Operating System Fields
The OS fields contain information about the operating system.
Operating System Field Details
Field | Description | Level
---|---|---
os.family | OS family (such as redhat, debian, freebsd, windows). type: keyword | extended
os.full | Operating system name, including the version or code name. type: keyword. Multi-fields: os.full.text (type: match_only_text) | extended
os.kernel | Operating system kernel version as a raw string. type: keyword | extended
os.name | Operating system name, without the version. type: keyword. Multi-fields: os.name.text (type: match_only_text) | extended
os.platform | Operating system platform (such as centos, ubuntu, windows). type: keyword | extended
os.type | One of the following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS to propose its addition. type: keyword | extended
os.version | Operating system version as a raw string. type: keyword | extended
Field Reuse
The os fields are expected to be nested at:
- host.os
- observer.os
- user_agent.os
Note also that the os fields are not expected to be used directly at the root of the event.
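As an added example (not code from the ECS project), the following Python builds an `os` field set that honours the os.type constraint above (leave the field unset when the OS is not linux, macos, unix or windows), nests it under one of the three allowed parents, and flags events that place `os` at the root or carry a disallowed os.type. The family-to-type mapping and the sample events are constructed for this example.

```python
"""Build and check ECS-style `os` field sets (added example, not ECS code)."""

# Allowed os.type values per ECS; anything else leaves os.type unset.
OS_TYPE_VALUES = frozenset({"linux", "macos", "unix", "windows"})
# Parents under which the os field set may be nested.
OS_PARENTS = ("host", "observer", "user_agent")
# Constructed mapping from os.family to os.type; assumption for this example.
FAMILY_TO_TYPE = {
    "redhat": "linux", "debian": "linux", "windows": "windows",
    "darwin": "macos", "freebsd": "unix",
}


def build_os(family, name=None, version=None, kernel=None, platform=None):
    """Return an ECS `os` object; os.type is set only for a known value."""
    os_obj = {"family": family.lower()}
    if name:
        os_obj["name"] = name
        # os.full is the name including the version, when both are known.
        os_obj["full"] = f"{name} {version}" if version else name
    if version:
        os_obj["version"] = version
    if kernel:
        os_obj["kernel"] = kernel
    if platform:
        os_obj["platform"] = platform.lower()
    os_type = FAMILY_TO_TYPE.get(os_obj["family"])
    if os_type in OS_TYPE_VALUES:  # unknown family: do not populate os.type
        os_obj["type"] = os_type
    return os_obj


def nest_os(event, parent, os_obj):
    """Attach os_obj under host/observer/user_agent, never at the root."""
    if parent not in OS_PARENTS:
        raise ValueError(f"os fields may not be nested under {parent!r}")
    event.setdefault(parent, {})["os"] = os_obj
    return event


def validate_os_placement(event):
    """Return a list of problems found in an event's os fields (empty if OK)."""
    problems = []
    if "os" in event:
        problems.append("os fields must not appear at the event root")
    for parent in OS_PARENTS:
        os_obj = event.get(parent, {}).get("os")
        if os_obj is None:
            continue
        os_type = os_obj.get("type")
        if os_type is not None and os_type not in OS_TYPE_VALUES:
            problems.append(f"{parent}.os.type={os_type!r} is not an allowed value")
    return problems
```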