ECS fields

edit

ECS Fields.

@timestamp

Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.

type: date

example: 2016-05-23T08:05:34.853Z

required: True

labels

Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: docker and k8s labels.

type: object

example: {application: foo-bar, env: production}

message

For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.

type: text

example: Hello World

tags

List of keywords used to tag each event.

type: keyword

example: ["production", "env2"]

agent

edit

The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.

agent.ephemeral_id

Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but agent.id does not.

type: keyword

example: 8a4f500f

agent.id

Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.

type: keyword

example: 8a4f500d

agent.name

Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty.

type: keyword

example: foo

agent.type

Type of the agent. The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine.

type: keyword

example: filebeat

agent.version

Version of the agent.

type: keyword

example: 6.0.0-rc2

client

edit

A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.

client.address

Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain, depending on which one it is.

type: keyword

client.bytes

Bytes sent from the client to the server.

type: long

example: 184

format: bytes

client.domain

Client domain.

type: keyword

client.geo.city_name

City name.

type: keyword

example: Montreal

client.geo.continent_name

Name of the continent.

type: keyword

example: North America

client.geo.country_iso_code

Country ISO code.

type: keyword

example: CA

client.geo.country_name

Country name.

type: keyword

example: Canada

client.geo.location

Longitude and latitude.

type: geo_point

example: { "lon": -73.614830, "lat": 45.505918 }

client.geo.name

User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.

type: keyword

example: boston-dc

client.geo.region_iso_code

Region ISO code.

type: keyword

example: CA-QC

client.geo.region_name

Region name.

type: keyword

example: Quebec

client.ip

IP address of the client. Can be one or multiple IPv4 or IPv6 addresses.

type: ip

client.mac

MAC address of the client.

type: keyword

client.packets

Packets sent from the client to the server.

type: long

example: 12

client.port

Port of the client.

type: long

client.user.email

User email address.

type: keyword

client.user.full_name

User’s full name, if available.

type: keyword

example: Albert Einstein

client.user.group.id

Unique identifier for the group on the system/platform.

type: keyword

client.user.group.name

Name of the group.

type: keyword

client.user.hash

Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used.

type: keyword

client.user.id

One or multiple unique identifiers of the user.

type: keyword

client.user.name

Short name or login of the user.

type: keyword

example: albert

cloud

edit

Fields related to the cloud or infrastructure the events are coming from.

cloud.account.id

The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.

type: keyword

example: 666777888999

cloud.availability_zone

Availability zone in which this host is running.

type: keyword

example: us-east-1c

cloud.instance.id

Instance ID of the host machine.

type: keyword

example: i-1234567890abcdef0

cloud.instance.name

Instance name of the host machine.

type: keyword

cloud.machine.type

Machine type of the host machine.

type: keyword

example: t2.medium

cloud.provider

Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.

type: keyword

example: aws

cloud.region

Region in which this host is running.

type: keyword

example: us-east-1

container

edit

Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.

container.id

Unique container id.

type: keyword

container.image.name

Name of the image the container was built on.

type: keyword

container.image.tag

Container image tag.

type: keyword

container.labels

Image labels.

type: object

container.name

Container name.

type: keyword

container.runtime

Runtime managing this container.

type: keyword

example: docker

destination

edit

Destination fields describe details about the destination of a packet/event. Destination fields are usually populated in conjunction with source fields.

destination.address

Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain, depending on which one it is.

type: keyword

destination.bytes

Bytes sent from the destination to the source.

type: long

example: 184

format: bytes

destination.domain

Destination domain.

type: keyword

destination.geo.city_name

City name.

type: keyword

example: Montreal

destination.geo.continent_name

Name of the continent.

type: keyword

example: North America

destination.geo.country_iso_code

Country ISO code.

type: keyword

example: CA

destination.geo.country_name

Country name.

type: keyword

example: Canada

destination.geo.location

Longitude and latitude.

type: geo_point

example: { "lon": -73.614830, "lat": 45.505918 }

destination.geo.name

User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.

type: keyword

example: boston-dc

destination.geo.region_iso_code

Region ISO code.

type: keyword

example: CA-QC

destination.geo.region_name

Region name.

type: keyword

example: Quebec

destination.ip

IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.

type: ip

destination.mac

MAC address of the destination.

type: keyword

destination.packets

Packets sent from the destination to the source.

type: long

example: 12

destination.port

Port of the destination.

type: long

destination.user.email

User email address.

type: keyword

destination.user.full_name

User’s full name, if available.

