/ecs-example.json
Last active Apr 11, 2019
Example ECS event
| { | |
| "@timestamp": "2018-12-07T11:05:07.000Z", | |
| "agent" : { | |
| "type": "filebeat", | |
| "version": "7.0.0-beta1" | |
| }, | |
| "ecs": { "version": "1.0.0" }, | |
| "event": { | |
| "action": "get", | |
| "dataset": "apache.access", | |
| "original": "10.42.42.42 - - [07/Dec/2018:11:05:07 +0100] \"GET /blog HTTP/1.1\" 200 2571 \"-\" \"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36\"" | |
| }, | |
| "http" : { | |
| "request": { | |
| "method": "get", | |
| "referrer": "-" | |
| }, | |
| "response": { | |
| "body": { "bytes": 2571 }, | |
| "status_code": 200 | |
| }, | |
| "version": "1.1" | |
| }, | |
| "host": { | |
| "architecture": "x86_64", | |
| "hostname": "webserver-blog-prod", | |
| "id": "i-1234567890abcdef0", | |
| "ip": "10.166.166.166" | |
| }, | |
| "message": "\"GET /blog HTTP/1.1\" 200 2571", | |
| "service": { | |
| "name": "Company blog", | |
| "type": "apache" | |
| }, | |
| "source": { | |
| "geo": { | |
| "continent_name" : "Asia", | |
| "location" : { | |
| "lon" : 126.97409999999999, | |
| "lat" : 37.5112 | |
| }, | |
| "country_iso_code" : "KR" | |
| }, | |
| "ip": "10.42.42.42" | |
| }, | |
| "url": { "original": "/blog" }, | |
| "user": { "name": "-" }, | |
| "user_agent" : { | |
| "name" : "Chrome", | |
| "original" : "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", | |
| "os" : { | |
| "name" : "Mac OS X", | |
| "version" : "10.14.0", | |
| "full" : "Mac OS X 10.14.0" | |
| }, | |
| "device" : { | |
| "name" : "Other" | |
| }, | |
| "version" : "70.0.3538" | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This comment has been minimized.
domankus commentedApr 11, 2019
•
edited
The
@timestampshould be2018-12-07T10:05:07.000Z(if it's taken from "[07/Dec/2018:11:05:07 +0100]").