NOTE: You are looking at documentation for an older release. For the latest information, see the current release documentation.
Common fields

Contains common fields available in all event types.
event.module
  The name of the module that generated the event.

event.dataset
  The name of the module’s dataset that generated the event.

event.action
  type: keyword
  example: logged-in
  Action describes the change that triggered the event. For the file integrity module the possible values are: attributes_modified, created, deleted, updated, moved, and config_change.

event.id
  type: keyword
  example: 8a4f500d
  Unique ID to describe the event.

event.kind
  type: keyword
  example: state
  The kind of the event. This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are event, state, alarm. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field; please use with caution.

message
  type: text
  example: Hello World
  For log events the message field contains the log message. In other use cases the message field can be used to concatenate different values which are then freely searchable. If multiple messages exist, they can be combined into one message.
process fields

These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The process.pid often stays in the metric itself and is copied to the global field for correlation.

process.start
  type: date
  example: 2016-05-23T08:05:34.853Z
  The time the process started.

process.working_directory
  type: keyword
  example: /home/alice
  The working directory of the process.

process.executable
  type: keyword
  example: /usr/bin/ssh
  Absolute path to the process executable.

network.type
  type: keyword
  example: IPv4
  In the OSI Model this would be the Network Layer. IPv4, IPv6, IPSec, PIM, etc.
user fields

The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.

user.id
  type: keyword
  One or multiple unique identifiers of the user.

user.name
  type: keyword
  example: albert
  Short name or login of the user.
group fields

The group fields are meant to represent groups that are relevant to the event.

user.group.id
  type: keyword
  Unique identifier for the group on the system/platform.

user.group.name
  type: keyword
  Name of the group.
file fields

File attributes.

file.path
  type: text
  The path to the file.

file.path.raw
  type: keyword
  The path to the file. This is a non-analyzed field that is useful for aggregations.

file.target_path
  type: keyword
  The target path for symlinks.

file.type
  type: keyword
  The file type (file, dir, or symlink).

file.device
  type: keyword
  The device on which the file resides.

file.inode
  type: keyword
  The inode representing the file in the filesystem.

file.uid
  type: keyword
  The user ID (UID) or security identifier (SID) of the file owner.

file.owner
  type: keyword
  The file owner’s username.

file.gid
  type: keyword
  The primary group ID (GID) of the file.

file.group
  type: keyword
  The primary group name of the file.

file.mode
  type: keyword
  example: 416
  The mode of the file in octal representation.

file.setuid
  type: boolean
  example: True
  Set if the file has the setuid bit set. Omitted otherwise.

file.setgid
  type: boolean
  example: True
  Set if the file has the setgid bit set. Omitted otherwise.

file.size
  type: long
  The file size in bytes (field is only added when type is file).

file.mtime
  type: date
  The last modified time of the file (time when content was modified).

file.ctime
  type: date
  The last change time of the file (time when metadata was changed).

file.origin
  type: text
  An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.

file.origin.raw
  type: keyword
  This is a non-analyzed field that is useful for aggregations on the origin data.
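The file fields above are what a file-integrity triage rule consumes. The following added example (not Auditbeat's own code) walks constructed events laid out with the documented field names, reads file.mode as the documented octal string, treats the omitted-when-false file.setuid/file.setgid flags correctly, and reports regular files that were created or changed with setuid, setgid or world-writable permissions. The module name file_integrity, the sample paths and the choice of conditions are assumptions.

```python
# Added example, not Auditbeat code: events are constructed nested documents
# using the documented field names; which conditions count as findings is assumed.

# event.action values documented for the file integrity module that indicate new
# or changed content/metadata (deleted and config_change are not reviewed here).
CHANGE_ACTIONS = {"created", "updated", "attributes_modified", "moved"}
SETUID_BIT, SETGID_BIT, WORLD_WRITABLE = 0o4000, 0o2000, 0o002

def field(doc, dotted, default=None):
    """Resolve a dotted name such as 'file.mode' in a nested event document."""
    for key in dotted.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return default
        doc = doc[key]
    return doc

def review(doc):
    """Return findings (list of str) for one event; empty if nothing notable."""
    if field(doc, "event.module") != "file_integrity":  # assumed module name
        return []
    if field(doc, "event.action") not in CHANGE_ACTIONS:
        return []
    if field(doc, "file.type") != "file":  # mode checks only for regular files
        return []
    path = field(doc, "file.path")
    mode = int(str(field(doc, "file.mode", "0")), 8)  # documented as octal
    findings = []
    # setuid/setgid are omitted when false: default to False and also test the bits.
    if field(doc, "file.setuid", False) or mode & SETUID_BIT:
        findings.append(f"setuid file {path} (owner uid {field(doc, 'file.uid')})")
    if field(doc, "file.setgid", False) or mode & SETGID_BIT:
        findings.append(f"setgid file {path} (owner gid {field(doc, 'file.gid')})")
    if mode & WORLD_WRITABLE:
        findings.append(f"world-writable file {path}")
    return findings

def review_all(docs):
    """Flatten findings across a batch of events."""
    return [f for doc in docs for f in review(doc)]

# Constructed sample events in the documented field layout (not real output).
SAMPLE_EVENTS = [
    {"event": {"module": "file_integrity", "action": "created"},
     "file": {"path": "/usr/local/bin/helper", "type": "file",
              "mode": "4755", "setuid": True, "uid": "0"}},
    {"event": {"module": "file_integrity", "action": "updated"},
     "file": {"path": "/srv/app/config.ini", "type": "file", "mode": "666"}},
    {"event": {"module": "file_integrity", "action": "created"},
     "file": {"path": "/opt/data", "type": "dir", "mode": "777"}},
]

if __name__ == "__main__":
    print("\n".join(review_all(SAMPLE_EVENTS)))
```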
selinux fields

The SELinux identity of the file.

file.selinux.user
  type: keyword
  The owner of the object.

file.selinux.role
  type: keyword
  The object’s SELinux role.

file.selinux.domain
  type: keyword
  The object’s SELinux domain or type.

file.selinux.level
  type: keyword
  example: s0
  The object’s SELinux level.
user fields

User information.

effective fields

Effective user information.

user.effective.id
  type: keyword
  Effective user ID.

group fields

Effective group information.

user.effective.group.id
  type: keyword
  Effective group ID.

saved fields

Saved user information.

user.saved.id
  type: keyword
  Saved user ID.

group fields

Saved group information.

user.saved.group.id
  type: keyword
  Saved group ID.