# WARNING! Do not edit this file directly, it was generated by the ECS project,
# based on ECS version 1.1.0.
# Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
- key : ecs
title : ECS
description : ECS Fields.
fields :
- name : '@timestamp'
level : core
required : true
type : date
description : 'Date/time when the event originated.
This is the date/time extracted from the event, typically representing when
the event was generated by the source.
If the event source has no original timestamp, this value is typically populated
by the first time the event was received by the pipeline.
Required field for all events.'
example : '2016-05-23T08:05:34.853Z'
- name : labels
level : core
type : object
object_type : keyword
description : 'Custom key/value pairs.
Can be used to add meta information to events. Should not contain nested objects.
All values are stored as keyword.
Example: `docker` and `k8s` labels.'
example :
application : foo-bar
env : production
- name : message
level : core
type : text
description : 'For log events the message field contains the log message, optimized
for viewing in a log viewer.
For structured logs without an original message field, other fields can be concatenated
to form a human-readable summary of the event.
If multiple messages exist, they can be combined into one message.'
example : Hello World
- name : tags
level : core
type : keyword
ignore_above : 1024
description : List of keywords used to tag each event.
example : '["production", "env2"]'
- name : agent
title : Agent
group : 2
description : 'The agent fields contain the data about the software entity, if
any, that collects, detects, or observes events on a host, or takes measurements
on a host.
Examples include Beats. Agents may also run on observers. ECS agent.* fields
shall be populated with details of the agent running on the host or observer
where the event happened or the measurement was taken.'
footnote: 'Examples: In the case of Beats for logs, the agent.name is filebeat.
For APM, it is the agent running in the app/service. The agent information does
not change if data is sent through queuing systems like Kafka, Redis, or processing
systems such as Logstash or APM Server.'
type : group
fields :
- name : ephemeral_id
level : extended
type : keyword
ignore_above : 1024
description : 'Ephemeral identifier of this agent (if one exists).
This id normally changes across restarts, but `agent.id` does not.'
example : 8a4f500f
- name : id
level : core
type : keyword
ignore_above : 1024
description : 'Unique identifier of this agent (if one exists).
Example: For Beats this would be beat.id.'
example : 8a4f500d
- name : name
level : core
type : keyword
ignore_above : 1024
description : 'Custom name of the agent.
This is a name that can be given to an agent. This can be helpful if, for example,
two Filebeat instances are running on the same host but a human-readable separation
is needed to tell which Filebeat instance the data is coming from.
If no name is given, the name is often left empty.'
example : foo
- name : type
level : core
type : keyword
ignore_above : 1024
description : 'Type of the agent.
The agent type always stays the same and should be given by the agent used.
In the case of Filebeat the agent would always be Filebeat, even if two Filebeat
instances are run on the same machine.'
example : filebeat
- name : version
level : core
type : keyword
ignore_above : 1024
description : Version of the agent.
example : 6.0.0-rc2
- name : as
title : Autonomous System
group : 2
description : An autonomous system (AS) is a collection of connected Internet Protocol
(IP) routing prefixes under the control of one or more network operators on
behalf of a single administrative entity or domain that presents a common, clearly
defined routing policy to the internet.
type : group
fields :
- name : number
level : extended
type : long
description : Unique number allocated to the autonomous system. The autonomous
system number (ASN) uniquely identifies each network on the Internet.
example : 15169
- name : organization.name
level : extended
type : keyword
ignore_above : 1024
description : Organization name.
example : Google LLC
- name : client
title : Client
group : 2
description : 'A client is defined as the initiator of a network connection for
events regarding sessions, connections, or bidirectional flow records.
For TCP events, the client is the initiator of the TCP connection that sends
the SYN packet(s). For other protocols, the client is generally the initiator
or requestor in the network transaction. Some systems use the term "originator"
to refer to the client in TCP connections. The client fields describe details about
the system acting as the client in the network event. Client fields are usually
populated in conjunction with server fields. Client fields are generally not
populated for packet-level events.
Client / server representations can add semantic context to an exchange, which
is helpful to visualize the data in certain situations. If your context falls
in that category, you should still ensure that source and destination are filled
appropriately.'
type : group
fields :
- name : address
level : extended
type : keyword
ignore_above : 1024
description : 'Some event client addresses are defined ambiguously. The event
will sometimes list an IP, a domain or a unix socket. You should always store
the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which one
it is.'
- name : as.number
level : extended
type : long
description : Unique number allocated to the autonomous system. The autonomous
system number (ASN) uniquely identifies each network on the Internet.
example : 15169
- name : as.organization.name
level : extended
type : keyword
ignore_above : 1024
description : Organization name.
example : Google LLC
- name : bytes
level : core
type : long
format : bytes
description : Bytes sent from the client to the server.
example : 184
- name : domain
level : core
type : keyword
ignore_above : 1024
description : Client domain.
- name : geo.city_name
level : core
type : keyword
ignore_above : 1024
description : City name.
example : Montreal
- name : geo.continent_name
level : core
type : keyword
ignore_above : 1024
description : Name of the continent.
example : North America
- name : geo.country_iso_code
level : core
type : keyword
ignore_above : 1024
description : Country ISO code.
example : CA
- name : geo.country_name
level : core
type : keyword
ignore_above : 1024
description : Country name.
example : Canada
- name : geo.location
level : core
type : geo_point
description : Longitude and latitude.
example : '{ "lon": -73.614830, "lat": 45.505918 }'
- name : geo.name
level : extended
type : keyword
ignore_above : 1024
description : 'User-defined description of a location, at the level of granularity
they care about.
Could be the name of their data centers, the floor number (if this describes
a local physical entity), or city names.
Not typically used in automated geolocation.'
example : boston-dc
- name : geo.region_iso_code
level : core
type : keyword
ignore_above : 1024
description : Region ISO code.
example : CA-QC
- name : geo.region_name
level : core
type : keyword
ignore_above : 1024
description : Region name.
example : Quebec
- name : ip
level : core
type : ip
description : 'IP address of the client.
Can be one or multiple IPv4 or IPv6 addresses.'
- name : mac
level : core
type : keyword
ignore_above : 1024
description : MAC address of the client.
- name : nat.ip
level : extended
type : ip
description : 'Translated IP of source based NAT sessions (e.g. internal client
to internet).
Typically connections traversing load balancers, firewalls, or routers.'
- name : nat.port
level : extended
type : long
format : string
description : 'Translated port of source based NAT sessions (e.g. internal client
to internet).
Typically connections traversing load balancers, firewalls, or routers.'
- name : packets
level : core
type : long
description : Packets sent from the client to the server.
example : 12
- name : port
level : core
type : long
format : string
description : Port of the client.
- name : user.domain
level : extended
type : keyword
ignore_above : 1024
description : 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
- name : user.email
level : extended
type : keyword
ignore_above : 1024
description : User email address.
- name : user.full_name
level : extended
type : keyword
ignore_above : 1024
description : User's full name, if available.
example : Albert Einstein
- name : user.group.id
level : extended
type : keyword
ignore_above : 1024
description : Unique identifier for the group on the system/platform.
- name : user.group.name
level : extended
type : keyword
ignore_above : 1024
description : Name of the group.
- name : user.hash
level : extended
type : keyword
ignore_above : 1024
description : 'Unique user hash to correlate information for a user in anonymized
form.
Useful if `user.id` or `user.name` contain confidential information and cannot
be used.'
- name : user.id
level : core
type : keyword
ignore_above : 1024
description : One or multiple unique identifiers of the user.
- name : user.name
level : core
type : keyword
ignore_above : 1024
description : Short name or login of the user.
example : albert
- name : cloud
title : Cloud
group : 2
description : Fields related to the cloud or infrastructure the events are coming
from.
footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data
from its host, the cloud info contains the data about this machine. If Metricbeat
runs on a remote machine outside the cloud and fetches data from a service running
in the cloud, the field contains cloud data from the machine the service is
running on.'
type : group
fields :
- name : account.id
level : extended
type : keyword
ignore_above : 1024
description : 'The cloud account or organization id used to identify different
entities in a multi-tenant environment.
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
example : 666777888999
- name : availability_zone
level : extended
type : keyword
ignore_above : 1024
description : Availability zone in which this host is running.
example : us-east-1c
- name : instance.id
level : extended
type : keyword
ignore_above : 1024
description : Instance ID of the host machine.
example : i-1234567890abcdef0
- name : instance.name
level : extended
type : keyword
ignore_above : 1024
description : Instance name of the host machine.
- name : machine.type
level : extended
type : keyword
ignore_above : 1024
description : Machine type of the host machine.
example : t2.medium
- name : provider
level : extended
type : keyword
ignore_above : 1024
description : Name of the cloud provider. Example values are aws, azure, gcp,
or digitalocean.
example : aws
- name : region
level : extended
type : keyword
ignore_above : 1024
description : Region in which this host is running.
example : us-east-1
- name : container
title : Container
group : 2
description : 'Container fields are used for meta information about the specific
container that is the source of information.
These fields help correlate data based on containers from any runtime.'
type : group
fields :
- name : id
level : core
type : keyword
ignore_above : 1024
description : Unique container id.
- name : image.name
level : extended
type : keyword
ignore_above : 1024
description : Name of the image the container was built on.
- name : image.tag
level : extended
type : keyword
ignore_above : 1024
description : Container image tag.
- name : labels
level : extended
type : object
object_type : keyword
description : Image labels.
- name : name
level : extended
type : keyword
ignore_above : 1024
description : Container name.
- name : runtime
level : extended
type : keyword
ignore_above : 1024
description : Runtime managing this container.
example : docker
- name : destination
title : Destination
group : 2
description : 'Destination fields describe details about the destination of a packet/event.
Destination fields are usually populated in conjunction with source fields.'
type : group
fields :
- name : address
level : extended
type : keyword
ignore_above : 1024
description : 'Some event destination addresses are defined ambiguously. The
event will sometimes list an IP, a domain or a unix socket. You should always
store the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which one
it is.'
- name : as.number
level : extended
type : long
description : Unique number allocated to the autonomous system. The autonomous
system number (ASN) uniquely identifies each network on the Internet.
example : 15169
- name : as.organization.name
level : extended
type : keyword
ignore_above : 1024
description : Organization name.
example : Google LLC
- name : bytes
level : core
type : long
format : bytes
description : Bytes sent from the destination to the source.
example : 184
- name : domain
level : core
type : keyword
ignore_above : 1024
description : Destination domain.
- name : geo.city_name
level : core
type : keyword
ignore_above : 1024
description : City name.
example : Montreal
- name : geo.continent_name
level : core
type : keyword
ignore_above : 1024
description : Name of the continent.
example : North America
- name : geo.country_iso_code
level : core
type : keyword
ignore_above : 1024
description : Country ISO code.
example : CA
- name : geo.country_name
level : core
type : keyword
ignore_above : 1024
description : Country name.
example : Canada
- name : geo.location
level : core
type : geo_point
description : Longitude and latitude.
example : '{ "lon": -73.614830, "lat": 45.505918 }'
- name : geo.name
level : extended
type : keyword
ignore_above : 1024
description : 'User-defined description of a location, at the level of granularity
they care about.
Could be the name of their data centers, the floor number (if this describes
a local physical entity), or city names.
Not typically used in automated geolocation.'
example : boston-dc
- name : geo.region_iso_code
level : core
type : keyword
ignore_above : 1024
description : Region ISO code.
example : CA-QC
- name : geo.region_name
level : core
type : keyword
ignore_above : 1024
description : Region name.
example : Quebec
- name : ip
level : core
type : ip
description : 'IP address of the destination.
Can be one or multiple IPv4 or IPv6 addresses.'
- name : mac
level : core
type : keyword
ignore_above : 1024
description : MAC address of the destination.
- name : nat.ip
level : extended
type : ip
description : 'Translated IP of destination based NAT sessions (e.g. internet
to private DMZ).
Typically used with load balancers, firewalls, or routers.'
- name : nat.port
level : extended
type : long
format : string
description : 'Port the source session is translated to by NAT Device.
Typically used with load balancers, firewalls, or routers.'
- name : packets
level : core
type : long
description : Packets sent from the destination to the source.
example : 12
- name : port
level : core
type : long
format : string
description : Port of the destination.
- name : user.domain
level : extended
type : keyword
ignore_above : 1024
description : 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
- name : user.email
level : extended
type : keyword
ignore_above : 1024
description : User email address.
- name : user.full_name
level : extended
type : keyword
ignore_above : 1024
description : User's full name, if available.
example : Albert Einstein
- name : user.group.id
level : extended
type : keyword
ignore_above : 1024
description : Unique identifier for the group on the system/platform.
- name : user.group.name
level : extended
type : keyword
ignore_above : 1024
description : Name of the group.
- name : user.hash
level : extended
type : keyword
ignore_above : 1024
description : 'Unique user hash to correlate information for a user in anonymized
form.
Useful if `user.id` or `user.name` contain confidential information and cannot
be used.'
- name : user.id
level : core
type : keyword
ignore_above : 1024
description : One or multiple unique identifiers of the user.
- name : user.name
level : core
type : keyword
ignore_above : 1024
description : Short name or login of the user.
example : albert
- name : dns
title : DNS
group : 2
description : 'Fields describing DNS queries and answers.
DNS events should either represent a single DNS query prior to getting answers
(`dns.type:query`) or they should represent a full exchange and contain the
query details as well as all of the answers that were provided for this query
(`dns.type:answer`).'
type : group
fields :
- name : answers
level : extended
type : object
object_type : keyword
description : 'An array containing an object for each answer section returned
by the server.
The main keys that should be present in these objects are defined by ECS.
Records that have more information may contain more keys than what ECS defines.
Not all DNS data sources give all details about DNS answers. At minimum, answer
objects must contain the `data` key. If more information is available, map
as much of it to ECS as possible, and add any additional fields to the answer
objects as custom fields.'
- name : answers.class
level : extended
type : keyword
ignore_above : 1024
description : The class of DNS data contained in this resource record.
example : IN
- name : answers.data
level : extended
type : keyword
ignore_above : 1024
description : 'The data describing the resource.
The meaning of this data depends on the type and class of the resource record.'
example : 10.10.10.10
- name : answers.name
level : extended
type : keyword
ignore_above : 1024
description : 'The domain name to which this resource record pertains.
If a chain of CNAME is being resolved, each answer''s `name` should be the
one that corresponds with the answer''s `data`. It should not simply be the
original `question.name` repeated.'
example : www.google.com
- name : answers.ttl
level : extended
type : long
description : The time interval in seconds that this resource record may be cached
before it should be discarded. Zero values mean that the data should not be
cached.
example : 180
- name : answers.type
level : extended
type : keyword
ignore_above : 1024
description : The type of data contained in this resource record.
example : CNAME
- name : header_flags
level : extended
type : keyword
ignore_above : 1024
description : 'Array of 2 letter DNS header flags.
Expected values are: AA, TC, RD, RA, AD, CD, DO.'
example :
- RD
- RA
- name : id
level : extended
type : keyword
ignore_above : 1024
description : The DNS packet identifier assigned by the program that generated
the query. The identifier is copied to the response.
example : 62111
- name : op_code
level : extended
type : keyword
ignore_above : 1024
description : The DNS operation code that specifies the kind of query in the
message. This value is set by the originator of a query and copied into the
response.
example : QUERY
- name : question.class
level : extended
type : keyword
ignore_above : 1024
description : The class of records being queried.
example : IN
- name : question.name
level : extended
type : keyword
ignore_above : 1024
description : 'The name being queried.
If the name field contains non-printable characters (below 32 or above 126),
those characters should be represented as escaped base 10 integers (\DDD).
Back slashes and quotes should be escaped. Tabs, carriage returns, and line
feeds should be converted to \t, \r, and \n respectively.'
example : www.google.com
- name : question.registered_domain
level : extended
type : keyword
ignore_above : 1024
description : 'The highest registered domain, stripped of the subdomain.
For example, the registered domain for "foo.google.com" is "google.com".
This value can be determined precisely with a list like the public suffix
list (http://publicsuffix.org). Trying to approximate this by simply taking
the last two labels will not work well for TLDs such as "co.uk".'
example : google.com
- name : question.type
level : extended
type : keyword
ignore_above : 1024
description : The type of record being queried.
example : AAAA
- name : resolved_ip
level : extended
type : ip
description : 'Array containing all IPs seen in `answers.data`.
The `answers` array can be difficult to use, because of the variety of data
formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip`
makes it possible to index them as IP addresses, and makes them easier to
visualize and query for.'
example :
- 10.10.10.10
- 10.10.10.11
- name : response_code
level : extended
type : keyword
ignore_above : 1024
description : The DNS response code.
example : NOERROR
- name : type
level : extended
type : keyword
ignore_above : 1024
description : 'The type of DNS event captured, query or answer.
If your source of DNS events only gives you DNS queries, you should only create
dns events of type `dns.type:query`.
If your source of DNS events gives you answers as well, you should create
one event per query (optionally as soon as the query is seen), and a second
event containing all query details as well as an array of answers.'
example : answer
- name : ecs
title : ECS
group : 2
description : Meta-information specific to ECS.
type : group
fields :
- name : version
level : core
required : true
type : keyword
ignore_above : 1024
description : 'ECS version this event conforms to. `ecs.version` is a required
field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different
ECS versions -- this field lets integrations adjust to the schema version
of the events.'
example : 1.0.0
- name : error
title : Error
group : 2
description : 'These fields can represent errors of any kind.
Use them for errors that happen while fetching events or in cases where the
event itself contains an error.'
type : group
fields :
- name : code
level : core
type : keyword
ignore_above : 1024
description : Error code describing the error.
- name : id
level : core
type : keyword
ignore_above : 1024
description : Unique identifier for the error.
- name : message
level : core
type : text
description : Error message.
- name : event
title : Event
group : 2
description : 'The event fields are used for context information about the log
or metric event itself.
A log is defined as an event containing details of something that happened.
Log events must include the time at which the thing happened. Examples of log
events include a process starting on a host, a network packet being sent from
a source to a destination, or a network connection between a client and a server
being initiated or closed. A metric is defined as an event containing one or
more numerical or categorical measurements and the time at which the measurement
was taken. Examples of metric events include memory pressure measured on a host,
or vulnerabilities measured on a scanned host.'
type : group
fields :
- name : action
level : core
type : keyword
ignore_above : 1024
description : 'The action captured by the event.
This describes the information in the event. It is more specific than `event.category`.
Examples are `group-add`, `process-started`, `file-created`. The value is
normally defined by the implementer.'
example : user-password-change
- name : category
level : core
type : keyword
ignore_above : 1024
description : 'Event category.
This contains high-level information about the contents of the event. It is
more generic than `event.action`, in the sense that typically a category contains
multiple actions. Warning: In future versions of ECS, we plan to provide a
list of acceptable values for this field; please use with caution.'
example : user-management
- name : code
level : extended
type : keyword
ignore_above : 1024
description : 'Identification code for this event, if one exists.
Some event sources use event codes to identify messages unambiguously, regardless
of message language or wording adjustments over time. An example of this is
the Windows Event ID.'
example : 4648
- name : created
level : core
type : date
description : 'event.created contains the date/time when the event was first
read by an agent, or by your pipeline.
This field is distinct from @timestamp in that @timestamp typically contains
the time extracted from the original event.
In most situations, these two timestamps will be slightly different. The difference
can be used to calculate the delay between your source generating an event,
and the time when your agent first processed it. This can be used to monitor
your agent''s or pipeline''s ability to keep up with your event source.
In case the two timestamps are identical, @timestamp should be used.'
- name : dataset
level : core
type : keyword
ignore_above : 1024
description : 'Name of the dataset.
If an event source publishes more than one type of log or events (e.g. access
log, error log), the dataset is used to specify which one the event comes
from.
It''s recommended but not required to start the dataset name with the module
name, followed by a dot, then the dataset name.'
example : apache.access
- name : duration
level : core
type : long
format : duration
input_format : nanoseconds
output_format : asMilliseconds
output_precision : 1
description : 'Duration of the event in nanoseconds.
If event.start and event.end are known this value should be the difference
between the end and start time.'
- name : end
level : extended
type : date
description : event.end contains the date when the event ended or when the activity
was last observed.
- name : hash
level : extended
type : keyword
ignore_above : 1024
description : Hash (perhaps logstash fingerprint) of raw field to be able to
demonstrate log integrity.
example : 123456789012345678901234567890ABCD
- name : id
level : core
type : keyword
ignore_above : 1024
description : Unique ID to describe the event.
example : 8a4f500d
- name : kind
level : extended
type : keyword
ignore_above : 1024
description : 'The kind of the event.
This gives information about what type of information the event contains,
without being specific to the contents of the event. Examples are `event`,
`state`, `alarm`. Warning: In future versions of ECS, we plan to provide a
list of acceptable values for this field; please use with caution.'
example : state
- name : module
level : core
type : keyword
ignore_above : 1024
description : 'Name of the module this data is coming from.
If your monitoring agent supports the concept of modules or plugins to process
events of a given source (e.g. Apache logs), `event.module` should contain
the name of this module.'
example : apache
- name : original
level : core
type : keyword
ignore_above : 1024
description : 'Raw text message of entire event. Used to demonstrate log integrity.
This field is not indexed and doc_values are disabled. It cannot be searched,
but it can be retrieved from `_source`.'
example : Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100|
worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232
- name : outcome
level : extended
type : keyword
ignore_above : 1024
description : 'The outcome of the event.
If the event describes an action, this field contains the outcome of that
action. Example outcomes are `success` and `failure`. Warning: In future
versions of ECS, we plan to provide a list of acceptable values for this field;
please use with caution.'
example : success
- name : provider
level : extended
type : keyword
ignore_above : 1024
description : 'Source of the event.
Event transports such as Syslog or the Windows Event Log typically mention
the source of an event. It can be the name of the software that generated
the event (e.g. Sysmon, httpd), or of a subsystem of the operating system
(kernel, Microsoft-Windows-Security-Auditing).'
example : kernel
- name : risk_score
level : core
type : float
description : Risk score or priority of the event (e.g. security solutions).
Use your system's original value here.
- name : risk_score_norm
level : extended
type : float
description : 'Normalized risk score or priority of the event, on a scale of
0 to 100.
This is mainly useful if you use more than one system that assigns risk scores,
and you want to see a normalized value across all systems.'
- name : sequence
level : extended
type : long
format : string
description : 'Sequence number of the event.
The sequence number is a value published by some event sources, to make the
exact ordering of events unambiguous, regardless of the timestamp precision.'
- name : severity
level : core
type : long
format : string
description : Severity describes the original severity of the event. What the
different severity values mean can be very different between use cases. It's
up to the implementer to make sure severities are consistent across events.
example : '7'
- name : start
level : extended
type : date
description : event.start contains the date when the event started or when the
activity was first observed.
- name : timezone
level : extended
type : keyword
ignore_above : 1024
description : 'This field should be populated when the event''s timestamp does
not include timezone information already (e.g. default Syslog timestamps).
It''s optional otherwise.
Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"),
abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").'
- name : type
level : core
type : keyword
ignore_above : 1024
description : 'Reserved for future usage.
Please avoid using this field for user data.'
- name : file
title : File
group : 2
description : 'A file is defined as a set of information that has been created
on, or has existed on, a filesystem.
File objects can be associated with host events, network events, and/or file
events (e.g., those produced by File Integrity Monitoring [FIM] products or
services). File fields provide details about the affected file associated with
the event or metric.'
type : group
fields :
- name : accessed
level : extended
type : date
description : 'Last time the file was accessed.
Note that not all filesystems keep track of access time.'
- name : created
level : extended
type : date
description : 'File creation time.
Note that not all filesystems store the creation time.'
- name : ctime
level : extended
type : date
description : 'Last time the file attributes or metadata changed.
Note that changes to the file content will update `mtime`. This implies `ctime`
will be adjusted at the same time, since `mtime` is an attribute of the file.'
- name : device
level : extended
type : keyword
ignore_above : 1024
description : Device that is the source of the file.
example : sda
- name : directory
level : extended
type : keyword
ignore_above : 1024
description : Directory where the file is located.
example : /home/alice
- name : extension
level : extended
type : keyword
ignore_above : 1024
description : File extension.
example : png
- name : gid
level : extended
type : keyword
ignore_above : 1024
description : Primary group ID (GID) of the file.
example : '1001'
- name : group
level : extended
type : keyword
ignore_above : 1024
description : Primary group name of the file.
example : alice
- name : hash.md5
level : extended
type : keyword
ignore_above : 1024
description : MD5 hash.
- name : hash.sha1
level : extended
type : keyword
ignore_above : 1024
description : SHA1 hash.
- name : hash.sha256
level : extended
type : keyword
ignore_above : 1024
description : SHA256 hash.
- name : hash.sha512
level : extended
type : keyword
ignore_above : 1024
description : SHA512 hash.
- name : inode
level : extended
type : keyword
ignore_above : 1024
description : Inode representing the file in the filesystem.
example : '256383'
- name : mode
level : extended
type : keyword
ignore_above : 1024
description : Mode of the file in octal representation.
example : '0640'
- name : mtime
level : extended
type : date
description : Last time the file content was modified.
- name : name
level : extended
type : keyword
ignore_above : 1024
description : Name of the file including the extension, without the directory.
example : example.png
- name : owner
level : extended
type : keyword
ignore_above : 1024
description : File owner's username.
example : alice
- name : path
level : extended
type : keyword
ignore_above : 1024
description : Full path to the file.
example : /home/alice/example.png
- name : size
level : extended
type : long
description : 'File size in bytes.
Only relevant when `file.type` is "file".'
example : 16384
- name : target_path
level : extended
type : keyword
ignore_above : 1024
description : Target path for symlinks.
- name : type
level : extended
type : keyword
ignore_above : 1024
description : File type (file, dir, or symlink).
example : file
- name : uid
level : extended
type : keyword
ignore_above : 1024
description : The user ID (UID) or security identifier (SID) of the file owner.
example : '1001'
- name : geo
title : Geo
group : 2
description : 'Geo fields can carry data about a specific location related to an
event.
This geolocation information can be derived from techniques such as Geo IP,
or be user-supplied.'
type : group
fields :
- name : city_name
level : core
type : keyword
ignore_above : 1024
description : City name.
example : Montreal
- name : continent_name
level : core
type : keyword
ignore_above : 1024
description : Name of the continent.
example : North America
- name : country_iso_code
level : core
type : keyword
ignore_above : 1024
description : Country ISO code.
example : CA
- name : country_name
level : core
type : keyword
ignore_above : 1024
description : Country name.
example : Canada
- name : location
level : core
type : geo_point
description : Longitude and latitude.
example : '{ "lon": -73.614830, "lat": 45.505918 }'
- name : name
level : extended
type : keyword
ignore_above : 1024
description : 'User-defined description of a location, at the level of granularity
they care about.
Could be the name of their data centers, the floor number, if this describes
a local physical entity, city names.
Not typically used in automated geolocation.'
example : boston-dc
- name : region_iso_code
level : core
type : keyword
ignore_above : 1024
description : Region ISO code.
example : CA-QC
- name : region_name
level : core
type : keyword
ignore_above : 1024
description : Region name.
example : Quebec
- name : group
title : Group
group : 2
description : The group fields are meant to represent groups that are relevant
to the event.
type : group
fields :
- name : id
level : extended
type : keyword
ignore_above : 1024
description : Unique identifier for the group on the system/platform.
- name : name
level : extended
type : keyword
ignore_above : 1024
description : Name of the group.
- name : hash
title : Hash
group : 2
description : 'The hash fields represent different hash algorithms and their values.
Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for
other hashes by lowercasing the hash algorithm name and using underscore separators
as appropriate (snake case, e.g. sha3_512).'
type : group
fields :
- name : md5
level : extended
type : keyword
ignore_above : 1024
description : MD5 hash.
- name : sha1
level : extended
type : keyword
ignore_above : 1024
description : SHA1 hash.
- name : sha256
level : extended
type : keyword
ignore_above : 1024
description : SHA256 hash.
- name : sha512
level : extended
type : keyword
ignore_above : 1024
description : SHA512 hash.
- name : host
title : Host
group : 2
description : 'A host is defined as a general computing instance.
ECS host.* fields should be populated with details about the host on which the
event happened, or from which the measurement was taken. Host types include
hardware, virtual machines, Docker containers, and Kubernetes nodes.'
type : group
fields :
- name : architecture
level : core
type : keyword
ignore_above : 1024
description : Operating system architecture.
example : x86_64
- name : geo.city_name
level : core
type : keyword
ignore_above : 1024
description : City name.
example : Montreal
- name : geo.continent_name
level : core
type : keyword
ignore_above : 1024
description : Name of the continent.
example : North America
- name : geo.country_iso_code
level : core
type : keyword
ignore_above : 1024
description : Country ISO code.
example : CA
- name : geo.country_name
level : core
type : keyword
ignore_above : 1024
description : Country name.
example : Canada
- name : geo.location
level : core
type : geo_point
description : Longitude and latitude.
example : '{ "lon": -73.614830, "lat": 45.505918 }'
- name : geo.name
level : extended
type : keyword
ignore_above : 1024
description : 'User-defined description of a location, at the level of granularity
they care about.
Could be the name of their data centers, the floor number, if this describes
a local physical entity, city names.
Not typically used in automated geolocation.'
example : boston-dc
- name : geo.region_iso_code
level : core
type : keyword
ignore_above : 1024
description : Region ISO code.
example : CA-QC
- name : geo.region_name
level : core
type : keyword
ignore_above : 1024
description : Region name.
example : Quebec
- name : hostname
level : core
type : keyword
ignore_above : 1024
description : 'Hostname of the host.
It normally contains what the `hostname` command returns on the host machine.'
- name : id
level : core
type : keyword
ignore_above : 1024
description : 'Unique host id.
As hostname is not always unique, use values that are meaningful in your environment.
Example : The current usage of `beat.name`.'
- name : ip
level : core
type : ip
description : Host ip address.
- name : mac
level : core
type : keyword
ignore_above : 1024
description : Host mac address.
- name : name
level : core
type : keyword
ignore_above : 1024
description : 'Name of the host.
It can contain what `hostname` returns on Unix systems, the fully qualified
domain name, or a name specified by the user. The sender decides which value
to use.'
- name : os.family
level : extended
type : keyword
ignore_above : 1024
description : OS family (such as redhat, debian, freebsd, windows).
example : debian
- name : os.full
level : extended
type : keyword
ignore_above : 1024
description : Operating system name, including the version or code name.
example : Mac OS Mojave
- name : os.kernel
level : extended
type : keyword
ignore_above : 1024
description : Operating system kernel version as a raw string.
example : 4.4.0-112-generic
- name : os.name
level : extended
type : keyword
ignore_above : 1024
description : Operating system name, without the version.
example : Mac OS X
- name : os.platform
level : extended
type : keyword
ignore_above : 1024
description : Operating system platform (such as centos, ubuntu, windows).
example : darwin
- name : os.version
level : extended
type : keyword
ignore_above : 1024
description : Operating system version as a raw string.
example : 10.14.1
- name : type
level : core
type : keyword
ignore_above : 1024
description : 'Type of host.
For Cloud providers this can be the machine type like `t2.medium`. If vm,
this could be the container, for example, or other information meaningful
in your environment.'
- name : uptime
level : extended
type : long
description : Seconds the host has been up.
example : 1325
- name : user.domain
level : extended
type : keyword
ignore_above : 1024
description : 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
- name : user.email
level : extended
type : keyword
ignore_above : 1024
description : User email address.
- name : user.full_name
level : extended
type : keyword
ignore_above : 1024
description : User's full name, if available.
example : Albert Einstein
- name : user.group.id
level : extended
type : keyword
ignore_above : 1024
description : Unique identifier for the group on the system/platform.
- name : user.group.name
level : extended
type : keyword
ignore_above : 1024
description : Name of the group.
- name : user.hash
level : extended
type : keyword
ignore_above : 1024
description : 'Unique user hash to correlate information for a user in anonymized
form.
Useful if `user.id` or `user.name` contain confidential information and cannot
be used.'
- name : user.id
level : core
type : keyword
ignore_above : 1024
description : One or multiple unique identifiers of the user.
- name : user.name
level : core
type : keyword
ignore_above : 1024
description : Short name or login of the user.
example : albert
- name : http
title : HTTP
group : 2
description : Fields related to HTTP activity. Use the `url` field set to store
the url of the request.
type : group
fields :
- name : request.body.bytes
level : extended
type : long
format : bytes
description : Size in bytes of the request body.
example : 887
- name : request.body.content
level : extended
type : keyword
ignore_above : 1024
description : The full HTTP request body.
example : Hello world
- name : request.bytes
level : extended
type : long
format : bytes
description : Total size in bytes of the request (body and headers).
example : 1437
- name : request.method
level : extended
type : keyword
ignore_above : 1024
description : 'HTTP request method.
The field value must be normalized to lowercase for querying. See the documentation
section "Implementing ECS".'
example : get, post, put
- name : request.referrer
level : extended
type : keyword
ignore_above : 1024
description : Referrer for this HTTP request.
example : https://blog.example.com/
- name : response.body.bytes
level : extended
type : long
format : bytes
description : Size in bytes of the response body.
example : 887
- name : response.body.content
level : extended
type : keyword
ignore_above : 1024
description : The full HTTP response body.
example : Hello world
- name : response.bytes
level : extended
type : long
format : bytes
description : Total size in bytes of the response (body and headers).
example : 1437
- name : response.status_code
level : extended
type : long
format : string
description : HTTP response status code.
example : 404
- name : version
level : extended
type : keyword
ignore_above : 1024
description : HTTP version.
example : 1.1
- name : log
title : Log
group : 2
description : Fields which are specific to log events.
type : group
fields :
- name : level
level : core
type : keyword
ignore_above : 1024
description : 'Original log level of the log event.
Some examples are `warn`, `error`, `i`.'
example : err
- name : logger
level : core
type : keyword
ignore_above : 1024
description : The name of the logger inside an application. This is usually the
name of the class which initialized the logger, or can be a custom name.
example : org.elasticsearch.bootstrap.Bootstrap
- name : original
level : core
type : keyword
ignore_above : 1024
description : 'This is the original log message and contains the full log message
before splitting it up in multiple parts.
In contrast to the `message` field which can contain an extracted part of
the log message, this field contains the original, full log message. It can
have already some modifications applied like encoding or new lines removed
to clean up the log message.
This field is not indexed and doc_values are disabled so it can''t be queried
but the value can be retrieved from `_source`.'
example : Sep 19 08:26:10 localhost My log
- name : network
title : Network
group : 2
description : 'The network is defined as the communication path over which a host
or network event happens.
The network.* fields should be populated with details about the network activity
associated with an event.'
type : group
fields :
- name : application
level : extended
type : keyword
ignore_above : 1024
description : 'A name given to an application level protocol. This can be arbitrarily
assigned for things like microservices, but also apply to things like skype,
icq, facebook, twitter. This would be used in situations where the vendor
or service can be decoded such as from the source/dest IP owners, ports, or
wire format.
The field value must be normalized to lowercase for querying. See the documentation
section "Implementing ECS".'
example : aim
- name : bytes
level : core
type : long
format : bytes
description : 'Total bytes transferred in both directions.
If `source.bytes` and `destination.bytes` are known, `network.bytes` is their
sum.'
example : 368
- name : community_id
level : extended
type : keyword
ignore_above : 1024
description : 'A hash of source and destination IPs and ports, as well as the
protocol used in a communication. This is a tool-agnostic standard to identify
flows.
Learn more at https://github.com/corelight/community-id-spec.'
example : 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
- name : direction
level : core
type : keyword
ignore_above : 1024
description : "Direction of the network traffic.\nRecommended values are:\n \
\ * inbound\n * outbound\n * internal\n * external\n * unknown\n\nWhen\
\ mapping events from a host-based monitoring context, populate this field\
\ from the host's point of view.\nWhen mapping events from a network or perimeter-based\
\ monitoring context, populate this field from the point of view of your network\
\ perimeter."
example : inbound
- name : forwarded_ip
level : core
type : ip
description : Host IP address when the source IP address is the proxy.
example : 192.1.1.2
- name : iana_number
level : extended
type : keyword
ignore_above : 1024
description : IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).
Standardized list of protocols. This aligns well with NetFlow and sFlow related
logs which use the IANA Protocol Number.
example : 6
- name : name
level : extended
type : keyword
ignore_above : 1024
description : Name given by operators to sections of their network.
example : Guest Wifi
- name : packets
level : core
type : long
description : 'Total packets transferred in both directions.
If `source.packets` and `destination.packets` are known, `network.packets`
is their sum.'
example : 24
- name : protocol
level : core
type : keyword
ignore_above : 1024
description : 'L7 Network protocol name. ex. http, lumberjack, transport protocol.
The field value must be normalized to lowercase for querying. See the documentation
section "Implementing ECS".'
example : http
- name : transport
level : core
type : keyword
ignore_above : 1024
description : 'Same as network.iana_number, but instead using the Keyword name
of the transport layer (udp, tcp, ipv6-icmp, etc.)
The field value must be normalized to lowercase for querying. See the documentation
section "Implementing ECS".'
example : tcp
- name : type
level : core
type : keyword
ignore_above : 1024
description : 'In the OSI Model this would be the Network Layer. ipv4, ipv6,
ipsec, pim, etc
The field value must be normalized to lowercase for querying. See the documentation
section "Implementing ECS".'
example : ipv4
- name : observer
title : Observer
group : 2
description : 'An observer is defined as a special network, security, or application
device used to detect, observe, or create network, security, or application-related
events and metrics.
This could be a custom hardware appliance or a server that has been configured
to run special network, security, or application software. Examples include
firewalls, intrusion detection/prevention systems, network monitoring sensors,
web application firewalls, data loss prevention systems, and APM servers. The
observer.* fields shall be populated with details of the system, if any, that
detects, observes and/or creates a network, security, or application event or
metric. Message queues and ETL components used in processing events or metrics
are not considered observers in ECS.'
type : group
fields :
- name : geo.city_name
level : core
type : keyword
ignore_above : 1024
description : City name.
example : Montreal
- name : geo.continent_name
level : core
type : keyword
ignore_above : 1024
description : Name of the continent.
example : North America
- name : geo.country_iso_code
level : core
type : keyword
ignore_above : 1024
description : Country ISO code.
example : CA
- name : geo.country_name
level : core
type : keyword
ignore_above : 1024
description : Country name.
example : Canada
- name : geo.location
level : core
type : geo_point
description : Longitude and latitude.
example : '{ "lon": -73.614830, "lat": 45.505918 }'
- name : geo.name
level : extended
type : keyword
ignore_above : 1024
description : 'User-defined description of a location, at the level of granularity
they care about.
Could be the name of their data centers, the floor number, if this describes
a local physical entity, city names.
Not typically used in automated geolocation.'
example : boston-dc
- name : geo.region_iso_code
level : core
type : keyword
ignore_above : 1024
description : Region ISO code.
example : CA-QC
- name : geo.region_name
level : core
type : keyword
ignore_above : 1024
description : Region name.
example : Quebec
- name : hostname
level : core
type : keyword
ignore_above : 1024
description : Hostname of the observer.
- name : ip
level : core
type : ip
description : IP address of the observer.
- name : mac
level : core
type : keyword
ignore_above : 1024
description : MAC address of the observer.
- name : os.family
level : extended
type : keyword
ignore_above : 1024
description : OS family (such as redhat, debian, freebsd, windows).
example : debian
- name : os.full
level : extended
type : keyword
ignore_above : 1024
description : Operating system name, including the version or code name.
example : Mac OS Mojave
- name : os.kernel
level : extended
type : keyword
ignore_above : 1024
description : Operating system kernel version as a raw string.
example : 4.4.0-112-generic
- name : os.name
level : extended
type : keyword
ignore_above : 1024
description : Operating system name, without the version.
example : Mac OS X
- name : os.platform
level : extended
type : keyword
ignore_above : 1024
description : Operating system platform (such as centos, ubuntu, windows).
example : darwin
- name : os.version
level : extended
type : keyword
ignore_above : 1024
description : Operating system version as a raw string.
example : 10.14.1
- name : serial_number
level : extended
type : keyword
ignore_above : 1024
description : Observer serial number.
- name : type
level : core
type : keyword
ignore_above : 1024
description : 'The type of the observer the data is coming from.
There is no predefined list of observer types. Some examples are `forwarder`,
`firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.'
example : firewall
- name : vendor
level : core
type : keyword
ignore_above : 1024
description : Observer vendor information.
- name : version
level : core
type : keyword
ignore_above : 1024
description : Observer version.
- name : organization
title : Organization
group : 2
description : 'The organization fields enrich data with information about the company
or entity the data is associated with.
These fields help you arrange or filter data stored in an index by one or multiple
organizations.'
type : group
fields :
- name : id
level : extended
type : keyword
ignore_above : 1024
description : Unique identifier for the organization.
- name : name
level : extended
type : keyword
ignore_above : 1024
description : Organization name.
- name : os
title : Operating System
group : 2
description : The OS fields contain information about the operating system.
type : group
fields :
- name : family
level : extended
type : keyword
ignore_above : 1024
description : OS family (such as redhat, debian, freebsd, windows).
example : debian
- name : full
level : extended
type : keyword
ignore_above : 1024
description : Operating system name, including the version or code name.
example : Mac OS Mojave
- name : kernel
level : extended
type : keyword
ignore_above : 1024
description : Operating system kernel version as a raw string.
example : 4.4.0-112-generic
- name : name
level : extended
type : keyword
ignore_above : 1024
description : Operating system name, without the version.
example : Mac OS X
- name : platform
level : extended
type : keyword
ignore_above : 1024
description : Operating system platform (such as centos, ubuntu, windows).
example : darwin
- name : version
level : extended
type : keyword
ignore_above : 1024
description : Operating system version as a raw string.
example : 10.14.1
- name : process
title : Process
group : 2
description : 'These fields contain information about a process.
These fields can help you correlate metrics information with a process id/name
from a log message. The `process.pid` often stays in the metric itself and
is copied to the global field for correlation.'
type : group
fields :
- name : args
level : extended
type : keyword
ignore_above : 1024
description : 'Array of process arguments.
May be filtered to protect sensitive information.'
example :
- ssh
- -l
- user
- 10.0.0.16
- name : executable
level : extended
type : keyword
ignore_above : 1024
description : Absolute path to the process executable.
example : /usr/bin/ssh
- name : hash.md5
level : extended
type : keyword
ignore_above : 1024
description : MD5 hash.
- name : hash.sha1
level : extended
type : keyword
ignore_above : 1024
description : SHA1 hash.
- name : hash.sha256
level : extended
type : keyword
ignore_above : 1024
description : SHA256 hash.
- name : hash.sha512
level : extended
type : keyword
ignore_above : 1024
description : SHA512 hash.
- name : name
level : extended
type : keyword
ignore_above : 1024
description : 'Process name.
Sometimes called program name or similar.'
example : ssh
- name : pgid
level : extended
type : long
format : string
description : Identifier of the group of processes the process belongs to.
- name : pid
level : core
type : long
format : string
description : Process id.
example : 4242
- name : ppid
level : extended
type : long
format : string
description : Parent process' pid.
example : 4241
- name : start
level : extended
type : date
description : The time the process started.
example : '2016-05-23T08:05:34.853Z'
- name : thread.id
level : extended
type : long
format : string
description : Thread ID.
example : 4242
- name : thread.name
level : extended
type : keyword
ignore_above : 1024
description : Thread name.
example : thread-0
- name : title
level : extended
type : keyword
ignore_above : 1024
description : 'Process title.
The proctitle, sometimes the same as process name. Can also be different:
for example a browser setting its title to the web page currently opened.'
- name : uptime
level : extended
type : long
description : Seconds the process has been up.
example : 1325
- name : working_directory
level : extended
type : keyword
ignore_above : 1024
description : The working directory of the process.
example : /home/alice
- name : related
title : Related
group : 2
description : 'This field set is meant to facilitate pivoting around a piece of
data.
Some pieces of information can be seen in many places in an ECS event. To facilitate
searching for them, store an array of all seen values to their corresponding
field in `related.`.
A concrete example is IP addresses, which can be under host, observer, source,
destination, client, server, and network.forwarded_ip. If you append all IPs
to `related.ip`, you can then search for a given IP trivially, no matter where
it appeared, by querying `related.ip:a.b.c.d`.'
type : group
fields :
- name : ip
level : extended
type : ip
description : All of the IPs seen on your event.
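The `related.ip` aggregation described above, together with the `network.bytes` and `network.packets` sums defined in the network field set, as an added Python example; this is not code from ECS or its tooling, and the event dict, the `IP_FIELDS` list and the helper names are constructed for illustration.

```python
"""Populate related.ip, network.bytes and network.packets on an ECS-shaped event.

Added example, not part of the ECS project. Field paths come from the ECS
descriptions on this page; helper names are our own.
"""
import copy
import ipaddress

# The places the related.ip description lists as possible IP locations.
IP_FIELDS = (
    "host.ip", "observer.ip", "source.ip", "destination.ip",
    "client.ip", "server.ip", "network.forwarded_ip",
)


def get_path(event, dotted):
    """Walk a dotted ECS path through nested dicts; None if any part is missing."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_path(event, dotted, value):
    """Create intermediate dicts as needed and set the leaf value."""
    parts = dotted.split(".")
    cur = event
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def related_ips(event):
    """Every valid IP under IP_FIELDS, normalised, de-duplicated, order preserved.

    Values that do not parse as an IP (a domain that ended up in an ip field,
    for instance) are skipped rather than poisoning the related.ip array.
    """
    seen = []
    for field in IP_FIELDS:
        value = get_path(event, field)
        if value is None:
            continue
        for raw in (value if isinstance(value, list) else [value]):
            try:
                ip = str(ipaddress.ip_address(raw))  # canonical form, e.g. lowercase IPv6
            except ValueError:
                continue
            if ip not in seen:
                seen.append(ip)
    return seen


def enrich(event):
    """Return a copy of the event with related.ip and network totals filled in.

    network.bytes / network.packets are only computed when both the source and
    destination counters are present and the network total is not already set,
    which is how the ECS descriptions define them.
    """
    out = copy.deepcopy(event)
    ips = related_ips(out)
    if ips:
        set_path(out, "related.ip", ips)
    for metric in ("bytes", "packets"):
        src = get_path(out, "source." + metric)
        dst = get_path(out, "destination." + metric)
        if isinstance(src, int) and isinstance(dst, int) \
                and get_path(out, "network." + metric) is None:
            set_path(out, "network." + metric, src + dst)
    return out


# Constructed sample event: host.ip repeats source.ip, one IPv6 address is
# written in uppercase, server only has a domain in .address (no server.ip),
# and observer.ip carries a value that is not an IP at all.
SAMPLE_EVENT = {
    "host": {"ip": ["10.0.0.5", "2001:DB8::1"]},
    "observer": {"ip": "not-an-ip"},
    "source": {"ip": "10.0.0.5", "bytes": 1200, "packets": 9},
    "destination": {"ip": "93.184.216.34", "bytes": 5600, "packets": 14},
    "network": {"forwarded_ip": "192.0.2.10"},
    "server": {"address": "web.example.internal"},
}

if __name__ == "__main__":
    enriched = enrich(SAMPLE_EVENT)
    print(enriched["related"]["ip"])   # ['10.0.0.5', '2001:db8::1', '93.184.216.34', '192.0.2.10']
    print(enriched["network"])         # {'forwarded_ip': '192.0.2.10', 'bytes': 6800, 'packets': 23}
```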
- name : server
title : Server
group : 2
description : 'A Server is defined as the responder in a network connection for
events regarding sessions, connections, or bidirectional flow records.
For TCP events, the server is the receiver of the initial SYN packet(s) of the
TCP connection. For other protocols, the server is generally the responder in
the network transaction. Some systems actually use the term "responder" to refer
the server in TCP connections. The server fields describe details about the
system acting as the server in the network event. Server fields are usually
populated in conjunction with client fields. Server fields are generally not
populated for packet-level events.
Client / server representations can add semantic context to an exchange, which
is helpful to visualize the data in certain situations. If your context falls
in that category, you should still ensure that source and destination are filled
appropriately.'
type : group
fields :
- name : address
level : extended
type : keyword
ignore_above : 1024
description : 'Some event server addresses are defined ambiguously. The event
will sometimes list an IP, a domain or a unix socket. You should always store
the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which one
it is.'
- name : as.number
level : extended
type : long
description : Unique number allocated to the autonomous system. The autonomous
system number (ASN) uniquely identifies each network on the Internet.
example : 15169
- name : as.organization.name
level : extended
type : keyword
ignore_above : 1024
description : Organization name.
example : Google LLC
- name : bytes
level : core
type : long
format : bytes
description : Bytes sent from the server to the client.
example : 184
- name : domain
level : core
type : keyword
ignore_above : 1024
description : Server domain.
- name : geo.city_name
level : core
type : keyword
ignore_above : 1024
description : City name.
example : Montreal
- name : geo.continent_name
level : core
type : keyword
ignore_above : 1024
description : Name of the continent.
example : North America
- name : geo.country_iso_code
level : core
type : keyword
ignore_above : 1024
description : Country ISO code.
example : CA
- name : geo.country_name
level : core
type : keyword
ignore_above : 1024
description : Country name.
example : Canada
- name : geo.location
level : core
type : geo_point
description : Longitude and latitude.
example : '{ "lon": -73.614830, "lat": 45.505918 }'
- name : geo.name
level : extended
type : keyword
ignore_above : 1024
description : 'User-defined description of a location, at the level of granularity
they care about.
Could be the name of their data centers, the floor number, if this describes
a local physical entity, city names.
Not typically used in automated geolocation.'
example : boston-dc
- name : geo.region_iso_code
level : core
type : keyword
ignore_above : 1024
description : Region ISO code.
example : CA-QC
- name : geo.region_name
level : core
type : keyword
ignore_above : 1024
description : Region name.
example : Quebec
- name : ip
level : core
type : ip
description : 'IP address of the server.
Can be one or multiple IPv4 or IPv6 addresses.'
- name : mac
level : core
type : keyword
ignore_above : 1024
description : MAC address of the server.
- name : nat.ip
level : extended
type : ip
description : 'Translated ip of destination based NAT sessions (e.g. internet
to private DMZ)
Typically used with load balancers, firewalls, or routers.'
- name : nat.port
level : extended
type : long
format : string
description : 'Translated port of destination based NAT sessions (e.g. internet
to private DMZ)
Typically used with load balancers, firewalls, or routers.'
- name : packets
level : core
type : long
description : Packets sent from the server to the client.
example : 12
- name : port
level : core
type : long
format : string
description : Port of the server.
- name : user.domain
level : extended
type : keyword
ignore_above : 1024
description : 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
- name : user.email
level : extended
type : keyword
ignore_above : 1024
description : User email address.
- name : user.full_name
level : extended
type : keyword
ignore_above : 1024
description : User's full name, if available.
example : Albert Einstein
- name : user.group.id
level : extended
type : keyword
ignore_above : 1024
description : Unique identifier for the group on the system/platform.
- name : user.group.name
level : extended
type : keyword
ignore_above : 1024
description : Name of the group.
- name : user.hash
level : extended
type : keyword
ignore_above : 1024
description : 'Unique user hash to correlate information for a user in anonymized
form.
Useful if `user.id` or `user.name` contain confidential information and cannot
be used.'
- name : user.id
level : core
type : keyword
ignore_above : 1024
description : One or multiple unique identifiers of the user.
- name : user.name
level : core
type : keyword
ignore_above : 1024
description : Short name or login of the user.
example : albert
- name : service
title : Service
group : 2
description : 'The service fields describe the service for or from which the data
was collected.
These fields help you find and correlate logs for a specific service and version.'
type : group
fields :
- name : ephemeral_id
level : extended
type : keyword
ignore_above : 1024
description : 'Ephemeral identifier of this service (if one exists).
This id normally changes across restarts, but `service.id` does not.'
example : 8a4f500f
- name : id
level : core
type : keyword
ignore_above : 1024
description : 'Unique identifier of the running service. If the service is comprised
of many nodes, the `service.id` should be the same for all nodes.
This id should uniquely identify the service. This makes it possible to correlate
logs and metrics for one specific service, no matter which particular node
emitted the event.
Note that if you need to see the events from one specific host of the service,
you should filter on that `host.name` or `host.id` instead.'
2019-08-15 14:08:08 +02:00
example : d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
- name : name
level : core
type : keyword
ignore_above : 1024
description : 'Name of the service the data is collected from.
The name of the service is normally given by the user. This allows two instances
of the same service running on the same machine to be differentiated
by the `service.name`.
It also allows distributed services that run on multiple hosts to correlate
the related instances based on the name.
In the case of Elasticsearch the service.name could contain the cluster name.
For Beats the service.name is by default a copy of the `service.type` field
if no name is specified.'
example : elasticsearch-metrics
- name : state
level : core
type : keyword
ignore_above : 1024
description : Current state of the service.
- name : type
level : core
type : keyword
ignore_above : 1024
description : 'The type of the service the data is collected from.
The type can be used to group and correlate logs and metrics from one service
type.
Example : If logs or metrics are collected from Elasticsearch, `service.type`
would be `elasticsearch`.'
example : elasticsearch
- name : version
level : core
type : keyword
ignore_above : 1024
description : 'Version of the service the data was collected from.
This allows looking at a data set only for a specific version of a service.'
example : 3.2.4
- name : source
title : Source
group : 2
description : 'Source fields describe details about the source of a packet/event.
Source fields are usually populated in conjunction with destination fields.'
type : group
fields :
- name : address
level : extended
type : keyword
ignore_above : 1024
description : 'Some event source addresses are defined ambiguously. The event
will sometimes list an IP, a domain or a unix socket. You should always store
the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which one
it is.'
- name : as.number
level : extended
type : long
description : Unique number allocated to the autonomous system. The autonomous
system number (ASN) uniquely identifies each network on the Internet.
example : 15169
- name : as.organization.name
level : extended
type : keyword
ignore_above : 1024
description : Organization name.
example : Google LLC
- name : bytes
level : core
type : long
format : bytes
description : Bytes sent from the source to the destination.
example : 184
- name : domain
level : core
type : keyword
ignore_above : 1024
description : Source domain.
- name : geo.city_name
level : core
type : keyword
ignore_above : 1024
description : City name.
example : Montreal
- name : geo.continent_name
level : core
type : keyword
ignore_above : 1024
description : Name of the continent.
example : North America
- name : geo.country_iso_code
level : core
type : keyword
ignore_above : 1024
description : Country ISO code.
example : CA
- name : geo.country_name
level : core
type : keyword
ignore_above : 1024
description : Country name.
example : Canada
- name : geo.location
level : core
type : geo_point
description : Longitude and latitude.
example : '{ "lon": -73.614830, "lat": 45.505918 }'
- name : geo.name
level : extended
type : keyword
ignore_above : 1024
description : 'User-defined description of a location, at the level of granularity
they care about.
Could be the name of their data centers, the floor number, if this describes
a local physical entity, city names.
Not typically used in automated geolocation.'
example : boston-dc
- name : geo.region_iso_code
level : core
type : keyword
ignore_above : 1024
description : Region ISO code.
example : CA-QC
- name : geo.region_name
level : core
type : keyword
ignore_above : 1024
description : Region name.
example : Quebec
- name : ip
level : core
type : ip
description : 'IP address of the source.
Can be one or multiple IPv4 or IPv6 addresses.'
- name : mac
level : core
type : keyword
ignore_above : 1024
description : MAC address of the source.
- name : nat.ip
level : extended
type : ip
description : 'Translated IP of source-based NAT sessions (e.g. internal client
to internet).
Typically used with connections traversing load balancers, firewalls, or routers.'
- name : nat.port
level : extended
type : long
format : string
description : 'Translated port of source-based NAT sessions (e.g. internal client
to internet).
Typically used with load balancers, firewalls, or routers.'
- name : packets
level : core
type : long
description : Packets sent from the source to the destination.
example : 12
- name : port
level : core
type : long
format : string
description : Port of the source.
- name : user.domain
level : extended
type : keyword
ignore_above : 1024
description : 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
- name : user.email
level : extended
type : keyword
ignore_above : 1024
description : User email address.
- name : user.full_name
level : extended
type : keyword
ignore_above : 1024
description : User's full name, if available.
example : Albert Einstein
- name : user.group.id
level : extended
type : keyword
ignore_above : 1024
description : Unique identifier for the group on the system/platform.
- name : user.group.name
level : extended
type : keyword
ignore_above : 1024
description : Name of the group.
- name : user.hash
level : extended
type : keyword
ignore_above : 1024
description : 'Unique user hash to correlate information for a user in anonymized
form.
Useful if `user.id` or `user.name` contain confidential information and cannot
be used.'
- name : user.id
level : core
type : keyword
ignore_above : 1024
description : One or multiple unique identifiers of the user.
- name : user.name
level : core
type : keyword
ignore_above : 1024
description : Short name or login of the user.
example : albert
- name : tracing
title : Tracing
group : 2
description : Distributed tracing makes it possible to analyze performance throughout
a microservice architecture all in one view. This is accomplished by tracing
all of the requests - from the initial web request in the front-end service
- to queries made through multiple back-end services.
type : group
fields :
- name : trace.id
level : extended
type : keyword
ignore_above : 1024
description : 'Unique identifier of the trace.
A trace groups multiple events like transactions that belong together. For
example, a user request handled by multiple inter-connected services.'
example : 4bf92f3577b34da6a3ce929d0e0e4736
- name : transaction.id
level : extended
type : keyword
ignore_above : 1024
description : 'Unique identifier of the transaction.
A transaction is the highest level of work measured within a service, such
as a request to a server.'
example : 00f067aa0ba902b7
- name : url
title : URL
group : 2
description : URL fields provide support for complete or partial URLs, and support
breaking them down into scheme, domain, path, and so on.
type : group
fields :
- name : domain
level : extended
type : keyword
ignore_above : 1024
description : 'Domain of the url, such as "www.elastic.co".
In some cases a URL may refer to an IP and/or port directly, without a domain
name. In this case, the IP address would go to the `domain` field.'
example : www.elastic.co
- name : fragment
level : extended
type : keyword
ignore_above : 1024
description : 'Portion of the url after the `#`, such as "top".
The `#` is not part of the fragment.'
- name : full
level : extended
type : keyword
ignore_above : 1024
description : If full URLs are important to your use case, they should be stored
in `url.full`, whether this field is reconstructed or present in the event
source.
example : https://www.elastic.co:443/search?q=elasticsearch#top
- name : original
level : extended
type : keyword
ignore_above : 1024
description : 'Unmodified original url as seen in the event source.
Note that in network monitoring, the observed URL may be a full URL, whereas
in access logs, the URL is often just represented as a path.
This field is meant to represent the URL as it was observed, complete or not.'
example : https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
- name : password
level : extended
type : keyword
ignore_above : 1024
description : Password of the request.
- name : path
level : extended
type : keyword
ignore_above : 1024
description : Path of the request, such as "/search".
- name : port
level : extended
type : long
format : string
description : Port of the request, such as 443.
example : 443
- name : query
level : extended
type : keyword
ignore_above : 1024
description : 'The query field describes the query string of the request, such
as "q=elasticsearch".
The `?` is excluded from the query string. If a URL contains no `?`, there
is no query field. If there is a `?` but no query, the query field exists
with an empty string. The `exists` query can be used to differentiate between
the two cases.'
- name : scheme
level : extended
type : keyword
ignore_above : 1024
description : 'Scheme of the request, such as "https".
Note : The `:` is not part of the scheme.'
example : https
- name : username
level : extended
type : keyword
ignore_above : 1024
description : Username of the request.
- name : user
title : User
group : 2
description : 'The user fields describe information about the user that is relevant
to the event.
Fields can have one entry or multiple entries. If a user has more than one id,
provide an array that includes all of them.'
type : group
fields :
- name : domain
level : extended
type : keyword
ignore_above : 1024
description : 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
- name : email
level : extended
type : keyword
ignore_above : 1024
description : User email address.
- name : full_name
level : extended
type : keyword
ignore_above : 1024
description : User's full name, if available.
example : Albert Einstein
- name : group.id
level : extended
type : keyword
ignore_above : 1024
description : Unique identifier for the group on the system/platform.
- name : group.name
level : extended
type : keyword
ignore_above : 1024
description : Name of the group.
- name : hash
level : extended
type : keyword
ignore_above : 1024
description : 'Unique user hash to correlate information for a user in anonymized
form.
Useful if `user.id` or `user.name` contain confidential information and cannot
be used.'
- name : id
level : core
type : keyword
ignore_above : 1024
description : One or multiple unique identifiers of the user.
- name : name
level : core
type : keyword
ignore_above : 1024
description : Short name or login of the user.
example : albert
- name : user_agent
title : User agent
group : 2
description : 'The user_agent fields normally come from a browser request.
They often show up in web service logs coming from the parsed user agent string.'
type : group
fields :
- name : device.name
level : extended
type : keyword
ignore_above : 1024
description : Name of the device.
example : iPhone
- name : name
level : extended
type : keyword
ignore_above : 1024
description : Name of the user agent.
example : Safari
- name : original
level : extended
type : keyword
ignore_above : 1024
description : Unparsed version of the user_agent.
example : Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15
(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
- name : os.family
level : extended
type : keyword
ignore_above : 1024
description : OS family (such as redhat, debian, freebsd, windows).
example : debian
- name : os.full
level : extended
type : keyword
ignore_above : 1024
description : Operating system name, including the version or code name.
example : Mac OS Mojave
- name : os.kernel
level : extended
type : keyword
ignore_above : 1024
description : Operating system kernel version as a raw string.
example : 4.4.0-112-generic
- name : os.name
level : extended
type : keyword
ignore_above : 1024
description : Operating system name, without the version.
example : Mac OS X
- name : os.platform
level : extended
type : keyword
ignore_above : 1024
description : Operating system platform (such as centos, ubuntu, windows).
example : darwin
- name : os.version
level : extended
type : keyword
ignore_above : 1024
description : Operating system version as a raw string.
example : 10.14.1
- name : version
level : extended
type : keyword
ignore_above : 1024
description : Version of the user agent.
example : 12.0
- key : beat
anchor : beat-common
title : Beat
description : >
Contains common beat fields available in all event types.
fields :
- name : agent.hostname
type : keyword
description : Hostname of the agent.
- name : beat.timezone
type : alias
path : event.timezone
migration : true
- name : fields
type : object
object_type : keyword
description : >
Contains user configurable fields.
- name : error
type : group
description : >
Error fields containing additional info in case of errors.
fields :
- name : type
type : keyword
description : >
Error type.
- name : beat.name
type : alias
path : host.name
migration : true
- name : beat.hostname
type : alias
path : agent.hostname
migration : true
- name : timeseries.instance
type : keyword
description : Time series instance id
- key : cloud
title : Cloud provider metadata
description : >
Metadata from cloud providers added by the add_cloud_metadata processor.
fields :
- name : cloud.project.id
example : project-x
description : >
Name of the project in Google Cloud.
- name : cloud.image.id
example : ami-abcd1234
description : >
Image ID for the cloud instance.
# Alias for old fields
- name : meta.cloud.provider
type : alias
path : cloud.provider
migration : true
- name : meta.cloud.instance_id
type : alias
path : cloud.instance.id
migration : true
- name : meta.cloud.instance_name
type : alias
path : cloud.instance.name
migration : true
- name : meta.cloud.machine_type
type : alias
path : cloud.machine.type
migration : true
- name : meta.cloud.availability_zone
type : alias
path : cloud.availability_zone
migration : true
- name : meta.cloud.project_id
type : alias
path : cloud.project.id
migration : true
- name : meta.cloud.region
type : alias
path : cloud.region
migration : true
- key : docker
title : Docker
description : >
Docker stats collected from Docker.
short_config : false
anchor : docker-processor
fields :
- name : docker
type : group
fields :
- name : container.id
type : alias
path : container.id
migration : true
- name : container.image
type : alias
path : container.image.name
migration : true
- name : container.name
type : alias
path : container.name
migration : true
- name : container.labels # TODO: How to map these?
type : object
object_type : keyword
description : >
Image labels.
- key : host
title : Host
description : >
Info collected for the host machine.
anchor : host-processor
fields :
# ECS fields are in fields.ecs.yml.
# These are the non-ECS fields.
- name : host
type : group
fields :
- name : containerized
type : boolean
description : >
If the host is a container.
- name : os.build
type : keyword
example : "18D109"
description : >
OS build information.
- name : os.codename
type : keyword
example : "stretch"
description : >
OS codename, if any.
- key : kubernetes
title : Kubernetes
description : >
Kubernetes metadata added by the kubernetes processor
short_config : false
anchor : kubernetes-processor
fields :
- name : kubernetes
type : group
fields :
- name : pod.name
type : keyword
description : >
Kubernetes pod name
- name : pod.uid
type : keyword
description : >
Kubernetes Pod UID
- name : namespace
type : keyword
description : >
Kubernetes namespace
- name : node.name
type : keyword
description : >
Kubernetes node name
- name : labels.*
type : object
object_type : keyword
object_type_mapping_type : "*"
description : >
Kubernetes labels map
- name : annotations.*
type : object
object_type : keyword
object_type_mapping_type : "*"
description : >
Kubernetes annotations map
- name : replicaset.name
type : keyword
description : >
Kubernetes replicaset name
- name : deployment.name
type : keyword
description : >
Kubernetes deployment name
- name : statefulset.name
type : keyword
description : >
Kubernetes statefulset name
- name : container.name
type : keyword
description : >
Kubernetes container name
- name : container.image
type : keyword
description : >
Kubernetes container image
- key : process
title : Process
description : >
Process metadata fields
fields :
- name : process
type : group
fields :
- name : exe
type : alias
path : process.executable
migration : true
- key : jolokia-autodiscover
title : Jolokia Discovery autodiscover provider
description : >
Metadata from Jolokia Discovery added by the jolokia provider.
fields :
- name : jolokia.agent.version
type : keyword
description : >
Version number of jolokia agent.
- name : jolokia.agent.id
type : keyword
description : >
Each agent has a unique id which can be either provided during startup of the agent in the form of a configuration parameter or autodetected. If autodetected, the id has several parts : the IP, the process id, the hashcode of the agent and its type.
- name : jolokia.server.product
type : keyword
description : >
The container product if detected.
- name : jolokia.server.version
type : keyword
description : >
The container's version (if detected).
- name : jolokia.server.vendor
type : keyword
description : >
The vendor of the container the agent is running in.
- name : jolokia.url
type : keyword
description : >
The URL how this agent can be contacted.
- name : jolokia.secured
type : boolean
description : >
Whether the agent was configured for authentication or not.
- key : icingabeat
title : icingabeat
description : Data received from the Icinga 2 API
fields :
- name : type
type : keyword
description : >
Type of the document
- name : icinga
type : group
fields :
- name : timestamp
type : date
description : >
Timestamp of event occurrence
- name : type
type : keyword
description : >
Type of the document
- name : host
type : keyword
description : >
Host that triggered the event
- name : service
type : keyword
description : >
Service that triggered the event
- name : state
type : integer
description : >
State of the check
- name : state_type
type : integer
description : >
State type of the check
- name : author
type : keyword
description : >
Author of a message
- name : notification_type
type : keyword
description : >
Type of notification
- name : text
type : text
description : >
Text of a message
- name : users
type : keyword
description : >
Affected users of a notification
- name : acknowledgement_type
type : integer
description : >
Type of an acknowledgement
- name : expiry
type : date
description : >
Expiry of an acknowledgement
- name : notify
type : keyword
description : >
Whether it has been sent out
- name : check_result.active
type : boolean
description : >
If check was active or passive
- name : check_result.check_source
type : keyword
description : >
Icinga instance that scheduled the check
- name : check_result.command
type : text
description : >
Command that was executed
- name : check_result.execution_end
type : date
description : >
Time when execution of check ended
- name : check_result.execution_start
type : date
description : >
Time when execution of check started
- name : check_result.exit_status
type : integer
description : >
Exit status
- name : check_result.output
type : text
description : >
Output of check
- name : check_result.performance_data
type : text
description : >
Performance data in text format
- name : check_result.schedule_end
type : date
description : >
Time when scheduling of the check ended
- name : check_result.schedule_start
type : date
description : >
Time when check was scheduled
- name : check_result.state
type : integer
description : >
State of the check
- name : check_result.ttl
type : integer
description : >
TTL, only valid if passive check
- name : check_result.type
type : keyword
description : >
Type of this event
- name : check_result.vars_after.attempt
type : integer
description : >
Check attempt after check execution
- name : check_result.vars_after.reachable
type : boolean
description : >
Reachable state after check execution
- name : check_result.vars_after.state
type : integer
description : >
State of the check after execution
- name : check_result.vars_after.state_type
type : integer
description : >
State type after execution
- name : check_result.vars_before.attempt
type : integer
description : >
Check attempt before check execution
- name : check_result.vars_before.reachable
type : boolean
description : >
Reachable state before check execution
- name : check_result.vars_before.state
type : integer
description : >
Check state before check execution
- name : check_result.vars_before.state_type
type : integer
description : >
State type before check execution
- name : comment.__name
type : text
description : >
Unique identifier of a comment
- name : comment.author
type : keyword
description : >
Author of a comment
- name : comment.entry_time
type : date
description : >
Entry time of a comment
- name : comment.entry_type
type : integer
description : >
Entry type of a comment
- name : comment.expire_time
type : date
description : >
Expire time of a comment
- name : comment.host_name
type : keyword
description : >
Host name of a comment
- name : comment.legacy_id
type : integer
description : >
Legacy ID of a comment
- name : comment.name
type : keyword
description : >
Identifier of a comment
- name : comment.package
type : keyword
description : >
Config package of a comment
- name : comment.service_name
type : keyword
description : >
Service name of a comment
- name : comment.templates
type : text
description : >
Templates used by a comment
- name : comment.text
type : text
description : >
Text of a comment
- name : comment.type
type : keyword
description : >
Comment type
- name : comment.version
type : keyword
description : >
Config version of comment object
- name : comment.zone
type : keyword
description : >
Zone where comment was generated
- name : downtime.__name
type : text
description : >
Unique identifier of a downtime
- name : downtime.author
type : keyword
description : >
Author of a downtime
- name : downtime.comment
type : text
description : >
Text of a downtime
- name : downtime.config_owner
type : text
description : >
Config owner
- name : downtime.duration
type : integer
description : >
Duration of a downtime
- name : downtime.end_time
type : date
description : >
Timestamp of downtime end
- name : downtime.entry_time
type : date
description : >
Timestamp when downtime was created
- name : downtime.fixed
type : boolean
description : >
If downtime is fixed or flexible
- name : downtime.host_name
type : keyword
description : >
Hostname of a downtime
- name : downtime.legacy_id
type : integer
description : >
The integer ID of a downtime
- name : downtime.name
type : keyword
description : >
Downtime config identifier
- name : downtime.package
type : keyword
description : >
Configuration package of downtime
- name : downtime.scheduled_by
type : text
description : >
By whom downtime was scheduled
- name : downtime.service_name
type : keyword
description : >
Service name of a downtime
- name : downtime.start_time
type : date
description : >
Timestamp when downtime starts
- name : downtime.templates
type : text
description : >
Templates used by this downtime
- name : downtime.trigger_time
type : date
description : >
Timestamp when downtime was triggered
- name : downtime.triggered_by
type : text
description : >
By whom downtime was triggered
- name : downtime.triggers
type : text
description : >
Downtime triggers
- name : downtime.type
type : keyword
description : >
Downtime type
- name : downtime.version
type : keyword
description : >
Config version of downtime
- name : downtime.was_cancelled
type : boolean
description : >
If downtime was cancelled
- name : downtime.zone
type : keyword
description : >
Zone of downtime
- name : status.active_host_checks
type : integer
description : >
Active host checks
- name : status.active_host_checks_15min
type : integer
description : >
Active host checks in the last 15 minutes
- name : status.active_host_checks_1min
type : integer
description : >
Active host checks in the last minute
- name : status.active_host_checks_5min
type : integer
description : >
Active host checks in the last 5 minutes
- name : status.active_service_checks
type : integer
description : >
Active service checks
- name : status.active_service_checks_15min
type : integer
description : >
Active service checks in the last 15 minutes
- name : status.active_service_checks_1min
type : integer
description : >
Active service checks in the last minute
- name : status.active_service_checks_5min
type : integer
description : >
Active service checks in the last 5 minutes
- name : status.api.identity
type : keyword
description : >
API identity
- name : status.api.num_conn_endpoints
type : integer
description : >
Number of connected endpoints
- name : status.api.num_endpoints
type : integer
description : >
Total number of endpoints
- name : status.api.num_not_conn_endpoints
type : integer
description : >
Number of not connected endpoints
- name : status.avg_execution_time
type : integer
description : >
Average execution time of checks
- name : status.avg_latency
type : integer
description : >
Average latency time
- name : status.checkercomponent.checker.idle
type : integer
description : >
Idle checks
- name : status.checkercomponent.checker.pending
type : integer
description : >
Pending checks
- name : status.filelogger.main-log
type : integer
description : >
Mainlog enabled
- name : status.icingaapplication.app.enable_event_handlers
type : boolean
description : >
Event handlers enabled
- name : status.icingaapplication.app.enable_flapping
type : boolean
description : >
Flapping detection enabled
- name : status.icingaapplication.app.enable_host_checks
type : boolean
description : >
Host checks enabled
- name : status.icingaapplication.app.enable_notifications
type : boolean
description : >
Notifications enabled
- name : status.icingaapplication.app.enable_perfdata
type : boolean
description : >
Perfdata enabled
- name : status.icingaapplication.app.enable_service_checks
type : boolean
description : >
Service checks enabled
- name : status.icingaapplication.app.node_name
type : keyword
description : >
Node name
- name : status.icingaapplication.app.pid
type : integer
description : >
PID
- name : status.icingaapplication.app.program_start
type : integer
description : >
Time when Icinga started
- name : status.icingaapplication.app.version
type : keyword
description : >
Version
- name : status.idomysqlconnection.ido-mysql.connected
type : boolean
description : >
IDO connected
- name : status.idomysqlconnection.ido-mysql.instance_name
type : keyword
description : >
IDO Instance name
- name : status.idomysqlconnection.ido-mysql.query_queue_items
type : integer
description : >
IDO query items in the queue
- name : status.idomysqlconnection.ido-mysql.version
type : keyword
description : >
IDO schema version
- name : status.max_execution_time
type : integer
description : >
Max execution time
- name : status.max_latency
type : integer
description : >
Max latency
- name : status.min_execution_time
type : integer
description : >
Min execution time
- name : status.min_latency
type : integer
description : >
Min latency
- name : status.notificationcomponent.notification
type : integer
description : >
Notification
- name : status.num_hosts_acknowledged
type : integer
description : >
Amount of acknowledged hosts
- name : status.num_hosts_down
type : integer
description : >
Amount of down hosts
- name : status.num_hosts_flapping
type : integer
description : >
Amount of flapping hosts
- name : status.num_hosts_in_downtime
type : integer
description : >
Amount of hosts in downtime
- name : status.num_hosts_pending
type : integer
description : >
Amount of pending hosts
- name : status.num_hosts_unreachable
type : integer
description : >
Amount of unreachable hosts
- name : status.num_hosts_up
type : integer
description : >
Amount of hosts in up state
- name : status.num_services_acknowledged
type : integer
description : >
Amount of acknowledged services
- name : status.num_services_critical
type : integer
description : >
Amount of critical services
- name : status.num_services_flapping
type : integer
description : >
Amount of flapping services
- name : status.num_services_in_downtime
type : integer
description : >
Amount of services in downtime
- name : status.num_services_ok
type : integer
description : >
Amount of services in ok state
- name : status.num_services_pending
type : integer
description : >
Amount of pending services
- name : status.num_services_unknown
type : integer
description : >
Amount of unknown services
- name : status.num_services_unreachable
type : integer
description : >
Amount of unreachable services
- name : status.num_services_warning
type : integer
description : >
Amount of services in warning state
- name : status.passive_host_checks
type : integer
description : >
Amount of passive host checks
- name : status.passive_host_checks_15min
type : integer
description : >
Amount of passive host checks in the last 15 minutes
- name : status.passive_host_checks_1min
type : integer
description : >
Amount of passive host checks in the last minute
- name : status.passive_host_checks_5min
type : integer
description : >
Amount of passive host checks in the last 5 minutes
- name : status.passive_service_checks
type : integer
description : >
Amount of passive service checks
- name : status.passive_service_checks_15min
type : integer
description : >
Amount of passive service checks in the last 15 minutes
- name : status.passive_service_checks_1min
type : integer
description : >
Amount of passive service checks in the last minute
- name : status.passive_service_checks_5min
type : integer
description : >
Amount of passive service checks in the last 5 minutes
- name : status.uptime
type : integer
description : >
Uptime