Elastic Common Schema (ECS) Reference
Operating System Fields

The OS fields contain information about the operating system.
Operating System Field Details

Field | Description | Level
---|---|---
os.family | OS family (such as redhat, debian, freebsd, windows). type: keyword | extended
os.full | Operating system name, including the version or code name. type: keyword (with multi-fields) | extended
os.kernel | Operating system kernel version as a raw string. type: keyword | extended
os.name | Operating system name, without the version. type: keyword (with multi-fields) | extended
os.platform | Operating system platform (such as centos, ubuntu, windows). type: keyword | extended
os.type | Use the os.type field only for an OS that is one of its expected values; if the OS you're dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. Expected values for this field: type: keyword | extended
os.version | Operating system version as a raw string. type: keyword | extended
Field Reuse

The os fields are expected to be nested at:
- host.os
- observer.os
- user_agent.os

Note also that the os fields are not expected to be used directly at the root of the events.
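The nesting rule above and the "do not populate os.type with an unlisted value" rule are the two places where producers of ECS events most often go wrong, so here is a small normalizer that enforces both. This is an added example, not code from the ECS project: the set of allowed os.type values is taken from the ECS reference for os.type and is an assumption of this example (the page itself does not list them), and the host/observer/user_agent reuse locations come from the Field Reuse section. The sample host record at the bottom is constructed.

```python
"""Build the ECS `os` field set and nest it only where ECS allows it (added example)."""
from typing import Optional

# Assumed expected values for os.type (from the ECS reference; not listed on this page).
OS_TYPE_VALUES = {"linux", "macos", "unix", "windows", "ios", "android"}

# Places where the os field set may be reused, per the Field Reuse section.
OS_REUSE_PARENTS = ("host", "observer", "user_agent")


def build_os(name: str, version: Optional[str] = None, family: Optional[str] = None,
             platform: Optional[str] = None, kernel: Optional[str] = None,
             os_type: Optional[str] = None) -> dict:
    """Return an `os` object containing only the fields we actually know.

    os.type is set only when the value is one of the expected values; any other
    value is dropped, because ECS says the field should then stay unpopulated.
    """
    os_obj = {"name": name}                      # os.name: name without version
    os_obj["full"] = f"{name} {version}" if version else name   # os.full: name plus version
    if version:
        os_obj["version"] = version              # os.version: raw version string
    if family:
        os_obj["family"] = family                # os.family: e.g. debian, redhat
    if platform:
        os_obj["platform"] = platform            # os.platform: e.g. ubuntu, centos
    if kernel:
        os_obj["kernel"] = kernel                # os.kernel: raw kernel version
    if os_type is not None:
        normalized = os_type.strip().lower()
        if normalized in OS_TYPE_VALUES:
            os_obj["type"] = normalized
        # Unlisted value: leave os.type out rather than inventing a category.
    return os_obj


def is_allowed_os_parent(parent: str) -> bool:
    """True if the os field set may be nested under this top-level object."""
    return parent in OS_REUSE_PARENTS


def attach_os(event: dict, parent: str, os_obj: dict) -> dict:
    """Nest os_obj at event[parent]["os"], refusing locations ECS does not define."""
    if not is_allowed_os_parent(parent):
        raise ValueError(f"os fields may only be nested under {OS_REUSE_PARENTS}, not {parent!r}")
    event.setdefault(parent, {})["os"] = os_obj
    return event


def os_fields_at_root(event: dict) -> bool:
    """Detect the anti-pattern the reference warns about: an `os` object at the event root."""
    return "os" in event


if __name__ == "__main__":
    # Constructed sample host record, as an inventory agent might report it.
    host_record = {"hostname": "web-01", "os_name": "Ubuntu", "os_version": "22.04",
                   "kernel": "5.15.0-91-generic", "os_type": "Linux"}
    event = {"event": {"kind": "state"}, "host": {"name": host_record["hostname"]}}
    attach_os(event, "host", build_os(host_record["os_name"], host_record["os_version"],
                                      family="debian", platform="ubuntu",
                                      kernel=host_record["kernel"], os_type=host_record["os_type"]))
    print(event)
```

Values for os.type are lower-cased before the check because the expected values are lower-case keywords; a producer that emits "Linux" and a consumer that queries for "linux" would otherwise silently disagree.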