Overview

This is the documentation of ECS version 9.0.0-dev.
What is ECS?

The Elastic Common Schema (ECS) is an open source specification, developed with support from the Elastic user community. ECS defines a common set of fields to be used when storing event data in Elasticsearch, such as logs and metrics.
ECS specifies field names and Elasticsearch datatypes for each field, and provides descriptions and example usage. ECS also groups fields into ECS levels, which are used to signal how much a field is expected to be present. You can learn more about ECS levels in Guidelines and Best Practices. Finally, ECS also provides a set of naming guidelines for adding custom fields.
The goal of ECS is to enable and encourage users of Elasticsearch to normalize their event data, so that they can better analyze, visualize, and correlate the data represented in their events. ECS has been scoped to accommodate a wide variety of events, spanning:
- Event sources: whether the source of your event is an Elastic product, a third-party product, or a custom application built by your organization.
- Ingestion architectures: whether the ingestion path for your events includes Beats processors, Logstash, Elasticsearch ingest node, all of the above, or none of the above.
- Consumers: whether consumed by API, Kibana queries, dashboards, apps, or other means.
New to ECS?

If you’re new to ECS and looking for an introduction to its benefits and examples of the core concepts, Getting Started is a great place to start.
My events don’t map with ECS

ECS is a permissive schema. If your events have additional data that cannot be mapped to ECS, you can simply add them to your events, using custom field names.
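The normalization goal described above and the permissive handling of unmapped data, as an added example that is not part of the ECS documentation: a constructed sshd log line is mapped onto ECS fields, and the one value with no ECS home is kept under an organization-specific namespace. The log line, the `acme` namespace and the helper names are assumptions made for this example; the ECS field names used are real ECS fields.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample line (not a real log). Syslog timestamps carry no year, so one is assumed below.
RAW_LINE = "Mar 10 12:00:01 bastion sshd[4242]: Failed password for alice from 203.0.113.7 port 51234 ssh2"

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Failed password for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) (?P<proto>\S+)$"
)

# A few ECS field-set names (from the ECS field reference); a custom namespace must not reuse one of them,
# otherwise custom data would silently land inside a field set whose mapping it does not follow.
ECS_FIELD_SETS = {"agent", "client", "cloud", "destination", "event", "host", "process", "source", "user"}


def safe_custom_namespace(name: str) -> bool:
    """True when a custom top-level namespace does not collide with an ECS field set."""
    return name not in ECS_FIELD_SETS


def to_ecs(line: str, year: int = 2024, namespace: str = "acme") -> dict:
    """Map one constructed sshd line onto ECS; unmapped data goes under `namespace`."""
    if not safe_custom_namespace(namespace):
        raise ValueError(f"custom namespace {namespace!r} collides with an ECS field set")
    doc = {"ecs": {"version": "9.0.0-dev"}, "message": line, "event": {"kind": "event"}}
    m = LINE_RE.match(line)
    if not m:
        # Unparsed input is still a valid ECS document: the raw text survives in `message`.
        return doc
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    doc["@timestamp"] = ts.isoformat().replace("+00:00", "Z")
    doc["event"].update({"category": ["authentication"], "type": ["start"], "outcome": "failure"})
    doc["host"] = {"name": m["host"]}
    doc["process"] = {"name": "sshd", "pid": int(m["pid"])}
    doc["user"] = {"name": m["user"]}
    doc["source"] = {"ip": m["ip"], "port": int(m["port"])}
    # The SSH protocol token has no ECS field, so it is kept under the custom namespace rather than dropped.
    doc[namespace] = {"ssh": {"protocol": m["proto"]}}
    return doc


if __name__ == "__main__":
    print(json.dumps(to_ecs(RAW_LINE), indent=2))
```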
Maturity

ECS improvements are released following Semantic Versioning. Major ECS releases are planned to be aligned with major Elastic Stack releases.
Any feedback on the general structure, missing fields, or existing fields is appreciated. For contributions please read the Contribution Guidelines.