System fields
editSystem fields
editThese are the fields generated by the system module.
-
event.origin
-
type: keyword
Origin of the event. This can be a file path (e.g.
/var/log/log.1
), or the name of the system component that supplied the data (e.g.netlink
). -
event.outcome
-
type: keyword
example: success
The outcome of the event. If the event describes an action, this fields contains the outcome of that action. Examples outcomes are
success
andfailure
. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. -
user.entity_id
-
type: keyword
ID uniquely identifying the user on a host. It is computed as a SHA-256 hash of the host ID, user ID, and user name.
-
user.terminal
-
type: keyword
Terminal of the user.
-
process.entity_id
-
type: keyword
ID uniquely identifying the process. It is computed as a SHA-256 hash of the host ID, PID, and process start time.
-
socket.entity_id
-
type: keyword
ID uniquely identifying the socket. It is computed as a SHA-256 hash of the host ID, socket inode, local IP, local port, remote IP, and remote port.
system.audit fields
edithost fields
edithost
contains general host information.
-
system.audit.host.uptime
-
type: long
format: duration
Uptime in nanoseconds.
-
system.audit.host.boottime
-
type: date
Boot time.
-
system.audit.host.containerized
-
type: boolean
Set if host is a container.
-
system.audit.host.timezone.name
-
type: keyword
Name of the timezone of the host, e.g. BST.
-
system.audit.host.timezone.offset.sec
-
type: long
Timezone offset in seconds.
-
system.audit.host.hostname
-
type: keyword
Hostname.
-
system.audit.host.id
-
type: keyword
Host ID.
-
system.audit.host.architecture
-
type: keyword
Host architecture (e.g. x86_64).
-
system.audit.host.mac
-
type: keyword
MAC addresses.
-
system.audit.host.ip
-
type: ip
IP addresses.
os fields
editos
contains information about the operating system.
-
system.audit.host.os.platform
-
type: keyword
OS platform (e.g. centos, ubuntu, windows).
-
system.audit.host.os.name
-
type: keyword
OS name (e.g. Mac OS X).
-
system.audit.host.os.family
-
type: keyword
OS family (e.g. redhat, debian, freebsd, windows).
-
system.audit.host.os.version
-
type: keyword
OS version.
-
system.audit.host.os.kernel
-
type: keyword
The operating system’s kernel version.
package fields
editpackage
contains information about an installed or removed package.
-
system.audit.package.entity_id
-
type: keyword
ID uniquely identifying the package. It is computed as a SHA-256 hash of the host ID, package name, and package version.
-
system.audit.package.name
-
type: keyword
Package name.
-
system.audit.package.version
-
type: keyword
Package version.
-
system.audit.package.release
-
type: keyword
Package release.
-
system.audit.package.arch
-
type: keyword
Package architecture.
-
system.audit.package.license
-
type: keyword
Package license.
-
system.audit.package.installtime
-
type: date
Package install time.
-
system.audit.package.size
-
type: long
Package size.
-
system.audit.package.summary
-
Package summary.
-
system.audit.package.url
-
type: keyword
Package URL.
user fields
edituser
contains information about the users on a system.
-
system.audit.user.name
-
type: keyword
User name.
-
system.audit.user.uid
-
type: keyword
User ID.
-
system.audit.user.gid
-
type: keyword
Group ID.
-
system.audit.user.dir
-
type: keyword
User’s home directory.
-
system.audit.user.shell
-
type: keyword
Program to run at login.
-
system.audit.user.user_information
-
type: text
General user information. On Linux, this is the gecos field.
-
system.audit.user.group
-
type: object
group
contains information about any groups the user is part of (beyond the user’s primary group).
password fields
editpassword
contains information about a user’s password (not the password itself).
-
system.audit.user.password.type
-
type: keyword
A user’s password type. Possible values are
shadow_password
(the password hash is in the shadow file),password_disabled
,no_password
(this is dangerous as anyone can log in), andcrypt_password
(when the password field in /etc/passwd seems to contain an encrypted password). -
system.audit.user.password.last_changed
-
type: date
The day the user’s password was last changed.