Operating System Fields
editOperating System Fields
editThe OS fields contain information about the operating system.
Operating System Field Details
editField | Description | Level |
---|---|---|
OS family (such as redhat, debian, freebsd, windows). type: keyword example: |
extended |
|
Operating system name, including the version or code name. type: keyword Multi-fields:
example: |
extended |
|
Operating system kernel version as a raw string. type: keyword example: |
extended |
|
Operating system name, without the version. type: keyword Multi-fields:
example: |
extended |
|
Operating system platform (such centos, ubuntu, windows). type: keyword example: |
extended |
|
Use the If the OS you’re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. Expected values for this field:
type: keyword example: Note: The expected values in ECS for |
extended |
|
Operating system version as a raw string. type: keyword example: |
extended |
Field Reuse
editThe os
fields are expected to be nested at:
-
host.os
-
observer.os
-
user_agent.os
Note also that the os
fields are not expected to be used directly at the root of the events.