Event Fields
editEvent Fields
editThe event fields are used for context information about the log or metric event itself.
A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host and device temperature. See the event.kind
definition in this section for additional details about metric and state events.
Event Field Details
editField | Description | Level |
---|---|---|
The action captured by the event. This describes the information in the event. It is more specific than type: keyword example: |
core |
|
Agents are normally responsible for populating the For example if the agent’s connection is authenticated with mTLS and the client cert contains the ID of the agent to which the cert was issued then the If no validation is performed then the field should be omitted. The allowed values are:
type: keyword example: |
extended |
|
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy.
This field is an array. This will allow proper categorization of some events that fall in multiple categories. type: keyword Note: this field should contain an array of values. Important: The field value must be one of the following: authentication, configuration, database, driver, email, file, host, iam, intrusion_detection, malware, network, package, process, registry, session, threat, vulnerability, web To learn more about when to use which value, visit the page allowed values for event.category |
core |
|
Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. type: keyword example: |
extended |
|
event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent’s or pipeline’s ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. type: date example: |
core |
|
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It’s recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. type: keyword example: |
core |
|
Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. type: long |
core |
|
event.end contains the date when the event ended or when the activity was last observed. type: date |
extended |
|
Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. type: keyword example: |
extended |
|
Unique ID to describe the event. type: keyword example: |
core |
|
Timestamp when an event arrived in the central data store. This is different from In normal conditions, assuming no tampering, the timestamps should chronologically look like this: type: date example: |
core |
|
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy.
The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. type: keyword Important: The field value must be one of the following: alert, enrichment, event, metric, state, pipeline_error, signal To learn more about when to use which value, visit the page allowed values for event.kind |
core |
|
Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), type: keyword example: |
core |
|
Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from type: keyword example: |
core |
|
This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy.
Note that when a single transaction is described in multiple events, each event may populate different values of Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with type: keyword Important: The field value must be one of the following: failure, success, unknown To learn more about when to use which value, visit the page allowed values for event.outcome |
core |
|
Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). type: keyword example: |
extended |
|
Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where type: keyword example: |
extended |
|
Reference URL linking to additional information about this event. This URL links to a static definition of this event. Alert events, indicated by type: keyword example: |
extended |
|
Risk score or priority of the event (e.g. security solutions). Use your system’s original value here. type: float |
core |
|
Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. type: float |
extended |
|
Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. type: long |
extended |
|
The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It’s up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in type: long example: |
core |
|
event.start contains the date when the event started or when the activity was first observed. type: date |
extended |
|
This field should be populated when the event’s timestamp does not include timezone information already (e.g. default Syslog timestamps). It’s optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). type: keyword |
extended |
|
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy.
This field is an array. This will allow proper categorization of some events that fall in multiple event types. type: keyword Note: this field should contain an array of values. Important: The field value must be one of the following: access, admin, allowed, change, connection, creation, deletion, denied, end, error, group, indicator, info, installation, protocol, start, user To learn more about when to use which value, visit the page allowed values for event.type |
core |
|
URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by type: keyword example: |
extended |