type: keyword

example: Albert Einstein

destination.user.group.id

Unique identifier for the group on the system/platform.

type: keyword

destination.user.group.name

Name of the group.

type: keyword

destination.user.hash

Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used.

type: keyword

destination.user.id

One or multiple unique identifiers of the user.

type: keyword

destination.user.name

Short name or login of the user.

type: keyword

example: albert

ecs

edit

Meta-information specific to ECS.

ecs.version

ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices — which may conform to slightly different ECS versions — this field lets integrations adjust to the schema version of the events.

type: keyword

example: 1.0.0

required: True

error

edit

These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error.

error.code

Error code describing the error.

type: keyword

error.id

Unique identifier for the error.

type: keyword

error.message

Error message.

type: text

event

edit

The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host.

event.action

The action captured by the event. This describes the information in the event. It is more specific than event.category. Examples are group-add, process-started, file-created. The value is normally defined by the implementer.

type: keyword

example: user-password-change

event.category

Event category. This contains high-level information about the contents of the event. It is more generic than event.action, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.

type: keyword

example: user-management

event.created

event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent’s or pipeline’s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.

type: date

event.dataset

Name of the dataset. The concept of a dataset (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name.

type: keyword

example: stats

event.duration

Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time.

type: long

format: duration

event.end

event.end contains the date when the event ended or when the activity was last observed.

type: date

event.hash

Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.

type: keyword

example: 123456789012345678901234567890ABCD

event.id

Unique ID to describe the event.

type: keyword

example: 8a4f500d

event.kind

The kind of the event. This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are event, state, alarm. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.

type: keyword

example: state

event.module

Name of the module this data is coming from. This information is coming from the modules used in Beats or Logstash.

type: keyword

example: mysql

event.original

Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from _source.

type: keyword

example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232

event.outcome

The outcome of the event. If the event describes an action, this fields contains the outcome of that action. Examples outcomes are success and failure. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.

type: keyword

example: success

event.risk_score

Risk score or priority of the event (e.g. security solutions). Use your system’s original value here.

type: float

event.risk_score_norm

Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.

type: float

event.severity

Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It’s up to the implementer to make sure severities are consistent across events.

type: long

example: 7

event.start

event.start contains the date when the event started or when the activity was first observed.

type: date

event.timezone

This field should be populated when the event’s timestamp does not include timezone information already (e.g. default Syslog timestamps). It’s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").

type: keyword

event.type

Reserved for future usage. Please avoid using this field for user data.

type: keyword

file

edit

A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.

file.ctime

Last time file metadata changed.

type: date

file.device

Device that is the source of the file.

type: keyword

file.extension

File extension. This should allow easy filtering by file extensions.

type: keyword

example: png

file.gid

Primary group ID (GID) of the file.

type: keyword

file.group

Primary group name of the file.

type: keyword

file.inode

Inode representing the file in the filesystem.

type: keyword

file.mode

Mode of the file in octal representation.

type: keyword

example: 416

file.mtime

Last time file content was modified.

type: date

file.owner

File owner’s username.

type: keyword

file.path

Path to the file.

type: keyword

file.size

File size in bytes (field is only added when type is file).

type: long

file.target_path

Target path for symlinks.

type: keyword

file.type

File type (file, dir, or symlink).

type: keyword

file.uid

The user ID (UID) or security identifier (SID) of the file owner.

type: keyword

geo

edit

Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied.

geo.city_name

City name.

type: keyword

example: Montreal

geo.continent_name

Name of the continent.

type: keyword

example: North America

geo.country_iso_code

Country ISO code.

type: keyword

example: CA

geo.country_name

Country name.

type: keyword

example: Canada

geo.location

Longitude and latitude.

type: geo_point

example: { "lon": -73.614830, "lat": 45.505918 }

geo.name

User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.

type: keyword

example: boston-dc

geo.region_iso_code

Region ISO code.

type: keyword

example: CA-QC

geo.region_name

Region name.

type: keyword

example: Quebec

group

edit

The group fields are meant to represent groups that are relevant to the event.

group.id

Unique identifier for the group on the system/platform.

type: keyword

group.name

Name of the group.

type: keyword

host

edit

A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.

host.architecture

Operating system architecture.

type: keyword

example: x86_64

host.geo.city_name

City name.

type: keyword

example: Montreal

host.geo.continent_name

Name of the continent.

type: keyword

example: North America

host.geo.country_iso_code

Country ISO code.

