NOTE: You are looking at documentation for an older release. For the latest information, see the current release documentation.
System fields
These are the fields generated by the system module.
- event.origin (type: keyword): Origin of the event. This can be a file path (e.g. /var/log/log.1), or the name of the system component that supplied the data (e.g. netlink).
- event.outcome (type: keyword, example: success): The outcome of the event. If the event describes an action, this field contains the outcome of that action. Example outcomes are success and failure. Warning: in future versions of ECS, we plan to provide a list of acceptable values for this field, so use it with caution.
- user.entity_id (type: keyword): ID uniquely identifying the user on a host. It is computed as a SHA-256 hash of the host ID, user ID, and user name.
- user.terminal (type: keyword): Terminal of the user.
- process.entity_id (type: keyword): ID uniquely identifying the process. It is computed as a SHA-256 hash of the host ID, PID, and process start time. Because the start time is part of the hash, a PID that the kernel reuses after a process exits (or after a reboot) gets a different ID, so correlate process events on this field rather than on process.pid.
- socket.entity_id (type: keyword): ID uniquely identifying the socket. It is computed as a SHA-256 hash of the host ID, socket inode, local IP, local port, remote IP, and remote port.
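The entity IDs above (and system.audit.package.entity_id further down, which follows the same host ID + key fields scheme) exist so that events can be joined on something more stable than a PID, UID or package name. The following is an added illustration, not Auditbeat's own code: it hashes the documented key fields with SHA-256 and shows why the start time matters when a PID is reused. The host ID, the field serialization (UTF-8 with a NUL separator), the 12-byte truncation and the base64url output are assumptions for the example; Auditbeat's real encoding differs, so these IDs will not match real documents byte for byte.

```python
import base64
import hashlib

# Constructed host ID for the examples. On a real host the value comes from the
# machine ID (e.g. /etc/machine-id on Linux) and is exported as
# system.audit.host.id.
HOST_ID = "f2d0a7c0-3b1e-4c6a-9d2f-0123456789ab"


def entity_id(*parts: object) -> str:
    """SHA-256 over the key fields, truncated and base64url-encoded.

    Assumption: the serialization (UTF-8 text, NUL separator) and the output
    encoding are illustrative and are not Auditbeat's; the properties are the
    same, the bytes are not.
    """
    h = hashlib.sha256()
    for part in parts:
        h.update(str(part).encode("utf-8"))
        h.update(b"\x00")  # separator, so ("ab", "c") and ("a", "bc") differ
    return base64.urlsafe_b64encode(h.digest()[:12]).decode("ascii")


def process_entity_id(host_id: str, pid: int, start_time_ns: int) -> str:
    return entity_id(host_id, pid, start_time_ns)


def user_entity_id(host_id: str, uid: str, name: str) -> str:
    return entity_id(host_id, uid, name)


def socket_entity_id(host_id, inode, local_ip, local_port, remote_ip, remote_port) -> str:
    return entity_id(host_id, inode, local_ip, local_port, remote_ip, remote_port)


def package_entity_id(host_id: str, name: str, version: str) -> str:
    return entity_id(host_id, name, version)


def sample_events() -> list:
    """Constructed events in the shape of the process dataset: PID 4242 starts,
    stops, then the kernel hands the same PID to an unrelated process."""
    t0, t1 = 1_700_000_000_000_000_000, 1_700_003_600_000_000_000
    return [
        {"event": {"action": "process_started"},
         "process": {"pid": 4242, "entity_id": process_entity_id(HOST_ID, 4242, t0)}},
        {"event": {"action": "process_stopped"},
         "process": {"pid": 4242, "entity_id": process_entity_id(HOST_ID, 4242, t0)}},
        {"event": {"action": "process_started"},
         "process": {"pid": 4242, "entity_id": process_entity_id(HOST_ID, 4242, t1)}},
    ]


def correlate_by_entity(events: list) -> dict:
    """Group actions by process.entity_id: the two incarnations of PID 4242
    land in separate buckets, which grouping by process.pid would merge."""
    timeline: dict = {}
    for ev in events:
        timeline.setdefault(ev["process"]["entity_id"], []).append(ev["event"]["action"])
    return timeline


def uid_reuse_is_distinguished() -> bool:
    """UID 1000 deleted and re-created under a different name gets a new ID,
    because the user name is part of the hash."""
    return user_entity_id(HOST_ID, "1000", "alice") != user_entity_id(HOST_ID, "1000", "mallory")


if __name__ == "__main__":
    for eid, actions in correlate_by_entity(sample_events()).items():
        print(eid, actions)
```

Grouping the constructed events by process.entity_id yields two buckets (start/stop of the first process, start of the second), whereas grouping by process.pid would collapse both into one and attribute the second process's activity to the first.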
system.audit fields
host fields
host contains general host information.
- system.audit.host.uptime (type: long, format: duration): Uptime in nanoseconds.
- system.audit.host.boottime (type: date): Boot time.
- system.audit.host.containerized (type: boolean): Set if host is a container.
- system.audit.host.timezone.name (type: keyword): Name of the timezone of the host, e.g. BST.
- system.audit.host.timezone.offset.sec (type: long): Timezone offset in seconds.
- system.audit.host.hostname (type: keyword): Hostname.
- system.audit.host.id (type: keyword): Host ID.
- system.audit.host.architecture (type: keyword): Host architecture (e.g. x86_64).
- system.audit.host.mac (type: keyword): MAC addresses.
- system.audit.host.ip (type: ip): IP addresses.
os fields
os contains information about the operating system.
- system.audit.host.os.platform (type: keyword): OS platform (e.g. centos, ubuntu, windows).
- system.audit.host.os.name (type: keyword): OS name (e.g. Mac OS X).
- system.audit.host.os.family (type: keyword): OS family (e.g. redhat, debian, freebsd, windows).
- system.audit.host.os.version (type: keyword): OS version.
- system.audit.host.os.kernel (type: keyword): The operating system's kernel version.
package fields
package contains information about an installed or removed package.
- system.audit.package.entity_id (type: keyword): ID uniquely identifying the package. It is computed as a SHA-256 hash of the host ID, package name, and package version.
- system.audit.package.name (type: keyword): Package name.
- system.audit.package.version (type: keyword): Package version.
- system.audit.package.release (type: keyword): Package release.
- system.audit.package.arch (type: keyword): Package architecture.
- system.audit.package.license (type: keyword): Package license.
- system.audit.package.installtime (type: date): Package install time.
- system.audit.package.size (type: long): Package size.
- system.audit.package.summary: Package summary.
- system.audit.package.url (type: keyword): Package URL.
user fields
user contains information about the users on a system.
- system.audit.user.name (type: keyword): User name.
- system.audit.user.uid (type: keyword): User ID.
- system.audit.user.gid (type: keyword): Group ID.
- system.audit.user.dir (type: keyword): User's home directory.
- system.audit.user.shell (type: keyword): Program to run at login.
- system.audit.user.user_information (type: text): General user information. On Linux, this is the gecos field.
- system.audit.user.group (type: object): group contains information about any groups the user is part of (beyond the user's primary group).
password fields
password contains information about a user's password (not the password itself).
- system.audit.user.password.type (type: keyword): A user's password type. Possible values are shadow_password (the password hash is in the shadow file), password_disabled, no_password (this is dangerous as anyone can log in), and crypt_password (when the password field in /etc/passwd seems to contain an encrypted password). A crypt_password account deserves attention as well: /etc/passwd is world-readable, so any local user can copy that hash for offline cracking.
- system.audit.user.password.last_changed (type: date): The day the user's password was last changed.
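To show how the user and password fields above are derived from the Linux account files, here is an added example (not Auditbeat's own code) that builds one system.audit.user record per /etc/passwd line, attaches secondary groups from /etc/group, classifies the password type into the four documented values, and converts the shadow file's "days since 1970-01-01" last-change field into a date. The sample files are constructed, the hash strings are placeholders, and the classification rules (an "x" in passwd defers to shadow; an empty hash means no password; a hash beginning with "!" or "*" means the password is disabled) are this example's assumptions, approximating rather than reproducing Auditbeat's classifier.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed sample files (not taken from a real host). Hash strings are
# placeholders, not real crypt(3) output.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Example,,,:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/sh
svc:x:1004:1004:Service:/var/lib/svc:/usr/sbin/nologin
legacy:$6$saltsalt$fakehash:1002:1002:Legacy Box:/home/legacy:/bin/sh
kiosk::1003:1003:Kiosk:/home/kiosk:/bin/sh
"""

SHADOW = """\
root:$6$saltsalt$fakehash:19700:0:99999:7:::
alice:$y$j9T$saltsalt$fakehash:19650:0:99999:7:::
bob:!$6$saltsalt$fakehash:19600:0:99999:7:::
svc:*:19000:0:99999:7:::
"""

GROUP = """\
alice:x:1000:
sudo:x:27:alice
docker:x:999:alice,bob
"""

EPOCH = date(1970, 1, 1)  # /etc/shadow counts days from here


def password_type(passwd_field: str, shadow_hash: Optional[str]) -> str:
    """Map the passwd/shadow password fields to the documented type values.

    Assumption (this example's rules, not Auditbeat's exact ones): "x" in
    /etc/passwd defers to /etc/shadow; a missing shadow entry cannot be used
    to log in and is treated as disabled; an empty hash is no password at
    all; a hash starting with "!" or "*" is a locked/disabled password.
    """
    if passwd_field == "x":
        if shadow_hash is None:
            return "password_disabled"
        if shadow_hash == "":
            return "no_password"
        if shadow_hash[0] in "!*":
            return "password_disabled"
        return "shadow_password"
    if passwd_field == "":
        return "no_password"
    if passwd_field[0] in "!*":
        return "password_disabled"
    return "crypt_password"  # a hash sitting in world-readable /etc/passwd


def parse_shadow(text: str) -> Dict[str, dict]:
    """name -> {hash, last_changed}; field 3 is days since the epoch."""
    out: Dict[str, dict] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        days = int(f[2]) if f[2] else None
        out[f[0]] = {
            "hash": f[1],
            "last_changed": EPOCH + timedelta(days=days) if days is not None else None,
        }
    return out


def parse_groups(text: str) -> Dict[str, List[dict]]:
    """user name -> groups listing that user as a member, from /etc/group."""
    members: Dict[str, List[dict]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, gid, users = line.split(":")[:4]
        for u in filter(None, users.split(",")):
            members.setdefault(u, []).append({"name": name, "gid": gid})
    return members


def collect_users(passwd: str = PASSWD, shadow: str = SHADOW, group: str = GROUP) -> List[dict]:
    """One system.audit.user-shaped record per /etc/passwd entry."""
    shadow_map = parse_shadow(shadow)
    groups = parse_groups(group)
    users = []
    for line in passwd.splitlines():
        if not line.strip():
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":")
        sh = shadow_map.get(name)
        users.append({
            "name": name, "uid": uid, "gid": gid, "dir": home, "shell": shell,
            "user_information": gecos,
            # secondary groups only: drop the primary group (same gid)
            "group": [g for g in groups.get(name, []) if g["gid"] != gid],
            "password": {
                "type": password_type(pw, sh["hash"] if sh else None),
                "last_changed": sh["last_changed"] if sh else None,
            },
        })
    return users


def risky_accounts(users: List[dict]) -> List[str]:
    """Accounts anyone can log into, plus accounts exposing a hash in passwd."""
    return [u["name"] for u in users
            if u["password"]["type"] in ("no_password", "crypt_password")]


if __name__ == "__main__":
    for u in collect_users():
        print(u["name"], u["password"]["type"], u["password"]["last_changed"])
    print("review:", risky_accounts(collect_users()))
```

On the constructed input the check flags kiosk (empty password field, so anyone can log in) and legacy (a hash left in world-readable /etc/passwd); bob and svc come out as password_disabled, which still says nothing about SSH keys or sudo rules, so treat the type as a statement about password login only.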