocation.
example: boston-dc
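Two of the descriptions above describe a normalisation step without showing it: the `.address` field of server and source (and their siblings) holds the raw value, which "should be duplicated to `.ip` or `.domain`, depending on which one it is", and `related.ip` should collect every IP seen under host, observer, source, destination, client, server and `network.forwarded_ip`. The following is an added example, not Beats or ECS code, that does both on one event. The sample event is constructed; the hostname heuristic in `classify_address` and the choice to drop unix-socket paths from `.ip`/`.domain` are assumptions of this example.

```python
"""Filling `.ip` / `.domain` from a raw `.address`, then building `related.ip`.

Added example, not Beats or ECS code. SAMPLE_EVENT is constructed.
"""
import ipaddress
from typing import Any, Dict, List, Optional

ENDPOINTS = ("source", "destination", "client", "server")

SAMPLE_EVENT: Dict[str, Any] = {
    "host": {"ip": ["10.0.0.5", "fe80::1"]},
    "source": {"address": "10.0.0.16", "port": 51234},
    "destination": {"address": "db.internal.example", "port": 5432},
    "client": {"address": "[2001:DB8::1]"},
    "server": {"address": "/var/run/postgresql/.s.PGSQL.5432"},   # unix socket
    "network": {"forwarded_ip": "203.0.113.7"},
}


def classify_address(address: str) -> Optional[str]:
    """'ip' or 'domain' for a raw address; None for a unix socket path or
    anything else that belongs in neither field (it stays in .address)."""
    if address.startswith(("/", "@")):          # filesystem or abstract socket
        return None
    try:
        ipaddress.ip_address(address.strip("[]"))  # accept [v6] literal form
        return "ip"
    except ValueError:
        pass
    # Assumption: a hostname is dot-separated labels of letters, digits and hyphens.
    if all(part and part.replace("-", "").isalnum() for part in address.split(".")):
        return "domain"
    return None


def normalize_endpoint(endpoint: Dict[str, Any]) -> Dict[str, Any]:
    """Copy .address into .ip or .domain (never overwriting an existing value)."""
    addr = endpoint.get("address")
    if isinstance(addr, str):
        kind = classify_address(addr)
        if kind == "ip":
            endpoint.setdefault("ip", str(ipaddress.ip_address(addr.strip("[]"))))
        elif kind == "domain":
            endpoint.setdefault("domain", addr)
    return endpoint


def _as_list(value: Any) -> List[str]:
    if isinstance(value, str):
        return [value]
    if isinstance(value, list):
        return [v for v in value if isinstance(v, str)]
    return []


def build_related_ip(event: Dict[str, Any]) -> List[str]:
    """Every IP seen on the event, canonicalised (so 2001:DB8::1 and
    2001:db8::1 collapse), deduplicated, first-seen order, junk dropped."""
    seen: Dict[str, None] = {}
    candidates = [event.get(k, {}).get("ip") for k in ("host", "observer") + ENDPOINTS]
    candidates.append(event.get("network", {}).get("forwarded_ip"))
    for value in candidates:
        for raw in _as_list(value):
            try:
                seen.setdefault(str(ipaddress.ip_address(raw)), None)
            except ValueError:
                continue
    return list(seen)


def enrich(event: Dict[str, Any]) -> Dict[str, Any]:
    """Normalise all endpoints, then populate related.ip. Mutates and returns event."""
    for k in ENDPOINTS:
        if isinstance(event.get(k), dict):
            normalize_endpoint(event[k])
    ips = build_related_ip(event)
    if ips:
        event.setdefault("related", {})["ip"] = ips
    return event


if __name__ == "__main__":
    print(enrich(SAMPLE_EVENT)["related"]["ip"])
```

Because `related.ip` is built from the canonical string form, a single `related.ip:2001:db8::1` query matches however the address was spelled in the original log, which is the point of the field.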
- name: url
title: URL
description: >
URL fields provide a complete URL, with scheme, host, and path.
type: group
fields:
- name: original
level: extended
type: keyword
description: >
Unmodified original URL as seen in the event source.
Note that in network monitoring, the observed URL may be a full URL,
whereas in access logs, the URL is often just represented as a path.
This field is meant to represent the URL as it was observed, complete
or not.
example: >
https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
- name: full
level: extended
type: keyword
description: >
If full URLs are important to your use case, they should be stored in
`url.full`, whether this field is reconstructed or present in the
event source.
example: https://www.elastic.co:443/search?q=elasticsearch#top
- name: scheme
level: extended
type: keyword
description: >
Scheme of the request, such as "https".
Note: The `:` is not part of the scheme.
example: https
- name: domain
level: extended
type: keyword
description: >
Domain of the request, such as "www.elastic.co".
In some cases a URL may refer to an IP and/or port directly, without a
domain name. In this case, the IP address would go to the `domain` field.
example: www.elastic.co
- name: port
level: extended
type: integer
description: >
Port of the request, such as 443.
example: 443
- name: path
level: extended
type: keyword
description: >
Path of the request, such as "/search".
- name: query
level: extended
type: keyword
description: >
The query field describes the query string of the request,
such as "q=elasticsearch".
The `?` is excluded from the query string. If a URL contains
no `?`, there is no query field. If there is a `?` but no query,
the query field exists with an empty string. The `exists`
query can be used to differentiate between the two cases.
- name: fragment
level: extended
type: keyword
description: >
Portion of the URL after the `#`, such as "top".
The `#` is not part of the fragment.
- name: username
level: extended
type: keyword
description: >
Username of the request.
- name: password
level: extended
type: keyword
description: >
Password of the request.
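The url.* descriptions above carry several rules that are easy to get wrong in a pipeline: `url.original` may be a full URL or only a path, `url.full` exists only for complete URLs, the `:` is not part of `scheme`, an IP literal goes into `domain`, and `query` is absent when there is no `?` but present as an empty string when the `?` is there with nothing after it. The following is an added example, not Beats or ECS code, that implements those rules with the standard library's `urlsplit`.

```python
"""Splitting a URL into the ECS url.* fields.

Added example, not Beats or ECS code. Applies the rules from the field
descriptions, including the `?`-present-but-empty query case.
"""
from typing import Dict
from urllib.parse import urlsplit


def ecs_url(original: str) -> Dict[str, object]:
    """Return the url.* fields for `original`.

    Path-only values as found in access logs keep url.original and url.path
    but get no url.full, url.scheme or url.domain.
    """
    fields: Dict[str, object] = {"original": original}
    parts = urlsplit(original)

    if parts.scheme and parts.netloc:                 # a complete URL
        fields["full"] = original
        fields["scheme"] = parts.scheme               # urlsplit already drops the ':'
        if parts.hostname is not None:                # lower-cased; IP literals land here too
            fields["domain"] = parts.hostname
        try:
            if parts.port is not None:
                fields["port"] = parts.port
        except ValueError:
            pass                                      # malformed port: leave url.port unset
        if parts.username is not None:
            fields["username"] = parts.username
        if parts.password is not None:                # indexing this at all is a policy call
            fields["password"] = parts.password

    if parts.path:
        fields["path"] = parts.path

    # urlsplit returns '' both for "no ?" and for "? with nothing after it",
    # so the original string decides whether url.query exists.
    before_fragment = original.split("#", 1)[0]
    if "?" in before_fragment:
        fields["query"] = parts.query                 # '' when the '?' is empty
    if "#" in original:
        fields["fragment"] = parts.fragment           # '#' itself is not included
    return fields


if __name__ == "__main__":
    for sample in ("https://www.elastic.co:443/search?q=elasticsearch#top",
                   "/search?q=elasticsearch",
                   "https://example.com/login?"):
        print(ecs_url(sample))
```

An `exists` query on `url.query` then separates requests that carried a `?` from those that did not, exactly as the `url.query` description intends.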
- name: user
title: User
group: 2
description: >
The user fields describe information about the user that is relevant
to the event. Fields can have one entry or multiple entries. If a
user has more than one id, provide an array that includes all of
them.
reusable:
top_level: true
expected:
- client
- destination
- host
- server
- source
type: group
fields:
- name: id
level: core
type: keyword
description: >
One or multiple unique identifiers of the user.
- name: name
level: core
type: keyword
example: albert
description: >
Short name or login of the user.
- name: full_name
level: extended
type: keyword
example: Albert Einstein
description: >
User's full name, if available.
- name: email
level: extended
type: keyword
description: >
User email address.
- name: hash
level: extended
type: keyword
description: >
Unique user hash to correlate information for a user in anonymized form.
Useful if `user.id` or `user.name` contain confidential information and
cannot be used.
- name: group
level: extended
type: keyword
description: >
Group the user is a part of. This field can contain a list of groups, if
necessary.
- name: user_agent
title: User agent
group: 2
description: >
The user_agent fields normally come from a browser request. They often
show up in web service logs coming from the parsed user agent string.
type: group
fields:
- name: original
level: extended
type: keyword
description: >
Unparsed version of the user_agent.
example: "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1"
- name: name
level: extended
type: keyword
example: Safari
description: >
Name of the user agent.
- name: version
level: extended
type: keyword
description: >
Version of the user agent.
example: 12.0
- name: device.name
level: extended
type: keyword
example: iPhone
description: >
Name of the device.
- name: os
title: Operating System
group: 2
description: >
The OS fields contain information about the operating system.
reusable:
top_level: false
expected:
- observer
- host
- user_agent
type: group
fields:
- name: platform
level: extended
type: keyword
description: >
Operating system platform (such as centos, ubuntu, windows).
example: darwin
- name: name
level: extended
type: keyword
example: "Mac OS X"
description: >
Operating system name, without the version.
- name: full
level: extended
type: keyword
example: "Mac OS Mojave"
description: >
Operating system name, including the version or code name.
- name: family
level: extended
type: keyword
example: "debian"
description: >
OS family (such as redhat, debian, freebsd, windows).
- name: version
level: extended
type: keyword
example: "10.14.1"
description: >
Operating system version as a raw string.
- name: kernel
level: extended
type: keyword
example: "4.4.0-112-generic"
description: >
Operating system kernel version as a raw string.
# Temporary fix to get 7.0 dashboards working.
# This must go in the ecs.yml as otherwise tests don't work.
- name: beat.name
type: alias
path: agent.type
migration: true
- name: beat.hostname
type: alias
path: agent.hostname
migration: true
# This is not in ECS.
# TODO: https://github.com/elastic/ecs/issues/178
- name: agent.hostname
type: keyword
description: >
Hostname of the agent.
# Several user_agent fields were removed from ECS.
# TODO: Update filebeat/iis/access accordingly.
- name: user_agent.patch
type: keyword
description: >
Patch version of the user agent.
- name: user_agent.minor
type: keyword
description: >
Minor version of the user agent.
- name: user_agent.major
type: keyword
description: >
Major version of the user agent.
- name: user_agent.device
type: keyword
description: >
Name of the physical device.
- name: user_agent.os.major
type: long
description: >
Major version of the operating system.
- name: user_agent.os.minor
type: long
description: >
Minor version of the operating system.
# url.hostname was removed from ECS.
# TODO: Update Suricata module to use url.domain.
- name: url.hostname
type: keyword
description: >
Hostname of the request, such as "elastic.co".
- key: beat
title: Beat
description: >
Contains common beat fields available in all event types.
fields:
- name: beat.timezone
type: alias
path: event.timezone
migration: true
- name: fields
type: object
object_type: keyword
description: >
Contains user configurable fields.
- name: error
type: group
description: >
Error fields containing additional info in case of errors.
fields:
- name: type
type: keyword
description: >
Error type.
- key: common
title: Common
description: >
Contains common fields available in all event types.
fields:
- name: file
type: group
description: File attributes.
fields:
- name: setuid
type: boolean
example: true
description: Set if the file has the `setuid` bit set. Omitted otherwise.
- name: setgid
type: boolean
example: true
description: Set if the file has the `setgid` bit set. Omitted otherwise.
- name: origin
type: text
description: >
An array of strings describing a possible external origin for
this file. For example, the URL it was downloaded from. Only
supported on macOS, via the kMDItemWhereFroms attribute.
Omitted if origin information is not available.
multi_fields:
- name: raw
type: keyword
description: >
This is a non-analyzed field that is useful for aggregations on the
origin data.
- name: selinux
type: group
description: The SELinux identity of the file.
fields:
- name: user
type: keyword
description: The owner of the object.
- name: role
type: keyword
description: The object's SELinux role.
- name: domain
type: keyword
description: The object's SELinux domain or type.
- name: level
type: keyword
example: s0
description: The object's SELinux level.
- key: cloud
title: Cloud provider metadata
description: >
Metadata from cloud providers added by the add_cloud_metadata processor.
fields:
- name: cloud.project.id
example: project-x
description: >
Name of the project in Google Cloud.
# Alias for old fields
- name: meta.cloud.provider
type: alias
path: cloud.provider
migration: true
- name: meta.cloud.instance_id
type: alias
path: cloud.instance.id
migration: true
- name: meta.cloud.instance_name
type: alias
path: cloud.instance.name
migration: true
- name: meta.cloud.machine_type
type: alias
path: cloud.machine.type
migration: true
- name: meta.cloud.availability_zone
type: alias
path: cloud.availability_zone
migration: true
- name: meta.cloud.project_id
type: alias
path: cloud.project.id
migration: true
- name: meta.cloud.region
type: alias
path: cloud.region
migration: true
- key: docker
title: Docker
description: >
Docker stats collected from Docker.
short_config: false
anchor: docker-processor
fields:
- name: docker
type: group
fields:
- name: container.id
type: alias
path: container.id
migration: true
- name: container.image
type: alias
path: container.image.name
migration: true
- name: container.name
type: alias
path: container.name
migration: true
- name: container.labels # TODO: How to map these?
type: object
object_type: keyword
description: >
Image labels.
- key: host
title: Host
description: >
Info collected for the host machine.
anchor: host-processor
fields: {}
- key: kubernetes
title: Kubernetes
description: >
Kubernetes metadata added by the kubernetes processor
short_config: false
anchor: kubernetes-processor
fields:
- name: kubernetes
type: group
fields:
- name: pod.name
type: keyword
description: >
Kubernetes pod name
- name: pod.uid
type: keyword
description: >
Kubernetes Pod UID
- name: namespace
type: keyword
description: >
Kubernetes namespace
- name: node.name
type: keyword
description: >
Kubernetes node name
- name: labels
type: object
description: >
Kubernetes labels map
- name: annotations
type: object
description: >
Kubernetes annotations map
- name: container.name
type: keyword
description: >
Kubernetes container name
- name: container.image
type: keyword
description: >
Kubernetes container image
- key: process
title: Process
description: >
Process metadata fields
fields:
- name: process
type: group
fields:
- name: exe
type: alias
path: process.executable
migration: true
- key: auditd
title: Auditd
description: These are the fields generated by the auditd module.
fields:
- name: user
type: group
fields:
- name: auid
type: keyword
description: login user ID
- name: uid
type: keyword
description: user ID
- name: euid
type: keyword
description: effective user ID
- name: fsuid
type: keyword
description: file system user ID
- name: suid
type: keyword
description: saved user ID
- name: gid
type: keyword
description: group ID
- name: egid
type: keyword
description: effective group ID
- name: sgid
type: keyword
description: saved group ID
- name: fsgid
type: keyword
description: file system group ID
- name: name_map
type: group
description: >
If `resolve_ids` is set to true in the configuration then `name_map`
will contain a mapping of uid field names to the resolved name
(e.g. auid -> root).
fields:
- name: auid
type: keyword
description: login user name
- name: uid
type: keyword
description: user name
- name: euid
type: keyword
description: effective user name
- name: fsuid
type: keyword
description: file system user name
- name: suid
type: keyword
description: saved user name
- name: gid
type: keyword
description: group name
- name: egid
type: keyword
description: effective group name
- name: sgid
type: keyword
description: saved group name
- name: fsgid
type: keyword
description: file system group name
- name: selinux
type: group
description: The SELinux identity of the actor.
fields:
- name: user
type: keyword
description: account submitted for authentication
- name: role
type: keyword
description: user's SELinux role
- name: domain
type: keyword
description: The actor's SELinux domain or type.
- name: level
type: keyword
example: s0
description: The actor's SELinux level.
- name: category
type: keyword
description: The actor's SELinux category or compartments.
- name: process
type: group
description: Process attributes.
fields:
- name: cwd
type: keyword
description: The current working directory.
- name: source
type: group
description: Source that triggered the event.
fields:
- name: path
type: keyword
description: This is the path associated with a unix socket.
- name: destination
type: group
description: Destination address that triggered the event.
fields:
- name: path
type: keyword
description: This is the path associated with a unix socket.
- name: auditd
type: group
fields:
- name: sequence
type: long
description: >
The sequence number of the event as assigned by the kernel. Sequence
numbers are stored as a uint32 in the kernel and can rollover.
- name: session
type: keyword
description: >
The session ID assigned to a login. All events related to a login
session will have the same value.
- name: result
type: keyword
example: success or fail
description: The result of the audited operation (success/fail).
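The auditd field definitions above are derived from a raw record: the `user.*` credential fields come straight from the `auid`/`uid`/`euid`/... keys, `user.name_map` is only filled when `resolve_ids` is on, `user.selinux.*` is a split of the `subj=` context string, and `auditd.sequence` is the kernel's uint32 counter that "can rollover". The following is an added example, not the Beats auditd module's own parser, that turns one constructed SYSCALL record into that layout. The passwd/group tables are constructed, the `s0-s0` / `c0.c1023` split of the context into `level` and `category` is this example's reading of those two fields, and treating `(uid_t)-1` as "unset" and unresolvable ids as their numeric string are assumptions.

```python
"""Parsing one auditd record line into the auditd module's field layout.

Added example, not the Beats auditd module's own code. SAMPLE_RECORD and the
PASSWD/GROUP tables are constructed for the example.
"""
import re
from typing import Any, Dict

# type=<TYPE> msg=audit(<epoch.millis>:<sequence>): <key=value ...>
RECORD_HEADER = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>\d+\.\d+):(?P<seq>\d+)\):\s*(?P<body>.*)$")
KV = re.compile(r'(?P<k>[\w-]+)=(?P<v>"[^"]*"|\S+)')

UID_FIELDS = ("auid", "uid", "euid", "suid", "fsuid")
GID_FIELDS = ("gid", "egid", "sgid", "fsgid")
UNSET_ID = 4294967295            # (uid_t)-1, e.g. auid before any login

PASSWD = {0: "root", 1000: "alice"}   # constructed stand-in for /etc/passwd
GROUP = {0: "root", 1000: "alice"}    # constructed stand-in for /etc/group

SAMPLE_RECORD = (
    'type=SYSCALL msg=audit(1547721691.123:4294967295): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=55d1e1c8e2a0 a1=55d1e1c84b60 a2=55d1e1c8bb30 a3=7 items=2 '
    'ppid=1827 pid=2041 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=0 '
    'sgid=0 fsgid=0 tty=pts0 ses=3 comm="sudo" exe="/usr/bin/sudo" '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="privileged"'
)


def resolve_id(table: Dict[int, str], raw: str) -> str:
    """Numeric id -> name. Assumption: (uid_t)-1 reports as 'unset' and an
    unknown id keeps its numeric form."""
    n = int(raw)
    return "unset" if n == UNSET_ID else table.get(n, raw)


def parse_selinux_context(ctx: str) -> Dict[str, str]:
    """user:role:type[:level[:category]] -> user.selinux.* fields.
    Assumption: 4th component is the sensitivity (range), 5th the categories."""
    return dict(zip(("user", "role", "domain", "level", "category"), ctx.split(":", 4)))


def sequence_delta(previous: int, current: int) -> int:
    """Records between two sequence numbers, honouring the uint32 rollover."""
    return (current - previous) % (1 << 32)


def parse_audit_record(line: str, resolve_ids: bool = False) -> Dict[str, Any]:
    m = RECORD_HEADER.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    kv = {k: v.strip('"') for k, v in KV.findall(m.group("body"))}
    consumed = set()
    event: Dict[str, Any] = {
        "@timestamp": float(m.group("ts")),            # epoch seconds; format as ECS date downstream
        "auditd": {"sequence": int(m.group("seq"))},
        "user": {},
        "process": {},
    }
    if "ses" in kv:
        event["auditd"]["session"] = kv["ses"]; consumed.add("ses")
    if "success" in kv:
        event["auditd"]["result"] = "success" if kv["success"] == "yes" else "fail"
        consumed.add("success")
    for f in UID_FIELDS + GID_FIELDS:              # user.auid, user.uid, ... as strings
        if f in kv:
            event["user"][f] = kv[f]; consumed.add(f)
    if resolve_ids:                                # user.name_map, only when configured
        name_map = {f: resolve_id(PASSWD, kv[f]) for f in UID_FIELDS if f in kv}
        name_map.update({f: resolve_id(GROUP, kv[f]) for f in GID_FIELDS if f in kv})
        event["user"]["name_map"] = name_map
    if "subj" in kv:                               # user.selinux.*
        event["user"]["selinux"] = parse_selinux_context(kv["subj"]); consumed.add("subj")
    for src, dst, conv in (("pid", "pid", int), ("ppid", "ppid", int),
                           ("exe", "executable", str), ("comm", "name", str), ("cwd", "cwd", str)):
        if src in kv:
            event["process"][dst] = conv(kv[src]); consumed.add(src)
    # Everything else (arch, syscall, exit, a0..a3, tty, key, ...) lands under auditd.data as-is.
    event["auditd"]["data"] = {k: v for k, v in kv.items() if k not in consumed}
    return event


if __name__ == "__main__":
    print(parse_audit_record(SAMPLE_RECORD, resolve_ids=True))
```

The record keeps the effective uid `0` next to the login uid `1000`, which is what lets a `sudo`-driven privilege change be seen per event; `sequence_delta` is the check to run between consecutive records to detect dropped audit messages without being fooled by the wrap from 4294967295 back to 0.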
- name: summary
type: group
fields:
- name: actor
type: group
description: The actor is the user that triggered the audit event.
fields:
- name: primary
type: keyword
description: >
The primary identity of the actor. This is the actor's original login
ID. It will not change even if the user changes to another account.
- name: secondary
type: keyword
description: The secondary identity of the actor. This is typically
the same as the primary, except for when the user has used `su`.
- name: object
type: group
description: >
This is the thing or object being acted upon in the event.
fields:
- name: type
type: keyword
description: >
A description of what the "thing" is (e.g. file, socket,
user-session).
- name: primary
type: keyword
description: ""
- name: secondary
type: keyword
description: ""
- name: how
type: keyword
description: >
This describes how the action was performed. Usually this is the exe
or command that was being executed that triggered the event.
- name: paths
type: group
description: List of paths associated with the event.
fields:
- name: inode
type: keyword
description: inode number
- name: dev
type: keyword
description: device name as found in /dev
- name: obj_user
type: keyword
description: ""
- name: obj_role
type: keyword
description: ""
- name: obj_domain
type: keyword
description: ""
- name: obj_level
type: keyword
description: ""
- name: objtype
type: keyword
description: ""
- name: ouid
type: keyword
description: file owner user ID
- name: rdev
type: keyword
description: the device identifier (special files only)
- name: nametype
type: keyword
description: kind of file operation being referenced
- name: ogid
type: keyword
description: file owner group ID
- name: item
type: keyword
description: which item is being recorded
- name: mode
type: keyword
description: mode flags on a file
- name: name
type: keyword
description: file name as recorded in AVC and PATH records
- name: data
type: group
description: The data from the audit messages.
fields:
- name: action
type: keyword
description: netfilter packet disposition
- name: minor
type: keyword
description: device minor number
- name: acct
type: keyword
description: a user's account name
- name: addr
type: keyword
description: the remote address that the user is connecting from
- name: cipher
type: keyword
description: name of crypto cipher selected
- name: id
type: keyword
description: user or group ID affected by an account change
- name: entries
type: keyword
description: number of entries in the netfilter table
- name: kind
type: keyword
description: server or client in crypto operation
- name: ksize
type: keyword
description: key size for crypto operation
- name: spid
type: keyword
description: sent process ID
- name: arch
type: keyword
description: the ELF architecture flags
- name: argc
type: keyword
description: the number of arguments to an execve syscall
- name: major
type: keyword
description: device major number
- name: unit
type: keyword
description: systemd unit
- name: table
type: keyword
description: netfilter table name
- name: terminal
type: keyword
description: terminal name the user is running programs on
- name: grantors
type: keyword
description: pam modules approving the action
- name: direction
type: keyword
description: direction of crypto operation
- name: op
type: keyword
description: the operation being performed that is audited
- name: tty
type: keyword
description: tty device the user is running programs on
- name: syscall
type: keyword
description: syscall number in effect when the event occurred
- name: data
type: keyword
description: TTY text
- name: family
type: keyword
description: netfilter protocol
- name: mac
type: keyword
description: crypto MAC algorithm selected
- name: pfs
type: keyword
description: perfect forward secrecy method
- name: items
type: keyword
description: the number of path records in the event
- name: a0
type: keyword
description: ""
- name: a1
type: keyword
description: ""
- name: a2
type: keyword
description: ""
- name: a3
type: keyword
description: ""
- name: hostname
type: keyword
description: the hostname that the user is connecting from
- name: lport
type: keyword
description: local network port
- name: rport
type: keyword
description: remote port number
- name: exit
type: keyword
description: syscall exit code
- name: fp
type: keyword
description: crypto key fingerprint
- name: laddr
type: keyword
description: local network address
- name: sport
type: keyword
description: local port number
- name: capability
type: keyword
description: POSIX capabilities
- name: nargs
type: keyword
description: the number of arguments to a socket call
- name: new-enabled
type: keyword
description: new TTY audit enabled setting
- name: audit_backlog_limit
type: keyword
description: audit system's backlog queue size
- name: dir
type: keyword
description: directory name
- name: cap_pe
type: keyword
description: process effective capability map
- name: model
type: keyword
description: security model being used for virt
- name: new_pp
type: keyword
description: new process permitted capability map
- name: old-enabled
type: keyword
description: present TTY audit enabled setting
- name: oauid
type: keyword
description: object's login user ID
- name: old
type: keyword
description: old value
- name: banners
type: keyword
description: banners used on printed page
- name: feature
type: keyword
description: kernel feature being changed
- name: vm-ctx
type: keyword
description: the vm's context string
- name: opid
type: keyword
description: object's process ID
- name: seperms
type: keyword
description: SELinux permissions being used
- name: seresult
type: keyword
description: SELinux AVC decision granted/denied
- name: new-rng
type: keyword
description: device name of rng being added from a vm
- name: old-net
type: keyword
description: present MAC address assigned to vm
- name: sigev_signo
type: keyword
description: signal number
- name: ino
type: keyword
description: inode number
- name: old_enforcing
type: keyword
description: old MAC enforcement status
- name: old-vcpu
type: keyword
description: present number of CPU cores
- name: range
type: keyword
description: user's SELinux range
- name: res
type: keyword
description: result of the audited operation (success/fail)
- name: added
type: keyword
description: number of new files detected
- name: fam
type: keyword
description: socket address family
- name: nlnk-pid
type: keyword
description: pid of netlink packet sender
- name: subj
type: keyword
description: LSPP subject's context string
- name: a[0-3]
type: keyword
description: the arguments to a syscall
- name: cgroup
type: keyword
description: path to cgroup in sysfs
- name: kernel
type: keyword
description: kernel's version number
- name: ocomm
type: keyword
description: object's command line name
- name: new-net
type: keyword
description: MAC address being assigned to vm
- name: permissive
type: keyword
description: SELinux is in permissive mode
- name: class
type: keyword
description: resource class assigned to vm
- name: compat
type: keyword
description: is_compat_task result
- name: fi
type: keyword
description: file assigned inherited capability map
- name: changed
type: keyword
description: number of changed files
- name: msg
type: keyword
description: the payload of the audit record
- name: dport
type: keyword
description: remote port number
- name: new-seuser
type: keyword
description: new SELinux user
- name: invalid_context
type: keyword
description: SELinux context
- name: dmac
type: keyword
description: remote MAC address
- name: ipx-net
type: keyword
description: IPX network number
- name: iuid
type: keyword
description: ipc object's user ID
- name: macproto
type: keyword
description: ethernet packet type ID field
- name: obj
type: keyword
description: lspp object context string
- name: ipid
type: keyword
description: IP datagram fragment identifier
- name: new-fs
type: keyword
description: file system being added to vm
- name: vm-pid
type: keyword
description: vm's process ID
- name: cap_pi
type: keyword
description: process inherited capability map
- name: old-auid
type: keyword
description: previous auid value
- name: oses
type: keyword
description: object's session ID
- name: fd
type: keyword
description: file descriptor number
- name: igid
type: keyword
description: ipc object's group ID
- name: new-disk
type: keyword
description: disk being added to vm
- name: parent
type: keyword
description: the inode number of the parent file
- name: len
type: keyword
description: length
- name: oflag
type: keyword
description: open syscall flags
- name: uuid
type: keyword
description: a UUID
- name: code
type: keyword
description: seccomp action code
- name: nlnk-grp
type: keyword
description: netlink group number
- name: cap_fp
type: keyword
description: file permitted capability map
- name: new-mem
type: keyword
description: new amount of memory in KB
- name: seperm
type: keyword
description: SELinux permission being decided on
- name: enforcing
type: keyword
description: new MAC enforcement status
- name: new-chardev
type: keyword
description: new character device being assigned to vm
- name: old-rng
type: keyword
description: device name of rng being removed from a vm
- name: outif
type: keyword
description: out interface number
- name: cmd
type: keyword
description: command being executed
- name: hook
type: keyword
description: netfilter hook that packet came from
- name: new-level
type: keyword
description: new run level
- name: sauid
type: keyword
description: sent login user ID
- name: sig
type: keyword
description: signal number
- name: audit_backlog_wait_time
type: keyword
description: audit system's backlog wait time
- name: printer
type: keyword
description: printer name
- name: old-mem
type: keyword
description: present amount of memory in KB
- name: perm
type: keyword
description: the file permission being used
- name: old_pi
type: keyword
description: old process inherited capability map
- name: state
type: keyword
description: audit daemon configuration resulting state
- name: format
type: keyword
description: audit log's format
- name: new_gid
type: keyword
description: new group ID being assigned
- name: tcontext
type: keyword
description: the target's or object's context string
- name: maj
type: keyword
description: device major number
- name: watch
type: keyword
description: file name in a watch record
- name: device
type: keyword
description: device name
- name: grp
type: keyword
description: group name
- name: bool
type: keyword
description: name of SELinux boolean
- name: icmp_type
type: keyword
description: type of icmp message
- name: new_lock
type: keyword
description: new value of feature lock
- name: old_prom
type: keyword
description: network promiscuity flag
- name: acl
type: keyword
description: access mode of resource assigned to vm
- name: ip
type: keyword
description: network address of a printer
- name: new_pi
type: keyword
description: new process inherited capability map
- name: default-context
type: keyword
description: default MAC context
- name: inode_gid
type: keyword
description: group ID of the inode's owner
- name: new-log_passwd
type: keyword
description: new value for TTY password logging
- name: new_pe
type: keyword
description: new process effective capability map
- name: selected-context
type: keyword
description: new MAC context assigned to session
- name: cap_fver
type: keyword
description: file system capabilities version number
- name: file
type: keyword
description: file name
- name: net
type: keyword
description: network MAC address
- name: virt
type: keyword
description: kind of virtualization being referenced
- name: cap_pp
type: keyword
description: process permitted capability map
- name: old-range
type: keyword
description: present SELinux range
- name: resrc
type: keyword
description: resource being assigned
- name: new-range
type: keyword
description: new SELinux range
- name: obj_gid
type: keyword
description: group ID of object
- name: proto
type: keyword
description: network protocol
- name: old-disk
type: keyword
description: disk being removed from vm
- name: audit_failure
type: keyword
description: audit system's failure mode
- name: inif
type: keyword
description: in interface number
- name: vm
type: keyword
description: virtual machine name
- name: flags
type: keyword
description: mmap syscall flags
- name: nlnk-fam
type: keyword
description: netlink protocol number
- name: old-fs
type: keyword
description: file system being removed from vm
- name: old-ses
type: keyword
description: previous ses value
- name: seqno
type: keyword
description: sequence number
- name: fver
type: keyword
description: file system capabilities version number
- name: qbytes
type: keyword
description: ipc object's quantity of bytes
- name: seuser
type: keyword
description: user's SELinux user account
- name: cap_fe
type: keyword
description: file assigned effective capability map
- name: new-vcpu
type: keyword
description: new number of CPU cores
- name: old-level
type: keyword
description: old run level
- name: old_pp
type: keyword
description: old process permitted capability map
- name: daddr
type: keyword
description: remote IP address
- name: old-role
type: keyword
description: present SELinux role
- name: ioctlcmd
type: keyword
description: The request argument to the ioctl syscall
- name: smac
type: keyword
description: local MAC address
- name: apparmor
type: keyword
description: apparmor event information
- name: fe
type: keyword
description: file assigned effective capability map
- name: perm_mask
type: keyword
description: file permission mask that triggered a watch event
- name: ses
type: keyword
description: login session ID
- name: cap_fi
type: keyword
description: file inherited capability map
- name: obj_uid
type: keyword
description: user ID of object
- name: reason
type: keyword
description: text string denoting a reason for the action
- name: list
type: keyword
description: the audit system's filter list number
- name: old_lock
type: keyword
description: present value of feature lock
- name: bus
type: keyword
description: name of subsystem bus a vm resource belongs to
- name: old_pe
type: keyword
description: old process effective capability map
- name: new-role
type: keyword
description: new SELinux role
- name: prom
type: keyword
description: network promiscuity flag
- name: uri
type: keyword
description: URI pointing to a printer
- name: audit_enabled
type: keyword
description: audit system's enable/disable status
- name: old-log_passwd
type: keyword
description: present value for TTY password logging
- name: old-seuser
type: keyword
description: present SELinux user
- name: per
type: keyword
description: linux personality
- name: scontext
type: keyword
description: the subject's context string
- name: tclass
type: keyword
description: target's object classification
- name: ver
type: keyword
description: audit daemon's version number
- name: new
type: keyword
description: value being set in feature
- name: val
type: keyword
description: generic value associated with the operation
- name: img-ctx
type: keyword
description: the vm's disk image context string
- name: old-chardev
type: keyword
description: present character device assigned to vm
- name: old_val
type: keyword
description: current value of SELinux boolean
- name: success
type: keyword
description: whether the syscall was successful or not
- name: inode_uid
type: keyword
description: user ID of the inode's owner
- name: removed
type: keyword
description: number of deleted files
- name: socket
type: group
fields:
- name: port
type: keyword
description: The port number.
- name: saddr
type: keyword
description: The raw socket address structure.
- name: addr
type: keyword
description: The remote address.
- name: family
type: keyword
example: unix
description: The socket family (unix, ipv4, ipv6, netlink).
- name: path
type: keyword
description: This is the path associated with a unix socket.
- name: messages
type: text
description: >
An ordered list of the raw messages received from the kernel that
were used to construct this document. This field is present if an error
occurred processing the data or if `include_raw_message` is set
in the config.
- name: warnings
type: keyword
description: >
The warnings generated by the Beat during the construction of the event.
These are disabled by default and are used for development and debug
purposes only.
- name: geoip
type: group
description: >
The geoip fields are defined as a convenience in case you decide to
enrich the data using a geoip filter in Logstash or Ingest Node.
fields:
- name: continent_name
type: keyword
description: >
The name of the continent.
- name: city_name
type: keyword
description: >
The name of the city.
- name: region_name
type: keyword
description: >
The name of the region.
- name: country_iso_code
type: keyword
description: >
Country ISO code.
- name: location
type: geo_point
description: >
The longitude and latitude.
- key: file_integrity
title: File Integrity
description: These are the fields generated by the file_integrity module.
fields:
- name: hash
type: group
description: >
Hashes of the file. The keys are algorithm names and the values are
the hex encoded digest values.
fields:
- name: blake2b_256
type: keyword
description: BLAKE2b-256 hash of the file.
- name: blake2b_384
type: keyword
description: BLAKE2b-384 hash of the file.
- name: blake2b_512
type: keyword
description: BLAKE2b-512 hash of the file.
- name: md5
type: keyword
description: MD5 hash of the file.
- name: sha1
type: keyword
description: SHA1 hash of the file.
- name: sha224
type: keyword
description: SHA224 hash of the file.
- name: sha256
type: keyword
description: SHA256 hash of the file.
- name: sha384
type: keyword
description: SHA384 hash of the file.
- name: sha3_224
type: keyword
description: SHA3_224 hash of the file.
- name: sha3_256
type: keyword
description: SHA3_256 hash of the file.
- name: sha3_384
type: keyword
description: SHA3_384 hash of the file.
- name: sha3_512
type: keyword
description: SHA3_512 hash of the file.
- name: sha512
type: keyword
description: SHA512 hash of the file.
- name: sha512_224
type: keyword
description: SHA512/224 hash of the file.
- name: sha512_256
type: keyword
description: SHA512/256 hash of the file.
- name: xxh64
type: keyword
description: XXH64 (xxHash 64-bit) hash of the file.