Operating System Fields

The OS fields contain information about the operating system.

Operating System Field Details

Each field is listed with its description, data type, example value, and ECS level.

os.family
  OS family (such as redhat, debian, freebsd, windows).
  type: keyword
  example: debian
  level: extended

os.full
  Operating system name, including the version or code name.
  type: keyword
  Multi-fields:
    • os.full.text (type: match_only_text)
  example: Mac OS Mojave
  level: extended

os.kernel
  Operating system kernel version as a raw string.
  type: keyword
  example: 4.4.0-112-generic
  level: extended

os.name
  Operating system name, without the version.
  type: keyword
  Multi-fields:
    • os.name.text (type: match_only_text)
  example: Mac OS X
  level: extended

os.platform
  Operating system platform (such as centos, ubuntu, windows).
  type: keyword
  example: darwin
  level: extended

os.type
  Use the os.type field to categorize the operating system into one of the broad commercial families.

  If the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.

  Expected values for this field:
    • linux
    • macos
    • unix
    • windows
    • ios
    • android
  type: keyword
  example: macos
  level: extended

os.version
  Operating system version as a raw string.
  type: keyword
  example: 10.14.1
  level: extended

Field Reuse

The os fields are expected to be nested at:

  • host.os
  • observer.os
  • user_agent.os

Note also that the os fields are not expected to be used directly at the root of the events.
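The two rules on this page that an ingest pipeline most often gets wrong are the os.type vocabulary and the nesting requirement. The following validator is an added example, not code from ECS or Elastic; it assumes an event already parsed into a Python dict and reports violations of both rules, using a constructed sample event.

```python
import json

# Allowed os.type values and permitted nesting points, as listed on this page.
OS_TYPES = {"linux", "macos", "unix", "windows", "ios", "android"}
OS_PARENTS = ("host", "observer", "user_agent")
OS_KEYWORD_FIELDS = {"family", "full", "kernel", "name", "platform", "type", "version"}


def check_os_block(path, block):
    """Return violations found in one os.* object located at `path`."""
    problems = []
    for key, value in block.items():
        if key not in OS_KEYWORD_FIELDS:
            problems.append(f"{path}.{key}: not an ECS os field")
        elif not isinstance(value, str):
            problems.append(f"{path}.{key}: keyword fields must be strings")
    # An unlisted OS must leave os.type unset rather than guess a value.
    if "type" in block and block["type"] not in OS_TYPES:
        problems.append(f"{path}.type: {block['type']!r} is not an expected value; leave unset")
    return problems


def validate_os_fields(event):
    """Return a list of violations of this page's os field rules for one event."""
    problems = []
    if "os" in event:
        problems.append("os: os fields must not be used at the root of the event")
    for parent in OS_PARENTS:
        block = event.get(parent, {}).get("os")
        if isinstance(block, dict):
            problems.extend(check_os_block(f"{parent}.os", block))
    return problems


# Constructed sample event (not from the page): a well-formed host.os block,
# an observer.os.type outside the expected values, and a stray root-level os.
SAMPLE_EVENT = json.loads("""
{
  "host": {"name": "web-01", "os": {"family": "debian", "platform": "ubuntu",
            "name": "Ubuntu", "kernel": "4.4.0-112-generic", "type": "linux",
            "version": "18.04"}},
  "observer": {"os": {"type": "solaris"}},
  "os": {"name": "stray"}
}
""")

if __name__ == "__main__":
    for problem in validate_os_fields(SAMPLE_EVENT):
        print(problem)
```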