Observer Fields
An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics.
This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.
Observer Field Details
Field | Description | Level |
---|---|---|
observer.hostname | Hostname of the observer. type: keyword | core |
observer.ip | IP address of the observer. type: ip | core |
observer.mac | MAC address of the observer. type: keyword | core |
observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful, for example, if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. type: keyword, example: | extended |
observer.product | The product name of the observer. type: keyword, example: | extended |
observer.serial_number | Observer serial number. type: keyword | extended |
observer.type | The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are type: keyword, example: | core |
observer.vendor | Vendor name of the observer. type: keyword, example: | core |
observer.version | Observer version. type: keyword | core |
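As an added example (not part of the ECS documentation), the following code maps a constructed firewall management record onto the observer.* fields from the table above and checks an event's observer object against the field list and types, so that a pipeline can catch a misspelled field, a non-IP value in observer.ip, or a non-string keyword before indexing. The record's key names (devname, mgmt_ip, model, friendly_name) are an assumption for this example, not any real vendor's export format.

```python
import ipaddress

# ECS observer.* fields as listed on this page: name -> (type, level).
OBSERVER_FIELDS = {
    "hostname": ("keyword", "core"), "ip": ("ip", "core"),
    "mac": ("keyword", "core"), "name": ("keyword", "extended"),
    "product": ("keyword", "extended"), "serial_number": ("keyword", "extended"),
    "type": ("keyword", "core"), "vendor": ("keyword", "core"),
    "version": ("keyword", "core"),
}

# Constructed sample firewall management record; the key names are an
# assumption for this example, not any real vendor's export format.
SAMPLE_RECORD = {"devname": "fw-edge-01", "mgmt_ip": "10.20.0.1",
                 "vendor": "ExampleVendor", "model": "ExampleFW-200",
                 "friendly_name": "dmz-firewall"}

def observer_from_firewall_record(record):
    """Map the record to observer.*: the firewall is the observer; the ETL
    pipeline doing this mapping is not, so nothing about it is recorded."""
    obs = {"hostname": record["devname"], "ip": record["mgmt_ip"],
           "vendor": record["vendor"], "product": record["model"],
           "type": "firewall", "name": record.get("friendly_name")}
    return {k: v for k, v in obs.items() if v is not None}  # name is optional

def validate_observer(event):
    """Return a list of problems with event['observer']; [] means conformant."""
    obs = event.get("observer")
    if not isinstance(obs, dict):
        return ["observer object missing"]
    problems = []
    for key, value in obs.items():
        if isinstance(value, dict):  # nested field sets (Field Reuse), not checked
            continue
        spec = OBSERVER_FIELDS.get(key)
        if spec is None:
            problems.append(f"observer.{key}: not an ECS observer field")
        elif spec[0] == "ip":
            try:
                ipaddress.ip_address(str(value))
            except ValueError:
                problems.append(f"observer.{key}: {value!r} is not a valid IP")
        elif not isinstance(value, str):
            problems.append(f"observer.{key}: keyword must be a string")
    return problems
```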
Field Reuse
Field sets that can be nested under Observer
Nested fields | Description |
---|---|
 | Fields describing a location. |
 | OS fields contain information about the operating system. |