Source Fields

source.address

Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the .address field.

Then it should be duplicated to .ip or .domain, depending on which one it is.

type: keyword

extended

source.bytes

Bytes sent from the source to the destination.

type: long

example: 184

core

source.domain

Source domain.

type: keyword

core

source.ip

IP address of the source.

Can be one or multiple IPv4 or IPv6 addresses.

type: ip

core

source.mac

MAC address of the source.

type: keyword

core

source.nat.ip

Translated ip of source based NAT sessions (e.g. internal client to internet)

Typically connections traversing load balancers, firewalls, or routers.

type: ip

extended

source.nat.port

Translated port of source based NAT sessions. (e.g. internal client to internet)

Typically used with load balancers, firewalls, or routers.

type: long

extended

source.packets

Packets sent from the source to the destination.

type: long

example: 12

core

source.port

Port of the source.

type: long

core

source.as.*

Fields describing an Autonomous System (Internet routing prefix).

source.geo.*

Fields describing a location.

source.user.*

Fields to describe the user relevant to the event.