Observer Fields
An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics.
This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.
Observer Field Details
Field | Description | Level |
---|---|---|
observer.hostname | Hostname of the observer. type: keyword | core |
observer.ip | IP address of the observer. type: ip | core |
observer.mac | MAC address of the observer. type: keyword | core |
observer.serial_number | Observer serial number. type: keyword | extended |
observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are type: keyword example: | core |
observer.vendor | Observer vendor information. type: keyword | core |
observer.version | Observer version. type: keyword | core |
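As an added example (not part of the ECS documentation), the following Python maps a constructed record from a hypothetical firewall onto the observer.* fields in the table above, enforcing the listed field types: observer.ip must parse as an address rather than a hostname, keyword fields are stored verbatim, and observer.mac is canonicalized to an uppercase, dash-separated form. The vendor keys, the mapping, the sample values and the MAC convention are assumptions.

```python
import ipaddress
import re

# ECS observer.* fields and their types, as listed on this page.
OBSERVER_FIELDS = {
    "observer.hostname": "keyword", "observer.ip": "ip",
    "observer.mac": "keyword", "observer.serial_number": "keyword",
    "observer.type": "keyword", "observer.vendor": "keyword",
    "observer.version": "keyword",
}

# Constructed sample: how a hypothetical firewall reports its own identity.
RAW_FIREWALL_EVENT = {
    "devname": "fw-edge-01", "devip": "10.0.0.254",
    "devmac": "00:1a:2b:3c:4d:5e", "serial": "FW-EXAMPLE-0001",
    "vendor": "ExampleVendor", "fwver": "7.2.4", "devtype": "firewall",
}

# Hypothetical vendor-key -> ECS-key mapping for that device.
FIREWALL_MAPPING = {
    "devname": "observer.hostname", "devip": "observer.ip",
    "devmac": "observer.mac", "serial": "observer.serial_number",
    "devtype": "observer.type", "vendor": "observer.vendor",
    "fwver": "observer.version",
}


def normalize_mac(raw):
    """Canonicalize a MAC to uppercase, dash-separated octets (assumed convention)."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {raw!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def to_ecs_observer(raw, mapping):
    """Map a vendor record onto observer.* keys, enforcing the ECS field types."""
    out = {}
    for vendor_key, ecs_key in mapping.items():
        if ecs_key not in OBSERVER_FIELDS:
            # Reject typos so a mapping error cannot create a non-ECS field.
            raise KeyError(f"{ecs_key} is not an observer.* field")
        if vendor_key not in raw:
            continue  # optional field absent from this record
        value = raw[vendor_key]
        if OBSERVER_FIELDS[ecs_key] == "ip":
            value = str(ipaddress.ip_address(value))  # ValueError if not an IP
        elif ecs_key == "observer.mac":
            value = normalize_mac(value)
        else:
            value = str(value)  # keyword: stored verbatim, not analyzed
        out[ecs_key] = value
    return out
```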
Field Reuse
Field sets that can be nested under Observer
Nested fields | Description |
---|---|
| Fields describing a location. |
| OS fields contain information about the operating system. |