diff --git a/go.mod b/go.mod
index 332ad49d4c4..eda77a10983 100644
--- a/go.mod
+++ b/go.mod
@@ -41,7 +41,7 @@ require (
 	github.com/elastic/go-sysinfo v1.7.1 // indirect
 	github.com/elastic/go-ucfg v0.8.4 // indirect
 	github.com/elastic/go-windows v1.0.1 // indirect
-	github.com/elastic/package-spec v1.7.1 // indirect
+	github.com/elastic/package-spec v1.8.0 // indirect
 	github.com/emirpasic/gods v1.12.0 // indirect
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
@@ -164,3 +164,5 @@ require (
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect
 )
+
+replace github.com/elastic/elastic-package => github.com/elastic/elastic-package v0.48.1-0.20220511104207-12db194afa2d
diff --git a/go.sum b/go.sum
index 6ce391afe4b..82d0d0ce1b6 100644
--- a/go.sum
+++ b/go.sum
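Review bot: The new `replace` directive pins elastic-package to pseudo-version v0.48.1-0.20220511104207-12db194afa2d, and the `v0.48.1-0.` prefix of that pseudo-version means commit 12db194afa2d descends from the v0.48.0 tag, not from the v0.48.2 release whose go.sum entries the next hunk drops, so fixes that landed in v0.48.2 are part of the tooling only if that branch carries them. A `replace` is honoured only in the main module and sidesteps the tagged-release path, so it should state why it exists and when it goes away, e.g. `// TODO: drop once elastic-package tags a release containing 12db194afa2d`. The `require` line for elastic-package is outside the hunk, so whether it still names v0.48.2 cannot be confirmed from what is shown.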
@@ -409,8 +409,8 @@ github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5/go.mod h1:qssHWj6
 github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
-github.com/elastic/elastic-package v0.48.2 h1:sIF8Shfsu+J96bllzEMgc7BDhpaE2b4gCXziYwyNRXw=
-github.com/elastic/elastic-package v0.48.2/go.mod h1:tUXKdvUNGgV9myTfbeGmI4LNMUjuILAlXF8NfZNiCHw=
+github.com/elastic/elastic-package v0.48.1-0.20220511104207-12db194afa2d h1:p38gJ7OEa58gawB8XDQ4sdzFfsHQlxvlmXh/vaiOEZ8=
+github.com/elastic/elastic-package v0.48.1-0.20220511104207-12db194afa2d/go.mod h1:0xJUNGxEvB3+scNrdVf1TMXUMjpL6VGyLYQAIfMDZss=
 github.com/elastic/go-elasticsearch/v7 v7.17.1 h1:49mHcHx7lpCL8cW1aioEwSEVKQF3s+Igi4Ye/QTWwmk=
 github.com/elastic/go-elasticsearch/v7 v7.17.1/go.mod h1:OJ4wdbtDNk5g503kvlHLyErCgQwwzmDtaFC4XyOxXA4=
 github.com/elastic/go-licenser v0.3.1/go.mod h1:D8eNQk70FOCVBl3smCGQt/lv7meBeQno2eI1S5apiHQ=
@@ -427,8 +427,8 @@ github.com/elastic/go-windows v1.0.1 h1:AlYZOldA+UJ0/2nBuqWdo90GFCgG9xuyw9SYzGUt
 github.com/elastic/go-windows v1.0.1/go.mod h1:FoVvqWSun28vaDQPbj2Elfc0JahhPB7WQEGa3c814Ss=
 github.com/elastic/package-registry v1.8.0 h1:c2nUbBZct3c2LZ6uw0HotB+11PmYM8xh0ynvyeuzFBY=
 github.com/elastic/package-registry v1.8.0/go.mod h1:zh8h1v9v2VYBQvlZK2KoD/uDJlYC7re5PLf4eDALEFA=
-github.com/elastic/package-spec v1.7.1 h1:Q2THMEnG4sRy+XSty16S2JLnVsROq4Ddo80WgQJzbo0=
-github.com/elastic/package-spec v1.7.1/go.mod h1:KzGTSDqCkdhmL1IFpOH2ZQNSSE9JEhNtndxU3ZrQilA=
+github.com/elastic/package-spec v1.8.0 h1:/5P4SwQhJgfULRg1b7I83TOzij4/L+J39o1LJiJTiJ0=
+github.com/elastic/package-spec v1.8.0/go.mod h1:KzGTSDqCkdhmL1IFpOH2ZQNSSE9JEhNtndxU3ZrQilA=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7foRItutHYUIhlcKzcSf5vDpdhQAKTc=
 github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc=
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
diff --git a/packages/activemq/data_stream/audit/fields/ecs.yml b/packages/activemq/data_stream/audit/fields/ecs.yml
index 12993b02683..a34bb7b2a25 100644
--- a/packages/activemq/data_stream/audit/fields/ecs.yml
+++ b/packages/activemq/data_stream/audit/fields/ecs.yml
@@ -82,22 +82,14 @@
   name: user.name
 - external: ecs
   name: user_agent.device.name
-- external: ecs
-  name: user_agent.device.name
-- external: ecs
-  name: user_agent.name
 - external: ecs
   name: user_agent.name
 - external: ecs
   name: user_agent.original
-- external: ecs
-  name: user_agent.original
 - external: ecs
   name: user_agent.os.full
 - external: ecs
   name: user_agent.os.name
-- external: ecs
-  name: user_agent.os.name
 - external: ecs
   name: user_agent.os.version
 - external: ecs
diff --git a/packages/activemq/data_stream/broker/fields/ecs.yml b/packages/activemq/data_stream/broker/fields/ecs.yml
index 12993b02683..a34bb7b2a25 100644
--- a/packages/activemq/data_stream/broker/fields/ecs.yml
+++ b/packages/activemq/data_stream/broker/fields/ecs.yml
@@ -82,22 +82,14 @@
   name: user.name
 - external: ecs
   name: user_agent.device.name
-- external: ecs
-  name: user_agent.device.name
-- external: ecs
-  name: user_agent.name
 - external: ecs
   name: user_agent.name
 - external: ecs
   name: user_agent.original
-- external: ecs
-  name: user_agent.original
 - external: ecs
   name: user_agent.os.full
 - external: ecs
   name: user_agent.os.name
-- external: ecs
-  name: user_agent.os.name
 - external: ecs
   name: user_agent.os.version
 - external: ecs
diff --git a/packages/activemq/data_stream/log/fields/ecs.yml b/packages/activemq/data_stream/log/fields/ecs.yml
index 12993b02683..a34bb7b2a25 100644
--- a/packages/activemq/data_stream/log/fields/ecs.yml
+++ b/packages/activemq/data_stream/log/fields/ecs.yml
@@ -82,22 +82,14 @@
   name: user.name
 - external: ecs
   name: user_agent.device.name
-- external: ecs
-  name: user_agent.device.name
-- external: ecs
-  name: user_agent.name
 - external: ecs
   name: user_agent.name
 - external: ecs
   name: user_agent.original
-- external: ecs
-  name: user_agent.original
 - external: ecs
   name: user_agent.os.full
 - external: ecs
   name: user_agent.os.name
-- external: ecs
-  name: user_agent.os.name
 - external: ecs
   name: user_agent.os.version
 - external: ecs
diff --git a/packages/activemq/data_stream/queue/fields/ecs.yml b/packages/activemq/data_stream/queue/fields/ecs.yml
index 12993b02683..a34bb7b2a25 100644
--- a/packages/activemq/data_stream/queue/fields/ecs.yml
+++ b/packages/activemq/data_stream/queue/fields/ecs.yml
@@ -82,22 +82,14 @@
   name: user.name
 - external: ecs
   name: user_agent.device.name
-- external: ecs
-  name: user_agent.device.name
-- external: ecs
-  name: user_agent.name
 - external: ecs
   name: user_agent.name
 - external: ecs
   name: user_agent.original
-- external: ecs
-  name: user_agent.original
 - external: ecs
   name: user_agent.os.full
 - external: ecs
   name: user_agent.os.name
-- external: ecs
-  name: user_agent.os.name
 - external: ecs
   name: user_agent.os.version
 - external: ecs
diff --git a/packages/activemq/data_stream/topic/fields/ecs.yml b/packages/activemq/data_stream/topic/fields/ecs.yml
index 12993b02683..a34bb7b2a25 100644
--- a/packages/activemq/data_stream/topic/fields/ecs.yml
+++ b/packages/activemq/data_stream/topic/fields/ecs.yml
@@ -82,22 +82,14 @@
   name: user.name
 - external: ecs
   name: user_agent.device.name
-- external: ecs
-  name: user_agent.device.name
-- external: ecs
-  name: user_agent.name
 - external: ecs
   name: user_agent.name
 - external: ecs
   name: user_agent.original
-- external: ecs
-  name: user_agent.original
 - external: ecs
   name: user_agent.os.full
 - external: ecs
   name: user_agent.os.name
-- external: ecs
-  name: user_agent.os.name
 - external: ecs
   name: user_agent.os.version
 - external: ecs
diff --git a/packages/akamai/data_stream/siem/fields/ecs.yml b/packages/akamai/data_stream/siem/fields/ecs.yml
index 22e38558e07..76130228c59 100644
--- a/packages/akamai/data_stream/siem/fields/ecs.yml
+++ b/packages/akamai/data_stream/siem/fields/ecs.yml
@@ -12,8 +12,6 @@
   external: ecs
 - name: client.geo.continent_name
   external: ecs
-- name: client.geo.country_iso_code
-  external: ecs
 - name: client.geo.region_iso_code
   external: ecs
 - name: client.geo.location
diff --git a/packages/apache/data_stream/access/fields/ecs.yml b/packages/apache/data_stream/access/fields/ecs.yml
index 12993b02683..a34bb7b2a25 100644
--- a/packages/apache/data_stream/access/fields/ecs.yml
+++ b/packages/apache/data_stream/access/fields/ecs.yml
@@ -82,22 +82,14 @@
   name: user.name
 - external: ecs
   name: user_agent.device.name
-- external: ecs
-  name: user_agent.device.name
-- external: ecs
-  name: user_agent.name
 - external: ecs
   name: user_agent.name
 - external: ecs
   name: user_agent.original
-- external: ecs
-  name: user_agent.original
 - external: ecs
   name: user_agent.os.full
 - external: ecs
   name: user_agent.os.name
-- external: ecs
-  name: user_agent.os.name
 - external: ecs
   name: user_agent.os.version
 - external: ecs
diff --git a/packages/apache/data_stream/error/fields/base-fields.yml b/packages/apache/data_stream/error/fields/base-fields.yml
index e134277b8e1..15365c71bdd 100644
--- a/packages/apache/data_stream/error/fields/base-fields.yml
+++ b/packages/apache/data_stream/error/fields/base-fields.yml
@@ -10,11 +10,6 @@
 - name: '@timestamp'
   type: date
   description: Event timestamp.
-- name: tags
-  description: List of keywords used to tag each event.
-  example: '["production", "env2"]'
-  ignore_above: 1024
-  type: keyword
 - name: event.module
   type: constant_keyword
   description: Event module
diff --git a/packages/auditd/data_stream/log/fields/agent.yml b/packages/auditd/data_stream/log/fields/agent.yml
index e313ec82874..ba1facea249 100644
--- a/packages/auditd/data_stream/log/fields/agent.yml
+++ b/packages/auditd/data_stream/log/fields/agent.yml
@@ -54,34 +54,6 @@
     - name: image.id
       type: keyword
       description: Image ID for the cloud instance.
-- name: container
-  title: Container
-  group: 2
-  description: 'Container fields are used for meta information about the specific container that is the source of information.
-
-    These fields help correlate data based containers from any runtime.'
-  type: group
-  fields:
-    - name: id
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Unique container id.
-    - name: image.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the image the container was built on.
-    - name: labels
-      level: extended
-      type: object
-      object_type: keyword
-      description: Image labels.
-    - name: name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Container name.
 - name: host
   title: Host
   group: 2
@@ -90,12 +62,6 @@
     ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
   type: group
   fields:
-    - name: architecture
-      level: core
-      type: keyword
-      ignore_above: 1024
-      description: Operating system architecture.
-      example: x86_64
     - name: domain
       level: extended
       type: keyword
diff --git a/packages/auditd/data_stream/log/fields/ecs.yml b/packages/auditd/data_stream/log/fields/ecs.yml
index 8337d204ca3..027dc739fc9 100644
--- a/packages/auditd/data_stream/log/fields/ecs.yml
+++ b/packages/auditd/data_stream/log/fields/ecs.yml
@@ -1,7 +1,5 @@
 - external: ecs
-  name: container.name
-- external: ecs
-  name: container.runtime
+  name: container
 - external: ecs
   name: destination.address
 - external: ecs
diff --git a/packages/auditd/data_stream/log/fields/fields.yml b/packages/auditd/data_stream/log/fields/fields.yml
index 90ad2435aea..4bc1b3ac817 100644
--- a/packages/auditd/data_stream/log/fields/fields.yml
+++ b/packages/auditd/data_stream/log/fields/fields.yml
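Review bot: Replacing the `container.name` and `container.runtime` entries with a whole-group `name: container` reference in ecs.yml widens the auditd log mapping to every ECS `container.*` field, and the auditd README hunk later in this diff shows the effect: `container.cpu.usage`, `container.disk.*`, `container.memory.usage` and `container.network.*` metric fields now appear in a data stream that carries audit log events. If the pipeline never populates them, listing only the leaf fields the stream emits (`container.id`, `container.image.name`, `container.labels`, `container.name`, `container.runtime`) keeps the index mapping to what is actually used. The second agent.yml hunk also drops `host.architecture` without a visible replacement; that is fine only if an ECS `host` reference elsewhere in ecs.yml still covers it, which the lines shown do not let me confirm.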
@@ -36,9 +36,6 @@
         type: keyword
         description: |
           The first argument to the system call.
-      - name: a0
-        description: The first argument to the system call.
-        type: keyword
       - name: addr
         type: ip
       - name: rport
diff --git a/packages/auditd/data_stream/log/fields/package-fields.yml b/packages/auditd/data_stream/log/fields/package-fields.yml
index 208d48ec1f7..412bf41bb10 100644
--- a/packages/auditd/data_stream/log/fields/package-fields.yml
+++ b/packages/auditd/data_stream/log/fields/package-fields.yml
@@ -24,25 +24,6 @@
             type: keyword
             description: |
               Name of the group.
-      - name: effective
-        type: group
-        fields:
-          - name: id
-            type: keyword
-            description: |
-              One or multiple unique identifiers of the user.
-          - name: name
-            type: keyword
-            description: |
-              Short name or login of the user.
-          - name: group.id
-            type: keyword
-            description: |
-              Unique identifier for the group on the system/platform.
-          - name: group.name
-            type: keyword
-            description: |
-              Name of the group.
       - name: filesystem
         type: group
         fields:
diff --git a/packages/auditd/docs/README.md b/packages/auditd/docs/README.md
index 69ea153b6fc..5f9d12a83d7 100644
--- a/packages/auditd/docs/README.md
+++ b/packages/auditd/docs/README.md
@@ -183,10 +183,17 @@ An example event for `log` looks as following:
 | cloud.project.id | Name of the project in Google Cloud. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
 | cloud.region | Region in which this host is running. | keyword |
+| container.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. | scaled_float |
+| container.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| container.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
+| container.image.tag | Container image tags. | keyword |
 | container.labels | Image labels. | object |
+| container.memory.usage | Memory usage percentage and it ranges from 0 to 1. Scaling factor: 1000. | scaled_float |
 | container.name | Container name. | keyword |
+| container.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection. | long |
+| container.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the container since the last metric collection. | long |
 | container.runtime | Runtime managing this container. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
diff --git a/packages/auth0/data_stream/logs/fields/fields.yml b/packages/auth0/data_stream/logs/fields/fields.yml
index fc2da86b51d..a1d734682ff 100644
--- a/packages/auth0/data_stream/logs/fields/fields.yml
+++ b/packages/auth0/data_stream/logs/fields/fields.yml
@@ -61,9 +61,6 @@
       - name: strategy_type
         type: keyword
         description: Type of strategy involved in the event.
-      - name: log_id
-        type: keyword
-        description: Unique ID of the event.
       - name: is_mobile
         type: boolean
         description: Whether the client was a mobile device (true) or desktop/laptop/server (false).
diff --git a/packages/auth0/docs/README.md b/packages/auth0/docs/README.md
index a40c20f6acb..a7919e3992a 100644
--- a/packages/auth0/docs/README.md
+++ b/packages/auth0/docs/README.md
@@ -71,7 +71,7 @@ The Auth0 logs dataset provides events from Auth0 log stream. All Auth0 log even
 | auth0.logs.data.location_info.latitude | Global latitude (horizontal) position. | keyword |
 | auth0.logs.data.location_info.longitude | Global longitude (vertical) position. | keyword |
 | auth0.logs.data.location_info.time_zone | Time zone name as found in the [tz database](https://www.iana.org/time-zones). | keyword |
-| auth0.logs.data.log_id | Unique ID of the event. | keyword |
+| auth0.logs.data.log_id | Unique log event identifier | keyword |
 | auth0.logs.data.login.completedAt | Time at which the operation was completed | date |
 | auth0.logs.data.login.elapsedTime | Number of milliseconds the operation took to complete. | long |
 | auth0.logs.data.login.initiatedAt | Time at which the operation was initiated | date |
diff --git a/packages/aws/data_stream/billing/fields/agent.yml b/packages/aws/data_stream/billing/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/billing/fields/agent.yml
+++ b/packages/aws/data_stream/billing/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
-  title: Cloud
-  group: 2
-  description: Fields related to the cloud or infrastructure the events are coming from.
-  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
-  type: group
-  fields:
-    - name: account.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
-        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
-      example: 666777888999
-    - name: availability_zone
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Availability zone in which this host is running.
-      example: us-east-1c
-    - name: instance.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance ID of the host machine.
-      example: i-1234567890abcdef0
-    - name: instance.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance name of the host machine.
-    - name: machine.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the host machine.
-      example: t2.medium
-    - name: provider
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-      example: aws
-    - name: region
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Region in which this host is running.
-      example: us-east-1
-    - name: project.id
-      type: keyword
-      description: Name of the project in Google Cloud.
-    - name: image.id
-      type: keyword
-      description: Image ID for the cloud instance.
 - name: container
   title: Container
   group: 2
diff --git a/packages/aws/data_stream/billing/fields/ecs.yml b/packages/aws/data_stream/billing/fields/ecs.yml
index 83e3f6f1225..5cf1142beb2 100644
--- a/packages/aws/data_stream/billing/fields/ecs.yml
+++ b/packages/aws/data_stream/billing/fields/ecs.yml
@@ -1,24 +1,8 @@
 - external: ecs
   name: cloud
-- external: ecs
-  name: cloud.account.id
-- external: ecs
-  name: cloud.account.name
-- external: ecs
-  name: cloud.availability_zone
-- external: ecs
-  name: cloud.instance.id
-- external: ecs
-  name: cloud.machine.type
-- external: ecs
-  name: cloud.provider
-- external: ecs
-  name: cloud.region
 - external: ecs
   name: ecs.version
 - external: ecs
   name: error
-- external: ecs
-  name: error.message
 - external: ecs
   name: service.type
diff --git a/packages/aws/data_stream/billing/fields/package-fields.yml b/packages/aws/data_stream/billing/fields/package-fields.yml
index 7adc9facb0c..eaacb160c09 100644
--- a/packages/aws/data_stream/billing/fields/package-fields.yml
+++ b/packages/aws/data_stream/billing/fields/package-fields.yml
@@ -30,3 +30,6 @@
   description: >
     Name or alias used to identify linked account.
 
+- name: cloud.image.id
+  type: keyword
+  description: Image ID for the cloud instance.
diff --git a/packages/aws/data_stream/cloudfront_logs/fields/agent.yml b/packages/aws/data_stream/cloudfront_logs/fields/agent.yml
index da4e652c53b..c4046b50136 100644
--- a/packages/aws/data_stream/cloudfront_logs/fields/agent.yml
+++ b/packages/aws/data_stream/cloudfront_logs/fields/agent.yml
@@ -48,12 +48,6 @@
       ignore_above: 1024
       description: Region in which this host is running.
       example: us-east-1
-    - name: project.id
-      type: keyword
-      description: Name of the project in Google Cloud.
-    - name: image.id
-      type: keyword
-      description: Image ID for the cloud instance.
 - name: container
   title: Container
   group: 2
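Review bot: With the `cloud.*` leaf entries removed from ecs.yml and the hand-written `cloud` group removed from agent.yml in the preceding hunk, the set of mapped `cloud.*` fields for the billing stream now comes entirely from the ECS `cloud` group reference plus the `cloud.image.id` added to package-fields.yml; that agent.yml hunk also dropped `cloud.project.id`, and nothing here re-declares it. If the ECS version the package's build manifest references does not define `cloud.project.id`, documents that set it would fall back to dynamic mapping, so this is worth confirming before merge. The same pattern repeats for cloudwatch_metrics, dynamodb, ebs and ec2_metrics further down. The `error.message` entry is likewise dropped in favour of the `error` group reference; that field is part of ECS, so it stays covered.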
diff --git a/packages/aws/data_stream/cloudfront_logs/fields/package-fields.yml b/packages/aws/data_stream/cloudfront_logs/fields/package-fields.yml
index ce27e3defb7..7c255e78153 100644
--- a/packages/aws/data_stream/cloudfront_logs/fields/package-fields.yml
+++ b/packages/aws/data_stream/cloudfront_logs/fields/package-fields.yml
@@ -6,3 +6,6 @@
   description: |-
     The edge location that served the request. Each edge location is identified by a three-letter code and an arbitrarily assigned number (for example, DFW3). The three-letter code typically corresponds with the International Air Transport Association (IATA) airport code for an airport near the edge location’s geographic location.
   path: aws.cloudfront.edge_location
+- name: cloud.image.id
+  type: keyword
+  description: Image ID for the cloud instance.
diff --git a/packages/aws/data_stream/cloudtrail/fields/agent.yml b/packages/aws/data_stream/cloudtrail/fields/agent.yml
index da4e652c53b..f159d392948 100644
--- a/packages/aws/data_stream/cloudtrail/fields/agent.yml
+++ b/packages/aws/data_stream/cloudtrail/fields/agent.yml
@@ -5,14 +5,6 @@
   footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
   type: group
   fields:
-    - name: account.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
-        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
-      example: 666777888999
     - name: availability_zone
       level: extended
       type: keyword
@@ -42,12 +34,6 @@
       ignore_above: 1024
       description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
       example: aws
-    - name: region
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Region in which this host is running.
-      example: us-east-1
     - name: project.id
       type: keyword
       description: Name of the project in Google Cloud.
diff --git a/packages/aws/data_stream/cloudwatch_metrics/fields/agent.yml b/packages/aws/data_stream/cloudwatch_metrics/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/cloudwatch_metrics/fields/agent.yml
+++ b/packages/aws/data_stream/cloudwatch_metrics/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
-  title: Cloud
-  group: 2
-  description: Fields related to the cloud or infrastructure the events are coming from.
-  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
-  type: group
-  fields:
-    - name: account.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
-        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
-      example: 666777888999
-    - name: availability_zone
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Availability zone in which this host is running.
-      example: us-east-1c
-    - name: instance.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance ID of the host machine.
-      example: i-1234567890abcdef0
-    - name: instance.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance name of the host machine.
-    - name: machine.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the host machine.
-      example: t2.medium
-    - name: provider
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-      example: aws
-    - name: region
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Region in which this host is running.
-      example: us-east-1
-    - name: project.id
-      type: keyword
-      description: Name of the project in Google Cloud.
-    - name: image.id
-      type: keyword
-      description: Image ID for the cloud instance.
 - name: container
   title: Container
   group: 2
diff --git a/packages/aws/data_stream/cloudwatch_metrics/fields/ecs.yml b/packages/aws/data_stream/cloudwatch_metrics/fields/ecs.yml
index 83e3f6f1225..5cf1142beb2 100644
--- a/packages/aws/data_stream/cloudwatch_metrics/fields/ecs.yml
+++ b/packages/aws/data_stream/cloudwatch_metrics/fields/ecs.yml
@@ -1,24 +1,8 @@
 - external: ecs
   name: cloud
-- external: ecs
-  name: cloud.account.id
-- external: ecs
-  name: cloud.account.name
-- external: ecs
-  name: cloud.availability_zone
-- external: ecs
-  name: cloud.instance.id
-- external: ecs
-  name: cloud.machine.type
-- external: ecs
-  name: cloud.provider
-- external: ecs
-  name: cloud.region
 - external: ecs
   name: ecs.version
 - external: ecs
   name: error
-- external: ecs
-  name: error.message
 - external: ecs
   name: service.type
diff --git a/packages/aws/data_stream/cloudwatch_metrics/fields/fields.yml b/packages/aws/data_stream/cloudwatch_metrics/fields/fields.yml
index 0422c9afed4..d466ecf0814 100644
--- a/packages/aws/data_stream/cloudwatch_metrics/fields/fields.yml
+++ b/packages/aws/data_stream/cloudwatch_metrics/fields/fields.yml
@@ -1,11 +1,6 @@
 - name: aws
   type: group
   fields:
-    - name: dimensions.*
-      type: object
-      object_type: keyword
-      object_type_mapping_type: "*"
-      description: Metric dimensions.
     - name: cloudwatch
       type: group
       fields:
diff --git a/packages/aws/data_stream/cloudwatch_metrics/fields/package-fields.yml b/packages/aws/data_stream/cloudwatch_metrics/fields/package-fields.yml
index a8a7ee8dcce..d8d37c4717c 100644
--- a/packages/aws/data_stream/cloudwatch_metrics/fields/package-fields.yml
+++ b/packages/aws/data_stream/cloudwatch_metrics/fields/package-fields.yml
@@ -17,3 +17,6 @@
       type: object
       description: |
         Metrics that returned from Cloudwatch API query.
+- name: cloud.image.id
+  type: keyword
+  description: Image ID for the cloud instance.
diff --git a/packages/aws/data_stream/dynamodb/fields/agent.yml b/packages/aws/data_stream/dynamodb/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/dynamodb/fields/agent.yml
+++ b/packages/aws/data_stream/dynamodb/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
-  title: Cloud
-  group: 2
-  description: Fields related to the cloud or infrastructure the events are coming from.
-  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
-  type: group
-  fields:
-    - name: account.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
-        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
-      example: 666777888999
-    - name: availability_zone
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Availability zone in which this host is running.
-      example: us-east-1c
-    - name: instance.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance ID of the host machine.
-      example: i-1234567890abcdef0
-    - name: instance.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance name of the host machine.
-    - name: machine.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the host machine.
-      example: t2.medium
-    - name: provider
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-      example: aws
-    - name: region
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Region in which this host is running.
-      example: us-east-1
-    - name: project.id
-      type: keyword
-      description: Name of the project in Google Cloud.
-    - name: image.id
-      type: keyword
-      description: Image ID for the cloud instance.
 - name: container
   title: Container
   group: 2
diff --git a/packages/aws/data_stream/dynamodb/fields/ecs.yml b/packages/aws/data_stream/dynamodb/fields/ecs.yml
index 83e3f6f1225..5cf1142beb2 100644
--- a/packages/aws/data_stream/dynamodb/fields/ecs.yml
+++ b/packages/aws/data_stream/dynamodb/fields/ecs.yml
@@ -1,24 +1,8 @@
 - external: ecs
   name: cloud
-- external: ecs
-  name: cloud.account.id
-- external: ecs
-  name: cloud.account.name
-- external: ecs
-  name: cloud.availability_zone
-- external: ecs
-  name: cloud.instance.id
-- external: ecs
-  name: cloud.machine.type
-- external: ecs
-  name: cloud.provider
-- external: ecs
-  name: cloud.region
 - external: ecs
   name: ecs.version
 - external: ecs
   name: error
-- external: ecs
-  name: error.message
 - external: ecs
   name: service.type
diff --git a/packages/aws/data_stream/dynamodb/fields/package-fields.yml b/packages/aws/data_stream/dynamodb/fields/package-fields.yml
index a8a7ee8dcce..d8d37c4717c 100644
--- a/packages/aws/data_stream/dynamodb/fields/package-fields.yml
+++ b/packages/aws/data_stream/dynamodb/fields/package-fields.yml
@@ -17,3 +17,6 @@
       type: object
       description: |
         Metrics that returned from Cloudwatch API query.
+- name: cloud.image.id
+  type: keyword
+  description: Image ID for the cloud instance.
diff --git a/packages/aws/data_stream/ebs/fields/agent.yml b/packages/aws/data_stream/ebs/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/ebs/fields/agent.yml
+++ b/packages/aws/data_stream/ebs/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
-  title: Cloud
-  group: 2
-  description: Fields related to the cloud or infrastructure the events are coming from.
-  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
-  type: group
-  fields:
-    - name: account.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
-        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
-      example: 666777888999
-    - name: availability_zone
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Availability zone in which this host is running.
-      example: us-east-1c
-    - name: instance.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance ID of the host machine.
-      example: i-1234567890abcdef0
-    - name: instance.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance name of the host machine.
-    - name: machine.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the host machine.
-      example: t2.medium
-    - name: provider
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-      example: aws
-    - name: region
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Region in which this host is running.
-      example: us-east-1
-    - name: project.id
-      type: keyword
-      description: Name of the project in Google Cloud.
-    - name: image.id
-      type: keyword
-      description: Image ID for the cloud instance.
 - name: container
   title: Container
   group: 2
diff --git a/packages/aws/data_stream/ebs/fields/ecs.yml b/packages/aws/data_stream/ebs/fields/ecs.yml
index 83e3f6f1225..5cf1142beb2 100644
--- a/packages/aws/data_stream/ebs/fields/ecs.yml
+++ b/packages/aws/data_stream/ebs/fields/ecs.yml
@@ -1,24 +1,8 @@
 - external: ecs
   name: cloud
-- external: ecs
-  name: cloud.account.id
-- external: ecs
-  name: cloud.account.name
-- external: ecs
-  name: cloud.availability_zone
-- external: ecs
-  name: cloud.instance.id
-- external: ecs
-  name: cloud.machine.type
-- external: ecs
-  name: cloud.provider
-- external: ecs
-  name: cloud.region
 - external: ecs
   name: ecs.version
 - external: ecs
   name: error
-- external: ecs
-  name: error.message
 - external: ecs
   name: service.type
diff --git a/packages/aws/data_stream/ebs/fields/package-fields.yml b/packages/aws/data_stream/ebs/fields/package-fields.yml
index a8a7ee8dcce..d8d37c4717c 100644
--- a/packages/aws/data_stream/ebs/fields/package-fields.yml
+++ b/packages/aws/data_stream/ebs/fields/package-fields.yml
@@ -17,3 +17,6 @@
       type: object
       description: |
         Metrics that returned from Cloudwatch API query.
+- name: cloud.image.id
+  type: keyword
+  description: Image ID for the cloud instance.
diff --git a/packages/aws/data_stream/ec2_metrics/fields/agent.yml b/packages/aws/data_stream/ec2_metrics/fields/agent.yml
index 8603c3c91e2..0bea2e4e04b 100644
--- a/packages/aws/data_stream/ec2_metrics/fields/agent.yml
+++ b/packages/aws/data_stream/ec2_metrics/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
 - name: container
 title: Container
 group: 2
diff --git a/packages/aws/data_stream/ec2_metrics/fields/ecs.yml b/packages/aws/data_stream/ec2_metrics/fields/ecs.yml
index 83e3f6f1225..5cf1142beb2 100644
--- a/packages/aws/data_stream/ec2_metrics/fields/ecs.yml
+++ b/packages/aws/data_stream/ec2_metrics/fields/ecs.yml
@@ -1,24 +1,8 @@
 - external: ecs
 name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
 - external: ecs
 name: ecs.version
 - external: ecs
 name: error
-- external: ecs
- name: error.message
 - external: ecs
 name: service.type
diff --git a/packages/aws/data_stream/ec2_metrics/fields/package-fields.yml b/packages/aws/data_stream/ec2_metrics/fields/package-fields.yml
index a8a7ee8dcce..d8d37c4717c 100644
--- a/packages/aws/data_stream/ec2_metrics/fields/package-fields.yml
+++ b/packages/aws/data_stream/ec2_metrics/fields/package-fields.yml
@@ -17,3 +17,6 @@
 type: object
 description: |
 Metrics that returned from Cloudwatch API query.
+- name: cloud.image.id
+ type: keyword
+ description: Image ID for the cloud instance.
diff --git a/packages/aws/data_stream/elb_logs/fields/agent.yml b/packages/aws/data_stream/elb_logs/fields/agent.yml
index da4e652c53b..4351e0e8210 100644
--- a/packages/aws/data_stream/elb_logs/fields/agent.yml
+++ b/packages/aws/data_stream/elb_logs/fields/agent.yml
@@ -36,12 +36,6 @@
 ignore_above: 1024
 description: Machine type of the host machine.
 example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
 - name: region
 level: extended
 type: keyword
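Review bot: elb_logs keeps its `cloud` group in agent.yml and removes only the `provider` entry, whereas the metrics data streams drop the whole group; presumably this is because the logs streams' ecs.yml (not in this diff) already declares `cloud.provider` and a duplicate definition would fail package validation, but that reason is not visible here. The result is that `account.id`, `region`, `instance.*` and `machine.type` are now defined in different places across the package's data streams, so the commit should either state why the logs streams are handled differently or move them to the same group import. firewall_logs follows the same partial pattern yet removes `account.id` and `region` while keeping `provider`, and s3access mirrors this hunk exactly; which fields each stream is expected to get from ecs.yml is worth checking once rather than per stream. The enclosing cloud group starts and ends outside this hunk.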
diff --git a/packages/aws/data_stream/elb_metrics/fields/agent.yml b/packages/aws/data_stream/elb_metrics/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/elb_metrics/fields/agent.yml
+++ b/packages/aws/data_stream/elb_metrics/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
 - name: container
 title: Container
 group: 2
diff --git a/packages/aws/data_stream/elb_metrics/fields/ecs.yml b/packages/aws/data_stream/elb_metrics/fields/ecs.yml
index 83e3f6f1225..5cf1142beb2 100644
--- a/packages/aws/data_stream/elb_metrics/fields/ecs.yml
+++ b/packages/aws/data_stream/elb_metrics/fields/ecs.yml
@@ -1,24 +1,8 @@
 - external: ecs
 name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
 - external: ecs
 name: ecs.version
 - external: ecs
 name: error
-- external: ecs
- name: error.message
 - external: ecs
 name: service.type
diff --git a/packages/aws/data_stream/elb_metrics/fields/package-fields.yml b/packages/aws/data_stream/elb_metrics/fields/package-fields.yml
index a8a7ee8dcce..d8d37c4717c 100644
--- a/packages/aws/data_stream/elb_metrics/fields/package-fields.yml
+++ b/packages/aws/data_stream/elb_metrics/fields/package-fields.yml
@@ -17,3 +17,6 @@
 type: object
 description: |
 Metrics that returned from Cloudwatch API query.
+- name: cloud.image.id
+ type: keyword
+ description: Image ID for the cloud instance.
diff --git a/packages/aws/data_stream/firewall_logs/fields/agent.yml b/packages/aws/data_stream/firewall_logs/fields/agent.yml
index da4e652c53b..f159d392948 100644
--- a/packages/aws/data_stream/firewall_logs/fields/agent.yml
+++ b/packages/aws/data_stream/firewall_logs/fields/agent.yml
@@ -5,14 +5,6 @@
 footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
 type: group
 fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
 - name: availability_zone
 level: extended
 type: keyword
@@ -42,12 +34,6 @@
 ignore_above: 1024
 description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
 example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
 - name: project.id
 type: keyword
 description: Name of the project in Google Cloud.
diff --git a/packages/aws/data_stream/firewall_metrics/fields/agent.yml b/packages/aws/data_stream/firewall_metrics/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/firewall_metrics/fields/agent.yml
+++ b/packages/aws/data_stream/firewall_metrics/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
 - name: container
 title: Container
 group: 2
diff --git a/packages/aws/data_stream/firewall_metrics/fields/ecs.yml b/packages/aws/data_stream/firewall_metrics/fields/ecs.yml
index 83e3f6f1225..5cf1142beb2 100644
--- a/packages/aws/data_stream/firewall_metrics/fields/ecs.yml
+++ b/packages/aws/data_stream/firewall_metrics/fields/ecs.yml
@@ -1,24 +1,8 @@
 - external: ecs
 name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
 - external: ecs
 name: ecs.version
 - external: ecs
 name: error
-- external: ecs
- name: error.message
 - external: ecs
 name: service.type
diff --git a/packages/aws/data_stream/firewall_metrics/fields/package-fields.yml b/packages/aws/data_stream/firewall_metrics/fields/package-fields.yml
index a8a7ee8dcce..d8d37c4717c 100644
--- a/packages/aws/data_stream/firewall_metrics/fields/package-fields.yml
+++ b/packages/aws/data_stream/firewall_metrics/fields/package-fields.yml
@@ -17,3 +17,6 @@
 type: object
 description: |
 Metrics that returned from Cloudwatch API query.
+- name: cloud.image.id
+ type: keyword
+ description: Image ID for the cloud instance.
diff --git a/packages/aws/data_stream/lambda/fields/agent.yml b/packages/aws/data_stream/lambda/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/lambda/fields/agent.yml
+++ b/packages/aws/data_stream/lambda/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
 - name: container
 title: Container
 group: 2
diff --git a/packages/aws/data_stream/lambda/fields/ecs.yml b/packages/aws/data_stream/lambda/fields/ecs.yml
index 83e3f6f1225..5cf1142beb2 100644
--- a/packages/aws/data_stream/lambda/fields/ecs.yml
+++ b/packages/aws/data_stream/lambda/fields/ecs.yml
@@ -1,24 +1,8 @@
 - external: ecs
 name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
 - external: ecs
 name: ecs.version
 - external: ecs
 name: error
-- external: ecs
- name: error.message
 - external: ecs
 name: service.type
diff --git a/packages/aws/data_stream/lambda/fields/package-fields.yml b/packages/aws/data_stream/lambda/fields/package-fields.yml
index a8a7ee8dcce..d8d37c4717c 100644
--- a/packages/aws/data_stream/lambda/fields/package-fields.yml
+++ b/packages/aws/data_stream/lambda/fields/package-fields.yml
@@ -17,3 +17,6 @@
 type: object
 description: |
 Metrics that returned from Cloudwatch API query.
+- name: cloud.image.id
+ type: keyword
+ description: Image ID for the cloud instance.
diff --git a/packages/aws/data_stream/natgateway/fields/agent.yml b/packages/aws/data_stream/natgateway/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/natgateway/fields/agent.yml
+++ b/packages/aws/data_stream/natgateway/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
 - name: container
 title: Container
 group: 2
diff --git a/packages/aws/data_stream/natgateway/fields/ecs.yml b/packages/aws/data_stream/natgateway/fields/ecs.yml
index 83e3f6f1225..5cf1142beb2 100644
--- a/packages/aws/data_stream/natgateway/fields/ecs.yml
+++ b/packages/aws/data_stream/natgateway/fields/ecs.yml
@@ -1,24 +1,8 @@
 - external: ecs
 name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
 - external: ecs
 name: ecs.version
 - external: ecs
 name: error
-- external: ecs
- name: error.message
 - external: ecs
 name: service.type
diff --git a/packages/aws/data_stream/natgateway/fields/package-fields.yml b/packages/aws/data_stream/natgateway/fields/package-fields.yml
index a8a7ee8dcce..d8d37c4717c 100644
--- a/packages/aws/data_stream/natgateway/fields/package-fields.yml
+++ b/packages/aws/data_stream/natgateway/fields/package-fields.yml
@@ -17,3 +17,6 @@
 type: object
 description: |
 Metrics that returned from Cloudwatch API query.
+- name: cloud.image.id
+ type: keyword
+ description: Image ID for the cloud instance.
diff --git a/packages/aws/data_stream/rds/fields/agent.yml b/packages/aws/data_stream/rds/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/rds/fields/agent.yml
+++ b/packages/aws/data_stream/rds/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
 - name: container
 title: Container
 group: 2
diff --git a/packages/aws/data_stream/rds/fields/ecs.yml b/packages/aws/data_stream/rds/fields/ecs.yml
index 83e3f6f1225..5cf1142beb2 100644
--- a/packages/aws/data_stream/rds/fields/ecs.yml
+++ b/packages/aws/data_stream/rds/fields/ecs.yml
@@ -1,24 +1,8 @@
 - external: ecs
 name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
 - external: ecs
 name: ecs.version
 - external: ecs
 name: error
-- external: ecs
- name: error.message
 - external: ecs
 name: service.type
diff --git a/packages/aws/data_stream/rds/fields/package-fields.yml b/packages/aws/data_stream/rds/fields/package-fields.yml
index a8a7ee8dcce..d8d37c4717c 100644
--- a/packages/aws/data_stream/rds/fields/package-fields.yml
+++ b/packages/aws/data_stream/rds/fields/package-fields.yml
@@ -17,3 +17,6 @@
 type: object
 description: |
 Metrics that returned from Cloudwatch API query.
+- name: cloud.image.id
+ type: keyword
+ description: Image ID for the cloud instance.
diff --git a/packages/aws/data_stream/s3_daily_storage/fields/agent.yml b/packages/aws/data_stream/s3_daily_storage/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/s3_daily_storage/fields/agent.yml
+++ b/packages/aws/data_stream/s3_daily_storage/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
 - name: container
 title: Container
 group: 2
diff --git a/packages/aws/data_stream/s3_daily_storage/fields/ecs.yml b/packages/aws/data_stream/s3_daily_storage/fields/ecs.yml
index 83e3f6f1225..5cf1142beb2 100644
--- a/packages/aws/data_stream/s3_daily_storage/fields/ecs.yml
+++ b/packages/aws/data_stream/s3_daily_storage/fields/ecs.yml
@@ -1,24 +1,8 @@
 - external: ecs
 name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
 - external: ecs
 name: ecs.version
 - external: ecs
 name: error
-- external: ecs
- name: error.message
 - external: ecs
 name: service.type
diff --git a/packages/aws/data_stream/s3_daily_storage/fields/package-fields.yml b/packages/aws/data_stream/s3_daily_storage/fields/package-fields.yml
index a8a7ee8dcce..d8d37c4717c 100644
--- a/packages/aws/data_stream/s3_daily_storage/fields/package-fields.yml
+++ b/packages/aws/data_stream/s3_daily_storage/fields/package-fields.yml
@@ -17,3 +17,6 @@
 type: object
 description: |
 Metrics that returned from Cloudwatch API query.
+- name: cloud.image.id
+ type: keyword
+ description: Image ID for the cloud instance.
diff --git a/packages/aws/data_stream/s3_request/fields/agent.yml b/packages/aws/data_stream/s3_request/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/s3_request/fields/agent.yml
+++ b/packages/aws/data_stream/s3_request/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
 - name: container
 title: Container
 group: 2
diff --git a/packages/aws/data_stream/s3_request/fields/ecs.yml b/packages/aws/data_stream/s3_request/fields/ecs.yml
index 83e3f6f1225..5cf1142beb2 100644
--- a/packages/aws/data_stream/s3_request/fields/ecs.yml
+++ b/packages/aws/data_stream/s3_request/fields/ecs.yml
@@ -1,24 +1,8 @@
 - external: ecs
 name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
 - external: ecs
 name: ecs.version
 - external: ecs
 name: error
-- external: ecs
- name: error.message
 - external: ecs
 name: service.type
diff --git a/packages/aws/data_stream/s3_request/fields/package-fields.yml b/packages/aws/data_stream/s3_request/fields/package-fields.yml
index a8a7ee8dcce..d8d37c4717c 100644
--- a/packages/aws/data_stream/s3_request/fields/package-fields.yml
+++ b/packages/aws/data_stream/s3_request/fields/package-fields.yml
@@ -17,3 +17,6 @@
 type: object
 description: |
 Metrics that returned from Cloudwatch API query.
+- name: cloud.image.id
+ type: keyword
+ description: Image ID for the cloud instance.
diff --git a/packages/aws/data_stream/s3_storage_lens/fields/agent.yml b/packages/aws/data_stream/s3_storage_lens/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/s3_storage_lens/fields/agent.yml
+++ b/packages/aws/data_stream/s3_storage_lens/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
 - name: container
 title: Container
 group: 2
diff --git a/packages/aws/data_stream/s3_storage_lens/fields/ecs.yml b/packages/aws/data_stream/s3_storage_lens/fields/ecs.yml
index 83e3f6f1225..5cf1142beb2 100644
--- a/packages/aws/data_stream/s3_storage_lens/fields/ecs.yml
+++ b/packages/aws/data_stream/s3_storage_lens/fields/ecs.yml
@@ -1,24 +1,8 @@
 - external: ecs
 name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
 - external: ecs
 name: ecs.version
 - external: ecs
 name: error
-- external: ecs
- name: error.message
 - external: ecs
 name: service.type
diff --git a/packages/aws/data_stream/s3_storage_lens/fields/package-fields.yml b/packages/aws/data_stream/s3_storage_lens/fields/package-fields.yml
index a8a7ee8dcce..d8d37c4717c 100644
--- a/packages/aws/data_stream/s3_storage_lens/fields/package-fields.yml
+++ b/packages/aws/data_stream/s3_storage_lens/fields/package-fields.yml
@@ -17,3 +17,6 @@
 type: object
 description: |
 Metrics that returned from Cloudwatch API query.
+- name: cloud.image.id
+ type: keyword
+ description: Image ID for the cloud instance.
diff --git a/packages/aws/data_stream/s3access/fields/agent.yml b/packages/aws/data_stream/s3access/fields/agent.yml
index da4e652c53b..4351e0e8210 100644
--- a/packages/aws/data_stream/s3access/fields/agent.yml
+++ b/packages/aws/data_stream/s3access/fields/agent.yml
@@ -36,12 +36,6 @@
 ignore_above: 1024
 description: Machine type of the host machine.
 example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
 - name: region
 level: extended
 type: keyword
diff --git a/packages/aws/data_stream/sns/fields/agent.yml b/packages/aws/data_stream/sns/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/sns/fields/agent.yml
+++ b/packages/aws/data_stream/sns/fields/agent.yml
@@ -1,59 +1,3 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. - name: container title: Container group: 2 
diff --git a/packages/aws/data_stream/sns/fields/ecs.yml b/packages/aws/data_stream/sns/fields/ecs.yml
index 83e3f6f1225..5cf1142beb2 100644
--- a/packages/aws/data_stream/sns/fields/ecs.yml
+++ b/packages/aws/data_stream/sns/fields/ecs.yml
@@ -1,24 +1,8 @@
 - external: ecs
 name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
 - external: ecs
 name: ecs.version
 - external: ecs
 name: error
-- external: ecs
- name: error.message
 - external: ecs
 name: service.type
diff --git a/packages/aws/data_stream/sns/fields/package-fields.yml b/packages/aws/data_stream/sns/fields/package-fields.yml
index a8a7ee8dcce..d8d37c4717c 100644
--- a/packages/aws/data_stream/sns/fields/package-fields.yml
+++ b/packages/aws/data_stream/sns/fields/package-fields.yml
@@ -17,3 +17,6 @@
 type: object
 description: |
 Metrics that returned from Cloudwatch API query.
+- name: cloud.image.id
+ type: keyword
+ description: Image ID for the cloud instance.
diff --git a/packages/aws/data_stream/sqs/fields/agent.yml b/packages/aws/data_stream/sqs/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/sqs/fields/agent.yml
+++ b/packages/aws/data_stream/sqs/fields/agent.yml
@@ -1,59 +1,3 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. - name: container title: Container group: 2 
diff --git a/packages/aws/data_stream/sqs/fields/ecs.yml b/packages/aws/data_stream/sqs/fields/ecs.yml
index 83e3f6f1225..5cf1142beb2 100644
--- a/packages/aws/data_stream/sqs/fields/ecs.yml
+++ b/packages/aws/data_stream/sqs/fields/ecs.yml
@@ -1,24 +1,8 @@
 - external: ecs
 name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
 - external: ecs
 name: ecs.version
 - external: ecs
 name: error
-- external: ecs
- name: error.message
 - external: ecs
 name: service.type
diff --git a/packages/aws/data_stream/sqs/fields/package-fields.yml b/packages/aws/data_stream/sqs/fields/package-fields.yml
index a8a7ee8dcce..d8d37c4717c 100644
--- a/packages/aws/data_stream/sqs/fields/package-fields.yml
+++ b/packages/aws/data_stream/sqs/fields/package-fields.yml
@@ -17,3 +17,6 @@
 type: object
 description: |
 Metrics that returned from Cloudwatch API query.
+- name: cloud.image.id
+ type: keyword
+ description: Image ID for the cloud instance.
diff --git a/packages/aws/data_stream/transitgateway/fields/agent.yml b/packages/aws/data_stream/transitgateway/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/transitgateway/fields/agent.yml
+++ b/packages/aws/data_stream/transitgateway/fields/agent.yml
@@ -1,59 +1,3 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. - name: container title: Container group: 2 
diff --git a/packages/aws/data_stream/transitgateway/fields/ecs.yml b/packages/aws/data_stream/transitgateway/fields/ecs.yml
index 83e3f6f1225..5cf1142beb2 100644
--- a/packages/aws/data_stream/transitgateway/fields/ecs.yml
+++ b/packages/aws/data_stream/transitgateway/fields/ecs.yml
@@ -1,24 +1,8 @@
 - external: ecs
 name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
 - external: ecs
 name: ecs.version
 - external: ecs
 name: error
-- external: ecs
- name: error.message
 - external: ecs
 name: service.type
diff --git a/packages/aws/data_stream/transitgateway/fields/package-fields.yml b/packages/aws/data_stream/transitgateway/fields/package-fields.yml
index a8a7ee8dcce..d8d37c4717c 100644
--- a/packages/aws/data_stream/transitgateway/fields/package-fields.yml
+++ b/packages/aws/data_stream/transitgateway/fields/package-fields.yml
@@ -17,3 +17,6 @@
 type: object
 description: |
 Metrics that returned from Cloudwatch API query.
+- name: cloud.image.id
+ type: keyword
+ description: Image ID for the cloud instance.
diff --git a/packages/aws/data_stream/usage/fields/agent.yml b/packages/aws/data_stream/usage/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/usage/fields/agent.yml
+++ b/packages/aws/data_stream/usage/fields/agent.yml
@@ -1,59 +1,3 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. - name: container title: Container group: 2 
diff --git a/packages/aws/data_stream/usage/fields/ecs.yml b/packages/aws/data_stream/usage/fields/ecs.yml
index 83e3f6f1225..5cf1142beb2 100644
--- a/packages/aws/data_stream/usage/fields/ecs.yml
+++ b/packages/aws/data_stream/usage/fields/ecs.yml
@@ -1,24 +1,8 @@
 - external: ecs
 name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
 - external: ecs
 name: ecs.version
 - external: ecs
 name: error
-- external: ecs
- name: error.message
 - external: ecs
 name: service.type
diff --git a/packages/aws/data_stream/usage/fields/package-fields.yml b/packages/aws/data_stream/usage/fields/package-fields.yml
index a8a7ee8dcce..d8d37c4717c 100644
--- a/packages/aws/data_stream/usage/fields/package-fields.yml
+++ b/packages/aws/data_stream/usage/fields/package-fields.yml
@@ -17,3 +17,6 @@
 type: object
 description: |
 Metrics that returned from Cloudwatch API query.
+- name: cloud.image.id
+ type: keyword
+ description: Image ID for the cloud instance.
diff --git a/packages/aws/data_stream/vpcflow/fields/agent.yml b/packages/aws/data_stream/vpcflow/fields/agent.yml
index da4e652c53b..f5878ee6bf7 100644
--- a/packages/aws/data_stream/vpcflow/fields/agent.yml
+++ b/packages/aws/data_stream/vpcflow/fields/agent.yml
@@ -5,26 +5,12 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - name: availability_zone level: extended type: keyword ignore_above: 1024 description: Availability zone in which this host is running. example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - name: instance.name level: extended type: keyword @@ -36,12 +22,6 @@ ignore_above: 1024 description: Machine type of the host machine. example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - name: region level: extended type: keyword diff --git a/packages/aws/data_stream/vpcflow/fields/ecs.yml b/packages/aws/data_stream/vpcflow/fields/ecs.yml index 0c0d9f73c4c..77b14a355c7 100644 --- a/packages/aws/data_stream/vpcflow/fields/ecs.yml +++ b/packages/aws/data_stream/vpcflow/fields/ecs.yml @@ -68,8 +68,6 @@ external: ecs - name: source.as.organization.name external: ecs -- name: source.as.organization.name - external: ecs - name: source.bytes external: ecs - name: source.geo.city_name diff --git a/packages/aws/data_stream/vpn/fields/agent.yml b/packages/aws/data_stream/vpn/fields/agent.yml index da4e652c53b..57264f48bfa 100644 
--- a/packages/aws/data_stream/vpn/fields/agent.yml
+++ b/packages/aws/data_stream/vpn/fields/agent.yml
@@ -1,59 +1,3 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. - name: container title: Container group: 2 
diff --git a/packages/aws/data_stream/vpn/fields/ecs.yml b/packages/aws/data_stream/vpn/fields/ecs.yml
index 83e3f6f1225..5cf1142beb2 100644
--- a/packages/aws/data_stream/vpn/fields/ecs.yml
+++ b/packages/aws/data_stream/vpn/fields/ecs.yml
@@ -1,24 +1,8 @@
 - external: ecs
 name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
 - external: ecs
 name: ecs.version
 - external: ecs
 name: error
-- external: ecs
- name: error.message
 - external: ecs
 name: service.type
diff --git a/packages/aws/data_stream/vpn/fields/package-fields.yml b/packages/aws/data_stream/vpn/fields/package-fields.yml
index a8a7ee8dcce..d8d37c4717c 100644
--- a/packages/aws/data_stream/vpn/fields/package-fields.yml
+++ b/packages/aws/data_stream/vpn/fields/package-fields.yml
@@ -17,3 +17,6 @@
 type: object
 description: |
 Metrics that returned from Cloudwatch API query.
+- name: cloud.image.id
+ type: keyword
+ description: Image ID for the cloud instance.
diff --git a/packages/aws/data_stream/waf/fields/agent.yml b/packages/aws/data_stream/waf/fields/agent.yml
index da4e652c53b..4351e0e8210 100644
--- a/packages/aws/data_stream/waf/fields/agent.yml
+++ b/packages/aws/data_stream/waf/fields/agent.yml
@@ -36,12 +36,6 @@
 ignore_above: 1024
 description: Machine type of the host machine.
 example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
 - name: region
 level: extended
 type: keyword
diff --git a/packages/aws/docs/billing.md b/packages/aws/docs/billing.md
index 197cf44ac2e..30ab544715e 100644
--- a/packages/aws/docs/billing.md
+++ b/packages/aws/docs/billing.md
@@ -97,7 +97,6 @@ An example event for `billing` looks as following:
 | aws.linked_account.name | Name or alias used to identify linked account. | keyword |
 | aws.s3.bucket.name | Name of a S3 bucket. | keyword |
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
@@ -105,9 +104,33 @@ An example event for `billing` looks as following: | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.origin.instance.id | Instance ID of the host machine. | keyword | +| cloud.origin.instance.name | Instance name of the host machine. | keyword | +| cloud.origin.machine.type | Machine type of the host machine. | keyword | +| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.origin.region | Region in which this host, resource, or service is located. | keyword | +| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. 
| keyword | +| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host, resource, or service is located. | keyword | +| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.target.instance.id | Instance ID of the host machine. | keyword | +| cloud.target.instance.name | Instance name of the host machine. | keyword | +| cloud.target.machine.type | Machine type of the host machine. | keyword | +| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.target.region | Region in which this host, resource, or service is located. 
| keyword | +| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | @@ -116,8 +139,12 @@ An example event for `billing` looks as following: | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | +| error.code | Error code describing the error. | keyword | +| error.id | Unique identifier for the error. | keyword | | error.message | Error message. | match_only_text | +| error.stack_trace | The stack trace of this error in plain text. | wildcard | +| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text | +| error.type | The type of the error, for example the class name of the exception. | keyword | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | | host.architecture | Operating system architecture. | keyword | diff --git a/packages/aws/docs/cloudfront.md b/packages/aws/docs/cloudfront.md index d6faf5e11f4..9385659f60e 100644 --- a/packages/aws/docs/cloudfront.md +++ b/packages/aws/docs/cloudfront.md 
@@ -23,7 +23,6 @@ The `cloudfront` dataset collects standard logs(also called access logs) from AW
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
 | cloud.region | Region in which this host is running. | keyword |
 | container.id | Unique container id. | keyword |
diff --git a/packages/aws/docs/cloudtrail.md b/packages/aws/docs/cloudtrail.md
index 8a04a6d127f..f482e9994cc 100644
--- a/packages/aws/docs/cloudtrail.md
+++ b/packages/aws/docs/cloudtrail.md
@@ -63,7 +63,7 @@ events for the account. If user creates a trail, it delivers those events as log
 | cloud.machine.type | Machine type of the host machine. | keyword |
 | cloud.project.id | Name of the project in Google Cloud. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
diff --git a/packages/aws/docs/cloudwatch.md b/packages/aws/docs/cloudwatch.md
index 6c3b055e878..550d0460241 100644
--- a/packages/aws/docs/cloudwatch.md
+++ b/packages/aws/docs/cloudwatch.md
@@ -153,17 +153,40 @@ An example event for `cloudwatch` looks as following: | aws.dimensions.\* | Metric dimensions. | object | | aws.s3.bucket.name | Name of a S3 bucket. | keyword | | aws.tags.\* | Tag key value pairs from aws resources. | object | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.origin.instance.id | Instance ID of the host machine. | keyword | +| cloud.origin.instance.name | Instance name of the host machine. 
| keyword | +| cloud.origin.machine.type | Machine type of the host machine. | keyword | +| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.origin.region | Region in which this host, resource, or service is located. | keyword | +| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | +| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. 
Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.target.instance.id | Instance ID of the host machine. | keyword | +| cloud.target.instance.name | Instance name of the host machine. | keyword | +| cloud.target.machine.type | Machine type of the host machine. | keyword | +| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.target.region | Region in which this host, resource, or service is located. | keyword | +| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | 
@@ -172,8 +195,12 @@ An example event for `cloudwatch` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/dynamodb.md b/packages/aws/docs/dynamodb.md
index 7d8081fc703..33f6d0c6d65 100644
--- a/packages/aws/docs/dynamodb.md
+++ b/packages/aws/docs/dynamodb.md
@@ -111,7 +111,6 @@ An example event for `dynamodb` looks as following:
 | aws.dynamodb.metrics.WriteThrottleEvents.sum | Requests to DynamoDB that exceed the provisioned write capacity units for a table or a global secondary index. | long |
 | aws.s3.bucket.name | Name of a S3 bucket. | keyword |
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
@@ -119,9 +118,33 @@ An example event for `dynamodb` looks as following:
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. 
| keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
 | cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located. 
| keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -130,8 +153,12 @@ An example event for `dynamodb` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/ebs.md b/packages/aws/docs/ebs.md
index f8f74442b8a..4ab4588e1d0 100644
--- a/packages/aws/docs/ebs.md
+++ b/packages/aws/docs/ebs.md
@@ -95,17 +95,40 @@ An example event for `ebs` looks as following:
 | aws.ebs.metrics.VolumeWriteOps.avg | The total number of write operations in a specified period of time. | double |
 | aws.s3.bucket.name | Name of a S3 bucket. | keyword |
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. 
| keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
 | cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. 
Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -114,8 +137,12 @@ An example event for `ebs` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/ec2.md b/packages/aws/docs/ec2.md
index efaeacdcb53..98ddb98bdf6 100644
--- a/packages/aws/docs/ec2.md
+++ b/packages/aws/docs/ec2.md
@@ -299,17 +299,40 @@ An example event for `ec2` looks as following:
 | aws.ec2.status.check_failed_system | Reports whether the instance has passed the system status check in the last minute. | long |
 | aws.s3.bucket.name | Name of a S3 bucket. | keyword |
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. 
| keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -318,8 +341,12 @@ An example event for `ec2` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/elb.md b/packages/aws/docs/elb.md
index 5a9d2b07ad2..19d93e6394f 100644
--- a/packages/aws/docs/elb.md
+++ b/packages/aws/docs/elb.md
@@ -363,7 +363,6 @@ An example event for `elb` looks as following:
 | aws.networkelb.metrics.UnHealthyHostCount.max | The number of targets that are considered unhealthy. | long |
 | aws.s3.bucket.name | Name of a S3 bucket. | keyword |
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
@@ -371,9 +370,33 @@ An example event for `elb` looks as following:
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. 
| keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
 | cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located. 
| keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -382,8 +405,12 @@ An example event for `elb` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/firewall.md b/packages/aws/docs/firewall.md
index 23b902c76f7..da815d78c24 100644
--- a/packages/aws/docs/firewall.md
+++ b/packages/aws/docs/firewall.md
@@ -169,7 +169,7 @@ An example event for `firewall` looks as following:
 | cloud.machine.type | Machine type of the host machine. | keyword |
 | cloud.project.id | Name of the project in Google Cloud. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -370,7 +370,6 @@ An example event for `firewall` looks as following:
 | aws.networkfirewall.ReceivedPackets.sum | The number of packets received by the Network Firewall. | long |
 | aws.s3.bucket.name | Name of a S3 bucket. | keyword |
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
@@ -378,9 +377,33 @@ An example event for `firewall` looks as following:
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. 
| keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
 | cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located. 
| keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -389,8 +412,12 @@ An example event for `firewall` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/lambda.md b/packages/aws/docs/lambda.md
index 97c154d2b9f..274cf05d534 100644
--- a/packages/aws/docs/lambda.md
+++ b/packages/aws/docs/lambda.md
@@ -91,7 +91,6 @@ An example event for `lambda` looks as following:
 | aws.lambda.metrics.UnreservedConcurrentExecutions.avg | For an AWS Region, the number of events that are being processed by functions that don't have reserved concurrency. | double |
 | aws.s3.bucket.name | Name of a S3 bucket. | keyword |
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
@@ -99,9 +98,33 @@ An example event for `lambda` looks as following:
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
| keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
 | cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located.
| keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -110,8 +133,12 @@ An example event for `lambda` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/natgateway.md b/packages/aws/docs/natgateway.md
index 8eccefa4668..99e023381ab 100644
--- a/packages/aws/docs/natgateway.md
+++ b/packages/aws/docs/natgateway.md
@@ -116,7 +116,6 @@ An example event for `natgateway` looks as following:
 | aws.natgateway.metrics.PacketsOutToSource.sum | The number of packets sent through the NAT gateway to the clients in your VPC. | long |
 | aws.s3.bucket.name | Name of a S3 bucket. | keyword |
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
@@ -124,9 +123,33 @@ An example event for `natgateway` looks as following:
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
| keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located.
| keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -135,8 +158,12 @@ An example event for `natgateway` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/rds.md b/packages/aws/docs/rds.md
index a95b2430896..17e2acf4872 100644
--- a/packages/aws/docs/rds.md
+++ b/packages/aws/docs/rds.md
@@ -198,7 +198,6 @@ An example event for `rds` looks as following:
 | aws.rds.write_io.ops_per_sec | The average number of disk write I/O operations per second. | float |
 | aws.s3.bucket.name | Name of a S3 bucket. | keyword |
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
@@ -206,9 +205,33 @@ An example event for `rds` looks as following:
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
| keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
 | cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located.
| keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -217,8 +240,12 @@ An example event for `rds` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/s3.md b/packages/aws/docs/s3.md
index baebc1ecbb6..4f8c063b1a3 100644
--- a/packages/aws/docs/s3.md
+++ b/packages/aws/docs/s3.md
@@ -310,17 +310,40 @@ An example event for `s3_daily_storage` looks as following:
 | aws.s3_daily_storage.bucket.size.bytes | The amount of data in bytes stored in a bucket. | long |
 | aws.s3_daily_storage.number_of_objects | The total number of objects stored in a bucket for all storage classes. | long |
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located.
| keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
 | cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
| keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -329,8 +352,12 @@ An example event for `s3_daily_storage` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
@@ -449,7 +476,6 @@ An example event for `s3_request` looks as following:
 | aws.s3_request.requests.total | The total number of HTTP requests made to an Amazon S3 bucket, regardless of type. | long |
 | aws.s3_request.uploaded.bytes | The number bytes uploaded that contain a request body, made to an Amazon S3 bucket. | long |
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
@@ -457,9 +483,33 @@ An example event for `s3_request` looks as following:
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id.
| keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
 | cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located.
| keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -468,8 +518,12 @@ An example event for `s3_request` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/s3_storage_lens.md b/packages/aws/docs/s3_storage_lens.md
index a1482d649c6..1d5ee6a49ed 100644
--- a/packages/aws/docs/s3_storage_lens.md
+++ b/packages/aws/docs/s3_storage_lens.md
@@ -184,17 +184,40 @@ An example event for `s3_storage_lens` looks as following:
 | aws.s3_storage_lens.metrics.SelectScannedBytes.avg | The number of select bytes scanned. | long |
 | aws.s3_storage_lens.metrics.StorageBytes.avg | The total storage in bytes | long |
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -203,8 +226,12 @@ An example event for `s3_storage_lens` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/sns.md b/packages/aws/docs/sns.md
index a861dbd6b26..70d2efceb2d 100644
--- a/packages/aws/docs/sns.md
+++ b/packages/aws/docs/sns.md
@@ -90,7 +90,6 @@ An example event for `sns` looks as following:
 | aws.sns.metrics.SMSMonthToDateSpentUSD.sum | The charges you have accrued since the start of the current calendar month for sending SMS messages. | long |
 | aws.sns.metrics.SMSSuccessRate.avg | The rate of successful SMS message deliveries. | double |
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
@@ -98,9 +97,33 @@ An example event for `sns` looks as following:
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
 | cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -109,8 +132,12 @@ An example event for `sns` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/sqs.md b/packages/aws/docs/sqs.md
index 7eb72d66a10..3faf5884524 100644
--- a/packages/aws/docs/sqs.md
+++ b/packages/aws/docs/sqs.md
@@ -81,7 +81,6 @@ An example event for `sqs` looks as following:
 | aws.sqs.queue.name | SQS queue name | keyword |
 | aws.sqs.sent_message_size.bytes | The size of messages added to a queue. | long |
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
@@ -89,9 +88,33 @@ An example event for `sqs` looks as following:
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
 | cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -100,8 +123,12 @@ An example event for `sqs` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/transitgateway.md b/packages/aws/docs/transitgateway.md
index df9fe83c9d3..de223d2b6b5 100644
--- a/packages/aws/docs/transitgateway.md
+++ b/packages/aws/docs/transitgateway.md
@@ -88,7 +88,6 @@ An example event for `transitgateway` looks as following:
 | aws.transitgateway.metrics.PacketDropCountNoRoute.sum | The number of packets dropped because they did not match a route. | long |
 | aws.transitgateway.metrics.PacketsIn.sum | The number of packets received by the transit gateway. | long |
 | aws.transitgateway.metrics.PacketsOut.sum | The number of packets sent by the transit gateway. | long |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
@@ -96,9 +95,33 @@ An example event for `transitgateway` looks as following:
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
 | cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -107,8 +130,12 @@ An example event for `transitgateway` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/usage.md b/packages/aws/docs/usage.md
index 863a54aeb40..7d932b4635e 100644
--- a/packages/aws/docs/usage.md
+++ b/packages/aws/docs/usage.md
@@ -74,17 +74,40 @@ An example event for `usage` looks as following:
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
 | aws.usage.metrics.CallCount.sum | The number of specified API operations performed in your account. | long |
 | aws.usage.metrics.ResourceCount.sum | The number of the specified resources running in your account. The resources are defined by the dimensions associated with the metric. | long |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
 | cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -93,8 +116,12 @@ An example event for `usage` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/vpn.md b/packages/aws/docs/vpn.md
index 51dd1dd69f1..c0eda9a54c4 100644
--- a/packages/aws/docs/vpn.md
+++ b/packages/aws/docs/vpn.md
@@ -73,7 +73,6 @@ An example event for `vpn` looks as following: | aws.vpn.metrics.TunnelDataIn.sum | The bytes received through the VPN tunnel. | double | | aws.vpn.metrics.TunnelDataOut.sum | The bytes sent through the VPN tunnel. | double | | aws.vpn.metrics.TunnelState.avg | The state of the tunnel. For static VPNs, 0 indicates DOWN and 1 indicates UP. For BGP VPNs, 1 indicates ESTABLISHED and 0 is used for all other states. | double | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | 
@@ -81,9 +80,33 @@ An example event for `vpn` looks as following: | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.origin.instance.id | Instance ID of the host machine. | keyword | +| cloud.origin.instance.name | Instance name of the host machine. | keyword | +| cloud.origin.machine.type | Machine type of the host machine. | keyword | +| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.origin.region | Region in which this host, resource, or service is located. | keyword | +| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. 
| keyword | +| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | +| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.target.instance.id | Instance ID of the host machine. | keyword | +| cloud.target.instance.name | Instance name of the host machine. | keyword | +| cloud.target.machine.type | Machine type of the host machine. | keyword | +| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.target.region | Region in which this host, resource, or service is located. 
| keyword | +| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | @@ -92,8 +115,12 @@ An example event for `vpn` looks as following: | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | +| error.code | Error code describing the error. | keyword | +| error.id | Unique identifier for the error. | keyword | | error.message | Error message. | match_only_text | +| error.stack_trace | The stack trace of this error in plain text. | wildcard | +| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text | +| error.type | The type of the error, for example the class name of the exception. | keyword | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | | host.architecture | Operating system architecture. | keyword | diff --git a/packages/awsfargate/data_stream/task_stats/fields/ecs.yml b/packages/awsfargate/data_stream/task_stats/fields/ecs.yml index 60fce985c97..044b6b2acd7 100644 --- a/packages/awsfargate/data_stream/task_stats/fields/ecs.yml 
+++ b/packages/awsfargate/data_stream/task_stats/fields/ecs.yml @@ -1,53 +1,15 @@ # cloud - external: ecs name: cloud -- external: ecs - name: cloud.account.id -- external: ecs - name: cloud.account.name -- external: ecs - name: cloud.availability_zone -- external: ecs - name: cloud.instance.id -- external: ecs - name: cloud.machine.type -- external: ecs - name: cloud.provider -- external: ecs - name: cloud.region # version - external: ecs name: ecs.version # error - external: ecs name: error -- external: ecs - name: error.message # service - external: ecs name: service.type # container - external: ecs name: container -- external: ecs - name: container.id -- external: ecs - name: container.name -- external: ecs - name: container.image.name -# container + custom labels -- name: container.labels.com_amazonaws_ecs_cluster - type: keyword - description: ECS Cluster name -- name: container.labels.com_amazonaws_ecs_container-name - type: keyword - description: ECS container name -- name: container.labels.com_amazonaws_ecs_task-arn - type: keyword - description: ECS task ARN -- name: container.labels.com_amazonaws_ecs_task-definition-family - type: keyword - description: ECS task definition family -- name: container.labels.com_amazonaws_ecs_task-definition-version - type: keyword - description: ECS task definition version diff --git a/packages/awsfargate/docs/README.md b/packages/awsfargate/docs/README.md index 7659978eb8c..e6e0d4dcbc8 100644 --- a/packages/awsfargate/docs/README.md +++ b/packages/awsfargate/docs/README.md 
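Review bot: The five explicit `container.labels.com_amazonaws_ecs_*` definitions (cluster, container-name, task-arn, task-definition-family, task-definition-version) are removed without a replacement, so the ECS cluster name and task ARN are now covered only by the generic ECS `container.labels` object, which the regenerated README in this same patch documents as `container.labels | Image labels. | object`. Whether those keys stay indexed as `keyword` then depends on the ECS definition of `container.labels` carrying `object_type: keyword` (the `labels` entry kept in the azure_application_insights agent.yml hunk of this patch does, and is presumably the same ECS definition), so any dashboard or detection rule keyed on `container.labels.com_amazonaws_ecs_task-arn` should be verified against the new mapping before this lands. If the intent is only to stop redefining ECS-owned fields, the custom label fields could remain, e.g. `- name: container.labels.com_amazonaws_ecs_task-arn` / `type: keyword` / `description: ECS task ARN`, so the task ARN stays a documented field rather than an undocumented dynamic key.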
@@ -340,29 +340,55 @@ If you want to learn more about Amazon ECS metrics, take a look at the blog post | awsfargate.task_stats.network.\*.outbound.errors | Total errors on incoming packets. | long | | awsfargate.task_stats.network.\*.outbound.packets | Total number of incoming packets. | long | | awsfargate.task_stats.task_name | ECS task name | keyword | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.origin.instance.id | Instance ID of the host machine. | keyword | +| cloud.origin.instance.name | Instance name of the host machine. | keyword | +| cloud.origin.machine.type | Machine type of the host machine. 
| keyword | +| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.origin.region | Region in which this host, resource, or service is located. | keyword | +| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host, resource, or service is located. | keyword | -| container | Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime. | group | +| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | +| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.target.instance.id | Instance ID of the host machine. | keyword | +| cloud.target.instance.name | Instance name of the host machine. | keyword | +| cloud.target.machine.type | Machine type of the host machine. | keyword | +| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.target.region | Region in which this host, resource, or service is located. | keyword | +| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | -| container.labels.com_amazonaws_ecs_cluster | ECS Cluster name | keyword | -| container.labels.com_amazonaws_ecs_container-name | ECS container name | keyword | -| container.labels.com_amazonaws_ecs_task-arn | ECS task ARN | keyword | -| container.labels.com_amazonaws_ecs_task-definition-family | ECS task definition family | keyword | -| container.labels.com_amazonaws_ecs_task-definition-version | ECS task definition version | keyword | +| container.image.tag | Container image tags. | keyword | +| container.labels | Image labels. 
| object | | container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | +| error.code | Error code describing the error. | keyword | +| error.id | Unique identifier for the error. | keyword | | error.message | Error message. | match_only_text | +| error.stack_trace | The stack trace of this error in plain text. | wildcard | +| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text | +| error.type | The type of the error, for example the class name of the exception. | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/azure/data_stream/activitylogs/fields/agent.yml b/packages/azure/data_stream/activitylogs/fields/agent.yml index bca66ea4ae0..85704f4c1d4 100644 --- a/packages/azure/data_stream/activitylogs/fields/agent.yml +++ b/packages/azure/data_stream/activitylogs/fields/agent.yml @@ -33,8 +33,6 @@ external: ecs - name: host.id external: ecs -- name: host.ip - external: ecs - name: host.mac external: ecs - name: host.name 
diff --git a/packages/azure/data_stream/activitylogs/fields/ecs.yml b/packages/azure/data_stream/activitylogs/fields/ecs.yml index 2d534bbf331..981fa934174 100644 --- a/packages/azure/data_stream/activitylogs/fields/ecs.yml +++ b/packages/azure/data_stream/activitylogs/fields/ecs.yml @@ -110,7 +110,5 @@ external: ecs - name: user.id external: ecs -- name: user.name - external: ecs - name: tags external: ecs diff --git a/packages/azure/data_stream/auditlogs/fields/agent.yml b/packages/azure/data_stream/auditlogs/fields/agent.yml index bca66ea4ae0..85704f4c1d4 100644 --- a/packages/azure/data_stream/auditlogs/fields/agent.yml +++ b/packages/azure/data_stream/auditlogs/fields/agent.yml @@ -33,8 +33,6 @@ external: ecs - name: host.id external: ecs -- name: host.ip - external: ecs - name: host.mac external: ecs - name: host.name diff --git a/packages/azure/data_stream/auditlogs/fields/ecs.yml b/packages/azure/data_stream/auditlogs/fields/ecs.yml index 989ae28f6db..b52fc0d77bc 100644 --- a/packages/azure/data_stream/auditlogs/fields/ecs.yml +++ b/packages/azure/data_stream/auditlogs/fields/ecs.yml @@ -94,8 +94,6 @@ external: ecs - name: source.ip external: ecs -- name: client.ip - external: ecs - name: source.port external: ecs - name: user.full_name @@ -106,7 +104,5 @@ external: ecs - name: user.id external: ecs -- name: user.name - external: ecs - name: tags external: ecs diff --git a/packages/azure/data_stream/eventhub/fields/agent.yml b/packages/azure/data_stream/eventhub/fields/agent.yml index bef5d2f6429..f78c40ec1b0 100644 --- a/packages/azure/data_stream/eventhub/fields/agent.yml +++ b/packages/azure/data_stream/eventhub/fields/agent.yml @@ -33,8 +33,6 @@ external: ecs - name: host.id external: ecs -- name: host.ip - external: ecs - name: host.mac external: ecs - name: host.name diff --git a/packages/azure/data_stream/eventhub/fields/ecs.yml b/packages/azure/data_stream/eventhub/fields/ecs.yml index 58be539b413..cc5b94d7f8f 100644 
--- a/packages/azure/data_stream/eventhub/fields/ecs.yml +++ b/packages/azure/data_stream/eventhub/fields/ecs.yml @@ -102,7 +102,5 @@ external: ecs - name: user.id external: ecs -- name: user.name - external: ecs - name: tags external: ecs diff --git a/packages/azure/data_stream/platformlogs/fields/agent.yml b/packages/azure/data_stream/platformlogs/fields/agent.yml index bca66ea4ae0..85704f4c1d4 100644 --- a/packages/azure/data_stream/platformlogs/fields/agent.yml +++ b/packages/azure/data_stream/platformlogs/fields/agent.yml @@ -33,8 +33,6 @@ external: ecs - name: host.id external: ecs -- name: host.ip - external: ecs - name: host.mac external: ecs - name: host.name diff --git a/packages/azure/data_stream/platformlogs/fields/ecs.yml b/packages/azure/data_stream/platformlogs/fields/ecs.yml index fc439f82947..54b54083131 100644 --- a/packages/azure/data_stream/platformlogs/fields/ecs.yml +++ b/packages/azure/data_stream/platformlogs/fields/ecs.yml @@ -104,8 +104,6 @@ external: ecs - name: user.id external: ecs -- name: user.name - external: ecs - name: tags external: ecs - name: client.ip diff --git a/packages/azure/data_stream/signinlogs/fields/agent.yml b/packages/azure/data_stream/signinlogs/fields/agent.yml index bca66ea4ae0..85704f4c1d4 100644 --- a/packages/azure/data_stream/signinlogs/fields/agent.yml +++ b/packages/azure/data_stream/signinlogs/fields/agent.yml @@ -33,8 +33,6 @@ external: ecs - name: host.id external: ecs -- name: host.ip - external: ecs - name: host.mac external: ecs - name: host.name diff --git a/packages/azure/data_stream/signinlogs/fields/ecs.yml b/packages/azure/data_stream/signinlogs/fields/ecs.yml index 0dc61a920f7..d898b0e80ab 100644 --- a/packages/azure/data_stream/signinlogs/fields/ecs.yml +++ b/packages/azure/data_stream/signinlogs/fields/ecs.yml @@ -104,8 +104,6 @@ external: ecs - name: user.id external: ecs -- name: user.name - external: ecs - name: user_agent.device.name external: ecs - name: user_agent.name 
diff --git a/packages/azure/data_stream/springcloudlogs/fields/agent.yml b/packages/azure/data_stream/springcloudlogs/fields/agent.yml index bca66ea4ae0..85704f4c1d4 100644 --- a/packages/azure/data_stream/springcloudlogs/fields/agent.yml +++ b/packages/azure/data_stream/springcloudlogs/fields/agent.yml @@ -33,8 +33,6 @@ external: ecs - name: host.id external: ecs -- name: host.ip - external: ecs - name: host.mac external: ecs - name: host.name diff --git a/packages/azure/data_stream/springcloudlogs/fields/ecs.yml b/packages/azure/data_stream/springcloudlogs/fields/ecs.yml index bb36c557383..1e5edd723f0 100644 --- a/packages/azure/data_stream/springcloudlogs/fields/ecs.yml +++ b/packages/azure/data_stream/springcloudlogs/fields/ecs.yml @@ -102,8 +102,6 @@ external: ecs - name: user.id external: ecs -- name: user.name - external: ecs - name: tags external: ecs - name: geo.name diff --git a/packages/azure_application_insights/data_stream/app_insights/fields/agent.yml b/packages/azure_application_insights/data_stream/app_insights/fields/agent.yml index da4e652c53b..71cada4f6f8 100644 --- a/packages/azure_application_insights/data_stream/app_insights/fields/agent.yml +++ b/packages/azure_application_insights/data_stream/app_insights/fields/agent.yml 
@@ -62,137 +62,8 @@ These fields help correlate data based containers from any runtime.' type: group fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - name: labels level: extended type: object object_type: keyword description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/azure_application_insights/data_stream/app_insights/fields/package-fields.yml b/packages/azure_application_insights/data_stream/app_insights/fields/package-fields.yml index 4ac170ddf8d..1b60a77aa9f 100644 
--- a/packages/azure_application_insights/data_stream/app_insights/fields/package-fields.yml +++ b/packages/azure_application_insights/data_stream/app_insights/fields/package-fields.yml @@ -69,3 +69,12 @@ description: > Metrics returned. +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. diff --git a/packages/azure_application_insights/data_stream/app_state/fields/agent.yml b/packages/azure_application_insights/data_stream/app_state/fields/agent.yml index da4e652c53b..71cada4f6f8 100644 --- a/packages/azure_application_insights/data_stream/app_state/fields/agent.yml +++ b/packages/azure_application_insights/data_stream/app_state/fields/agent.yml 
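Review bot: The three `host.*` custom fields moved here from agent.yml lose the `example` values the removed definitions carried (`example: "18D109"` for os.build and `example: "stretch"` for os.codename), so the generated field reference no longer shows what a value looks like. Re-add `example: "18D109"` under `host.os.build` and `example: "stretch"` under `host.os.codename` to keep the documentation equivalent to what the agent.yml hunk deletes.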
@@ -62,137 +62,8 @@ These fields help correlate data based containers from any runtime.' type: group fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - name: labels level: extended type: object object_type: keyword description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/azure_application_insights/data_stream/app_state/fields/package-fields.yml b/packages/azure_application_insights/data_stream/app_state/fields/package-fields.yml index 4ac170ddf8d..1b60a77aa9f 100644 
--- a/packages/azure_application_insights/data_stream/app_state/fields/package-fields.yml +++ b/packages/azure_application_insights/data_stream/app_state/fields/package-fields.yml @@ -69,3 +69,12 @@ description: > Metrics returned. +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. diff --git a/packages/azure_application_insights/docs/README.md b/packages/azure_application_insights/docs/README.md index 52a291cad64..2e7df9c7b79 100644 --- a/packages/azure_application_insights/docs/README.md +++ b/packages/azure_application_insights/docs/README.md 
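Review bot: As in the app_insights counterpart, the relocated `host.os.build` and `host.os.codename` definitions drop the `example: "18D109"` and `example: "stretch"` values that the removed agent.yml entries in this patch carried. Restoring the two `example:` lines here keeps the generated app_state field table as informative as before the move.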
@@ -203,24 +203,45 @@ An example event for `app_insights` looks as following: | dataset.namespace | Dataset namespace. | constant_keyword | | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. 
| keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | | service.address | Service address | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. 
Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/azure_application_insights/docs/app_state.md b/packages/azure_application_insights/docs/app_state.md index 0e4d2b40d6d..99688ec36b2 100644 --- a/packages/azure_application_insights/docs/app_state.md +++ b/packages/azure_application_insights/docs/app_state.md 
@@ -70,24 +70,45 @@ Costs: Metric queries are charged based on the number of standard API calls. Mor | dataset.namespace | Dataset namespace. | constant_keyword | | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. 
| keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | | service.address | Service address | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. 
Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/azure_billing/data_stream/billing/fields/agent.yml b/packages/azure_billing/data_stream/billing/fields/agent.yml index da4e652c53b..71cada4f6f8 100644 --- a/packages/azure_billing/data_stream/billing/fields/agent.yml +++ b/packages/azure_billing/data_stream/billing/fields/agent.yml 
@@ -62,137 +62,8 @@ These fields help correlate data based containers from any runtime.' type: group fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - name: labels level: extended type: object object_type: keyword description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/azure_metrics/data_stream/compute_vm/fields/agent.yml b/packages/azure_metrics/data_stream/compute_vm/fields/agent.yml index da4e652c53b..71cada4f6f8 100644 --- a/packages/azure_metrics/data_stream/compute_vm/fields/agent.yml 
+++ b/packages/azure_metrics/data_stream/compute_vm/fields/agent.yml 
@@ -62,137 +62,8 @@ These fields help correlate data based containers from any runtime.' type: group fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - name: labels level: extended type: object object_type: keyword description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/azure_metrics/data_stream/compute_vm/fields/package-fields.yml b/packages/azure_metrics/data_stream/compute_vm/fields/package-fields.yml index 28fa99283bd..daa81e8339e 100644 --- a/packages/azure_metrics/data_stream/compute_vm/fields/package-fields.yml 
+++ b/packages/azure_metrics/data_stream/compute_vm/fields/package-fields.yml @@ -69,3 +69,12 @@ description: > Metrics returned. +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. diff --git a/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/agent.yml b/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/agent.yml index da4e652c53b..71cada4f6f8 100644 --- a/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/agent.yml +++ b/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/agent.yml 
@@ -62,137 +62,8 @@ These fields help correlate data based containers from any runtime.' type: group fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - name: labels level: extended type: object object_type: keyword description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/package-fields.yml b/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/package-fields.yml index 28fa99283bd..daa81e8339e 100644 
--- a/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/package-fields.yml +++ b/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/package-fields.yml @@ -69,3 +69,12 @@ description: > Metrics returned. +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. diff --git a/packages/azure_metrics/data_stream/container_instance/fields/agent.yml b/packages/azure_metrics/data_stream/container_instance/fields/agent.yml index da4e652c53b..71cada4f6f8 100644 --- a/packages/azure_metrics/data_stream/container_instance/fields/agent.yml +++ b/packages/azure_metrics/data_stream/container_instance/fields/agent.yml 
@@ -62,137 +62,8 @@ These fields help correlate data based containers from any runtime.' type: group fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - name: labels level: extended type: object object_type: keyword description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/azure_metrics/data_stream/container_instance/fields/package-fields.yml b/packages/azure_metrics/data_stream/container_instance/fields/package-fields.yml index 28fa99283bd..daa81e8339e 100644 
--- a/packages/azure_metrics/data_stream/container_instance/fields/package-fields.yml +++ b/packages/azure_metrics/data_stream/container_instance/fields/package-fields.yml @@ -69,3 +69,12 @@ description: > Metrics returned. +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. diff --git a/packages/azure_metrics/data_stream/container_registry/fields/agent.yml b/packages/azure_metrics/data_stream/container_registry/fields/agent.yml index da4e652c53b..71cada4f6f8 100644 --- a/packages/azure_metrics/data_stream/container_registry/fields/agent.yml +++ b/packages/azure_metrics/data_stream/container_registry/fields/agent.yml 
@@ -62,137 +62,8 @@ These fields help correlate data based containers from any runtime.' type: group fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - name: labels level: extended type: object object_type: keyword description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/azure_metrics/data_stream/container_registry/fields/package-fields.yml b/packages/azure_metrics/data_stream/container_registry/fields/package-fields.yml index 28fa99283bd..daa81e8339e 100644 
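Review bot: After this hunk the `container` group keeps only `labels`, while `container.id`, `container.image.name`, `container.name` and the whole `host` group are removed with no replacement in this file. The README hunk later in the diff still lists the `host.*` rows (now extended with `host.geo.*`, `host.cpu.*` and `host.network.*`), so the host fields appear to be resolved from an ECS definition elsewhere in the package, but no `container.*` rows are visible here; confirm that `container.id` and `container.name` are still mapped, since they are the keys used to pivot from these metrics to container events. The `container` group whose description forms the hunk's context starts before the hunk. The same change appears in the agent.yml hunks for container_service, database_account, monitor and storage_account, and in the hunk that opens this chunk.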
--- a/packages/azure_metrics/data_stream/container_registry/fields/package-fields.yml +++ b/packages/azure_metrics/data_stream/container_registry/fields/package-fields.yml @@ -69,3 +69,12 @@ description: > Metrics returned. +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. diff --git a/packages/azure_metrics/data_stream/container_service/fields/agent.yml b/packages/azure_metrics/data_stream/container_service/fields/agent.yml index da4e652c53b..71cada4f6f8 100644 --- a/packages/azure_metrics/data_stream/container_service/fields/agent.yml +++ b/packages/azure_metrics/data_stream/container_service/fields/agent.yml 
@@ -62,137 +62,8 @@ These fields help correlate data based containers from any runtime.' type: group fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - name: labels level: extended type: object object_type: keyword description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/azure_metrics/data_stream/container_service/fields/package-fields.yml b/packages/azure_metrics/data_stream/container_service/fields/package-fields.yml index 28fa99283bd..daa81e8339e 100644 
--- a/packages/azure_metrics/data_stream/container_service/fields/package-fields.yml +++ b/packages/azure_metrics/data_stream/container_service/fields/package-fields.yml @@ -69,3 +69,12 @@ description: > Metrics returned. +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. diff --git a/packages/azure_metrics/data_stream/database_account/fields/agent.yml b/packages/azure_metrics/data_stream/database_account/fields/agent.yml index da4e652c53b..71cada4f6f8 100644 --- a/packages/azure_metrics/data_stream/database_account/fields/agent.yml +++ b/packages/azure_metrics/data_stream/database_account/fields/agent.yml 
@@ -62,137 +62,8 @@ These fields help correlate data based containers from any runtime.' type: group fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - name: labels level: extended type: object object_type: keyword description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/azure_metrics/data_stream/database_account/fields/package-fields.yml b/packages/azure_metrics/data_stream/database_account/fields/package-fields.yml index 28fa99283bd..daa81e8339e 100644 
--- a/packages/azure_metrics/data_stream/database_account/fields/package-fields.yml +++ b/packages/azure_metrics/data_stream/database_account/fields/package-fields.yml @@ -69,3 +69,12 @@ description: > Metrics returned. +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. diff --git a/packages/azure_metrics/data_stream/monitor/fields/agent.yml b/packages/azure_metrics/data_stream/monitor/fields/agent.yml index da4e652c53b..71cada4f6f8 100644 --- a/packages/azure_metrics/data_stream/monitor/fields/agent.yml +++ b/packages/azure_metrics/data_stream/monitor/fields/agent.yml 
@@ -62,137 +62,8 @@ These fields help correlate data based containers from any runtime.' type: group fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - name: labels level: extended type: object object_type: keyword description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/azure_metrics/data_stream/monitor/fields/package-fields.yml b/packages/azure_metrics/data_stream/monitor/fields/package-fields.yml index 28fa99283bd..daa81e8339e 100644 --- a/packages/azure_metrics/data_stream/monitor/fields/package-fields.yml 
+++ b/packages/azure_metrics/data_stream/monitor/fields/package-fields.yml @@ -69,3 +69,12 @@ description: > Metrics returned. +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. diff --git a/packages/azure_metrics/data_stream/storage_account/fields/agent.yml b/packages/azure_metrics/data_stream/storage_account/fields/agent.yml index da4e652c53b..71cada4f6f8 100644 --- a/packages/azure_metrics/data_stream/storage_account/fields/agent.yml +++ b/packages/azure_metrics/data_stream/storage_account/fields/agent.yml 
@@ -62,137 +62,8 @@ These fields help correlate data based containers from any runtime.' type: group fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - name: labels level: extended type: object object_type: keyword description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. 
- - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/azure_metrics/data_stream/storage_account/fields/package-fields.yml b/packages/azure_metrics/data_stream/storage_account/fields/package-fields.yml index 28fa99283bd..daa81e8339e 100644 --- a/packages/azure_metrics/data_stream/storage_account/fields/package-fields.yml 
+++ b/packages/azure_metrics/data_stream/storage_account/fields/package-fields.yml @@ -69,3 +69,12 @@ description: > Metrics returned. +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. diff --git a/packages/azure_metrics/docs/README.md b/packages/azure_metrics/docs/README.md index bd45a464479..4c7a5a58ce2 100644 --- a/packages/azure_metrics/docs/README.md +++ b/packages/azure_metrics/docs/README.md 
@@ -94,24 +94,45 @@ aggregation list, namespaces and metric dimensions. The monitor metrics will hav
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
 | service.address | Service address | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
@@ -158,24 +179,45 @@ so the `period` for `compute_vm` should be `300s` or multiples of `300s`.
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
 | service.address | Service address | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
@@ -222,24 +264,45 @@ so the `period` for `compute_vm_scaleset` should be `300s` or multiples of `300s
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
 | service.address | Service address | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
@@ -286,24 +349,45 @@ so the `period` for `storage_account` should be `300s` or multiples of `300s`.
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
 | service.address | Service address | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
@@ -350,24 +434,45 @@ so the `period` for `container_instance` should be `300s` or multiples of `300s`
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
 | service.address | Service address | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
@@ -414,24 +519,45 @@ so the `period` for `container_registry` should be `300s` or multiples of `300s`
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
 | service.address | Service address | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
@@ -478,24 +604,45 @@ so the `period` for `container_service` should be `300s` or multiples of `300s`. | dataset.namespace | Dataset namespace. | constant_keyword | | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. 
| keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | | service.address | Service address | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. 
Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | 
@@ -542,24 +689,45 @@ so the `period` for `database_account` should be `300s` or multiples of `300s`. | dataset.namespace | Dataset namespace. | constant_keyword | | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. 
| keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | | service.address | Service address | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. 
Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/azure_metrics/docs/compute_vm.md b/packages/azure_metrics/docs/compute_vm.md index 2d1a69cbaf0..71ea2fac557 100644 --- a/packages/azure_metrics/docs/compute_vm.md +++ b/packages/azure_metrics/docs/compute_vm.md 
@@ -108,23 +108,44 @@ Authentication: Dedicated authentication token will be created and updated regul | dataset.namespace | Dataset namespace. | constant_keyword | | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. 
| keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | | service.address | Service address | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. 
Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/azure_metrics/docs/compute_vm_scaleset.md b/packages/azure_metrics/docs/compute_vm_scaleset.md index cde27b0f3eb..d110d28053f 100644 --- a/packages/azure_metrics/docs/compute_vm_scaleset.md +++ b/packages/azure_metrics/docs/compute_vm_scaleset.md 
@@ -105,23 +105,44 @@ Authentication: we are handling authentication on our side (creating/renewing th | dataset.namespace | Dataset namespace. | constant_keyword | | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. 
| keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | | service.address | Service address | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. 
Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/azure_metrics/docs/container_instance.md b/packages/azure_metrics/docs/container_instance.md index 28cc4d368ee..e5d67268cd8 100644 --- a/packages/azure_metrics/docs/container_instance.md +++ b/packages/azure_metrics/docs/container_instance.md 
@@ -105,23 +105,44 @@ Authentication: we are handling authentication on our side (creating/renewing th | dataset.namespace | Dataset namespace. | constant_keyword | | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. 
| keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | | service.address | Service address | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. 
Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/azure_metrics/docs/container_registry.md b/packages/azure_metrics/docs/container_registry.md index b508e438544..e8d61dfc2e7 100644 --- a/packages/azure_metrics/docs/container_registry.md +++ b/packages/azure_metrics/docs/container_registry.md 
@@ -105,23 +105,44 @@ Authentication: we are handling authentication on our side (creating/renewing th
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
 | service.address | Service address | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/azure_metrics/docs/container_service.md b/packages/azure_metrics/docs/container_service.md
index b01622f9d7a..6208fbc38c2 100644
--- a/packages/azure_metrics/docs/container_service.md
+++ b/packages/azure_metrics/docs/container_service.md
@@ -106,23 +106,44 @@ Authentication: we are handling authentication on our side (creating/renewing th
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
 | service.address | Service address | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/azure_metrics/docs/database_account.md b/packages/azure_metrics/docs/database_account.md
index dc3653b9169..b55c63ade33 100644
--- a/packages/azure_metrics/docs/database_account.md
+++ b/packages/azure_metrics/docs/database_account.md
@@ -104,23 +104,44 @@ Authentication: we are handling authentication on our side (creating/renewing th
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
 | service.address | Service address | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/azure_metrics/docs/monitor.md b/packages/azure_metrics/docs/monitor.md
index af10b2be983..8a02b1f2a02 100644
--- a/packages/azure_metrics/docs/monitor.md
+++ b/packages/azure_metrics/docs/monitor.md
@@ -157,23 +157,44 @@ Authentication: we are handling authentication on our side (creating/renewing th
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
 | service.address | Service address | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/azure_metrics/docs/storage_account.md b/packages/azure_metrics/docs/storage_account.md
index 9887b0252db..f4f9dc82a6f 100644
--- a/packages/azure_metrics/docs/storage_account.md
+++ b/packages/azure_metrics/docs/storage_account.md
@@ -106,24 +106,45 @@ Authentication: we are handling authentication on our side (creating/renewing th
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
 | service.address | Service address | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/barracuda/data_stream/spamfirewall/fields/base-fields.yml b/packages/barracuda/data_stream/spamfirewall/fields/base-fields.yml
index ba1aef8ef59..2e783256e84 100644
--- a/packages/barracuda/data_stream/spamfirewall/fields/base-fields.yml
+++ b/packages/barracuda/data_stream/spamfirewall/fields/base-fields.yml
@@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: barracuda.spamfirewall -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024
@@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword
diff --git a/packages/barracuda/data_stream/waf/fields/base-fields.yml b/packages/barracuda/data_stream/waf/fields/base-fields.yml
index 10f3201694a..d0d9b118b1d 100644
--- a/packages/barracuda/data_stream/waf/fields/base-fields.yml
+++ b/packages/barracuda/data_stream/waf/fields/base-fields.yml
@@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: barracuda.waf -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024
@@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword
diff --git a/packages/bluecoat/data_stream/director/fields/base-fields.yml b/packages/bluecoat/data_stream/director/fields/base-fields.yml
index 6a87280d3db..36c3bb3f0ed 100644
--- a/packages/bluecoat/data_stream/director/fields/base-fields.yml
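Review bot: Nothing in the `@@ -15,9 +15,6 @@` hunk of the spamfirewall base-fields.yml shows where the `@timestamp` (type `date`) and `tags` (type `keyword`, `ignore_above: 1024`) mappings come from once they leave this file, so both now depend on a definition outside the diff. If they are meant to be supplied by a shared or ECS-level definition, that should be verified for each affected data stream before merge, because a `tags` value left to dynamic mapping is indexed as `text` with a `keyword` sub-field rather than a plain `keyword`, and filters or detection rules that match exact `tags` values would then behave differently. The same two deletions appear in the waf base-fields.yml hunks on this line and in the bluecoat director hunks on the next line. A one-line note in the commit message naming where these base fields are now declared would make the change reviewable without opening the other files.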
+++ b/packages/bluecoat/data_stream/director/fields/base-fields.yml
@@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: bluecoat.director -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024
@@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword
diff --git a/packages/carbon_black_cloud/data_stream/alert/fields/agent.yml b/packages/carbon_black_cloud/data_stream/alert/fields/agent.yml
index e313ec82874..bf2dfff6756 100644
--- a/packages/carbon_black_cloud/data_stream/alert/fields/agent.yml
+++ b/packages/carbon_black_cloud/data_stream/alert/fields/agent.yml
@@ -105,38 +105,11 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword ignore_above: 1024 description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - name: os.family level: extended type: keyword
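Review bot: In the alert agent.yml hunk `@@ -105,38 +105,11 @@` the `hostname`, `id`, `ip` and `name` entries leave the host field group while `mac` stays, and the asset_vulnerability_summary hunks on the next two lines keep `ip` but drop `os.name` instead, so the removed set differs per data stream; presumably each removal dedupes a field that another fields file in the same data stream already declares, but that file is not in the diff. The check worth doing before merge is that every removed field is still declared in its data stream with the same type — `host.ip` in particular must remain `ip`, because a value left to dynamic mapping is indexed as `text`/`keyword` and CIDR-style queries on `host.ip` in rules and dashboards would no longer match. The same applies to `os.version` in the `@@ -166,12 +139,6 @@` hunk on the next line. The enclosing field group starts before this hunk, so the indentation of the surviving `mac` entry cannot be checked from here.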
@@ -166,12 +139,6 @@
 ignore_above: 1024
 description: Operating system platform (such centos, ubuntu, windows).
 example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
 - name: type
 level: core
 type: keyword
diff --git a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/fields/agent.yml b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/fields/agent.yml
index e313ec82874..c761dfb768a 100644
--- a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/fields/agent.yml
+++ b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/fields/agent.yml
@@ -105,22 +105,6 @@
 For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
 - name: ip
 level: core
 type: ip
@@ -130,13 +114,6 @@
 type: keyword
 ignore_above: 1024
 description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
@@ -149,29 +126,12 @@
 ignore_above: 1024
 description: Operating system kernel version as a raw string.
 example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
 - name: os.platform
 level: extended
 type: keyword
 ignore_above: 1024
 description: Operating system platform (such centos, ubuntu, windows).
 example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
 - name: type
 level: core
 type: keyword
diff --git a/packages/carbon_black_cloud/data_stream/endpoint_event/fields/agent.yml b/packages/carbon_black_cloud/data_stream/endpoint_event/fields/agent.yml
index e313ec82874..643c71067ef 100644
--- a/packages/carbon_black_cloud/data_stream/endpoint_event/fields/agent.yml
+++ b/packages/carbon_black_cloud/data_stream/endpoint_event/fields/agent.yml
@@ -105,61 +105,17 @@
 For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
 ignore_above: 1024
 description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
 - name: os.kernel
 level: extended
 type: keyword
 ignore_above: 1024
 description: Operating system kernel version as a raw string.
 example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
 - name: os.platform
 level: extended
 type: keyword
diff --git a/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/agent.yml b/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/agent.yml
index e313ec82874..1ff9745963f 100644
--- a/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/agent.yml
+++ b/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/agent.yml
@@ -105,38 +105,11 @@
 For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
 ignore_above: 1024
 description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/carbon_black_cloud/docs/README.md b/packages/carbon_black_cloud/docs/README.md
index b07163713d4..6e6dc9efd2d 100644
--- a/packages/carbon_black_cloud/docs/README.md
+++ b/packages/carbon_black_cloud/docs/README.md
@@ -632,7 +632,7 @@ An example event for `endpoint_event` looks as following:
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
@@ -1029,7 +1029,7 @@ An example event for `asset_vulnerability_summary` looks as following:
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
diff --git a/packages/carbonblack_edr/data_stream/log/fields/agent.yml b/packages/carbonblack_edr/data_stream/log/fields/agent.yml
index 4d9a6f7b362..8d787b7c8dc 100644
--- a/packages/carbonblack_edr/data_stream/log/fields/agent.yml
+++ b/packages/carbonblack_edr/data_stream/log/fields/agent.yml
@@ -46,13 +46,6 @@
 type: keyword
 ignore_above: 1024
 description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
@@ -65,17 +58,6 @@
 ignore_above: 1024
 description: Operating system kernel version as a raw string.
 example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
 - name: os.platform
 level: extended
 type: keyword
diff --git a/packages/cassandra/data_stream/metrics/fields/ecs.yml b/packages/cassandra/data_stream/metrics/fields/ecs.yml
index ada632fe019..64eca720df2 100644
--- a/packages/cassandra/data_stream/metrics/fields/ecs.yml
+++ b/packages/cassandra/data_stream/metrics/fields/ecs.yml
@@ -86,22 +86,14 @@
 name: user.name
 - external: ecs
 name: user_agent.device.name
-- external: ecs
- name: user_agent.device.name
-- external: ecs
- name: user_agent.name
 - external: ecs
 name: user_agent.name
 - external: ecs
 name: user_agent.original
-- external: ecs
- name: user_agent.original
 - external: ecs
 name: user_agent.os.full
 - external: ecs
 name: user_agent.os.name
-- external: ecs
- name: user_agent.os.name
 - external: ecs
 name: user_agent.os.version
 - external: ecs
diff --git a/packages/cassandra/data_stream/metrics/fields/fields.yml b/packages/cassandra/data_stream/metrics/fields/fields.yml
index 9deb596f458..5058d2ab128 100644
--- a/packages/cassandra/data_stream/metrics/fields/fields.yml
+++ b/packages/cassandra/data_stream/metrics/fields/fields.yml
@@ -283,16 +283,6 @@
 type: long
 - name: active
 type: long
- - name: request_response_stage
- type: group
- fields:
- - name: request
- type: group
- fields:
- - name: pending
- type: long
- - name: active
- type: long
 - name: read_stage
 type: group
 fields:
diff --git a/packages/checkpoint/data_stream/firewall/fields/agent.yml b/packages/checkpoint/data_stream/firewall/fields/agent.yml
index 79a7a39864b..915a21e22ae 100644
--- a/packages/checkpoint/data_stream/firewall/fields/agent.yml
+++ b/packages/checkpoint/data_stream/firewall/fields/agent.yml
@@ -58,11 +58,6 @@
 description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
 type: group
 fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
 - name: image.name
 level: extended
 type: keyword
@@ -116,11 +111,6 @@
 type: keyword
 ignore_above: 1024
 description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
 - name: os.family
 level: extended
 type: keyword
@@ -133,29 +123,12 @@
 ignore_above: 1024
 description: Operating system kernel version as a raw string.
 example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
 - name: os.platform
 level: extended
 type: keyword
 ignore_above: 1024
 description: Operating system platform (such centos, ubuntu, windows).
 example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
 - name: type
 level: core
 type: keyword
diff --git a/packages/checkpoint/docs/README.md b/packages/checkpoint/docs/README.md
index fc596238769..a0b057cdb9f 100644
--- a/packages/checkpoint/docs/README.md
+++ b/packages/checkpoint/docs/README.md
@@ -592,7 +592,7 @@ An example event for `firewall` looks as following:
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
diff --git a/packages/cisco/data_stream/asa/fields/base-fields.yml b/packages/cisco/data_stream/asa/fields/base-fields.yml
index 4d6bf1902fe..6036c4f4d9f 100644
--- a/packages/cisco/data_stream/asa/fields/base-fields.yml
+++ b/packages/cisco/data_stream/asa/fields/base-fields.yml
@@ -15,6 +15,3 @@
 type: constant_keyword
 description: Event dataset
 value: cisco.asa
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/cisco/data_stream/asa/fields/ecs.yml b/packages/cisco/data_stream/asa/fields/ecs.yml
index 26c8e662c42..ee8b04ed51f 100644
--- a/packages/cisco/data_stream/asa/fields/ecs.yml
+++ b/packages/cisco/data_stream/asa/fields/ecs.yml
@@ -48,8 +48,6 @@
 name: event.code
 - external: ecs
 name: event.created
-- external: ecs
- name: event.created
 - external: ecs
 name: event.duration
 - external: ecs
@@ -200,8 +198,6 @@
 name: user.email
 - external: ecs
 name: user.name
-- external: ecs
- name: server.domain
 - external: ecs
 name: server.address
 - external: ecs
diff --git a/packages/cisco/data_stream/ftd/fields/base-fields.yml b/packages/cisco/data_stream/ftd/fields/base-fields.yml
index 919ded43d4a..0adbb933598 100644
--- a/packages/cisco/data_stream/ftd/fields/base-fields.yml
+++ b/packages/cisco/data_stream/ftd/fields/base-fields.yml
@@ -15,6 +15,3 @@
 type: constant_keyword
 description: Event dataset
 value: cisco.ftd
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/cisco/data_stream/ftd/fields/ecs.yml b/packages/cisco/data_stream/ftd/fields/ecs.yml
index 1e4950c9bfe..f611e8ee32a 100644
--- a/packages/cisco/data_stream/ftd/fields/ecs.yml
+++ b/packages/cisco/data_stream/ftd/fields/ecs.yml
@@ -56,8 +56,6 @@
 name: event.code
 - external: ecs
 name: event.created
-- external: ecs
- name: event.created
 - external: ecs
 name: event.duration
 - external: ecs
@@ -230,8 +228,6 @@
 name: user.name
 - external: ecs
 name: user_agent.original
-- external: ecs
- name: server.domain
 - external: ecs
 name: server.address
 - external: ecs
diff --git a/packages/cisco/data_stream/ios/fields/base-fields.yml b/packages/cisco/data_stream/ios/fields/base-fields.yml
index 00107880f51..5c2bd7ccbda 100644
--- a/packages/cisco/data_stream/ios/fields/base-fields.yml
+++ b/packages/cisco/data_stream/ios/fields/base-fields.yml
@@ -15,6 +15,3 @@
 type: constant_keyword
 description: Event dataset
 value: cisco.ios
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/cisco/data_stream/ios/fields/ecs.yml b/packages/cisco/data_stream/ios/fields/ecs.yml
index f1b640bd5ec..7f5efc110d4 100644
--- a/packages/cisco/data_stream/ios/fields/ecs.yml
+++ b/packages/cisco/data_stream/ios/fields/ecs.yml
@@ -36,8 +36,6 @@
 name: event.code
 - external: ecs
 name: event.created
-- external: ecs
- name: event.created
 - external: ecs
 name: event.duration
 - external: ecs
@@ -88,8 +86,6 @@
 name: source.port
 - external: ecs
 name: source.user.name
-- external: ecs
- name: source.address
 - external: ecs
 name: source.as.number
 - external: ecs
diff --git a/packages/cisco/data_stream/meraki/fields/agent.yml b/packages/cisco/data_stream/meraki/fields/agent.yml
index da4e652c53b..38bb8dcec56 100644
--- a/packages/cisco/data_stream/meraki/fields/agent.yml
+++ b/packages/cisco/data_stream/meraki/fields/agent.yml
@@ -105,13 +105,6 @@
 For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
 - name: id
 level: core
 type: keyword
@@ -121,22 +114,6 @@
 As hostname is not always unique, use values that are meaningful in your environment.

 Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/cisco/data_stream/meraki/fields/base-fields.yml b/packages/cisco/data_stream/meraki/fields/base-fields.yml
index 774b6eba7f9..e32ab63a97b 100644
--- a/packages/cisco/data_stream/meraki/fields/base-fields.yml
+++ b/packages/cisco/data_stream/meraki/fields/base-fields.yml
@@ -7,9 +7,6 @@
 - name: data_stream.namespace
 type: constant_keyword
 description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
 - name: event.module
 type: constant_keyword
 description: Event module
@@ -18,10 +15,6 @@
 type: constant_keyword
 description: Event dataset
 value: cisco.meraki
-- name: container.id
- description: Unique container id.
- ignore_above: 1024
- type: keyword
 - name: input.type
 description: Type of Filebeat input.
 type: keyword
@@ -39,8 +32,3 @@
 - name: log.offset
 description: Offset of the entry in the log file.
 type: long
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/cisco/data_stream/nexus/fields/agent.yml b/packages/cisco/data_stream/nexus/fields/agent.yml
index da4e652c53b..38bb8dcec56 100644
--- a/packages/cisco/data_stream/nexus/fields/agent.yml
+++ b/packages/cisco/data_stream/nexus/fields/agent.yml
@@ -105,13 +105,6 @@
 For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
 - name: id
 level: core
 type: keyword
@@ -121,22 +114,6 @@
 As hostname is not always unique, use values that are meaningful in your environment.

 Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/cisco/data_stream/nexus/fields/base-fields.yml b/packages/cisco/data_stream/nexus/fields/base-fields.yml
index b676b8221c0..4f3c8eaa3e0 100644
--- a/packages/cisco/data_stream/nexus/fields/base-fields.yml
+++ b/packages/cisco/data_stream/nexus/fields/base-fields.yml
@@ -15,13 +15,6 @@
 type: constant_keyword
 description: Event dataset
 value: cisco.nexus
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: container.id
- description: Unique container id.
- ignore_above: 1024
- type: keyword
 - name: input.type
 description: Type of Filebeat input.
 type: keyword
@@ -39,8 +32,3 @@
 - name: log.offset
 description: Offset of the entry in the log file.
 type: long
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/cisco/docs/README.md b/packages/cisco/docs/README.md
index 7eca6d6e14b..750e050d29e 100644
--- a/packages/cisco/docs/README.md
+++ b/packages/cisco/docs/README.md
@@ -134,7 +134,7 @@ An example event for `asa` looks as following:

 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
 | cisco.asa.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip |
 | cisco.asa.burst.avg_rate | The current average burst rate seen | keyword |
 | cisco.asa.burst.configured_avg_rate | The current configured average burst rate allowed | keyword |
@@ -502,7 +502,7 @@ An example event for `ftd` looks as following:

 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
 | cisco.ftd.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip |
 | cisco.ftd.burst.avg_rate | The current average burst rate seen | keyword |
 | cisco.ftd.burst.configured_avg_rate | The current configured average burst rate allowed | keyword |
@@ -806,7 +806,7 @@ An example event for `ios` looks as following:

 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
 | cisco.ios.access_list | Name of the IP access list. | keyword |
 | cisco.ios.action | Action taken by the device | keyword |
 | cisco.ios.facility | The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message. | keyword |
@@ -1930,7 +1930,7 @@ An example event for `meraki` looks as following:

 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
 | client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
 | client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
diff --git a/packages/cisco_asa/data_stream/log/fields/base-fields.yml b/packages/cisco_asa/data_stream/log/fields/base-fields.yml
index efbed64fadb..4a5f0534389 100644
--- a/packages/cisco_asa/data_stream/log/fields/base-fields.yml
+++ b/packages/cisco_asa/data_stream/log/fields/base-fields.yml
@@ -15,6 +15,3 @@
 type: constant_keyword
 description: Event dataset
 value: cisco_asa.log
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/cisco_asa/data_stream/log/fields/ecs.yml b/packages/cisco_asa/data_stream/log/fields/ecs.yml
index 71143f2c0c2..6779904532a 100644
--- a/packages/cisco_asa/data_stream/log/fields/ecs.yml
+++ b/packages/cisco_asa/data_stream/log/fields/ecs.yml
@@ -50,8 +50,6 @@
 name: event.code
 - external: ecs
 name: event.created
-- external: ecs
- name: event.created
 - external: ecs
 name: event.duration
 - external: ecs
@@ -208,8 +206,6 @@
 name: user.email
 - external: ecs
 name: user.name
-- external: ecs
- name: server.domain
 - external: ecs
 name: server.address
 - external: ecs
diff --git a/packages/cisco_asa/docs/README.md b/packages/cisco_asa/docs/README.md
index 15283dd1563..a1b7a6d6170 100644
--- a/packages/cisco_asa/docs/README.md
+++ b/packages/cisco_asa/docs/README.md
@@ -127,7 +127,7 @@ An example event for `log` looks as following:

 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
 | cisco.asa.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip |
 | cisco.asa.burst.avg_rate | The current average burst rate seen | keyword |
 | cisco.asa.burst.configured_avg_rate | The current configured average burst rate allowed | keyword |
diff --git a/packages/cisco_ftd/data_stream/log/fields/base-fields.yml b/packages/cisco_ftd/data_stream/log/fields/base-fields.yml
index e02b7e2a255..c867421badf 100644
--- a/packages/cisco_ftd/data_stream/log/fields/base-fields.yml
+++ b/packages/cisco_ftd/data_stream/log/fields/base-fields.yml
@@ -15,6 +15,3 @@
 type: constant_keyword
 description: Event dataset
 value: cisco_ftd.log
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/cisco_ftd/data_stream/log/fields/ecs.yml b/packages/cisco_ftd/data_stream/log/fields/ecs.yml
index 63bbe0f7fa4..23cf593c2ea 100644
--- a/packages/cisco_ftd/data_stream/log/fields/ecs.yml
+++ b/packages/cisco_ftd/data_stream/log/fields/ecs.yml
@@ -58,8 +58,6 @@
 name: event.code
 - external: ecs
 name: event.created
-- external: ecs
- name: event.created
 - external: ecs
 name: event.duration
 - external: ecs
@@ -238,8 +236,6 @@
 name: user.name
 - external: ecs
 name: user_agent.original
-- external: ecs
- name: server.domain
 - external: ecs
 name: server.address
 - external: ecs
diff --git a/packages/cisco_ios/data_stream/log/fields/base-fields.yml b/packages/cisco_ios/data_stream/log/fields/base-fields.yml
index 30f3b7cd066..2af9255d83b 100644
--- a/packages/cisco_ios/data_stream/log/fields/base-fields.yml
+++ b/packages/cisco_ios/data_stream/log/fields/base-fields.yml
@@ -15,6 +15,3 @@
 type: constant_keyword
 description: Event dataset
 value: cisco_ios.log
-- name: "@timestamp"
- type: date
- description: Event timestamp.
diff --git a/packages/cisco_ios/data_stream/log/fields/ecs.yml b/packages/cisco_ios/data_stream/log/fields/ecs.yml
index aa2cf73fd85..903e7852795 100644
--- a/packages/cisco_ios/data_stream/log/fields/ecs.yml
+++ b/packages/cisco_ios/data_stream/log/fields/ecs.yml
@@ -36,8 +36,6 @@
 name: event.code
 - external: ecs
 name: event.created
-- external: ecs
- name: event.created
 - external: ecs
 name: event.duration
 - external: ecs
diff --git a/packages/cisco_ios/docs/README.md b/packages/cisco_ios/docs/README.md
index 865021f3756..b07b3c65ef3 100644
--- a/packages/cisco_ios/docs/README.md
+++ b/packages/cisco_ios/docs/README.md
@@ -95,7 +95,7 @@ An example event for `log` looks as following:

 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
 | cisco.ios.access_list | Name of the IP access list. | keyword |
 | cisco.ios.action | Action taken by the device | keyword |
 | cisco.ios.facility | The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message. | keyword |
diff --git a/packages/cisco_ise/data_stream/log/fields/agent.yml b/packages/cisco_ise/data_stream/log/fields/agent.yml
index 6e1bac042bc..98d2f9f38d5 100644
--- a/packages/cisco_ise/data_stream/log/fields/agent.yml
+++ b/packages/cisco_ise/data_stream/log/fields/agent.yml
@@ -97,20 +97,11 @@
 description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
 - name: id
 level: core
 type: keyword
 ignore_above: 1024
 description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/cisco_ise/data_stream/log/fields/fields.yml b/packages/cisco_ise/data_stream/log/fields/fields.yml
index 2426988f9f0..69f920b6ea1 100644
--- a/packages/cisco_ise/data_stream/log/fields/fields.yml
+++ b/packages/cisco_ise/data_stream/log/fields/fields.yml
@@ -726,8 +726,6 @@
 fields:
 - name: version
 type: keyword
- - name: state
- type: text
 - name: static
 type: group
 fields:
diff --git a/packages/cisco_ise/docs/README.md b/packages/cisco_ise/docs/README.md
index 9e7295a4111..22269231ceb 100644
--- a/packages/cisco_ise/docs/README.md
+++ b/packages/cisco_ise/docs/README.md
@@ -406,7 +406,7 @@ An example event for `log` looks as following:
 | cisco_ise.log.session.timeout | | long |
 | cisco_ise.log.severity.level | | long |
 | cisco_ise.log.software.version | | keyword |
-| cisco_ise.log.state | | text |
+| cisco_ise.log.state | | keyword |
 | cisco_ise.log.static.assignment | | boolean |
 | cisco_ise.log.status | | keyword |
 | cisco_ise.log.step | | keyword |
diff --git a/packages/cisco_meraki/data_stream/events/fields/agent.yml b/packages/cisco_meraki/data_stream/events/fields/agent.yml
index 162c9f3aa38..90bd07fa045 100644
--- a/packages/cisco_meraki/data_stream/events/fields/agent.yml
+++ b/packages/cisco_meraki/data_stream/events/fields/agent.yml
@@ -105,13 +105,6 @@
 For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
 - name: id
 level: core
 type: keyword
@@ -121,22 +114,6 @@ As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - name: os.family level: extended type: keyword diff --git a/packages/cisco_meraki/data_stream/events/fields/base-fields.yml b/packages/cisco_meraki/data_stream/events/fields/base-fields.yml index ebba8d4244b..71da0e30206 100644 --- a/packages/cisco_meraki/data_stream/events/fields/base-fields.yml +++ b/packages/cisco_meraki/data_stream/events/fields/base-fields.yml @@ -7,9 +7,6 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. - name: event.module type: constant_keyword description: Event module @@ -18,15 +15,3 @@ type: constant_keyword description: Event dataset value: cisco_meraki.events -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword -- name: log.file.path - description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - type: keyword diff --git a/packages/cisco_meraki/data_stream/events/fields/ecs.yml b/packages/cisco_meraki/data_stream/events/fields/ecs.yml index 1689c91fbc3..0ad0ce22490 100644 --- a/packages/cisco_meraki/data_stream/events/fields/ecs.yml +++ b/packages/cisco_meraki/data_stream/events/fields/ecs.yml 
@@ -280,10 +280,6 @@ name: threat.indicator.file.name - external: ecs name: threat.indicator.file.hash.sha256 -- external: ecs - name: network.direction -- external: ecs - name: network.protocol - external: ecs name: client.geo.city_name - external: ecs diff --git a/packages/cisco_meraki/data_stream/log/fields/agent.yml b/packages/cisco_meraki/data_stream/log/fields/agent.yml index 162c9f3aa38..90bd07fa045 100644 --- a/packages/cisco_meraki/data_stream/log/fields/agent.yml +++ b/packages/cisco_meraki/data_stream/log/fields/agent.yml @@ -105,13 +105,6 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword @@ -121,22 +114,6 @@ As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - name: os.family level: extended type: keyword diff --git a/packages/cisco_meraki/data_stream/log/fields/base-fields.yml b/packages/cisco_meraki/data_stream/log/fields/base-fields.yml index 7691cacc73e..57cd7d544ae 100644 --- a/packages/cisco_meraki/data_stream/log/fields/base-fields.yml +++ b/packages/cisco_meraki/data_stream/log/fields/base-fields.yml 
@@ -7,9 +7,6 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. - name: event.module type: constant_keyword description: Event module @@ -18,10 +15,3 @@ type: constant_keyword description: Event dataset value: cisco_meraki.log -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword diff --git a/packages/cisco_meraki/data_stream/log/fields/ecs.yml b/packages/cisco_meraki/data_stream/log/fields/ecs.yml index d0f1e65d677..81eccba0695 100644 --- a/packages/cisco_meraki/data_stream/log/fields/ecs.yml +++ b/packages/cisco_meraki/data_stream/log/fields/ecs.yml @@ -280,10 +280,6 @@ name: threat.indicator.file.name - external: ecs name: threat.indicator.file.hash.sha256 -- external: ecs - name: network.direction -- external: ecs - name: network.protocol - external: ecs name: client.geo.city_name - external: ecs diff --git a/packages/cisco_meraki/docs/README.md b/packages/cisco_meraki/docs/README.md index baea4f77535..4e5897bfe75 100644 --- a/packages/cisco_meraki/docs/README.md +++ b/packages/cisco_meraki/docs/README.md @@ -57,7 +57,7 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | cisco_meraki.8021x_auth | | flattened | | cisco_meraki.8021x_deauth | | flattened | | cisco_meraki.8021x_eap_failure | | flattened | 
@@ -190,7 +190,7 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
 | http.request.referrer | Referrer for this HTTP request. | keyword |
-| input.type | Type of Filebeat input. | keyword |
+| input.type | Input type. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
@@ -387,7 +387,7 @@ An example event for `log` looks as following: | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | cisco_meraki.event.alertData | Additional alert data (differs based on alert type) | flattened | | cisco_meraki.event.alertId | ID for this alert message | keyword | | cisco_meraki.event.alertLevel | Alert level (informational, critical etc.) | keyword | 
@@ -512,7 +512,7 @@ An example event for `log` looks as following: | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | | http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Type of Filebeat input. | keyword | +| input.type | Input type. | keyword | | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | | log.offset | Offset of the entry in the log file. | long | diff --git a/packages/cisco_nexus/data_stream/log/fields/agent.yml b/packages/cisco_nexus/data_stream/log/fields/agent.yml index da4e652c53b..38bb8dcec56 100644 --- a/packages/cisco_nexus/data_stream/log/fields/agent.yml +++ b/packages/cisco_nexus/data_stream/log/fields/agent.yml @@ -105,13 +105,6 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword 
@@ -121,22 +114,6 @@ As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - name: os.family level: extended type: keyword diff --git a/packages/cisco_nexus/data_stream/log/fields/base-fields.yml b/packages/cisco_nexus/data_stream/log/fields/base-fields.yml index 40f5ce6158c..2edfc68eac0 100644 --- a/packages/cisco_nexus/data_stream/log/fields/base-fields.yml +++ b/packages/cisco_nexus/data_stream/log/fields/base-fields.yml @@ -15,13 +15,6 @@ type: constant_keyword description: Event dataset value: cisco_nexus.log -- name: "@timestamp" - type: date - description: Event timestamp. -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword - name: input.type description: Type of Filebeat input. type: keyword @@ -39,8 +32,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/cisco_secure_email_gateway/data_stream/log/fields/fields.yml b/packages/cisco_secure_email_gateway/data_stream/log/fields/fields.yml index 0b6fbd185e1..5b8eee05bcb 100644 --- a/packages/cisco_secure_email_gateway/data_stream/log/fields/fields.yml +++ b/packages/cisco_secure_email_gateway/data_stream/log/fields/fields.yml @@ -502,5 +502,3 @@ - name: type type: keyword description: Input type. -- name: input.type - type: keyword 
diff --git a/packages/cisco_secure_email_gateway/docs/README.md b/packages/cisco_secure_email_gateway/docs/README.md index 31559fa4eec..601a29c3afc 100644 --- a/packages/cisco_secure_email_gateway/docs/README.md +++ b/packages/cisco_secure_email_gateway/docs/README.md @@ -500,7 +500,7 @@ An example event for `log` looks as following: | http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | | http.response.status_code | HTTP response status code. | long | | http.version | HTTP version. | keyword | -| input.type | | keyword | +| input.type | Input type | keyword | | log.file.path | File path from which the log event was read / sent from. | keyword | | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | | log.offset | Log offset | long | diff --git a/packages/cisco_secure_endpoint/data_stream/event/fields/base-fields.yml b/packages/cisco_secure_endpoint/data_stream/event/fields/base-fields.yml index 351ac771303..7e2ae7c8427 100644 --- a/packages/cisco_secure_endpoint/data_stream/event/fields/base-fields.yml +++ b/packages/cisco_secure_endpoint/data_stream/event/fields/base-fields.yml @@ -18,10 +18,6 @@ type: constant_keyword description: Event dataset value: cisco_secure_endpoint.event -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword - name: input.type description: Type of Filebeat input. type: keyword diff --git a/packages/cisco_secure_endpoint/data_stream/event/fields/ecs.yml b/packages/cisco_secure_endpoint/data_stream/event/fields/ecs.yml index e6934866f97..a111f41da68 100644 
--- a/packages/cisco_secure_endpoint/data_stream/event/fields/ecs.yml +++ b/packages/cisco_secure_endpoint/data_stream/event/fields/ecs.yml @@ -24,8 +24,6 @@ name: event.category - external: ecs name: event.id -- external: ecs - name: event.code - external: ecs name: event.timezone - name: related.ip diff --git a/packages/cisco_umbrella/data_stream/log/fields/agent.yml b/packages/cisco_umbrella/data_stream/log/fields/agent.yml index da4e652c53b..38bb8dcec56 100644 --- a/packages/cisco_umbrella/data_stream/log/fields/agent.yml +++ b/packages/cisco_umbrella/data_stream/log/fields/agent.yml @@ -105,13 +105,6 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword @@ -121,22 +114,6 @@ As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - name: os.family level: extended type: keyword diff --git a/packages/cisco_umbrella/data_stream/log/fields/base-fields.yml b/packages/cisco_umbrella/data_stream/log/fields/base-fields.yml index 1fb9b67d579..2c6581fc21d 100644 --- a/packages/cisco_umbrella/data_stream/log/fields/base-fields.yml +++ b/packages/cisco_umbrella/data_stream/log/fields/base-fields.yml 
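Review bot: Removing the `external: ecs` entry for `event.code` in the cisco_secure_endpoint ecs.yml hunk leaves no visible replacement, so if the ingest pipeline still sets `event.code` the value will be dynamically mapped (or rejected under a strict mapping) instead of carrying the ECS keyword mapping. The same applies to `client.geo.country_iso_code` in the cloudflare logpull ecs.yml hunk further down. Presumably both entries duplicated another definition in the same data stream and are being removed to satisfy the newer package-spec; if so, a sentence in the PR description naming that rule would let reviewers confirm it, otherwise the pipelines for these two fields should be checked before merge.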
@@ -15,10 +15,6 @@ type: constant_keyword description: Event dataset value: cisco_umbrella.log -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword - name: input.type description: Type of Filebeat input. type: keyword diff --git a/packages/cisco_umbrella/docs/README.md b/packages/cisco_umbrella/docs/README.md index 6af338e67e9..9836bb86213 100644 --- a/packages/cisco_umbrella/docs/README.md +++ b/packages/cisco_umbrella/docs/README.md @@ -202,7 +202,7 @@ An example event for `log` looks as following: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | diff --git a/packages/cloudflare/data_stream/logpull/fields/ecs.yml b/packages/cloudflare/data_stream/logpull/fields/ecs.yml index 9a9a6402b06..a76befc86ca 100644 --- a/packages/cloudflare/data_stream/logpull/fields/ecs.yml +++ b/packages/cloudflare/data_stream/logpull/fields/ecs.yml 
@@ -12,8 +12,6 @@ external: ecs - name: client.geo.continent_name external: ecs -- name: client.geo.country_iso_code - external: ecs - name: client.geo.region_iso_code external: ecs - name: client.geo.location diff --git a/packages/cockroachdb/data_stream/status/fields/agent.yml b/packages/cockroachdb/data_stream/status/fields/agent.yml index 79a7a39864b..bb0bad1faae 100644 --- a/packages/cockroachdb/data_stream/status/fields/agent.yml +++ b/packages/cockroachdb/data_stream/status/fields/agent.yml 
@@ -58,123 +58,8 @@ description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." type: group fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - name: labels level: extended type: object object_type: keyword description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. 
- - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/cockroachdb/docs/README.md b/packages/cockroachdb/docs/README.md index 5725dfdac26..1ec587efe73 100644 --- a/packages/cockroachdb/docs/README.md 
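Review bot: The removed `host` group in the cockroachdb agent.yml hunk carries three non-ECS fields — `containerized`, `os.build` and `os.codename` — that have no replacement in this hunk, and the README hunk for this package below confirms they are gone (`-| host.containerized |`, `-| host.os.build |`, `-| host.os.codename |` with no `+` counterpart) while the ECS `host.*` fields reappear with richer definitions. If the agent's host metadata still emits these three values they will now be dynamically mapped per index, which is a mapping change rather than a deduplication. Either keep a minimal definition for them next to the `host` ECS import, or state in the changelog that they are intentionally dropped. The `ip` entry on the previous line belongs to the same removed group.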
+++ b/packages/cockroachdb/docs/README.md 
@@ -41,24 +41,42 @@ exposing metrics in Prometheus format. | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. | keyword | +| host.geo.country_name | Country name. 
| keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | | service.address | Service address | keyword | | service.type | The type of the service data is collected from. 
The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/cyberark/data_stream/corepas/fields/base-fields.yml b/packages/cyberark/data_stream/corepas/fields/base-fields.yml index 21c3c25647b..96b7f318d5a 100644 --- a/packages/cyberark/data_stream/corepas/fields/base-fields.yml +++ b/packages/cyberark/data_stream/corepas/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: cyberark.corepas -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 @@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/cyberarkpas/data_stream/audit/fields/base-fields.yml b/packages/cyberarkpas/data_stream/audit/fields/base-fields.yml index 62b68b8872e..1e7939f992a 100644 --- a/packages/cyberarkpas/data_stream/audit/fields/base-fields.yml +++ b/packages/cyberarkpas/data_stream/audit/fields/base-fields.yml @@ -7,10 +7,6 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: cyberarkpas - name: event.dataset type: constant_keyword description: Event dataset diff --git a/packages/cyberarkpas/docs/README.md b/packages/cyberarkpas/docs/README.md index 21b6c5fe40f..40413f958cb 100644 --- a/packages/cyberarkpas/docs/README.md +++ b/packages/cyberarkpas/docs/README.md 
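Review bot: Dropping `event.module` as a `constant_keyword` with `value: cyberarkpas` in the cyberarkpas base-fields.yml hunk removes the index-level guarantee that every document in this data stream carries `event.module: cyberarkpas`; the README hunk that follows shows the field now resolving to the plain ECS `keyword`, which is only populated if the ingest pipeline sets it explicitly. `event.module` is a common filter in saved searches and detection rules, so it is worth confirming the pipeline sets it (not visible here), or keeping the definition as other packages in this diff do, e.g. the cisco_meraki base-fields that retain `- name: event.module` / `type: constant_keyword`.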
@@ -247,7 +247,7 @@ An example event for `audit` looks as following: | event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | diff --git a/packages/cylance/data_stream/protect/fields/base-fields.yml b/packages/cylance/data_stream/protect/fields/base-fields.yml index f7a828b7532..669ad8ae0b3 100644 --- a/packages/cylance/data_stream/protect/fields/base-fields.yml +++ b/packages/cylance/data_stream/protect/fields/base-fields.yml 
@@ -15,9 +15,6 @@
 type: constant_keyword
 description: Event dataset
 value: cylance.protect
-- name: '@timestamp'
- type: date
- description: Event timestamp.
 - name: container.id
 description: Unique container id.
 ignore_above: 1024
@@ -39,8 +36,3 @@
 - name: log.offset
 description: Offset of the entry in the log file.
 type: long
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/docker/data_stream/container/fields/ecs.yml b/packages/docker/data_stream/container/fields/ecs.yml
index 471f0cb8582..0ddecaf4ac3 100644
--- a/packages/docker/data_stream/container/fields/ecs.yml
+++ b/packages/docker/data_stream/container/fields/ecs.yml
@@ -14,25 +14,3 @@
 name: container.image.name
 - external: ecs
 name: host
-- external: ecs
- name: host.architecture
-- external: ecs
- name: host.ip
-- external: ecs
- name: host.mac
-- external: ecs
- name: host.name
-- external: ecs
- name: host.os.family
-- external: ecs
- name: host.os.full
-- external: ecs
- name: host.os.kernel
-- external: ecs
- name: host.os.name
-- external: ecs
- name: host.os.platform
-- external: ecs
- name: host.os.version
-- external: ecs
- name: host.type
diff --git a/packages/docker/data_stream/cpu/fields/ecs.yml b/packages/docker/data_stream/cpu/fields/ecs.yml
index c663e96a2c3..2c41a23e678 100644
--- a/packages/docker/data_stream/cpu/fields/ecs.yml
+++ b/packages/docker/data_stream/cpu/fields/ecs.yml
@@ -14,28 +14,6 @@
 name: container.image.name
 - external: ecs
 name: host
-- external: ecs
- name: host.architecture
-- external: ecs
- name: host.ip
-- external: ecs
- name: host.mac
-- external: ecs
- name: host.name
-- external: ecs
- name: host.os.family
-- external: ecs
- name: host.os.full
-- external: ecs
- name: host.os.kernel
-- external: ecs
- name: host.os.name
-- external: ecs
- name: host.os.platform
-- external: ecs
- name: host.os.version
-- external: ecs
- name: host.type
 - name: container.cpu.usage
 type: scaled_float
 format: percent
diff --git a/packages/docker/data_stream/diskio/fields/ecs.yml b/packages/docker/data_stream/diskio/fields/ecs.yml
index 4f2946b7865..8759671c888 100644
--- a/packages/docker/data_stream/diskio/fields/ecs.yml
+++ b/packages/docker/data_stream/diskio/fields/ecs.yml
@@ -14,28 +14,6 @@
 name: container.image.name
 - external: ecs
 name: host
-- external: ecs
- name: host.architecture
-- external: ecs
- name: host.ip
-- external: ecs
- name: host.mac
-- external: ecs
- name: host.name
-- external: ecs
- name: host.os.family
-- external: ecs
- name: host.os.full
-- external: ecs
- name: host.os.kernel
-- external: ecs
- name: host.os.name
-- external: ecs
- name: host.os.platform
-- external: ecs
- name: host.os.version
-- external: ecs
- name: host.type
 - name: container.disk.read.bytes
 type: long
 format: bytes
diff --git a/packages/docker/data_stream/event/fields/ecs.yml b/packages/docker/data_stream/event/fields/ecs.yml
index 471f0cb8582..0ddecaf4ac3 100644
--- a/packages/docker/data_stream/event/fields/ecs.yml
+++ b/packages/docker/data_stream/event/fields/ecs.yml
@@ -14,25 +14,3 @@
 name: container.image.name
 - external: ecs
 name: host
-- external: ecs
- name: host.architecture
-- external: ecs
- name: host.ip
-- external: ecs
- name: host.mac
-- external: ecs
- name: host.name
-- external: ecs
- name: host.os.family
-- external: ecs
- name: host.os.full
-- external: ecs
- name: host.os.kernel
-- external: ecs
- name: host.os.name
-- external: ecs
- name: host.os.platform
-- external: ecs
- name: host.os.version
-- external: ecs
- name: host.type
diff --git a/packages/docker/data_stream/healthcheck/fields/ecs.yml b/packages/docker/data_stream/healthcheck/fields/ecs.yml
index 471f0cb8582..0ddecaf4ac3 100644
--- a/packages/docker/data_stream/healthcheck/fields/ecs.yml
+++ b/packages/docker/data_stream/healthcheck/fields/ecs.yml
@@ -14,25 +14,3 @@
 name: container.image.name
 - external: ecs
 name: host
-- external: ecs
- name: host.architecture
-- external: ecs
- name: host.ip
-- external: ecs
- name: host.mac
-- external: ecs
- name: host.name
-- external: ecs
- name: host.os.family
-- external: ecs
- name: host.os.full
-- external: ecs
- name: host.os.kernel
-- external: ecs
- name: host.os.name
-- external: ecs
- name: host.os.platform
-- external: ecs
- name: host.os.version
-- external: ecs
- name: host.type
diff --git a/packages/docker/data_stream/image/fields/ecs.yml b/packages/docker/data_stream/image/fields/ecs.yml
index 471f0cb8582..0ddecaf4ac3 100644
--- a/packages/docker/data_stream/image/fields/ecs.yml
+++ b/packages/docker/data_stream/image/fields/ecs.yml
@@ -14,25 +14,3 @@
 name: container.image.name
 - external: ecs
 name: host
-- external: ecs
- name: host.architecture
-- external: ecs
- name: host.ip
-- external: ecs
- name: host.mac
-- external: ecs
- name: host.name
-- external: ecs
- name: host.os.family
-- external: ecs
- name: host.os.full
-- external: ecs
- name: host.os.kernel
-- external: ecs
- name: host.os.name
-- external: ecs
- name: host.os.platform
-- external: ecs
- name: host.os.version
-- external: ecs
- name: host.type
diff --git a/packages/docker/data_stream/info/fields/ecs.yml b/packages/docker/data_stream/info/fields/ecs.yml
index 471f0cb8582..0ddecaf4ac3 100644
--- a/packages/docker/data_stream/info/fields/ecs.yml
+++ b/packages/docker/data_stream/info/fields/ecs.yml
@@ -14,25 +14,3 @@
 name: container.image.name
 - external: ecs
 name: host
-- external: ecs
- name: host.architecture
-- external: ecs
- name: host.ip
-- external: ecs
- name: host.mac
-- external: ecs
- name: host.name
-- external: ecs
- name: host.os.family
-- external: ecs
- name: host.os.full
-- external: ecs
- name: host.os.kernel
-- external: ecs
- name: host.os.name
-- external: ecs
- name: host.os.platform
-- external: ecs
- name: host.os.version
-- external: ecs
- name: host.type
diff --git a/packages/docker/data_stream/memory/fields/ecs.yml b/packages/docker/data_stream/memory/fields/ecs.yml
index 4c757034615..2e9d0438675 100644
--- a/packages/docker/data_stream/memory/fields/ecs.yml
+++ b/packages/docker/data_stream/memory/fields/ecs.yml
@@ -14,28 +14,6 @@
 name: container.image.name
 - external: ecs
 name: host
-- external: ecs
- name: host.architecture
-- external: ecs
- name: host.ip
-- external: ecs
- name: host.mac
-- external: ecs
- name: host.name
-- external: ecs
- name: host.os.family
-- external: ecs
- name: host.os.full
-- external: ecs
- name: host.os.kernel
-- external: ecs
- name: host.os.name
-- external: ecs
- name: host.os.platform
-- external: ecs
- name: host.os.version
-- external: ecs
- name: host.type
 - name: container.memory.usage
 type: scaled_float
 format: percent
diff --git a/packages/docker/data_stream/network/fields/ecs.yml b/packages/docker/data_stream/network/fields/ecs.yml
index f41461110e1..3131eac8a02 100644
--- a/packages/docker/data_stream/network/fields/ecs.yml
+++ b/packages/docker/data_stream/network/fields/ecs.yml
@@ -14,28 +14,6 @@
 name: container.image.name
 - external: ecs
 name: host
-- external: ecs
- name: host.architecture
-- external: ecs
- name: host.ip
-- external: ecs
- name: host.mac
-- external: ecs
- name: host.name
-- external: ecs
- name: host.os.family
-- external: ecs
- name: host.os.full
-- external: ecs
- name: host.os.kernel
-- external: ecs
- name: host.os.name
-- external: ecs
- name: host.os.platform
-- external: ecs
- name: host.os.version
-- external: ecs
- name: host.type
 - name: container.network.egress.bytes
 type: long
 format: bytes
diff --git a/packages/docker/docs/README.md b/packages/docker/docs/README.md
index fefa34071a7..860023c146d 100644
--- a/packages/docker/docs/README.md
+++ b/packages/docker/docs/README.md
@@ -61,11 +61,31 @@ running Docker containers.
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
 | event.dataset | Event dataset | constant_keyword | |
 | event.module | Event module | constant_keyword | |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | |
 | host.architecture | Operating system architecture. | keyword | |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.geo.city_name | City name. | keyword | |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword | |
+| host.geo.continent_name | Name of the continent. | keyword | |
+| host.geo.country_iso_code | Country ISO code. | keyword | |
+| host.geo.country_name | Country name. | keyword | |
+| host.geo.location | Longitude and latitude.
| geo_point | |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | |
+| host.geo.region_iso_code | Region ISO code. | keyword | |
+| host.geo.region_name | Region name. | keyword | |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
 | host.ip | Host ip addresses. | ip | |
 | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection.
| long | |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
 | host.os.full | Operating system name, including the version or code name. | keyword | |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | |
@@ -73,8 +93,22 @@ running Docker containers.
 | host.os.name | Operating system name, without the version. | keyword | |
 | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | |
 | host.os.version | Operating system version as a raw string. | keyword | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
+| host.uptime | Seconds the host has been up. | long | |
+| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| host.user.email | User email address. | keyword | |
+| host.user.full_name | User's full name, if available. | keyword | |
+| host.user.full_name.text | Multi-field of `host.user.full_name`. | match_only_text | |
+| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| host.user.group.id | Unique identifier for the group on the system/platform. | keyword | |
+| host.user.group.name | Name of the group. | keyword | |
+| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | |
+| host.user.id | Unique identifier of the user. | keyword | |
+| host.user.name | Short name or login of the user.
| keyword | |
+| host.user.name.text | Multi-field of `host.user.name`. | match_only_text | |
+| host.user.roles | Array of user roles at the time of the event. | keyword | |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
@@ -178,11 +212,31 @@ The Docker `cpu` data stream collects runtime CPU metrics.
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
 | event.dataset | Event dataset | constant_keyword | | |
 | event.module | Event module | constant_keyword | | |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | |
 | host.architecture | Operating system architecture. | keyword | | |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.geo.city_name | City name. | keyword | | |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | |
+| host.geo.continent_name | Name of the continent. | keyword | | |
+| host.geo.country_iso_code | Country ISO code. | keyword | | |
+| host.geo.country_name | Country name.
| keyword | | |
+| host.geo.location | Longitude and latitude. | geo_point | | |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | |
+| host.geo.region_iso_code | Region ISO code. | keyword | | |
+| host.geo.region_name | Region name. | keyword | | |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
 | host.ip | Host ip addresses. | ip | | |
 | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.
| long | | |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
 | host.os.full | Operating system name, including the version or code name. | keyword | | |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | |
@@ -190,8 +244,22 @@ The Docker `cpu` data stream collects runtime CPU metrics.
 | host.os.name | Operating system name, without the version. | keyword | | |
 | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | |
 | host.os.version | Operating system version as a raw string. | keyword | | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
+| host.uptime | Seconds the host has been up. | long | | |
+| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| host.user.email | User email address. | keyword | | |
+| host.user.full_name | User's full name, if available. | keyword | | |
+| host.user.full_name.text | Multi-field of `host.user.full_name`. | match_only_text | | |
+| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| host.user.group.id | Unique identifier for the group on the system/platform. | keyword | | |
+| host.user.group.name | Name of the group. | keyword | | |
+| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | |
+| host.user.id | Unique identifier of the user.
| keyword | | |
+| host.user.name | Short name or login of the user. | keyword | | |
+| host.user.name.text | Multi-field of `host.user.name`. | match_only_text | | |
+| host.user.roles | Array of user roles at the time of the event. | keyword | | |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
@@ -363,11 +431,31 @@ The Docker `diskio` data stream collects disk I/O metrics.
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
 | event.dataset | Event dataset | constant_keyword | | |
 | event.module | Event module | constant_keyword | | |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | |
 | host.architecture | Operating system architecture. | keyword | | |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.geo.city_name | City name. | keyword | | |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | |
+| host.geo.continent_name | Name of the continent. | keyword | | |
+| host.geo.country_iso_code | Country ISO code. | keyword | | |
+| host.geo.country_name | Country name.
| keyword | | |
+| host.geo.location | Longitude and latitude. | geo_point | | |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | |
+| host.geo.region_iso_code | Region ISO code. | keyword | | |
+| host.geo.region_name | Region name. | keyword | | |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
 | host.ip | Host ip addresses. | ip | | |
 | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.
| long | | |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
 | host.os.full | Operating system name, including the version or code name. | keyword | | |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | |
@@ -375,8 +463,22 @@ The Docker `diskio` data stream collects disk I/O metrics.
 | host.os.name | Operating system name, without the version. | keyword | | |
 | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | |
 | host.os.version | Operating system version as a raw string. | keyword | | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
+| host.uptime | Seconds the host has been up. | long | | |
+| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| host.user.email | User email address. | keyword | | |
+| host.user.full_name | User's full name, if available. | keyword | | |
+| host.user.full_name.text | Multi-field of `host.user.full_name`. | match_only_text | | |
+| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| host.user.group.id | Unique identifier for the group on the system/platform. | keyword | | |
+| host.user.group.name | Name of the group. | keyword | | |
+| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | |
+| host.user.id | Unique identifier of the user.
| keyword | | |
+| host.user.name | Short name or login of the user. | keyword | | |
+| host.user.name.text | Multi-field of `host.user.name`. | match_only_text | | |
+| host.user.roles | Array of user roles at the time of the event. | keyword | | |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
@@ -465,11 +567,31 @@ The Docker `event` data stream collects docker events
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude.
| geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
 | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection.
| long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.full | Operating system name, including the version or code name. | keyword |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
@@ -477,8 +599,22 @@ The Docker `event` data stream collects docker events
 | host.os.name | Operating system name, without the version. | keyword |
 | host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
+| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| host.user.email | User email address. | keyword |
+| host.user.full_name | User's full name, if available. | keyword |
+| host.user.full_name.text | Multi-field of `host.user.full_name`. | match_only_text |
+| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| host.user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| host.user.group.name | Name of the group. | keyword |
+| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| host.user.id | Unique identifier of the user. | keyword |
+| host.user.name | Short name or login of the user. | keyword |
+| host.user.name.text | Multi-field of `host.user.name`. | match_only_text |
+| host.user.roles | Array of user roles at the time of the event. | keyword |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
@@ -547,11 +683,31 @@ docker `HEALTHCHECK` instruction has been used to build the docker image.
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
 | event.dataset | Event dataset | constant_keyword | |
 | event.module | Event module | constant_keyword | |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | |
 | host.architecture | Operating system architecture. | keyword | |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.geo.city_name | City name. | keyword | |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword | |
+| host.geo.continent_name | Name of the continent. | keyword | |
+| host.geo.country_iso_code | Country ISO code. | keyword | |
+| host.geo.country_name | Country name. | keyword | |
+| host.geo.location | Longitude and latitude. | geo_point | |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | |
+| host.geo.region_iso_code | Region ISO code. | keyword | |
+| host.geo.region_name | Region name. | keyword | |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
 | host.ip | Host ip addresses. | ip | |
 | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
 | host.os.full | Operating system name, including the version or code name. | keyword | |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | |
@@ -559,8 +715,22 @@ docker `HEALTHCHECK` instruction has been used to build the docker image.
 | host.os.name | Operating system name, without the version. | keyword | |
 | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | |
 | host.os.version | Operating system version as a raw string. | keyword | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
+| host.uptime | Seconds the host has been up. | long | |
+| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| host.user.email | User email address. | keyword | |
+| host.user.full_name | User's full name, if available. | keyword | |
+| host.user.full_name.text | Multi-field of `host.user.full_name`. | match_only_text | |
+| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| host.user.group.id | Unique identifier for the group on the system/platform. | keyword | |
+| host.user.group.name | Name of the group. | keyword | |
+| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | |
+| host.user.id | Unique identifier of the user. | keyword | |
+| host.user.name | Short name or login of the user. | keyword | |
+| host.user.name.text | Multi-field of `host.user.name`. | match_only_text | |
+| host.user.roles | Array of user roles at the time of the event. | keyword | |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
@@ -655,11 +825,31 @@ The Docker `image` data stream collects metrics on docker images
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
 | event.dataset | Event dataset | constant_keyword | |
 | event.module | Event module | constant_keyword | |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | |
 | host.architecture | Operating system architecture. | keyword | |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.geo.city_name | City name. | keyword | |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword | |
+| host.geo.continent_name | Name of the continent. | keyword | |
+| host.geo.country_iso_code | Country ISO code. | keyword | |
+| host.geo.country_name | Country name. | keyword | |
+| host.geo.location | Longitude and latitude. | geo_point | |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | |
+| host.geo.region_iso_code | Region ISO code. | keyword | |
+| host.geo.region_name | Region name. | keyword | |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
 | host.ip | Host ip addresses. | ip | |
 | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
 | host.os.full | Operating system name, including the version or code name. | keyword | |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | |
@@ -667,8 +857,22 @@ The Docker `image` data stream collects metrics on docker images
 | host.os.name | Operating system name, without the version. | keyword | |
 | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | |
 | host.os.version | Operating system version as a raw string. | keyword | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
+| host.uptime | Seconds the host has been up. | long | |
+| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| host.user.email | User email address. | keyword | |
+| host.user.full_name | User's full name, if available. | keyword | |
+| host.user.full_name.text | Multi-field of `host.user.full_name`. | match_only_text | |
+| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| host.user.group.id | Unique identifier for the group on the system/platform. | keyword | |
+| host.user.group.name | Name of the group. | keyword | |
+| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | |
+| host.user.id | Unique identifier of the user. | keyword | |
+| host.user.name | Short name or login of the user. | keyword | |
+| host.user.name.text | Multi-field of `host.user.name`. | match_only_text | |
+| host.user.roles | Array of user roles at the time of the event. | keyword | |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
@@ -746,11 +950,31 @@ https://docs.docker.com/engine/reference/api/docker_remote_api_v1.24/#/display-s
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
 | event.dataset | Event dataset | constant_keyword | |
 | event.module | Event module | constant_keyword | |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | |
 | host.architecture | Operating system architecture. | keyword | |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.geo.city_name | City name. | keyword | |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword | |
+| host.geo.continent_name | Name of the continent. | keyword | |
+| host.geo.country_iso_code | Country ISO code. | keyword | |
+| host.geo.country_name | Country name. | keyword | |
+| host.geo.location | Longitude and latitude. | geo_point | |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | |
+| host.geo.region_iso_code | Region ISO code. | keyword | |
+| host.geo.region_name | Region name. | keyword | |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
 | host.ip | Host ip addresses. | ip | |
 | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
 | host.os.full | Operating system name, including the version or code name. | keyword | |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | |
@@ -758,8 +982,22 @@ https://docs.docker.com/engine/reference/api/docker_remote_api_v1.24/#/display-s
 | host.os.name | Operating system name, without the version. | keyword | |
 | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | |
 | host.os.version | Operating system version as a raw string. | keyword | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
+| host.uptime | Seconds the host has been up. | long | |
+| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| host.user.email | User email address. | keyword | |
+| host.user.full_name | User's full name, if available. | keyword | |
+| host.user.full_name.text | Multi-field of `host.user.full_name`. | match_only_text | |
+| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| host.user.group.id | Unique identifier for the group on the system/platform. | keyword | |
+| host.user.group.name | Name of the group. | keyword | |
+| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | |
+| host.user.id | Unique identifier of the user. | keyword | |
+| host.user.name | Short name or login of the user. | keyword | |
+| host.user.name.text | Multi-field of `host.user.name`. | match_only_text | |
+| host.user.roles | Array of user roles at the time of the event. | keyword | |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
@@ -829,11 +1067,31 @@ The Docker `memory` data stream collects memory metrics from docker.
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
 | event.dataset | Event dataset | constant_keyword | | |
 | event.module | Event module | constant_keyword | | |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | |
 | host.architecture | Operating system architecture. | keyword | | |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.geo.city_name | City name. | keyword | | |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | |
+| host.geo.continent_name | Name of the continent. | keyword | | |
+| host.geo.country_iso_code | Country ISO code. | keyword | | |
+| host.geo.country_name | Country name. | keyword | | |
+| host.geo.location | Longitude and latitude. | geo_point | | |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | |
+| host.geo.region_iso_code | Region ISO code. | keyword | | |
+| host.geo.region_name | Region name. | keyword | | |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
 | host.ip | Host ip addresses. | ip | | |
 | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
 | host.os.full | Operating system name, including the version or code name. | keyword | | |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | |
@@ -841,8 +1099,22 @@ The Docker `memory` data stream collects memory metrics from docker.
 | host.os.name | Operating system name, without the version. | keyword | | |
 | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | |
 | host.os.version | Operating system version as a raw string. | keyword | | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
+| host.uptime | Seconds the host has been up. | long | | |
+| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| host.user.email | User email address. | keyword | | |
+| host.user.full_name | User's full name, if available. | keyword | | |
+| host.user.full_name.text | Multi-field of `host.user.full_name`. | match_only_text | | |
+| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| host.user.group.id | Unique identifier for the group on the system/platform. | keyword | | |
+| host.user.group.name | Name of the group. | keyword | | |
+| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | |
+| host.user.id | Unique identifier of the user. | keyword | | |
+| host.user.name | Short name or login of the user. | keyword | | |
+| host.user.name.text | Multi-field of `host.user.name`. | match_only_text | | |
+| host.user.roles | Array of user roles at the time of the event. | keyword | | |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
@@ -958,11 +1230,31 @@ The Docker `network` data stream collects network metrics. | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | event.dataset | Event dataset | constant_keyword | | | event.module | Event module | constant_keyword | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | host.architecture | Operating system architecture. | keyword | | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | +| host.geo.city_name | City name. | keyword | | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | +| host.geo.continent_name | Name of the continent. | keyword | | +| host.geo.country_iso_code | Country ISO code. | keyword | | +| host.geo.country_name | Country name. 
| keyword | | +| host.geo.location | Longitude and latitude. | geo_point | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | +| host.geo.region_iso_code | Region ISO code. | keyword | | +| host.geo.region_name | Region name. | keyword | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | host.ip | Host ip addresses. | ip | | | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | host.os.full | Operating system name, including the version or code name. | keyword | | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | 
@@ -970,8 +1262,22 @@ The Docker `network` data stream collects network metrics. | host.os.name | Operating system name, without the version. | keyword | | | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | host.os.version | Operating system version as a raw string. | keyword | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | +| host.uptime | Seconds the host has been up. | long | | +| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | +| host.user.email | User email address. | keyword | | +| host.user.full_name | User's full name, if available. | keyword | | +| host.user.full_name.text | Multi-field of `host.user.full_name`. | match_only_text | | +| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | +| host.user.group.id | Unique identifier for the group on the system/platform. | keyword | | +| host.user.group.name | Name of the group. | keyword | | +| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | +| host.user.id | Unique identifier of the user. 
| keyword | | +| host.user.name | Short name or login of the user. | keyword | | +| host.user.name.text | Multi-field of `host.user.name`. | match_only_text | | +| host.user.roles | Array of user roles at the time of the event. | keyword | | | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | diff --git a/packages/elastic_agent/data_stream/elastic_agent_metrics/fields/beat-fields.yml b/packages/elastic_agent/data_stream/elastic_agent_metrics/fields/beat-fields.yml index 0c063d19aee..b33ee877b00 100644 --- a/packages/elastic_agent/data_stream/elastic_agent_metrics/fields/beat-fields.yml +++ b/packages/elastic_agent/data_stream/elastic_agent_metrics/fields/beat-fields.yml 
@@ -1,81 +1,3 @@ - name: beat.type descripion: Beat type. type: keyword -- name: beat.stats - description: Beat stats - type: group - fields: - - name: libbeat - type: group - description: > - Fields common to all Beats - - fields: - - name: output - type: group - description: > - Output stats - - fields: - - name: events - type: group - description: > - Event counters - - fields: - - name: acked - type: long - description: > - Number of events acknowledged - - - name: active - type: long - description: > - Number of active events - - - name: batches - type: long - description: > - Number of event batches - - - name: dropped - type: long - description: > - Number of events dropped - - - name: duplicates - type: long - description: > - Number of events duplicated - - - name: failed - type: long - description: > - Number of events failed - - - name: toomany - type: long - description: > - Number of too many events - - - name: total - type: long - description: > - Total number of events - - - name: write - type: group - description: > - Write stats - - fields: - - name: bytes - type: long - description: > - Number of bytes written - - - name: errors - type: long - description: > - Number of write errors - diff --git a/packages/elasticsearch/data_stream/audit/fields/ecs.yml b/packages/elasticsearch/data_stream/audit/fields/ecs.yml index b59e389809c..b0e9dad68d3 100644 --- a/packages/elasticsearch/data_stream/audit/fields/ecs.yml +++ b/packages/elasticsearch/data_stream/audit/fields/ecs.yml @@ -1,16 +1,8 @@ - external: ecs name: http -- external: ecs - name: http.request.body.content - external: ecs name: source -- external: ecs - name: source.ip - external: ecs name: url -- external: ecs - name: url.original - external: ecs name: user -- external: ecs - name: user.name diff --git a/packages/elasticsearch/data_stream/ccr/fields/base-fields.yml b/packages/elasticsearch/data_stream/ccr/fields/base-fields.yml index 7c798f4534c..a3e80e3a547 100644 
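Review bot: The one field this hunk leaves in place, `beat.type`, carries its description under a misspelled key — `descripion: Beat type.` — so the only surviving definition in this file is effectively undocumented, and the unknown key is likely to be rejected or silently ignored by package-spec validation. Since the file is being reduced to this single entry anyway, correct the key in the same change: `description: Beat type.`. The remainder of the hunk is the removal of the `beat.stats` group, which this note does not re-raise.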
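Review bot: Dropping the leaf `external: ecs` entries (`http.request.body.content`, `source.ip`, `url.original`, `user.name`) while keeping the group-level `http`, `source`, `url` and `user` entries changes what the audit data stream maps: the README hunk for the same package in this commit shows the mapping growing from those four fields to every field of the four groups, including `url.password`, `user.hash`, the `source.nat.*` fields and the `user.changes`/`user.effective`/`user.target` sub-objects. If the audit ingest pipeline only ever populates the four original fields, the leaner option is the reverse of this hunk — keep the four leaf entries and remove the group-level entries — so the index mapping stays limited to what is actually emitted. If the wider mapping is intended, a one-line comment above the group entries stating why would make the intent clear to the next reader.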
--- a/packages/elasticsearch/data_stream/ccr/fields/base-fields.yml +++ b/packages/elasticsearch/data_stream/ccr/fields/base-fields.yml @@ -7,6 +7,3 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/elasticsearch/data_stream/ml_job/fields/base-fields.yml b/packages/elasticsearch/data_stream/ml_job/fields/base-fields.yml index 7c798f4534c..a3e80e3a547 100644 --- a/packages/elasticsearch/data_stream/ml_job/fields/base-fields.yml +++ b/packages/elasticsearch/data_stream/ml_job/fields/base-fields.yml @@ -7,6 +7,3 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/elasticsearch/docs/README.md b/packages/elasticsearch/docs/README.md index 456dc33182c..9c7d3a9f0f8 100644 --- a/packages/elasticsearch/docs/README.md +++ b/packages/elasticsearch/docs/README.md 
@@ -50,17 +50,123 @@ The Elasticsearch package is compatible with logs from Elasticsearch 6.2 and new | elasticsearch.node.id | ID of the node | keyword | | elasticsearch.node.name | Name of the node | keyword | | elasticsearch.shard.id | Id of the shard | keyword | -| http | Fields related to HTTP activity. Use the `url` field set to store the url of the request. | group | +| http.request.body.bytes | Size in bytes of the request body. | long | | http.request.body.content | The full HTTP request body. | wildcard | | http.request.body.content.text | Multi-field of `http.request.body.content`. | match_only_text | -| source | Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. | group | +| http.request.bytes | Total size in bytes of the request (body and headers). | long | +| http.request.id | A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. | keyword | +| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | +| http.request.mime_type | Mime type of the body of the request. 
This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.bytes | Size in bytes of the response body. | long | +| http.response.body.content | The full HTTP response body. | wildcard | +| http.response.body.content.text | Multi-field of `http.response.body.content`. | match_only_text | +| http.response.bytes | Total size in bytes of the response (body and headers). | long | +| http.response.mime_type | Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. | keyword | +| http.response.status_code | HTTP response status code. | long | +| http.version | HTTP version. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_code | Two-letter code representing continent's name. 
| keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | source.ip | IP address of the source (IPv4 or IPv6). | ip | -| url | URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. | group | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. 
| long | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.email | User email address. | keyword | +| source.user.full_name | User's full name, if available. | keyword | +| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | +| source.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.group.id | Unique identifier for the group on the system/platform. 
| keyword | +| source.user.group.name | Name of the group. | keyword | +| source.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| source.user.roles | Array of user roles at the time of the event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | | url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. 
This field is meant to represent the URL as it was observed, complete or not. | wildcard | | url.original.text | Multi-field of `url.original`. | match_only_text | -| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
| keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| url.username | Username of the request. | keyword | +| user.changes.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.changes.email | User email address. | keyword | +| user.changes.full_name | User's full name, if available. | keyword | +| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | +| user.changes.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.changes.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.changes.group.name | Name of the group. | keyword | +| user.changes.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.changes.id | Unique identifier of the user. | keyword | +| user.changes.name | Short name or login of the user. | keyword | +| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | +| user.changes.roles | Array of user roles at the time of the event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.email | User email address. 
| keyword | +| user.effective.full_name | User's full name, if available. | keyword | +| user.effective.full_name.text | Multi-field of `user.effective.full_name`. | match_only_text | +| user.effective.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.effective.group.name | Name of the group. | keyword | +| user.effective.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.effective.id | Unique identifier of the user. | keyword | +| user.effective.name | Short name or login of the user. | keyword | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | +| user.effective.roles | Array of user roles at the time of the event. | keyword | +| user.email | User email address. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.group.name | Name of the group. | keyword | +| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.id | Unique identifier of the user. | keyword | | user.name | Short name or login of the user. | keyword | | user.name.text | Multi-field of `user.name`. | match_only_text | +| user.roles | Array of user roles at the time of the event. | keyword | +| user.target.domain | Name of the directory the user is a member of. 
For example, an LDAP or Active Directory domain name. | keyword | +| user.target.email | User email address. | keyword | +| user.target.full_name | User's full name, if available. | keyword | +| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | +| user.target.roles | Array of user roles at the time of the event. | keyword | ### Deprecation diff --git a/packages/f5/data_stream/bigipafm/fields/base-fields.yml b/packages/f5/data_stream/bigipafm/fields/base-fields.yml index a4f2b5492fe..62774970e58 100644 --- a/packages/f5/data_stream/bigipafm/fields/base-fields.yml +++ b/packages/f5/data_stream/bigipafm/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: f5.bigipafm -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 @@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword 
diff --git a/packages/f5/data_stream/bigipapm/fields/base-fields.yml b/packages/f5/data_stream/bigipapm/fields/base-fields.yml index 88bd33161a9..6735d33f76a 100644 --- a/packages/f5/data_stream/bigipapm/fields/base-fields.yml +++ b/packages/f5/data_stream/bigipapm/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: f5.bigipapm -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 @@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/fim/data_stream/event/fields/agent.yml b/packages/fim/data_stream/event/fields/agent.yml index e313ec82874..f027c185f47 100644 --- a/packages/fim/data_stream/event/fields/agent.yml +++ b/packages/fim/data_stream/event/fields/agent.yml @@ -77,11 +77,6 @@ type: object object_type: keyword description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 @@ -90,12 +85,6 @@ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - name: domain level: extended type: keyword diff --git a/packages/fireeye/data_stream/nx/fields/agent.yml b/packages/fireeye/data_stream/nx/fields/agent.yml index a371c03d96d..368be734273 100644 --- a/packages/fireeye/data_stream/nx/fields/agent.yml +++ b/packages/fireeye/data_stream/nx/fields/agent.yml 
@@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/fireeye/data_stream/nx/fields/ecs.yml b/packages/fireeye/data_stream/nx/fields/ecs.yml index f1d3ef0500a..e42fbd85c1a 100644 --- a/packages/fireeye/data_stream/nx/fields/ecs.yml +++ b/packages/fireeye/data_stream/nx/fields/ecs.yml @@ -62,8 +62,6 @@ name: source.ip - external: ecs name: destination.address -- external: ecs - name: destination.port - external: ecs name: destination.as.number - external: ecs diff --git a/packages/fortinet/data_stream/clientendpoint/fields/agent.yml b/packages/fortinet/data_stream/clientendpoint/fields/agent.yml index da4e652c53b..38bb8dcec56 100644 --- a/packages/fortinet/data_stream/clientendpoint/fields/agent.yml +++ b/packages/fortinet/data_stream/clientendpoint/fields/agent.yml @@ -105,13 +105,6 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword 
@@ -121,22 +114,6 @@ As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - name: os.family level: extended type: keyword diff --git a/packages/fortinet/data_stream/clientendpoint/fields/base-fields.yml b/packages/fortinet/data_stream/clientendpoint/fields/base-fields.yml index 82f01336920..08b97d5f8d8 100644 --- a/packages/fortinet/data_stream/clientendpoint/fields/base-fields.yml +++ b/packages/fortinet/data_stream/clientendpoint/fields/base-fields.yml @@ -15,13 +15,6 @@ type: constant_keyword description: Event dataset value: fortinet.clientendpoint -- name: '@timestamp' - type: date - description: Event timestamp. -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword - name: input.type description: Type of Filebeat input. type: keyword @@ -39,8 +32,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/fortinet/data_stream/firewall/fields/agent.yml b/packages/fortinet/data_stream/firewall/fields/agent.yml index f6127c3e224..8e774447801 100644 --- a/packages/fortinet/data_stream/firewall/fields/agent.yml +++ b/packages/fortinet/data_stream/firewall/fields/agent.yml 
@@ -58,11 +58,6 @@ description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." type: group fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - name: image.name level: extended type: keyword diff --git a/packages/fortinet/data_stream/firewall/fields/base-fields.yml b/packages/fortinet/data_stream/firewall/fields/base-fields.yml index 40a25351115..7c798f4534c 100644 --- a/packages/fortinet/data_stream/firewall/fields/base-fields.yml +++ b/packages/fortinet/data_stream/firewall/fields/base-fields.yml @@ -7,14 +7,6 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: fortinet -- name: event.dataset - type: constant_keyword - description: Event dataset - value: fortinet.firewall - name: '@timestamp' type: date description: Event timestamp. diff --git a/packages/fortinet/data_stream/fortimail/fields/agent.yml b/packages/fortinet/data_stream/fortimail/fields/agent.yml index da4e652c53b..38bb8dcec56 100644 --- a/packages/fortinet/data_stream/fortimail/fields/agent.yml +++ b/packages/fortinet/data_stream/fortimail/fields/agent.yml @@ -105,13 +105,6 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword 
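Review bot: Dropping `event.dataset` and `event.module` from `packages/fortinet/data_stream/firewall/fields/base-fields.yml` changes `event.dataset` from a `constant_keyword` with `value: fortinet.firewall` to the plain ECS `keyword` definition, as the regenerated fortinet README hunk later on this page shows (`constant_keyword` becomes `keyword`). The other three fortinet data streams (clientendpoint, fortimail, fortimanager) keep their `value:` entries in this commit, so firewall becomes the inconsistent one. With the constant_keyword the value was guaranteed at the index level; with a keyword it is present only when the ingest pipeline sets it, so dashboards and detection rules filtering on `event.dataset: fortinet.firewall` now depend on that pipeline step, which is not visible here. If the duplicate is against an `external: ecs` reference elsewhere in the firewall data stream, removing that reference and keeping these two constant_keyword definitions would satisfy the check without the mapping change.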
@@ -121,22 +114,6 @@ As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - name: os.family level: extended type: keyword diff --git a/packages/fortinet/data_stream/fortimail/fields/base-fields.yml b/packages/fortinet/data_stream/fortimail/fields/base-fields.yml index 50a37950c47..835e6882275 100644 --- a/packages/fortinet/data_stream/fortimail/fields/base-fields.yml +++ b/packages/fortinet/data_stream/fortimail/fields/base-fields.yml @@ -15,13 +15,6 @@ type: constant_keyword description: Event dataset value: fortinet.fortimail -- name: '@timestamp' - type: date - description: Event timestamp. -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword - name: input.type description: Type of Filebeat input. type: keyword @@ -39,8 +32,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/fortinet/data_stream/fortimanager/fields/agent.yml b/packages/fortinet/data_stream/fortimanager/fields/agent.yml index da4e652c53b..38bb8dcec56 100644 --- a/packages/fortinet/data_stream/fortimanager/fields/agent.yml +++ b/packages/fortinet/data_stream/fortimanager/fields/agent.yml 
@@ -105,13 +105,6 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword @@ -121,22 +114,6 @@ As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - name: os.family level: extended type: keyword diff --git a/packages/fortinet/data_stream/fortimanager/fields/base-fields.yml b/packages/fortinet/data_stream/fortimanager/fields/base-fields.yml index bbad94843bc..d9f35d7c497 100644 --- a/packages/fortinet/data_stream/fortimanager/fields/base-fields.yml +++ b/packages/fortinet/data_stream/fortimanager/fields/base-fields.yml @@ -15,13 +15,6 @@ type: constant_keyword description: Event dataset value: fortinet.fortimanager -- name: '@timestamp' - type: date - description: Event timestamp. -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword - name: input.type description: Type of Filebeat input. type: keyword @@ -39,8 +32,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword 
diff --git a/packages/fortinet/docs/README.md b/packages/fortinet/docs/README.md index e5f17a143da..8c2b4a28330 100644 --- a/packages/fortinet/docs/README.md +++ b/packages/fortinet/docs/README.md 
@@ -224,7 +224,7 @@ An example event for `firewall` looks as following:
 | error.message | Error message. | match_only_text |
 | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
 | event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword |
-| event.dataset | Event dataset | constant_keyword |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
 | event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
 | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
 | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | diff --git a/packages/google_workspace/data_stream/admin/fields/agent.yml b/packages/google_workspace/data_stream/admin/fields/agent.yml index e313ec82874..616523c9e12 100644 --- a/packages/google_workspace/data_stream/admin/fields/agent.yml +++ b/packages/google_workspace/data_stream/admin/fields/agent.yml @@ -77,11 +77,6 @@ type: object object_type: keyword description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 diff --git a/packages/google_workspace/data_stream/drive/fields/agent.yml b/packages/google_workspace/data_stream/drive/fields/agent.yml index e313ec82874..616523c9e12 100644 --- a/packages/google_workspace/data_stream/drive/fields/agent.yml +++ b/packages/google_workspace/data_stream/drive/fields/agent.yml @@ -77,11 +77,6 @@ type: object object_type: keyword description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 diff --git a/packages/google_workspace/data_stream/groups/fields/agent.yml b/packages/google_workspace/data_stream/groups/fields/agent.yml index e313ec82874..616523c9e12 100644 --- a/packages/google_workspace/data_stream/groups/fields/agent.yml +++ b/packages/google_workspace/data_stream/groups/fields/agent.yml 
@@ -77,11 +77,6 @@ type: object object_type: keyword description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 diff --git a/packages/google_workspace/data_stream/login/fields/agent.yml b/packages/google_workspace/data_stream/login/fields/agent.yml index e313ec82874..616523c9e12 100644 --- a/packages/google_workspace/data_stream/login/fields/agent.yml +++ b/packages/google_workspace/data_stream/login/fields/agent.yml @@ -77,11 +77,6 @@ type: object object_type: keyword description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 diff --git a/packages/google_workspace/data_stream/saml/fields/agent.yml b/packages/google_workspace/data_stream/saml/fields/agent.yml index e313ec82874..616523c9e12 100644 --- a/packages/google_workspace/data_stream/saml/fields/agent.yml +++ b/packages/google_workspace/data_stream/saml/fields/agent.yml @@ -77,11 +77,6 @@ type: object object_type: keyword description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 diff --git a/packages/google_workspace/data_stream/user_accounts/fields/agent.yml b/packages/google_workspace/data_stream/user_accounts/fields/agent.yml index e313ec82874..616523c9e12 100644 --- a/packages/google_workspace/data_stream/user_accounts/fields/agent.yml +++ b/packages/google_workspace/data_stream/user_accounts/fields/agent.yml @@ -77,11 +77,6 @@ type: object object_type: keyword description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 diff --git a/packages/hadoop/data_stream/application/fields/beats.yml b/packages/hadoop/data_stream/application/fields/beats.yml index ede69588554..22565288a1d 100644 
--- a/packages/hadoop/data_stream/application/fields/beats.yml +++ b/packages/hadoop/data_stream/application/fields/beats.yml @@ -1,6 +1,3 @@ - name: input.type description: Type of Filebeat input. type: keyword -- name: tags - type: keyword - description: User defined tags diff --git a/packages/hadoop/docs/README.md b/packages/hadoop/docs/README.md index 6338972541a..d2147f9a394 100644 --- a/packages/hadoop/docs/README.md +++ b/packages/hadoop/docs/README.md @@ -101,7 +101,7 @@ An example event for `application` looks as following: | hadoop.application.time.started | Application start time | date | | hadoop.application.vcore_seconds | The amount of CPU resources the application has allocated | long | | input.type | Type of Filebeat input. | keyword | -| tags | User defined tags | keyword | +| tags | List of keywords used to tag each event. | keyword | ## cluster diff --git a/packages/haproxy/data_stream/info/fields/ecs.yml b/packages/haproxy/data_stream/info/fields/ecs.yml index 89b163a3aa1..13ceaf2f995 100644 --- a/packages/haproxy/data_stream/info/fields/ecs.yml +++ b/packages/haproxy/data_stream/info/fields/ecs.yml @@ -1,7 +1,5 @@ - external: ecs name: process -- external: ecs - name: process.pid - external: ecs name: service.address - external: ecs diff --git a/packages/haproxy/data_stream/stat/fields/ecs.yml b/packages/haproxy/data_stream/stat/fields/ecs.yml index 89b163a3aa1..13ceaf2f995 100644 --- a/packages/haproxy/data_stream/stat/fields/ecs.yml +++ b/packages/haproxy/data_stream/stat/fields/ecs.yml @@ -1,7 +1,5 @@ - external: ecs name: process -- external: ecs - name: process.pid - external: ecs name: service.address - external: ecs diff --git a/packages/haproxy/docs/README.md b/packages/haproxy/docs/README.md index 3abf57087da..306d0412596 100644 --- a/packages/haproxy/docs/README.md +++ b/packages/haproxy/docs/README.md 
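Review bot: Removing `process.pid` while keeping the `process` group reference in `packages/haproxy/data_stream/info/fields/ecs.yml` and `packages/haproxy/data_stream/stat/fields/ecs.yml` makes both data streams map the entire ECS process field set, which the regenerated haproxy README hunk that follows shows expanding from a single `process` group row to roughly 140 rows (process.elf.*, process.parent.*, process.code_signature.*, process.hash.*, and so on). The existing README table lists `process.pid` as the only populated process field for these metrics, so the group reference adds a large number of unused fields to each index template and counts toward the mapping field limit. The narrower fix is the inverse of this hunk: drop the `- external: ecs` / `name: process` entry and keep `- external: ecs` / `name: process.pid` in both files, which also keeps the README table to the field that is actually reported.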
@@ -505,8 +505,148 @@ The fields reported are:
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group |
+| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword |
+| process.code_signature.exists | Boolean to capture if a signature is present. | boolean |
+| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
+| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
| keyword |
+| process.code_signature.subject_name | Subject name of the code signer | keyword |
+| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword |
+| process.code_signature.timestamp | Date and time when the code signature was generated and signed. | date |
+| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean |
+| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.elf.architecture | Machine architecture of the ELF file. | keyword |
+| process.elf.byte_order | Byte sequence of ELF file. | keyword |
+| process.elf.cpu_type | CPU type of the ELF file. | keyword |
+| process.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date |
+| process.elf.exports | List of exported element names and types. | flattened |
+| process.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword |
+| process.elf.header.class | Header class of the ELF file. | keyword |
+| process.elf.header.data | Data table of the ELF header. | keyword |
+| process.elf.header.entrypoint | Header entrypoint of the ELF file. | long |
+| process.elf.header.object_version | "0x1" for original ELF files. 
| keyword | +| process.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | +| process.elf.header.type | Header type of the ELF file. | keyword | +| process.elf.header.version | Version of the ELF header. | keyword | +| process.elf.imports | List of imported element names and types. | flattened | +| process.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | +| process.elf.sections.chi2 | Chi-square probability distribution of the section. | long | +| process.elf.sections.entropy | Shannon entropy calculation from the section. | long | +| process.elf.sections.flags | ELF Section List flags. | keyword | +| process.elf.sections.name | ELF Section List name. | keyword | +| process.elf.sections.physical_offset | ELF Section List offset. | keyword | +| process.elf.sections.physical_size | ELF Section List physical size. | long | +| process.elf.sections.type | ELF Section List type. | keyword | +| process.elf.sections.virtual_address | ELF Section List virtual address. | long | +| process.elf.sections.virtual_size | ELF Section List virtual size. | long | +| process.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | +| process.elf.segments.sections | ELF object segment sections. | keyword | +| process.elf.segments.type | ELF object segment type. | keyword | +| process.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | +| process.elf.telfhash | telfhash symbol hash for ELF file. | keyword | +| process.end | The time the process ended. | date | +| process.entity_id | Unique identifier for the process. 
The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.hash.md5 | MD5 hash. | keyword | +| process.hash.sha1 | SHA1 hash. | keyword | +| process.hash.sha256 | SHA256 hash. | keyword | +| process.hash.sha512 | SHA512 hash. | keyword | +| process.hash.ssdeep | SSDEEP hash. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.parent.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | +| process.parent.code_signature.exists | Boolean to capture if a signature is present. 
| boolean | +| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | +| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | +| process.parent.code_signature.subject_name | Subject name of the code signer | keyword | +| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | +| process.parent.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | +| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | +| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | +| process.parent.elf.architecture | Machine architecture of the ELF file. | keyword | +| process.parent.elf.byte_order | Byte sequence of ELF file. | keyword | +| process.parent.elf.cpu_type | CPU type of the ELF file. 
| keyword | +| process.parent.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | +| process.parent.elf.exports | List of exported element names and types. | flattened | +| process.parent.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | +| process.parent.elf.header.class | Header class of the ELF file. | keyword | +| process.parent.elf.header.data | Data table of the ELF header. | keyword | +| process.parent.elf.header.entrypoint | Header entrypoint of the ELF file. | long | +| process.parent.elf.header.object_version | "0x1" for original ELF files. | keyword | +| process.parent.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | +| process.parent.elf.header.type | Header type of the ELF file. | keyword | +| process.parent.elf.header.version | Version of the ELF header. | keyword | +| process.parent.elf.imports | List of imported element names and types. | flattened | +| process.parent.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | +| process.parent.elf.sections.chi2 | Chi-square probability distribution of the section. | long | +| process.parent.elf.sections.entropy | Shannon entropy calculation from the section. | long | +| process.parent.elf.sections.flags | ELF Section List flags. | keyword | +| process.parent.elf.sections.name | ELF Section List name. | keyword | +| process.parent.elf.sections.physical_offset | ELF Section List offset. | keyword | +| process.parent.elf.sections.physical_size | ELF Section List physical size. | long | +| process.parent.elf.sections.type | ELF Section List type. | keyword | +| process.parent.elf.sections.virtual_address | ELF Section List virtual address. 
| long | +| process.parent.elf.sections.virtual_size | ELF Section List virtual size. | long | +| process.parent.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | +| process.parent.elf.segments.sections | ELF object segment sections. | keyword | +| process.parent.elf.segments.type | ELF object segment type. | keyword | +| process.parent.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | +| process.parent.elf.telfhash | telfhash symbol hash for ELF file. | keyword | +| process.parent.end | The time the process ended. | date | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.parent.executable | Absolute path to the process executable. | keyword | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | +| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.parent.hash.md5 | MD5 hash. | keyword | +| process.parent.hash.sha1 | SHA1 hash. | keyword | +| process.parent.hash.sha256 | SHA256 hash. | keyword | +| process.parent.hash.sha512 | SHA512 hash. | keyword | +| process.parent.hash.ssdeep | SSDEEP hash. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. 
| match_only_text | +| process.parent.pe.architecture | CPU architecture target for the file. | keyword | +| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | +| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | +| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | +| process.parent.pgid | Identifier of the group of processes the process belongs to. | long | +| process.parent.pid | Process id. | long | +| process.parent.start | The time the process started. | date | +| process.parent.thread.id | Thread ID. | long | +| process.parent.thread.name | Thread name. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.parent.uptime | Seconds the process has been up. | long | +| process.parent.working_directory | The working directory of the process. | keyword | +| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. | match_only_text | +| process.pe.architecture | CPU architecture target for the file. 
| keyword |
+| process.pe.company | Internal company name of the file, provided at compile-time. | keyword |
+| process.pe.description | Internal description of the file, provided at compile-time. | keyword |
+| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword |
+| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
+| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
+| process.pe.product | Internal product name of the file, provided at compile-time. | keyword |
+| process.pgid | Identifier of the group of processes the process belongs to. | long |
 | process.pid | Process id. | long |
+| process.start | The time the process started. | date |
+| process.thread.id | Thread ID. | long |
+| process.thread.name | Thread name. | keyword |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.title.text | Multi-field of `process.title`. | match_only_text |
+| process.uptime | Seconds the process has been up. | long |
+| process.working_directory | The working directory of the process. | keyword |
+| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. 
Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | 
@@ -734,8 +874,148 @@ The fields reported are: | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | +| process.code_signature.exists | Boolean to capture if a signature is present. | boolean | +| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | +| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
| keyword | +| process.code_signature.subject_name | Subject name of the code signer | keyword | +| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | +| process.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | +| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | +| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.elf.architecture | Machine architecture of the ELF file. | keyword | +| process.elf.byte_order | Byte sequence of ELF file. | keyword | +| process.elf.cpu_type | CPU type of the ELF file. | keyword | +| process.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | +| process.elf.exports | List of exported element names and types. | flattened | +| process.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | +| process.elf.header.class | Header class of the ELF file. | keyword | +| process.elf.header.data | Data table of the ELF header. | keyword | +| process.elf.header.entrypoint | Header entrypoint of the ELF file. | long | +| process.elf.header.object_version | "0x1" for original ELF files. 
| keyword | +| process.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | +| process.elf.header.type | Header type of the ELF file. | keyword | +| process.elf.header.version | Version of the ELF header. | keyword | +| process.elf.imports | List of imported element names and types. | flattened | +| process.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | +| process.elf.sections.chi2 | Chi-square probability distribution of the section. | long | +| process.elf.sections.entropy | Shannon entropy calculation from the section. | long | +| process.elf.sections.flags | ELF Section List flags. | keyword | +| process.elf.sections.name | ELF Section List name. | keyword | +| process.elf.sections.physical_offset | ELF Section List offset. | keyword | +| process.elf.sections.physical_size | ELF Section List physical size. | long | +| process.elf.sections.type | ELF Section List type. | keyword | +| process.elf.sections.virtual_address | ELF Section List virtual address. | long | +| process.elf.sections.virtual_size | ELF Section List virtual size. | long | +| process.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | +| process.elf.segments.sections | ELF object segment sections. | keyword | +| process.elf.segments.type | ELF object segment type. | keyword | +| process.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | +| process.elf.telfhash | telfhash symbol hash for ELF file. | keyword | +| process.end | The time the process ended. | date | +| process.entity_id | Unique identifier for the process. 
The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.hash.md5 | MD5 hash. | keyword | +| process.hash.sha1 | SHA1 hash. | keyword | +| process.hash.sha256 | SHA256 hash. | keyword | +| process.hash.sha512 | SHA512 hash. | keyword | +| process.hash.ssdeep | SSDEEP hash. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.parent.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | +| process.parent.code_signature.exists | Boolean to capture if a signature is present. 
| boolean | +| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | +| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | +| process.parent.code_signature.subject_name | Subject name of the code signer | keyword | +| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | +| process.parent.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | +| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | +| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | +| process.parent.elf.architecture | Machine architecture of the ELF file. | keyword | +| process.parent.elf.byte_order | Byte sequence of ELF file. | keyword | +| process.parent.elf.cpu_type | CPU type of the ELF file. 
| keyword | +| process.parent.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | +| process.parent.elf.exports | List of exported element names and types. | flattened | +| process.parent.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | +| process.parent.elf.header.class | Header class of the ELF file. | keyword | +| process.parent.elf.header.data | Data table of the ELF header. | keyword | +| process.parent.elf.header.entrypoint | Header entrypoint of the ELF file. | long | +| process.parent.elf.header.object_version | "0x1" for original ELF files. | keyword | +| process.parent.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | +| process.parent.elf.header.type | Header type of the ELF file. | keyword | +| process.parent.elf.header.version | Version of the ELF header. | keyword | +| process.parent.elf.imports | List of imported element names and types. | flattened | +| process.parent.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | +| process.parent.elf.sections.chi2 | Chi-square probability distribution of the section. | long | +| process.parent.elf.sections.entropy | Shannon entropy calculation from the section. | long | +| process.parent.elf.sections.flags | ELF Section List flags. | keyword | +| process.parent.elf.sections.name | ELF Section List name. | keyword | +| process.parent.elf.sections.physical_offset | ELF Section List offset. | keyword | +| process.parent.elf.sections.physical_size | ELF Section List physical size. | long | +| process.parent.elf.sections.type | ELF Section List type. | keyword | +| process.parent.elf.sections.virtual_address | ELF Section List virtual address. 
| long | +| process.parent.elf.sections.virtual_size | ELF Section List virtual size. | long | +| process.parent.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | +| process.parent.elf.segments.sections | ELF object segment sections. | keyword | +| process.parent.elf.segments.type | ELF object segment type. | keyword | +| process.parent.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | +| process.parent.elf.telfhash | telfhash symbol hash for ELF file. | keyword | +| process.parent.end | The time the process ended. | date | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.parent.executable | Absolute path to the process executable. | keyword | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | +| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.parent.hash.md5 | MD5 hash. | keyword | +| process.parent.hash.sha1 | SHA1 hash. | keyword | +| process.parent.hash.sha256 | SHA256 hash. | keyword | +| process.parent.hash.sha512 | SHA512 hash. | keyword | +| process.parent.hash.ssdeep | SSDEEP hash. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. 
| match_only_text | +| process.parent.pe.architecture | CPU architecture target for the file. | keyword | +| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | +| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | +| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | +| process.parent.pgid | Identifier of the group of processes the process belongs to. | long | +| process.parent.pid | Process id. | long | +| process.parent.start | The time the process started. | date | +| process.parent.thread.id | Thread ID. | long | +| process.parent.thread.name | Thread name. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.parent.uptime | Seconds the process has been up. | long | +| process.parent.working_directory | The working directory of the process. | keyword | +| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. | match_only_text | +| process.pe.architecture | CPU architecture target for the file. 
| keyword | +| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | +| process.pe.description | Internal description of the file, provided at compile-time. | keyword | +| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | +| process.pgid | Identifier of the group of processes the process belongs to. | long | | process.pid | Process id. | long | +| process.start | The time the process started. | date | +| process.thread.id | Thread ID. | long | +| process.thread.name | Thread name. | keyword | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| process.uptime | Seconds the process has been up. | long | +| process.working_directory | The working directory of the process. | keyword | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. 
Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/hid_bravura_monitor/data_stream/log/fields/base-fields.yml b/packages/hid_bravura_monitor/data_stream/log/fields/base-fields.yml index cf3e4e13849..46908d2a37e 100644 --- a/packages/hid_bravura_monitor/data_stream/log/fields/base-fields.yml +++ b/packages/hid_bravura_monitor/data_stream/log/fields/base-fields.yml @@ -7,9 +7,6 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. - name: event.module type: constant_keyword description: Event module @@ -21,6 +18,3 @@ - name: log.flags description: Flags for the log file. type: keyword -- name: log.offset - description: Offset of the entry in the log file. - type: long diff --git a/packages/hid_bravura_monitor/data_stream/log/fields/ecs.yml b/packages/hid_bravura_monitor/data_stream/log/fields/ecs.yml index eaee751dad7..fb78acf4391 100644 --- a/packages/hid_bravura_monitor/data_stream/log/fields/ecs.yml +++ b/packages/hid_bravura_monitor/data_stream/log/fields/ecs.yml @@ -48,8 +48,6 @@ name: event.code - external: ecs name: event.created -- external: ecs - name: event.created - external: ecs name: event.duration - external: ecs @@ -206,8 +204,6 @@ name: user.id - external: ecs name: user.name -- external: ecs - name: server.domain - external: ecs name: server.address - external: ecs diff --git a/packages/hid_bravura_monitor/data_stream/winlog/fields/agent.yml b/packages/hid_bravura_monitor/data_stream/winlog/fields/agent.yml index da4e652c53b..5d8b5c2999b 100644 --- a/packages/hid_bravura_monitor/data_stream/winlog/fields/agent.yml +++ b/packages/hid_bravura_monitor/data_stream/winlog/fields/agent.yml 
@@ -130,13 +130,6 @@ type: keyword ignore_above: 1024 description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - name: os.family level: extended type: keyword diff --git a/packages/hid_bravura_monitor/data_stream/winlog/fields/base-fields.yml b/packages/hid_bravura_monitor/data_stream/winlog/fields/base-fields.yml index ecf4acb535d..868421f01f2 100644 --- a/packages/hid_bravura_monitor/data_stream/winlog/fields/base-fields.yml +++ b/packages/hid_bravura_monitor/data_stream/winlog/fields/base-fields.yml @@ -11,10 +11,6 @@ - name: '@timestamp' type: date description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: hid_bravura_monitor - name: event.dataset type: constant_keyword description: Event dataset. diff --git a/packages/hid_bravura_monitor/docs/README.md b/packages/hid_bravura_monitor/docs/README.md index 5018e8a093b..ae419ff7169 100644 --- a/packages/hid_bravura_monitor/docs/README.md +++ b/packages/hid_bravura_monitor/docs/README.md 
@@ -239,7 +239,7 @@ An example event for `log` looks as following: | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | client.domain | Client domain. | keyword | | client.ip | IP address of the client (IPv4 or IPv6). | ip | diff --git a/packages/iis/data_stream/access/fields/agent.yml b/packages/iis/data_stream/access/fields/agent.yml index da4e652c53b..3cb905c19c2 100644 --- a/packages/iis/data_stream/access/fields/agent.yml +++ b/packages/iis/data_stream/access/fields/agent.yml @@ -105,13 +105,6 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword diff --git a/packages/iis/data_stream/access/fields/ecs.yml b/packages/iis/data_stream/access/fields/ecs.yml index 80a028d9cb0..295c38639a3 100644 --- a/packages/iis/data_stream/access/fields/ecs.yml +++ b/packages/iis/data_stream/access/fields/ecs.yml 
@@ -72,22 +72,14 @@ name: user.name - external: ecs name: user_agent.device.name -- external: ecs - name: user_agent.device.name -- external: ecs - name: user_agent.name - external: ecs name: user_agent.name - external: ecs name: user_agent.original -- external: ecs - name: user_agent.original - external: ecs name: user_agent.os.full - external: ecs name: user_agent.os.name -- external: ecs - name: user_agent.os.name - external: ecs name: user_agent.os.version - external: ecs diff --git a/packages/imperva/data_stream/securesphere/fields/base-fields.yml b/packages/imperva/data_stream/securesphere/fields/base-fields.yml index dc56d4aaff7..9ce3355258d 100644 --- a/packages/imperva/data_stream/securesphere/fields/base-fields.yml +++ b/packages/imperva/data_stream/securesphere/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: imperva.securesphere -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 @@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/infoblox/data_stream/nios/fields/base-fields.yml b/packages/infoblox/data_stream/nios/fields/base-fields.yml index f9d913dd565..8abe062e052 100644 --- a/packages/infoblox/data_stream/nios/fields/base-fields.yml +++ b/packages/infoblox/data_stream/nios/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: infoblox.nios -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 
@@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/infoblox_nios/data_stream/log/fields/agent.yml b/packages/infoblox_nios/data_stream/log/fields/agent.yml index 6639aec94a9..0f6bda97446 100644 --- a/packages/infoblox_nios/data_stream/log/fields/agent.yml +++ b/packages/infoblox_nios/data_stream/log/fields/agent.yml @@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/juniper/data_stream/junos/fields/agent.yml b/packages/juniper/data_stream/junos/fields/agent.yml index da4e652c53b..38bb8dcec56 100644 --- a/packages/juniper/data_stream/junos/fields/agent.yml +++ b/packages/juniper/data_stream/junos/fields/agent.yml @@ -105,13 +105,6 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword 
@@ -121,22 +114,6 @@ As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - name: os.family level: extended type: keyword diff --git a/packages/juniper/data_stream/junos/fields/base-fields.yml b/packages/juniper/data_stream/junos/fields/base-fields.yml index 6092398a3f1..8401571ede4 100644 --- a/packages/juniper/data_stream/junos/fields/base-fields.yml +++ b/packages/juniper/data_stream/junos/fields/base-fields.yml @@ -15,13 +15,6 @@ type: constant_keyword description: Event dataset value: juniper.junos -- name: '@timestamp' - type: date - description: Event timestamp. -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword - name: input.type description: Type of Filebeat input. type: keyword @@ -39,8 +32,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/juniper/data_stream/netscreen/fields/agent.yml b/packages/juniper/data_stream/netscreen/fields/agent.yml index da4e652c53b..38bb8dcec56 100644 --- a/packages/juniper/data_stream/netscreen/fields/agent.yml +++ b/packages/juniper/data_stream/netscreen/fields/agent.yml 
@@ -105,13 +105,6 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword @@ -121,22 +114,6 @@ As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - name: os.family level: extended type: keyword diff --git a/packages/juniper/data_stream/netscreen/fields/base-fields.yml b/packages/juniper/data_stream/netscreen/fields/base-fields.yml index db5ff9a4dad..181f1fddbeb 100644 --- a/packages/juniper/data_stream/netscreen/fields/base-fields.yml +++ b/packages/juniper/data_stream/netscreen/fields/base-fields.yml @@ -15,13 +15,6 @@ type: constant_keyword description: Event dataset value: juniper.netscreen -- name: '@timestamp' - type: date - description: Event timestamp. -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword - name: input.type description: Type of Filebeat input. type: keyword @@ -39,8 +32,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword 
diff --git a/packages/juniper/data_stream/srx/fields/agent.yml b/packages/juniper/data_stream/srx/fields/agent.yml
index c5d5959b5ab..3d3ef02e8c5 100644
--- a/packages/juniper/data_stream/srx/fields/agent.yml
+++ b/packages/juniper/data_stream/srx/fields/agent.yml
@@ -5,83 +5,9 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 
@@ -90,95 +16,6 @@ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/juniper/data_stream/srx/fields/base-fields.yml b/packages/juniper/data_stream/srx/fields/base-fields.yml index 2b9703542a6..5e633cd76ab 100644 --- a/packages/juniper/data_stream/srx/fields/base-fields.yml +++ b/packages/juniper/data_stream/srx/fields/base-fields.yml @@ -15,6 +15,3 @@ type: constant_keyword description: Event dataset value: juniper.srx -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/juniper/data_stream/srx/fields/ecs.yml b/packages/juniper/data_stream/srx/fields/ecs.yml index 5708c81eb0c..5d0de23e023 100644 --- a/packages/juniper/data_stream/srx/fields/ecs.yml +++ b/packages/juniper/data_stream/srx/fields/ecs.yml @@ -542,8 +542,6 @@ name: interface.id - external: ecs name: interface.name -- external: ecs - name: labels - external: ecs name: log.file.path - external: ecs diff --git a/packages/juniper/docs/README.md b/packages/juniper/docs/README.md index f1cbbdd29f3..ab2082048e0 100644 --- a/packages/juniper/docs/README.md +++ b/packages/juniper/docs/README.md 
@@ -47,7 +47,7 @@ The following processes and tags are supported:
 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
 | agent.build.original | Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. | keyword |
 | agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword |
 | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword |
@@ -101,7 +101,7 @@ The following processes and tags are supported:
 | cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
 | cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
 | code_signature.exists | Boolean to capture if a signature is present. | boolean |
 | code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
 | code_signature.subject_name | Subject name of the code signer | keyword |
@@ -319,7 +319,7 @@ The following processes and tags are supported:
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
@@ -882,7 +882,7 @@ The `junos` dataset collects Juniper JUNOS logs.
 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
 | agent.build.original | Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. | keyword |
 | agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword |
 | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword |
@@ -936,7 +936,7 @@ The `junos` dataset collects Juniper JUNOS logs.
 | cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
 | cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
 | code_signature.exists | Boolean to capture if a signature is present. | boolean |
 | code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
 | code_signature.subject_name | Subject name of the code signer | keyword |
@@ -1154,7 +1154,7 @@ The `junos` dataset collects Juniper JUNOS logs.
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
diff --git a/packages/juniper_junos/data_stream/log/fields/agent.yml b/packages/juniper_junos/data_stream/log/fields/agent.yml
index da4e652c53b..38bb8dcec56 100644
--- a/packages/juniper_junos/data_stream/log/fields/agent.yml +++ b/packages/juniper_junos/data_stream/log/fields/agent.yml @@ -105,13 +105,6 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword @@ -121,22 +114,6 @@ As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - name: os.family level: extended type: keyword diff --git a/packages/juniper_junos/data_stream/log/fields/base-fields.yml b/packages/juniper_junos/data_stream/log/fields/base-fields.yml index d93730c7a76..5b3ee114e0f 100644 --- a/packages/juniper_junos/data_stream/log/fields/base-fields.yml +++ b/packages/juniper_junos/data_stream/log/fields/base-fields.yml @@ -15,13 +15,6 @@ type: constant_keyword description: Event dataset value: juniper_junos.log -- name: '@timestamp' - type: date - description: Event timestamp. -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword - name: input.type description: Type of Filebeat input. type: keyword 
@@ -39,8 +32,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/juniper_netscreen/data_stream/log/fields/agent.yml b/packages/juniper_netscreen/data_stream/log/fields/agent.yml index da4e652c53b..38bb8dcec56 100644 --- a/packages/juniper_netscreen/data_stream/log/fields/agent.yml +++ b/packages/juniper_netscreen/data_stream/log/fields/agent.yml @@ -105,13 +105,6 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword @@ -121,22 +114,6 @@ As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - name: os.family level: extended type: keyword diff --git a/packages/juniper_netscreen/data_stream/log/fields/base-fields.yml b/packages/juniper_netscreen/data_stream/log/fields/base-fields.yml index 82882053b69..905f87d3120 100644 --- a/packages/juniper_netscreen/data_stream/log/fields/base-fields.yml +++ b/packages/juniper_netscreen/data_stream/log/fields/base-fields.yml 
@@ -15,13 +15,6 @@ type: constant_keyword description: Event dataset value: juniper_netscreen.log -- name: '@timestamp' - type: date - description: Event timestamp. -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword - name: input.type description: Type of Filebeat input. type: keyword @@ -39,8 +32,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/juniper_srx/data_stream/log/fields/agent.yml b/packages/juniper_srx/data_stream/log/fields/agent.yml index c5d5959b5ab..3d3ef02e8c5 100644 --- a/packages/juniper_srx/data_stream/log/fields/agent.yml +++ b/packages/juniper_srx/data_stream/log/fields/agent.yml 
@@ -5,83 +5,9 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 
@@ -90,95 +16,6 @@ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/juniper_srx/data_stream/log/fields/base-fields.yml b/packages/juniper_srx/data_stream/log/fields/base-fields.yml index 5b1dbba23c1..5d7fc0ea18a 100644 --- a/packages/juniper_srx/data_stream/log/fields/base-fields.yml +++ b/packages/juniper_srx/data_stream/log/fields/base-fields.yml @@ -15,6 +15,3 @@ type: constant_keyword description: Event dataset value: juniper_srx.log -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/juniper_srx/docs/README.md b/packages/juniper_srx/docs/README.md index cd744d74530..685b9788488 100644 --- a/packages/juniper_srx/docs/README.md +++ b/packages/juniper_srx/docs/README.md 
@@ -43,7 +43,7 @@ The following processes and tags are supported:
 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
 | agent.build.original | Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. | keyword |
 | agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword |
 | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword |
@@ -97,7 +97,7 @@ The following processes and tags are supported:
 | cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
 | cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
 | code_signature.exists | Boolean to capture if a signature is present. | boolean |
 | code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
 | code_signature.subject_name | Subject name of the code signer | keyword |
@@ -315,7 +315,7 @@ The following processes and tags are supported:
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
diff --git a/packages/linux/data_stream/service/fields/agent.yml b/packages/linux/data_stream/service/fields/agent.yml
index da4e652c53b..3c816026810 100644
--- a/packages/linux/data_stream/service/fields/agent.yml
+++ b/packages/linux/data_stream/service/fields/agent.yml
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/linux/data_stream/service/fields/ecs.yml b/packages/linux/data_stream/service/fields/ecs.yml index 8a4edf8d0e0..d1bfe41a38d 100644 --- a/packages/linux/data_stream/service/fields/ecs.yml +++ b/packages/linux/data_stream/service/fields/ecs.yml 
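Review bot: Deleting the whole `host` group in this linux/service agent.yml also removes `host.containerized`, `host.os.build` and `host.os.codename`, which are package-specific rather than ECS fields, so the `- external: ecs` / `name: host` group import that linux/service ecs.yml keeps cannot bring them back; the linux README hunk in this same change bears that out, since its rows for those three fields are removed and none of the newly listed host.* rows replaces them. The juniper agent.yml hunks in this change delete only the ECS-owned host fields and leave `containerized`, `os.build` and `os.codename` in place as context lines, so linux/service is the one package that loses them. If the agent's host-metadata enrichment populates these on service events (likely, but not visible here), they will now be dynamically mapped or silently dropped depending on the template's dynamic setting, and any dashboard or detection rule that filters on them stops matching without an error. Keep a trimmed group here, `- name: host` / `type: group` / `fields:`, containing only the three non-ECS definitions this hunk deletes, which also keeps the package consistent with the juniper ones. The enclosing top-level YAML list starts before this hunk.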
@@ -8,43 +8,7 @@ name: service.type - external: ecs name: process -- external: ecs - name: process.name -- external: ecs - name: process.pgid -- external: ecs - name: process.exit_code -- external: ecs - name: process.pid -- external: ecs - name: process.ppid -- external: ecs - name: process.working_directory - external: ecs name: user -- external: ecs - name: user.name - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type diff --git a/packages/linux/data_stream/socket/fields/ecs.yml b/packages/linux/data_stream/socket/fields/ecs.yml index 6e399523d80..847ebcc752d 100644 --- a/packages/linux/data_stream/socket/fields/ecs.yml +++ b/packages/linux/data_stream/socket/fields/ecs.yml @@ -8,21 +8,7 @@ name: service.type - external: ecs name: network -- external: ecs - name: network.direction -- external: ecs - name: network.type - external: ecs name: process -- external: ecs - name: process.executable -- external: ecs - name: process.name -- external: ecs - name: process.pid - external: ecs name: user -- external: ecs - name: user.full_name -- external: ecs - name: user.id diff --git a/packages/linux/data_stream/users/fields/ecs.yml b/packages/linux/data_stream/users/fields/ecs.yml index 7117f20e5cb..549f1c964e1 100644 --- a/packages/linux/data_stream/users/fields/ecs.yml +++ b/packages/linux/data_stream/users/fields/ecs.yml @@ -8,7 +8,3 @@ name: service.type - external: ecs name: source -- external: ecs - name: source.ip -- external: ecs - name: source.port diff --git a/packages/linux/docs/README.md b/packages/linux/docs/README.md index a5a133a5d37..061744baad0 100644 
--- a/packages/linux/docs/README.md +++ b/packages/linux/docs/README.md 
@@ -253,17 +253,31 @@ This data stream is available on: | event.dataset | Event dataset | constant_keyword | | event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | | event.module | Event module | constant_keyword | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. | keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. 
| geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | 
@@ -271,15 +285,164 @@ This data stream is available on:
 | host.os.name | Operating system name, without the version. | keyword |
 | host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group |
+| host.uptime | Seconds the host has been up. | long |
+| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| host.user.email | User email address. | keyword |
+| host.user.full_name | User's full name, if available. | keyword |
+| host.user.full_name.text | Multi-field of `host.user.full_name`. | match_only_text |
+| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| host.user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| host.user.group.name | Name of the group. | keyword |
+| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| host.user.id | Unique identifier of the user. | keyword |
+| host.user.name | Short name or login of the user. | keyword |
+| host.user.name.text | Multi-field of `host.user.name`. | match_only_text |
+| host.user.roles | Array of user roles at the time of the event. | keyword |
+| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword |
+| process.code_signature.exists | Boolean to capture if a signature is present. | boolean |
+| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
+| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| process.code_signature.subject_name | Subject name of the code signer | keyword |
+| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword |
+| process.code_signature.timestamp | Date and time when the code signature was generated and signed. | date |
+| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean |
+| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.elf.architecture | Machine architecture of the ELF file. | keyword |
+| process.elf.byte_order | Byte sequence of ELF file. | keyword |
+| process.elf.cpu_type | CPU type of the ELF file. | keyword |
+| process.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date |
+| process.elf.exports | List of exported element names and types. | flattened |
+| process.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword |
+| process.elf.header.class | Header class of the ELF file. | keyword |
+| process.elf.header.data | Data table of the ELF header. | keyword |
+| process.elf.header.entrypoint | Header entrypoint of the ELF file. | long |
+| process.elf.header.object_version | "0x1" for original ELF files. | keyword |
+| process.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword |
+| process.elf.header.type | Header type of the ELF file. | keyword |
+| process.elf.header.version | Version of the ELF header. | keyword |
+| process.elf.imports | List of imported element names and types. | flattened |
+| process.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested |
+| process.elf.sections.chi2 | Chi-square probability distribution of the section. | long |
+| process.elf.sections.entropy | Shannon entropy calculation from the section. | long |
+| process.elf.sections.flags | ELF Section List flags. | keyword |
+| process.elf.sections.name | ELF Section List name. | keyword |
+| process.elf.sections.physical_offset | ELF Section List offset. | keyword |
+| process.elf.sections.physical_size | ELF Section List physical size. | long |
+| process.elf.sections.type | ELF Section List type. | keyword |
+| process.elf.sections.virtual_address | ELF Section List virtual address. | long |
+| process.elf.sections.virtual_size | ELF Section List virtual size. | long |
+| process.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested |
+| process.elf.segments.sections | ELF object segment sections. | keyword |
+| process.elf.segments.type | ELF object segment type. | keyword |
+| process.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword |
+| process.elf.telfhash | telfhash symbol hash for ELF file. | keyword |
+| process.end | The time the process ended. | date |
+| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
 | process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long |
+| process.hash.md5 | MD5 hash. | keyword |
+| process.hash.sha1 | SHA1 hash. | keyword |
+| process.hash.sha256 | SHA256 hash. | keyword |
+| process.hash.sha512 | SHA512 hash. | keyword |
+| process.hash.ssdeep | SSDEEP hash. | keyword |
 | process.name | Process name. Sometimes called program name or similar. | keyword |
 | process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.parent.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword |
+| process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean |
+| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
+| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| process.parent.code_signature.subject_name | Subject name of the code signer | keyword |
+| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword |
+| process.parent.code_signature.timestamp | Date and time when the code signature was generated and signed. | date |
+| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean |
+| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean |
+| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
+| process.parent.elf.architecture | Machine architecture of the ELF file. | keyword |
+| process.parent.elf.byte_order | Byte sequence of ELF file. | keyword |
+| process.parent.elf.cpu_type | CPU type of the ELF file. | keyword |
+| process.parent.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date |
+| process.parent.elf.exports | List of exported element names and types. | flattened |
+| process.parent.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword |
+| process.parent.elf.header.class | Header class of the ELF file. | keyword |
+| process.parent.elf.header.data | Data table of the ELF header. | keyword |
+| process.parent.elf.header.entrypoint | Header entrypoint of the ELF file. | long |
+| process.parent.elf.header.object_version | "0x1" for original ELF files. | keyword |
+| process.parent.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword |
+| process.parent.elf.header.type | Header type of the ELF file. | keyword |
+| process.parent.elf.header.version | Version of the ELF header. | keyword |
+| process.parent.elf.imports | List of imported element names and types. | flattened |
+| process.parent.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested |
+| process.parent.elf.sections.chi2 | Chi-square probability distribution of the section. | long |
+| process.parent.elf.sections.entropy | Shannon entropy calculation from the section. | long |
+| process.parent.elf.sections.flags | ELF Section List flags. | keyword |
+| process.parent.elf.sections.name | ELF Section List name. | keyword |
+| process.parent.elf.sections.physical_offset | ELF Section List offset. | keyword |
+| process.parent.elf.sections.physical_size | ELF Section List physical size. | long |
+| process.parent.elf.sections.type | ELF Section List type. | keyword |
+| process.parent.elf.sections.virtual_address | ELF Section List virtual address. | long |
+| process.parent.elf.sections.virtual_size | ELF Section List virtual size. | long |
+| process.parent.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested |
+| process.parent.elf.segments.sections | ELF object segment sections. | keyword |
+| process.parent.elf.segments.type | ELF object segment type. | keyword |
+| process.parent.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword |
+| process.parent.elf.telfhash | telfhash symbol hash for ELF file. | keyword |
+| process.parent.end | The time the process ended. | date |
+| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.parent.executable | Absolute path to the process executable. | keyword |
+| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
+| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long |
+| process.parent.hash.md5 | MD5 hash. | keyword |
+| process.parent.hash.sha1 | SHA1 hash. | keyword |
+| process.parent.hash.sha256 | SHA256 hash. | keyword |
+| process.parent.hash.sha512 | SHA512 hash. | keyword |
+| process.parent.hash.ssdeep | SSDEEP hash. | keyword |
+| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
+| process.parent.pe.architecture | CPU architecture target for the file. | keyword |
+| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword |
+| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword |
+| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword |
+| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
+| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
+| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword |
+| process.parent.pgid | Identifier of the group of processes the process belongs to. | long |
+| process.parent.pid | Process id. | long |
+| process.parent.ppid | Parent process' pid. | long |
+| process.parent.start | The time the process started. | date |
+| process.parent.thread.id | Thread ID. | long |
+| process.parent.thread.name | Thread name. | keyword |
+| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text |
+| process.parent.uptime | Seconds the process has been up. | long |
+| process.parent.working_directory | The working directory of the process. | keyword |
+| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. | match_only_text |
+| process.pe.architecture | CPU architecture target for the file. | keyword |
+| process.pe.company | Internal company name of the file, provided at compile-time. | keyword |
+| process.pe.description | Internal description of the file, provided at compile-time. | keyword |
+| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword |
+| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
+| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
+| process.pe.product | Internal product name of the file, provided at compile-time. | keyword |
 | process.pgid | Identifier of the group of processes the process belongs to. | long |
 | process.pid | Process id. | long |
 | process.ppid | Parent process' pid. | long |
+| process.start | The time the process started. | date |
+| process.thread.id | Thread ID. | long |
+| process.thread.name | Thread name. | keyword |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.title.text | Multi-field of `process.title`. | match_only_text |
+| process.uptime | Seconds the process has been up. | long |
 | process.working_directory | The working directory of the process. | keyword |
 | process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
@@ -299,9 +462,54 @@ This data stream is available on:
 | system.service.sub_state | The sub-state of the service | keyword |
 | systemd.fragment_path | Service file location | keyword |
 | systemd.unit | Service unit name | keyword |
-| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group |
+| user.changes.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.changes.email | User email address. | keyword |
+| user.changes.full_name | User's full name, if available. | keyword |
+| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text |
+| user.changes.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.changes.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.changes.group.name | Name of the group. | keyword |
+| user.changes.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| user.changes.id | Unique identifier of the user. | keyword |
+| user.changes.name | Short name or login of the user. | keyword |
+| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text |
+| user.changes.roles | Array of user roles at the time of the event. | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.effective.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.effective.email | User email address. | keyword |
+| user.effective.full_name | User's full name, if available. | keyword |
+| user.effective.full_name.text | Multi-field of `user.effective.full_name`. | match_only_text |
+| user.effective.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.effective.group.name | Name of the group. | keyword |
+| user.effective.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| user.effective.id | Unique identifier of the user. | keyword |
+| user.effective.name | Short name or login of the user. | keyword |
+| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text |
+| user.effective.roles | Array of user roles at the time of the event. | keyword |
+| user.email | User email address. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
+| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.group.name | Name of the group. | keyword |
+| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| user.id | Unique identifier of the user. | keyword |
 | user.name | Short name or login of the user. | keyword |
 | user.name.text | Multi-field of `user.name`. | match_only_text |
+| user.roles | Array of user roles at the time of the event. | keyword |
+| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.target.email | User email address. | keyword |
+| user.target.full_name | User's full name, if available. | keyword |
+| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text |
+| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.target.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.target.group.name | Name of the group. | keyword |
+| user.target.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| user.target.id | Unique identifier of the user. | keyword |
+| user.target.name | Short name or login of the user. | keyword |
+| user.target.name.text | Multi-field of `user.target.name`. | match_only_text |
+| user.target.roles | Array of user roles at the time of the event. | keyword |
 
 ### Socket
@@ -356,15 +564,166 @@ missing short-lived connections.
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| network | The network is defined as the communication path over which a host or network event happens. The network.\* fields should be populated with details about the network activity associated with an event. | group |
+| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
+| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword |
 | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
+| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
+| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
+| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
+| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
+| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
+| network.name | Name given by operators to sections of their network. | keyword |
+| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
+| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
+| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
 | network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
-| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group |
+| network.vlan.id | VLAN ID as reported by the observer. | keyword |
+| network.vlan.name | Optional VLAN name as reported by the observer. | keyword |
+| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword |
+| process.code_signature.exists | Boolean to capture if a signature is present. | boolean |
+| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
+| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| process.code_signature.subject_name | Subject name of the code signer | keyword |
+| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword |
+| process.code_signature.timestamp | Date and time when the code signature was generated and signed. | date |
+| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean |
+| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.elf.architecture | Machine architecture of the ELF file. | keyword |
+| process.elf.byte_order | Byte sequence of ELF file. | keyword |
+| process.elf.cpu_type | CPU type of the ELF file. | keyword |
+| process.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date |
+| process.elf.exports | List of exported element names and types. | flattened |
+| process.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword |
+| process.elf.header.class | Header class of the ELF file. | keyword |
+| process.elf.header.data | Data table of the ELF header. | keyword |
+| process.elf.header.entrypoint | Header entrypoint of the ELF file. | long |
+| process.elf.header.object_version | "0x1" for original ELF files. | keyword |
+| process.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword |
+| process.elf.header.type | Header type of the ELF file. | keyword |
+| process.elf.header.version | Version of the ELF header. | keyword |
+| process.elf.imports | List of imported element names and types. | flattened |
+| process.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested |
+| process.elf.sections.chi2 | Chi-square probability distribution of the section. | long |
+| process.elf.sections.entropy | Shannon entropy calculation from the section. | long |
+| process.elf.sections.flags | ELF Section List flags. | keyword |
+| process.elf.sections.name | ELF Section List name. | keyword |
+| process.elf.sections.physical_offset | ELF Section List offset. | keyword |
+| process.elf.sections.physical_size | ELF Section List physical size. | long |
+| process.elf.sections.type | ELF Section List type. | keyword |
+| process.elf.sections.virtual_address | ELF Section List virtual address. | long |
+| process.elf.sections.virtual_size | ELF Section List virtual size. | long |
+| process.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested |
+| process.elf.segments.sections | ELF object segment sections. | keyword |
+| process.elf.segments.type | ELF object segment type. | keyword |
+| process.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword |
+| process.elf.telfhash | telfhash symbol hash for ELF file. | keyword |
+| process.end | The time the process ended. | date |
+| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
 | process.executable | Absolute path to the process executable. | keyword |
 | process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long |
+| process.hash.md5 | MD5 hash. | keyword |
+| process.hash.sha1 | SHA1 hash. | keyword |
+| process.hash.sha256 | SHA256 hash. | keyword |
+| process.hash.sha512 | SHA512 hash. | keyword |
+| process.hash.ssdeep | SSDEEP hash. | keyword |
 | process.name | Process name. Sometimes called program name or similar. | keyword |
 | process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.parent.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword |
+| process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean |
+| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
+| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| process.parent.code_signature.subject_name | Subject name of the code signer | keyword |
+| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword |
+| process.parent.code_signature.timestamp | Date and time when the code signature was generated and signed. | date |
+| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean |
+| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean |
+| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
+| process.parent.elf.architecture | Machine architecture of the ELF file. | keyword |
+| process.parent.elf.byte_order | Byte sequence of ELF file. | keyword |
+| process.parent.elf.cpu_type | CPU type of the ELF file.
| keyword | +| process.parent.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | +| process.parent.elf.exports | List of exported element names and types. | flattened | +| process.parent.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | +| process.parent.elf.header.class | Header class of the ELF file. | keyword | +| process.parent.elf.header.data | Data table of the ELF header. | keyword | +| process.parent.elf.header.entrypoint | Header entrypoint of the ELF file. | long | +| process.parent.elf.header.object_version | "0x1" for original ELF files. | keyword | +| process.parent.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | +| process.parent.elf.header.type | Header type of the ELF file. | keyword | +| process.parent.elf.header.version | Version of the ELF header. | keyword | +| process.parent.elf.imports | List of imported element names and types. | flattened | +| process.parent.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | +| process.parent.elf.sections.chi2 | Chi-square probability distribution of the section. | long | +| process.parent.elf.sections.entropy | Shannon entropy calculation from the section. | long | +| process.parent.elf.sections.flags | ELF Section List flags. | keyword | +| process.parent.elf.sections.name | ELF Section List name. | keyword | +| process.parent.elf.sections.physical_offset | ELF Section List offset. | keyword | +| process.parent.elf.sections.physical_size | ELF Section List physical size. | long | +| process.parent.elf.sections.type | ELF Section List type. | keyword | +| process.parent.elf.sections.virtual_address | ELF Section List virtual address. 
| long | +| process.parent.elf.sections.virtual_size | ELF Section List virtual size. | long | +| process.parent.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | +| process.parent.elf.segments.sections | ELF object segment sections. | keyword | +| process.parent.elf.segments.type | ELF object segment type. | keyword | +| process.parent.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | +| process.parent.elf.telfhash | telfhash symbol hash for ELF file. | keyword | +| process.parent.end | The time the process ended. | date | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.parent.executable | Absolute path to the process executable. | keyword | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | +| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.parent.hash.md5 | MD5 hash. | keyword | +| process.parent.hash.sha1 | SHA1 hash. | keyword | +| process.parent.hash.sha256 | SHA256 hash. | keyword | +| process.parent.hash.sha512 | SHA512 hash. | keyword | +| process.parent.hash.ssdeep | SSDEEP hash. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. 
| match_only_text | +| process.parent.pe.architecture | CPU architecture target for the file. | keyword | +| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | +| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | +| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | +| process.parent.pgid | Identifier of the group of processes the process belongs to. | long | +| process.parent.pid | Process id. | long | +| process.parent.ppid | Parent process' pid. | long | +| process.parent.start | The time the process started. | date | +| process.parent.thread.id | Thread ID. | long | +| process.parent.thread.name | Thread name. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.parent.uptime | Seconds the process has been up. | long | +| process.parent.working_directory | The working directory of the process. | keyword | +| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. 
| match_only_text | +| process.pe.architecture | CPU architecture target for the file. | keyword | +| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | +| process.pe.description | Internal description of the file, provided at compile-time. | keyword | +| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | +| process.pgid | Identifier of the group of processes the process belongs to. | long | | process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.start | The time the process started. | date | +| process.thread.id | Thread ID. | long | +| process.thread.name | Thread name. | keyword | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| process.uptime | Seconds the process has been up. | long | +| process.working_directory | The working directory of the process. | keyword | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). 
| keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | system.socket.local.ip | Local IP address. This can be an IPv4 or IPv6 address. | ip | 
@@ -375,10 +734,54 @@ missing short-lived connections. | system.socket.remote.host_error | Error describing the cause of the reverse lookup failure. | keyword | | system.socket.remote.ip | Remote IP address. This can be an IPv4 or IPv6 address. | ip | | system.socket.remote.port | Remote port. | long | -| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | +| user.changes.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.changes.email | User email address. | keyword | +| user.changes.full_name | User's full name, if available. | keyword | +| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | +| user.changes.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.changes.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.changes.group.name | Name of the group. | keyword | +| user.changes.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.changes.id | Unique identifier of the user. | keyword | +| user.changes.name | Short name or login of the user. | keyword | +| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | +| user.changes.roles | Array of user roles at the time of the event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.email | User email address. 
| keyword | +| user.effective.full_name | User's full name, if available. | keyword | +| user.effective.full_name.text | Multi-field of `user.effective.full_name`. | match_only_text | +| user.effective.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.effective.group.name | Name of the group. | keyword | +| user.effective.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.effective.id | Unique identifier of the user. | keyword | +| user.effective.name | Short name or login of the user. | keyword | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | +| user.effective.roles | Array of user roles at the time of the event. | keyword | +| user.email | User email address. | keyword | | user.full_name | User's full name, if available. | keyword | | user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.group.name | Name of the group. | keyword | +| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.roles | Array of user roles at the time of the event. | keyword | +| user.target.domain | Name of the directory the user is a member of. 
For example, an LDAP or Active Directory domain name. | keyword | +| user.target.email | User email address. | keyword | +| user.target.full_name | User's full name, if available. | keyword | +| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | +| user.target.roles | Array of user roles at the time of the event. | keyword | ### Users 
@@ -429,9 +832,44 @@ The linux/users data stream reports logged in users and associated sessions via | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | -| source | Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. | group | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. 
| match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_code | Two-letter code representing continent's name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. 
| long | | source.port | Port of the source. | long | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.email | User email address. | keyword | +| source.user.full_name | User's full name, if available. | keyword | +| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | +| source.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. 
| keyword |
+| source.user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| source.user.group.name | Name of the group. | keyword |
+| source.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| source.user.id | Unique identifier of the user. | keyword |
+| source.user.name | Short name or login of the user. | keyword |
+| source.user.name.text | Multi-field of `source.user.name`. | match_only_text |
+| source.user.roles | Array of user roles at the time of the event. | keyword |
 | system.users.id | The ID of the session | keyword |
 | system.users.leader | The root PID of the session | long |
 | system.users.path | The DBus object path of the session | keyword |
diff --git a/packages/m365_defender/data_stream/log/fields/ecs.yml b/packages/m365_defender/data_stream/log/fields/ecs.yml
index be5c5190a6f..90a15fb258a 100644
--- a/packages/m365_defender/data_stream/log/fields/ecs.yml
+++ b/packages/m365_defender/data_stream/log/fields/ecs.yml
@@ -56,8 +56,6 @@
 name: url.full
 - external: ecs
 name: url.domain
-- external: ecs
- name: url.full
 - external: ecs
 name: url.extension
 - external: ecs
diff --git a/packages/microsoft/data_stream/defender_atp/fields/agent.yml b/packages/microsoft/data_stream/defender_atp/fields/agent.yml
index e313ec82874..ee2550ac82e 100644
--- a/packages/microsoft/data_stream/defender_atp/fields/agent.yml
+++ b/packages/microsoft/data_stream/defender_atp/fields/agent.yml
@@ -54,34 +54,6 @@
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
diff --git a/packages/microsoft/data_stream/dhcp/fields/agent.yml b/packages/microsoft/data_stream/dhcp/fields/agent.yml
index da4e652c53b..38bb8dcec56 100644
--- a/packages/microsoft/data_stream/dhcp/fields/agent.yml
+++ b/packages/microsoft/data_stream/dhcp/fields/agent.yml
@@ -105,13 +105,6 @@
 For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
 - name: id
 level: core
 type: keyword
@@ -121,22 +114,6 @@
 As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/microsoft/data_stream/dhcp/fields/base-fields.yml b/packages/microsoft/data_stream/dhcp/fields/base-fields.yml
index cd35075f6e4..5eb984d0e1a 100644
--- a/packages/microsoft/data_stream/dhcp/fields/base-fields.yml
+++ b/packages/microsoft/data_stream/dhcp/fields/base-fields.yml
@@ -15,13 +15,6 @@
 type: constant_keyword
 description: Event dataset
 value: microsoft.dhcp
-- name: '@timestamp'
- type: date
- description: Event timestamp.
-- name: container.id
- description: Unique container id.
- ignore_above: 1024
- type: keyword
 - name: input.type
 description: Type of Filebeat input.
 type: keyword
@@ -39,8 +32,3 @@
 - name: log.offset
 description: Offset of the entry in the log file.
 type: long
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/microsoft_defender_endpoint/data_stream/log/fields/agent.yml b/packages/microsoft_defender_endpoint/data_stream/log/fields/agent.yml
index e313ec82874..ee2550ac82e 100644
--- a/packages/microsoft_defender_endpoint/data_stream/log/fields/agent.yml
+++ b/packages/microsoft_defender_endpoint/data_stream/log/fields/agent.yml
@@ -54,34 +54,6 @@
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
diff --git a/packages/mimecast/data_stream/siem_logs/fields/ecs.yml b/packages/mimecast/data_stream/siem_logs/fields/ecs.yml
index 31577dc1b52..863be6474cd 100644
--- a/packages/mimecast/data_stream/siem_logs/fields/ecs.yml
+++ b/packages/mimecast/data_stream/siem_logs/fields/ecs.yml
@@ -12,8 +12,6 @@
 name: email.attachments.file.mime_type
 - external: ecs
 name: email.attachments.file.name
-- external: ecs
- name: email.attachments.file.name
 - external: ecs
 name: email.attachments.file.size
 - external: ecs
@@ -36,8 +34,6 @@
 name: error.type
 - external: ecs
 name: event.action
-- external: ecs
- name: event.action
 - external: ecs
 name: event.created
 - external: ecs
diff --git a/packages/mimecast/data_stream/ttp_ap_logs/fields/ecs.yml b/packages/mimecast/data_stream/ttp_ap_logs/fields/ecs.yml
index 8c473b28e22..d942cd864e0 100644
--- a/packages/mimecast/data_stream/ttp_ap_logs/fields/ecs.yml
+++ b/packages/mimecast/data_stream/ttp_ap_logs/fields/ecs.yml
@@ -6,8 +6,6 @@
 name: email.attachments.file.hash.sha256
 - external: ecs
 name: email.attachments.file.mime_type
-- external: ecs
- name: email.attachments.file.mime_type
 - external: ecs
 name: email.attachments.file.name
 - external: ecs
@@ -22,8 +20,6 @@
 name: email.to.address
 - external: ecs
 name: event.action
-- external: ecs
- name: event.action
 - external: ecs
 name: event.created
 - external: ecs
diff --git a/packages/mimecast/data_stream/ttp_ip_logs/fields/ecs.yml b/packages/mimecast/data_stream/ttp_ip_logs/fields/ecs.yml
index 9a1770633fc..ae101f9d829 100644
--- a/packages/mimecast/data_stream/ttp_ip_logs/fields/ecs.yml
+++ b/packages/mimecast/data_stream/ttp_ip_logs/fields/ecs.yml
@@ -10,8 +10,6 @@
 name: email.to.address
 - external: ecs
 name: event.action
-- external: ecs
- name: event.action
 - external: ecs
 name: event.created
 - external: ecs
diff --git a/packages/mimecast/data_stream/ttp_url_logs/fields/ecs.yml b/packages/mimecast/data_stream/ttp_url_logs/fields/ecs.yml
index 622f81b6fc7..faf406570c5 100644
--- a/packages/mimecast/data_stream/ttp_url_logs/fields/ecs.yml
+++ b/packages/mimecast/data_stream/ttp_url_logs/fields/ecs.yml
@@ -12,8 +12,6 @@
 name: email.to.address
 - external: ecs
 name: event.action
-- external: ecs
- name: event.action
 - external: ecs
 name: event.created
 - external: ecs
diff --git a/packages/modsecurity/data_stream/auditlog/fields/agent.yml b/packages/modsecurity/data_stream/auditlog/fields/agent.yml
index e313ec82874..3c8ad89f032 100644
--- a/packages/modsecurity/data_stream/auditlog/fields/agent.yml
+++ b/packages/modsecurity/data_stream/auditlog/fields/agent.yml
@@ -121,10 +121,6 @@
 As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/mongodb/data_stream/collstats/fields/base-fields.yml b/packages/mongodb/data_stream/collstats/fields/base-fields.yml
index 20a5c443b50..14cf6ae2090 100644
--- a/packages/mongodb/data_stream/collstats/fields/base-fields.yml
+++ b/packages/mongodb/data_stream/collstats/fields/base-fields.yml
@@ -18,6 +18,3 @@
 - name: '@timestamp'
 type: date
 description: Event timestamp.
-- name: service.address
- type: keyword
- description: Address of the machine where the service is running.
diff --git a/packages/mongodb/data_stream/dbstats/fields/base-fields.yml b/packages/mongodb/data_stream/dbstats/fields/base-fields.yml
index c10e432de6b..f6348f95f7a 100644
--- a/packages/mongodb/data_stream/dbstats/fields/base-fields.yml
+++ b/packages/mongodb/data_stream/dbstats/fields/base-fields.yml
@@ -18,6 +18,3 @@
 - name: '@timestamp'
 type: date
 description: Event timestamp.
-- name: service.address
- type: keyword
- description: Address of the machine where the service is running.
diff --git a/packages/mongodb/data_stream/metrics/fields/base-fields.yml b/packages/mongodb/data_stream/metrics/fields/base-fields.yml
index b7da7cc1960..e43aa3d82c5 100644
--- a/packages/mongodb/data_stream/metrics/fields/base-fields.yml
+++ b/packages/mongodb/data_stream/metrics/fields/base-fields.yml
@@ -18,6 +18,3 @@
 - name: '@timestamp'
 type: date
 description: Event timestamp.
-- name: service.address
- type: keyword
- description: Address of the machine where the service is running.
diff --git a/packages/mongodb/data_stream/replstatus/fields/base-fields.yml b/packages/mongodb/data_stream/replstatus/fields/base-fields.yml
index c3ee6a0e1ee..570a470e320 100644
--- a/packages/mongodb/data_stream/replstatus/fields/base-fields.yml
+++ b/packages/mongodb/data_stream/replstatus/fields/base-fields.yml
@@ -18,6 +18,3 @@
 - name: '@timestamp'
 type: date
 description: Event timestamp.
-- name: service.address
- type: keyword
- description: Address of the machine where the service is running.
diff --git a/packages/mongodb/docs/README.md b/packages/mongodb/docs/README.md
index f76e221f0eb..88193362b07 100644
--- a/packages/mongodb/docs/README.md
+++ b/packages/mongodb/docs/README.md
@@ -988,7 +988,7 @@ The fields reported are:
 | mongodb.replstatus.optimes.last_committed | Information, from the viewpoint of this member, regarding the most recent operation that has been written to a majority of replica set members. | long |
 | mongodb.replstatus.server_date | Reflects the current time according to the server that processed the replSetGetStatus command. | date |
 | mongodb.replstatus.set_name | The name of the replica set. | keyword |
-| service.address | Address of the machine where the service is running. | keyword |
+| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/netflow/data_stream/log/fields/agent.yml b/packages/netflow/data_stream/log/fields/agent.yml
index da4e652c53b..7829f106b67 100644
--- a/packages/netflow/data_stream/log/fields/agent.yml
+++ b/packages/netflow/data_stream/log/fields/agent.yml
@@ -5,83 +5,12 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - name: project.id type: keyword description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 @@ -90,12 +19,6 @@ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - name: domain level: extended type: keyword 
@@ -105,80 +28,6 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/netflow/data_stream/log/fields/base-fields.yml b/packages/netflow/data_stream/log/fields/base-fields.yml index 12d5ac2a456..008a46bbbb1 100644 --- a/packages/netflow/data_stream/log/fields/base-fields.yml +++ b/packages/netflow/data_stream/log/fields/base-fields.yml @@ -15,6 +15,3 @@ type: constant_keyword description: Event dataset value: netflow.log -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/netflow/docs/README.md b/packages/netflow/docs/README.md index 57624813693..fccb3cf0bd7 100644 --- a/packages/netflow/docs/README.md +++ b/packages/netflow/docs/README.md 
@@ -20,7 +20,7 @@ The `log` dataset collects netflow logs.
 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
 | agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword |
 | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword |
 | agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. | keyword |
@@ -70,7 +70,7 @@ The `log` dataset collects netflow logs.
 | cloud.machine.type | Machine type of the host machine. | keyword |
 | cloud.project.id | Name of the project in Google Cloud. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.image.tag | Container image tags. | keyword |
@@ -216,7 +216,7 @@ The `log` dataset collects netflow logs.
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
@@ -225,7 +225,7 @@ The `log` dataset collects netflow logs.
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
diff --git a/packages/netscout/data_stream/sightline/fields/base-fields.yml b/packages/netscout/data_stream/sightline/fields/base-fields.yml index 32ac5000dd4..4e3ab698685 100644 --- a/packages/netscout/data_stream/sightline/fields/base-fields.yml +++ b/packages/netscout/data_stream/sightline/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: netscout.sightline -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 @@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/netskope/data_stream/alerts/fields/agent.yml b/packages/netskope/data_stream/alerts/fields/agent.yml index e313ec82874..56de8d91448 100644 --- a/packages/netskope/data_stream/alerts/fields/agent.yml +++ b/packages/netskope/data_stream/alerts/fields/agent.yml @@ -5,14 +5,6 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - name: availability_zone level: extended type: keyword 
@@ -105,13 +97,6 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword @@ -149,17 +134,6 @@ ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - name: os.platform level: extended type: keyword diff --git a/packages/netskope/data_stream/alerts/fields/ecs.yml b/packages/netskope/data_stream/alerts/fields/ecs.yml index fd79c8e0e94..eb88b129f66 100644 --- a/packages/netskope/data_stream/alerts/fields/ecs.yml +++ b/packages/netskope/data_stream/alerts/fields/ecs.yml @@ -33,8 +33,6 @@ name: destination.geo.region_name - external: ecs name: destination.geo.timezone -- external: ecs - name: destination.ip - external: ecs name: destination.port - external: ecs @@ -86,8 +84,6 @@ name: source.geo.region_name - external: ecs name: source.geo.timezone -- external: ecs - name: source.ip - external: ecs name: source.port - external: ecs diff --git a/packages/netskope/data_stream/events/fields/agent.yml b/packages/netskope/data_stream/events/fields/agent.yml index e313ec82874..74d8fc01ac0 100644 --- a/packages/netskope/data_stream/events/fields/agent.yml +++ b/packages/netskope/data_stream/events/fields/agent.yml 
@@ -42,12 +42,6 @@ ignore_above: 1024 description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - name: project.id type: keyword description: Name of the project in Google Cloud. @@ -105,13 +99,6 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword diff --git a/packages/netskope/data_stream/events/fields/ecs.yml b/packages/netskope/data_stream/events/fields/ecs.yml index 74357380c59..a3cd1f44581 100644 --- a/packages/netskope/data_stream/events/fields/ecs.yml +++ b/packages/netskope/data_stream/events/fields/ecs.yml @@ -4,16 +4,12 @@ name: client.bytes - external: ecs name: client.nat.ip -- external: ecs - name: client.packets - external: ecs name: cloud.account.name - external: ecs name: cloud.region - external: ecs name: cloud.service.name -- external: ecs - name: client.bytes - external: ecs name: destination.address - external: ecs diff --git a/packages/netskope/data_stream/events/fields/fields.yml b/packages/netskope/data_stream/events/fields/fields.yml index e5521ff3c57..89cb9dbdd10 100644 --- a/packages/netskope/data_stream/events/fields/fields.yml +++ b/packages/netskope/data_stream/events/fields/fields.yml @@ -1132,10 +1132,6 @@ type: keyword description: | N/A - - name: url - type: flattened - description: | - URL of the application that the user visited as provided by the log or data plane traffic. - name: url_to_activity type: keyword description: | 
diff --git a/packages/netskope/docs/README.md b/packages/netskope/docs/README.md
index 7e045449c3a..2525c880149 100644
--- a/packages/netskope/docs/README.md
+++ b/packages/netskope/docs/README.md
@@ -2499,7 +2499,7 @@ An example event for `alerts` looks as following:
 | cloud.machine.type | Machine type of the host machine. | keyword |
 | cloud.project.id | Name of the project in Google Cloud. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
 | cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
diff --git a/packages/nginx/data_stream/access/fields/agent.yml b/packages/nginx/data_stream/access/fields/agent.yml
index e313ec82874..3c8ad89f032 100644
--- a/packages/nginx/data_stream/access/fields/agent.yml
+++ b/packages/nginx/data_stream/access/fields/agent.yml
@@ -121,10 +121,6 @@
 As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword
diff --git a/packages/nginx/data_stream/error/fields/agent.yml b/packages/nginx/data_stream/error/fields/agent.yml
index e313ec82874..3c8ad89f032 100644
--- a/packages/nginx/data_stream/error/fields/agent.yml
+++ b/packages/nginx/data_stream/error/fields/agent.yml
@@ -121,10 +121,6 @@ As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/nginx/data_stream/stubstatus/fields/agent.yml b/packages/nginx/data_stream/stubstatus/fields/agent.yml index da4e652c53b..cf8456f8583 100644 --- a/packages/nginx/data_stream/stubstatus/fields/agent.yml +++ b/packages/nginx/data_stream/stubstatus/fields/agent.yml @@ -121,10 +121,6 @@ As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/nginx_ingress_controller/data_stream/access/fields/agent.yml b/packages/nginx_ingress_controller/data_stream/access/fields/agent.yml index e313ec82874..3c8ad89f032 100644 --- a/packages/nginx_ingress_controller/data_stream/access/fields/agent.yml +++ b/packages/nginx_ingress_controller/data_stream/access/fields/agent.yml @@ -121,10 +121,6 @@ As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/o365/data_stream/audit/fields/agent.yml b/packages/o365/data_stream/audit/fields/agent.yml index da4e652c53b..40b6d6a32a2 100644 --- a/packages/o365/data_stream/audit/fields/agent.yml +++ b/packages/o365/data_stream/audit/fields/agent.yml @@ -62,11 +62,6 @@ These fields help correlate data based containers from any runtime.' type: group fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - name: image.name level: extended type: keyword 
@@ -112,15 +107,6 @@ description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - name: ip level: core type: ip @@ -130,13 +116,6 @@ type: keyword ignore_above: 1024 description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - name: os.family level: extended type: keyword diff --git a/packages/okta/data_stream/system/fields/agent.yml b/packages/okta/data_stream/system/fields/agent.yml index da4e652c53b..9dfc8d1aebc 100644 --- a/packages/okta/data_stream/system/fields/agent.yml +++ b/packages/okta/data_stream/system/fields/agent.yml @@ -62,11 +62,6 @@ These fields help correlate data based containers from any runtime.' type: group fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - name: image.name level: extended type: keyword diff --git a/packages/panw/data_stream/panos/fields/agent.yml b/packages/panw/data_stream/panos/fields/agent.yml index 79a7a39864b..c73d2525553 100644 --- a/packages/panw/data_stream/panos/fields/agent.yml +++ b/packages/panw/data_stream/panos/fields/agent.yml @@ -58,11 +58,6 @@ description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime." type: group fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - name: image.name level: extended type: keyword 
diff --git a/packages/panw/data_stream/panos/fields/ecs.yml b/packages/panw/data_stream/panos/fields/ecs.yml
index bf4cc4f094d..f3d7ecdff1b 100644
--- a/packages/panw/data_stream/panos/fields/ecs.yml
+++ b/packages/panw/data_stream/panos/fields/ecs.yml
@@ -84,8 +84,6 @@
 name: file.type
 - external: ecs
 name: labels
-- external: ecs
- name: labels
 - external: ecs
 name: log.level
 - external: ecs
diff --git a/packages/panw_cortex_xdr/data_stream/alerts/fields/agent.yml b/packages/panw_cortex_xdr/data_stream/alerts/fields/agent.yml
index da4e652c53b..93798337211 100644
--- a/packages/panw_cortex_xdr/data_stream/alerts/fields/agent.yml
+++ b/packages/panw_cortex_xdr/data_stream/alerts/fields/agent.yml
@@ -96,40 +96,6 @@
 ignore_above: 1024 description: Operating system architecture. example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - name: name level: core type: keyword
@@ -166,12 +132,6 @@
 ignore_above: 1024
 description: Operating system platform (such centos, ubuntu, windows).
 example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
 - name: type
 level: core
 type: keyword
diff --git a/packages/panw_cortex_xdr/docs/README.md b/packages/panw_cortex_xdr/docs/README.md
index e3584237329..cb094bee06a 100644
--- a/packages/panw_cortex_xdr/docs/README.md
+++ b/packages/panw_cortex_xdr/docs/README.md
@@ -189,7 +189,7 @@ An example event for `alerts` looks as following:
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
diff --git a/packages/postgresql/data_stream/log/fields/fields.yml b/packages/postgresql/data_stream/log/fields/fields.yml
index f25e9ba928a..3da3419b123 100644
--- a/packages/postgresql/data_stream/log/fields/fields.yml
+++ b/packages/postgresql/data_stream/log/fields/fields.yml
@@ -93,12 +93,6 @@
 type: keyword
 description: |
 Type of backend of this event. Possible types are autovacuum launcher, autovacuum worker, logical replication launcher, logical replication worker, parallel worker, background writer, client backend, checkpointer, startup, walreceiver, walsender and walwriter. In addition, background workers registered by extensions may have additional types.
-- name: event.kind
- type: keyword
- description: Event kind (e.g. event)
-- name: event.category
- type: keyword
- description: Event category (e.g. database)
 - name: event.code
 type: keyword
 description: Identification code for this event
diff --git a/packages/postgresql/docs/README.md b/packages/postgresql/docs/README.md
index f99123c2ccb..35281e3a284 100644
--- a/packages/postgresql/docs/README.md
+++ b/packages/postgresql/docs/README.md
@@ -64,7 +64,7 @@ persistent connections, so enable with care.
 | error.code | Error code describing the error. | keyword |
 | error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
-| event.category | Event category (e.g. database) | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
 | event.code | Identification code for this event | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
diff --git a/packages/proofpoint/data_stream/emailsecurity/fields/base-fields.yml b/packages/proofpoint/data_stream/emailsecurity/fields/base-fields.yml index a8d761fd165..be33504baba 100644 --- a/packages/proofpoint/data_stream/emailsecurity/fields/base-fields.yml +++ b/packages/proofpoint/data_stream/emailsecurity/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: proofpoint.emailsecurity -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 @@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/pulse_connect_secure/data_stream/log/fields/ecs.yml b/packages/pulse_connect_secure/data_stream/log/fields/ecs.yml index cd455914c85..199a1b1d4c1 100644 --- a/packages/pulse_connect_secure/data_stream/log/fields/ecs.yml +++ b/packages/pulse_connect_secure/data_stream/log/fields/ecs.yml @@ -84,20 +84,6 @@ name: user_agent.os.version - external: ecs name: source.address -- external: ecs - name: source.as.number -- external: ecs - name: source.as.organization.name -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.country_iso_code -- external: ecs - name: source.geo.country_name -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point - external: ecs name: source.ip - external: ecs diff --git a/packages/rabbitmq/data_stream/connection/fields/ecs.yml b/packages/rabbitmq/data_stream/connection/fields/ecs.yml index 59b37655563..826c95e7a10 100644 --- a/packages/rabbitmq/data_stream/connection/fields/ecs.yml +++ b/packages/rabbitmq/data_stream/connection/fields/ecs.yml 
@@ -1,7 +1,5 @@
 - external: ecs
 name: user
-- external: ecs
- name: user.name
 - external: ecs
 name: ecs.version
 - external: ecs
diff --git a/packages/rabbitmq/data_stream/exchange/fields/ecs.yml b/packages/rabbitmq/data_stream/exchange/fields/ecs.yml
index 59b37655563..826c95e7a10 100644
--- a/packages/rabbitmq/data_stream/exchange/fields/ecs.yml
+++ b/packages/rabbitmq/data_stream/exchange/fields/ecs.yml
@@ -1,7 +1,5 @@
 - external: ecs
 name: user
-- external: ecs
- name: user.name
 - external: ecs
 name: ecs.version
 - external: ecs
diff --git a/packages/rabbitmq/docs/README.md b/packages/rabbitmq/docs/README.md
index 7953d89b4b1..710f166f5d3 100644
--- a/packages/rabbitmq/docs/README.md
+++ b/packages/rabbitmq/docs/README.md
@@ -185,9 +185,54 @@ An example event for `connection` looks as following:
 | rabbitmq.vhost | Virtual host name with non-ASCII characters escaped as in C. | keyword |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
-| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group |
+| user.changes.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.changes.email | User email address. | keyword |
+| user.changes.full_name | User's full name, if available. | keyword |
+| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text |
+| user.changes.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.changes.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.changes.group.name | Name of the group. | keyword |
+| user.changes.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| user.changes.id | Unique identifier of the user. | keyword |
+| user.changes.name | Short name or login of the user. | keyword |
+| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text |
+| user.changes.roles | Array of user roles at the time of the event. | keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.effective.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.effective.email | User email address. | keyword |
+| user.effective.full_name | User's full name, if available. | keyword |
+| user.effective.full_name.text | Multi-field of `user.effective.full_name`. | match_only_text |
+| user.effective.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.effective.group.name | Name of the group. | keyword |
+| user.effective.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| user.effective.id | Unique identifier of the user. | keyword |
+| user.effective.name | Short name or login of the user. | keyword |
+| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text |
+| user.effective.roles | Array of user roles at the time of the event. | keyword |
+| user.email | User email address. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
+| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.group.name | Name of the group. | keyword |
+| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| user.id | Unique identifier of the user. | keyword |
 | user.name | Short name or login of the user. | keyword |
 | user.name.text | Multi-field of `user.name`. | match_only_text |
+| user.roles | Array of user roles at the time of the event. | keyword |
+| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.target.email | User email address. | keyword |
+| user.target.full_name | User's full name, if available. | keyword |
+| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text |
+| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.target.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.target.group.name | Name of the group. | keyword |
+| user.target.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| user.target.id | Unique identifier of the user. | keyword |
+| user.target.name | Short name or login of the user. | keyword |
+| user.target.name.text | Multi-field of `user.target.name`. | match_only_text |
+| user.target.roles | Array of user roles at the time of the event. | keyword |
 ### Exchange Metrics
@@ -281,9 +326,54 @@ An example event for `exchange` looks as following:
 | rabbitmq.vhost | Virtual host name with non-ASCII characters escaped as in C. | keyword |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
-| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group |
+| user.changes.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.changes.email | User email address. | keyword |
+| user.changes.full_name | User's full name, if available. | keyword |
+| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text |
+| user.changes.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.changes.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.changes.group.name | Name of the group. | keyword |
+| user.changes.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| user.changes.id | Unique identifier of the user. | keyword |
+| user.changes.name | Short name or login of the user. | keyword |
+| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text |
+| user.changes.roles | Array of user roles at the time of the event.
| keyword |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.effective.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.effective.email | User email address. | keyword |
+| user.effective.full_name | User's full name, if available. | keyword |
+| user.effective.full_name.text | Multi-field of `user.effective.full_name`. | match_only_text |
+| user.effective.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.effective.group.name | Name of the group. | keyword |
+| user.effective.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| user.effective.id | Unique identifier of the user. | keyword |
+| user.effective.name | Short name or login of the user. | keyword |
+| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text |
+| user.effective.roles | Array of user roles at the time of the event. | keyword |
+| user.email | User email address. | keyword |
+| user.full_name | User's full name, if available. | keyword |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text |
+| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.group.name | Name of the group. | keyword |
+| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used.
| keyword |
+| user.id | Unique identifier of the user. | keyword |
 | user.name | Short name or login of the user. | keyword |
 | user.name.text | Multi-field of `user.name`. | match_only_text |
+| user.roles | Array of user roles at the time of the event. | keyword |
+| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.target.email | User email address. | keyword |
+| user.target.full_name | User's full name, if available. | keyword |
+| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text |
+| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| user.target.group.id | Unique identifier for the group on the system/platform. | keyword |
+| user.target.group.name | Name of the group. | keyword |
+| user.target.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| user.target.id | Unique identifier of the user. | keyword |
+| user.target.name | Short name or login of the user. | keyword |
+| user.target.name.text | Multi-field of `user.target.name`. | match_only_text |
+| user.target.roles | Array of user roles at the time of the event. | keyword |
 ### Node Metrics
diff --git a/packages/radware/data_stream/defensepro/fields/base-fields.yml b/packages/radware/data_stream/defensepro/fields/base-fields.yml
index 2070b87dc06..e64eec82c49 100644
--- a/packages/radware/data_stream/defensepro/fields/base-fields.yml
+++ b/packages/radware/data_stream/defensepro/fields/base-fields.yml
@@ -15,9 +15,6 @@
 type: constant_keyword description: Event dataset value: radware.defensepro -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024
@@ -39,8 +36,3 @@
 - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword
diff --git a/packages/redis/data_stream/info/fields/ecs.yml b/packages/redis/data_stream/info/fields/ecs.yml
index cf2bdd3aad8..7ebe6187463 100644
--- a/packages/redis/data_stream/info/fields/ecs.yml
+++ b/packages/redis/data_stream/info/fields/ecs.yml
@@ -1,11 +1,7 @@
 - external: ecs name: os -- external: ecs - name: os.full - external: ecs name: process -- external: ecs - name: process.pid - external: ecs name: ecs.version - external: ecs
diff --git a/packages/redis/data_stream/info/fields/fields.yml b/packages/redis/data_stream/info/fields/fields.yml
index ffb6963100a..30b8053595e 100644
--- a/packages/redis/data_stream/info/fields/fields.yml
+++ b/packages/redis/data_stream/info/fields/fields.yml
@@ -448,9 +448,3 @@
 type: long description: | Count of slow operations -- name: service.address - type: keyword - description: Client address -- name: service.version - type: keyword - description: Version of the service the data was collected from
diff --git a/packages/redis/docs/README.md b/packages/redis/docs/README.md
index 32f54e9afb1..aaf7513fef4 100644
--- a/packages/redis/docs/README.md
+++ b/packages/redis/docs/README.md
@@ -356,11 +356,157 @@ An example event for `info` looks as following:
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| os | The OS fields contain information about the operating system. | group |
+| os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | os.full | Operating system name, including the version or code name. | keyword |
 | os.full.text | Multi-field of `os.full`. | match_only_text |
-| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group |
+| os.kernel | Operating system kernel version as a raw string. | keyword |
+| os.name | Operating system name, without the version. | keyword |
+| os.name.text | Multi-field of `os.name`. | match_only_text |
+| os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
+| os.version | Operating system version as a raw string. | keyword |
+| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.args_count | Length of the process.args array.
This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword |
+| process.code_signature.exists | Boolean to capture if a signature is present. | boolean |
+| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
+| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| process.code_signature.subject_name | Subject name of the code signer | keyword |
+| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword |
+| process.code_signature.timestamp | Date and time when the code signature was generated and signed. | date |
+| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean |
+| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments.
Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.elf.architecture | Machine architecture of the ELF file. | keyword |
+| process.elf.byte_order | Byte sequence of ELF file. | keyword |
+| process.elf.cpu_type | CPU type of the ELF file. | keyword |
+| process.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date |
+| process.elf.exports | List of exported element names and types. | flattened |
+| process.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword |
+| process.elf.header.class | Header class of the ELF file. | keyword |
+| process.elf.header.data | Data table of the ELF header. | keyword |
+| process.elf.header.entrypoint | Header entrypoint of the ELF file. | long |
+| process.elf.header.object_version | "0x1" for original ELF files. | keyword |
+| process.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword |
+| process.elf.header.type | Header type of the ELF file. | keyword |
+| process.elf.header.version | Version of the ELF header. | keyword |
+| process.elf.imports | List of imported element names and types. | flattened |
+| process.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested |
+| process.elf.sections.chi2 | Chi-square probability distribution of the section. | long |
+| process.elf.sections.entropy | Shannon entropy calculation from the section. | long |
+| process.elf.sections.flags | ELF Section List flags. | keyword |
+| process.elf.sections.name | ELF Section List name. | keyword |
+| process.elf.sections.physical_offset | ELF Section List offset.
| keyword |
+| process.elf.sections.physical_size | ELF Section List physical size. | long |
+| process.elf.sections.type | ELF Section List type. | keyword |
+| process.elf.sections.virtual_address | ELF Section List virtual address. | long |
+| process.elf.sections.virtual_size | ELF Section List virtual size. | long |
+| process.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested |
+| process.elf.segments.sections | ELF object segment sections. | keyword |
+| process.elf.segments.type | ELF object segment type. | keyword |
+| process.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword |
+| process.elf.telfhash | telfhash symbol hash for ELF file. | keyword |
+| process.end | The time the process ended. | date |
+| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long |
+| process.hash.md5 | MD5 hash. | keyword |
+| process.hash.sha1 | SHA1 hash. | keyword |
+| process.hash.sha256 | SHA256 hash. | keyword |
+| process.hash.sha512 | SHA512 hash. | keyword |
+| process.hash.ssdeep | SSDEEP hash. | keyword |
+| process.name | Process name.
Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.parent.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword |
+| process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean |
+| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
+| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| process.parent.code_signature.subject_name | Subject name of the code signer | keyword |
+| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword |
+| process.parent.code_signature.timestamp | Date and time when the code signature was generated and signed. | date |
+| process.parent.code_signature.trusted | Stores the trust status of the certificate chain.
Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean |
+| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean |
+| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
+| process.parent.elf.architecture | Machine architecture of the ELF file. | keyword |
+| process.parent.elf.byte_order | Byte sequence of ELF file. | keyword |
+| process.parent.elf.cpu_type | CPU type of the ELF file. | keyword |
+| process.parent.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date |
+| process.parent.elf.exports | List of exported element names and types. | flattened |
+| process.parent.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword |
+| process.parent.elf.header.class | Header class of the ELF file. | keyword |
+| process.parent.elf.header.data | Data table of the ELF header. | keyword |
+| process.parent.elf.header.entrypoint | Header entrypoint of the ELF file. | long |
+| process.parent.elf.header.object_version | "0x1" for original ELF files. | keyword |
+| process.parent.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword |
+| process.parent.elf.header.type | Header type of the ELF file. | keyword |
+| process.parent.elf.header.version | Version of the ELF header. | keyword |
+| process.parent.elf.imports | List of imported element names and types.
| flattened |
+| process.parent.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested |
+| process.parent.elf.sections.chi2 | Chi-square probability distribution of the section. | long |
+| process.parent.elf.sections.entropy | Shannon entropy calculation from the section. | long |
+| process.parent.elf.sections.flags | ELF Section List flags. | keyword |
+| process.parent.elf.sections.name | ELF Section List name. | keyword |
+| process.parent.elf.sections.physical_offset | ELF Section List offset. | keyword |
+| process.parent.elf.sections.physical_size | ELF Section List physical size. | long |
+| process.parent.elf.sections.type | ELF Section List type. | keyword |
+| process.parent.elf.sections.virtual_address | ELF Section List virtual address. | long |
+| process.parent.elf.sections.virtual_size | ELF Section List virtual size. | long |
+| process.parent.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested |
+| process.parent.elf.segments.sections | ELF object segment sections. | keyword |
+| process.parent.elf.segments.type | ELF object segment type. | keyword |
+| process.parent.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword |
+| process.parent.elf.telfhash | telfhash symbol hash for ELF file. | keyword |
+| process.parent.end | The time the process ended. | date |
+| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process.
Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.parent.executable | Absolute path to the process executable. | keyword |
+| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
+| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long |
+| process.parent.hash.md5 | MD5 hash. | keyword |
+| process.parent.hash.sha1 | SHA1 hash. | keyword |
+| process.parent.hash.sha256 | SHA256 hash. | keyword |
+| process.parent.hash.sha512 | SHA512 hash. | keyword |
+| process.parent.hash.ssdeep | SSDEEP hash. | keyword |
+| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
+| process.parent.pe.architecture | CPU architecture target for the file. | keyword |
+| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword |
+| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword |
+| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword |
+| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
+| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
+| process.parent.pe.product | Internal product name of the file, provided at compile-time.
| keyword |
+| process.parent.pgid | Identifier of the group of processes the process belongs to. | long |
+| process.parent.pid | Process id. | long |
+| process.parent.start | The time the process started. | date |
+| process.parent.thread.id | Thread ID. | long |
+| process.parent.thread.name | Thread name. | keyword |
+| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text |
+| process.parent.uptime | Seconds the process has been up. | long |
+| process.parent.working_directory | The working directory of the process. | keyword |
+| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. | match_only_text |
+| process.pe.architecture | CPU architecture target for the file. | keyword |
+| process.pe.company | Internal company name of the file, provided at compile-time. | keyword |
+| process.pe.description | Internal description of the file, provided at compile-time. | keyword |
+| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword |
+| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
+| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
+| process.pe.product | Internal product name of the file, provided at compile-time. | keyword |
+| process.pgid | Identifier of the group of processes the process belongs to. | long |
 | process.pid | Process id.
| long |
+| process.start | The time the process started. | date |
+| process.thread.id | Thread ID. | long |
+| process.thread.name | Thread name. | keyword |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.title.text | Multi-field of `process.title`. | match_only_text |
+| process.uptime | Seconds the process has been up. | long |
+| process.working_directory | The working directory of the process. | keyword |
+| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text |
 | redis.info.clients.biggest_input_buf | Biggest input buffer among current client connections (replaced by max_input_buffer). | long |
 | redis.info.clients.blocked | Number of clients pending on a blocking call (BLPOP, BRPOP, BRPOPLPUSH). | long |
 | redis.info.clients.connected | Number of client connections (excluding connections from slaves). | long |
@@ -467,9 +613,9 @@ An example event for `info` looks as following:
 | redis.info.stats.sync.full | The number of full resyncs with slaves | long |
 | redis.info.stats.sync.partial.err | The number of denied partial resync requests | long |
 | redis.info.stats.sync.partial.ok | The number of accepted partial resync requests | long |
-| service.address | Client address | keyword |
+| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
-| service.version | Version of the service the data was collected from | keyword |
+| service.version | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. | keyword |
 ### key
diff --git a/packages/sonicwall/data_stream/firewall/fields/base-fields.yml b/packages/sonicwall/data_stream/firewall/fields/base-fields.yml
index a73f5492de5..5134e801922 100644
--- a/packages/sonicwall/data_stream/firewall/fields/base-fields.yml
+++ b/packages/sonicwall/data_stream/firewall/fields/base-fields.yml
@@ -15,9 +15,6 @@
 type: constant_keyword description: Event dataset value: sonicwall.firewall -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024
@@ -39,8 +36,3 @@
 - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword
diff --git a/packages/sophos/data_stream/utm/fields/base-fields.yml b/packages/sophos/data_stream/utm/fields/base-fields.yml
index 0c50a776378..15da1486fe7 100644
--- a/packages/sophos/data_stream/utm/fields/base-fields.yml
+++ b/packages/sophos/data_stream/utm/fields/base-fields.yml
@@ -15,9 +15,6 @@
 type: constant_keyword description: Event dataset value: sophos.utm -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024
@@ -39,8 +36,3 @@
 - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword
diff --git a/packages/sophos/data_stream/xg/fields/fields.yml b/packages/sophos/data_stream/xg/fields/fields.yml
index 6dd56deeab8..c6f6e8c41dd 100644
--- a/packages/sophos/data_stream/xg/fields/fields.yml
+++ b/packages/sophos/data_stream/xg/fields/fields.yml
@@ -680,10 +680,6 @@
 type: keyword description: | Email subject - - name: syslog_server_name - type: keyword - description: | - Syslog server name - name: syslog_server_name type: keyword description: |
diff --git a/packages/sophos/docs/README.md b/packages/sophos/docs/README.md
index 7d950b445d8..f78b90d28ee 100644
--- a/packages/sophos/docs/README.md
+++ b/packages/sophos/docs/README.md
@@ -26,7 +26,7 @@ The `utm` dataset collects Astaro Security Gateway logs.
 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
 | client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
 | client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
@@ -1236,7 +1236,7 @@ An example event for `xg` looks as following:
 | sophos.xg.status | Ultimate status of traffic – Allowed or Denied | keyword |
 | sophos.xg.status_code | Status code | keyword |
 | sophos.xg.subject | Email subject | keyword |
-| sophos.xg.syslog_server_name | Syslog server name | keyword |
+| sophos.xg.syslog_server_name | Syslog server name. | keyword |
 | sophos.xg.system_cpu | system | float |
 | sophos.xg.target | Platform of the traffic. | keyword |
 | sophos.xg.temp | Temp | float |
diff --git a/packages/squid/data_stream/log/fields/base-fields.yml b/packages/squid/data_stream/log/fields/base-fields.yml
index 8243e1ed2f0..c25d7cae586 100644
--- a/packages/squid/data_stream/log/fields/base-fields.yml
+++ b/packages/squid/data_stream/log/fields/base-fields.yml
@@ -15,9 +15,6 @@
 type: constant_keyword description: Event dataset value: squid.log -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024
@@ -39,8 +36,3 @@
 - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword
diff --git a/packages/squid/data_stream/log/fields/ecs.yml b/packages/squid/data_stream/log/fields/ecs.yml
index 20e5a824aed..a050c94c85b 100644
--- a/packages/squid/data_stream/log/fields/ecs.yml
+++ b/packages/squid/data_stream/log/fields/ecs.yml
@@ -244,8 +244,6 @@
 name: user_agent.name - external: ecs name: user_agent.original -- external: ecs - name: user_agent.original - external: ecs name: user_agent.os.family - external: ecs
diff --git a/packages/suricata/data_stream/eve/fields/agent.yml b/packages/suricata/data_stream/eve/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/suricata/data_stream/eve/fields/agent.yml
+++ b/packages/suricata/data_stream/eve/fields/agent.yml
@@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/suricata/data_stream/eve/fields/base-fields.yml b/packages/suricata/data_stream/eve/fields/base-fields.yml index eee838550ff..ae4fc87ca44 100644 --- a/packages/suricata/data_stream/eve/fields/base-fields.yml +++ b/packages/suricata/data_stream/eve/fields/base-fields.yml @@ -15,6 +15,3 @@ type: constant_keyword description: Event dataset value: suricata.eve -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/symantec_endpoint/data_stream/log/fields/agent.yml b/packages/symantec_endpoint/data_stream/log/fields/agent.yml index c2cceee2d3f..f1bcf431f25 100644 --- a/packages/symantec_endpoint/data_stream/log/fields/agent.yml +++ b/packages/symantec_endpoint/data_stream/log/fields/agent.yml @@ -62,11 +62,6 @@ These fields help correlate data based containers from any runtime.' type: group fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - name: image.name level: extended type: keyword diff --git a/packages/symantec_endpoint/data_stream/log/fields/base-fields.yml b/packages/symantec_endpoint/data_stream/log/fields/base-fields.yml index d5fd358e285..880943d9dbd 100644 --- a/packages/symantec_endpoint/data_stream/log/fields/base-fields.yml +++ b/packages/symantec_endpoint/data_stream/log/fields/base-fields.yml 
@@ -7,14 +7,6 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: symantec_endpoint -- name: event.dataset - type: constant_keyword - description: Event dataset - value: symantec_endpoint.log - name: "@timestamp" type: date description: Event timestamp. diff --git a/packages/synthetics/data_stream/browser/fields/cloud.yml b/packages/synthetics/data_stream/browser/fields/cloud.yml deleted file mode 100644 index 29a4b437903..00000000000 --- a/packages/synthetics/data_stream/browser/fields/cloud.yml +++ /dev/null @@ -1,6 +0,0 @@ -- name: cloud.image.id - example: ami-abcd1234 - type: keyword - description: > - Image ID for the cloud instance. - diff --git a/packages/synthetics/data_stream/browser/fields/http.yml b/packages/synthetics/data_stream/browser/fields/http.yml deleted file mode 100644 index 40dd8b42ee9..00000000000 --- a/packages/synthetics/data_stream/browser/fields/http.yml +++ /dev/null 
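Review bot: Dropping the `event.dataset` constant_keyword from symantec_endpoint's base-fields.yml is inconsistent with the sibling base-fields hunks in this same change, where squid, suricata and system/auth keep `event.dataset` and remove only `@timestamp` and/or `event.module`. Unless the field is re-declared elsewhere in the package (an `external: ecs` entry in its ecs.yml, which is not visible from here), this data stream loses the mapping that pins `event.dataset` to `symantec_endpoint.log`, and saved searches, dashboards or detection rules that filter on `event.dataset: symantec_endpoint.log` would stop matching without any ingest error. I would keep the dataset entry and remove only the `event.module` one, i.e. retain `- name: event.dataset`, `type: constant_keyword`, `value: symantec_endpoint.log`; if the removal is intentional, please confirm in the commit description where the constant value now comes from.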
@@ -1,91 +0,0 @@ -- name: http - type: group - description: > - HTTP related fields. - - fields: - - name: response - type: group - fields: - - name: body - type: group - fields: - - name: hash - type: keyword - description: > - Hash of the full response body. Can be used to group responses with identical hashes. - - - name: redirects - type: keyword - description: > - List of redirects followed to arrive at final content. Last item on the list is the URL for which body content is shown. - - - name: headers.* - type: object - enabled: false - description: > - The canonical headers of the monitored HTTP response. - - - name: rtt - type: group - description: > - HTTP layer round trip times. - - fields: - - name: validate - type: group - description: | - Duration between first byte of HTTP request being written and - response being processed by validator. Duration based on already - available network connection. - - Note: if validator is not reading body or only a prefix, this - number does not fully represent the total time needed - to read the body. - fields: - - name: us - type: long - description: Duration in microseconds - - name: validate_body - type: group - description: | - Duration of validator required to read and validate the response - body. - - Note: if validator is not reading body or only a prefix, this - number does not fully represent the total time needed - to read the body. - fields: - - name: us - type: long - description: Duration in microseconds - - name: write_request - type: group - description: Duration of sending the complete HTTP request. Duration based on already available network connection. - fields: - - name: us - type: long - description: Duration in microseconds - - name: response_header - type: group - description: Time required between sending the start of sending the HTTP request and first byte from HTTP response being read. Duration based on already available network connection. 
- fields: - - name: us - type: long - description: Duration in microseconds - - name: content.us - type: long - description: Time required to retrieved the content in micro seconds. - - name: total - type: group - description: | - Duration required to process the HTTP transaction. Starts with - the initial TCP connection attempt. Ends with after validator - did check the response. - - Note: if validator is not reading body or only a prefix, this - number does not fully represent the total time needed. - fields: - - name: us - type: long - description: Duration in microseconds diff --git a/packages/synthetics/data_stream/browser_network/fields/cloud.yml b/packages/synthetics/data_stream/browser_network/fields/cloud.yml deleted file mode 100644 index 29a4b437903..00000000000 --- a/packages/synthetics/data_stream/browser_network/fields/cloud.yml +++ /dev/null @@ -1,6 +0,0 @@ -- name: cloud.image.id - example: ami-abcd1234 - type: keyword - description: > - Image ID for the cloud instance. - diff --git a/packages/synthetics/data_stream/browser_network/fields/http.yml b/packages/synthetics/data_stream/browser_network/fields/http.yml deleted file mode 100644 index 51b5c0166d0..00000000000 --- a/packages/synthetics/data_stream/browser_network/fields/http.yml +++ /dev/null 
@@ -1,107 +0,0 @@ -- name: http - type: group - description: > - HTTP related fields. - - fields: - - name: request.url - level: extended - type: wildcard - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: keyword - type: keyword - description: The request url - - name: response - type: group - fields: - - name: body - type: group - fields: - - name: hash - type: keyword - description: > - Hash of the full response body. Can be used to group responses with identical hashes. - - - name: redirects - type: keyword - description: > - List of redirects followed to arrive at final content. Last item on the list is the URL for which body content is shown. - - - name: headers.etag - type: keyword - description: > - Identifier for a specific version of a resource - - - name: headers.* - type: object - enabled: false - description: > - The canonical headers of the monitored HTTP response. - - - name: rtt - type: group - description: > - HTTP layer round trip times. - - fields: - - name: validate - type: group - description: | - Duration between first byte of HTTP request being written and - response being processed by validator. Duration based on already - available network connection. - - Note: if validator is not reading body or only a prefix, this - number does not fully represent the total time needed - to read the body. - fields: - - name: us - type: long - description: Duration in microseconds - - name: validate_body - type: group - description: | - Duration of validator required to read and validate the response - body. - - Note: if validator is not reading body or only a prefix, this - number does not fully represent the total time needed - to read the body. - fields: - - name: us - type: long - description: Duration in microseconds - - name: write_request - type: group - description: Duration of sending the complete HTTP request. Duration based on already available network connection. 
- fields: - - name: us - type: long - description: Duration in microseconds - - name: response_header - type: group - description: Time required between sending the start of sending the HTTP request and first byte from HTTP response being read. Duration based on already available network connection. - fields: - - name: us - type: long - description: Duration in microseconds - - name: content.us - type: long - description: Time required to retrieved the content in micro seconds. - - name: total - type: group - description: | - Duration required to process the HTTP transaction. Starts with - the initial TCP connection attempt. Ends with after validator - did check the response. - - Note: if validator is not reading body or only a prefix, this - number does not fully represent the total time needed. - fields: - - name: us - type: long - description: Duration in microseconds diff --git a/packages/synthetics/data_stream/browser_screenshot/fields/cloud.yml b/packages/synthetics/data_stream/browser_screenshot/fields/cloud.yml deleted file mode 100644 index 29a4b437903..00000000000 --- a/packages/synthetics/data_stream/browser_screenshot/fields/cloud.yml +++ /dev/null @@ -1,6 +0,0 @@ -- name: cloud.image.id - example: ami-abcd1234 - type: keyword - description: > - Image ID for the cloud instance. - diff --git a/packages/synthetics/data_stream/http/fields/cloud.yml b/packages/synthetics/data_stream/http/fields/cloud.yml deleted file mode 100644 index 29a4b437903..00000000000 --- a/packages/synthetics/data_stream/http/fields/cloud.yml +++ /dev/null @@ -1,6 +0,0 @@ -- name: cloud.image.id - example: ami-abcd1234 - type: keyword - description: > - Image ID for the cloud instance. - diff --git a/packages/synthetics/data_stream/http/fields/http.yml b/packages/synthetics/data_stream/http/fields/http.yml deleted file mode 100644 index 40dd8b42ee9..00000000000 --- a/packages/synthetics/data_stream/http/fields/http.yml +++ /dev/null 
@@ -1,91 +0,0 @@ -- name: http - type: group - description: > - HTTP related fields. - - fields: - - name: response - type: group - fields: - - name: body - type: group - fields: - - name: hash - type: keyword - description: > - Hash of the full response body. Can be used to group responses with identical hashes. - - - name: redirects - type: keyword - description: > - List of redirects followed to arrive at final content. Last item on the list is the URL for which body content is shown. - - - name: headers.* - type: object - enabled: false - description: > - The canonical headers of the monitored HTTP response. - - - name: rtt - type: group - description: > - HTTP layer round trip times. - - fields: - - name: validate - type: group - description: | - Duration between first byte of HTTP request being written and - response being processed by validator. Duration based on already - available network connection. - - Note: if validator is not reading body or only a prefix, this - number does not fully represent the total time needed - to read the body. - fields: - - name: us - type: long - description: Duration in microseconds - - name: validate_body - type: group - description: | - Duration of validator required to read and validate the response - body. - - Note: if validator is not reading body or only a prefix, this - number does not fully represent the total time needed - to read the body. - fields: - - name: us - type: long - description: Duration in microseconds - - name: write_request - type: group - description: Duration of sending the complete HTTP request. Duration based on already available network connection. - fields: - - name: us - type: long - description: Duration in microseconds - - name: response_header - type: group - description: Time required between sending the start of sending the HTTP request and first byte from HTTP response being read. Duration based on already available network connection. 
- fields: - - name: us - type: long - description: Duration in microseconds - - name: content.us - type: long - description: Time required to retrieved the content in micro seconds. - - name: total - type: group - description: | - Duration required to process the HTTP transaction. Starts with - the initial TCP connection attempt. Ends with after validator - did check the response. - - Note: if validator is not reading body or only a prefix, this - number does not fully represent the total time needed. - fields: - - name: us - type: long - description: Duration in microseconds diff --git a/packages/synthetics/data_stream/http/fields/tls.yml b/packages/synthetics/data_stream/http/fields/tls.yml deleted file mode 100644 index 4174905380c..00000000000 --- a/packages/synthetics/data_stream/http/fields/tls.yml +++ /dev/null @@ -1,39 +0,0 @@ -- name: tls - type: group - description: > - TLS layer related fields. - - fields: - - name: certificate_not_valid_before - type: date - deprecated: 7.8.0 - description: Deprecated in favor of `tls.server.x509.not_before`. Earliest time at which the connection's certificates are valid. - - name: certificate_not_valid_after - deprecated: 7.8.0 - type: date - description: Deprecated in favor of `tls.server.x509.not_after`. Latest time at which the connection's certificates are valid. - - name: rtt - type: group - description: > - TLS layer round trip times. - - fields: - - name: handshake - type: group - description: > - Time required to finish TLS handshake based on already available network connection. - - fields: - - name: us - type: long - description: Duration in microseconds - - name: server - type: group - description: Detailed x509 certificate metadata - fields: - - name: version_number - type: keyword - ignore_above: 1024 - description: Version of x509 format. - example: 3 - default_field: false 
diff --git a/packages/synthetics/data_stream/icmp/fields/cloud.yml b/packages/synthetics/data_stream/icmp/fields/cloud.yml deleted file mode 100644 index 29a4b437903..00000000000 --- a/packages/synthetics/data_stream/icmp/fields/cloud.yml +++ /dev/null @@ -1,6 +0,0 @@ -- name: cloud.image.id - example: ami-abcd1234 - type: keyword - description: > - Image ID for the cloud instance. - diff --git a/packages/synthetics/data_stream/icmp/fields/tls.yml b/packages/synthetics/data_stream/icmp/fields/tls.yml deleted file mode 100644 index 4174905380c..00000000000 --- a/packages/synthetics/data_stream/icmp/fields/tls.yml +++ /dev/null @@ -1,39 +0,0 @@ -- name: tls - type: group - description: > - TLS layer related fields. - - fields: - - name: certificate_not_valid_before - type: date - deprecated: 7.8.0 - description: Deprecated in favor of `tls.server.x509.not_before`. Earliest time at which the connection's certificates are valid. - - name: certificate_not_valid_after - deprecated: 7.8.0 - type: date - description: Deprecated in favor of `tls.server.x509.not_after`. Latest time at which the connection's certificates are valid. - - name: rtt - type: group - description: > - TLS layer round trip times. - - fields: - - name: handshake - type: group - description: > - Time required to finish TLS handshake based on already available network connection. - - fields: - - name: us - type: long - description: Duration in microseconds - - name: server - type: group - description: Detailed x509 certificate metadata - fields: - - name: version_number - type: keyword - ignore_above: 1024 - description: Version of x509 format. - example: 3 - default_field: false diff --git a/packages/synthetics/data_stream/tcp/fields/cloud.yml b/packages/synthetics/data_stream/tcp/fields/cloud.yml deleted file mode 100644 index 29a4b437903..00000000000 --- a/packages/synthetics/data_stream/tcp/fields/cloud.yml +++ /dev/null 
@@ -1,6 +0,0 @@ -- name: cloud.image.id - example: ami-abcd1234 - type: keyword - description: > - Image ID for the cloud instance. - diff --git a/packages/synthetics/data_stream/tcp/fields/tls.yml b/packages/synthetics/data_stream/tcp/fields/tls.yml deleted file mode 100644 index 4174905380c..00000000000 --- a/packages/synthetics/data_stream/tcp/fields/tls.yml +++ /dev/null @@ -1,39 +0,0 @@ -- name: tls - type: group - description: > - TLS layer related fields. - - fields: - - name: certificate_not_valid_before - type: date - deprecated: 7.8.0 - description: Deprecated in favor of `tls.server.x509.not_before`. Earliest time at which the connection's certificates are valid. - - name: certificate_not_valid_after - deprecated: 7.8.0 - type: date - description: Deprecated in favor of `tls.server.x509.not_after`. Latest time at which the connection's certificates are valid. - - name: rtt - type: group - description: > - TLS layer round trip times. - - fields: - - name: handshake - type: group - description: > - Time required to finish TLS handshake based on already available network connection. - - fields: - - name: us - type: long - description: Duration in microseconds - - name: server - type: group - description: Detailed x509 certificate metadata - fields: - - name: version_number - type: keyword - ignore_above: 1024 - description: Version of x509 format. - example: 3 - default_field: false diff --git a/packages/system/data_stream/auth/fields/agent.yml b/packages/system/data_stream/auth/fields/agent.yml index da4e652c53b..de521f94cbd 100644 --- a/packages/system/data_stream/auth/fields/agent.yml +++ b/packages/system/data_stream/auth/fields/agent.yml 
@@ -90,82 +90,6 @@ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - name: os.version level: extended type: keyword diff --git a/packages/system/data_stream/auth/fields/base-fields.yml b/packages/system/data_stream/auth/fields/base-fields.yml index 516c401c769..605a367be29 100644 --- a/packages/system/data_stream/auth/fields/base-fields.yml +++ b/packages/system/data_stream/auth/fields/base-fields.yml @@ -8,14 +8,7 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. - name: event.dataset type: constant_keyword description: Event dataset. value: system.auth -- name: event.module - type: constant_keyword - description: Event module - value: system diff --git a/packages/system/data_stream/auth/fields/ecs.yml b/packages/system/data_stream/auth/fields/ecs.yml index 7e353efa7d6..7de0e19c510 100644 --- a/packages/system/data_stream/auth/fields/ecs.yml +++ b/packages/system/data_stream/auth/fields/ecs.yml @@ -36,8 +36,6 @@ name: host.domain - external: ecs name: host.hostname -- external: ecs - name: host.hostname - external: ecs name: host.id - external: ecs diff --git a/packages/system/data_stream/core/fields/agent.yml b/packages/system/data_stream/core/fields/agent.yml index da4e652c53b..3c816026810 100644 --- a/packages/system/data_stream/core/fields/agent.yml +++ b/packages/system/data_stream/core/fields/agent.yml 
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/system/data_stream/core/fields/ecs.yml b/packages/system/data_stream/core/fields/ecs.yml index 9e69e978131..0e98753ee3b 100644 --- a/packages/system/data_stream/core/fields/ecs.yml +++ b/packages/system/data_stream/core/fields/ecs.yml 
@@ -1,24 +1,2 @@ - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type diff --git a/packages/system/data_stream/cpu/fields/agent.yml b/packages/system/data_stream/cpu/fields/agent.yml index 36435349824..3c816026810 100644 --- a/packages/system/data_stream/cpu/fields/agent.yml +++ b/packages/system/data_stream/cpu/fields/agent.yml 
@@ -82,123 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - - - name: cpu.pct - type: scaled_float - format: percent - description: > - Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. - diff --git a/packages/system/data_stream/cpu/fields/ecs.yml b/packages/system/data_stream/cpu/fields/ecs.yml index 9e69e978131..0e98753ee3b 100644 --- a/packages/system/data_stream/cpu/fields/ecs.yml +++ b/packages/system/data_stream/cpu/fields/ecs.yml 
@@ -1,24 +1,2 @@ - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type diff --git a/packages/system/data_stream/cpu/fields/fields.yml b/packages/system/data_stream/cpu/fields/fields.yml index 9efed64c2dc..6b1e9818bdd 100644 --- a/packages/system/data_stream/cpu/fields/fields.yml +++ b/packages/system/data_stream/cpu/fields/fields.yml @@ -171,12 +171,3 @@ metric_type: counter description: | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. -- name: host - type: group - fields: - - name: cpu.pct - type: scaled_float - unit: percent - metric_type: gauge - description: | - Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. diff --git a/packages/system/data_stream/diskio/fields/agent.yml b/packages/system/data_stream/diskio/fields/agent.yml index 54d97ab701d..3c816026810 100644 --- a/packages/system/data_stream/diskio/fields/agent.yml +++ b/packages/system/data_stream/diskio/fields/agent.yml 
@@ -82,128 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - - - name: disk.read.bytes - type: long - format: bytes - description: > - The total number of bytes read successfully in a given period of time. - - - name: disk.write.bytes - type: long - format: bytes - description: >- - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/data_stream/diskio/fields/ecs.yml b/packages/system/data_stream/diskio/fields/ecs.yml index 125667d5ce5..0e98753ee3b 100644 --- a/packages/system/data_stream/diskio/fields/ecs.yml +++ b/packages/system/data_stream/diskio/fields/ecs.yml 
@@ -1,26 +1,2 @@ - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.hostname -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type diff --git a/packages/system/data_stream/diskio/fields/fields.yml b/packages/system/data_stream/diskio/fields/fields.yml index 01a5762c60a..10822d23bf8 100644 --- a/packages/system/data_stream/diskio/fields/fields.yml +++ b/packages/system/data_stream/diskio/fields/fields.yml @@ -119,18 +119,3 @@ metric_type: gauge description: | Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. -- name: host - type: group - fields: - - name: disk.read.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes read successfully in a given period of time. - - name: disk.write.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/data_stream/fsstat/fields/agent.yml b/packages/system/data_stream/fsstat/fields/agent.yml index da4e652c53b..3c816026810 100644 --- a/packages/system/data_stream/fsstat/fields/agent.yml +++ b/packages/system/data_stream/fsstat/fields/agent.yml 
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/system/data_stream/fsstat/fields/ecs.yml b/packages/system/data_stream/fsstat/fields/ecs.yml index 9e69e978131..0e98753ee3b 100644 --- a/packages/system/data_stream/fsstat/fields/ecs.yml +++ b/packages/system/data_stream/fsstat/fields/ecs.yml 
@@ -1,24 +1,2 @@ - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type diff --git a/packages/system/data_stream/load/fields/agent.yml b/packages/system/data_stream/load/fields/agent.yml index da4e652c53b..3c816026810 100644 --- a/packages/system/data_stream/load/fields/agent.yml +++ b/packages/system/data_stream/load/fields/agent.yml 
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/system/data_stream/load/fields/ecs.yml b/packages/system/data_stream/load/fields/ecs.yml index 9e69e978131..0e98753ee3b 100644 --- a/packages/system/data_stream/load/fields/ecs.yml +++ b/packages/system/data_stream/load/fields/ecs.yml 
@@ -1,24 +1,2 @@ - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type diff --git a/packages/system/data_stream/memory/fields/agent.yml b/packages/system/data_stream/memory/fields/agent.yml index da4e652c53b..3c816026810 100644 --- a/packages/system/data_stream/memory/fields/agent.yml +++ b/packages/system/data_stream/memory/fields/agent.yml 
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/system/data_stream/memory/fields/ecs.yml b/packages/system/data_stream/memory/fields/ecs.yml index 9e69e978131..0e98753ee3b 100644 --- a/packages/system/data_stream/memory/fields/ecs.yml +++ b/packages/system/data_stream/memory/fields/ecs.yml 
@@ -1,24 +1,2 @@ - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type diff --git a/packages/system/data_stream/network/fields/agent.yml b/packages/system/data_stream/network/fields/agent.yml index e5afe011398..3c816026810 100644 --- a/packages/system/data_stream/network/fields/agent.yml +++ b/packages/system/data_stream/network/fields/agent.yml 
@@ -82,139 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - - - name: network.in.bytes - type: long - format: bytes - description: > - The number of bytes received on all network interfaces by the host in a given period of time. - - - name: network.in.packets - type: long - description: > - The number of packets received on all network interfaces by the host in a given period of time. - - - name: network.out.bytes - type: long - format: bytes - description: > - The number of bytes sent out on all network interfaces by the host in a given period of time. - - - name: network.out.packets - type: long - description: > - The number of packets sent out on all network interfaces by the host in a given period of time. - 
diff --git a/packages/system/data_stream/network/fields/base-fields.yml b/packages/system/data_stream/network/fields/base-fields.yml index 30ac48f379b..4650bf6b3b7 100644 --- a/packages/system/data_stream/network/fields/base-fields.yml +++ b/packages/system/data_stream/network/fields/base-fields.yml @@ -7,9 +7,6 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. - name: event.module type: constant_keyword description: Event module diff --git a/packages/system/data_stream/network/fields/ecs.yml b/packages/system/data_stream/network/fields/ecs.yml index 49038af7df0..b7f1d8dc1ee 100644 --- a/packages/system/data_stream/network/fields/ecs.yml +++ b/packages/system/data_stream/network/fields/ecs.yml @@ -4,43 +4,11 @@ name: message - external: ecs name: group -- external: ecs - name: group.id -- external: ecs - name: group.name - external: ecs name: host -- external: ecs - name: host.hostname - external: ecs name: process -- external: ecs - name: process.name -- external: ecs - name: process.pid - external: ecs name: source -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.country_iso_code -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- external: ecs - name: source.geo.region_iso_code -- external: ecs - name: source.geo.region_name -- external: ecs - name: source.ip -- external: ecs - name: source.port - external: ecs name: user -- external: ecs - name: user.id -- external: ecs - name: user.name diff --git a/packages/system/data_stream/network/fields/fields.yml b/packages/system/data_stream/network/fields/fields.yml index a309d88ba0f..8a8c828062b 100644 --- a/packages/system/data_stream/network/fields/fields.yml +++ b/packages/system/data_stream/network/fields/fields.yml 
@@ -49,29 +49,3 @@ metric_type: counter description: | The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. -- name: host - type: group - fields: - - name: network.in.bytes - type: scaled_float - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes received on all network interfaces by the host in a given period of time. - - name: network.out.bytes - type: scaled_float - unit: byte - metric_type: counter - description: | - The number of bytes sent out on all network interfaces by the host in a given period of time. - - name: network.in.packets - type: scaled_float - metric_type: counter - description: | - The number of packets received on all network interfaces by the host in a given period of time. - - name: network.out.packets - type: scaled_float - metric_type: counter - description: | - The number of packets sent out on all network interfaces by the host in a given period of time. diff --git a/packages/system/data_stream/process/fields/agent.yml b/packages/system/data_stream/process/fields/agent.yml index d5df59895a1..3c816026810 100644 --- a/packages/system/data_stream/process/fields/agent.yml +++ b/packages/system/data_stream/process/fields/agent.yml 
@@ -82,145 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: process - title: Process - group: 2 - description: Process metrics. - type: group - fields: - - name: state - type: keyword - description: > - The process state. For example: "running". - - - name: cpu.pct - type: scaled_float - format: percent - description: > - The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1. - - - name: cpu.start_time - type: date - description: > - The time when the process was started. - - - name: memory.pct - type: scaled_float - format: percent - description: > - The percentage of memory the process occupied in main memory (RAM). - 
diff --git a/packages/system/data_stream/process/fields/ecs.yml b/packages/system/data_stream/process/fields/ecs.yml index 1b7b5372d01..6b0425b6f90 100644 --- a/packages/system/data_stream/process/fields/ecs.yml +++ b/packages/system/data_stream/process/fields/ecs.yml @@ -1,50 +1,10 @@ - external: ecs name: process -- external: ecs - name: process.name -- external: ecs - name: process.pgid -- external: ecs - name: process.pid -- external: ecs - name: process.parent.pid -- external: ecs - name: process.working_directory - external: ecs name: user -- external: ecs - name: user.name - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type - name: ecs.version external: ecs -- name: process.args - external: ecs -- name: process.command_line - external: ecs -- name: process.executable - external: ecs - name: service.type external: ecs diff --git a/packages/system/data_stream/process_summary/fields/agent.yml b/packages/system/data_stream/process_summary/fields/agent.yml index da4e652c53b..3c816026810 100644 --- a/packages/system/data_stream/process_summary/fields/agent.yml +++ b/packages/system/data_stream/process_summary/fields/agent.yml 
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/system/data_stream/process_summary/fields/base-fields.yml b/packages/system/data_stream/process_summary/fields/base-fields.yml index 8ba4e88dac3..a1bfaa238aa 100644 --- a/packages/system/data_stream/process_summary/fields/base-fields.yml +++ b/packages/system/data_stream/process_summary/fields/base-fields.yml @@ -7,9 +7,6 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. - name: event.module type: constant_keyword description: Event module 
diff --git a/packages/system/data_stream/process_summary/fields/ecs.yml b/packages/system/data_stream/process_summary/fields/ecs.yml index 49038af7df0..b7f1d8dc1ee 100644 --- a/packages/system/data_stream/process_summary/fields/ecs.yml +++ b/packages/system/data_stream/process_summary/fields/ecs.yml @@ -4,43 +4,11 @@ name: message - external: ecs name: group -- external: ecs - name: group.id -- external: ecs - name: group.name - external: ecs name: host -- external: ecs - name: host.hostname - external: ecs name: process -- external: ecs - name: process.name -- external: ecs - name: process.pid - external: ecs name: source -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.country_iso_code -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- external: ecs - name: source.geo.region_iso_code -- external: ecs - name: source.geo.region_name -- external: ecs - name: source.ip -- external: ecs - name: source.port - external: ecs name: user -- external: ecs - name: user.id -- external: ecs - name: user.name diff --git a/packages/system/data_stream/security/fields/agent.yml b/packages/system/data_stream/security/fields/agent.yml index da4e652c53b..5d8b5c2999b 100644 --- a/packages/system/data_stream/security/fields/agent.yml +++ b/packages/system/data_stream/security/fields/agent.yml @@ -130,13 +130,6 @@ type: keyword ignore_above: 1024 description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - name: os.family level: extended type: keyword 
diff --git a/packages/system/data_stream/security/fields/base-fields.yml b/packages/system/data_stream/security/fields/base-fields.yml index 8c57a260b40..46588cd8dea 100644 --- a/packages/system/data_stream/security/fields/base-fields.yml +++ b/packages/system/data_stream/security/fields/base-fields.yml @@ -11,10 +11,6 @@ - name: '@timestamp' type: date description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: system - name: event.dataset type: constant_keyword description: Event dataset. diff --git a/packages/system/data_stream/socket_summary/fields/agent.yml b/packages/system/data_stream/socket_summary/fields/agent.yml index da4e652c53b..3c816026810 100644 --- a/packages/system/data_stream/socket_summary/fields/agent.yml +++ b/packages/system/data_stream/socket_summary/fields/agent.yml 
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/system/data_stream/socket_summary/fields/base-fields.yml b/packages/system/data_stream/socket_summary/fields/base-fields.yml index 1ed72ba281e..0e1c056093a 100644 --- a/packages/system/data_stream/socket_summary/fields/base-fields.yml +++ b/packages/system/data_stream/socket_summary/fields/base-fields.yml @@ -7,9 +7,6 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. - name: event.module type: constant_keyword description: Event module 
diff --git a/packages/system/data_stream/socket_summary/fields/ecs.yml b/packages/system/data_stream/socket_summary/fields/ecs.yml index 49038af7df0..b7f1d8dc1ee 100644 --- a/packages/system/data_stream/socket_summary/fields/ecs.yml +++ b/packages/system/data_stream/socket_summary/fields/ecs.yml @@ -4,43 +4,11 @@ name: message - external: ecs name: group -- external: ecs - name: group.id -- external: ecs - name: group.name - external: ecs name: host -- external: ecs - name: host.hostname - external: ecs name: process -- external: ecs - name: process.name -- external: ecs - name: process.pid - external: ecs name: source -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.country_iso_code -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- external: ecs - name: source.geo.region_iso_code -- external: ecs - name: source.geo.region_name -- external: ecs - name: source.ip -- external: ecs - name: source.port - external: ecs name: user -- external: ecs - name: user.id -- external: ecs - name: user.name diff --git a/packages/system/data_stream/syslog/fields/agent.yml b/packages/system/data_stream/syslog/fields/agent.yml index da4e652c53b..de521f94cbd 100644 --- a/packages/system/data_stream/syslog/fields/agent.yml +++ b/packages/system/data_stream/syslog/fields/agent.yml 
@@ -90,82 +90,6 @@ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - name: os.version level: extended type: keyword diff --git a/packages/system/data_stream/syslog/fields/base-fields.yml b/packages/system/data_stream/syslog/fields/base-fields.yml index c43f2568370..b2c2a69a9a1 100644 --- a/packages/system/data_stream/syslog/fields/base-fields.yml +++ b/packages/system/data_stream/syslog/fields/base-fields.yml @@ -8,14 +8,7 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. - name: event.dataset type: constant_keyword description: Event dataset. value: system.syslog -- name: event.module - type: constant_keyword - description: Event module - value: system diff --git a/packages/system/data_stream/system/fields/base-fields.yml b/packages/system/data_stream/system/fields/base-fields.yml index 567c816e149..8763045cdd8 100644 --- a/packages/system/data_stream/system/fields/base-fields.yml +++ b/packages/system/data_stream/system/fields/base-fields.yml @@ -10,10 +10,6 @@ - name: '@timestamp' type: date description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: system - name: event.dataset type: constant_keyword description: Event dataset. diff --git a/packages/system/docs/README.md b/packages/system/docs/README.md index 5ccfc382669..65fd06c0142 100644 --- a/packages/system/docs/README.md +++ b/packages/system/docs/README.md 
@@ -851,7 +851,7 @@ The `auth` dataset provides auth logs on linux and MacOS prior to 10.8.
 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
@@ -877,7 +877,7 @@ The `auth` dataset provides auth logs on linux and MacOS prior to 10.8. | event.dataset | Event dataset. | constant_keyword | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | | event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | 
@@ -890,7 +890,7 @@ The `auth` dataset provides auth logs on linux and MacOS prior to 10.8.
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
@@ -899,7 +899,7 @@ The `auth` dataset provides auth logs on linux and MacOS prior to 10.8.
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
@@ -949,7 +949,7 @@ The `syslog` dataset provides system logs on linux and MacOS.
 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.availability_zone | Availability zone in which this host is running. | keyword |
 | cloud.image.id | Image ID for the cloud instance. | keyword |
@@ -974,7 +974,7 @@ The `syslog` dataset provides system logs on linux and MacOS. | event.dataset | Event dataset. | constant_keyword | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | | event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | @@ -994,7 +994,7 @@ The `syslog` dataset provides system logs on linux and MacOS. | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | 
@@ -1041,17 +1041,31 @@ This dataset is available on: | data_stream.type | Data stream type. | constant_keyword | | | | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | | host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.geo.city_name | City name. | keyword | | | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | | +| host.geo.continent_name | Name of the continent. | keyword | | | +| host.geo.country_iso_code | Country ISO code. | keyword | | | +| host.geo.country_name | Country name. | keyword | | | +| host.geo.location | Longitude and latitude. | geo_point | | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | +| host.geo.region_iso_code | Region ISO code. | keyword | | | +| host.geo.region_name | Region name. | keyword | | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.full | Operating system name, including the version or code name. | keyword | | | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | @@ -1059,8 +1073,10 @@ This dataset is available on: | host.os.name | Operating system name, without the version. | keyword | | | | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| host.uptime | Seconds the host has been up. | long | | | | system.core.id | CPU Core number. | keyword | | | | system.core.idle.pct | The percentage of CPU time spent idle. | scaled_float | percent | gauge | | system.core.idle.ticks | The amount of CPU time spent idle. | long | | counter | 
@@ -1115,18 +1131,31 @@ This dataset is available on: | data_stream.type | Data stream type. | constant_keyword | | | | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | | host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | -| host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | | | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.geo.city_name | City name. | keyword | | | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | | +| host.geo.continent_name | Name of the continent. | keyword | | | +| host.geo.country_iso_code | Country ISO code. | keyword | | | +| host.geo.country_name | Country name. | keyword | | | +| host.geo.location | Longitude and latitude. 
| geo_point | | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | +| host.geo.region_iso_code | Region ISO code. | keyword | | | +| host.geo.region_name | Region name. | keyword | | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.full | Operating system name, including the version or code name. | keyword | | | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | 
@@ -1134,8 +1163,10 @@ This dataset is available on: | host.os.name | Operating system name, without the version. | keyword | | | | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| host.uptime | Seconds the host has been up. | long | | | | system.cpu.cores | The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% \* cores`. The normalized percentages already take this value into account and have a maximum value of 100%. | long | | gauge | | system.cpu.idle.norm.pct | The percentage of CPU time spent idle. | scaled_float | percent | gauge | | system.cpu.idle.pct | The percentage of CPU time spent idle. | scaled_float | percent | gauge | 
@@ -1200,19 +1231,31 @@ This dataset is available on: | data_stream.type | Data stream type. | constant_keyword | | | | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | | host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | -| host.disk.read.bytes | The total number of bytes read successfully in a given period of time. | scaled_float | byte | gauge | -| host.disk.write.bytes | The total number of bytes write successfully in a given period of time. | scaled_float | byte | gauge | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.geo.city_name | City name. | keyword | | | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | | +| host.geo.continent_name | Name of the continent. | keyword | | | +| host.geo.country_iso_code | Country ISO code. 
| keyword | | | +| host.geo.country_name | Country name. | keyword | | | +| host.geo.location | Longitude and latitude. | geo_point | | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | +| host.geo.region_iso_code | Region ISO code. | keyword | | | +| host.geo.region_name | Region name. | keyword | | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.full | Operating system name, including the version or code name. | keyword | | | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | 
@@ -1220,8 +1263,10 @@ This dataset is available on: | host.os.name | Operating system name, without the version. | keyword | | | | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| host.uptime | Seconds the host has been up. | long | | | | system.diskio.io.time | The total number of of milliseconds spent doing I/Os. | long | | counter | | system.diskio.iostat.await | The average time spent for requests issued to the device to be served. | float | | gauge | | system.diskio.iostat.busy | Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. | float | | gauge | 
@@ -1346,26 +1391,42 @@ This dataset is available on: | data_stream.type | Data stream type. | constant_keyword | | | | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | | host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.geo.city_name | City name. | keyword | | | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | | +| host.geo.continent_name | Name of the continent. | keyword | | | +| host.geo.country_iso_code | Country ISO code. | keyword | | | +| host.geo.country_name | Country name. | keyword | | | +| host.geo.location | Longitude and latitude. | geo_point | | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | +| host.geo.region_iso_code | Region ISO code. | keyword | | | +| host.geo.region_name | Region name. | keyword | | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.full | Operating system name, including the version or code name. | keyword | | | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| host.uptime | Seconds the host has been up. | long | | | | system.fsstat.count | Number of file systems found. | long | | gauge | | system.fsstat.total_files | Total number of files. | long | | gauge | | system.fsstat.total_size.free | Total free space. | long | byte | gauge | 
@@ -1407,17 +1468,31 @@ This dataset is available on: | data_stream.type | Data stream type. | constant_keyword | | | event.dataset | Event dataset. | constant_keyword | | | event.module | Event module | constant_keyword | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | host.architecture | Operating system architecture. | keyword | | -| host.containerized | If the host is a container. | boolean | | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | +| host.geo.city_name | City name. | keyword | | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | +| host.geo.continent_name | Name of the continent. | keyword | | +| host.geo.country_iso_code | Country ISO code. | keyword | | +| host.geo.country_name | Country name. | keyword | | +| host.geo.location | Longitude and latitude. | geo_point | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | +| host.geo.region_iso_code | Region ISO code. | keyword | | +| host.geo.region_name | Region name. | keyword | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | host.ip | Host ip addresses. | ip | | -| host.mac | Host mac addresses. | keyword | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | -| host.os.build | OS build information. | keyword | | -| host.os.codename | OS codename, if any. | keyword | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | host.os.full | Operating system name, including the version or code name. | keyword | | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | @@ -1425,8 +1500,10 @@ This dataset is available on: | host.os.name | Operating system name, without the version. | keyword | | | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | host.os.version | Operating system version as a raw string. | keyword | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | +| host.uptime | Seconds the host has been up. | long | | | system.load.1 | Load average for the last minute. | scaled_float | gauge | | system.load.15 | Load average for the last 15 minutes. | scaled_float | gauge | | system.load.5 | Load average for the last 5 minutes. | scaled_float | gauge | 
@@ -1471,17 +1548,31 @@ This dataset is available on: | data_stream.type | Data stream type. | constant_keyword | | | | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | | host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.geo.city_name | City name. | keyword | | | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | | +| host.geo.continent_name | Name of the continent. | keyword | | | +| host.geo.country_iso_code | Country ISO code. | keyword | | | +| host.geo.country_name | Country name. | keyword | | | +| host.geo.location | Longitude and latitude. | geo_point | | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | +| host.geo.region_iso_code | Region ISO code. | keyword | | | +| host.geo.region_name | Region name. | keyword | | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.full | Operating system name, including the version or code name. | keyword | | | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | 
@@ -1489,8 +1580,10 @@ This dataset is available on: | host.os.name | Operating system name, without the version. | keyword | | | | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| host.uptime | Seconds the host has been up. | long | | | | system.memory.actual.free | Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. | long | byte | gauge | | system.memory.actual.used.bytes | Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. | long | byte | gauge | | system.memory.actual.used.pct | The percentage of actual used memory. | scaled_float | percent | gauge | 
@@ -1559,45 +1652,226 @@ This dataset is available on: | data_stream.type | Data stream type. | constant_keyword | | | | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | -| group | The group fields are meant to represent groups that are relevant to the event. | group | | | +| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | | group.id | Unique identifier for the group on the system/platform. | keyword | | | | group.name | Name of the group. | keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | | host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.geo.city_name | City name. | keyword | | | +| host.geo.continent_code | Two-letter code representing continent's name. 
| keyword | | | +| host.geo.continent_name | Name of the continent. | keyword | | | +| host.geo.country_iso_code | Country ISO code. | keyword | | | +| host.geo.country_name | Country name. | keyword | | | +| host.geo.location | Longitude and latitude. | geo_point | | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | +| host.geo.region_iso_code | Region ISO code. | keyword | | | +| host.geo.region_name | Region name. | keyword | | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. 
| scaled_float | byte | counter | -| host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. | scaled_float | | counter | -| host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | long | | | -| host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | long | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.full | Operating system name, including the version or code name. | keyword | | | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. 
One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| host.uptime | Seconds the host has been up. | long | | | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | | -| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group | | | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | | +| process.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | | | +| process.code_signature.exists | Boolean to capture if a signature is present. 
| boolean | | | +| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | | | +| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | | +| process.code_signature.subject_name | Subject name of the code signer | keyword | | | +| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | | | +| process.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | | | +| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | | +| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | | | +| process.elf.architecture | Machine architecture of the ELF file. | keyword | | | +| process.elf.byte_order | Byte sequence of ELF file. | keyword | | | +| process.elf.cpu_type | CPU type of the ELF file. | keyword | | | +| process.elf.creation_date | Extracted when possible from the file's metadata. 
Indicates when it was built or compiled. It can also be faked by malware creators. | date | | | +| process.elf.exports | List of exported element names and types. | flattened | | | +| process.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | | | +| process.elf.header.class | Header class of the ELF file. | keyword | | | +| process.elf.header.data | Data table of the ELF header. | keyword | | | +| process.elf.header.entrypoint | Header entrypoint of the ELF file. | long | | | +| process.elf.header.object_version | "0x1" for original ELF files. | keyword | | | +| process.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | | | +| process.elf.header.type | Header type of the ELF file. | keyword | | | +| process.elf.header.version | Version of the ELF header. | keyword | | | +| process.elf.imports | List of imported element names and types. | flattened | | | +| process.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | | | +| process.elf.sections.chi2 | Chi-square probability distribution of the section. | long | | | +| process.elf.sections.entropy | Shannon entropy calculation from the section. | long | | | +| process.elf.sections.flags | ELF Section List flags. | keyword | | | +| process.elf.sections.name | ELF Section List name. | keyword | | | +| process.elf.sections.physical_offset | ELF Section List offset. | keyword | | | +| process.elf.sections.physical_size | ELF Section List physical size. | long | | | +| process.elf.sections.type | ELF Section List type. | keyword | | | +| process.elf.sections.virtual_address | ELF Section List virtual address. | long | | | +| process.elf.sections.virtual_size | ELF Section List virtual size. | long | | | +| process.elf.segments | An array containing an object for each segment of the ELF file. 
The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | | | +| process.elf.segments.sections | ELF object segment sections. | keyword | | | +| process.elf.segments.type | ELF object segment type. | keyword | | | +| process.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | | | +| process.elf.telfhash | telfhash symbol hash for ELF file. | keyword | | | +| process.end | The time the process ended. | date | | | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | | +| process.executable | Absolute path to the process executable. | keyword | | | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | | | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | | +| process.hash.md5 | MD5 hash. | keyword | | | +| process.hash.sha1 | SHA1 hash. | keyword | | | +| process.hash.sha256 | SHA256 hash. | keyword | | | +| process.hash.sha512 | SHA512 hash. | keyword | | | +| process.hash.ssdeep | SSDEEP hash. | keyword | | | | process.name | Process name. Sometimes called program name or similar. | keyword | | | | process.name.text | Multi-field of `process.name`. | match_only_text | | | +| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | | +| process.parent.args_count | Length of the process.args array. 
This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | | +| process.parent.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | | | +| process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean | | | +| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | | | +| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | | +| process.parent.code_signature.subject_name | Subject name of the code signer | keyword | | | +| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | | | +| process.parent.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | | | +| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | | +| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. 
| boolean | | | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | | | +| process.parent.elf.architecture | Machine architecture of the ELF file. | keyword | | | +| process.parent.elf.byte_order | Byte sequence of ELF file. | keyword | | | +| process.parent.elf.cpu_type | CPU type of the ELF file. | keyword | | | +| process.parent.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | | | +| process.parent.elf.exports | List of exported element names and types. | flattened | | | +| process.parent.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | | | +| process.parent.elf.header.class | Header class of the ELF file. | keyword | | | +| process.parent.elf.header.data | Data table of the ELF header. | keyword | | | +| process.parent.elf.header.entrypoint | Header entrypoint of the ELF file. | long | | | +| process.parent.elf.header.object_version | "0x1" for original ELF files. | keyword | | | +| process.parent.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | | | +| process.parent.elf.header.type | Header type of the ELF file. | keyword | | | +| process.parent.elf.header.version | Version of the ELF header. | keyword | | | +| process.parent.elf.imports | List of imported element names and types. | flattened | | | +| process.parent.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | | | +| process.parent.elf.sections.chi2 | Chi-square probability distribution of the section. 
| long | | | +| process.parent.elf.sections.entropy | Shannon entropy calculation from the section. | long | | | +| process.parent.elf.sections.flags | ELF Section List flags. | keyword | | | +| process.parent.elf.sections.name | ELF Section List name. | keyword | | | +| process.parent.elf.sections.physical_offset | ELF Section List offset. | keyword | | | +| process.parent.elf.sections.physical_size | ELF Section List physical size. | long | | | +| process.parent.elf.sections.type | ELF Section List type. | keyword | | | +| process.parent.elf.sections.virtual_address | ELF Section List virtual address. | long | | | +| process.parent.elf.sections.virtual_size | ELF Section List virtual size. | long | | | +| process.parent.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | | | +| process.parent.elf.segments.sections | ELF object segment sections. | keyword | | | +| process.parent.elf.segments.type | ELF object segment type. | keyword | | | +| process.parent.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | | | +| process.parent.elf.telfhash | telfhash symbol hash for ELF file. | keyword | | | +| process.parent.end | The time the process ended. | date | | | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | | +| process.parent.executable | Absolute path to the process executable. | keyword | | | +| process.parent.executable.text | Multi-field of `process.parent.executable`. 
| match_only_text | | | +| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | | +| process.parent.hash.md5 | MD5 hash. | keyword | | | +| process.parent.hash.sha1 | SHA1 hash. | keyword | | | +| process.parent.hash.sha256 | SHA256 hash. | keyword | | | +| process.parent.hash.sha512 | SHA512 hash. | keyword | | | +| process.parent.hash.ssdeep | SSDEEP hash. | keyword | | | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | | | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | | | +| process.parent.pe.architecture | CPU architecture target for the file. | keyword | | | +| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | | | +| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | | | +| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | | +| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | | +| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | | +| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | | | +| process.parent.pgid | Identifier of the group of processes the process belongs to. | long | | | +| process.parent.pid | Process id. | long | | | +| process.parent.start | The time the process started. | date | | | +| process.parent.thread.id | Thread ID. 
| long | | | +| process.parent.thread.name | Thread name. | keyword | | | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | | | +| process.parent.uptime | Seconds the process has been up. | long | | | +| process.parent.working_directory | The working directory of the process. | keyword | | | +| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. | match_only_text | | | +| process.pe.architecture | CPU architecture target for the file. | keyword | | | +| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | | | +| process.pe.description | Internal description of the file, provided at compile-time. | keyword | | | +| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | | +| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | | +| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | | +| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | | | +| process.pgid | Identifier of the group of processes the process belongs to. | long | | | | process.pid | Process id. | long | | | -| source | Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. 
Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. | group | | | +| process.start | The time the process started. | date | | | +| process.thread.id | Thread ID. | long | | | +| process.thread.name | Thread name. | keyword | | | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | | +| process.title.text | Multi-field of `process.title`. | match_only_text | | | +| process.uptime | Seconds the process has been up. | long | | | +| process.working_directory | The working directory of the process. | keyword | | | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | | | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | | +| source.as.organization.name | Organization name. | keyword | | | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | | | +| source.bytes | Bytes sent from the source to the destination. | long | | | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. 
The value may derive from the original event or be added from enrichment. | keyword | | | | source.geo.city_name | City name. | keyword | | | +| source.geo.continent_code | Two-letter code representing continent's name. | keyword | | | | source.geo.continent_name | Name of the continent. | keyword | | | | source.geo.country_iso_code | Country ISO code. | keyword | | | +| source.geo.country_name | Country name. | keyword | | | | source.geo.location | Longitude and latitude. | geo_point | | | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | | +| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | | source.geo.region_iso_code | Region ISO code. | keyword | | | | source.geo.region_name | Region name. | keyword | | | +| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | | source.ip | IP address of the source (IPv4 or IPv6). | ip | | | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | | | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | | | +| source.packets | Packets sent from the source to the destination. 
| long | | | | source.port | Port of the source. | long | | | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | | | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | | | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | | | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| source.user.email | User email address. | keyword | | | +| source.user.full_name | User's full name, if available. | keyword | | | +| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | | | +| source.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. 
| keyword | | | +| source.user.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| source.user.group.name | Name of the group. | keyword | | | +| source.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | | +| source.user.id | Unique identifier of the user. | keyword | | | +| source.user.name | Short name or login of the user. | keyword | | | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | | | +| source.user.roles | Array of user roles at the time of the event. | keyword | | | | system.network.in.bytes | The number of bytes received. | long | byte | counter | | system.network.in.dropped | The number of incoming packets that were dropped. | long | | counter | | system.network.in.errors | The number of errors while receiving. | long | | counter | 
@@ -1607,10 +1881,54 @@ This dataset is available on:
 | system.network.out.dropped | The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. | long | | counter |
 | system.network.out.errors | The number of errors while sending. | long | | counter |
 | system.network.out.packets | The number of packets sent. | long | | counter |
-| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | | |
+| user.changes.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| user.changes.email | User email address. | keyword | | |
+| user.changes.full_name | User's full name, if available. | keyword | | |
+| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | | |
+| user.changes.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| user.changes.group.id | Unique identifier for the group on the system/platform. | keyword | | |
+| user.changes.group.name | Name of the group. | keyword | | |
+| user.changes.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | |
+| user.changes.id | Unique identifier of the user. | keyword | | |
+| user.changes.name | Short name or login of the user. | keyword | | |
+| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | | |
+| user.changes.roles | Array of user roles at the time of the event. | keyword | | |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. 
| keyword | | | +| user.effective.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.effective.email | User email address. | keyword | | | +| user.effective.full_name | User's full name, if available. | keyword | | | +| user.effective.full_name.text | Multi-field of `user.effective.full_name`. | match_only_text | | | +| user.effective.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| user.effective.group.name | Name of the group. | keyword | | | +| user.effective.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | | +| user.effective.id | Unique identifier of the user. | keyword | | | +| user.effective.name | Short name or login of the user. | keyword | | | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | | | +| user.effective.roles | Array of user roles at the time of the event. | keyword | | | +| user.email | User email address. | keyword | | | +| user.full_name | User's full name, if available. | keyword | | | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | | | +| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| user.group.name | Name of the group. | keyword | | | +| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | | | user.id | Unique identifier of the user. 
| keyword | | | | user.name | Short name or login of the user. | keyword | | | | user.name.text | Multi-field of `user.name`. | match_only_text | | | +| user.roles | Array of user roles at the time of the event. | keyword | | | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.target.email | User email address. | keyword | | | +| user.target.full_name | User's full name, if available. | keyword | | | +| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | | | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| user.target.group.name | Name of the group. | keyword | | | +| user.target.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | | +| user.target.id | Unique identifier of the user. | keyword | | | +| user.target.name | Short name or login of the user. | keyword | | | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | | | +| user.target.roles | Array of user roles at the time of the event. | keyword | | | ### Process 
@@ -1649,41 +1967,182 @@ This dataset is available on:
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
 | event.dataset | Event dataset. | constant_keyword | | |
 | event.module | Event module | constant_keyword | | |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | |
 | host.architecture | Operating system architecture. | keyword | | |
-| host.containerized | If the host is a container. | boolean | | |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.geo.city_name | City name. | keyword | | |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | |
+| host.geo.continent_name | Name of the continent. | keyword | | |
+| host.geo.country_iso_code | Country ISO code. 
| keyword | | | +| host.geo.country_name | Country name. | keyword | | | +| host.geo.location | Longitude and latitude. | geo_point | | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | +| host.geo.region_iso_code | Region ISO code. | keyword | | | +| host.geo.region_name | Region name. | keyword | | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.full | Operating system name, including the version or code name. | keyword | | | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | -| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. 
The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group | | | +| host.uptime | Seconds the host has been up. | long | | | | process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | | +| process.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | | | +| process.code_signature.exists | Boolean to capture if a signature is present. | boolean | | | +| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | | | +| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | | +| process.code_signature.subject_name | Subject name of the code signer | keyword | | | +| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | | | +| process.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | | | +| process.code_signature.trusted | Stores the trust status of the certificate chain. 
Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | | +| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | | | process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | | | process.command_line.text | Multi-field of `process.command_line`. | match_only_text | | | -| process.cpu.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | | | -| process.cpu.start_time | The time when the process was started. | date | | | +| process.elf.architecture | Machine architecture of the ELF file. | keyword | | | +| process.elf.byte_order | Byte sequence of ELF file. | keyword | | | +| process.elf.cpu_type | CPU type of the ELF file. | keyword | | | +| process.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | | | +| process.elf.exports | List of exported element names and types. | flattened | | | +| process.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | | | +| process.elf.header.class | Header class of the ELF file. | keyword | | | +| process.elf.header.data | Data table of the ELF header. | keyword | | | +| process.elf.header.entrypoint | Header entrypoint of the ELF file. | long | | | +| process.elf.header.object_version | "0x1" for original ELF files. | keyword | | | +| process.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | | | +| process.elf.header.type | Header type of the ELF file. 
| keyword | | | +| process.elf.header.version | Version of the ELF header. | keyword | | | +| process.elf.imports | List of imported element names and types. | flattened | | | +| process.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | | | +| process.elf.sections.chi2 | Chi-square probability distribution of the section. | long | | | +| process.elf.sections.entropy | Shannon entropy calculation from the section. | long | | | +| process.elf.sections.flags | ELF Section List flags. | keyword | | | +| process.elf.sections.name | ELF Section List name. | keyword | | | +| process.elf.sections.physical_offset | ELF Section List offset. | keyword | | | +| process.elf.sections.physical_size | ELF Section List physical size. | long | | | +| process.elf.sections.type | ELF Section List type. | keyword | | | +| process.elf.sections.virtual_address | ELF Section List virtual address. | long | | | +| process.elf.sections.virtual_size | ELF Section List virtual size. | long | | | +| process.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | | | +| process.elf.segments.sections | ELF object segment sections. | keyword | | | +| process.elf.segments.type | ELF object segment type. | keyword | | | +| process.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | | | +| process.elf.telfhash | telfhash symbol hash for ELF file. | keyword | | | +| process.end | The time the process ended. | date | | | +| process.entity_id | Unique identifier for the process. 
The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | | | process.executable | Absolute path to the process executable. | keyword | | | | process.executable.text | Multi-field of `process.executable`. | match_only_text | | | -| process.memory.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | | | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | | +| process.hash.md5 | MD5 hash. | keyword | | | +| process.hash.sha1 | SHA1 hash. | keyword | | | +| process.hash.sha256 | SHA256 hash. | keyword | | | +| process.hash.sha512 | SHA512 hash. | keyword | | | +| process.hash.ssdeep | SSDEEP hash. | keyword | | | | process.name | Process name. Sometimes called program name or similar. | keyword | | | | process.name.text | Multi-field of `process.name`. | match_only_text | | | +| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | | +| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | | +| process.parent.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. 
| keyword | | | +| process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean | | | +| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | | | +| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | | +| process.parent.code_signature.subject_name | Subject name of the code signer | keyword | | | +| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | | | +| process.parent.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | | | +| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | | +| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | | | +| process.parent.elf.architecture | Machine architecture of the ELF file. | keyword | | | +| process.parent.elf.byte_order | Byte sequence of ELF file. 
| keyword | | | +| process.parent.elf.cpu_type | CPU type of the ELF file. | keyword | | | +| process.parent.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | | | +| process.parent.elf.exports | List of exported element names and types. | flattened | | | +| process.parent.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | | | +| process.parent.elf.header.class | Header class of the ELF file. | keyword | | | +| process.parent.elf.header.data | Data table of the ELF header. | keyword | | | +| process.parent.elf.header.entrypoint | Header entrypoint of the ELF file. | long | | | +| process.parent.elf.header.object_version | "0x1" for original ELF files. | keyword | | | +| process.parent.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | | | +| process.parent.elf.header.type | Header type of the ELF file. | keyword | | | +| process.parent.elf.header.version | Version of the ELF header. | keyword | | | +| process.parent.elf.imports | List of imported element names and types. | flattened | | | +| process.parent.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | | | +| process.parent.elf.sections.chi2 | Chi-square probability distribution of the section. | long | | | +| process.parent.elf.sections.entropy | Shannon entropy calculation from the section. | long | | | +| process.parent.elf.sections.flags | ELF Section List flags. | keyword | | | +| process.parent.elf.sections.name | ELF Section List name. | keyword | | | +| process.parent.elf.sections.physical_offset | ELF Section List offset. | keyword | | | +| process.parent.elf.sections.physical_size | ELF Section List physical size. 
| long | | | +| process.parent.elf.sections.type | ELF Section List type. | keyword | | | +| process.parent.elf.sections.virtual_address | ELF Section List virtual address. | long | | | +| process.parent.elf.sections.virtual_size | ELF Section List virtual size. | long | | | +| process.parent.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | | | +| process.parent.elf.segments.sections | ELF object segment sections. | keyword | | | +| process.parent.elf.segments.type | ELF object segment type. | keyword | | | +| process.parent.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | | | +| process.parent.elf.telfhash | telfhash symbol hash for ELF file. | keyword | | | +| process.parent.end | The time the process ended. | date | | | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | | +| process.parent.executable | Absolute path to the process executable. | keyword | | | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | | | +| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | | +| process.parent.hash.md5 | MD5 hash. | keyword | | | +| process.parent.hash.sha1 | SHA1 hash. | keyword | | | +| process.parent.hash.sha256 | SHA256 hash. | keyword | | | +| process.parent.hash.sha512 | SHA512 hash. 
| keyword | | | +| process.parent.hash.ssdeep | SSDEEP hash. | keyword | | | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | | | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | | | +| process.parent.pe.architecture | CPU architecture target for the file. | keyword | | | +| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | | | +| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | | | +| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | | +| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | | +| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | | +| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | | | +| process.parent.pgid | Identifier of the group of processes the process belongs to. | long | | | | process.parent.pid | Process id. | long | | | +| process.parent.start | The time the process started. | date | | | +| process.parent.thread.id | Thread ID. | long | | | +| process.parent.thread.name | Thread name. | keyword | | | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | | | +| process.parent.uptime | Seconds the process has been up. 
| long | | | +| process.parent.working_directory | The working directory of the process. | keyword | | | +| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. | match_only_text | | | +| process.pe.architecture | CPU architecture target for the file. | keyword | | | +| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | | | +| process.pe.description | Internal description of the file, provided at compile-time. | keyword | | | +| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | | +| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | | +| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | | +| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | | | | process.pgid | Identifier of the group of processes the process belongs to. | long | | | | process.pid | Process id. | long | | | -| process.state | The process state. For example: "running". | keyword | | | +| process.start | The time the process started. | date | | | +| process.thread.id | Thread ID. | long | | | +| process.thread.name | Thread name. | keyword | | | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | | +| process.title.text | Multi-field of `process.title`. | match_only_text | | | +| process.uptime | Seconds the process has been up. | long | | | | process.working_directory | The working directory of the process. 
| keyword | | |
 | process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | | |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
@@ -1819,9 +2278,54 @@ This dataset is available on:
 | system.process.memory.share | The shared memory the process uses. | long | byte | gauge |
 | system.process.memory.size | The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. | long | byte | gauge |
 | system.process.state | The process state. For example: "running". | keyword | | |
-| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | | |
+| user.changes.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| user.changes.email | User email address. | keyword | | |
+| user.changes.full_name | User's full name, if available. | keyword | | |
+| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | | |
+| user.changes.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| user.changes.group.id | Unique identifier for the group on the system/platform. | keyword | | |
+| user.changes.group.name | Name of the group. | keyword | | |
+| user.changes.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | |
+| user.changes.id | Unique identifier of the user. | keyword | | |
+| user.changes.name | Short name or login of the user. | keyword | | |
+| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | | |
+| user.changes.roles | Array of user roles at the time of the event. | keyword | | |
+| user.domain | Name of the directory the user is a member of. 
For example, an LDAP or Active Directory domain name. | keyword | | | +| user.effective.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.effective.email | User email address. | keyword | | | +| user.effective.full_name | User's full name, if available. | keyword | | | +| user.effective.full_name.text | Multi-field of `user.effective.full_name`. | match_only_text | | | +| user.effective.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| user.effective.group.name | Name of the group. | keyword | | | +| user.effective.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | | +| user.effective.id | Unique identifier of the user. | keyword | | | +| user.effective.name | Short name or login of the user. | keyword | | | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | | | +| user.effective.roles | Array of user roles at the time of the event. | keyword | | | +| user.email | User email address. | keyword | | | +| user.full_name | User's full name, if available. | keyword | | | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | | | +| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| user.group.name | Name of the group. | keyword | | | +| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. 
| keyword | | | +| user.id | Unique identifier of the user. | keyword | | | | user.name | Short name or login of the user. | keyword | | | | user.name.text | Multi-field of `user.name`. | match_only_text | | | +| user.roles | Array of user roles at the time of the event. | keyword | | | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.target.email | User email address. | keyword | | | +| user.target.full_name | User's full name, if available. | keyword | | | +| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | | | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| user.target.group.name | Name of the group. | keyword | | | +| user.target.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | | +| user.target.id | Unique identifier of the user. | keyword | | | +| user.target.name | Short name or login of the user. | keyword | | | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | | | +| user.target.roles | Array of user roles at the time of the event. | keyword | | | ### Process summary 
@@ -1840,7 +2344,7 @@ This dataset is available on: | Field | Description | Type | Metric Type | |---|---|---|---| -| @timestamp | Event timestamp. | date | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | cloud.availability_zone | Availability zone in which this host is running. | keyword | | | cloud.image.id | Image ID for the cloud instance. | keyword | | 
@@ -1859,41 +2363,226 @@ This dataset is available on: | data_stream.type | Data stream type. | constant_keyword | | | event.dataset | Event dataset. | constant_keyword | | | event.module | Event module | constant_keyword | | -| group | The group fields are meant to represent groups that are relevant to the event. | group | | +| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | group.id | Unique identifier for the group on the system/platform. | keyword | | | group.name | Name of the group. | keyword | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | host.architecture | Operating system architecture. | keyword | | -| host.containerized | If the host is a container. | boolean | | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | +| host.geo.city_name | City name. | keyword | | +| host.geo.continent_code | Two-letter code representing continent's name. 
| keyword | | +| host.geo.continent_name | Name of the continent. | keyword | | +| host.geo.country_iso_code | Country ISO code. | keyword | | +| host.geo.country_name | Country name. | keyword | | +| host.geo.location | Longitude and latitude. | geo_point | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | +| host.geo.region_iso_code | Region ISO code. | keyword | | +| host.geo.region_name | Region name. | keyword | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | host.ip | Host ip addresses. | ip | | -| host.mac | Host mac addresses. | keyword | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | -| host.os.build | OS build information. | keyword | | -| host.os.codename | OS codename, if any. 
| keyword | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | +| host.os.full | Operating system name, including the version or code name. | keyword | | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | host.os.name | Operating system name, without the version. | keyword | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | host.os.version | Operating system version as a raw string. | keyword | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | +| host.uptime | Seconds the host has been up. 
| long | | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | -| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group | | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | +| process.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | | +| process.code_signature.exists | Boolean to capture if a signature is present. | boolean | | +| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | | +| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
| keyword | | +| process.code_signature.subject_name | Subject name of the code signer | keyword | | +| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | | +| process.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | | +| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | +| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | | +| process.elf.architecture | Machine architecture of the ELF file. | keyword | | +| process.elf.byte_order | Byte sequence of ELF file. | keyword | | +| process.elf.cpu_type | CPU type of the ELF file. | keyword | | +| process.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | | +| process.elf.exports | List of exported element names and types. | flattened | | +| process.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | | +| process.elf.header.class | Header class of the ELF file. | keyword | | +| process.elf.header.data | Data table of the ELF header. | keyword | | +| process.elf.header.entrypoint | Header entrypoint of the ELF file. 
| long | | +| process.elf.header.object_version | "0x1" for original ELF files. | keyword | | +| process.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | | +| process.elf.header.type | Header type of the ELF file. | keyword | | +| process.elf.header.version | Version of the ELF header. | keyword | | +| process.elf.imports | List of imported element names and types. | flattened | | +| process.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | | +| process.elf.sections.chi2 | Chi-square probability distribution of the section. | long | | +| process.elf.sections.entropy | Shannon entropy calculation from the section. | long | | +| process.elf.sections.flags | ELF Section List flags. | keyword | | +| process.elf.sections.name | ELF Section List name. | keyword | | +| process.elf.sections.physical_offset | ELF Section List offset. | keyword | | +| process.elf.sections.physical_size | ELF Section List physical size. | long | | +| process.elf.sections.type | ELF Section List type. | keyword | | +| process.elf.sections.virtual_address | ELF Section List virtual address. | long | | +| process.elf.sections.virtual_size | ELF Section List virtual size. | long | | +| process.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | | +| process.elf.segments.sections | ELF object segment sections. | keyword | | +| process.elf.segments.type | ELF object segment type. | keyword | | +| process.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | | +| process.elf.telfhash | telfhash symbol hash for ELF file. | keyword | | +| process.end | The time the process ended. | date | | +| process.entity_id | Unique identifier for the process. 
The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | +| process.executable | Absolute path to the process executable. | keyword | | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | +| process.hash.md5 | MD5 hash. | keyword | | +| process.hash.sha1 | SHA1 hash. | keyword | | +| process.hash.sha256 | SHA256 hash. | keyword | | +| process.hash.sha512 | SHA512 hash. | keyword | | +| process.hash.ssdeep | SSDEEP hash. | keyword | | | process.name | Process name. Sometimes called program name or similar. | keyword | | | process.name.text | Multi-field of `process.name`. | match_only_text | | +| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | +| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | +| process.parent.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | | +| process.parent.code_signature.exists | Boolean to capture if a signature is present. 
| boolean | | +| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | | +| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | +| process.parent.code_signature.subject_name | Subject name of the code signer | keyword | | +| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | | +| process.parent.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | | +| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | +| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | | +| process.parent.elf.architecture | Machine architecture of the ELF file. | keyword | | +| process.parent.elf.byte_order | Byte sequence of ELF file. | keyword | | +| process.parent.elf.cpu_type | CPU type of the ELF file. 
| keyword | | +| process.parent.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | | +| process.parent.elf.exports | List of exported element names and types. | flattened | | +| process.parent.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | | +| process.parent.elf.header.class | Header class of the ELF file. | keyword | | +| process.parent.elf.header.data | Data table of the ELF header. | keyword | | +| process.parent.elf.header.entrypoint | Header entrypoint of the ELF file. | long | | +| process.parent.elf.header.object_version | "0x1" for original ELF files. | keyword | | +| process.parent.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | | +| process.parent.elf.header.type | Header type of the ELF file. | keyword | | +| process.parent.elf.header.version | Version of the ELF header. | keyword | | +| process.parent.elf.imports | List of imported element names and types. | flattened | | +| process.parent.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | | +| process.parent.elf.sections.chi2 | Chi-square probability distribution of the section. | long | | +| process.parent.elf.sections.entropy | Shannon entropy calculation from the section. | long | | +| process.parent.elf.sections.flags | ELF Section List flags. | keyword | | +| process.parent.elf.sections.name | ELF Section List name. | keyword | | +| process.parent.elf.sections.physical_offset | ELF Section List offset. | keyword | | +| process.parent.elf.sections.physical_size | ELF Section List physical size. | long | | +| process.parent.elf.sections.type | ELF Section List type. | keyword | | +| process.parent.elf.sections.virtual_address | ELF Section List virtual address. 
| long | | +| process.parent.elf.sections.virtual_size | ELF Section List virtual size. | long | | +| process.parent.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | | +| process.parent.elf.segments.sections | ELF object segment sections. | keyword | | +| process.parent.elf.segments.type | ELF object segment type. | keyword | | +| process.parent.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | | +| process.parent.elf.telfhash | telfhash symbol hash for ELF file. | keyword | | +| process.parent.end | The time the process ended. | date | | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | +| process.parent.executable | Absolute path to the process executable. | keyword | | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | | +| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | +| process.parent.hash.md5 | MD5 hash. | keyword | | +| process.parent.hash.sha1 | SHA1 hash. | keyword | | +| process.parent.hash.sha256 | SHA256 hash. | keyword | | +| process.parent.hash.sha512 | SHA512 hash. | keyword | | +| process.parent.hash.ssdeep | SSDEEP hash. | keyword | | +| process.parent.name | Process name. Sometimes called program name or similar. 
| keyword | | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | | +| process.parent.pe.architecture | CPU architecture target for the file. | keyword | | +| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | | +| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | | +| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | +| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | +| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | +| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | | +| process.parent.pgid | Identifier of the group of processes the process belongs to. | long | | +| process.parent.pid | Process id. | long | | +| process.parent.start | The time the process started. | date | | +| process.parent.thread.id | Thread ID. | long | | +| process.parent.thread.name | Thread name. | keyword | | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | | +| process.parent.uptime | Seconds the process has been up. | long | | +| process.parent.working_directory | The working directory of the process. | keyword | | +| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. 
| match_only_text | | +| process.pe.architecture | CPU architecture target for the file. | keyword | | +| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | | +| process.pe.description | Internal description of the file, provided at compile-time. | keyword | | +| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | +| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | +| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | +| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | | +| process.pgid | Identifier of the group of processes the process belongs to. | long | | | process.pid | Process id. | long | | -| source | Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. | group | | +| process.start | The time the process started. | date | | +| process.thread.id | Thread ID. | long | | +| process.thread.name | Thread name. | keyword | | +| process.title | Process title. The proctitle, some times the same as process name. 
Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | +| process.title.text | Multi-field of `process.title`. | match_only_text | | +| process.uptime | Seconds the process has been up. | long | | +| process.working_directory | The working directory of the process. | keyword | | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | +| source.as.organization.name | Organization name. | keyword | | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | | +| source.bytes | Bytes sent from the source to the destination. | long | | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | | source.geo.city_name | City name. | keyword | | +| source.geo.continent_code | Two-letter code representing continent's name. | keyword | | | source.geo.continent_name | Name of the continent. | keyword | | | source.geo.country_iso_code | Country ISO code. | keyword | | +| source.geo.country_name | Country name. | keyword | | | source.geo.location | Longitude and latitude. | geo_point | | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | +| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | source.geo.region_iso_code | Region ISO code. | keyword | | | source.geo.region_name | Region name. | keyword | | +| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | source.ip | IP address of the source (IPv4 or IPv6). | ip | | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | | +| source.packets | Packets sent from the source to the destination. | long | | | source.port | Port of the source. | long | | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. 
In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | +| source.user.email | User email address. | keyword | | +| source.user.full_name | User's full name, if available. | keyword | | +| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | | +| source.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | +| source.user.group.id | Unique identifier for the group on the system/platform. | keyword | | +| source.user.group.name | Name of the group. | keyword | | +| source.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | +| source.user.id | Unique identifier of the user. | keyword | | +| source.user.name | Short name or login of the user. | keyword | | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | | +| source.user.roles | Array of user roles at the time of the event. 
| keyword | | | system.process.summary.dead | Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. | long | gauge | | system.process.summary.idle | Number of idle processes on this host. | long | gauge | | system.process.summary.running | Number of running processes on this host. | long | gauge | 
@@ -1902,10 +2591,54 @@ This dataset is available on:
 | system.process.summary.total | Total number of processes on this host. | long | gauge |
 | system.process.summary.unknown | Number of processes for which the state couldn't be retrieved or is unknown. | long | gauge |
 | system.process.summary.zombie | Number of zombie processes on this host. | long | gauge |
-| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | |
+| user.changes.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| user.changes.email | User email address. | keyword | |
+| user.changes.full_name | User's full name, if available. | keyword | |
+| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | |
+| user.changes.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| user.changes.group.id | Unique identifier for the group on the system/platform. | keyword | |
+| user.changes.group.name | Name of the group. | keyword | |
+| user.changes.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | |
+| user.changes.id | Unique identifier of the user. | keyword | |
+| user.changes.name | Short name or login of the user. | keyword | |
+| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | |
+| user.changes.roles | Array of user roles at the time of the event. | keyword | |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| user.effective.domain | Name of the directory the user is a member of. 
For example, an LDAP or Active Directory domain name. | keyword | |
+| user.effective.email | User email address. | keyword | |
+| user.effective.full_name | User's full name, if available. | keyword | |
+| user.effective.full_name.text | Multi-field of `user.effective.full_name`. | match_only_text | |
+| user.effective.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | |
+| user.effective.group.name | Name of the group. | keyword | |
+| user.effective.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | |
+| user.effective.id | Unique identifier of the user. | keyword | |
+| user.effective.name | Short name or login of the user. | keyword | |
+| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | |
+| user.effective.roles | Array of user roles at the time of the event. | keyword | |
+| user.email | User email address. | keyword | |
+| user.full_name | User's full name, if available. | keyword | |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | |
+| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| user.group.id | Unique identifier for the group on the system/platform. | keyword | |
+| user.group.name | Name of the group. | keyword | |
+| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | |
 | user.id | Unique identifier of the user. | keyword | |
 | user.name | Short name or login of the user. | keyword | |
 | user.name.text | Multi-field of `user.name`. 
| match_only_text | |
+| user.roles | Array of user roles at the time of the event. | keyword | |
+| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| user.target.email | User email address. | keyword | |
+| user.target.full_name | User's full name, if available. | keyword | |
+| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | |
+| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | |
+| user.target.group.name | Name of the group. | keyword | |
+| user.target.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | |
+| user.target.id | Unique identifier of the user. | keyword | |
+| user.target.name | Short name or login of the user. | keyword | |
+| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | |
+| user.target.roles | Array of user roles at the time of the event. | keyword | |
 ### Socket summary
@@ -1927,7 +2660,7 @@ This dataset is available on:
 | Field | Description | Type | Unit | Metric Type |
 |---|---|---|---|---|
-| @timestamp | Event timestamp. | date | | |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
 | cloud.availability_zone | Availability zone in which this host is running. | keyword | | |
 | cloud.image.id | Image ID for the cloud instance. | keyword | | |
@@ -1946,41 +2679,226 @@ This dataset is available on: | data_stream.type | Data stream type. | constant_keyword | | | | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | -| group | The group fields are meant to represent groups that are relevant to the event. | group | | | +| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | | group.id | Unique identifier for the group on the system/platform. | keyword | | | | group.name | Name of the group. | keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | | host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.geo.city_name | City name. | keyword | | | +| host.geo.continent_code | Two-letter code representing continent's name. 
| keyword | | | +| host.geo.continent_name | Name of the continent. | keyword | | | +| host.geo.country_iso_code | Country ISO code. | keyword | | | +| host.geo.country_name | Country name. | keyword | | | +| host.geo.location | Longitude and latitude. | geo_point | | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | +| host.geo.region_iso_code | Region ISO code. | keyword | | | +| host.geo.region_name | Region name. | keyword | | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. 
| keyword | | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.full | Operating system name, including the version or code name. | keyword | | | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | +| host.uptime | Seconds the host has been up. | long | | | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | | -| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group | | | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | | +| process.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | | | +| process.code_signature.exists | Boolean to capture if a signature is present. | boolean | | | +| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | | | +| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
| keyword | | | +| process.code_signature.subject_name | Subject name of the code signer | keyword | | | +| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | | | +| process.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | | | +| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | | +| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | | | +| process.elf.architecture | Machine architecture of the ELF file. | keyword | | | +| process.elf.byte_order | Byte sequence of ELF file. | keyword | | | +| process.elf.cpu_type | CPU type of the ELF file. | keyword | | | +| process.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | | | +| process.elf.exports | List of exported element names and types. | flattened | | | +| process.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | | | +| process.elf.header.class | Header class of the ELF file. | keyword | | | +| process.elf.header.data | Data table of the ELF header. | keyword | | | +| process.elf.header.entrypoint | Header entrypoint of the ELF file. 
| long | | | +| process.elf.header.object_version | "0x1" for original ELF files. | keyword | | | +| process.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | | | +| process.elf.header.type | Header type of the ELF file. | keyword | | | +| process.elf.header.version | Version of the ELF header. | keyword | | | +| process.elf.imports | List of imported element names and types. | flattened | | | +| process.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | | | +| process.elf.sections.chi2 | Chi-square probability distribution of the section. | long | | | +| process.elf.sections.entropy | Shannon entropy calculation from the section. | long | | | +| process.elf.sections.flags | ELF Section List flags. | keyword | | | +| process.elf.sections.name | ELF Section List name. | keyword | | | +| process.elf.sections.physical_offset | ELF Section List offset. | keyword | | | +| process.elf.sections.physical_size | ELF Section List physical size. | long | | | +| process.elf.sections.type | ELF Section List type. | keyword | | | +| process.elf.sections.virtual_address | ELF Section List virtual address. | long | | | +| process.elf.sections.virtual_size | ELF Section List virtual size. | long | | | +| process.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | | | +| process.elf.segments.sections | ELF object segment sections. | keyword | | | +| process.elf.segments.type | ELF object segment type. | keyword | | | +| process.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | | | +| process.elf.telfhash | telfhash symbol hash for ELF file. | keyword | | | +| process.end | The time the process ended. 
| date | | | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | | +| process.executable | Absolute path to the process executable. | keyword | | | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | | | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | | +| process.hash.md5 | MD5 hash. | keyword | | | +| process.hash.sha1 | SHA1 hash. | keyword | | | +| process.hash.sha256 | SHA256 hash. | keyword | | | +| process.hash.sha512 | SHA512 hash. | keyword | | | +| process.hash.ssdeep | SSDEEP hash. | keyword | | | | process.name | Process name. Sometimes called program name or similar. | keyword | | | | process.name.text | Multi-field of `process.name`. | match_only_text | | | +| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | | +| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | | +| process.parent.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. 
| keyword | | | +| process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean | | | +| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | | | +| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | | +| process.parent.code_signature.subject_name | Subject name of the code signer | keyword | | | +| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | | | +| process.parent.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | | | +| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | | +| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | | | +| process.parent.elf.architecture | Machine architecture of the ELF file. | keyword | | | +| process.parent.elf.byte_order | Byte sequence of ELF file. 
| keyword | | | +| process.parent.elf.cpu_type | CPU type of the ELF file. | keyword | | | +| process.parent.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | | | +| process.parent.elf.exports | List of exported element names and types. | flattened | | | +| process.parent.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | | | +| process.parent.elf.header.class | Header class of the ELF file. | keyword | | | +| process.parent.elf.header.data | Data table of the ELF header. | keyword | | | +| process.parent.elf.header.entrypoint | Header entrypoint of the ELF file. | long | | | +| process.parent.elf.header.object_version | "0x1" for original ELF files. | keyword | | | +| process.parent.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | | | +| process.parent.elf.header.type | Header type of the ELF file. | keyword | | | +| process.parent.elf.header.version | Version of the ELF header. | keyword | | | +| process.parent.elf.imports | List of imported element names and types. | flattened | | | +| process.parent.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | | | +| process.parent.elf.sections.chi2 | Chi-square probability distribution of the section. | long | | | +| process.parent.elf.sections.entropy | Shannon entropy calculation from the section. | long | | | +| process.parent.elf.sections.flags | ELF Section List flags. | keyword | | | +| process.parent.elf.sections.name | ELF Section List name. | keyword | | | +| process.parent.elf.sections.physical_offset | ELF Section List offset. | keyword | | | +| process.parent.elf.sections.physical_size | ELF Section List physical size. 
| long | | | +| process.parent.elf.sections.type | ELF Section List type. | keyword | | | +| process.parent.elf.sections.virtual_address | ELF Section List virtual address. | long | | | +| process.parent.elf.sections.virtual_size | ELF Section List virtual size. | long | | | +| process.parent.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | | | +| process.parent.elf.segments.sections | ELF object segment sections. | keyword | | | +| process.parent.elf.segments.type | ELF object segment type. | keyword | | | +| process.parent.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | | | +| process.parent.elf.telfhash | telfhash symbol hash for ELF file. | keyword | | | +| process.parent.end | The time the process ended. | date | | | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | | +| process.parent.executable | Absolute path to the process executable. | keyword | | | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | | | +| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | | +| process.parent.hash.md5 | MD5 hash. | keyword | | | +| process.parent.hash.sha1 | SHA1 hash. | keyword | | | +| process.parent.hash.sha256 | SHA256 hash. | keyword | | | +| process.parent.hash.sha512 | SHA512 hash. 
| keyword | | | +| process.parent.hash.ssdeep | SSDEEP hash. | keyword | | | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | | | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | | | +| process.parent.pe.architecture | CPU architecture target for the file. | keyword | | | +| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | | | +| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | | | +| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | | +| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | | +| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | | +| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | | | +| process.parent.pgid | Identifier of the group of processes the process belongs to. | long | | | +| process.parent.pid | Process id. | long | | | +| process.parent.start | The time the process started. | date | | | +| process.parent.thread.id | Thread ID. | long | | | +| process.parent.thread.name | Thread name. | keyword | | | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | | | +| process.parent.uptime | Seconds the process has been up. 
| long | | | +| process.parent.working_directory | The working directory of the process. | keyword | | | +| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. | match_only_text | | | +| process.pe.architecture | CPU architecture target for the file. | keyword | | | +| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | | | +| process.pe.description | Internal description of the file, provided at compile-time. | keyword | | | +| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | | +| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | | +| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | | +| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | | | +| process.pgid | Identifier of the group of processes the process belongs to. | long | | | | process.pid | Process id. | long | | | -| source | Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. | group | | | +| process.start | The time the process started. 
| date | | | +| process.thread.id | Thread ID. | long | | | +| process.thread.name | Thread name. | keyword | | | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | | +| process.title.text | Multi-field of `process.title`. | match_only_text | | | +| process.uptime | Seconds the process has been up. | long | | | +| process.working_directory | The working directory of the process. | keyword | | | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | | | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | | +| source.as.organization.name | Organization name. | keyword | | | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | | | +| source.bytes | Bytes sent from the source to the destination. | long | | | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | | | source.geo.city_name | City name. | keyword | | | +| source.geo.continent_code | Two-letter code representing continent's name. | keyword | | | | source.geo.continent_name | Name of the continent. | keyword | | | | source.geo.country_iso_code | Country ISO code. | keyword | | | +| source.geo.country_name | Country name. | keyword | | | | source.geo.location | Longitude and latitude. 
| geo_point | | | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | | +| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | | source.geo.region_iso_code | Region ISO code. | keyword | | | | source.geo.region_name | Region name. | keyword | | | +| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | | source.ip | IP address of the source (IPv4 or IPv6). | ip | | | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | | | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | | | +| source.packets | Packets sent from the source to the destination. | long | | | | source.port | Port of the source. | long | | | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | | |
+| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | | |
+| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | | |
+| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| source.user.email | User email address. | keyword | | |
+| source.user.full_name | User's full name, if available. | keyword | | |
+| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | | |
+| source.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| source.user.group.id | Unique identifier for the group on the system/platform. | keyword | | |
+| source.user.group.name | Name of the group. | keyword | | |
+| source.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | |
+| source.user.id | Unique identifier of the user. 
| keyword | | |
+| source.user.name | Short name or login of the user. | keyword | | |
+| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | | |
+| source.user.roles | Array of user roles at the time of the event. | keyword | | |
 | system.socket.summary.all.count | All open connections | integer | | gauge |
 | system.socket.summary.all.listening | All listening ports | integer | | gauge |
 | system.socket.summary.tcp.all.close_wait | Number of TCP connections in _close_wait_ state | integer | | gauge |
@@ -1998,10 +2916,54 @@ This dataset is available on:
 | system.socket.summary.tcp.memory | Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. | integer | byte | gauge |
 | system.socket.summary.udp.all.count | All open UDP connections | integer | | gauge |
 | system.socket.summary.udp.memory | Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. | integer | byte | gauge |
-| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | | |
+| user.changes.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| user.changes.email | User email address. | keyword | | |
+| user.changes.full_name | User's full name, if available. | keyword | | |
+| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | | |
+| user.changes.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| user.changes.group.id | Unique identifier for the group on the system/platform. | keyword | | |
+| user.changes.group.name | Name of the group. | keyword | | |
+| user.changes.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | |
+| user.changes.id | Unique identifier of the user. | keyword | | |
+| user.changes.name | Short name or login of the user. | keyword | | |
+| user.changes.name.text | Multi-field of `user.changes.name`. 
| match_only_text | | |
+| user.changes.roles | Array of user roles at the time of the event. | keyword | | |
+| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| user.effective.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| user.effective.email | User email address. | keyword | | |
+| user.effective.full_name | User's full name, if available. | keyword | | |
+| user.effective.full_name.text | Multi-field of `user.effective.full_name`. | match_only_text | | |
+| user.effective.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | | |
+| user.effective.group.name | Name of the group. | keyword | | |
+| user.effective.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | |
+| user.effective.id | Unique identifier of the user. | keyword | | |
+| user.effective.name | Short name or login of the user. | keyword | | |
+| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | | |
+| user.effective.roles | Array of user roles at the time of the event. | keyword | | |
+| user.email | User email address. | keyword | | |
+| user.full_name | User's full name, if available. | keyword | | |
+| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | | |
+| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| user.group.id | Unique identifier for the group on the system/platform. | keyword | | |
+| user.group.name | Name of the group. 
| keyword | | |
+| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | |
 | user.id | Unique identifier of the user. | keyword | | |
 | user.name | Short name or login of the user. | keyword | | |
 | user.name.text | Multi-field of `user.name`. | match_only_text | | |
+| user.roles | Array of user roles at the time of the event. | keyword | | |
+| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| user.target.email | User email address. | keyword | | |
+| user.target.full_name | User's full name, if available. | keyword | | |
+| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | | |
+| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | | |
+| user.target.group.name | Name of the group. | keyword | | |
+| user.target.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | |
+| user.target.id | Unique identifier of the user. | keyword | | |
+| user.target.name | Short name or login of the user. | keyword | | |
+| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | | |
+| user.target.roles | Array of user roles at the time of the event. | keyword | | |
 ### Uptime
diff --git a/packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml b/packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml
index b610ef66549..7e4da707181 100644
--- a/packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml
+++ b/packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml
@@ -16,8 +16,6 @@
 name: event.severity
 - external: ecs
 name: event.created
-- external: ecs
- name: message
 - external: ecs
 name: tags
 - external: ecs
diff --git a/packages/ti_misp/data_stream/threat/fields/base-fields.yml b/packages/ti_misp/data_stream/threat/fields/base-fields.yml
index ad1000cb9b2..754431c484e 100644
--- a/packages/ti_misp/data_stream/threat/fields/base-fields.yml
+++ b/packages/ti_misp/data_stream/threat/fields/base-fields.yml
@@ -15,10 +15,6 @@
 type: constant_keyword
 description: Event dataset
 value: ti_misp.threat
-- name: threat.feed.name
- type: constant_keyword
- description: Display friendly feed name
- value: MISP
 - name: threat.feed.dashboard_id
 type: constant_keyword
 description: Dashboard ID used for Kibana CTI UI
diff --git a/packages/ti_threatq/data_stream/threat/fields/base-fields.yml b/packages/ti_threatq/data_stream/threat/fields/base-fields.yml
index 701a58f1514..4f3471fc6f5 100644
--- a/packages/ti_threatq/data_stream/threat/fields/base-fields.yml
+++ b/packages/ti_threatq/data_stream/threat/fields/base-fields.yml
@@ -11,10 +11,6 @@
 type: constant_keyword
 description: Event module
 value: ti_threatq
-- name: threat.feed.name
- type: constant_keyword
- description: Display friendly feed name
- value: ThreatQuotient
 - name: threat.feed.dashboard_id
 type: constant_keyword
 description: Dashboard ID used for Kibana CTI UI
diff --git a/packages/tomcat/data_stream/log/fields/base-fields.yml b/packages/tomcat/data_stream/log/fields/base-fields.yml
index 423a2e20de9..9ea6d274acc 100644
--- a/packages/tomcat/data_stream/log/fields/base-fields.yml
+++ b/packages/tomcat/data_stream/log/fields/base-fields.yml
@@ -7,9 +7,6 @@
 - name: data_stream.namespace
 type: constant_keyword
 description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
 - name: event.module
 type: constant_keyword
 description: Event module
diff --git a/packages/tomcat/data_stream/log/fields/ecs.yml b/packages/tomcat/data_stream/log/fields/ecs.yml
index 384fbb680e5..69e1e7fcf86 100644
--- a/packages/tomcat/data_stream/log/fields/ecs.yml
+++ b/packages/tomcat/data_stream/log/fields/ecs.yml
@@ -212,8 +212,6 @@
 name: source.top_level_domain
 - external: ecs
 name: tags
-- external: ecs
- name: tags
 - external: ecs
 name: url.domain
 - external: ecs
diff --git a/packages/tomcat/docs/README.md b/packages/tomcat/docs/README.md
index 6fb84c060ef..306ccc23390 100644
--- a/packages/tomcat/docs/README.md
+++ b/packages/tomcat/docs/README.md
@@ -12,7 +12,7 @@ The `log` dataset collects Apache Tomcat logs.
 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
 | client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
 | client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
diff --git a/packages/windows/data_stream/forwarded/fields/agent.yml b/packages/windows/data_stream/forwarded/fields/agent.yml
index da4e652c53b..5d8b5c2999b 100644
--- a/packages/windows/data_stream/forwarded/fields/agent.yml
+++ b/packages/windows/data_stream/forwarded/fields/agent.yml
@@ -130,13 +130,6 @@
 type: keyword
 ignore_above: 1024
 description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/windows/data_stream/forwarded/fields/ecs.yml b/packages/windows/data_stream/forwarded/fields/ecs.yml
index 39b88dd3642..850afcb3007 100644
--- a/packages/windows/data_stream/forwarded/fields/ecs.yml
+++ b/packages/windows/data_stream/forwarded/fields/ecs.yml
@@ -12,16 +12,6 @@
 name: destination.user.name
 - external: ecs
 name: dns.answers
-- external: ecs
- name: dns.answers.class
-- external: ecs
- name: dns.answers.data
-- external: ecs
- name: dns.answers.name
-- external: ecs
- name: dns.answers.ttl
-- external: ecs
- name: dns.answers.type
 - external: ecs
 name: dns.header_flags
 - external: ecs
diff --git a/packages/windows/data_stream/powershell/fields/agent.yml b/packages/windows/data_stream/powershell/fields/agent.yml
index da4e652c53b..5d8b5c2999b 100644
--- a/packages/windows/data_stream/powershell/fields/agent.yml
+++ b/packages/windows/data_stream/powershell/fields/agent.yml
@@ -130,13 +130,6 @@
 type: keyword
 ignore_above: 1024
 description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/windows/data_stream/powershell_operational/fields/agent.yml b/packages/windows/data_stream/powershell_operational/fields/agent.yml
index da4e652c53b..5d8b5c2999b 100644
--- a/packages/windows/data_stream/powershell_operational/fields/agent.yml
+++ b/packages/windows/data_stream/powershell_operational/fields/agent.yml
@@ -130,13 +130,6 @@
 type: keyword
 ignore_above: 1024
 description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/windows/data_stream/sysmon_operational/fields/agent.yml b/packages/windows/data_stream/sysmon_operational/fields/agent.yml
index da4e652c53b..5d8b5c2999b 100644
--- a/packages/windows/data_stream/sysmon_operational/fields/agent.yml
+++ b/packages/windows/data_stream/sysmon_operational/fields/agent.yml
@@ -130,13 +130,6 @@
 type: keyword
 ignore_above: 1024
 description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/zeek/data_stream/capture_loss/fields/agent.yml b/packages/zeek/data_stream/capture_loss/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/capture_loss/fields/agent.yml
+++ b/packages/zeek/data_stream/capture_loss/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/capture_loss/fields/beats.yml b/packages/zeek/data_stream/capture_loss/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/capture_loss/fields/beats.yml
+++ b/packages/zeek/data_stream/capture_loss/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
 - description: Type of Filebeat input.
 name: input.type
 type: keyword
diff --git a/packages/zeek/data_stream/connection/fields/agent.yml b/packages/zeek/data_stream/connection/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/connection/fields/agent.yml
+++ b/packages/zeek/data_stream/connection/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/connection/fields/beats.yml b/packages/zeek/data_stream/connection/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/connection/fields/beats.yml
+++ b/packages/zeek/data_stream/connection/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
 - description: Type of Filebeat input.
 name: input.type
 type: keyword
diff --git a/packages/zeek/data_stream/dce_rpc/fields/agent.yml b/packages/zeek/data_stream/dce_rpc/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/dce_rpc/fields/agent.yml
+++ b/packages/zeek/data_stream/dce_rpc/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/dce_rpc/fields/beats.yml b/packages/zeek/data_stream/dce_rpc/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/dce_rpc/fields/beats.yml
+++ b/packages/zeek/data_stream/dce_rpc/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
 - description: Type of Filebeat input.
 name: input.type
 type: keyword
diff --git a/packages/zeek/data_stream/dhcp/fields/agent.yml b/packages/zeek/data_stream/dhcp/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/dhcp/fields/agent.yml
+++ b/packages/zeek/data_stream/dhcp/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/dhcp/fields/beats.yml b/packages/zeek/data_stream/dhcp/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/dhcp/fields/beats.yml
+++ b/packages/zeek/data_stream/dhcp/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
 - description: Type of Filebeat input.
 name: input.type
 type: keyword
diff --git a/packages/zeek/data_stream/dnp3/fields/agent.yml b/packages/zeek/data_stream/dnp3/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/dnp3/fields/agent.yml
+++ b/packages/zeek/data_stream/dnp3/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/dnp3/fields/beats.yml b/packages/zeek/data_stream/dnp3/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/dnp3/fields/beats.yml
+++ b/packages/zeek/data_stream/dnp3/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
 - description: Type of Filebeat input.
 name: input.type
 type: keyword
diff --git a/packages/zeek/data_stream/dns/fields/agent.yml b/packages/zeek/data_stream/dns/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/dns/fields/agent.yml
+++ b/packages/zeek/data_stream/dns/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/dns/fields/beats.yml b/packages/zeek/data_stream/dns/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/dns/fields/beats.yml
+++ b/packages/zeek/data_stream/dns/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
 - description: Type of Filebeat input.
 name: input.type
 type: keyword
diff --git a/packages/zeek/data_stream/dpd/fields/agent.yml b/packages/zeek/data_stream/dpd/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/dpd/fields/agent.yml
+++ b/packages/zeek/data_stream/dpd/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/dpd/fields/beats.yml b/packages/zeek/data_stream/dpd/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/dpd/fields/beats.yml
+++ b/packages/zeek/data_stream/dpd/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
 - description: Type of Filebeat input.
 name: input.type
 type: keyword
diff --git a/packages/zeek/data_stream/files/fields/agent.yml b/packages/zeek/data_stream/files/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/files/fields/agent.yml
+++ b/packages/zeek/data_stream/files/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/files/fields/beats.yml b/packages/zeek/data_stream/files/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/files/fields/beats.yml
+++ b/packages/zeek/data_stream/files/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
 - description: Type of Filebeat input.
 name: input.type
 type: keyword
diff --git a/packages/zeek/data_stream/ftp/fields/agent.yml b/packages/zeek/data_stream/ftp/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/ftp/fields/agent.yml
+++ b/packages/zeek/data_stream/ftp/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/ftp/fields/beats.yml b/packages/zeek/data_stream/ftp/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/ftp/fields/beats.yml
+++ b/packages/zeek/data_stream/ftp/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
 - description: Type of Filebeat input.
 name: input.type
 type: keyword
diff --git a/packages/zeek/data_stream/http/fields/agent.yml b/packages/zeek/data_stream/http/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/http/fields/agent.yml
+++ b/packages/zeek/data_stream/http/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/http/fields/beats.yml b/packages/zeek/data_stream/http/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/http/fields/beats.yml
+++ b/packages/zeek/data_stream/http/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
 - description: Type of Filebeat input.
 name: input.type
 type: keyword
diff --git a/packages/zeek/data_stream/intel/fields/agent.yml b/packages/zeek/data_stream/intel/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/intel/fields/agent.yml
+++ b/packages/zeek/data_stream/intel/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/intel/fields/beats.yml b/packages/zeek/data_stream/intel/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/intel/fields/beats.yml
+++ b/packages/zeek/data_stream/intel/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
 - description: Type of Filebeat input.
 name: input.type
 type: keyword
diff --git a/packages/zeek/data_stream/irc/fields/agent.yml b/packages/zeek/data_stream/irc/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/irc/fields/agent.yml
+++ b/packages/zeek/data_stream/irc/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/irc/fields/beats.yml b/packages/zeek/data_stream/irc/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/irc/fields/beats.yml
+++ b/packages/zeek/data_stream/irc/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
 - description: Type of Filebeat input.
 name: input.type
 type: keyword
diff --git a/packages/zeek/data_stream/kerberos/fields/agent.yml b/packages/zeek/data_stream/kerberos/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/kerberos/fields/agent.yml
+++ b/packages/zeek/data_stream/kerberos/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/kerberos/fields/beats.yml b/packages/zeek/data_stream/kerberos/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/kerberos/fields/beats.yml
+++ b/packages/zeek/data_stream/kerberos/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
 - description: Type of Filebeat input.
 name: input.type
 type: keyword
diff --git a/packages/zeek/data_stream/modbus/fields/agent.yml b/packages/zeek/data_stream/modbus/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/modbus/fields/agent.yml
+++ b/packages/zeek/data_stream/modbus/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/modbus/fields/beats.yml b/packages/zeek/data_stream/modbus/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/modbus/fields/beats.yml
+++ b/packages/zeek/data_stream/modbus/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
 - description: Type of Filebeat input.
 name: input.type
 type: keyword
diff --git a/packages/zeek/data_stream/mysql/fields/agent.yml b/packages/zeek/data_stream/mysql/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/mysql/fields/agent.yml
+++ b/packages/zeek/data_stream/mysql/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/mysql/fields/beats.yml b/packages/zeek/data_stream/mysql/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/mysql/fields/beats.yml
+++ b/packages/zeek/data_stream/mysql/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
 - description: Type of Filebeat input.
 name: input.type
 type: keyword
diff --git a/packages/zeek/data_stream/notice/fields/agent.yml b/packages/zeek/data_stream/notice/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/notice/fields/agent.yml
+++ b/packages/zeek/data_stream/notice/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/notice/fields/beats.yml b/packages/zeek/data_stream/notice/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/notice/fields/beats.yml
+++ b/packages/zeek/data_stream/notice/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
 - description: Type of Filebeat input.
 name: input.type
 type: keyword
diff --git a/packages/zeek/data_stream/ntlm/fields/agent.yml b/packages/zeek/data_stream/ntlm/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/ntlm/fields/agent.yml
+++ b/packages/zeek/data_stream/ntlm/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/ntlm/fields/beats.yml b/packages/zeek/data_stream/ntlm/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/ntlm/fields/beats.yml
+++ b/packages/zeek/data_stream/ntlm/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
 - description: Type of Filebeat input.
 name: input.type
 type: keyword
diff --git a/packages/zeek/data_stream/ntp/fields/agent.yml b/packages/zeek/data_stream/ntp/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/ntp/fields/agent.yml
+++ b/packages/zeek/data_stream/ntp/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/ntp/fields/beats.yml b/packages/zeek/data_stream/ntp/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/ntp/fields/beats.yml
+++ b/packages/zeek/data_stream/ntp/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/ocsp/fields/agent.yml b/packages/zeek/data_stream/ocsp/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/ocsp/fields/agent.yml
+++ b/packages/zeek/data_stream/ocsp/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/ocsp/fields/beats.yml b/packages/zeek/data_stream/ocsp/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/ocsp/fields/beats.yml
+++ b/packages/zeek/data_stream/ocsp/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/pe/fields/agent.yml b/packages/zeek/data_stream/pe/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/pe/fields/agent.yml
+++ b/packages/zeek/data_stream/pe/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/pe/fields/beats.yml b/packages/zeek/data_stream/pe/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/pe/fields/beats.yml
+++ b/packages/zeek/data_stream/pe/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/radius/fields/agent.yml b/packages/zeek/data_stream/radius/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/radius/fields/agent.yml
+++ b/packages/zeek/data_stream/radius/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/radius/fields/beats.yml b/packages/zeek/data_stream/radius/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/radius/fields/beats.yml
+++ b/packages/zeek/data_stream/radius/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/rdp/fields/agent.yml b/packages/zeek/data_stream/rdp/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/rdp/fields/agent.yml
+++ b/packages/zeek/data_stream/rdp/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/rdp/fields/beats.yml b/packages/zeek/data_stream/rdp/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/rdp/fields/beats.yml
+++ b/packages/zeek/data_stream/rdp/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/rfb/fields/agent.yml b/packages/zeek/data_stream/rfb/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/rfb/fields/agent.yml
+++ b/packages/zeek/data_stream/rfb/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/rfb/fields/beats.yml b/packages/zeek/data_stream/rfb/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/rfb/fields/beats.yml
+++ b/packages/zeek/data_stream/rfb/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/signature/fields/agent.yml b/packages/zeek/data_stream/signature/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/signature/fields/agent.yml
+++ b/packages/zeek/data_stream/signature/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/signature/fields/beats.yml b/packages/zeek/data_stream/signature/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/signature/fields/beats.yml
+++ b/packages/zeek/data_stream/signature/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/sip/fields/agent.yml b/packages/zeek/data_stream/sip/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/sip/fields/agent.yml
+++ b/packages/zeek/data_stream/sip/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/sip/fields/beats.yml b/packages/zeek/data_stream/sip/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/sip/fields/beats.yml
+++ b/packages/zeek/data_stream/sip/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/smb_cmd/fields/agent.yml b/packages/zeek/data_stream/smb_cmd/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/smb_cmd/fields/agent.yml
+++ b/packages/zeek/data_stream/smb_cmd/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/smb_cmd/fields/beats.yml b/packages/zeek/data_stream/smb_cmd/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/smb_cmd/fields/beats.yml
+++ b/packages/zeek/data_stream/smb_cmd/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/smb_files/fields/agent.yml b/packages/zeek/data_stream/smb_files/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/smb_files/fields/agent.yml
+++ b/packages/zeek/data_stream/smb_files/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/smb_files/fields/beats.yml b/packages/zeek/data_stream/smb_files/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/smb_files/fields/beats.yml
+++ b/packages/zeek/data_stream/smb_files/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/smb_mapping/fields/agent.yml b/packages/zeek/data_stream/smb_mapping/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/smb_mapping/fields/agent.yml
+++ b/packages/zeek/data_stream/smb_mapping/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/smb_mapping/fields/beats.yml b/packages/zeek/data_stream/smb_mapping/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/smb_mapping/fields/beats.yml
+++ b/packages/zeek/data_stream/smb_mapping/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/smtp/fields/agent.yml b/packages/zeek/data_stream/smtp/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/smtp/fields/agent.yml
+++ b/packages/zeek/data_stream/smtp/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/smtp/fields/beats.yml b/packages/zeek/data_stream/smtp/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/smtp/fields/beats.yml
+++ b/packages/zeek/data_stream/smtp/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/snmp/fields/agent.yml b/packages/zeek/data_stream/snmp/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/snmp/fields/agent.yml
+++ b/packages/zeek/data_stream/snmp/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/snmp/fields/beats.yml b/packages/zeek/data_stream/snmp/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/snmp/fields/beats.yml
+++ b/packages/zeek/data_stream/snmp/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/socks/fields/agent.yml b/packages/zeek/data_stream/socks/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/socks/fields/agent.yml
+++ b/packages/zeek/data_stream/socks/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/socks/fields/beats.yml b/packages/zeek/data_stream/socks/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/socks/fields/beats.yml
+++ b/packages/zeek/data_stream/socks/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/ssh/fields/agent.yml b/packages/zeek/data_stream/ssh/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/ssh/fields/agent.yml
+++ b/packages/zeek/data_stream/ssh/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/ssh/fields/beats.yml b/packages/zeek/data_stream/ssh/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/ssh/fields/beats.yml
+++ b/packages/zeek/data_stream/ssh/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/ssl/fields/agent.yml b/packages/zeek/data_stream/ssl/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/ssl/fields/agent.yml
+++ b/packages/zeek/data_stream/ssl/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/ssl/fields/beats.yml b/packages/zeek/data_stream/ssl/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/ssl/fields/beats.yml
+++ b/packages/zeek/data_stream/ssl/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/ssl/fields/ecs.yml b/packages/zeek/data_stream/ssl/fields/ecs.yml
index 27c39bf622b..044dac8274d 100644
--- a/packages/zeek/data_stream/ssl/fields/ecs.yml
+++ b/packages/zeek/data_stream/ssl/fields/ecs.yml
@@ -138,5 +138,3 @@
name: tls.version
- external: ecs
name: tls.version_protocol
-- external: ecs
- name: tls.version_protocol
diff --git a/packages/zeek/data_stream/stats/fields/agent.yml b/packages/zeek/data_stream/stats/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/stats/fields/agent.yml
+++ b/packages/zeek/data_stream/stats/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/stats/fields/beats.yml b/packages/zeek/data_stream/stats/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/stats/fields/beats.yml
+++ b/packages/zeek/data_stream/stats/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/syslog/fields/agent.yml b/packages/zeek/data_stream/syslog/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/syslog/fields/agent.yml
+++ b/packages/zeek/data_stream/syslog/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/syslog/fields/beats.yml b/packages/zeek/data_stream/syslog/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/syslog/fields/beats.yml
+++ b/packages/zeek/data_stream/syslog/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/traceroute/fields/agent.yml b/packages/zeek/data_stream/traceroute/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/traceroute/fields/agent.yml
+++ b/packages/zeek/data_stream/traceroute/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/traceroute/fields/beats.yml b/packages/zeek/data_stream/traceroute/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/traceroute/fields/beats.yml
+++ b/packages/zeek/data_stream/traceroute/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/tunnel/fields/agent.yml b/packages/zeek/data_stream/tunnel/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/tunnel/fields/agent.yml
+++ b/packages/zeek/data_stream/tunnel/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/tunnel/fields/beats.yml b/packages/zeek/data_stream/tunnel/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/tunnel/fields/beats.yml
+++ b/packages/zeek/data_stream/tunnel/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/weird/fields/agent.yml b/packages/zeek/data_stream/weird/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/weird/fields/agent.yml
+++ b/packages/zeek/data_stream/weird/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/weird/fields/beats.yml b/packages/zeek/data_stream/weird/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/weird/fields/beats.yml
+++ b/packages/zeek/data_stream/weird/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zeek/data_stream/x509/fields/agent.yml b/packages/zeek/data_stream/x509/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/x509/fields/agent.yml
+++ b/packages/zeek/data_stream/x509/fields/agent.yml
@@ -107,10 +107,6 @@
type: keyword
ignore_above: 1024
description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
diff --git a/packages/zeek/data_stream/x509/fields/beats.yml b/packages/zeek/data_stream/x509/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/x509/fields/beats.yml
+++ b/packages/zeek/data_stream/x509/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
- ignore_above: 1024
- name: container.id
- type: keyword
- description: Type of Filebeat input.
name: input.type
type: keyword
diff --git a/packages/zscaler/data_stream/zia/fields/base-fields.yml b/packages/zscaler/data_stream/zia/fields/base-fields.yml
index 9a64f92d5b5..f86ea60596b 100644
--- a/packages/zscaler/data_stream/zia/fields/base-fields.yml
+++ b/packages/zscaler/data_stream/zia/fields/base-fields.yml
@@ -15,9 +15,6 @@
type: constant_keyword
description: Event dataset
value: zscaler.zia
-- name: '@timestamp'
- type: date
- description: Event timestamp.
- name: container.id
description: Unique container id.
ignore_above: 1024
@@ -39,8 +36,3 @@
- name: log.offset
description: Offset of the entry in the log file.
type: long
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/zscaler_zia/data_stream/firewall/fields/agent.yml b/packages/zscaler_zia/data_stream/firewall/fields/agent.yml
index e313ec82874..0eaf820125a 100644
--- a/packages/zscaler_zia/data_stream/firewall/fields/agent.yml
+++ b/packages/zscaler_zia/data_stream/firewall/fields/agent.yml
@@ -105,13 +105,6 @@
For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
example: CONTOSO
default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- name: id
level: core
type: keyword
diff --git a/packages/zscaler_zpa/data_stream/browser_access/fields/ecs.yml b/packages/zscaler_zpa/data_stream/browser_access/fields/ecs.yml
index f59d7cbe5e6..eefe60436b2 100644
--- a/packages/zscaler_zpa/data_stream/browser_access/fields/ecs.yml
+++ b/packages/zscaler_zpa/data_stream/browser_access/fields/ecs.yml
@@ -6,8 +6,6 @@
name: client.geo.country_iso_code
- external: ecs
name: client.geo.continent_name
-- external: ecs
- name: client.geo.country_iso_code
- external: ecs
name: client.geo.region_iso_code
- description: Longitude and latitude