type: keyword

example: CA

host.geo.country_name

Country name.

type: keyword

example: Canada

host.geo.location

Longitude and latitude.

type: geo_point

example: { "lon": -73.614830, "lat": 45.505918 }

host.geo.name

User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.

type: keyword

example: boston-dc

host.geo.region_iso_code

Region ISO code.

type: keyword

example: CA-QC

host.geo.region_name

Region name.

type: keyword

example: Quebec

host.hostname

Hostname of the host. It normally contains what the hostname command returns on the host machine.

type: keyword

host.id

Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.

type: keyword

host.ip

Host ip address.

type: ip

host.mac

Host mac address.

type: keyword

host.name

Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.

type: keyword

host.os.family

OS family (such as redhat, debian, freebsd, windows).

type: keyword

example: debian

host.os.full

Operating system name, including the version or code name.

type: keyword

example: Mac OS Mojave

host.os.kernel

Operating system kernel version as a raw string.

type: keyword

example: 4.4.0-112-generic

host.os.name

Operating system name, without the version.

type: keyword

example: Mac OS X

host.os.platform

Operating system platform (such centos, ubuntu, windows).

type: keyword

example: darwin

host.os.version

Operating system version as a raw string.

type: keyword

example: 10.14.1

host.type

Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.

type: keyword

host.user.email

User email address.

type: keyword

host.user.full_name

User’s full name, if available.

type: keyword

example: Albert Einstein

host.user.group.id

Unique identifier for the group on the system/platform.

type: keyword

host.user.group.name

Name of the group.

type: keyword

host.user.hash

Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used.

type: keyword

host.user.id

One or multiple unique identifiers of the user.

type: keyword

host.user.name

Short name or login of the user.

type: keyword

example: albert

http

edit

Fields related to HTTP activity. Use the url field set to store the url of the request.

http.request.body.bytes

Size in bytes of the request body.

type: long

example: 887

format: bytes

http.request.body.content

The full HTTP request body.

type: keyword

example: Hello world

http.request.bytes

Total size in bytes of the request (body and headers).

type: long

example: 1437

format: bytes

http.request.method

HTTP request method. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".

type: keyword

example: get, post, put

http.request.referrer

Referrer for this HTTP request.

type: keyword

example: https://blog.example.com/

http.response.body.bytes

Size in bytes of the response body.

type: long

example: 887

format: bytes

http.response.body.content

The full HTTP response body.

type: keyword

example: Hello world

http.response.bytes

Total size in bytes of the response (body and headers).

type: long

example: 1437

format: bytes

http.response.status_code

HTTP response status code.

type: long

example: 404

http.version

HTTP version.

type: keyword

example: 1.1

log

edit

Fields which are specific to log events.

log.level

Original log level of the log event. Some examples are warn, error, i.

type: keyword

example: err

log.original

This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the message field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can’t be queried but the value can be retrieved from _source.

type: keyword

example: Sep 19 08:26:10 localhost My log

network

edit

The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event.

network.application

A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".

type: keyword

example: aim

network.bytes

Total bytes transferred in both directions. If source.bytes and destination.bytes are known, network.bytes is their sum.

type: long

example: 368

format: bytes

network.community_id

A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec.

type: keyword

example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=

network.direction

Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown

When mapping events from a host-based monitoring context, populate this field from the host’s point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter.

type: keyword

example: inbound

network.forwarded_ip

Host IP address when the source IP address is the proxy.

type: ip

example: 192.1.1.2

network.iana_number

IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.

type: keyword

example: 6

network.name

Name given by operators to sections of their network.

type: keyword

example: Guest Wifi

network.packets

Total packets transferred in both directions. If source.packets and destination.packets are known, network.packets is their sum.

type: long

example: 24

network.protocol

L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".

type: keyword

example: http

network.transport

Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".

type: keyword

example: tcp

network.type

In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".

type: keyword

example: ipv4

observer

edit

An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.

observer.geo.city_name

City name.

type: keyword

example: Montreal

observer.geo.continent_name

Name of the continent.

type: keyword

example: North America

observer.geo.country_iso_code

Country ISO code.

type: keyword

example: CA

observer.geo.country_name

Country name.

type: keyword

example: Canada

observer.geo.location

Longitude and latitude.

type: geo_point

example: { "lon": -73.614830, "lat": 45.505918 }

observer.geo.name

User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.

type: keyword

example: boston-dc

observer.geo.region_iso_code

Region ISO code.

