Elastic Common Schema (ECS) Reference
Log Fields

Details about the event's logging mechanism or logging transport.

The `log.*` fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under `log.syslog.*`.

The details specific to your event source are typically not logged under `log.*`, but rather in `event.*` or in other ECS fields.
Log Field Details

| Field | Description | Type | Level |
|---|---|---|---|
| | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | extended |
| | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in Some examples are | keyword | core |
| | The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. | keyword | core |
| | The line number of the file containing the source code which originated the log event. | long | extended |
| | The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is | keyword | extended |
| | The name of the function or method which originated the log event. | keyword | extended |
| | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. | object | extended |
| | The device or application that originated the Syslog message, if available. | keyword | extended |
| | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | extended |
| | The Syslog text-based facility of the log event, if available. | keyword | extended |
| | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword | extended |
| | An identifier for the type of Syslog message, if available. Only applicable for RFC 5424 messages. | keyword | extended |
| | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | extended |
| | The process name or ID that originated the Syslog message, if available. | keyword | extended |
| | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to | long | extended |
| | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to | keyword | extended |
| | Structured data expressed in RFC 5424 messages, if available. These are key-value pairs formed from the structured data portion of the syslog message, as defined in RFC 5424 Section 6.3. | flattened | extended |
| | The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. | keyword | extended |
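The priority arithmetic and the RFC 5424 structured-data rule described in the table, worked through as an added Python example that is not part of the ECS reference or its tooling: it splits PRI into facility and severity (rejecting anything outside 0..191, which also bounds facility to 0..23), treats `-` as "not available" so those fields stay unpopulated, and flattens `[SD-ID param="value"]` elements into key-value pairs. The dotted `log.syslog.*` keys are the ECS field names assumed from the ECS specification, the severity names come from RFC 5424, and the sample line is constructed.

```python
import re
from typing import Any, Dict

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]  # RFC 5424 codes 0..7
# HEADER = PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD (or "-") and MSG
_HEADER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,3}) \S+ (?P<host>\S+) "
                     r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$")
_SD_ELEMENT = re.compile(r'\[([^\s\]=]+)((?: [^\s=\]]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r'([^\s=]+)="((?:[^"\\]|\\.)*)"')

def split_priority(pri: int) -> Dict[str, Any]:
    """PRI = 8 * facility + severity, so the 0..191 bound keeps facility in 0..23."""
    if not 0 <= pri <= 191:
        raise ValueError(f"syslog priority out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {"log.syslog.priority": pri, "log.syslog.facility.code": facility,
            "log.syslog.severity.code": severity,
            "log.syslog.severity.name": SEVERITY_NAMES[severity]}

def parse_rfc5424(line: str) -> Dict[str, Any]:
    """Map one RFC 5424 line onto assumed log.syslog.* keys; the MSG is kept verbatim."""
    m = _HEADER.match(line)
    if not m:                       # RFC 3164 framing is not handled here
        raise ValueError("not an RFC 5424 syslog line")
    ecs = split_priority(int(m["pri"]))
    ecs["log.syslog.version"] = m["version"]
    for key, grp in (("hostname", "host"), ("appname", "app"),
                     ("procid", "procid"), ("msgid", "msgid")):
        if m[grp] != "-":           # "-" is NILVALUE: not available, leave unset
            ecs[f"log.syslog.{key}"] = m[grp]
    rest, end = m["rest"], 0
    if rest.startswith("["):        # SD-ELEMENTs must be contiguous, no spaces
        sd: Dict[str, Dict[str, str]] = {}
        for el in _SD_ELEMENT.finditer(rest):
            if el.start() != end:
                break
            sd[el.group(1)] = {k: re.sub(r'\\([\\"\]])', r'\1', v)   # unescape \" \\ \]
                               for k, v in _SD_PARAM.findall(el.group(2))}
            end = el.end()
        ecs["log.syslog.structured_data"] = sd
    elif rest.startswith("-"):      # NILVALUE: no structured data present
        end = 1
    ecs["message"] = rest[end:].lstrip()
    return ecs

SAMPLE = ('<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 '  # constructed
          '[exampleSDID@32473 iut="3" eventSource="Application" eventID="1011"] '
          'An application event log entry')
```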