System fields


These are the fields generated by the system module.

event.origin

type: keyword

Origin of the event. This can be a file path (e.g. /var/log/log.1), or the name of the system component that supplied the data (e.g. netlink).

event.outcome

type: keyword

example: success

The outcome of the event. If the event describes an action, this field contains the outcome of that action. Example outcomes are success and failure. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.

user.entity_id

type: keyword

ID uniquely identifying the user on a host. It is computed as a SHA-256 hash of the host ID, user ID, and user name.

user.terminal

type: keyword

Terminal of the user.

process.entity_id

type: keyword

ID uniquely identifying the process. It is computed as a SHA-256 hash of the host ID, PID, and process start time.

socket.entity_id

type: keyword

ID uniquely identifying the socket. It is computed as a SHA-256 hash of the host ID, socket inode, local IP, local port, remote IP, and remote port.

system.audit fields


host fields


host contains general host information.

system.audit.host.uptime

type: long

format: duration

Uptime in nanoseconds.

system.audit.host.boottime

type: date

Boot time.

system.audit.host.containerized

type: boolean

Set if host is a container.

system.audit.host.timezone.name

type: keyword

Name of the timezone of the host, e.g. BST.

system.audit.host.timezone.offset.sec

type: long

Timezone offset in seconds.

system.audit.host.hostname

type: keyword

Hostname.

system.audit.host.id

type: keyword

Host ID.

system.audit.host.architecture

type: keyword

Host architecture (e.g. x86_64).

system.audit.host.mac

type: keyword

MAC addresses.

system.audit.host.ip

type: ip

IP addresses.

os fields


os contains information about the operating system.

system.audit.host.os.platform

type: keyword

OS platform (e.g. centos, ubuntu, windows).

system.audit.host.os.name

type: keyword

OS name (e.g. Mac OS X).

system.audit.host.os.family

type: keyword

OS family (e.g. redhat, debian, freebsd, windows).

system.audit.host.os.version

type: keyword

OS version.

system.audit.host.os.kernel

type: keyword

The operating system’s kernel version.

package fields


package contains information about an installed or removed package.

system.audit.package.entity_id

type: keyword

ID uniquely identifying the package. It is computed as a SHA-256 hash of the host ID, package name, and package version.
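The entity_id fields above (user.entity_id, process.entity_id, socket.entity_id and system.audit.package.entity_id) all follow the same pattern: a SHA-256 over a fixed set of attributes, giving a key that stays stable across events for the same object but changes when the object is replaced. The example below is added here to show why that matters for correlation, in particular why hashing the PID together with the process start time keeps a recycled PID from being mistaken for the original process. It is not Auditbeat's code: the page does not describe how the parts are serialized before hashing, so the NUL-separated layout and the base64 output format are assumptions, and the IDs it produces will not match the entity_id values in real Auditbeat events. The host ID and other inputs are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strconv"
)

// entityID hashes the given parts with SHA-256 and returns the digest as
// unpadded base64. The byte layout (each part followed by a NUL separator)
// is an assumption made for this example; Auditbeat's own serialization is
// not described on this page, so IDs computed here will not match the
// entity_id values in real Auditbeat events.
func entityID(parts ...string) string {
	h := sha256.New()
	for _, p := range parts {
		h.Write([]byte(p))
		h.Write([]byte{0}) // separator, so ("ab","c") and ("a","bc") differ
	}
	return base64.RawStdEncoding.EncodeToString(h.Sum(nil))
}

// userEntityID: host ID, user ID, user name (user.entity_id).
func userEntityID(hostID, uid, name string) string {
	return entityID(hostID, uid, name)
}

// processEntityID: host ID, PID, process start time (process.entity_id).
// The start time is carried as Unix nanoseconds.
func processEntityID(hostID string, pid int, startUnixNano int64) string {
	return entityID(hostID, strconv.Itoa(pid), strconv.FormatInt(startUnixNano, 10))
}

// socketEntityID: host ID, inode, local IP, local port, remote IP, remote port
// (socket.entity_id).
func socketEntityID(hostID string, inode uint64, lip string, lport int, rip string, rport int) string {
	return entityID(hostID, strconv.FormatUint(inode, 10), lip, strconv.Itoa(lport), rip, strconv.Itoa(rport))
}

// packageEntityID: host ID, package name, package version
// (system.audit.package.entity_id).
func packageEntityID(hostID, name, version string) string {
	return entityID(hostID, name, version)
}

// sameProcessIdentity reports whether two observations sharing a host and
// PID refer to the same process: they do only if the start time matches.
func sameProcessIdentity(hostID string, pid int, start1, start2 int64) bool {
	return processEntityID(hostID, pid, start1) == processEntityID(hostID, pid, start2)
}

func main() {
	host := "8f7a4c1e-host-id" // constructed host ID
	// PID 4242 observed twice: once for a process started at one time, then
	// again after the kernel recycled the PID for a process started later.
	a := processEntityID(host, 4242, 1_700_000_000_000_000_000)
	b := processEntityID(host, 4242, 1_700_000_005_000_000_000)
	fmt.Println("same process after PID reuse?", a == b) // false
	fmt.Println("user:", userEntityID(host, "1001", "svc"))
	fmt.Println("socket:", socketEntityID(host, 98765, "10.0.0.5", 44321, "203.0.113.9", 443))
	fmt.Println("package:", packageEntityID(host, "openssl", "3.0.2-0ubuntu1.15"))
}
```

Because the host ID is part of every hash, the same user name and UID on two hosts yield two different user.entity_id values; pivot on user.name or user.uid when you want to follow an account across a fleet, and on entity_id when you want exactly one host's instance of it.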

system.audit.package.name

type: keyword

Package name.

system.audit.package.version

type: keyword

Package version.

system.audit.package.release

type: keyword

Package release.

system.audit.package.arch

type: keyword

Package architecture.

system.audit.package.license

type: keyword

Package license.

system.audit.package.installtime

type: date

Package install time.

system.audit.package.size

type: long

Package size.

system.audit.package.summary

Package summary.

system.audit.package.url

type: keyword

Package URL.

user fields


user contains information about the users on a system.

system.audit.user.name

type: keyword

User name.

system.audit.user.uid

type: keyword

User ID.

system.audit.user.gid

type: keyword

Group ID.

system.audit.user.dir

type: keyword

User’s home directory.

system.audit.user.shell

type: keyword

Program to run at login.

system.audit.user.user_information

type: text

General user information. On Linux, this is the gecos field.

system.audit.user.group

type: object

group contains information about any groups the user is part of (beyond the user’s primary group).

password fields


password contains information about a user’s password (not the password itself).

system.audit.user.password.type

type: keyword

A user’s password type. Possible values are shadow_password (the password hash is in the shadow file), password_disabled, no_password (this is dangerous as anyone can log in), and crypt_password (when the password field in /etc/passwd seems to contain an encrypted password).

system.audit.user.password.last_changed

type: date

The day the user’s password was last changed.
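The four password.type values above map onto what the password field of /etc/passwd and the hash field of /etc/shadow contain, and password.last_changed comes from the shadow file's "days since 1970-01-01" field. The example below is added here to show that classification over constructed passwd and shadow lines and to pull out the accounts a reviewer cares about most: those with no password at all, and those that still keep a hash in world-readable /etc/passwd. It is not Auditbeat's code; the rules follow the field description on this page, and treating a user whose passwd entry says "x" but who has no shadow entry as password_disabled is this example's own choice. The sample lines and hashes are constructed placeholders, not real credentials.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Constructed /etc/passwd and /etc/shadow lines for this example; the
// hashes are placeholders, not real credentials.
const passwdSample = `root:x:0:0:root:/root:/bin/bash
svc:x:1001:1001:service account:/var/svc:/usr/sbin/nologin
tmp:x:1004:1004::/tmp:/bin/sh
legacy:$1$saltsalt$qJH7.N4xYta3aEG/dfqo/0:1002:1002::/home/legacy:/bin/sh
guest::1003:1003:guest:/home/guest:/bin/sh`

const shadowSample = `root:$6$rounds=5000$saltsalt$placeholderhash:19000:0:99999:7:::
svc:!:18500:0:99999:7:::
tmp::19100:0:99999:7:::`

// PasswordInfo mirrors system.audit.user.password.*; LastChanged is the
// zero time when the shadow file records no change date.
type PasswordInfo struct {
	Type        string
	LastChanged time.Time
}

// parseShadow maps user name to the colon-separated shadow fields.
func parseShadow(shadow string) map[string][]string {
	out := map[string][]string{}
	for _, line := range strings.Split(shadow, "\n") {
		if f := strings.Split(line, ":"); len(f) >= 2 {
			out[f[0]] = f
		}
	}
	return out
}

// auditPasswords classifies every passwd entry using the rules in the
// field description. An "x" with no shadow entry is reported as
// password_disabled here because no hash exists to match against.
func auditPasswords(passwd, shadow string) map[string]PasswordInfo {
	sh := parseShadow(shadow)
	out := map[string]PasswordInfo{}
	for _, line := range strings.Split(passwd, "\n") {
		f := strings.Split(line, ":")
		if len(f) < 7 {
			continue // malformed line
		}
		user, pw := f[0], f[1]
		var info PasswordInfo
		switch {
		case pw == "":
			info.Type = "no_password" // anyone can log in as this user
		case pw == "x":
			entry, ok := sh[user]
			switch {
			case !ok:
				info.Type = "password_disabled"
			case entry[1] == "":
				info.Type = "no_password"
			case strings.HasPrefix(entry[1], "!") || strings.HasPrefix(entry[1], "*"):
				info.Type = "password_disabled"
			default:
				info.Type = "shadow_password"
			}
			if ok && len(entry) > 2 && entry[2] != "" {
				if days, err := strconv.ParseInt(entry[2], 10, 64); err == nil {
					// shadow stores the change date as days since 1970-01-01
					info.LastChanged = time.Unix(days*86400, 0).UTC()
				}
			}
		case strings.HasPrefix(pw, "!") || strings.HasPrefix(pw, "*"):
			info.Type = "password_disabled"
		default:
			info.Type = "crypt_password" // hash sits in world-readable /etc/passwd
		}
		out[user] = info
	}
	return out
}

// accountsWithType returns the sorted user names whose password type is t.
func accountsWithType(infos map[string]PasswordInfo, t string) []string {
	var names []string
	for u, i := range infos {
		if i.Type == t {
			names = append(names, u)
		}
	}
	sort.Strings(names)
	return names
}

func main() {
	infos := auditPasswords(passwdSample, shadowSample)
	for _, u := range accountsWithType(infos, "no_password") {
		fmt.Printf("ALERT %s: no password set\n", u)
	}
	for _, u := range accountsWithType(infos, "crypt_password") {
		fmt.Printf("WARN  %s: hash stored in /etc/passwd\n", u)
	}
	fmt.Printf("root password last changed %s\n", infos["root"].LastChanged.Format("2006-01-02"))
}
```

On a real host the same logic runs over /etc/passwd and /etc/shadow directly (the latter needs root to read), which is why the module reports the password type and change date rather than the hash itself.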