IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› ›

Observer Fields

edit

Observer Fields

edit

An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics.

This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.

Observer Field Details

edit

Field	Description	Level
observer.hostname	Hostname of the observer. type: keyword	core
observer.ip	IP address of the observer. type: ip	core
observer.mac	MAC address of the observer type: keyword	core
observer.serial_number	Observer serial number. type: keyword	extended
observer.type	The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. type: keyword example: `firewall`	core
observer.vendor	observer vendor information. type: keyword	core
observer.version	Observer version. type: keyword	core

Field Reuse

edit

Field sets that can be nested under Observer

edit

Nested fields	Description
observer.geo.*	Fields describing a location.
observer.os.*	OS fields contain information about the operating system.

« Network Fields Organization Fields »