type: keyword

example: CA-QC

observer.geo.region_name

Region name.

type: keyword

example: Quebec

observer.hostname

Hostname of the observer.

type: keyword

observer.ip

IP address of the observer.

type: ip

observer.mac

MAC address of the observer

type: keyword

observer.os.family

OS family (such as redhat, debian, freebsd, windows).

type: keyword

example: debian

observer.os.full

Operating system name, including the version or code name.

type: keyword

example: Mac OS Mojave

observer.os.kernel

Operating system kernel version as a raw string.

type: keyword

example: 4.4.0-112-generic

observer.os.name

Operating system name, without the version.

type: keyword

example: Mac OS X

observer.os.platform

Operating system platform (such centos, ubuntu, windows).

type: keyword

example: darwin

observer.os.version

Operating system version as a raw string.

type: keyword

example: 10.14.1

observer.serial_number

Observer serial number.

type: keyword

observer.type

The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are forwarder, firewall, ids, ips, proxy, poller, sensor, APM server.

type: keyword

example: firewall

observer.vendor

observer vendor information.

type: keyword

observer.version

Observer version.

type: keyword

organization

edit

The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations.

organization.id

Unique identifier for the organization.

type: keyword

organization.name

Organization name.

type: keyword

The OS fields contain information about the operating system.

os.family

OS family (such as redhat, debian, freebsd, windows).

type: keyword

example: debian

os.full

Operating system name, including the version or code name.

type: keyword

example: Mac OS Mojave

os.kernel

Operating system kernel version as a raw string.

type: keyword

example: 4.4.0-112-generic

os.name

Operating system name, without the version.

type: keyword

example: Mac OS X

os.platform

Operating system platform (such centos, ubuntu, windows).

type: keyword

example: darwin

os.version

Operating system version as a raw string.

type: keyword

example: 10.14.1

process

edit

These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The process.pid often stays in the metric itself and is copied to the global field for correlation.

process.args

Array of process arguments. May be filtered to protect sensitive information.

type: keyword

example: [ssh, -l, user, 10.0.0.16]

process.executable

Absolute path to the process executable.

type: keyword

example: /usr/bin/ssh

process.name

Process name. Sometimes called program name or similar.

type: keyword

example: ssh

process.pid

Process id.

type: long

process.ppid

Process parent id.

type: long

process.start

The time the process started.

type: date

example: 2016-05-23T08:05:34.853Z

process.thread.id

Thread ID.

type: long

example: 4242

process.title

Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened.

type: keyword

process.working_directory

The working directory of the process.

type: keyword

example: /home/alice

related

edit

This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in related.. A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to related.ip, you can then search for a given IP trivially, no matter where it appeared, by querying related.ip:a.b.c.d.

related.ip

All of the IPs seen on your event.

type: ip

server

edit

A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.

server.address

Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain, depending on which one it is.

type: keyword

server.bytes

Bytes sent from the server to the client.

type: long

example: 184

format: bytes

server.domain

Server domain.

type: keyword

server.geo.city_name

City name.

type: keyword

example: Montreal

server.geo.continent_name

Name of the continent.

type: keyword

example: North America

server.geo.country_iso_code

Country ISO code.

type: keyword

example: CA

server.geo.country_name

Country name.

type: keyword

example: Canada

server.geo.location

Longitude and latitude.

type: geo_point

example: { "lon": -73.614830, "lat": 45.505918 }

server.geo.name

User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.

type: keyword

example: boston-dc

server.geo.region_iso_code

Region ISO code.

type: keyword

example: CA-QC

server.geo.region_name

Region name.

type: keyword

example: Quebec

server.ip

IP address of the server. Can be one or multiple IPv4 or IPv6 addresses.

type: ip

server.mac

MAC address of the server.

type: keyword

server.packets

Packets sent from the server to the client.

type: long

example: 12

server.port

Port of the server.

type: long

server.user.email

User email address.

type: keyword

server.user.full_name

User’s full name, if available.

type: keyword

example: Albert Einstein

server.user.group.id

Unique identifier for the group on the system/platform.

type: keyword

server.user.group.name

Name of the group.

type: keyword

server.user.hash

Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used.

type: keyword

server.user.id

One or multiple unique identifiers of the user.

type: keyword

server.user.name

Short name or login of the user.

type: keyword

example: albert

service

edit

The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version.

service.ephemeral_id

Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but service.id does not.

type: keyword

example: 8a4f500f

service.id

Unique identifier of the running service. This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance.

