File Fields

A file is defined as a set of information that has been created on, or has existed on a filesystem.

File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.

File Field Details

Each entry gives the field name, its description, its type (with an example value where the schema provides one), and its ECS level.

file.ctime
  Last time file metadata changed.
  type: date
  level: extended

file.device
  Device that is the source of the file.
  type: keyword
  level: extended

file.extension
  File extension. This should allow easy filtering by file extensions.
  type: keyword
  example: png
  level: extended

file.gid
  Primary group ID (GID) of the file.
  type: keyword
  level: extended

file.group
  Primary group name of the file.
  type: keyword
  level: extended

file.inode
  Inode representing the file in the filesystem.
  type: keyword
  level: extended

file.mode
  Mode of the file in octal representation.
  type: keyword
  example: 416
  level: extended

file.mtime
  Last time file content was modified.
  type: date
  level: extended

file.owner
  File owner's username.
  type: keyword
  level: extended

file.path
  Path to the file.
  type: keyword
  level: extended

file.size
  File size in bytes (field is only added when type is file).
  type: long
  level: extended

file.target_path
  Target path for symlinks.
  type: keyword
  level: extended

file.type
  File type (file, dir, or symlink).
  type: keyword
  level: extended

file.uid
  The user ID (UID) or security identifier (SID) of the file owner.
  type: keyword
  level: extended
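As an added example (not part of the ECS documentation or any Elastic product), the following shows how a FIM-style collector on a Unix host could populate these file.* fields from lstat(), honouring the caveats above: keyword fields are emitted as strings, file.mode is an octal string, file.size is only set when file.type is "file", and file.target_path is only set for symlinks. The function names and the constructed sample tree in demo() are assumptions for illustration.

```python
import grp, os, pwd, stat, tempfile
from datetime import datetime, timezone

def ecs_file_fields(path: str) -> dict:
    """Populate ECS file.* fields for one path from lstat() (symlinks are not followed)."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        ftype = "symlink"
    elif stat.S_ISDIR(st.st_mode):
        ftype = "dir"
    else:
        ftype = "file"
    # keyword fields are strings; date fields are ISO 8601 timestamps in UTC
    to_date = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
    doc = {
        "file.path": path,
        "file.type": ftype,
        "file.inode": str(st.st_ino),
        "file.device": str(st.st_dev),
        "file.mode": format(stat.S_IMODE(st.st_mode), "04o"),  # octal, e.g. "0640"
        "file.uid": str(st.st_uid),
        "file.gid": str(st.st_gid),
        "file.ctime": to_date(st.st_ctime),
        "file.mtime": to_date(st.st_mtime),
    }
    try:  # owner/group names may not resolve (deleted accounts, minimal containers)
        doc["file.owner"] = pwd.getpwuid(st.st_uid).pw_name
        doc["file.group"] = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        pass
    ext = os.path.splitext(path)[1].lstrip(".")
    if ext:
        doc["file.extension"] = ext          # "png", without the dot
    if ftype == "file":
        doc["file.size"] = st.st_size        # only added when type is file
    if ftype == "symlink":
        doc["file.target_path"] = os.readlink(path)
    return doc

def demo() -> dict:
    """Constructed sample tree (assumption): a 0640 file, a symlink to it, and a directory."""
    with tempfile.TemporaryDirectory() as base:
        f = os.path.join(base, "sample.png")
        with open(f, "wb") as fh:
            fh.write(b"\x89PNG")
        os.chmod(f, 0o640)
        os.symlink("sample.png", os.path.join(base, "link"))
        os.mkdir(os.path.join(base, "sub"))
        return {n: ecs_file_fields(os.path.join(base, n)) for n in ("sample.png", "link", "sub")}
```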