Observer Fields

An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics.

This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. The observer is distinct from the endpoints it reports on: for a firewall log, the firewall itself belongs in observer.*, while the two sides of the observed connection belong in source.* and destination.*. Message queues and ETL components used in processing events or metrics are not considered observers in ECS, so a pipeline stage that only transports or enriches an event must not overwrite observer.* with its own identity.
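The following is an added example, not code from the ECS project: it takes a constructed key=value firewall log line, maps the device's own details into the observer.* fields listed on this page (checking the ip type with the standard library and normalising the MAC to uppercase hyphen-separated hex, a canonical form assumed here), keeps the observed endpoints in source.*/destination.*, and rejects anything under observer.* that is neither a listed field nor part of the geo/os field sets this page allows to be nested there. The log format, the key names and the KV_TO_ECS mapping are assumptions for the example.

```python
import ipaddress
import re

# observer.* fields as listed on this page: name -> (ECS type, level).
OBSERVER_FIELDS = {
    "observer.hostname": ("keyword", "core"),
    "observer.ip": ("ip", "core"),
    "observer.mac": ("keyword", "core"),
    "observer.serial_number": ("keyword", "extended"),
    "observer.type": ("keyword", "core"),
    "observer.vendor": ("keyword", "core"),
    "observer.version": ("keyword", "core"),
}

# Field sets this page says may be nested under observer.
NESTED_PREFIXES = ("observer.geo.", "observer.os.")

# Constructed sample log line (not from any real product).
SAMPLE_LOG = (
    "devname=fw-edge-01 devip=203.0.113.10 devmac=00:1b:21:aa:bb:cc "
    "serial=FW1234 vendor=ExampleCorp fwver=7.2.1 "
    "src=10.0.0.5 dst=198.51.100.7 action=deny"
)

# Assumed mapping from the sample's keys to ECS observer fields.
KV_TO_ECS = {
    "devname": "observer.hostname",
    "devip": "observer.ip",
    "devmac": "observer.mac",
    "serial": "observer.serial_number",
    "vendor": "observer.vendor",
    "fwver": "observer.version",
}


def normalize_mac(raw: str) -> str:
    """Canonicalise a MAC to uppercase, hyphen-separated hex (assumed convention)."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def validate_observer(flat: dict) -> dict:
    """Type-check observer.* entries of a flat dict of dotted ECS field names.

    Non-observer fields pass through untouched; unknown observer.* names raise.
    """
    out = {}
    for name, value in flat.items():
        if name in OBSERVER_FIELDS:
            ftype, _level = OBSERVER_FIELDS[name]
            if ftype == "ip":
                value = str(ipaddress.ip_address(value))  # ValueError if not an IP
            elif name == "observer.mac":
                value = normalize_mac(value)
            elif not isinstance(value, str):
                raise TypeError(f"{name} is a keyword field, got {type(value).__name__}")
        elif name.startswith(NESTED_PREFIXES):
            pass  # geo.* / os.* types are defined by their own field sets
        elif name.startswith("observer."):
            raise KeyError(f"{name} is not an observer field")
        out[name] = value
    return out


def is_valid_observer(flat: dict) -> bool:
    """Convenience predicate around validate_observer."""
    try:
        validate_observer(flat)
        return True
    except (ValueError, TypeError, KeyError):
        return False


def nest(flat: dict) -> dict:
    """Expand dotted field names into the nested JSON shape of an ECS document."""
    doc = {}
    for name, value in flat.items():
        node = doc
        *parents, leaf = name.split(".")
        for parent in parents:
            node = node.setdefault(parent, {})
        node[leaf] = value
    return doc


def parse_kv(line: str) -> dict:
    """Parse 'key=value' tokens separated by whitespace."""
    return dict(m.groups() for m in re.finditer(r"(\w+)=(\S+)", line))


def to_ecs(line: str) -> dict:
    """Turn the sample firewall line into an ECS document with observer.* populated."""
    kv = parse_kv(line)
    flat = {KV_TO_ECS[k]: v for k, v in kv.items() if k in KV_TO_ECS}
    flat["observer.type"] = "firewall"
    # The endpoints of the observed traffic are not the observer.
    flat["source.ip"] = str(ipaddress.ip_address(kv["src"]))
    flat["destination.ip"] = str(ipaddress.ip_address(kv["dst"]))
    flat["event.action"] = kv["action"]
    return nest(validate_observer(flat))


if __name__ == "__main__":
    import json
    print(json.dumps(to_ecs(SAMPLE_LOG), indent=2))
```

Running the block prints the nested document; the firewall's identity ends up under `observer` and the two endpoints under `source` and `destination`. The same validator can be applied to an event that has passed through a queue or enrichment stage to confirm those components did not replace `observer.*` with their own hostname or IP.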

Observer Field Details

Each field below is listed with its description, its ECS data type, and its level (core or extended).

observer.hostname
    Hostname of the observer.
    Type: keyword. Level: core.

observer.ip
    IP address of the observer.
    Type: ip. Level: core.

observer.mac
    MAC address of the observer.
    Type: keyword. Level: core.

observer.serial_number
    Observer serial number.
    Type: keyword. Level: extended.

observer.type
    The type of the observer the data is coming from.
    There is no predefined list of observer types. Some examples are forwarder, firewall, ids, ips, proxy, poller, sensor, APM server.
    Type: keyword. Example: firewall. Level: core.

observer.vendor
    Observer vendor information.
    Type: keyword. Level: core.

observer.version
    Observer version.
    Type: keyword. Level: core.

Field Reuse

Field sets that can be nested under Observer

observer.geo.*
    Fields describing a location.

observer.os.*
    OS fields contain information about the operating system.