IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Service Fields URL Fields »
Elastic Docs Elastic Common Schema (ECS) Reference [1.0] ECS Field Reference

Source Fields

edit

Source Fields

edit

Source fields describe details about the source of a packet/event.

Source fields are usually populated in conjunction with destination fields.

Source Field Details

edit
Field Description Level

source.address

Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field.

Then it should be duplicated to .ip or .domain, depending on which one it is.

type: keyword

extended

source.bytes

Bytes sent from the source to the destination.

type: long

example: 184

core

source.domain

Source domain.

type: keyword

core

source.ip

IP address of the source.

Can be one or multiple IPv4 or IPv6 addresses.

type: ip

core

source.mac

MAC address of the source.

type: keyword

core

source.packets

Packets sent from the source to the destination.

type: long

example: 12

core

source.port

Port of the source.

type: long

core

Field Reuse

edit
Field sets that can be nested under Source
edit
Nested fields Description

source.geo.*

Fields describing a location.

source.user.*

Fields to describe the user relevant to the event.
« Service Fields URL Fields »