type: keyword

example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6

service.name

Name of the service data is collected from. The name of the service is normally user given. This allows if two instances of the same service are running on the same machine they can be differentiated by the service.name. Also it allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the service.type field if no name is specified.

type: keyword

example: elasticsearch-metrics

service.state

Current state of the service.

type: keyword

service.type

The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, service.type would be elasticsearch.

type: keyword

example: elasticsearch

service.version

Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service.

type: keyword

example: 3.2.4

source

edit

Source fields describe details about the source of a packet/event. Source fields are usually populated in conjunction with destination fields.

source.address

Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field. Then it should be duplicated to .ip or .domain, depending on which one it is.

type: keyword

source.bytes

Bytes sent from the source to the destination.

type: long

example: 184

format: bytes

source.domain

Source domain.

type: keyword

source.geo.city_name

City name.

type: keyword

example: Montreal

source.geo.continent_name

Name of the continent.

type: keyword

example: North America

source.geo.country_iso_code

Country ISO code.

type: keyword

example: CA

source.geo.country_name

Country name.

type: keyword

example: Canada

source.geo.location

Longitude and latitude.

type: geo_point

example: { "lon": -73.614830, "lat": 45.505918 }

source.geo.name

User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation.

type: keyword

example: boston-dc

source.geo.region_iso_code

Region ISO code.

type: keyword

example: CA-QC

source.geo.region_name

Region name.

type: keyword

example: Quebec

source.ip

IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.

type: ip

source.mac

MAC address of the source.

type: keyword

source.packets

Packets sent from the source to the destination.

type: long

example: 12

source.port

Port of the source.

type: long

source.user.email

User email address.

type: keyword

source.user.full_name

User’s full name, if available.

type: keyword

example: Albert Einstein

source.user.group.id

Unique identifier for the group on the system/platform.

type: keyword

source.user.group.name

Name of the group.

type: keyword

source.user.hash

Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used.

type: keyword

source.user.id

One or multiple unique identifiers of the user.

type: keyword

source.user.name

Short name or login of the user.

type: keyword

example: albert

url

edit

URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on.

url.domain

Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the domain field.

type: keyword

example: www.elastic.co

url.fragment

Portion of the url after the #, such as "top". The # is not part of the fragment.

type: keyword

url.full

If full URLs are important to your use case, they should be stored in url.full, whether this field is reconstructed or present in the event source.

type: keyword

example: https://www.elastic.co:443/search?q=elasticsearch#top

url.original

Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not.

type: keyword

example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch

url.password

Password of the request.

type: keyword

url.path

Path of the request, such as "/search".

type: keyword

url.port

Port of the request, such as 443.

type: long

example: 443

url.query

The query field describes the query string of the request, such as "q=elasticsearch". The ? is excluded from the query string. If a URL contains no ?, there is no query field. If there is a ? but no query, the query field exists with an empty string. The exists query can be used to differentiate between the two cases.

type: keyword

url.scheme

Scheme of the request, such as "https". Note: The : is not part of the scheme.

type: keyword

example: https

url.username

Username of the request.

type: keyword

user

edit

The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.

user.email

User email address.

type: keyword

user.full_name

User’s full name, if available.

type: keyword

example: Albert Einstein

user.group.id

Unique identifier for the group on the system/platform.

type: keyword

user.group.name

Name of the group.

type: keyword

user.hash

Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used.

type: keyword

user.id

One or multiple unique identifiers of the user.

type: keyword

user.name

Short name or login of the user.

type: keyword

example: albert

user_agent

edit

The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.

user_agent.device.name

Name of the device.

type: keyword

example: iPhone

user_agent.name

Name of the user agent.

type: keyword

example: Safari

user_agent.original

Unparsed version of the user_agent.

type: keyword

example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1

user_agent.os.family

OS family (such as redhat, debian, freebsd, windows).

type: keyword

example: debian

user_agent.os.full

Operating system name, including the version or code name.

type: keyword

example: Mac OS Mojave

user_agent.os.kernel

Operating system kernel version as a raw string.

type: keyword

example: 4.4.0-112-generic

user_agent.os.name

Operating system name, without the version.

type: keyword

example: Mac OS X

user_agent.os.platform

Operating system platform (such centos, ubuntu, windows).

type: keyword

example: darwin

user_agent.os.version

Operating system version as a raw string.

type: keyword

example: 10.14.1

user_agent.version

Version of the user agent.

type: keyword

example: 12.0