From e22eec92c78acafb998a6985abb965eddca5c72e Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Mon, 9 May 2022 18:11:44 +0200 Subject: [PATCH 01/28] Activemq --- packages/activemq/data_stream/audit/fields/ecs.yml | 8 -------- packages/activemq/data_stream/broker/fields/ecs.yml | 8 -------- packages/activemq/data_stream/log/fields/ecs.yml | 8 -------- packages/activemq/data_stream/queue/fields/ecs.yml | 8 -------- packages/activemq/data_stream/topic/fields/ecs.yml | 8 -------- 5 files changed, 40 deletions(-) diff --git a/packages/activemq/data_stream/audit/fields/ecs.yml b/packages/activemq/data_stream/audit/fields/ecs.yml index 12993b02683..a34bb7b2a25 100644 --- a/packages/activemq/data_stream/audit/fields/ecs.yml +++ b/packages/activemq/data_stream/audit/fields/ecs.yml @@ -82,22 +82,14 @@ name: user.name - external: ecs name: user_agent.device.name -- external: ecs - name: user_agent.device.name -- external: ecs - name: user_agent.name - external: ecs name: user_agent.name - external: ecs name: user_agent.original -- external: ecs - name: user_agent.original - external: ecs name: user_agent.os.full - external: ecs name: user_agent.os.name -- external: ecs - name: user_agent.os.name - external: ecs name: user_agent.os.version - external: ecs diff --git a/packages/activemq/data_stream/broker/fields/ecs.yml b/packages/activemq/data_stream/broker/fields/ecs.yml index 12993b02683..a34bb7b2a25 100644 --- a/packages/activemq/data_stream/broker/fields/ecs.yml +++ b/packages/activemq/data_stream/broker/fields/ecs.yml 
@@ -82,22 +82,14 @@ name: user.name - external: ecs name: user_agent.device.name -- external: ecs - name: user_agent.device.name -- external: ecs - name: user_agent.name - external: ecs name: user_agent.name - external: ecs name: user_agent.original -- external: ecs - name: user_agent.original - external: ecs name: user_agent.os.full - external: ecs name: user_agent.os.name -- external: ecs - name: user_agent.os.name - external: ecs name: user_agent.os.version - external: ecs diff --git a/packages/activemq/data_stream/log/fields/ecs.yml b/packages/activemq/data_stream/log/fields/ecs.yml index 12993b02683..a34bb7b2a25 100644 --- a/packages/activemq/data_stream/log/fields/ecs.yml +++ b/packages/activemq/data_stream/log/fields/ecs.yml @@ -82,22 +82,14 @@ name: user.name - external: ecs name: user_agent.device.name -- external: ecs - name: user_agent.device.name -- external: ecs - name: user_agent.name - external: ecs name: user_agent.name - external: ecs name: user_agent.original -- external: ecs - name: user_agent.original - external: ecs name: user_agent.os.full - external: ecs name: user_agent.os.name -- external: ecs - name: user_agent.os.name - external: ecs name: user_agent.os.version - external: ecs diff --git a/packages/activemq/data_stream/queue/fields/ecs.yml b/packages/activemq/data_stream/queue/fields/ecs.yml index 12993b02683..a34bb7b2a25 100644 --- a/packages/activemq/data_stream/queue/fields/ecs.yml +++ b/packages/activemq/data_stream/queue/fields/ecs.yml @@ -82,22 +82,14 @@ name: user.name - external: ecs name: user_agent.device.name -- external: ecs - name: user_agent.device.name -- external: ecs - name: user_agent.name - external: ecs name: user_agent.name - external: ecs name: user_agent.original -- external: ecs - name: user_agent.original - external: ecs name: user_agent.os.full - external: ecs name: user_agent.os.name -- external: ecs - name: user_agent.os.name - external: ecs name: user_agent.os.version - external: ecs 
diff --git a/packages/activemq/data_stream/topic/fields/ecs.yml b/packages/activemq/data_stream/topic/fields/ecs.yml index 12993b02683..a34bb7b2a25 100644 --- a/packages/activemq/data_stream/topic/fields/ecs.yml +++ b/packages/activemq/data_stream/topic/fields/ecs.yml @@ -82,22 +82,14 @@ name: user.name - external: ecs name: user_agent.device.name -- external: ecs - name: user_agent.device.name -- external: ecs - name: user_agent.name - external: ecs name: user_agent.name - external: ecs name: user_agent.original -- external: ecs - name: user_agent.original - external: ecs name: user_agent.os.full - external: ecs name: user_agent.os.name -- external: ecs - name: user_agent.os.name - external: ecs name: user_agent.os.version - external: ecs From 8f242da39b136d875a4b59f58d7d12451547ac0e Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Mon, 9 May 2022 18:12:29 +0200 Subject: [PATCH 02/28] Akamai --- packages/akamai/data_stream/siem/fields/ecs.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/packages/akamai/data_stream/siem/fields/ecs.yml b/packages/akamai/data_stream/siem/fields/ecs.yml index 22e38558e07..76130228c59 100644 --- a/packages/akamai/data_stream/siem/fields/ecs.yml +++ b/packages/akamai/data_stream/siem/fields/ecs.yml @@ -12,8 +12,6 @@ external: ecs - name: client.geo.continent_name external: ecs -- name: client.geo.country_iso_code - external: ecs - name: client.geo.region_iso_code external: ecs - name: client.geo.location From 05e4ca7599257e9a9ee594d35afee6acd048825d Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Mon, 9 May 2022 18:14:58 +0200 Subject: [PATCH 03/28] Apache --- packages/apache/data_stream/access/fields/ecs.yml | 8 -------- packages/apache/data_stream/error/fields/base-fields.yml | 5 ----- 2 files changed, 13 deletions(-) diff --git a/packages/apache/data_stream/access/fields/ecs.yml b/packages/apache/data_stream/access/fields/ecs.yml index 12993b02683..a34bb7b2a25 100644 
--- a/packages/apache/data_stream/access/fields/ecs.yml +++ b/packages/apache/data_stream/access/fields/ecs.yml @@ -82,22 +82,14 @@ name: user.name - external: ecs name: user_agent.device.name -- external: ecs - name: user_agent.device.name -- external: ecs - name: user_agent.name - external: ecs name: user_agent.name - external: ecs name: user_agent.original -- external: ecs - name: user_agent.original - external: ecs name: user_agent.os.full - external: ecs name: user_agent.os.name -- external: ecs - name: user_agent.os.name - external: ecs name: user_agent.os.version - external: ecs diff --git a/packages/apache/data_stream/error/fields/base-fields.yml b/packages/apache/data_stream/error/fields/base-fields.yml index e134277b8e1..15365c71bdd 100644 --- a/packages/apache/data_stream/error/fields/base-fields.yml +++ b/packages/apache/data_stream/error/fields/base-fields.yml @@ -10,11 +10,6 @@ - name: '@timestamp' type: date description: Event timestamp. -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword - name: event.module type: constant_keyword description: Event module From c2c2f96f2fa460445f322ceae4839022cfe01ed4 Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Mon, 9 May 2022 18:18:40 +0200 Subject: [PATCH 04/28] Auditd --- .../auditd/data_stream/log/fields/agent.yml | 16 ---------------- .../auditd/data_stream/log/fields/fields.yml | 3 --- .../data_stream/log/fields/package-fields.yml | 19 ------------------- packages/auditd/docs/README.md | 1 - 4 files changed, 39 deletions(-) diff --git a/packages/auditd/data_stream/log/fields/agent.yml b/packages/auditd/data_stream/log/fields/agent.yml index e313ec82874..3a282e597f5 100644 --- a/packages/auditd/data_stream/log/fields/agent.yml +++ b/packages/auditd/data_stream/log/fields/agent.yml 
@@ -62,11 +62,6 @@ These fields help correlate data based containers from any runtime.' type: group fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - name: image.name level: extended type: keyword @@ -77,11 +72,6 @@ type: object object_type: keyword description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 @@ -90,12 +80,6 @@ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - name: domain level: extended type: keyword diff --git a/packages/auditd/data_stream/log/fields/fields.yml b/packages/auditd/data_stream/log/fields/fields.yml index 90ad2435aea..4bc1b3ac817 100644 --- a/packages/auditd/data_stream/log/fields/fields.yml +++ b/packages/auditd/data_stream/log/fields/fields.yml @@ -36,9 +36,6 @@ type: keyword description: | The first argument to the system call. - - name: a0 - description: The first argument to the system call. - type: keyword - name: addr type: ip - name: rport diff --git a/packages/auditd/data_stream/log/fields/package-fields.yml b/packages/auditd/data_stream/log/fields/package-fields.yml index 208d48ec1f7..412bf41bb10 100644 --- a/packages/auditd/data_stream/log/fields/package-fields.yml +++ b/packages/auditd/data_stream/log/fields/package-fields.yml 
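Review bot: Removing `container.id` from the container group appears to leave that field with no remaining declaration for the auditd log data stream: the README hunk in this same patch drops the `container.id` row from the generated table, whereas `container.name` and `host.architecture`, also deleted here, stay listed (so those two evidently have a second definition in a file not shown). If anything in the pipeline populates `container.id`, it would now be mapped dynamically instead of as `keyword`, which changes the behaviour of exact-match queries and detection rules keyed on it. Either keep the `id` entry in the container group or add `- external: ecs` / `  name: container.id` to the data stream's ecs.yml so the mapping survives. The `container` and `host` groups these entries belong to start above the hunk.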
@@ -24,25 +24,6 @@ type: keyword description: | Name of the group. - - name: effective - type: group - fields: - - name: id - type: keyword - description: | - One or multiple unique identifiers of the user. - - name: name - type: keyword - description: | - Short name or login of the user. - - name: group.id - type: keyword - description: | - Unique identifier for the group on the system/platform. - - name: group.name - type: keyword - description: | - Name of the group. - name: filesystem type: group fields: diff --git a/packages/auditd/docs/README.md b/packages/auditd/docs/README.md index 69ea153b6fc..4daeaaa60dd 100644 --- a/packages/auditd/docs/README.md +++ b/packages/auditd/docs/README.md @@ -183,7 +183,6 @@ An example event for `log` looks as following: | cloud.project.id | Name of the project in Google Cloud. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | | container.name | Container name. | keyword | From 6eed8066cc5a7517a54cef9d89014bd8740e70cc Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Mon, 9 May 2022 18:19:55 +0200 Subject: [PATCH 05/28] Auth0 --- packages/auth0/data_stream/logs/fields/fields.yml | 3 --- packages/auth0/docs/README.md | 2 +- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/packages/auth0/data_stream/logs/fields/fields.yml b/packages/auth0/data_stream/logs/fields/fields.yml index fc2da86b51d..a1d734682ff 100644 --- a/packages/auth0/data_stream/logs/fields/fields.yml +++ b/packages/auth0/data_stream/logs/fields/fields.yml 
@@ -61,9 +61,6 @@ - name: strategy_type type: keyword description: Type of strategy involved in the event. - - name: log_id - type: keyword - description: Unique ID of the event. - name: is_mobile type: boolean description: Whether the client was a mobile device (true) or desktop/laptop/server (false). diff --git a/packages/auth0/docs/README.md b/packages/auth0/docs/README.md index a40c20f6acb..a7919e3992a 100644 --- a/packages/auth0/docs/README.md +++ b/packages/auth0/docs/README.md @@ -71,7 +71,7 @@ The Auth0 logs dataset provides events from Auth0 log stream. All Auth0 log even | auth0.logs.data.location_info.latitude | Global latitude (horizontal) position. | keyword | | auth0.logs.data.location_info.longitude | Global longitude (vertical) position. | keyword | | auth0.logs.data.location_info.time_zone | Time zone name as found in the [tz database](https://www.iana.org/time-zones). | keyword | -| auth0.logs.data.log_id | Unique ID of the event. | keyword | +| auth0.logs.data.log_id | Unique log event identifier | keyword | | auth0.logs.data.login.completedAt | Time at which the operation was completed | date | | auth0.logs.data.login.elapsedTime | Number of milliseconds the operation took to complete. | long | | auth0.logs.data.login.initiatedAt | Time at which the operation was initiated | date | From 64d2aa993094aead797f8da36026a3278214fda1 Mon Sep 17 00:00:00 2001 
From: Jaime Soriano Pastor Date: Mon, 9 May 2022 18:27:47 +0200 Subject: [PATCH 06/28] AWS --- .../aws/data_stream/billing/fields/agent.yml | 56 --------------- .../aws/data_stream/billing/fields/ecs.yml | 16 ----- .../cloudfront_logs/fields/agent.yml | 56 --------------- .../data_stream/cloudtrail/fields/agent.yml | 56 --------------- .../cloudwatch_logs/fields/agent.yml | 56 --------------- .../cloudwatch_metrics/fields/agent.yml | 56 --------------- .../cloudwatch_metrics/fields/ecs.yml | 16 ----- .../cloudwatch_metrics/fields/fields.yml | 5 -- .../aws/data_stream/dynamodb/fields/agent.yml | 56 --------------- .../aws/data_stream/dynamodb/fields/ecs.yml | 16 ----- packages/aws/data_stream/ebs/fields/agent.yml | 56 --------------- packages/aws/data_stream/ebs/fields/ecs.yml | 16 ----- .../aws/data_stream/ec2_logs/fields/agent.yml | 56 --------------- .../data_stream/ec2_metrics/fields/agent.yml | 56 --------------- .../data_stream/ec2_metrics/fields/ecs.yml | 16 ----- .../aws/data_stream/elb_logs/fields/agent.yml | 56 --------------- .../data_stream/elb_metrics/fields/agent.yml | 56 --------------- .../data_stream/elb_metrics/fields/ecs.yml | 16 ----- .../firewall_logs/fields/agent.yml | 56 --------------- .../firewall_metrics/fields/agent.yml | 56 --------------- .../firewall_metrics/fields/ecs.yml | 16 ----- .../aws/data_stream/lambda/fields/agent.yml | 56 --------------- .../aws/data_stream/lambda/fields/ecs.yml | 16 ----- .../data_stream/natgateway/fields/agent.yml | 56 --------------- .../aws/data_stream/natgateway/fields/ecs.yml | 16 ----- packages/aws/data_stream/rds/fields/agent.yml | 56 --------------- packages/aws/data_stream/rds/fields/ecs.yml | 16 ----- .../route53_public_logs/fields/agent.yml | 56 --------------- .../route53_resolver_logs/fields/agent.yml | 56 --------------- .../s3_daily_storage/fields/agent.yml | 56 --------------- .../s3_daily_storage/fields/ecs.yml | 16 ----- .../data_stream/s3_request/fields/agent.yml | 56 --------------- 
.../aws/data_stream/s3_request/fields/ecs.yml | 16 ----- .../s3_storage_lens/fields/agent.yml | 56 --------------- .../s3_storage_lens/fields/ecs.yml | 16 ----- .../aws/data_stream/s3access/fields/agent.yml | 56 --------------- packages/aws/data_stream/sns/fields/agent.yml | 56 --------------- packages/aws/data_stream/sns/fields/ecs.yml | 16 ----- packages/aws/data_stream/sqs/fields/agent.yml | 56 --------------- packages/aws/data_stream/sqs/fields/ecs.yml | 16 ----- .../transitgateway/fields/agent.yml | 56 --------------- .../data_stream/transitgateway/fields/ecs.yml | 16 ----- .../aws/data_stream/usage/fields/agent.yml | 56 --------------- packages/aws/data_stream/usage/fields/ecs.yml | 16 ----- .../aws/data_stream/vpcflow/fields/agent.yml | 56 --------------- .../aws/data_stream/vpcflow/fields/ecs.yml | 2 - packages/aws/data_stream/vpn/fields/agent.yml | 56 --------------- packages/aws/data_stream/vpn/fields/ecs.yml | 16 ----- packages/aws/data_stream/waf/fields/agent.yml | 56 --------------- packages/aws/data_stream/waf/fields/ecs.yml | 2 +- packages/aws/docs/billing.md | 29 ++++++-- packages/aws/docs/cloudfront.md | 9 --- packages/aws/docs/cloudtrail.md | 9 +-- packages/aws/docs/cloudwatch.md | 42 ++++++++---- packages/aws/docs/dynamodb.md | 29 ++++++-- packages/aws/docs/ebs.md | 31 +++++++-- packages/aws/docs/ec2.md | 42 ++++++++---- packages/aws/docs/elb.md | 37 ++++++---- packages/aws/docs/firewall.md | 38 +++++++---- packages/aws/docs/lambda.md | 29 ++++++-- packages/aws/docs/natgateway.md | 31 +++++++-- packages/aws/docs/rds.md | 29 ++++++-- packages/aws/docs/route53.md | 18 ----- packages/aws/docs/s3.md | 68 ++++++++++++++----- packages/aws/docs/s3_storage_lens.md | 33 +++++++-- packages/aws/docs/sns.md | 29 ++++++-- packages/aws/docs/sqs.md | 29 ++++++-- packages/aws/docs/transitgateway.md | 29 ++++++-- packages/aws/docs/usage.md | 31 +++++++-- packages/aws/docs/vpcflow.md | 6 -- packages/aws/docs/vpn.md | 31 +++++++-- packages/aws/docs/waf.md | 32 
+++++++--
72 files changed, 492 insertions(+), 2090 deletions(-)
diff --git a/packages/aws/data_stream/billing/fields/agent.yml b/packages/aws/data_stream/billing/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/billing/fields/agent.yml
+++ b/packages/aws/data_stream/billing/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
- name: container
title: Container
group: 2
diff --git a/packages/aws/data_stream/billing/fields/ecs.yml b/packages/aws/data_stream/billing/fields/ecs.yml
index 83e3f6f1225..3ee1d551d0b 100644
--- a/packages/aws/data_stream/billing/fields/ecs.yml
+++ b/packages/aws/data_stream/billing/fields/ecs.yml
@@ -1,23 +1,7 @@
- external: ecs
name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
- external: ecs
name: ecs.version
-- external: ecs
- name: error
- external: ecs
name: error.message
- external: ecs
diff --git a/packages/aws/data_stream/cloudfront_logs/fields/agent.yml b/packages/aws/data_stream/cloudfront_logs/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/cloudfront_logs/fields/agent.yml
+++ b/packages/aws/data_stream/cloudfront_logs/fields/agent.yml
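Review bot: Keeping the bare `- external: ecs` / `name: cloud` entry while deleting the leaf references (`cloud.account.id`, `cloud.region`, `cloud.provider`, …) relies on a group-level ECS reference expanding to its leaf fields, yet the same hunk deletes the group-level `error` reference and keeps the leaf `error.message`, so the two groups are not being handled the same way. If `external: ecs` is resolved only against flat ECS field names, the billing data stream's `cloud.*` mappings would now depend on agent.yml, and the preceding hunk removes the cloud group from that file as well. Please confirm with `elastic-package build` that `cloud.account.id` and `cloud.region` still come out as `keyword` in the generated mappings, or restore the leaf entries; a line in the commit message naming where the surviving definitions live would make the whole series easier to audit.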
@@ -1,59 +1,3 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
- name: container
title: Container
group: 2
diff --git a/packages/aws/data_stream/cloudtrail/fields/agent.yml b/packages/aws/data_stream/cloudtrail/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/cloudtrail/fields/agent.yml
+++ b/packages/aws/data_stream/cloudtrail/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
- name: container
title: Container
group: 2
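Review bot: The cloud group deleted here is the one that declared `cloud.account.id`, `cloud.region` and `cloud.provider` as `keyword`, and for the cloudtrail data stream the diffstat of this patch lists only agent.yml and docs/cloudtrail.md, so the replacement declaration has to already exist in a file this series does not touch. Those three fields are what cross-account CloudTrail detections and SIEM correlation pivot on; if they fell back to dynamic mapping they could be indexed under the index's default dynamic rules rather than as `keyword`, silently changing term queries and aggregations. Worth verifying with `elastic-package build` and the rendered cloudtrail docs that `cloud.account.id` is still listed with type `keyword` after this change.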
diff --git a/packages/aws/data_stream/cloudwatch_logs/fields/agent.yml b/packages/aws/data_stream/cloudwatch_logs/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/cloudwatch_logs/fields/agent.yml
+++ b/packages/aws/data_stream/cloudwatch_logs/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
- name: container
title: Container
group: 2
diff --git a/packages/aws/data_stream/cloudwatch_metrics/fields/agent.yml b/packages/aws/data_stream/cloudwatch_metrics/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/cloudwatch_metrics/fields/agent.yml
+++ b/packages/aws/data_stream/cloudwatch_metrics/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
- name: container
title: Container
group: 2
diff --git a/packages/aws/data_stream/cloudwatch_metrics/fields/ecs.yml b/packages/aws/data_stream/cloudwatch_metrics/fields/ecs.yml
index 83e3f6f1225..3ee1d551d0b 100644
--- a/packages/aws/data_stream/cloudwatch_metrics/fields/ecs.yml
+++ b/packages/aws/data_stream/cloudwatch_metrics/fields/ecs.yml
@@ -1,23 +1,7 @@
- external: ecs
name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
- external: ecs
name: ecs.version
-- external: ecs
- name: error
- external: ecs
name: error.message
- external: ecs
diff --git a/packages/aws/data_stream/cloudwatch_metrics/fields/fields.yml b/packages/aws/data_stream/cloudwatch_metrics/fields/fields.yml
index 0422c9afed4..d466ecf0814 100644
--- a/packages/aws/data_stream/cloudwatch_metrics/fields/fields.yml
+++ b/packages/aws/data_stream/cloudwatch_metrics/fields/fields.yml
@@ -1,11 +1,6 @@
- name: aws
type: group
fields:
- - name: dimensions.*
- type: object
- object_type: keyword
- object_type_mapping_type: "*"
- description: Metric dimensions.
- name: cloudwatch
type: group
fields:
diff --git a/packages/aws/data_stream/dynamodb/fields/agent.yml b/packages/aws/data_stream/dynamodb/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/dynamodb/fields/agent.yml
+++ b/packages/aws/data_stream/dynamodb/fields/agent.yml
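Review bot: The `aws.dimensions.*` entry deleted from fields.yml is, as far as this hunk shows, the declaration that forces every CloudWatch dimension to `keyword` through `object_type: keyword` with `object_type_mapping_type: "*"`; unless the same wildcard object is declared in another fields file of this data stream, dimension values such as instance or function identifiers will be typed by the index's default dynamic mapping instead, which is not guaranteed to be `keyword`. That would change how dashboards and alerting rules that terms-aggregate on `aws.dimensions.*` behave, and with the field being a wildcard it is easy for a second declaration to be missed. If it is a true duplicate, say so in the commit message and name the surviving file; otherwise keep this entry, as a deletion-only patch gives a reviewer no way to tell the two cases apart.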
@@ -1,59 +1,3 @@
-- name: cloud
- title: Cloud
- group: 2
- description: Fields related to the cloud or infrastructure the events are coming from.
- footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
- type: group
- fields:
- - name: account.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
- Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
- example: 666777888999
- - name: availability_zone
- level: extended
- type: keyword
- ignore_above: 1024
- description: Availability zone in which this host is running.
- example: us-east-1c
- - name: instance.id
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance ID of the host machine.
- example: i-1234567890abcdef0
- - name: instance.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Instance name of the host machine.
- - name: machine.type
- level: extended
- type: keyword
- ignore_above: 1024
- description: Machine type of the host machine.
- example: t2.medium
- - name: provider
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
- example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
- - name: project.id
- type: keyword
- description: Name of the project in Google Cloud.
- - name: image.id
- type: keyword
- description: Image ID for the cloud instance.
- name: container
title: Container
group: 2
diff --git a/packages/aws/data_stream/dynamodb/fields/ecs.yml b/packages/aws/data_stream/dynamodb/fields/ecs.yml
index 83e3f6f1225..3ee1d551d0b 100644
--- a/packages/aws/data_stream/dynamodb/fields/ecs.yml
+++ b/packages/aws/data_stream/dynamodb/fields/ecs.yml
@@ -1,23 +1,7 @@
- external: ecs
name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
- external: ecs
name: ecs.version
-- external: ecs
- name: error
- external: ecs
name: error.message
- external: ecs
diff --git a/packages/aws/data_stream/ebs/fields/agent.yml b/packages/aws/data_stream/ebs/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/ebs/fields/agent.yml
+++ b/packages/aws/data_stream/ebs/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
-  title: Cloud
-  group: 2
-  description: Fields related to the cloud or infrastructure the events are coming from.
-  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
-  type: group
-  fields:
-    - name: account.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
-        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
-      example: 666777888999
-    - name: availability_zone
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Availability zone in which this host is running.
-      example: us-east-1c
-    - name: instance.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance ID of the host machine.
-      example: i-1234567890abcdef0
-    - name: instance.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance name of the host machine.
-    - name: machine.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the host machine.
-      example: t2.medium
-    - name: provider
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-      example: aws
-    - name: region
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Region in which this host is running.
-      example: us-east-1
-    - name: project.id
-      type: keyword
-      description: Name of the project in Google Cloud.
-    - name: image.id
-      type: keyword
-      description: Image ID for the cloud instance.
 - name: container
   title: Container
   group: 2
diff --git a/packages/aws/data_stream/ebs/fields/ecs.yml b/packages/aws/data_stream/ebs/fields/ecs.yml
index 83e3f6f1225..3ee1d551d0b 100644
--- a/packages/aws/data_stream/ebs/fields/ecs.yml
+++ b/packages/aws/data_stream/ebs/fields/ecs.yml
@@ -1,23 +1,7 @@
 - external: ecs
   name: cloud
-- external: ecs
-  name: cloud.account.id
-- external: ecs
-  name: cloud.account.name
-- external: ecs
-  name: cloud.availability_zone
-- external: ecs
-  name: cloud.instance.id
-- external: ecs
-  name: cloud.machine.type
-- external: ecs
-  name: cloud.provider
-- external: ecs
-  name: cloud.region
 - external: ecs
   name: ecs.version
-- external: ecs
-  name: error
 - external: ecs
   name: error.message
 - external: ecs
diff --git a/packages/aws/data_stream/ec2_logs/fields/agent.yml b/packages/aws/data_stream/ec2_logs/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/ec2_logs/fields/agent.yml
+++ b/packages/aws/data_stream/ec2_logs/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
-  title: Cloud
-  group: 2
-  description: Fields related to the cloud or infrastructure the events are coming from.
-  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
-  type: group
-  fields:
-    - name: account.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
-        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
-      example: 666777888999
-    - name: availability_zone
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Availability zone in which this host is running.
-      example: us-east-1c
-    - name: instance.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance ID of the host machine.
-      example: i-1234567890abcdef0
-    - name: instance.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance name of the host machine.
-    - name: machine.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the host machine.
-      example: t2.medium
-    - name: provider
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-      example: aws
-    - name: region
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Region in which this host is running.
-      example: us-east-1
-    - name: project.id
-      type: keyword
-      description: Name of the project in Google Cloud.
-    - name: image.id
-      type: keyword
-      description: Image ID for the cloud instance.
 - name: container
   title: Container
   group: 2
diff --git a/packages/aws/data_stream/ec2_metrics/fields/agent.yml b/packages/aws/data_stream/ec2_metrics/fields/agent.yml
index 8603c3c91e2..0bea2e4e04b 100644
--- a/packages/aws/data_stream/ec2_metrics/fields/agent.yml
+++ b/packages/aws/data_stream/ec2_metrics/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
-  title: Cloud
-  group: 2
-  description: Fields related to the cloud or infrastructure the events are coming from.
-  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
-  type: group
-  fields:
-    - name: account.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
-        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
-      example: 666777888999
-    - name: availability_zone
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Availability zone in which this host is running.
-      example: us-east-1c
-    - name: instance.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance ID of the host machine.
-      example: i-1234567890abcdef0
-    - name: instance.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance name of the host machine.
-    - name: machine.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the host machine.
-      example: t2.medium
-    - name: provider
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-      example: aws
-    - name: region
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Region in which this host is running.
-      example: us-east-1
-    - name: project.id
-      type: keyword
-      description: Name of the project in Google Cloud.
-    - name: image.id
-      type: keyword
-      description: Image ID for the cloud instance.
 - name: container
   title: Container
   group: 2
diff --git a/packages/aws/data_stream/ec2_metrics/fields/ecs.yml b/packages/aws/data_stream/ec2_metrics/fields/ecs.yml
index 83e3f6f1225..3ee1d551d0b 100644
--- a/packages/aws/data_stream/ec2_metrics/fields/ecs.yml
+++ b/packages/aws/data_stream/ec2_metrics/fields/ecs.yml
@@ -1,23 +1,7 @@
 - external: ecs
   name: cloud
-- external: ecs
-  name: cloud.account.id
-- external: ecs
-  name: cloud.account.name
-- external: ecs
-  name: cloud.availability_zone
-- external: ecs
-  name: cloud.instance.id
-- external: ecs
-  name: cloud.machine.type
-- external: ecs
-  name: cloud.provider
-- external: ecs
-  name: cloud.region
 - external: ecs
   name: ecs.version
-- external: ecs
-  name: error
 - external: ecs
   name: error.message
 - external: ecs
diff --git a/packages/aws/data_stream/elb_logs/fields/agent.yml b/packages/aws/data_stream/elb_logs/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/elb_logs/fields/agent.yml
+++ b/packages/aws/data_stream/elb_logs/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
-  title: Cloud
-  group: 2
-  description: Fields related to the cloud or infrastructure the events are coming from.
-  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
-  type: group
-  fields:
-    - name: account.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
-        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
-      example: 666777888999
-    - name: availability_zone
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Availability zone in which this host is running.
-      example: us-east-1c
-    - name: instance.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance ID of the host machine.
-      example: i-1234567890abcdef0
-    - name: instance.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance name of the host machine.
-    - name: machine.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the host machine.
-      example: t2.medium
-    - name: provider
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-      example: aws
-    - name: region
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Region in which this host is running.
-      example: us-east-1
-    - name: project.id
-      type: keyword
-      description: Name of the project in Google Cloud.
-    - name: image.id
-      type: keyword
-      description: Image ID for the cloud instance.
 - name: container
   title: Container
   group: 2
diff --git a/packages/aws/data_stream/elb_metrics/fields/agent.yml b/packages/aws/data_stream/elb_metrics/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/elb_metrics/fields/agent.yml
+++ b/packages/aws/data_stream/elb_metrics/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
-  title: Cloud
-  group: 2
-  description: Fields related to the cloud or infrastructure the events are coming from.
-  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
-  type: group
-  fields:
-    - name: account.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
-        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
-      example: 666777888999
-    - name: availability_zone
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Availability zone in which this host is running.
-      example: us-east-1c
-    - name: instance.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance ID of the host machine.
-      example: i-1234567890abcdef0
-    - name: instance.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance name of the host machine.
-    - name: machine.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the host machine.
-      example: t2.medium
-    - name: provider
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-      example: aws
-    - name: region
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Region in which this host is running.
-      example: us-east-1
-    - name: project.id
-      type: keyword
-      description: Name of the project in Google Cloud.
-    - name: image.id
-      type: keyword
-      description: Image ID for the cloud instance.
 - name: container
   title: Container
   group: 2
diff --git a/packages/aws/data_stream/elb_metrics/fields/ecs.yml b/packages/aws/data_stream/elb_metrics/fields/ecs.yml
index 83e3f6f1225..3ee1d551d0b 100644
--- a/packages/aws/data_stream/elb_metrics/fields/ecs.yml
+++ b/packages/aws/data_stream/elb_metrics/fields/ecs.yml
@@ -1,23 +1,7 @@
 - external: ecs
   name: cloud
-- external: ecs
-  name: cloud.account.id
-- external: ecs
-  name: cloud.account.name
-- external: ecs
-  name: cloud.availability_zone
-- external: ecs
-  name: cloud.instance.id
-- external: ecs
-  name: cloud.machine.type
-- external: ecs
-  name: cloud.provider
-- external: ecs
-  name: cloud.region
 - external: ecs
   name: ecs.version
-- external: ecs
-  name: error
 - external: ecs
   name: error.message
 - external: ecs
diff --git a/packages/aws/data_stream/firewall_logs/fields/agent.yml b/packages/aws/data_stream/firewall_logs/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/firewall_logs/fields/agent.yml
+++ b/packages/aws/data_stream/firewall_logs/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
-  title: Cloud
-  group: 2
-  description: Fields related to the cloud or infrastructure the events are coming from.
-  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
-  type: group
-  fields:
-    - name: account.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
-        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
-      example: 666777888999
-    - name: availability_zone
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Availability zone in which this host is running.
-      example: us-east-1c
-    - name: instance.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance ID of the host machine.
-      example: i-1234567890abcdef0
-    - name: instance.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance name of the host machine.
-    - name: machine.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the host machine.
-      example: t2.medium
-    - name: provider
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-      example: aws
-    - name: region
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Region in which this host is running.
-      example: us-east-1
-    - name: project.id
-      type: keyword
-      description: Name of the project in Google Cloud.
-    - name: image.id
-      type: keyword
-      description: Image ID for the cloud instance.
 - name: container
   title: Container
   group: 2
diff --git a/packages/aws/data_stream/firewall_metrics/fields/agent.yml b/packages/aws/data_stream/firewall_metrics/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/firewall_metrics/fields/agent.yml
+++ b/packages/aws/data_stream/firewall_metrics/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
-  title: Cloud
-  group: 2
-  description: Fields related to the cloud or infrastructure the events are coming from.
-  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
-  type: group
-  fields:
-    - name: account.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
-        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
-      example: 666777888999
-    - name: availability_zone
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Availability zone in which this host is running.
-      example: us-east-1c
-    - name: instance.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance ID of the host machine.
-      example: i-1234567890abcdef0
-    - name: instance.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance name of the host machine.
-    - name: machine.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the host machine.
-      example: t2.medium
-    - name: provider
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-      example: aws
-    - name: region
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Region in which this host is running.
-      example: us-east-1
-    - name: project.id
-      type: keyword
-      description: Name of the project in Google Cloud.
-    - name: image.id
-      type: keyword
-      description: Image ID for the cloud instance.
 - name: container
   title: Container
   group: 2
diff --git a/packages/aws/data_stream/firewall_metrics/fields/ecs.yml b/packages/aws/data_stream/firewall_metrics/fields/ecs.yml
index 83e3f6f1225..3ee1d551d0b 100644
--- a/packages/aws/data_stream/firewall_metrics/fields/ecs.yml
+++ b/packages/aws/data_stream/firewall_metrics/fields/ecs.yml
@@ -1,23 +1,7 @@
 - external: ecs
   name: cloud
-- external: ecs
-  name: cloud.account.id
-- external: ecs
-  name: cloud.account.name
-- external: ecs
-  name: cloud.availability_zone
-- external: ecs
-  name: cloud.instance.id
-- external: ecs
-  name: cloud.machine.type
-- external: ecs
-  name: cloud.provider
-- external: ecs
-  name: cloud.region
 - external: ecs
   name: ecs.version
-- external: ecs
-  name: error
 - external: ecs
   name: error.message
 - external: ecs
diff --git a/packages/aws/data_stream/lambda/fields/agent.yml b/packages/aws/data_stream/lambda/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/lambda/fields/agent.yml
+++ b/packages/aws/data_stream/lambda/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
-  title: Cloud
-  group: 2
-  description: Fields related to the cloud or infrastructure the events are coming from.
-  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
-  type: group
-  fields:
-    - name: account.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
-        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
-      example: 666777888999
-    - name: availability_zone
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Availability zone in which this host is running.
-      example: us-east-1c
-    - name: instance.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance ID of the host machine.
-      example: i-1234567890abcdef0
-    - name: instance.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance name of the host machine.
-    - name: machine.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the host machine.
-      example: t2.medium
-    - name: provider
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-      example: aws
-    - name: region
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Region in which this host is running.
-      example: us-east-1
-    - name: project.id
-      type: keyword
-      description: Name of the project in Google Cloud.
-    - name: image.id
-      type: keyword
-      description: Image ID for the cloud instance.
 - name: container
   title: Container
   group: 2
diff --git a/packages/aws/data_stream/lambda/fields/ecs.yml b/packages/aws/data_stream/lambda/fields/ecs.yml
index 83e3f6f1225..3ee1d551d0b 100644
--- a/packages/aws/data_stream/lambda/fields/ecs.yml
+++ b/packages/aws/data_stream/lambda/fields/ecs.yml
@@ -1,23 +1,7 @@
 - external: ecs
   name: cloud
-- external: ecs
-  name: cloud.account.id
-- external: ecs
-  name: cloud.account.name
-- external: ecs
-  name: cloud.availability_zone
-- external: ecs
-  name: cloud.instance.id
-- external: ecs
-  name: cloud.machine.type
-- external: ecs
-  name: cloud.provider
-- external: ecs
-  name: cloud.region
 - external: ecs
   name: ecs.version
-- external: ecs
-  name: error
 - external: ecs
   name: error.message
 - external: ecs
diff --git a/packages/aws/data_stream/natgateway/fields/agent.yml b/packages/aws/data_stream/natgateway/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/natgateway/fields/agent.yml
+++ b/packages/aws/data_stream/natgateway/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
-  title: Cloud
-  group: 2
-  description: Fields related to the cloud or infrastructure the events are coming from.
-  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
-  type: group
-  fields:
-    - name: account.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
-        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
-      example: 666777888999
-    - name: availability_zone
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Availability zone in which this host is running.
-      example: us-east-1c
-    - name: instance.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance ID of the host machine.
-      example: i-1234567890abcdef0
-    - name: instance.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance name of the host machine.
-    - name: machine.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the host machine.
-      example: t2.medium
-    - name: provider
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-      example: aws
-    - name: region
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Region in which this host is running.
-      example: us-east-1
-    - name: project.id
-      type: keyword
-      description: Name of the project in Google Cloud.
-    - name: image.id
-      type: keyword
-      description: Image ID for the cloud instance.
 - name: container
   title: Container
   group: 2
diff --git a/packages/aws/data_stream/natgateway/fields/ecs.yml b/packages/aws/data_stream/natgateway/fields/ecs.yml
index 83e3f6f1225..3ee1d551d0b 100644
--- a/packages/aws/data_stream/natgateway/fields/ecs.yml
+++ b/packages/aws/data_stream/natgateway/fields/ecs.yml
@@ -1,23 +1,7 @@
 - external: ecs
   name: cloud
-- external: ecs
-  name: cloud.account.id
-- external: ecs
-  name: cloud.account.name
-- external: ecs
-  name: cloud.availability_zone
-- external: ecs
-  name: cloud.instance.id
-- external: ecs
-  name: cloud.machine.type
-- external: ecs
-  name: cloud.provider
-- external: ecs
-  name: cloud.region
 - external: ecs
   name: ecs.version
-- external: ecs
-  name: error
 - external: ecs
   name: error.message
 - external: ecs
diff --git a/packages/aws/data_stream/rds/fields/agent.yml b/packages/aws/data_stream/rds/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/rds/fields/agent.yml
+++ b/packages/aws/data_stream/rds/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
-  title: Cloud
-  group: 2
-  description: Fields related to the cloud or infrastructure the events are coming from.
-  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
-  type: group
-  fields:
-    - name: account.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
-        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
-      example: 666777888999
-    - name: availability_zone
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Availability zone in which this host is running.
-      example: us-east-1c
-    - name: instance.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance ID of the host machine.
-      example: i-1234567890abcdef0
-    - name: instance.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance name of the host machine.
-    - name: machine.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the host machine.
-      example: t2.medium
-    - name: provider
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-      example: aws
-    - name: region
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Region in which this host is running.
-      example: us-east-1
-    - name: project.id
-      type: keyword
-      description: Name of the project in Google Cloud.
-    - name: image.id
-      type: keyword
-      description: Image ID for the cloud instance.
 - name: container
   title: Container
   group: 2
diff --git a/packages/aws/data_stream/rds/fields/ecs.yml b/packages/aws/data_stream/rds/fields/ecs.yml
index 83e3f6f1225..3ee1d551d0b 100644
--- a/packages/aws/data_stream/rds/fields/ecs.yml
+++ b/packages/aws/data_stream/rds/fields/ecs.yml
@@ -1,23 +1,7 @@
 - external: ecs
   name: cloud
-- external: ecs
-  name: cloud.account.id
-- external: ecs
-  name: cloud.account.name
-- external: ecs
-  name: cloud.availability_zone
-- external: ecs
-  name: cloud.instance.id
-- external: ecs
-  name: cloud.machine.type
-- external: ecs
-  name: cloud.provider
-- external: ecs
-  name: cloud.region
 - external: ecs
   name: ecs.version
-- external: ecs
-  name: error
 - external: ecs
   name: error.message
 - external: ecs
diff --git a/packages/aws/data_stream/route53_public_logs/fields/agent.yml b/packages/aws/data_stream/route53_public_logs/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/route53_public_logs/fields/agent.yml
+++ b/packages/aws/data_stream/route53_public_logs/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
-  title: Cloud
-  group: 2
-  description: Fields related to the cloud or infrastructure the events are coming from.
-  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
-  type: group
-  fields:
-    - name: account.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
-        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
-      example: 666777888999
-    - name: availability_zone
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Availability zone in which this host is running.
-      example: us-east-1c
-    - name: instance.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance ID of the host machine.
-      example: i-1234567890abcdef0
-    - name: instance.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance name of the host machine.
-    - name: machine.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the host machine.
-      example: t2.medium
-    - name: provider
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-      example: aws
-    - name: region
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Region in which this host is running.
-      example: us-east-1
-    - name: project.id
-      type: keyword
-      description: Name of the project in Google Cloud.
-    - name: image.id
-      type: keyword
-      description: Image ID for the cloud instance.
 - name: container
   title: Container
   group: 2
diff --git a/packages/aws/data_stream/route53_resolver_logs/fields/agent.yml b/packages/aws/data_stream/route53_resolver_logs/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/route53_resolver_logs/fields/agent.yml
+++ b/packages/aws/data_stream/route53_resolver_logs/fields/agent.yml
@@ -1,59 +1,3 @@
-- name: cloud
-  title: Cloud
-  group: 2
-  description: Fields related to the cloud or infrastructure the events are coming from.
-  footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
-  type: group
-  fields:
-    - name: account.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment.
-
-        Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.'
-      example: 666777888999
-    - name: availability_zone
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Availability zone in which this host is running.
-      example: us-east-1c
-    - name: instance.id
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance ID of the host machine.
-      example: i-1234567890abcdef0
-    - name: instance.name
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Instance name of the host machine.
-    - name: machine.type
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Machine type of the host machine.
-      example: t2.medium
-    - name: provider
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
-      example: aws
-    - name: region
-      level: extended
-      type: keyword
-      ignore_above: 1024
-      description: Region in which this host is running.
-      example: us-east-1
-    - name: project.id
-      type: keyword
-      description: Name of the project in Google Cloud.
-    - name: image.id
-      type: keyword
-      description: Image ID for the cloud instance.
 - name: container
   title: Container
   group: 2
diff --git a/packages/aws/data_stream/s3_daily_storage/fields/agent.yml b/packages/aws/data_stream/s3_daily_storage/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/s3_daily_storage/fields/agent.yml
+++ b/packages/aws/data_stream/s3_daily_storage/fields/agent.yml
@@ -1,59 +1,3 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. - name: container title: Container group: 2 
diff --git a/packages/aws/data_stream/s3_daily_storage/fields/ecs.yml b/packages/aws/data_stream/s3_daily_storage/fields/ecs.yml
index 83e3f6f1225..3ee1d551d0b 100644
--- a/packages/aws/data_stream/s3_daily_storage/fields/ecs.yml
+++ b/packages/aws/data_stream/s3_daily_storage/fields/ecs.yml
@@ -1,23 +1,7 @@
- external: ecs
name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
- external: ecs
name: ecs.version
-- external: ecs
- name: error
- external: ecs
name: error.message
- external: ecs
diff --git a/packages/aws/data_stream/s3_request/fields/agent.yml b/packages/aws/data_stream/s3_request/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/s3_request/fields/agent.yml
+++ b/packages/aws/data_stream/s3_request/fields/agent.yml
@@ -1,59 +1,3 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. - name: container title: Container group: 2 
diff --git a/packages/aws/data_stream/s3_request/fields/ecs.yml b/packages/aws/data_stream/s3_request/fields/ecs.yml
index 83e3f6f1225..3ee1d551d0b 100644
--- a/packages/aws/data_stream/s3_request/fields/ecs.yml
+++ b/packages/aws/data_stream/s3_request/fields/ecs.yml
@@ -1,23 +1,7 @@
- external: ecs
name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
- external: ecs
name: ecs.version
-- external: ecs
- name: error
- external: ecs
name: error.message
- external: ecs
diff --git a/packages/aws/data_stream/s3_storage_lens/fields/agent.yml b/packages/aws/data_stream/s3_storage_lens/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/s3_storage_lens/fields/agent.yml
+++ b/packages/aws/data_stream/s3_storage_lens/fields/agent.yml
@@ -1,59 +1,3 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. - name: container title: Container group: 2 
diff --git a/packages/aws/data_stream/s3_storage_lens/fields/ecs.yml b/packages/aws/data_stream/s3_storage_lens/fields/ecs.yml
index 83e3f6f1225..3ee1d551d0b 100644
--- a/packages/aws/data_stream/s3_storage_lens/fields/ecs.yml
+++ b/packages/aws/data_stream/s3_storage_lens/fields/ecs.yml
@@ -1,23 +1,7 @@
- external: ecs
name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
- external: ecs
name: ecs.version
-- external: ecs
- name: error
- external: ecs
name: error.message
- external: ecs
diff --git a/packages/aws/data_stream/s3access/fields/agent.yml b/packages/aws/data_stream/s3access/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/s3access/fields/agent.yml
+++ b/packages/aws/data_stream/s3access/fields/agent.yml
@@ -1,59 +1,3 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. - name: container title: Container group: 2 
diff --git a/packages/aws/data_stream/sns/fields/agent.yml b/packages/aws/data_stream/sns/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/sns/fields/agent.yml
+++ b/packages/aws/data_stream/sns/fields/agent.yml
@@ -1,59 +1,3 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. - name: container title: Container group: 2 
diff --git a/packages/aws/data_stream/sns/fields/ecs.yml b/packages/aws/data_stream/sns/fields/ecs.yml
index 83e3f6f1225..3ee1d551d0b 100644
--- a/packages/aws/data_stream/sns/fields/ecs.yml
+++ b/packages/aws/data_stream/sns/fields/ecs.yml
@@ -1,23 +1,7 @@
- external: ecs
name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
- external: ecs
name: ecs.version
-- external: ecs
- name: error
- external: ecs
name: error.message
- external: ecs
diff --git a/packages/aws/data_stream/sqs/fields/agent.yml b/packages/aws/data_stream/sqs/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/sqs/fields/agent.yml
+++ b/packages/aws/data_stream/sqs/fields/agent.yml
@@ -1,59 +1,3 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. - name: container title: Container group: 2 
diff --git a/packages/aws/data_stream/sqs/fields/ecs.yml b/packages/aws/data_stream/sqs/fields/ecs.yml
index 83e3f6f1225..3ee1d551d0b 100644
--- a/packages/aws/data_stream/sqs/fields/ecs.yml
+++ b/packages/aws/data_stream/sqs/fields/ecs.yml
@@ -1,23 +1,7 @@
- external: ecs
name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
- external: ecs
name: ecs.version
-- external: ecs
- name: error
- external: ecs
name: error.message
- external: ecs
diff --git a/packages/aws/data_stream/transitgateway/fields/agent.yml b/packages/aws/data_stream/transitgateway/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/transitgateway/fields/agent.yml
+++ b/packages/aws/data_stream/transitgateway/fields/agent.yml
@@ -1,59 +1,3 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. - name: container title: Container group: 2 
diff --git a/packages/aws/data_stream/transitgateway/fields/ecs.yml b/packages/aws/data_stream/transitgateway/fields/ecs.yml
index 83e3f6f1225..3ee1d551d0b 100644
--- a/packages/aws/data_stream/transitgateway/fields/ecs.yml
+++ b/packages/aws/data_stream/transitgateway/fields/ecs.yml
@@ -1,23 +1,7 @@
- external: ecs
name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
- external: ecs
name: ecs.version
-- external: ecs
- name: error
- external: ecs
name: error.message
- external: ecs
diff --git a/packages/aws/data_stream/usage/fields/agent.yml b/packages/aws/data_stream/usage/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/usage/fields/agent.yml
+++ b/packages/aws/data_stream/usage/fields/agent.yml
@@ -1,59 +1,3 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. - name: container title: Container group: 2 
diff --git a/packages/aws/data_stream/usage/fields/ecs.yml b/packages/aws/data_stream/usage/fields/ecs.yml
index 83e3f6f1225..3ee1d551d0b 100644
--- a/packages/aws/data_stream/usage/fields/ecs.yml
+++ b/packages/aws/data_stream/usage/fields/ecs.yml
@@ -1,23 +1,7 @@
- external: ecs
name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
- external: ecs
name: ecs.version
-- external: ecs
- name: error
- external: ecs
name: error.message
- external: ecs
diff --git a/packages/aws/data_stream/vpcflow/fields/agent.yml b/packages/aws/data_stream/vpcflow/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/vpcflow/fields/agent.yml
+++ b/packages/aws/data_stream/vpcflow/fields/agent.yml
@@ -1,59 +1,3 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. - name: container title: Container group: 2 
diff --git a/packages/aws/data_stream/vpcflow/fields/ecs.yml b/packages/aws/data_stream/vpcflow/fields/ecs.yml
index 0c0d9f73c4c..77b14a355c7 100644
--- a/packages/aws/data_stream/vpcflow/fields/ecs.yml
+++ b/packages/aws/data_stream/vpcflow/fields/ecs.yml
@@ -68,8 +68,6 @@
external: ecs
- name: source.as.organization.name
external: ecs
-- name: source.as.organization.name
- external: ecs
- name: source.bytes
external: ecs
- name: source.geo.city_name
diff --git a/packages/aws/data_stream/vpn/fields/agent.yml b/packages/aws/data_stream/vpn/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/vpn/fields/agent.yml
+++ b/packages/aws/data_stream/vpn/fields/agent.yml
@@ -1,59 +1,3 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. - name: container title: Container group: 2 
diff --git a/packages/aws/data_stream/vpn/fields/ecs.yml b/packages/aws/data_stream/vpn/fields/ecs.yml
index 83e3f6f1225..3ee1d551d0b 100644
--- a/packages/aws/data_stream/vpn/fields/ecs.yml
+++ b/packages/aws/data_stream/vpn/fields/ecs.yml
@@ -1,23 +1,7 @@
- external: ecs
name: cloud
-- external: ecs
- name: cloud.account.id
-- external: ecs
- name: cloud.account.name
-- external: ecs
- name: cloud.availability_zone
-- external: ecs
- name: cloud.instance.id
-- external: ecs
- name: cloud.machine.type
-- external: ecs
- name: cloud.provider
-- external: ecs
- name: cloud.region
- external: ecs
name: ecs.version
-- external: ecs
- name: error
- external: ecs
name: error.message
- external: ecs
diff --git a/packages/aws/data_stream/waf/fields/agent.yml b/packages/aws/data_stream/waf/fields/agent.yml
index da4e652c53b..57264f48bfa 100644
--- a/packages/aws/data_stream/waf/fields/agent.yml
+++ b/packages/aws/data_stream/waf/fields/agent.yml
@@ -1,59 +1,3 @@ -- name: cloud - title: Cloud - group: 2 - description: Fields related to the cloud or infrastructure the events are coming from. - footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' - type: group - fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - - name: image.id - type: keyword - description: Image ID for the cloud instance. - name: container title: Container group: 2 
diff --git a/packages/aws/data_stream/waf/fields/ecs.yml b/packages/aws/data_stream/waf/fields/ecs.yml
index cf3ab8d9b70..019be5d6dba 100644
--- a/packages/aws/data_stream/waf/fields/ecs.yml
+++ b/packages/aws/data_stream/waf/fields/ecs.yml
@@ -3,7 +3,7 @@
- external: ecs
name: source.ip
- external: ecs
- name: cloud.provider
+ name: cloud
- external: ecs
name: ecs.version
- external: ecs
diff --git a/packages/aws/docs/billing.md b/packages/aws/docs/billing.md
index 197cf44ac2e..194a4b35eaf 100644
--- a/packages/aws/docs/billing.md
+++ b/packages/aws/docs/billing.md
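Review bot: Swapping `name: cloud.provider` for `name: cloud` imports the entire ECS cloud group rather than the single field this data stream previously declared, which is a mapping change and not the de-duplication performed by the neighbouring ecs.yml hunks, where `cloud` was already present and only the redundant `cloud.*` entries were dropped. Judging by the `cloud.origin.*` and `cloud.target.*` rows the generated billing.md hunk now lists, that likely adds a sizeable set of keyword fields to the waf index template. If WAF events only ever carry `cloud.provider`, the narrower reference keeps the mapping lean; if the full group is intended, a one-line comment above the entry such as `# whole ECS cloud group, not just cloud.provider` would record that choice for the next maintainer.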
@@ -97,17 +97,39 @@ An example event for `billing` looks as following:
 | aws.linked_account.name | Name or alias used to identify linked account. | keyword |
 | aws.s3.bucket.name | Name of a S3 bucket. | keyword |
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. 
| keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
 | cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. 
| keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -116,7 +138,6 @@ An example event for `billing` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
 | error.message | Error message. | match_only_text |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
diff --git a/packages/aws/docs/cloudfront.md b/packages/aws/docs/cloudfront.md
index d6faf5e11f4..cbf3caffed1 100644
--- a/packages/aws/docs/cloudfront.md
+++ b/packages/aws/docs/cloudfront.md
@@ -17,15 +17,6 @@ The `cloudfront` dataset collects standard logs(also called access logs) from AW
 | aws.cloudfront.edge_result_type | How the server classified the response after the last byte left the server. In some cases, the result type can change between the time that the server is ready to send the response and the time that it finishes sending the response. See also the x-edge-response-result-type field. For example, in HTTP streaming, suppose the server finds a segment of the stream in the cache. In that scenario, the value of this field would ordinarily be Hit. However, if the viewer closes the connection before the server has delivered the entire segment, the final result type (and the value of this field) is Error. WebSocket connections will have a value of Miss for this field because the content is not cacheable and is proxied directly to the origin. | keyword |
 | aws.cloudfront.time_to_first_byte | The number of seconds between receiving the request and writing the first byte of the response, as measured on the server. | float |
 | aws.edge_location | The edge location that served the request. Each edge location is identified by a three-letter code and an arbitrarily assigned number (for example, DFW3). The three-letter code typically corresponds with the International Air Transport Association (IATA) airport code for an airport near the edge location’s geographic location. | alias |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. 
| keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
diff --git a/packages/aws/docs/cloudtrail.md b/packages/aws/docs/cloudtrail.md
index 8a04a6d127f..345dafd381e 100644
--- a/packages/aws/docs/cloudtrail.md
+++ b/packages/aws/docs/cloudtrail.md
@@ -56,14 +56,7 @@ events for the account. If user creates a trail, it delivers those events as log
 | aws.cloudtrail.user_identity.type | The type of the identity | keyword |
 | aws.cloudtrail.vpc_endpoint_id | Identifies the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3. | keyword |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
diff --git a/packages/aws/docs/cloudwatch.md b/packages/aws/docs/cloudwatch.md
index 6c3b055e878..17ccd0a9f3a 100644
--- a/packages/aws/docs/cloudwatch.md
+++ b/packages/aws/docs/cloudwatch.md
@@ -13,15 +13,6 @@ setup already.
 |---|---|---|
 | @timestamp | Event timestamp. | date |
 | aws.cloudwatch.message | CloudWatch log message. | text |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -153,17 +144,39 @@ An example event for `cloudwatch` looks as following: | aws.dimensions.\* | Metric dimensions. | object | | aws.s3.bucket.name | Name of a S3 bucket. | keyword | | aws.tags.\* | Tag key value pairs from aws resources. | object | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.origin.instance.id | Instance ID of the host machine. | keyword | +| cloud.origin.instance.name | Instance name of the host machine. 
| keyword | +| cloud.origin.machine.type | Machine type of the host machine. | keyword | +| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.origin.region | Region in which this host, resource, or service is located. | keyword | +| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | +| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. 
Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.target.instance.id | Instance ID of the host machine. | keyword | +| cloud.target.instance.name | Instance name of the host machine. | keyword | +| cloud.target.machine.type | Machine type of the host machine. | keyword | +| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.target.region | Region in which this host, resource, or service is located. | keyword | +| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | 
@@ -172,7 +185,6 @@ An example event for `cloudwatch` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
 | error.message | Error message. | match_only_text |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
diff --git a/packages/aws/docs/dynamodb.md b/packages/aws/docs/dynamodb.md
index 7d8081fc703..3a98d5d9561 100644
--- a/packages/aws/docs/dynamodb.md
+++ b/packages/aws/docs/dynamodb.md
@@ -111,17 +111,39 @@ An example event for `dynamodb` looks as following: | aws.dynamodb.metrics.WriteThrottleEvents.sum | Requests to DynamoDB that exceed the provisioned write capacity units for a table or a global secondary index. | long | | aws.s3.bucket.name | Name of a S3 bucket. | keyword | | aws.tags.\* | Tag key value pairs from aws resources. | object | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.origin.instance.id | Instance ID of the host machine. 
| keyword | +| cloud.origin.instance.name | Instance name of the host machine. | keyword | +| cloud.origin.machine.type | Machine type of the host machine. | keyword | +| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.origin.region | Region in which this host, resource, or service is located. | keyword | +| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host, resource, or service is located. | keyword | +| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. 
Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.target.instance.id | Instance ID of the host machine. | keyword | +| cloud.target.instance.name | Instance name of the host machine. | keyword | +| cloud.target.machine.type | Machine type of the host machine. | keyword | +| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.target.region | Region in which this host, resource, or service is located. | keyword | +| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | 
@@ -130,7 +152,6 @@ An example event for `dynamodb` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
 | error.message | Error message. | match_only_text |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
diff --git a/packages/aws/docs/ebs.md b/packages/aws/docs/ebs.md
index f8f74442b8a..d603e40e0d7 100644
--- a/packages/aws/docs/ebs.md
+++ b/packages/aws/docs/ebs.md
@@ -95,17 +95,39 @@ An example event for `ebs` looks as following: | aws.ebs.metrics.VolumeWriteOps.avg | The total number of write operations in a specified period of time. | double | | aws.s3.bucket.name | Name of a S3 bucket. | keyword | | aws.tags.\* | Tag key value pairs from aws resources. | object | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.origin.instance.id | Instance ID of the host machine. 
| keyword | +| cloud.origin.instance.name | Instance name of the host machine. | keyword | +| cloud.origin.machine.type | Machine type of the host machine. | keyword | +| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.origin.region | Region in which this host, resource, or service is located. | keyword | +| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host, resource, or service is located. | keyword | +| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. 
Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.target.instance.id | Instance ID of the host machine. | keyword | +| cloud.target.instance.name | Instance name of the host machine. | keyword | +| cloud.target.machine.type | Machine type of the host machine. | keyword | +| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.target.region | Region in which this host, resource, or service is located. | keyword | +| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | 
@@ -114,7 +136,6 @@ An example event for `ebs` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
 | error.message | Error message. | match_only_text |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
diff --git a/packages/aws/docs/ec2.md b/packages/aws/docs/ec2.md
index efaeacdcb53..7f537b42c1f 100644
--- a/packages/aws/docs/ec2.md
+++ b/packages/aws/docs/ec2.md
@@ -13,15 +13,6 @@ and `process.name`. For logs from other services, please use `cloudwatch` datase
 |---|---|---|
 | @timestamp | Event timestamp. | date |
 | aws.ec2.ip_address | The internet address of the requester. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -299,17 +290,39 @@ An example event for `ec2` looks as following:
 | aws.ec2.status.check_failed_system | Reports whether the instance has passed the system status check in the last minute. | long |
 | aws.s3.bucket.name | Name of a S3 bucket. | keyword |
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -318,7 +331,6 @@ An example event for `ec2` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
 | error.message | Error message. | match_only_text |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
diff --git a/packages/aws/docs/elb.md b/packages/aws/docs/elb.md
index 5a9d2b07ad2..271e6e741c9 100644
--- a/packages/aws/docs/elb.md
+++ b/packages/aws/docs/elb.md
@@ -47,15 +47,7 @@ For network load balancer, please follow [enable access log for network load bal
 | aws.elb.tls_named_group | The TLS named group. | keyword |
 | aws.elb.trace_id | The contents of the `X-Amzn-Trace-Id` header. | keyword |
 | aws.elb.type | The type of the load balancer for v2 Load Balancers. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -363,17 +355,39 @@ An example event for `elb` looks as following:
 | aws.networkelb.metrics.UnHealthyHostCount.max | The number of targets that are considered unhealthy. | long |
 | aws.s3.bucket.name | Name of a S3 bucket. | keyword |
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
 | cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -382,7 +396,6 @@ An example event for `elb` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
 | error.message | Error message. | match_only_text |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
diff --git a/packages/aws/docs/firewall.md b/packages/aws/docs/firewall.md
index 23b902c76f7..052c1fbcae3 100644
--- a/packages/aws/docs/firewall.md
+++ b/packages/aws/docs/firewall.md
@@ -162,14 +162,7 @@ An example event for `firewall` looks as following:
 | aws.firewall.tcp_flags | The bitmask value for the following TCP flags: 2=SYN,18=SYN-ACK,1=FIN,4=RST | keyword |
 | aws.firewall.tcp_flags_array | List of TCP flags: 'fin, syn, rst, psh, ack, urg' | keyword |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -370,17 +363,39 @@ An example event for `firewall` looks as following:
 | aws.networkfirewall.ReceivedPackets.sum | The number of packets received by the Network Firewall. | long |
 | aws.s3.bucket.name | Name of a S3 bucket. | keyword |
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
 | cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -389,7 +404,6 @@ An example event for `firewall` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
 | error.message | Error message. | match_only_text |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
diff --git a/packages/aws/docs/lambda.md b/packages/aws/docs/lambda.md
index 97c154d2b9f..3cc4ee1a6a6 100644
--- a/packages/aws/docs/lambda.md
+++ b/packages/aws/docs/lambda.md
@@ -91,17 +91,39 @@ An example event for `lambda` looks as following:
 | aws.lambda.metrics.UnreservedConcurrentExecutions.avg | For an AWS Region, the number of events that are being processed by functions that don't have reserved concurrency. | double |
 | aws.s3.bucket.name | Name of a S3 bucket. | keyword |
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
 | cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -110,7 +132,6 @@ An example event for `lambda` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
 | error.message | Error message. | match_only_text |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
diff --git a/packages/aws/docs/natgateway.md b/packages/aws/docs/natgateway.md
index 8eccefa4668..f78b4ce5de8 100644
--- a/packages/aws/docs/natgateway.md
+++ b/packages/aws/docs/natgateway.md
@@ -116,17 +116,39 @@ An example event for `natgateway` looks as following:
 | aws.natgateway.metrics.PacketsOutToSource.sum | The number of packets sent through the NAT gateway to the clients in your VPC. | long |
 | aws.s3.bucket.name | Name of a S3 bucket. | keyword |
 | aws.tags.\* | Tag key value pairs from aws resources. | object |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -135,7 +157,6 @@ An example event for `natgateway` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
 | error.message | Error message. | match_only_text |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
diff --git a/packages/aws/docs/rds.md b/packages/aws/docs/rds.md
index a95b2430896..040c56899a9 100644
--- a/packages/aws/docs/rds.md
+++ b/packages/aws/docs/rds.md
@@ -198,17 +198,39 @@ An example event for `rds` looks as following: | aws.rds.write_io.ops_per_sec | The average number of disk write I/O operations per second. | float | | aws.s3.bucket.name | Name of a S3 bucket. | keyword | | aws.tags.\* | Tag key value pairs from aws resources. | object | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.origin.instance.id | Instance ID of the host machine. | keyword | +| cloud.origin.instance.name | Instance name of the host machine. 
| keyword | +| cloud.origin.machine.type | Machine type of the host machine. | keyword | +| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.origin.region | Region in which this host, resource, or service is located. | keyword | +| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host, resource, or service is located. | keyword | +| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. 
| keyword | +| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.target.instance.id | Instance ID of the host machine. | keyword | +| cloud.target.instance.name | Instance name of the host machine. | keyword | +| cloud.target.machine.type | Machine type of the host machine. | keyword | +| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.target.region | Region in which this host, resource, or service is located. | keyword | +| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | 
@@ -217,7 +239,6 @@ An example event for `rds` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
 | error.message | Error message. | match_only_text |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
diff --git a/packages/aws/docs/route53.md b/packages/aws/docs/route53.md
index 0c0ab49f5f7..ee451d2b133 100644
--- a/packages/aws/docs/route53.md
+++ b/packages/aws/docs/route53.md
@@ -126,15 +126,6 @@ An example event for `route53_public` looks as following:
 | awscloudwatch.ingestion_time | AWS CloudWatch ingest time | date |
 | awscloudwatch.log_group | AWS CloudWatch Log Group name | keyword |
 | awscloudwatch.log_stream | AWS CloudWatch Log Stream name | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -353,15 +344,6 @@ An example event for `route53_resolver` looks as following:
 | awscloudwatch.ingestion_time | AWS CloudWatch ingest time | date |
 | awscloudwatch.log_group | AWS CloudWatch Log Group name | keyword |
 | awscloudwatch.log_stream | AWS CloudWatch Log Stream name | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
diff --git a/packages/aws/docs/s3.md b/packages/aws/docs/s3.md
index baebc1ecbb6..83a2a707a46 100644
--- a/packages/aws/docs/s3.md
+++ b/packages/aws/docs/s3.md
@@ -41,15 +41,7 @@ for sending server access logs to S3 bucket.
 | client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
 | client.ip | IP address of the client (IPv4 or IPv6). | ip |
 | client.user.id | Unique identifier of the user. | keyword |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -310,17 +302,39 @@ An example event for `s3_daily_storage` looks as following: | aws.s3_daily_storage.bucket.size.bytes | The amount of data in bytes stored in a bucket. | long | | aws.s3_daily_storage.number_of_objects | The total number of objects stored in a bucket for all storage classes. | long | | aws.tags.\* | Tag key value pairs from aws resources. | object | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. 
| keyword | +| cloud.origin.instance.id | Instance ID of the host machine. | keyword | +| cloud.origin.instance.name | Instance name of the host machine. | keyword | +| cloud.origin.machine.type | Machine type of the host machine. | keyword | +| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.origin.region | Region in which this host, resource, or service is located. | keyword | +| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host, resource, or service is located. | keyword | +| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | +| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.target.instance.id | Instance ID of the host machine. | keyword | +| cloud.target.instance.name | Instance name of the host machine. | keyword | +| cloud.target.machine.type | Machine type of the host machine. | keyword | +| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.target.region | Region in which this host, resource, or service is located. | keyword | +| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | 
@@ -329,7 +343,6 @@ An example event for `s3_daily_storage` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
 | error.message | Error message. | match_only_text |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
@@ -449,17 +462,39 @@ An example event for `s3_request` looks as following: | aws.s3_request.requests.total | The total number of HTTP requests made to an Amazon S3 bucket, regardless of type. | long | | aws.s3_request.uploaded.bytes | The number bytes uploaded that contain a request body, made to an Amazon S3 bucket. | long | | aws.tags.\* | Tag key value pairs from aws resources. | object | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.origin.instance.id | Instance ID of the host machine. 
| keyword | +| cloud.origin.instance.name | Instance name of the host machine. | keyword | +| cloud.origin.machine.type | Machine type of the host machine. | keyword | +| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.origin.region | Region in which this host, resource, or service is located. | keyword | +| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host, resource, or service is located. | keyword | +| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. 
Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.target.instance.id | Instance ID of the host machine. | keyword | +| cloud.target.instance.name | Instance name of the host machine. | keyword | +| cloud.target.machine.type | Machine type of the host machine. | keyword | +| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.target.region | Region in which this host, resource, or service is located. | keyword | +| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | 
@@ -468,7 +503,6 @@ An example event for `s3_request` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
 | error.message | Error message. | match_only_text |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
diff --git a/packages/aws/docs/s3_storage_lens.md b/packages/aws/docs/s3_storage_lens.md
index a1482d649c6..1ba60211d06 100644
--- a/packages/aws/docs/s3_storage_lens.md
+++ b/packages/aws/docs/s3_storage_lens.md
@@ -184,17 +184,39 @@ An example event for `s3_storage_lens` looks as following: | aws.s3_storage_lens.metrics.SelectScannedBytes.avg | The number of select bytes scanned. | long | | aws.s3_storage_lens.metrics.StorageBytes.avg | The total storage in bytes | long | | aws.tags.\* | Tag key value pairs from aws resources. | object | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.origin.instance.id | Instance ID of the host machine. 
| keyword | +| cloud.origin.instance.name | Instance name of the host machine. | keyword | +| cloud.origin.machine.type | Machine type of the host machine. | keyword | +| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.origin.region | Region in which this host, resource, or service is located. | keyword | +| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | +| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | +| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.target.instance.id | Instance ID of the host machine. | keyword | +| cloud.target.instance.name | Instance name of the host machine. | keyword | +| cloud.target.machine.type | Machine type of the host machine. | keyword | +| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.target.region | Region in which this host, resource, or service is located. | keyword | +| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | 
@@ -203,7 +225,6 @@ An example event for `s3_storage_lens` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
 | error.message | Error message. | match_only_text |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
diff --git a/packages/aws/docs/sns.md b/packages/aws/docs/sns.md
index a861dbd6b26..9b4a69dffc9 100644
--- a/packages/aws/docs/sns.md
+++ b/packages/aws/docs/sns.md
@@ -90,17 +90,39 @@ An example event for `sns` looks as following: | aws.sns.metrics.SMSMonthToDateSpentUSD.sum | The charges you have accrued since the start of the current calendar month for sending SMS messages. | long | | aws.sns.metrics.SMSSuccessRate.avg | The rate of successful SMS message deliveries. | double | | aws.tags.\* | Tag key value pairs from aws resources. | object | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.origin.instance.id | Instance ID of the host machine. 
| keyword | +| cloud.origin.instance.name | Instance name of the host machine. | keyword | +| cloud.origin.machine.type | Machine type of the host machine. | keyword | +| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.origin.region | Region in which this host, resource, or service is located. | keyword | +| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host, resource, or service is located. | keyword | +| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. 
Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.target.instance.id | Instance ID of the host machine. | keyword | +| cloud.target.instance.name | Instance name of the host machine. | keyword | +| cloud.target.machine.type | Machine type of the host machine. | keyword | +| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.target.region | Region in which this host, resource, or service is located. | keyword | +| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | 
@@ -109,7 +131,6 @@ An example event for `sns` looks as following: | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | | error.message | Error message. | match_only_text | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | diff --git a/packages/aws/docs/sqs.md b/packages/aws/docs/sqs.md index 7eb72d66a10..1e8ede4a88c 100644 --- a/packages/aws/docs/sqs.md +++ b/packages/aws/docs/sqs.md 
@@ -81,17 +81,39 @@ An example event for `sqs` looks as following: | aws.sqs.queue.name | SQS queue name | keyword | | aws.sqs.sent_message_size.bytes | The size of messages added to a queue. | long | | aws.tags.\* | Tag key value pairs from aws resources. | object | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.origin.instance.id | Instance ID of the host machine. | keyword | +| cloud.origin.instance.name | Instance name of the host machine. | keyword | +| cloud.origin.machine.type | Machine type of the host machine. 
| keyword | +| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.origin.region | Region in which this host, resource, or service is located. | keyword | +| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host, resource, or service is located. | keyword | +| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. 
| keyword | +| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.target.instance.id | Instance ID of the host machine. | keyword | +| cloud.target.instance.name | Instance name of the host machine. | keyword | +| cloud.target.machine.type | Machine type of the host machine. | keyword | +| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.target.region | Region in which this host, resource, or service is located. | keyword | +| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | 
@@ -100,7 +122,6 @@ An example event for `sqs` looks as following: | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | | error.message | Error message. | match_only_text | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | diff --git a/packages/aws/docs/transitgateway.md b/packages/aws/docs/transitgateway.md index df9fe83c9d3..5516961408c 100644 --- a/packages/aws/docs/transitgateway.md +++ b/packages/aws/docs/transitgateway.md 
@@ -88,17 +88,39 @@ An example event for `transitgateway` looks as following: | aws.transitgateway.metrics.PacketDropCountNoRoute.sum | The number of packets dropped because they did not match a route. | long | | aws.transitgateway.metrics.PacketsIn.sum | The number of packets received by the transit gateway. | long | | aws.transitgateway.metrics.PacketsOut.sum | The number of packets sent by the transit gateway. | long | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.origin.instance.id | Instance ID of the host machine. 
| keyword | +| cloud.origin.instance.name | Instance name of the host machine. | keyword | +| cloud.origin.machine.type | Machine type of the host machine. | keyword | +| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.origin.region | Region in which this host, resource, or service is located. | keyword | +| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host, resource, or service is located. | keyword | +| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. 
Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.target.instance.id | Instance ID of the host machine. | keyword | +| cloud.target.instance.name | Instance name of the host machine. | keyword | +| cloud.target.machine.type | Machine type of the host machine. | keyword | +| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.target.region | Region in which this host, resource, or service is located. | keyword | +| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | 
@@ -107,7 +129,6 @@ An example event for `transitgateway` looks as following: | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | | error.message | Error message. | match_only_text | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | diff --git a/packages/aws/docs/usage.md b/packages/aws/docs/usage.md index 863a54aeb40..e2cd39aae73 100644 --- a/packages/aws/docs/usage.md +++ b/packages/aws/docs/usage.md 
@@ -74,17 +74,39 @@ An example event for `usage` looks as following: | aws.tags.\* | Tag key value pairs from aws resources. | object | | aws.usage.metrics.CallCount.sum | The number of specified API operations performed in your account. | long | | aws.usage.metrics.ResourceCount.sum | The number of the specified resources running in your account. The resources are defined by the dimensions associated with the metric. | long | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. 
| keyword | +| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.origin.instance.id | Instance ID of the host machine. | keyword | +| cloud.origin.instance.name | Instance name of the host machine. | keyword | +| cloud.origin.machine.type | Machine type of the host machine. | keyword | +| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.origin.region | Region in which this host, resource, or service is located. | keyword | +| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host, resource, or service is located. | keyword | +| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.target.instance.id | Instance ID of the host machine. | keyword | +| cloud.target.instance.name | Instance name of the host machine. | keyword | +| cloud.target.machine.type | Machine type of the host machine. | keyword | +| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.target.region | Region in which this host, resource, or service is located. | keyword | +| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | 
@@ -93,7 +115,6 @@ An example event for `usage` looks as following: | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group | | error.message | Error message. | match_only_text | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | diff --git a/packages/aws/docs/vpcflow.md b/packages/aws/docs/vpcflow.md index 1092fe40574..174fe555625 100644 --- a/packages/aws/docs/vpcflow.md +++ b/packages/aws/docs/vpcflow.md 
@@ -48,14 +48,8 @@ This integration supports various plain text VPC flow log formats: | aws.vpcflow.version | The VPC Flow Logs version. If you use the default format, the version is 2. If you specify a custom format, the version is 3. | keyword | | aws.vpcflow.vpc_id | The ID of the VPC that contains the network interface for which the traffic is recorded. | keyword | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | diff --git a/packages/aws/docs/vpn.md b/packages/aws/docs/vpn.md index 51dd1dd69f1..4630aae7f4c 100644 --- a/packages/aws/docs/vpn.md +++ b/packages/aws/docs/vpn.md 
@@ -73,17 +73,39 @@ An example event for `vpn` looks as following: | aws.vpn.metrics.TunnelDataIn.sum | The bytes received through the VPN tunnel. | double | | aws.vpn.metrics.TunnelDataOut.sum | The bytes sent through the VPN tunnel. | double | | aws.vpn.metrics.TunnelState.avg | The state of the tunnel. For static VPNs, 0 indicates DOWN and 1 indicates UP. For BGP VPNs, 1 indicates ESTABLISHED and 0 is used for all other states. | double | -| cloud | Fields related to the cloud or infrastructure the events are coming from. | group | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. 
| keyword | +| cloud.origin.instance.id | Instance ID of the host machine. | keyword | +| cloud.origin.instance.name | Instance name of the host machine. | keyword | +| cloud.origin.machine.type | Machine type of the host machine. | keyword | +| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.origin.region | Region in which this host, resource, or service is located. | keyword | +| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | +| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. 
| keyword | +| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | +| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.target.instance.id | Instance ID of the host machine. | keyword | +| cloud.target.instance.name | Instance name of the host machine. | keyword | +| cloud.target.machine.type | Machine type of the host machine. | keyword | +| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.target.region | Region in which this host, resource, or service is located. | keyword | +| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | 
@@ -92,7 +114,6 @@ An example event for `vpn` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
 | error.message | Error message. | match_only_text |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
diff --git a/packages/aws/docs/waf.md b/packages/aws/docs/waf.md
index 79a504b6699..e09d0c24598 100644
--- a/packages/aws/docs/waf.md
+++ b/packages/aws/docs/waf.md
@@ -19,14 +19,38 @@ The `waf` dataset is specifically for WAF logs. Export logs from Kinesis Data Fi
 | aws.waf.source.name | The source of the request. Possible values: CF for Amazon CloudFront, APIGW for Amazon API Gateway, ALB for Application Load Balancer, and APPSYNC for AWS AppSync. | keyword |
 | aws.waf.terminating_rule_match_details | Detailed information about the terminating rule that matched the request. A terminating rule has an action that ends the inspection process against a web request. Possible actions for a terminating rule are ALLOW and BLOCK. This is only populated for SQL injection and cross-site scripting (XSS) match rule statements. As with all rule statements that inspect for more than one thing, AWS WAF applies the action on the first match and stops inspecting the web request. A web request with a terminating action could contain other threats, in addition to the one reported in the log. | nested |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud.
| keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running.
| keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id.
| keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
From 2de240657b4a7e8a0bcb4c587fa8151a4978e26d Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor
Date: Tue, 10 May 2022 11:05:56 +0200
Subject: [PATCH 07/28] Recover missing docs
---
packages/awsfargate/docs/README.md | 37 +-
.../azure_application_insights/docs/README.md | 25 +-
.../docs/app_state.md | 25 +-
packages/azure_metrics/docs/README.md | 188 ++-
packages/azure_metrics/docs/compute_vm.md | 23 +-
.../azure_metrics/docs/compute_vm_scaleset.md | 23 +-
.../azure_metrics/docs/container_instance.md | 23 +-
.../azure_metrics/docs/container_registry.md | 23 +-
.../azure_metrics/docs/container_service.md | 23 +-
.../azure_metrics/docs/database_account.md | 23 +-
packages/azure_metrics/docs/monitor.md | 27 +-
.../azure_metrics/docs/storage_account.md | 23 +-
packages/cockroachdb/docs/README.md | 25 +-
packages/docker/docs/README.md | 324 ++++-
packages/elasticsearch/docs/README.md | 114 +-
packages/haproxy/docs/README.md | 284 ++++-
packages/linux/docs/README.md | 457 ++++++-
packages/rabbitmq/docs/README.md | 94 +-
packages/redis/docs/README.md | 150 ++-
packages/system/docs/README.md | 1083 ++++++++++++++++-
20 files changed, 2897 insertions(+), 97 deletions(-)
diff --git a/packages/awsfargate/docs/README.md b/packages/awsfargate/docs/README.md
index 7659978eb8c..7258c64d877 100644
--- a/packages/awsfargate/docs/README.md
+++ b/packages/awsfargate/docs/README.md
@@ -340,29 +340,60 @@ If you want to learn more about Amazon ECS metrics, take a look at the blog post
 | awsfargate.task_stats.network.\*.outbound.errors | Total errors on incoming packets. | long |
 | awsfargate.task_stats.network.\*.outbound.packets | Total number of incoming packets. | long |
 | awsfargate.task_stats.task_name | ECS task name | keyword |
-| cloud | Fields related to the cloud or infrastructure the events are coming from. | group |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.origin.instance.id | Instance ID of the host machine. | keyword |
+| cloud.origin.instance.name | Instance name of the host machine. | keyword |
+| cloud.origin.machine.type | Machine type of the host machine.
| keyword |
+| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.origin.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
 | cloud.region | Region in which this host, resource, or service is located. | keyword |
-| container | Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime. | group |
+| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
+| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
| keyword |
+| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
+| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.target.instance.id | Instance ID of the host machine. | keyword |
+| cloud.target.instance.name | Instance name of the host machine. | keyword |
+| cloud.target.machine.type | Machine type of the host machine. | keyword |
+| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword |
+| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword |
+| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.target.region | Region in which this host, resource, or service is located. | keyword |
+| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
+| container.image.tag | Container image tags. | keyword |
+| container.labels | Image labels.
| object |
 | container.labels.com_amazonaws_ecs_cluster | ECS Cluster name | keyword |
 | container.labels.com_amazonaws_ecs_container-name | ECS container name | keyword |
 | container.labels.com_amazonaws_ecs_task-arn | ECS task ARN | keyword |
 | container.labels.com_amazonaws_ecs_task-definition-family | ECS task definition family | keyword |
 | container.labels.com_amazonaws_ecs_task-definition-version | ECS task definition version | keyword |
 | container.name | Container name. | keyword |
+| container.runtime | Runtime managing this container. | keyword |
 | data_stream.dataset | Data stream dataset. | constant_keyword |
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| error | These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. | group |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/azure_application_insights/docs/README.md b/packages/azure_application_insights/docs/README.md
index 52a291cad64..660e8a25d74 100644
--- a/packages/azure_application_insights/docs/README.md
+++ b/packages/azure_application_insights/docs/README.md
@@ -203,24 +203,45 @@ An example event for `app_insights` looks as following:
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code.
| keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.
| long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
 | host.os.name.text | Multi-field of `host.os.name`. | text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
 | service.address | Service address | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
| keyword |
diff --git a/packages/azure_application_insights/docs/app_state.md b/packages/azure_application_insights/docs/app_state.md
index 0e4d2b40d6d..8cc973b3ffd 100644
--- a/packages/azure_application_insights/docs/app_state.md
+++ b/packages/azure_application_insights/docs/app_state.md
@@ -70,24 +70,45 @@ Costs: Metric queries are charged based on the number of standard API calls. Mor
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code.
| keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection.
| long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
 | host.os.name.text | Multi-field of `host.os.name`. | text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
 | service.address | Service address | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
| keyword |
diff --git a/packages/azure_metrics/docs/README.md b/packages/azure_metrics/docs/README.md
index bd45a464479..14457bdb682 100644
--- a/packages/azure_metrics/docs/README.md
+++ b/packages/azure_metrics/docs/README.md
@@ -94,24 +94,45 @@ aggregation list, namespaces and metric dimensions. The monitor metrics will hav
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
 | service.address | Service address | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
@@ -158,24 +179,45 @@ so the `period` for `compute_vm` should be `300s` or multiples of `300s`.
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
 | host.mac | Host mac addresses. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
 | host.os.name.text | Multi-field of `host.os.name`. | text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
 | service.address | Service address | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
@@ -222,24 +264,45 @@ so the `period` for `compute_vm_scaleset` should be `300s` or multiples of `300s
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
 | host.mac | Host mac addresses. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
 | host.os.name.text | Multi-field of `host.os.name`. | text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
 | service.address | Service address | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
@@ -286,24 +349,45 @@ so the `period` for `storage_account` should be `300s` or multiples of `300s`.
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
 | host.mac | Host mac addresses. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
 | host.os.name.text | Multi-field of `host.os.name`. | text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
 | service.address | Service address | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
@@ -350,24 +434,45 @@ so the `period` for `container_instance` should be `300s` or multiples of `300s`
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
 | host.mac | Host mac addresses. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
 | host.os.name.text | Multi-field of `host.os.name`. | text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
 | service.address | Service address | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
@@ -414,24 +519,45 @@ so the `period` for `container_registry` should be `300s` or multiples of `300s`
 | dataset.namespace | Dataset namespace. | constant_keyword |
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
 | host.mac | Host mac addresses. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.full | Operating system name, including the version or code name. | keyword |
+| host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
 | host.os.name.text | Multi-field of `host.os.name`. | text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
 | service.address | Service address | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
@@ -478,24 +604,45 @@ so the `period` for `container_service` should be `300s` or multiples of `300s`. | dataset.namespace | Dataset namespace. | constant_keyword | | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. 
| keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host mac addresses. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. 
| long | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.name.text | Multi-field of `host.os.name`. | text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | | service.address | Service address | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | 
@@ -542,24 +689,45 @@ so the `period` for `database_account` should be `300s` or multiples of `300s`. | dataset.namespace | Dataset namespace. | constant_keyword | | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. 
| keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host mac addresses. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. 
| long | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.name.text | Multi-field of `host.os.name`. | text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | | service.address | Service address | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/azure_metrics/docs/compute_vm.md b/packages/azure_metrics/docs/compute_vm.md index 2d1a69cbaf0..e5e7e5c1076 100644 --- a/packages/azure_metrics/docs/compute_vm.md +++ b/packages/azure_metrics/docs/compute_vm.md 
@@ -108,23 +108,44 @@ Authentication: Dedicated authentication token will be created and updated regul | dataset.namespace | Dataset namespace. | constant_keyword | | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. 
| keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host mac addresses. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. 
| long | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.name.text | Multi-field of `host.os.name`. | text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | | service.address | Service address | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/azure_metrics/docs/compute_vm_scaleset.md b/packages/azure_metrics/docs/compute_vm_scaleset.md index cde27b0f3eb..b327b72d051 100644 --- a/packages/azure_metrics/docs/compute_vm_scaleset.md +++ b/packages/azure_metrics/docs/compute_vm_scaleset.md 
@@ -105,23 +105,44 @@ Authentication: we are handling authentication on our side (creating/renewing th | dataset.namespace | Dataset namespace. | constant_keyword | | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. 
| keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host mac addresses. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. 
| long | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.name.text | Multi-field of `host.os.name`. | text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | | service.address | Service address | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/azure_metrics/docs/container_instance.md b/packages/azure_metrics/docs/container_instance.md index 28cc4d368ee..9f3d9808a3f 100644 --- a/packages/azure_metrics/docs/container_instance.md +++ b/packages/azure_metrics/docs/container_instance.md 
@@ -105,23 +105,44 @@ Authentication: we are handling authentication on our side (creating/renewing th | dataset.namespace | Dataset namespace. | constant_keyword | | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. 
| keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host mac addresses. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. 
| long | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.name.text | Multi-field of `host.os.name`. | text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | | service.address | Service address | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/azure_metrics/docs/container_registry.md b/packages/azure_metrics/docs/container_registry.md index b508e438544..1563ef1ce8a 100644 --- a/packages/azure_metrics/docs/container_registry.md +++ b/packages/azure_metrics/docs/container_registry.md 
@@ -105,23 +105,44 @@ Authentication: we are handling authentication on our side (creating/renewing th | dataset.namespace | Dataset namespace. | constant_keyword | | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. 
| keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host mac addresses. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. 
| long | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.name.text | Multi-field of `host.os.name`. | text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | | service.address | Service address | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/azure_metrics/docs/container_service.md b/packages/azure_metrics/docs/container_service.md index b01622f9d7a..9a9196256a5 100644 --- a/packages/azure_metrics/docs/container_service.md +++ b/packages/azure_metrics/docs/container_service.md 
@@ -106,23 +106,44 @@ Authentication: we are handling authentication on our side (creating/renewing th | dataset.namespace | Dataset namespace. | constant_keyword | | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. 
| keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host mac addresses. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. 
| long | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.name.text | Multi-field of `host.os.name`. | text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | | service.address | Service address | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/azure_metrics/docs/database_account.md b/packages/azure_metrics/docs/database_account.md index dc3653b9169..6d2c0a24230 100644 --- a/packages/azure_metrics/docs/database_account.md +++ b/packages/azure_metrics/docs/database_account.md 
@@ -104,23 +104,44 @@ Authentication: we are handling authentication on our side (creating/renewing th | dataset.namespace | Dataset namespace. | constant_keyword | | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. 
| keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host mac addresses. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. 
| long | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.name.text | Multi-field of `host.os.name`. | text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | | service.address | Service address | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/azure_metrics/docs/monitor.md b/packages/azure_metrics/docs/monitor.md index af10b2be983..8a02b1f2a02 100644 --- a/packages/azure_metrics/docs/monitor.md +++ b/packages/azure_metrics/docs/monitor.md 
@@ -157,23 +157,44 @@ Authentication: we are handling authentication on our side (creating/renewing th | dataset.namespace | Dataset namespace. | constant_keyword | | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. 
| keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | | service.address | Service address | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. 
Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/azure_metrics/docs/storage_account.md b/packages/azure_metrics/docs/storage_account.md index 9887b0252db..89a88dd37b0 100644 --- a/packages/azure_metrics/docs/storage_account.md +++ b/packages/azure_metrics/docs/storage_account.md 
@@ -106,24 +106,45 @@ Authentication: we are handling authentication on our side (creating/renewing th | dataset.namespace | Dataset namespace. | constant_keyword | | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. 
| keyword | +| host.geo.country_name | Country name. | keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host mac addresses. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. 
| long | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | | host.os.name.text | Multi-field of `host.os.name`. | text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | | service.address | Service address | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/cockroachdb/docs/README.md b/packages/cockroachdb/docs/README.md index 5725dfdac26..0a1dca6d457 100644 --- a/packages/cockroachdb/docs/README.md +++ b/packages/cockroachdb/docs/README.md 
@@ -41,24 +41,45 @@ exposing metrics in Prometheus format. | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | host.architecture | Operating system architecture. | keyword | | host.containerized | If the host is a container. | boolean | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.geo.city_name | City name. | keyword | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | +| host.geo.continent_name | Name of the continent. | keyword | +| host.geo.country_iso_code | Country ISO code. | keyword | +| host.geo.country_name | Country name. 
| keyword | +| host.geo.location | Longitude and latitude. | geo_point | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| host.geo.region_iso_code | Region ISO code. | keyword | +| host.geo.region_name | Region name. | keyword | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | | host.mac | Host mac addresses. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | host.os.build | OS build information. 
| keyword | | host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.full | Operating system name, including the version or code name. | keyword | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| host.uptime | Seconds the host has been up. | long | | service.address | Service address | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/docker/docs/README.md b/packages/docker/docs/README.md index fefa34071a7..860023c146d 100644 --- a/packages/docker/docs/README.md +++ b/packages/docker/docs/README.md 
@@ -61,11 +61,31 @@ running Docker containers. | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | event.dataset | Event dataset | constant_keyword | | | event.module | Event module | constant_keyword | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | host.architecture | Operating system architecture. | keyword | | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | +| host.geo.city_name | City name. | keyword | | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | +| host.geo.continent_name | Name of the continent. | keyword | | +| host.geo.country_iso_code | Country ISO code. | keyword | | +| host.geo.country_name | Country name. | keyword | | +| host.geo.location | Longitude and latitude. 
| geo_point | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | +| host.geo.region_iso_code | Region ISO code. | keyword | | +| host.geo.region_name | Region name. | keyword | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | host.ip | Host ip addresses. | ip | | | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. 
| long | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | host.os.full | Operating system name, including the version or code name. | keyword | | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | 
@@ -73,8 +93,22 @@ running Docker containers.
 | host.os.name | Operating system name, without the version. | keyword | |
 | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | |
 | host.os.version | Operating system version as a raw string. | keyword | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
+| host.uptime | Seconds the host has been up. | long | |
+| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| host.user.email | User email address. | keyword | |
+| host.user.full_name | User's full name, if available. | keyword | |
+| host.user.full_name.text | Multi-field of `host.user.full_name`. | match_only_text | |
+| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| host.user.group.id | Unique identifier for the group on the system/platform. | keyword | |
+| host.user.group.name | Name of the group. | keyword | |
+| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | |
+| host.user.id | Unique identifier of the user. | keyword | |
+| host.user.name | Short name or login of the user. | keyword | |
+| host.user.name.text | Multi-field of `host.user.name`. | match_only_text | |
+| host.user.roles | Array of user roles at the time of the event. | keyword | |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
@@ -178,11 +212,31 @@ The Docker `cpu` data stream collects runtime CPU metrics.
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
 | event.dataset | Event dataset | constant_keyword | | |
 | event.module | Event module | constant_keyword | | |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | |
 | host.architecture | Operating system architecture. | keyword | | |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.geo.city_name | City name. | keyword | | |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | |
+| host.geo.continent_name | Name of the continent. | keyword | | |
+| host.geo.country_iso_code | Country ISO code. | keyword | | |
+| host.geo.country_name | Country name. | keyword | | |
+| host.geo.location | Longitude and latitude. | geo_point | | |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | |
+| host.geo.region_iso_code | Region ISO code. | keyword | | |
+| host.geo.region_name | Region name. | keyword | | |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
 | host.ip | Host ip addresses. | ip | | |
 | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
 | host.os.full | Operating system name, including the version or code name. | keyword | | |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | |
@@ -190,8 +244,22 @@ The Docker `cpu` data stream collects runtime CPU metrics.
 | host.os.name | Operating system name, without the version. | keyword | | |
 | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | |
 | host.os.version | Operating system version as a raw string. | keyword | | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
+| host.uptime | Seconds the host has been up. | long | | |
+| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| host.user.email | User email address. | keyword | | |
+| host.user.full_name | User's full name, if available. | keyword | | |
+| host.user.full_name.text | Multi-field of `host.user.full_name`. | match_only_text | | |
+| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| host.user.group.id | Unique identifier for the group on the system/platform. | keyword | | |
+| host.user.group.name | Name of the group. | keyword | | |
+| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | |
+| host.user.id | Unique identifier of the user. | keyword | | |
+| host.user.name | Short name or login of the user. | keyword | | |
+| host.user.name.text | Multi-field of `host.user.name`. | match_only_text | | |
+| host.user.roles | Array of user roles at the time of the event. | keyword | | |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
@@ -363,11 +431,31 @@ The Docker `diskio` data stream collects disk I/O metrics.
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
 | event.dataset | Event dataset | constant_keyword | | |
 | event.module | Event module | constant_keyword | | |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | |
 | host.architecture | Operating system architecture. | keyword | | |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.geo.city_name | City name. | keyword | | |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | |
+| host.geo.continent_name | Name of the continent. | keyword | | |
+| host.geo.country_iso_code | Country ISO code. | keyword | | |
+| host.geo.country_name | Country name. | keyword | | |
+| host.geo.location | Longitude and latitude. | geo_point | | |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | |
+| host.geo.region_iso_code | Region ISO code. | keyword | | |
+| host.geo.region_name | Region name. | keyword | | |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
 | host.ip | Host ip addresses. | ip | | |
 | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
 | host.os.full | Operating system name, including the version or code name. | keyword | | |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | |
@@ -375,8 +463,22 @@ The Docker `diskio` data stream collects disk I/O metrics.
 | host.os.name | Operating system name, without the version. | keyword | | |
 | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | |
 | host.os.version | Operating system version as a raw string. | keyword | | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
+| host.uptime | Seconds the host has been up. | long | | |
+| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| host.user.email | User email address. | keyword | | |
+| host.user.full_name | User's full name, if available. | keyword | | |
+| host.user.full_name.text | Multi-field of `host.user.full_name`. | match_only_text | | |
+| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| host.user.group.id | Unique identifier for the group on the system/platform. | keyword | | |
+| host.user.group.name | Name of the group. | keyword | | |
+| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | |
+| host.user.id | Unique identifier of the user. | keyword | | |
+| host.user.name | Short name or login of the user. | keyword | | |
+| host.user.name.text | Multi-field of `host.user.name`. | match_only_text | | |
+| host.user.roles | Array of user roles at the time of the event. | keyword | | |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
@@ -465,11 +567,31 @@ The Docker `event` data stream collects docker events
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
 | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.full | Operating system name, including the version or code name. | keyword |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
@@ -477,8 +599,22 @@ The Docker `event` data stream collects docker events
 | host.os.name | Operating system name, without the version. | keyword |
 | host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| host.uptime | Seconds the host has been up. | long |
+| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| host.user.email | User email address. | keyword |
+| host.user.full_name | User's full name, if available. | keyword |
+| host.user.full_name.text | Multi-field of `host.user.full_name`. | match_only_text |
+| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| host.user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| host.user.group.name | Name of the group. | keyword |
+| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| host.user.id | Unique identifier of the user. | keyword |
+| host.user.name | Short name or login of the user. | keyword |
+| host.user.name.text | Multi-field of `host.user.name`. | match_only_text |
+| host.user.roles | Array of user roles at the time of the event. | keyword |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
@@ -547,11 +683,31 @@ docker `HEALTHCHECK` instruction has been used to build the docker image.
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
 | event.dataset | Event dataset | constant_keyword | |
 | event.module | Event module | constant_keyword | |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | |
 | host.architecture | Operating system architecture. | keyword | |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.geo.city_name | City name. | keyword | |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword | |
+| host.geo.continent_name | Name of the continent. | keyword | |
+| host.geo.country_iso_code | Country ISO code. | keyword | |
+| host.geo.country_name | Country name. | keyword | |
+| host.geo.location | Longitude and latitude. | geo_point | |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | |
+| host.geo.region_iso_code | Region ISO code. | keyword | |
+| host.geo.region_name | Region name. | keyword | |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
 | host.ip | Host ip addresses. | ip | |
 | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
 | host.os.full | Operating system name, including the version or code name. | keyword | |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | |
@@ -559,8 +715,22 @@ docker `HEALTHCHECK` instruction has been used to build the docker image.
 | host.os.name | Operating system name, without the version. | keyword | |
 | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | |
 | host.os.version | Operating system version as a raw string. | keyword | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
+| host.uptime | Seconds the host has been up. | long | |
+| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| host.user.email | User email address. | keyword | |
+| host.user.full_name | User's full name, if available. | keyword | |
+| host.user.full_name.text | Multi-field of `host.user.full_name`. | match_only_text | |
+| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| host.user.group.id | Unique identifier for the group on the system/platform. | keyword | |
+| host.user.group.name | Name of the group. | keyword | |
+| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | |
+| host.user.id | Unique identifier of the user. | keyword | |
+| host.user.name | Short name or login of the user. | keyword | |
+| host.user.name.text | Multi-field of `host.user.name`. | match_only_text | |
+| host.user.roles | Array of user roles at the time of the event. | keyword | |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
@@ -655,11 +825,31 @@ The Docker `image` data stream collects metrics on docker images
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
 | event.dataset | Event dataset | constant_keyword | |
 | event.module | Event module | constant_keyword | |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | |
 | host.architecture | Operating system architecture. | keyword | |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.geo.city_name | City name. | keyword | |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword | |
+| host.geo.continent_name | Name of the continent. | keyword | |
+| host.geo.country_iso_code | Country ISO code. | keyword | |
+| host.geo.country_name | Country name. | keyword | |
+| host.geo.location | Longitude and latitude. | geo_point | |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | |
+| host.geo.region_iso_code | Region ISO code. | keyword | |
+| host.geo.region_name | Region name. | keyword | |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
 | host.ip | Host ip addresses. | ip | |
 | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
 | host.os.full | Operating system name, including the version or code name. | keyword | |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | |
@@ -667,8 +857,22 @@ The Docker `image` data stream collects metrics on docker images
 | host.os.name | Operating system name, without the version. | keyword | |
 | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | |
 | host.os.version | Operating system version as a raw string. | keyword | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
+| host.uptime | Seconds the host has been up. | long | |
+| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| host.user.email | User email address. | keyword | |
+| host.user.full_name | User's full name, if available. | keyword | |
+| host.user.full_name.text | Multi-field of `host.user.full_name`. | match_only_text | |
+| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| host.user.group.id | Unique identifier for the group on the system/platform. | keyword | |
+| host.user.group.name | Name of the group. | keyword | |
+| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | |
+| host.user.id | Unique identifier of the user. | keyword | |
+| host.user.name | Short name or login of the user. | keyword | |
+| host.user.name.text | Multi-field of `host.user.name`. | match_only_text | |
+| host.user.roles | Array of user roles at the time of the event. | keyword | |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
@@ -746,11 +950,31 @@ https://docs.docker.com/engine/reference/api/docker_remote_api_v1.24/#/display-s
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
 | event.dataset | Event dataset | constant_keyword | |
 | event.module | Event module | constant_keyword | |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | |
 | host.architecture | Operating system architecture. | keyword | |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.geo.city_name | City name. | keyword | |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword | |
+| host.geo.continent_name | Name of the continent. | keyword | |
+| host.geo.country_iso_code | Country ISO code. | keyword | |
+| host.geo.country_name | Country name. | keyword | |
+| host.geo.location | Longitude and latitude. | geo_point | |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | |
+| host.geo.region_iso_code | Region ISO code. | keyword | |
+| host.geo.region_name | Region name. | keyword | |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
 | host.ip | Host ip addresses. | ip | |
 | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
 | host.os.full | Operating system name, including the version or code name. | keyword | |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | |
@@ -758,8 +982,22 @@ https://docs.docker.com/engine/reference/api/docker_remote_api_v1.24/#/display-s
 | host.os.name | Operating system name, without the version. | keyword | |
 | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | |
 | host.os.version | Operating system version as a raw string. | keyword | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
+| host.uptime | Seconds the host has been up. | long | |
+| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| host.user.email | User email address. | keyword | |
+| host.user.full_name | User's full name, if available. | keyword | |
+| host.user.full_name.text | Multi-field of `host.user.full_name`. | match_only_text | |
+| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| host.user.group.id | Unique identifier for the group on the system/platform. | keyword | |
+| host.user.group.name | Name of the group. | keyword | |
+| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | |
+| host.user.id | Unique identifier of the user. | keyword | |
+| host.user.name | Short name or login of the user. | keyword | |
+| host.user.name.text | Multi-field of `host.user.name`. | match_only_text | |
+| host.user.roles | Array of user roles at the time of the event. | keyword | |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
@@ -829,11 +1067,31 @@ The Docker `memory` data stream collects memory metrics from docker.
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
 | event.dataset | Event dataset | constant_keyword | | |
 | event.module | Event module | constant_keyword | | |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | |
 | host.architecture | Operating system architecture. | keyword | | |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.geo.city_name | City name. | keyword | | |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | |
+| host.geo.continent_name | Name of the continent. | keyword | | |
+| host.geo.country_iso_code | Country ISO code. | keyword | | |
+| host.geo.country_name | Country name. | keyword | | |
+| host.geo.location | Longitude and latitude. | geo_point | | |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | |
+| host.geo.region_iso_code | Region ISO code. | keyword | | |
+| host.geo.region_name | Region name. | keyword | | |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
 | host.ip | Host ip addresses. | ip | | |
 | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
 | host.os.full | Operating system name, including the version or code name. | keyword | | |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | |
@@ -841,8 +1099,22 @@ The Docker `memory` data stream collects memory metrics from docker.
 | host.os.name | Operating system name, without the version. | keyword | | |
 | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | |
 | host.os.version | Operating system version as a raw string. | keyword | | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
+| host.uptime | Seconds the host has been up. | long | | |
+| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| host.user.email | User email address. | keyword | | |
+| host.user.full_name | User's full name, if available. | keyword | | |
+| host.user.full_name.text | Multi-field of `host.user.full_name`. | match_only_text | | |
+| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | |
+| host.user.group.id | Unique identifier for the group on the system/platform. | keyword | | |
+| host.user.group.name | Name of the group. | keyword | | |
+| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | |
+| host.user.id | Unique identifier of the user. | keyword | | |
+| host.user.name | Short name or login of the user. | keyword | | |
+| host.user.name.text | Multi-field of `host.user.name`. | match_only_text | | |
+| host.user.roles | Array of user roles at the time of the event. | keyword | | |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
@@ -958,11 +1230,31 @@ The Docker `network` data stream collects network metrics.
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
 | event.dataset | Event dataset | constant_keyword | |
 | event.module | Event module | constant_keyword | |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | |
 | host.architecture | Operating system architecture. | keyword | |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.geo.city_name | City name. | keyword | |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword | |
+| host.geo.continent_name | Name of the continent. | keyword | |
+| host.geo.country_iso_code | Country ISO code. | keyword | |
+| host.geo.country_name | Country name. | keyword | |
+| host.geo.location | Longitude and latitude. | geo_point | |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | |
+| host.geo.region_iso_code | Region ISO code. | keyword | |
+| host.geo.region_name | Region name. | keyword | |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
 | host.ip | Host ip addresses. | ip | |
 | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
 | host.os.full | Operating system name, including the version or code name. | keyword | |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | |
@@ -970,8 +1262,22 @@ The Docker `network` data stream collects network metrics.
 | host.os.name | Operating system name, without the version. | keyword | |
 | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | |
 | host.os.version | Operating system version as a raw string. | keyword | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
+| host.uptime | Seconds the host has been up. | long | |
+| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| host.user.email | User email address. | keyword | |
+| host.user.full_name | User's full name, if available. | keyword | |
+| host.user.full_name.text | Multi-field of `host.user.full_name`. | match_only_text | |
+| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | |
+| host.user.group.id | Unique identifier for the group on the system/platform. | keyword | |
+| host.user.group.name | Name of the group. | keyword | |
+| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | |
+| host.user.id | Unique identifier of the user. | keyword | |
+| host.user.name | Short name or login of the user. | keyword | |
+| host.user.name.text | Multi-field of `host.user.name`. | match_only_text | |
+| host.user.roles | Array of user roles at the time of the event. | keyword | |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
diff --git a/packages/elasticsearch/docs/README.md b/packages/elasticsearch/docs/README.md
index 456dc33182c..9c7d3a9f0f8 100644
--- a/packages/elasticsearch/docs/README.md
+++ b/packages/elasticsearch/docs/README.md
@@ -50,17 +50,123 @@ The Elasticsearch package is compatible with logs from Elasticsearch 6.2 and new | elasticsearch.node.id | ID of the node | keyword | | elasticsearch.node.name | Name of the node | keyword | | elasticsearch.shard.id | Id of the shard | keyword | -| http | Fields related to HTTP activity. Use the `url` field set to store the url of the request. | group | +| http.request.body.bytes | Size in bytes of the request body. | long | | http.request.body.content | The full HTTP request body. | wildcard | | http.request.body.content.text | Multi-field of `http.request.body.content`. | match_only_text | -| source | Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. | group | +| http.request.bytes | Total size in bytes of the request (body and headers). | long | +| http.request.id | A unique identifier for each HTTP request to correlate logs between clients and servers in transactions. The id may be contained in a non-standard HTTP header, such as `X-Request-ID` or `X-Correlation-ID`. | keyword | +| http.request.method | HTTP request method. Prior to ECS 1.6.0 the following guidance was provided: "The field value must be normalized to lowercase for querying." As of ECS 1.6.0, the guidance is deprecated because the original case of the method may be useful in anomaly detection. Original case will be mandated in ECS 2.0.0 | keyword | +| http.request.mime_type | Mime type of the body of the request. 
This value must only be populated based on the content of the request body, not on the `Content-Type` header. Comparing the mime type of a request with the request's Content-Type header can be helpful in detecting threats or misconfigured clients. | keyword | +| http.request.referrer | Referrer for this HTTP request. | keyword | +| http.response.body.bytes | Size in bytes of the response body. | long | +| http.response.body.content | The full HTTP response body. | wildcard | +| http.response.body.content.text | Multi-field of `http.response.body.content`. | match_only_text | +| http.response.bytes | Total size in bytes of the response (body and headers). | long | +| http.response.mime_type | Mime type of the body of the response. This value must only be populated based on the content of the response body, not on the `Content-Type` header. Comparing the mime type of a response with the response's Content-Type header can be helpful in detecting misconfigured servers. | keyword | +| http.response.status_code | HTTP response status code. | long | +| http.version | HTTP version. | keyword | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_code | Two-letter code representing continent's name. 
| keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | source.ip | IP address of the source (IPv4 or IPv6). | ip | -| url | URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. | group | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. | long | +| source.port | Port of the source. 
| long | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.email | User email address. | keyword | +| source.user.full_name | User's full name, if available. | keyword | +| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | +| source.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.group.id | Unique identifier for the group on the system/platform. 
| keyword | +| source.user.group.name | Name of the group. | keyword | +| source.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| source.user.roles | Array of user roles at the time of the event. | keyword | +| url.domain | Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. If the URL contains a literal IPv6 address enclosed by `[` and `]` (IETF RFC 2732), the `[` and `]` characters should also be captured in the `domain` field. | keyword | +| url.extension | The field contains the file extension from the original request url, excluding the leading dot. The file extension is only set if it exists, as not every url has a file extension. The leading period must not be included. For example, the value must be "png", not ".png". Note that when the file name has multiple extensions (example.tar.gz), only the last one should be captured ("gz", not "tar.gz"). | keyword | +| url.fragment | Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. | keyword | +| url.full | If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. | wildcard | +| url.full.text | Multi-field of `url.full`. | match_only_text | | url.original | Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. 
This field is meant to represent the URL as it was observed, complete or not. | wildcard | | url.original.text | Multi-field of `url.original`. | match_only_text | -| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | +| url.password | Password of the request. | keyword | +| url.path | Path of the request, such as "/search". | wildcard | +| url.port | Port of the request, such as 443. | long | +| url.query | The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. | keyword | +| url.registered_domain | The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| url.scheme | Scheme of the request, such as "https". Note: The `:` is not part of the scheme. | keyword | +| url.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. 
| keyword | +| url.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| url.username | Username of the request. | keyword | +| user.changes.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.changes.email | User email address. | keyword | +| user.changes.full_name | User's full name, if available. | keyword | +| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | +| user.changes.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.changes.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.changes.group.name | Name of the group. | keyword | +| user.changes.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.changes.id | Unique identifier of the user. | keyword | +| user.changes.name | Short name or login of the user. | keyword | +| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | +| user.changes.roles | Array of user roles at the time of the event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.email | User email address. 
| keyword | +| user.effective.full_name | User's full name, if available. | keyword | +| user.effective.full_name.text | Multi-field of `user.effective.full_name`. | match_only_text | +| user.effective.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.effective.group.name | Name of the group. | keyword | +| user.effective.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.effective.id | Unique identifier of the user. | keyword | +| user.effective.name | Short name or login of the user. | keyword | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | +| user.effective.roles | Array of user roles at the time of the event. | keyword | +| user.email | User email address. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.group.name | Name of the group. | keyword | +| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.id | Unique identifier of the user. | keyword | | user.name | Short name or login of the user. | keyword | | user.name.text | Multi-field of `user.name`. | match_only_text | +| user.roles | Array of user roles at the time of the event. | keyword | +| user.target.domain | Name of the directory the user is a member of. 
For example, an LDAP or Active Directory domain name. | keyword | +| user.target.email | User email address. | keyword | +| user.target.full_name | User's full name, if available. | keyword | +| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | +| user.target.roles | Array of user roles at the time of the event. | keyword | ### Deprecation diff --git a/packages/haproxy/docs/README.md b/packages/haproxy/docs/README.md index 3abf57087da..306d0412596 100644 --- a/packages/haproxy/docs/README.md +++ b/packages/haproxy/docs/README.md 
@@ -505,8 +505,148 @@ The fields reported are: | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | +| process.code_signature.exists | Boolean to capture if a signature is present. | boolean | +| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | +| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
| keyword | +| process.code_signature.subject_name | Subject name of the code signer | keyword | +| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | +| process.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | +| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | +| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.elf.architecture | Machine architecture of the ELF file. | keyword | +| process.elf.byte_order | Byte sequence of ELF file. | keyword | +| process.elf.cpu_type | CPU type of the ELF file. | keyword | +| process.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | +| process.elf.exports | List of exported element names and types. | flattened | +| process.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | +| process.elf.header.class | Header class of the ELF file. | keyword | +| process.elf.header.data | Data table of the ELF header. | keyword | +| process.elf.header.entrypoint | Header entrypoint of the ELF file. | long | +| process.elf.header.object_version | "0x1" for original ELF files. 
| keyword | +| process.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | +| process.elf.header.type | Header type of the ELF file. | keyword | +| process.elf.header.version | Version of the ELF header. | keyword | +| process.elf.imports | List of imported element names and types. | flattened | +| process.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | +| process.elf.sections.chi2 | Chi-square probability distribution of the section. | long | +| process.elf.sections.entropy | Shannon entropy calculation from the section. | long | +| process.elf.sections.flags | ELF Section List flags. | keyword | +| process.elf.sections.name | ELF Section List name. | keyword | +| process.elf.sections.physical_offset | ELF Section List offset. | keyword | +| process.elf.sections.physical_size | ELF Section List physical size. | long | +| process.elf.sections.type | ELF Section List type. | keyword | +| process.elf.sections.virtual_address | ELF Section List virtual address. | long | +| process.elf.sections.virtual_size | ELF Section List virtual size. | long | +| process.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | +| process.elf.segments.sections | ELF object segment sections. | keyword | +| process.elf.segments.type | ELF object segment type. | keyword | +| process.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | +| process.elf.telfhash | telfhash symbol hash for ELF file. | keyword | +| process.end | The time the process ended. | date | +| process.entity_id | Unique identifier for the process. 
The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.hash.md5 | MD5 hash. | keyword | +| process.hash.sha1 | SHA1 hash. | keyword | +| process.hash.sha256 | SHA256 hash. | keyword | +| process.hash.sha512 | SHA512 hash. | keyword | +| process.hash.ssdeep | SSDEEP hash. | keyword | +| process.name | Process name. Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.parent.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | +| process.parent.code_signature.exists | Boolean to capture if a signature is present. 
| boolean | +| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | +| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | +| process.parent.code_signature.subject_name | Subject name of the code signer | keyword | +| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | +| process.parent.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | +| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | +| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | +| process.parent.elf.architecture | Machine architecture of the ELF file. | keyword | +| process.parent.elf.byte_order | Byte sequence of ELF file. | keyword | +| process.parent.elf.cpu_type | CPU type of the ELF file. 
| keyword | +| process.parent.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | +| process.parent.elf.exports | List of exported element names and types. | flattened | +| process.parent.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | +| process.parent.elf.header.class | Header class of the ELF file. | keyword | +| process.parent.elf.header.data | Data table of the ELF header. | keyword | +| process.parent.elf.header.entrypoint | Header entrypoint of the ELF file. | long | +| process.parent.elf.header.object_version | "0x1" for original ELF files. | keyword | +| process.parent.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | +| process.parent.elf.header.type | Header type of the ELF file. | keyword | +| process.parent.elf.header.version | Version of the ELF header. | keyword | +| process.parent.elf.imports | List of imported element names and types. | flattened | +| process.parent.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | +| process.parent.elf.sections.chi2 | Chi-square probability distribution of the section. | long | +| process.parent.elf.sections.entropy | Shannon entropy calculation from the section. | long | +| process.parent.elf.sections.flags | ELF Section List flags. | keyword | +| process.parent.elf.sections.name | ELF Section List name. | keyword | +| process.parent.elf.sections.physical_offset | ELF Section List offset. | keyword | +| process.parent.elf.sections.physical_size | ELF Section List physical size. | long | +| process.parent.elf.sections.type | ELF Section List type. | keyword | +| process.parent.elf.sections.virtual_address | ELF Section List virtual address. 
| long | +| process.parent.elf.sections.virtual_size | ELF Section List virtual size. | long | +| process.parent.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | +| process.parent.elf.segments.sections | ELF object segment sections. | keyword | +| process.parent.elf.segments.type | ELF object segment type. | keyword | +| process.parent.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | +| process.parent.elf.telfhash | telfhash symbol hash for ELF file. | keyword | +| process.parent.end | The time the process ended. | date | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.parent.executable | Absolute path to the process executable. | keyword | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | +| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.parent.hash.md5 | MD5 hash. | keyword | +| process.parent.hash.sha1 | SHA1 hash. | keyword | +| process.parent.hash.sha256 | SHA256 hash. | keyword | +| process.parent.hash.sha512 | SHA512 hash. | keyword | +| process.parent.hash.ssdeep | SSDEEP hash. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. 
| match_only_text | +| process.parent.pe.architecture | CPU architecture target for the file. | keyword | +| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | +| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | +| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | +| process.parent.pgid | Identifier of the group of processes the process belongs to. | long | +| process.parent.pid | Process id. | long | +| process.parent.start | The time the process started. | date | +| process.parent.thread.id | Thread ID. | long | +| process.parent.thread.name | Thread name. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.parent.uptime | Seconds the process has been up. | long | +| process.parent.working_directory | The working directory of the process. | keyword | +| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. | match_only_text | +| process.pe.architecture | CPU architecture target for the file. 
| keyword | +| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | +| process.pe.description | Internal description of the file, provided at compile-time. | keyword | +| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | +| process.pgid | Identifier of the group of processes the process belongs to. | long | | process.pid | Process id. | long | +| process.start | The time the process started. | date | +| process.thread.id | Thread ID. | long | +| process.thread.name | Thread name. | keyword | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| process.uptime | Seconds the process has been up. | long | +| process.working_directory | The working directory of the process. | keyword | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. 
Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | 
@@ -734,8 +874,148 @@ The fields reported are:
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group |
+| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword |
+| process.code_signature.exists | Boolean to capture if a signature is present. | boolean |
+| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
+| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| process.code_signature.subject_name | Subject name of the code signer | keyword |
+| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword |
+| process.code_signature.timestamp | Date and time when the code signature was generated and signed. | date |
+| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean |
+| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.elf.architecture | Machine architecture of the ELF file. | keyword |
+| process.elf.byte_order | Byte sequence of ELF file. | keyword |
+| process.elf.cpu_type | CPU type of the ELF file. | keyword |
+| process.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date |
+| process.elf.exports | List of exported element names and types. | flattened |
+| process.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword |
+| process.elf.header.class | Header class of the ELF file. | keyword |
+| process.elf.header.data | Data table of the ELF header. | keyword |
+| process.elf.header.entrypoint | Header entrypoint of the ELF file. | long |
+| process.elf.header.object_version | "0x1" for original ELF files. | keyword |
+| process.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword |
+| process.elf.header.type | Header type of the ELF file. | keyword |
+| process.elf.header.version | Version of the ELF header. | keyword |
+| process.elf.imports | List of imported element names and types. | flattened |
+| process.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested |
+| process.elf.sections.chi2 | Chi-square probability distribution of the section. | long |
+| process.elf.sections.entropy | Shannon entropy calculation from the section. | long |
+| process.elf.sections.flags | ELF Section List flags. | keyword |
+| process.elf.sections.name | ELF Section List name. | keyword |
+| process.elf.sections.physical_offset | ELF Section List offset. | keyword |
+| process.elf.sections.physical_size | ELF Section List physical size. | long |
+| process.elf.sections.type | ELF Section List type. | keyword |
+| process.elf.sections.virtual_address | ELF Section List virtual address. | long |
+| process.elf.sections.virtual_size | ELF Section List virtual size. | long |
+| process.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested |
+| process.elf.segments.sections | ELF object segment sections. | keyword |
+| process.elf.segments.type | ELF object segment type. | keyword |
+| process.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword |
+| process.elf.telfhash | telfhash symbol hash for ELF file. | keyword |
+| process.end | The time the process ended. | date |
+| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
+| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long |
+| process.hash.md5 | MD5 hash. | keyword |
+| process.hash.sha1 | SHA1 hash. | keyword |
+| process.hash.sha256 | SHA256 hash. | keyword |
+| process.hash.sha512 | SHA512 hash. | keyword |
+| process.hash.ssdeep | SSDEEP hash. | keyword |
+| process.name | Process name. Sometimes called program name or similar. | keyword |
+| process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.parent.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword |
+| process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean |
+| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
+| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| process.parent.code_signature.subject_name | Subject name of the code signer | keyword |
+| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword |
+| process.parent.code_signature.timestamp | Date and time when the code signature was generated and signed. | date |
+| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean |
+| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean |
+| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
+| process.parent.elf.architecture | Machine architecture of the ELF file. | keyword |
+| process.parent.elf.byte_order | Byte sequence of ELF file. | keyword |
+| process.parent.elf.cpu_type | CPU type of the ELF file. | keyword |
+| process.parent.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date |
+| process.parent.elf.exports | List of exported element names and types. | flattened |
+| process.parent.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword |
+| process.parent.elf.header.class | Header class of the ELF file. | keyword |
+| process.parent.elf.header.data | Data table of the ELF header. | keyword |
+| process.parent.elf.header.entrypoint | Header entrypoint of the ELF file. | long |
+| process.parent.elf.header.object_version | "0x1" for original ELF files. | keyword |
+| process.parent.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword |
+| process.parent.elf.header.type | Header type of the ELF file. | keyword |
+| process.parent.elf.header.version | Version of the ELF header. | keyword |
+| process.parent.elf.imports | List of imported element names and types. | flattened |
+| process.parent.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested |
+| process.parent.elf.sections.chi2 | Chi-square probability distribution of the section. | long |
+| process.parent.elf.sections.entropy | Shannon entropy calculation from the section. | long |
+| process.parent.elf.sections.flags | ELF Section List flags. | keyword |
+| process.parent.elf.sections.name | ELF Section List name. | keyword |
+| process.parent.elf.sections.physical_offset | ELF Section List offset. | keyword |
+| process.parent.elf.sections.physical_size | ELF Section List physical size. | long |
+| process.parent.elf.sections.type | ELF Section List type. | keyword |
+| process.parent.elf.sections.virtual_address | ELF Section List virtual address. | long |
+| process.parent.elf.sections.virtual_size | ELF Section List virtual size. | long |
+| process.parent.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested |
+| process.parent.elf.segments.sections | ELF object segment sections. | keyword |
+| process.parent.elf.segments.type | ELF object segment type. | keyword |
+| process.parent.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword |
+| process.parent.elf.telfhash | telfhash symbol hash for ELF file. | keyword |
+| process.parent.end | The time the process ended. | date |
+| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.parent.executable | Absolute path to the process executable. | keyword |
+| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
+| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long |
+| process.parent.hash.md5 | MD5 hash. | keyword |
+| process.parent.hash.sha1 | SHA1 hash. | keyword |
+| process.parent.hash.sha256 | SHA256 hash. | keyword |
+| process.parent.hash.sha512 | SHA512 hash. | keyword |
+| process.parent.hash.ssdeep | SSDEEP hash. | keyword |
+| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
+| process.parent.pe.architecture | CPU architecture target for the file. | keyword |
+| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword |
+| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword |
+| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword |
+| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
+| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
+| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword |
+| process.parent.pgid | Identifier of the group of processes the process belongs to. | long |
+| process.parent.pid | Process id. | long |
+| process.parent.start | The time the process started. | date |
+| process.parent.thread.id | Thread ID. | long |
+| process.parent.thread.name | Thread name. | keyword |
+| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text |
+| process.parent.uptime | Seconds the process has been up. | long |
+| process.parent.working_directory | The working directory of the process. | keyword |
+| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. | match_only_text |
+| process.pe.architecture | CPU architecture target for the file. | keyword |
+| process.pe.company | Internal company name of the file, provided at compile-time. | keyword |
+| process.pe.description | Internal description of the file, provided at compile-time. | keyword |
+| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword |
+| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword |
+| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
+| process.pe.product | Internal product name of the file, provided at compile-time. | keyword |
+| process.pgid | Identifier of the group of processes the process belongs to. | long |
 | process.pid | Process id. | long |
+| process.start | The time the process started. | date |
+| process.thread.id | Thread ID. | long |
+| process.thread.name | Thread name. | keyword |
+| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
+| process.title.text | Multi-field of `process.title`. | match_only_text |
+| process.uptime | Seconds the process has been up. | long |
+| process.working_directory | The working directory of the process. | keyword |
+| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/linux/docs/README.md b/packages/linux/docs/README.md
index a5a133a5d37..9eebe50e4bb 100644
--- a/packages/linux/docs/README.md
+++ b/packages/linux/docs/README.md
@@ -253,15 +253,32 @@ This data stream is available on:
 | event.dataset | Event dataset | constant_keyword |
 | event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
 | event.module | Event module | constant_keyword |
-| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group |
 | host.architecture | Operating system architecture. | keyword |
 | host.containerized | If the host is a container. | boolean |
+| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
+| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
+| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
 | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.geo.city_name | City name. | keyword |
+| host.geo.continent_code | Two-letter code representing continent's name. | keyword |
+| host.geo.continent_name | Name of the continent. | keyword |
+| host.geo.country_iso_code | Country ISO code. | keyword |
+| host.geo.country_name | Country name. | keyword |
+| host.geo.location | Longitude and latitude. | geo_point |
+| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword |
+| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword |
+| host.geo.region_iso_code | Region ISO code. | keyword |
+| host.geo.region_name | Region name. | keyword |
+| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword |
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| host.mac | Host mac addresses. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
+| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
@@ -271,15 +288,164 @@ This data stream is available on:
 | host.os.name | Operating system name, without the version. | keyword |
 | host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group |
+| host.uptime | Seconds the host has been up. | long |
+| host.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| host.user.email | User email address. | keyword |
+| host.user.full_name | User's full name, if available. | keyword |
+| host.user.full_name.text | Multi-field of `host.user.full_name`. | match_only_text |
+| host.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword |
+| host.user.group.id | Unique identifier for the group on the system/platform. | keyword |
+| host.user.group.name | Name of the group. | keyword |
+| host.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword |
+| host.user.id | Unique identifier of the user. | keyword |
+| host.user.name | Short name or login of the user. | keyword |
+| host.user.name.text | Multi-field of `host.user.name`. | match_only_text |
+| host.user.roles | Array of user roles at the time of the event. | keyword |
+| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword |
+| process.code_signature.exists | Boolean to capture if a signature is present. | boolean |
+| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
+| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| process.code_signature.subject_name | Subject name of the code signer | keyword |
+| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword |
+| process.code_signature.timestamp | Date and time when the code signature was generated and signed. | date |
+| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean |
+| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean |
+| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.command_line.text | Multi-field of `process.command_line`. | match_only_text |
+| process.elf.architecture | Machine architecture of the ELF file. | keyword |
+| process.elf.byte_order | Byte sequence of ELF file. | keyword |
+| process.elf.cpu_type | CPU type of the ELF file. | keyword |
+| process.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date |
+| process.elf.exports | List of exported element names and types. | flattened |
+| process.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword |
+| process.elf.header.class | Header class of the ELF file. | keyword |
+| process.elf.header.data | Data table of the ELF header. | keyword |
+| process.elf.header.entrypoint | Header entrypoint of the ELF file. | long |
+| process.elf.header.object_version | "0x1" for original ELF files. | keyword |
+| process.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword |
+| process.elf.header.type | Header type of the ELF file. | keyword |
+| process.elf.header.version | Version of the ELF header. | keyword |
+| process.elf.imports | List of imported element names and types. | flattened |
+| process.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested |
+| process.elf.sections.chi2 | Chi-square probability distribution of the section. | long |
+| process.elf.sections.entropy | Shannon entropy calculation from the section. | long |
+| process.elf.sections.flags | ELF Section List flags. | keyword |
+| process.elf.sections.name | ELF Section List name. | keyword |
+| process.elf.sections.physical_offset | ELF Section List offset. | keyword |
+| process.elf.sections.physical_size | ELF Section List physical size. | long |
+| process.elf.sections.type | ELF Section List type. | keyword |
+| process.elf.sections.virtual_address | ELF Section List virtual address. | long |
+| process.elf.sections.virtual_size | ELF Section List virtual size. | long |
+| process.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested |
+| process.elf.segments.sections | ELF object segment sections. | keyword |
+| process.elf.segments.type | ELF object segment type. | keyword |
+| process.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword |
+| process.elf.telfhash | telfhash symbol hash for ELF file. | keyword |
+| process.end | The time the process ended. | date |
+| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.executable | Absolute path to the process executable. | keyword |
+| process.executable.text | Multi-field of `process.executable`. | match_only_text |
 | process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long |
+| process.hash.md5 | MD5 hash. | keyword |
+| process.hash.sha1 | SHA1 hash. | keyword |
+| process.hash.sha256 | SHA256 hash. | keyword |
+| process.hash.sha512 | SHA512 hash. | keyword |
+| process.hash.ssdeep | SSDEEP hash. | keyword |
 | process.name | Process name. Sometimes called program name or similar. | keyword |
 | process.name.text | Multi-field of `process.name`. | match_only_text |
+| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword |
+| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long |
+| process.parent.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword |
+| process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean |
+| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword |
+| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword |
+| process.parent.code_signature.subject_name | Subject name of the code signer | keyword |
+| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword |
+| process.parent.code_signature.timestamp | Date and time when the code signature was generated and signed. | date |
+| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean |
+| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean |
+| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard |
+| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text |
+| process.parent.elf.architecture | Machine architecture of the ELF file. | keyword |
+| process.parent.elf.byte_order | Byte sequence of ELF file. | keyword |
+| process.parent.elf.cpu_type | CPU type of the ELF file. | keyword |
+| process.parent.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date |
+| process.parent.elf.exports | List of exported element names and types. | flattened |
+| process.parent.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword |
+| process.parent.elf.header.class | Header class of the ELF file. | keyword |
+| process.parent.elf.header.data | Data table of the ELF header. | keyword |
+| process.parent.elf.header.entrypoint | Header entrypoint of the ELF file. | long |
+| process.parent.elf.header.object_version | "0x1" for original ELF files. | keyword |
+| process.parent.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword |
+| process.parent.elf.header.type | Header type of the ELF file. | keyword |
+| process.parent.elf.header.version | Version of the ELF header. | keyword |
+| process.parent.elf.imports | List of imported element names and types. | flattened |
+| process.parent.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested |
+| process.parent.elf.sections.chi2 | Chi-square probability distribution of the section. | long |
+| process.parent.elf.sections.entropy | Shannon entropy calculation from the section. | long |
+| process.parent.elf.sections.flags | ELF Section List flags. | keyword |
+| process.parent.elf.sections.name | ELF Section List name. | keyword |
+| process.parent.elf.sections.physical_offset | ELF Section List offset. | keyword |
+| process.parent.elf.sections.physical_size | ELF Section List physical size. | long |
+| process.parent.elf.sections.type | ELF Section List type. | keyword |
+| process.parent.elf.sections.virtual_address | ELF Section List virtual address. | long |
+| process.parent.elf.sections.virtual_size | ELF Section List virtual size. | long |
+| process.parent.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested |
+| process.parent.elf.segments.sections | ELF object segment sections. | keyword |
+| process.parent.elf.segments.type | ELF object segment type. | keyword |
+| process.parent.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword |
+| process.parent.elf.telfhash | telfhash symbol hash for ELF file. | keyword |
+| process.parent.end | The time the process ended. | date |
+| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword |
+| process.parent.executable | Absolute path to the process executable. | keyword |
+| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
+| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long |
+| process.parent.hash.md5 | MD5 hash. | keyword |
+| process.parent.hash.sha1 | SHA1 hash. | keyword |
+| process.parent.hash.sha256 | SHA256 hash. | keyword |
+| process.parent.hash.sha512 | SHA512 hash. | keyword |
+| process.parent.hash.ssdeep | SSDEEP hash. | keyword |
+| process.parent.name | Process name. Sometimes called program name or similar. | keyword |
+| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
+| process.parent.pe.architecture | CPU architecture target for the file. | keyword |
+| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword |
+| process.parent.pe.description | Internal description of the file, provided at compile-time.
| keyword | +| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | +| process.parent.pgid | Identifier of the group of processes the process belongs to. | long | +| process.parent.pid | Process id. | long | +| process.parent.ppid | Parent process' pid. | long | +| process.parent.start | The time the process started. | date | +| process.parent.thread.id | Thread ID. | long | +| process.parent.thread.name | Thread name. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.parent.uptime | Seconds the process has been up. | long | +| process.parent.working_directory | The working directory of the process. | keyword | +| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. | match_only_text | +| process.pe.architecture | CPU architecture target for the file. | keyword | +| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | +| process.pe.description | Internal description of the file, provided at compile-time. | keyword | +| process.pe.file_version | Internal version of the file, provided at compile-time. 
| keyword | +| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | | process.pgid | Identifier of the group of processes the process belongs to. | long | | process.pid | Process id. | long | | process.ppid | Parent process' pid. | long | +| process.start | The time the process started. | date | +| process.thread.id | Thread ID. | long | +| process.thread.name | Thread name. | keyword | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| process.uptime | Seconds the process has been up. | long | | process.working_directory | The working directory of the process. | keyword | | process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | 
@@ -299,9 +465,54 @@ This data stream is available on: | system.service.sub_state | The sub-state of the service | keyword | | systemd.fragment_path | Service file location | keyword | | systemd.unit | Service unit name | keyword | -| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | +| user.changes.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.changes.email | User email address. | keyword | +| user.changes.full_name | User's full name, if available. | keyword | +| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | +| user.changes.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.changes.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.changes.group.name | Name of the group. | keyword | +| user.changes.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.changes.id | Unique identifier of the user. | keyword | +| user.changes.name | Short name or login of the user. | keyword | +| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | +| user.changes.roles | Array of user roles at the time of the event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.email | User email address. 
| keyword | +| user.effective.full_name | User's full name, if available. | keyword | +| user.effective.full_name.text | Multi-field of `user.effective.full_name`. | match_only_text | +| user.effective.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.effective.group.name | Name of the group. | keyword | +| user.effective.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.effective.id | Unique identifier of the user. | keyword | +| user.effective.name | Short name or login of the user. | keyword | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | +| user.effective.roles | Array of user roles at the time of the event. | keyword | +| user.email | User email address. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.group.name | Name of the group. | keyword | +| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.id | Unique identifier of the user. | keyword | | user.name | Short name or login of the user. | keyword | | user.name.text | Multi-field of `user.name`. | match_only_text | +| user.roles | Array of user roles at the time of the event. | keyword | +| user.target.domain | Name of the directory the user is a member of. 
For example, an LDAP or Active Directory domain name. | keyword | +| user.target.email | User email address. | keyword | +| user.target.full_name | User's full name, if available. | keyword | +| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | +| user.target.roles | Array of user roles at the time of the event. | keyword | ### Socket 
@@ -356,15 +567,166 @@ missing short-lived connections. | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| network | The network is defined as the communication path over which a host or network event happens. The network.\* fields should be populated with details about the network activity associated with an event. | group | +| network.application | A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long | +| network.community_id | A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. Learn more at https://github.com/corelight/community-id-spec. | keyword | | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". 
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | +| network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip | +| network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | +| network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | +| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | +| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | +| network.name | Name given by operators to sections of their network. | keyword | +| network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long | +| network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | +| network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) 
The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | | network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword | -| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group | +| network.vlan.id | VLAN ID as reported by the observer. | keyword | +| network.vlan.name | Optional VLAN name as reported by the observer. | keyword | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | +| process.code_signature.exists | Boolean to capture if a signature is present. | boolean | +| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | +| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
| keyword | +| process.code_signature.subject_name | Subject name of the code signer | keyword | +| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | +| process.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | +| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | +| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.elf.architecture | Machine architecture of the ELF file. | keyword | +| process.elf.byte_order | Byte sequence of ELF file. | keyword | +| process.elf.cpu_type | CPU type of the ELF file. | keyword | +| process.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | +| process.elf.exports | List of exported element names and types. | flattened | +| process.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | +| process.elf.header.class | Header class of the ELF file. | keyword | +| process.elf.header.data | Data table of the ELF header. | keyword | +| process.elf.header.entrypoint | Header entrypoint of the ELF file. | long | +| process.elf.header.object_version | "0x1" for original ELF files. 
| keyword | +| process.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | +| process.elf.header.type | Header type of the ELF file. | keyword | +| process.elf.header.version | Version of the ELF header. | keyword | +| process.elf.imports | List of imported element names and types. | flattened | +| process.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | +| process.elf.sections.chi2 | Chi-square probability distribution of the section. | long | +| process.elf.sections.entropy | Shannon entropy calculation from the section. | long | +| process.elf.sections.flags | ELF Section List flags. | keyword | +| process.elf.sections.name | ELF Section List name. | keyword | +| process.elf.sections.physical_offset | ELF Section List offset. | keyword | +| process.elf.sections.physical_size | ELF Section List physical size. | long | +| process.elf.sections.type | ELF Section List type. | keyword | +| process.elf.sections.virtual_address | ELF Section List virtual address. | long | +| process.elf.sections.virtual_size | ELF Section List virtual size. | long | +| process.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | +| process.elf.segments.sections | ELF object segment sections. | keyword | +| process.elf.segments.type | ELF object segment type. | keyword | +| process.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | +| process.elf.telfhash | telfhash symbol hash for ELF file. | keyword | +| process.end | The time the process ended. | date | +| process.entity_id | Unique identifier for the process. 
The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | process.executable | Absolute path to the process executable. | keyword | | process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.hash.md5 | MD5 hash. | keyword | +| process.hash.sha1 | SHA1 hash. | keyword | +| process.hash.sha256 | SHA256 hash. | keyword | +| process.hash.sha512 | SHA512 hash. | keyword | +| process.hash.ssdeep | SSDEEP hash. | keyword | | process.name | Process name. Sometimes called program name or similar. | keyword | | process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.parent.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | +| process.parent.code_signature.exists | Boolean to capture if a signature is present. 
| boolean | +| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | +| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | +| process.parent.code_signature.subject_name | Subject name of the code signer | keyword | +| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | +| process.parent.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | +| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | +| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | +| process.parent.elf.architecture | Machine architecture of the ELF file. | keyword | +| process.parent.elf.byte_order | Byte sequence of ELF file. | keyword | +| process.parent.elf.cpu_type | CPU type of the ELF file. 
| keyword | +| process.parent.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | +| process.parent.elf.exports | List of exported element names and types. | flattened | +| process.parent.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | +| process.parent.elf.header.class | Header class of the ELF file. | keyword | +| process.parent.elf.header.data | Data table of the ELF header. | keyword | +| process.parent.elf.header.entrypoint | Header entrypoint of the ELF file. | long | +| process.parent.elf.header.object_version | "0x1" for original ELF files. | keyword | +| process.parent.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | +| process.parent.elf.header.type | Header type of the ELF file. | keyword | +| process.parent.elf.header.version | Version of the ELF header. | keyword | +| process.parent.elf.imports | List of imported element names and types. | flattened | +| process.parent.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | +| process.parent.elf.sections.chi2 | Chi-square probability distribution of the section. | long | +| process.parent.elf.sections.entropy | Shannon entropy calculation from the section. | long | +| process.parent.elf.sections.flags | ELF Section List flags. | keyword | +| process.parent.elf.sections.name | ELF Section List name. | keyword | +| process.parent.elf.sections.physical_offset | ELF Section List offset. | keyword | +| process.parent.elf.sections.physical_size | ELF Section List physical size. | long | +| process.parent.elf.sections.type | ELF Section List type. | keyword | +| process.parent.elf.sections.virtual_address | ELF Section List virtual address. 
| long | +| process.parent.elf.sections.virtual_size | ELF Section List virtual size. | long | +| process.parent.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | +| process.parent.elf.segments.sections | ELF object segment sections. | keyword | +| process.parent.elf.segments.type | ELF object segment type. | keyword | +| process.parent.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | +| process.parent.elf.telfhash | telfhash symbol hash for ELF file. | keyword | +| process.parent.end | The time the process ended. | date | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.parent.executable | Absolute path to the process executable. | keyword | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | +| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.parent.hash.md5 | MD5 hash. | keyword | +| process.parent.hash.sha1 | SHA1 hash. | keyword | +| process.parent.hash.sha256 | SHA256 hash. | keyword | +| process.parent.hash.sha512 | SHA512 hash. | keyword | +| process.parent.hash.ssdeep | SSDEEP hash. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. 
| match_only_text | +| process.parent.pe.architecture | CPU architecture target for the file. | keyword | +| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | +| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | +| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | +| process.parent.pgid | Identifier of the group of processes the process belongs to. | long | +| process.parent.pid | Process id. | long | +| process.parent.ppid | Parent process' pid. | long | +| process.parent.start | The time the process started. | date | +| process.parent.thread.id | Thread ID. | long | +| process.parent.thread.name | Thread name. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.parent.uptime | Seconds the process has been up. | long | +| process.parent.working_directory | The working directory of the process. | keyword | +| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. 
| match_only_text | +| process.pe.architecture | CPU architecture target for the file. | keyword | +| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | +| process.pe.description | Internal description of the file, provided at compile-time. | keyword | +| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | +| process.pgid | Identifier of the group of processes the process belongs to. | long | | process.pid | Process id. | long | +| process.ppid | Parent process' pid. | long | +| process.start | The time the process started. | date | +| process.thread.id | Thread ID. | long | +| process.thread.name | Thread name. | keyword | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| process.uptime | Seconds the process has been up. | long | +| process.working_directory | The working directory of the process. | keyword | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). 
| keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | system.socket.local.ip | Local IP address. This can be an IPv4 or IPv6 address. | ip | 
@@ -375,10 +737,54 @@ missing short-lived connections. | system.socket.remote.host_error | Error describing the cause of the reverse lookup failure. | keyword | | system.socket.remote.ip | Remote IP address. This can be an IPv4 or IPv6 address. | ip | | system.socket.remote.port | Remote port. | long | -| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | +| user.changes.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.changes.email | User email address. | keyword | +| user.changes.full_name | User's full name, if available. | keyword | +| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | +| user.changes.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.changes.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.changes.group.name | Name of the group. | keyword | +| user.changes.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.changes.id | Unique identifier of the user. | keyword | +| user.changes.name | Short name or login of the user. | keyword | +| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | +| user.changes.roles | Array of user roles at the time of the event. | keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.email | User email address. 
| keyword | +| user.effective.full_name | User's full name, if available. | keyword | +| user.effective.full_name.text | Multi-field of `user.effective.full_name`. | match_only_text | +| user.effective.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.effective.group.name | Name of the group. | keyword | +| user.effective.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.effective.id | Unique identifier of the user. | keyword | +| user.effective.name | Short name or login of the user. | keyword | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | +| user.effective.roles | Array of user roles at the time of the event. | keyword | +| user.email | User email address. | keyword | | user.full_name | User's full name, if available. | keyword | | user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.group.name | Name of the group. | keyword | +| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | user.id | Unique identifier of the user. | keyword | +| user.name | Short name or login of the user. | keyword | +| user.name.text | Multi-field of `user.name`. | match_only_text | +| user.roles | Array of user roles at the time of the event. | keyword | +| user.target.domain | Name of the directory the user is a member of. 
For example, an LDAP or Active Directory domain name. | keyword | +| user.target.email | User email address. | keyword | +| user.target.full_name | User's full name, if available. | keyword | +| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | +| user.target.roles | Array of user roles at the time of the event. | keyword | ### Users 
@@ -429,9 +835,44 @@ The linux/users data stream reports logged in users and associated sessions via | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | -| source | Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. | group | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | +| source.as.organization.name | Organization name. | keyword | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. 
| match_only_text | +| source.bytes | Bytes sent from the source to the destination. | long | +| source.domain | Source domain. | keyword | +| source.geo.city_name | City name. | keyword | +| source.geo.continent_code | Two-letter code representing continent's name. | keyword | +| source.geo.continent_name | Name of the continent. | keyword | +| source.geo.country_iso_code | Country ISO code. | keyword | +| source.geo.country_name | Country name. | keyword | +| source.geo.location | Longitude and latitude. | geo_point | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | +| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | +| source.geo.region_iso_code | Region ISO code. | keyword | +| source.geo.region_name | Region name. | keyword | +| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | source.ip | IP address of the source (IPv4 or IPv6). | ip | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | +| source.packets | Packets sent from the source to the destination. 
| long | | source.port | Port of the source. | long | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| source.user.email | User email address. | keyword | +| source.user.full_name | User's full name, if available. | keyword | +| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | +| source.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. 
| keyword | +| source.user.group.id | Unique identifier for the group on the system/platform. | keyword | +| source.user.group.name | Name of the group. | keyword | +| source.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| source.user.id | Unique identifier of the user. | keyword | +| source.user.name | Short name or login of the user. | keyword | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | +| source.user.roles | Array of user roles at the time of the event. | keyword | | system.users.id | The ID of the session | keyword | | system.users.leader | The root PID of the session | long | | system.users.path | The DBus object path of the session | keyword | diff --git a/packages/rabbitmq/docs/README.md b/packages/rabbitmq/docs/README.md index 7953d89b4b1..710f166f5d3 100644 --- a/packages/rabbitmq/docs/README.md +++ b/packages/rabbitmq/docs/README.md 
@@ -185,9 +185,54 @@ An example event for `connection` looks as following: | rabbitmq.vhost | Virtual host name with non-ASCII characters escaped as in C. | keyword | | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | -| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | +| user.changes.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.changes.email | User email address. | keyword | +| user.changes.full_name | User's full name, if available. | keyword | +| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | +| user.changes.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.changes.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.changes.group.name | Name of the group. | keyword | +| user.changes.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.changes.id | Unique identifier of the user. | keyword | +| user.changes.name | Short name or login of the user. | keyword | +| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | +| user.changes.roles | Array of user roles at the time of the event. 
| keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.email | User email address. | keyword | +| user.effective.full_name | User's full name, if available. | keyword | +| user.effective.full_name.text | Multi-field of `user.effective.full_name`. | match_only_text | +| user.effective.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.effective.group.name | Name of the group. | keyword | +| user.effective.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.effective.id | Unique identifier of the user. | keyword | +| user.effective.name | Short name or login of the user. | keyword | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | +| user.effective.roles | Array of user roles at the time of the event. | keyword | +| user.email | User email address. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.group.name | Name of the group. | keyword | +| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. 
| keyword | +| user.id | Unique identifier of the user. | keyword | | user.name | Short name or login of the user. | keyword | | user.name.text | Multi-field of `user.name`. | match_only_text | +| user.roles | Array of user roles at the time of the event. | keyword | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.email | User email address. | keyword | +| user.target.full_name | User's full name, if available. | keyword | +| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | +| user.target.roles | Array of user roles at the time of the event. | keyword | ### Exchange Metrics 
@@ -281,9 +326,54 @@ An example event for `exchange` looks as following: | rabbitmq.vhost | Virtual host name with non-ASCII characters escaped as in C. | keyword | | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | -| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | +| user.changes.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.changes.email | User email address. | keyword | +| user.changes.full_name | User's full name, if available. | keyword | +| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | +| user.changes.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.changes.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.changes.group.name | Name of the group. | keyword | +| user.changes.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.changes.id | Unique identifier of the user. | keyword | +| user.changes.name | Short name or login of the user. | keyword | +| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | +| user.changes.roles | Array of user roles at the time of the event. 
| keyword | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.email | User email address. | keyword | +| user.effective.full_name | User's full name, if available. | keyword | +| user.effective.full_name.text | Multi-field of `user.effective.full_name`. | match_only_text | +| user.effective.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.effective.group.name | Name of the group. | keyword | +| user.effective.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.effective.id | Unique identifier of the user. | keyword | +| user.effective.name | Short name or login of the user. | keyword | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | +| user.effective.roles | Array of user roles at the time of the event. | keyword | +| user.email | User email address. | keyword | +| user.full_name | User's full name, if available. | keyword | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | +| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.group.name | Name of the group. | keyword | +| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. 
| keyword | +| user.id | Unique identifier of the user. | keyword | | user.name | Short name or login of the user. | keyword | | user.name.text | Multi-field of `user.name`. | match_only_text | +| user.roles | Array of user roles at the time of the event. | keyword | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.email | User email address. | keyword | +| user.target.full_name | User's full name, if available. | keyword | +| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | +| user.target.group.name | Name of the group. | keyword | +| user.target.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | +| user.target.id | Unique identifier of the user. | keyword | +| user.target.name | Short name or login of the user. | keyword | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | +| user.target.roles | Array of user roles at the time of the event. | keyword | ### Node Metrics diff --git a/packages/redis/docs/README.md b/packages/redis/docs/README.md index 32f54e9afb1..88458be929d 100644 --- a/packages/redis/docs/README.md +++ b/packages/redis/docs/README.md 
@@ -356,11 +356,157 @@ An example event for `info` looks as following: | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| os | The OS fields contain information about the operating system. | group | +| os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | os.full | Operating system name, including the version or code name. | keyword | | os.full.text | Multi-field of `os.full`. | match_only_text | -| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group | +| os.kernel | Operating system kernel version as a raw string. | keyword | +| os.name | Operating system name, without the version. | keyword | +| os.name.text | Multi-field of `os.name`. | match_only_text | +| os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | +| os.version | Operating system version as a raw string. | keyword | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.args_count | Length of the process.args array. 
This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | +| process.code_signature.exists | Boolean to capture if a signature is present. | boolean | +| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | +| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | +| process.code_signature.subject_name | Subject name of the code signer | keyword | +| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | +| process.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | +| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | +| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. 
Some arguments may be filtered to protect sensitive information. | wildcard | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | +| process.elf.architecture | Machine architecture of the ELF file. | keyword | +| process.elf.byte_order | Byte sequence of ELF file. | keyword | +| process.elf.cpu_type | CPU type of the ELF file. | keyword | +| process.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | +| process.elf.exports | List of exported element names and types. | flattened | +| process.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | +| process.elf.header.class | Header class of the ELF file. | keyword | +| process.elf.header.data | Data table of the ELF header. | keyword | +| process.elf.header.entrypoint | Header entrypoint of the ELF file. | long | +| process.elf.header.object_version | "0x1" for original ELF files. | keyword | +| process.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | +| process.elf.header.type | Header type of the ELF file. | keyword | +| process.elf.header.version | Version of the ELF header. | keyword | +| process.elf.imports | List of imported element names and types. | flattened | +| process.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | +| process.elf.sections.chi2 | Chi-square probability distribution of the section. | long | +| process.elf.sections.entropy | Shannon entropy calculation from the section. | long | +| process.elf.sections.flags | ELF Section List flags. | keyword | +| process.elf.sections.name | ELF Section List name. | keyword | +| process.elf.sections.physical_offset | ELF Section List offset. 
| keyword | +| process.elf.sections.physical_size | ELF Section List physical size. | long | +| process.elf.sections.type | ELF Section List type. | keyword | +| process.elf.sections.virtual_address | ELF Section List virtual address. | long | +| process.elf.sections.virtual_size | ELF Section List virtual size. | long | +| process.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | +| process.elf.segments.sections | ELF object segment sections. | keyword | +| process.elf.segments.type | ELF object segment type. | keyword | +| process.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | +| process.elf.telfhash | telfhash symbol hash for ELF file. | keyword | +| process.end | The time the process ended. | date | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.executable | Absolute path to the process executable. | keyword | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.hash.md5 | MD5 hash. | keyword | +| process.hash.sha1 | SHA1 hash. | keyword | +| process.hash.sha256 | SHA256 hash. | keyword | +| process.hash.sha512 | SHA512 hash. | keyword | +| process.hash.ssdeep | SSDEEP hash. | keyword | +| process.name | Process name. 
Sometimes called program name or similar. | keyword | +| process.name.text | Multi-field of `process.name`. | match_only_text | +| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | +| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | +| process.parent.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | +| process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean | +| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | +| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | +| process.parent.code_signature.subject_name | Subject name of the code signer | keyword | +| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | +| process.parent.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | +| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. 
Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | +| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | +| process.parent.elf.architecture | Machine architecture of the ELF file. | keyword | +| process.parent.elf.byte_order | Byte sequence of ELF file. | keyword | +| process.parent.elf.cpu_type | CPU type of the ELF file. | keyword | +| process.parent.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | +| process.parent.elf.exports | List of exported element names and types. | flattened | +| process.parent.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | +| process.parent.elf.header.class | Header class of the ELF file. | keyword | +| process.parent.elf.header.data | Data table of the ELF header. | keyword | +| process.parent.elf.header.entrypoint | Header entrypoint of the ELF file. | long | +| process.parent.elf.header.object_version | "0x1" for original ELF files. | keyword | +| process.parent.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | +| process.parent.elf.header.type | Header type of the ELF file. | keyword | +| process.parent.elf.header.version | Version of the ELF header. | keyword | +| process.parent.elf.imports | List of imported element names and types. 
| flattened | +| process.parent.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | +| process.parent.elf.sections.chi2 | Chi-square probability distribution of the section. | long | +| process.parent.elf.sections.entropy | Shannon entropy calculation from the section. | long | +| process.parent.elf.sections.flags | ELF Section List flags. | keyword | +| process.parent.elf.sections.name | ELF Section List name. | keyword | +| process.parent.elf.sections.physical_offset | ELF Section List offset. | keyword | +| process.parent.elf.sections.physical_size | ELF Section List physical size. | long | +| process.parent.elf.sections.type | ELF Section List type. | keyword | +| process.parent.elf.sections.virtual_address | ELF Section List virtual address. | long | +| process.parent.elf.sections.virtual_size | ELF Section List virtual size. | long | +| process.parent.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | +| process.parent.elf.segments.sections | ELF object segment sections. | keyword | +| process.parent.elf.segments.type | ELF object segment type. | keyword | +| process.parent.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | +| process.parent.elf.telfhash | telfhash symbol hash for ELF file. | keyword | +| process.parent.end | The time the process ended. | date | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. 
Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | +| process.parent.executable | Absolute path to the process executable. | keyword | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | +| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | +| process.parent.hash.md5 | MD5 hash. | keyword | +| process.parent.hash.sha1 | SHA1 hash. | keyword | +| process.parent.hash.sha256 | SHA256 hash. | keyword | +| process.parent.hash.sha512 | SHA512 hash. | keyword | +| process.parent.hash.ssdeep | SSDEEP hash. | keyword | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | +| process.parent.pe.architecture | CPU architecture target for the file. | keyword | +| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | +| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | +| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| process.parent.pe.product | Internal product name of the file, provided at compile-time. 
| keyword | +| process.parent.pgid | Identifier of the group of processes the process belongs to. | long | +| process.parent.pid | Process id. | long | +| process.parent.start | The time the process started. | date | +| process.parent.thread.id | Thread ID. | long | +| process.parent.thread.name | Thread name. | keyword | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | +| process.parent.uptime | Seconds the process has been up. | long | +| process.parent.working_directory | The working directory of the process. | keyword | +| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. | match_only_text | +| process.pe.architecture | CPU architecture target for the file. | keyword | +| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | +| process.pe.description | Internal description of the file, provided at compile-time. | keyword | +| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | +| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | +| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | +| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | +| process.pgid | Identifier of the group of processes the process belongs to. | long | | process.pid | Process id. 
| long | +| process.start | The time the process started. | date | +| process.thread.id | Thread ID. | long | +| process.thread.name | Thread name. | keyword | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | +| process.title.text | Multi-field of `process.title`. | match_only_text | +| process.uptime | Seconds the process has been up. | long | +| process.working_directory | The working directory of the process. | keyword | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | | redis.info.clients.biggest_input_buf | Biggest input buffer among current client connections (replaced by max_input_buffer). | long | | redis.info.clients.blocked | Number of clients pending on a blocking call (BLPOP, BRPOP, BRPOPLPUSH). | long | | redis.info.clients.connected | Number of client connections (excluding connections from slaves). | long | diff --git a/packages/system/docs/README.md b/packages/system/docs/README.md index 5ccfc382669..0e91a4b3020 100644 --- a/packages/system/docs/README.md +++ b/packages/system/docs/README.md 
@@ -1041,15 +1041,32 @@ This dataset is available on: | data_stream.type | Data stream type. | constant_keyword | | | | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | | host.architecture | Operating system architecture. | keyword | | | | host.containerized | If the host is a container. | boolean | | | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.geo.city_name | City name. | keyword | | | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | | +| host.geo.continent_name | Name of the continent. | keyword | | | +| host.geo.country_iso_code | Country ISO code. | keyword | | | +| host.geo.country_name | Country name. | keyword | | | +| host.geo.location | Longitude and latitude. | geo_point | | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | +| host.geo.region_iso_code | Region ISO code. | keyword | | | +| host.geo.region_name | Region name. | keyword | | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | | host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. 
| long | | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | @@ -1059,8 +1076,10 @@ This dataset is available on: | host.os.name | Operating system name, without the version. | keyword | | | | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| host.uptime | Seconds the host has been up. | long | | | | system.core.id | CPU Core number. | keyword | | | | system.core.idle.pct | The percentage of CPU time spent idle. | scaled_float | percent | gauge | | system.core.idle.ticks | The amount of CPU time spent idle. | long | | counter | 
@@ -1115,16 +1134,33 @@ This dataset is available on: | data_stream.type | Data stream type. | constant_keyword | | | | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | | host.architecture | Operating system architecture. | keyword | | | | host.containerized | If the host is a container. | boolean | | | -| host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | | | +| host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | percent | gauge | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.geo.city_name | City name. | keyword | | | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | | +| host.geo.continent_name | Name of the continent. 
| keyword | | | +| host.geo.country_iso_code | Country ISO code. | keyword | | | +| host.geo.country_name | Country name. | keyword | | | +| host.geo.location | Longitude and latitude. | geo_point | | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | +| host.geo.region_iso_code | Region ISO code. | keyword | | | +| host.geo.region_name | Region name. | keyword | | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | 
@@ -1134,8 +1170,10 @@ This dataset is available on: | host.os.name | Operating system name, without the version. | keyword | | | | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| host.uptime | Seconds the host has been up. | long | | | | system.cpu.cores | The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% \* cores`. The normalized percentages already take this value into account and have a maximum value of 100%. | long | | gauge | | system.cpu.idle.norm.pct | The percentage of CPU time spent idle. | scaled_float | percent | gauge | | system.cpu.idle.pct | The percentage of CPU time spent idle. | scaled_float | percent | gauge | 
@@ -1200,17 +1238,32 @@ This dataset is available on: | data_stream.type | Data stream type. | constant_keyword | | | | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | | host.architecture | Operating system architecture. | keyword | | | | host.containerized | If the host is a container. | boolean | | | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | | host.disk.read.bytes | The total number of bytes read successfully in a given period of time. | scaled_float | byte | gauge | | host.disk.write.bytes | The total number of bytes write successfully in a given period of time. | scaled_float | byte | gauge | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.geo.city_name | City name. | keyword | | | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | | +| host.geo.continent_name | Name of the continent. | keyword | | | +| host.geo.country_iso_code | Country ISO code. | keyword | | | +| host.geo.country_name | Country name. | keyword | | | +| host.geo.location | Longitude and latitude. | geo_point | | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | +| host.geo.region_iso_code | Region ISO code. | keyword | | | +| host.geo.region_name | Region name. | keyword | | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. 
| long | | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | @@ -1220,8 +1273,10 @@ This dataset is available on: | host.os.name | Operating system name, without the version. | keyword | | | | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| host.uptime | Seconds the host has been up. | long | | | | system.diskio.io.time | The total number of of milliseconds spent doing I/Os. | long | | counter | | system.diskio.iostat.await | The average time spent for requests issued to the device to be served. | float | | gauge | | system.diskio.iostat.busy | Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. | float | | gauge | 
@@ -1346,15 +1401,32 @@ This dataset is available on: | data_stream.type | Data stream type. | constant_keyword | | | | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | | host.architecture | Operating system architecture. | keyword | | | | host.containerized | If the host is a container. | boolean | | | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.geo.city_name | City name. | keyword | | | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | | +| host.geo.continent_name | Name of the continent. | keyword | | | +| host.geo.country_iso_code | Country ISO code. | keyword | | | +| host.geo.country_name | Country name. | keyword | | | +| host.geo.location | Longitude and latitude. | geo_point | | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | +| host.geo.region_iso_code | Region ISO code. | keyword | | | +| host.geo.region_name | Region name. | keyword | | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. 
| long | | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | @@ -1362,10 +1434,12 @@ This dataset is available on: | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| host.uptime | Seconds the host has been up. | long | | | | system.fsstat.count | Number of file systems found. | long | | gauge | | system.fsstat.total_files | Total number of files. | long | | gauge | | system.fsstat.total_size.free | Total free space. | long | byte | gauge | 
@@ -1407,15 +1481,32 @@ This dataset is available on: | data_stream.type | Data stream type. | constant_keyword | | | event.dataset | Event dataset. | constant_keyword | | | event.module | Event module | constant_keyword | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | host.architecture | Operating system architecture. | keyword | | | host.containerized | If the host is a container. | boolean | | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | +| host.geo.city_name | City name. | keyword | | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | +| host.geo.continent_name | Name of the continent. | keyword | | +| host.geo.country_iso_code | Country ISO code. | keyword | | +| host.geo.country_name | Country name. | keyword | | +| host.geo.location | Longitude and latitude. | geo_point | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | +| host.geo.region_iso_code | Region ISO code. | keyword | | +| host.geo.region_name | Region name. | keyword | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | host.ip | Host ip addresses. | ip | | -| host.mac | Host mac addresses. | keyword | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. 
| long | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | host.os.build | OS build information. | keyword | | | host.os.codename | OS codename, if any. | keyword | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | @@ -1425,8 +1516,10 @@ This dataset is available on: | host.os.name | Operating system name, without the version. | keyword | | | host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | host.os.version | Operating system version as a raw string. | keyword | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | +| host.uptime | Seconds the host has been up. | long | | | system.load.1 | Load average for the last minute. | scaled_float | gauge | | system.load.15 | Load average for the last 15 minutes. | scaled_float | gauge | | system.load.5 | Load average for the last 5 minutes. | scaled_float | gauge | 
@@ -1471,15 +1564,32 @@ This dataset is available on: | data_stream.type | Data stream type. | constant_keyword | | | | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | | host.architecture | Operating system architecture. | keyword | | | | host.containerized | If the host is a container. | boolean | | | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.geo.city_name | City name. | keyword | | | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | | +| host.geo.continent_name | Name of the continent. | keyword | | | +| host.geo.country_iso_code | Country ISO code. | keyword | | | +| host.geo.country_name | Country name. | keyword | | | +| host.geo.location | Longitude and latitude. | geo_point | | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. 
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | +| host.geo.region_iso_code | Region ISO code. | keyword | | | +| host.geo.region_name | Region name. | keyword | | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. 
| long | | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | 
@@ -1487,10 +1597,12 @@ This dataset is available on: | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | +| host.os.name.text | Multi-field of `host.os.name`. | text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| host.uptime | Seconds the host has been up. | long | | | | system.memory.actual.free | Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. | long | byte | gauge | | system.memory.actual.used.bytes | Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. | long | byte | gauge | | system.memory.actual.used.pct | The percentage of actual used memory. 
| scaled_float | percent | gauge | @@ -1540,7 +1652,7 @@ This dataset is available on: | Field | Description | Type | Unit | Metric Type | |---|---|---|---|---| -| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | +| @timestamp | Event timestamp. | date | | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | | cloud.availability_zone | Availability zone in which this host is running. | keyword | | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | 
@@ -1559,45 +1671,233 @@ This dataset is available on: | data_stream.type | Data stream type. | constant_keyword | | | | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | -| group | The group fields are meant to represent groups that are relevant to the event. | group | | | +| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | | group.id | Unique identifier for the group on the system/platform. | keyword | | | | group.name | Name of the group. | keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | | host.architecture | Operating system architecture. | keyword | | | | host.containerized | If the host is a container. | boolean | | | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.geo.city_name | City name. | keyword | | | +| host.geo.continent_code | Two-letter code representing continent's name. 
| keyword | | | +| host.geo.continent_name | Name of the continent. | keyword | | | +| host.geo.country_iso_code | Country ISO code. | keyword | | | +| host.geo.country_name | Country name. | keyword | | | +| host.geo.location | Longitude and latitude. | geo_point | | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | +| host.geo.region_iso_code | Region ISO code. | keyword | | | +| host.geo.region_name | Region name. | keyword | | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | | host.mac | Host mac addresses. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | scaled_float | byte | counter | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | long | | | | host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. | scaled_float | | counter | -| host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | long | | | -| host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | long | | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | +| host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | scaled_float | byte | counter | +| host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | scaled_float | | counter | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.full | Operating system name, including the version or code name. | keyword | | | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. 
| text | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| host.uptime | Seconds the host has been up. | long | | | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | | -| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group | | | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. 
| long | | | +| process.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | | | +| process.code_signature.exists | Boolean to capture if a signature is present. | boolean | | | +| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | | | +| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | | +| process.code_signature.subject_name | Subject name of the code signer | keyword | | | +| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | | | +| process.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | | | +| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | | +| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | | +| process.command_line.text | Multi-field of `process.command_line`. 
| match_only_text | | | +| process.elf.architecture | Machine architecture of the ELF file. | keyword | | | +| process.elf.byte_order | Byte sequence of ELF file. | keyword | | | +| process.elf.cpu_type | CPU type of the ELF file. | keyword | | | +| process.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | | | +| process.elf.exports | List of exported element names and types. | flattened | | | +| process.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | | | +| process.elf.header.class | Header class of the ELF file. | keyword | | | +| process.elf.header.data | Data table of the ELF header. | keyword | | | +| process.elf.header.entrypoint | Header entrypoint of the ELF file. | long | | | +| process.elf.header.object_version | "0x1" for original ELF files. | keyword | | | +| process.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | | | +| process.elf.header.type | Header type of the ELF file. | keyword | | | +| process.elf.header.version | Version of the ELF header. | keyword | | | +| process.elf.imports | List of imported element names and types. | flattened | | | +| process.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | | | +| process.elf.sections.chi2 | Chi-square probability distribution of the section. | long | | | +| process.elf.sections.entropy | Shannon entropy calculation from the section. | long | | | +| process.elf.sections.flags | ELF Section List flags. | keyword | | | +| process.elf.sections.name | ELF Section List name. | keyword | | | +| process.elf.sections.physical_offset | ELF Section List offset. | keyword | | | +| process.elf.sections.physical_size | ELF Section List physical size. 
| long | | | +| process.elf.sections.type | ELF Section List type. | keyword | | | +| process.elf.sections.virtual_address | ELF Section List virtual address. | long | | | +| process.elf.sections.virtual_size | ELF Section List virtual size. | long | | | +| process.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | | | +| process.elf.segments.sections | ELF object segment sections. | keyword | | | +| process.elf.segments.type | ELF object segment type. | keyword | | | +| process.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | | | +| process.elf.telfhash | telfhash symbol hash for ELF file. | keyword | | | +| process.end | The time the process ended. | date | | | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | | +| process.executable | Absolute path to the process executable. | keyword | | | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | | | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | | +| process.hash.md5 | MD5 hash. | keyword | | | +| process.hash.sha1 | SHA1 hash. | keyword | | | +| process.hash.sha256 | SHA256 hash. | keyword | | | +| process.hash.sha512 | SHA512 hash. | keyword | | | +| process.hash.ssdeep | SSDEEP hash. | keyword | | | | process.name | Process name. 
Sometimes called program name or similar. | keyword | | | | process.name.text | Multi-field of `process.name`. | match_only_text | | | +| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | | +| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | | +| process.parent.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | | | +| process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean | | | +| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | | | +| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | | +| process.parent.code_signature.subject_name | Subject name of the code signer | keyword | | | +| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | | | +| process.parent.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | | | +| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. 
Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | | +| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | | | +| process.parent.elf.architecture | Machine architecture of the ELF file. | keyword | | | +| process.parent.elf.byte_order | Byte sequence of ELF file. | keyword | | | +| process.parent.elf.cpu_type | CPU type of the ELF file. | keyword | | | +| process.parent.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | | | +| process.parent.elf.exports | List of exported element names and types. | flattened | | | +| process.parent.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | | | +| process.parent.elf.header.class | Header class of the ELF file. | keyword | | | +| process.parent.elf.header.data | Data table of the ELF header. | keyword | | | +| process.parent.elf.header.entrypoint | Header entrypoint of the ELF file. | long | | | +| process.parent.elf.header.object_version | "0x1" for original ELF files. | keyword | | | +| process.parent.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | | | +| process.parent.elf.header.type | Header type of the ELF file. | keyword | | | +| process.parent.elf.header.version | Version of the ELF header. 
| keyword | | | +| process.parent.elf.imports | List of imported element names and types. | flattened | | | +| process.parent.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | | | +| process.parent.elf.sections.chi2 | Chi-square probability distribution of the section. | long | | | +| process.parent.elf.sections.entropy | Shannon entropy calculation from the section. | long | | | +| process.parent.elf.sections.flags | ELF Section List flags. | keyword | | | +| process.parent.elf.sections.name | ELF Section List name. | keyword | | | +| process.parent.elf.sections.physical_offset | ELF Section List offset. | keyword | | | +| process.parent.elf.sections.physical_size | ELF Section List physical size. | long | | | +| process.parent.elf.sections.type | ELF Section List type. | keyword | | | +| process.parent.elf.sections.virtual_address | ELF Section List virtual address. | long | | | +| process.parent.elf.sections.virtual_size | ELF Section List virtual size. | long | | | +| process.parent.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | | | +| process.parent.elf.segments.sections | ELF object segment sections. | keyword | | | +| process.parent.elf.segments.type | ELF object segment type. | keyword | | | +| process.parent.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | | | +| process.parent.elf.telfhash | telfhash symbol hash for ELF file. | keyword | | | +| process.parent.end | The time the process ended. | date | | | +| process.parent.entity_id | Unique identifier for the process. 
The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | | +| process.parent.executable | Absolute path to the process executable. | keyword | | | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | | | +| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | | +| process.parent.hash.md5 | MD5 hash. | keyword | | | +| process.parent.hash.sha1 | SHA1 hash. | keyword | | | +| process.parent.hash.sha256 | SHA256 hash. | keyword | | | +| process.parent.hash.sha512 | SHA512 hash. | keyword | | | +| process.parent.hash.ssdeep | SSDEEP hash. | keyword | | | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | | | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | | | +| process.parent.pe.architecture | CPU architecture target for the file. | keyword | | | +| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | | | +| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | | | +| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | | +| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | | +| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | | +| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | | | +| process.parent.pgid | Identifier of the group of processes the process belongs to. | long | | | +| process.parent.pid | Process id. | long | | | +| process.parent.start | The time the process started. | date | | | +| process.parent.thread.id | Thread ID. | long | | | +| process.parent.thread.name | Thread name. | keyword | | | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | | | +| process.parent.uptime | Seconds the process has been up. | long | | | +| process.parent.working_directory | The working directory of the process. | keyword | | | +| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. | match_only_text | | | +| process.pe.architecture | CPU architecture target for the file. | keyword | | | +| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | | | +| process.pe.description | Internal description of the file, provided at compile-time. | keyword | | | +| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | | +| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. 
Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | | +| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | | +| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | | | +| process.pgid | Identifier of the group of processes the process belongs to. | long | | | | process.pid | Process id. | long | | | -| source | Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. | group | | | +| process.start | The time the process started. | date | | | +| process.thread.id | Thread ID. | long | | | +| process.thread.name | Thread name. | keyword | | | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | | +| process.title.text | Multi-field of `process.title`. | match_only_text | | | +| process.uptime | Seconds the process has been up. | long | | | +| process.working_directory | The working directory of the process. | keyword | | | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | | | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. 
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | | +| source.as.organization.name | Organization name. | keyword | | | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | | | +| source.bytes | Bytes sent from the source to the destination. | long | | | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | | | source.geo.city_name | City name. | keyword | | | +| source.geo.continent_code | Two-letter code representing continent's name. | keyword | | | | source.geo.continent_name | Name of the continent. | keyword | | | | source.geo.country_iso_code | Country ISO code. | keyword | | | +| source.geo.country_name | Country name. | keyword | | | | source.geo.location | Longitude and latitude. | geo_point | | | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | | +| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | | source.geo.region_iso_code | Region ISO code. | keyword | | | | source.geo.region_name | Region name. | keyword | | | +| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | | source.ip | IP address of the source (IPv4 or IPv6). | ip | | | +| source.mac | MAC address of the source. 
The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | | | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | | | +| source.packets | Packets sent from the source to the destination. | long | | | | source.port | Port of the source. | long | | | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | | | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | | | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". 
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | | | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| source.user.email | User email address. | keyword | | | +| source.user.full_name | User's full name, if available. | keyword | | | +| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | | | +| source.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| source.user.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| source.user.group.name | Name of the group. | keyword | | | +| source.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | | +| source.user.id | Unique identifier of the user. | keyword | | | +| source.user.name | Short name or login of the user. | keyword | | | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | | | +| source.user.roles | Array of user roles at the time of the event. | keyword | | | | system.network.in.bytes | The number of bytes received. | long | byte | counter | | system.network.in.dropped | The number of incoming packets that were dropped. | long | | counter | | system.network.in.errors | The number of errors while receiving. | long | | counter | 
@@ -1607,10 +1907,54 @@ This dataset is available on: | system.network.out.dropped | The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. | long | | counter | | system.network.out.errors | The number of errors while sending. | long | | counter | | system.network.out.packets | The number of packets sent. | long | | counter | -| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | | | +| user.changes.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.changes.email | User email address. | keyword | | | +| user.changes.full_name | User's full name, if available. | keyword | | | +| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | | | +| user.changes.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.changes.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| user.changes.group.name | Name of the group. | keyword | | | +| user.changes.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | | +| user.changes.id | Unique identifier of the user. | keyword | | | +| user.changes.name | Short name or login of the user. | keyword | | | +| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | | | +| user.changes.roles | Array of user roles at the time of the event. | keyword | | | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. 
| keyword | | | +| user.effective.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.effective.email | User email address. | keyword | | | +| user.effective.full_name | User's full name, if available. | keyword | | | +| user.effective.full_name.text | Multi-field of `user.effective.full_name`. | match_only_text | | | +| user.effective.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| user.effective.group.name | Name of the group. | keyword | | | +| user.effective.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | | +| user.effective.id | Unique identifier of the user. | keyword | | | +| user.effective.name | Short name or login of the user. | keyword | | | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | | | +| user.effective.roles | Array of user roles at the time of the event. | keyword | | | +| user.email | User email address. | keyword | | | +| user.full_name | User's full name, if available. | keyword | | | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | | | +| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| user.group.name | Name of the group. | keyword | | | +| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | | | user.id | Unique identifier of the user. 
| keyword | | | | user.name | Short name or login of the user. | keyword | | | | user.name.text | Multi-field of `user.name`. | match_only_text | | | +| user.roles | Array of user roles at the time of the event. | keyword | | | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.target.email | User email address. | keyword | | | +| user.target.full_name | User's full name, if available. | keyword | | | +| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | | | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| user.target.group.name | Name of the group. | keyword | | | +| user.target.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | | +| user.target.id | Unique identifier of the user. | keyword | | | +| user.target.name | Short name or login of the user. | keyword | | | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | | | +| user.target.roles | Array of user roles at the time of the event. | keyword | | | ### Process 
@@ -1649,15 +1993,32 @@ This dataset is available on: | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | | host.architecture | Operating system architecture. | keyword | | | | host.containerized | If the host is a container. | boolean | | | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.geo.city_name | City name. | keyword | | | +| host.geo.continent_code | Two-letter code representing continent's name. | keyword | | | +| host.geo.continent_name | Name of the continent. | keyword | | | +| host.geo.country_iso_code | Country ISO code. 
| keyword | | | +| host.geo.country_name | Country name. | keyword | | | +| host.geo.location | Longitude and latitude. | geo_point | | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | +| host.geo.region_iso_code | Region ISO code. | keyword | | | +| host.geo.region_name | Region name. | keyword | | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | +| host.mac | Host mac addresses. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. 
| long | | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | 
@@ -1665,25 +2026,156 @@ This dataset is available on: | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | -| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group | | | +| host.uptime | Seconds the host has been up. | long | | | | process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. 
| long | | | +| process.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | | | +| process.code_signature.exists | Boolean to capture if a signature is present. | boolean | | | +| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | | | +| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | | +| process.code_signature.subject_name | Subject name of the code signer | keyword | | | +| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | | | +| process.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | | | +| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | | +| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | | | process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | | | process.command_line.text | Multi-field of `process.command_line`. 
| match_only_text | | | | process.cpu.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | | | | process.cpu.start_time | The time when the process was started. | date | | | +| process.elf.architecture | Machine architecture of the ELF file. | keyword | | | +| process.elf.byte_order | Byte sequence of ELF file. | keyword | | | +| process.elf.cpu_type | CPU type of the ELF file. | keyword | | | +| process.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | | | +| process.elf.exports | List of exported element names and types. | flattened | | | +| process.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | | | +| process.elf.header.class | Header class of the ELF file. | keyword | | | +| process.elf.header.data | Data table of the ELF header. | keyword | | | +| process.elf.header.entrypoint | Header entrypoint of the ELF file. | long | | | +| process.elf.header.object_version | "0x1" for original ELF files. | keyword | | | +| process.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | | | +| process.elf.header.type | Header type of the ELF file. | keyword | | | +| process.elf.header.version | Version of the ELF header. | keyword | | | +| process.elf.imports | List of imported element names and types. | flattened | | | +| process.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | | | +| process.elf.sections.chi2 | Chi-square probability distribution of the section. | long | | | +| process.elf.sections.entropy | Shannon entropy calculation from the section. | long | | | +| process.elf.sections.flags | ELF Section List flags. 
| keyword | | | +| process.elf.sections.name | ELF Section List name. | keyword | | | +| process.elf.sections.physical_offset | ELF Section List offset. | keyword | | | +| process.elf.sections.physical_size | ELF Section List physical size. | long | | | +| process.elf.sections.type | ELF Section List type. | keyword | | | +| process.elf.sections.virtual_address | ELF Section List virtual address. | long | | | +| process.elf.sections.virtual_size | ELF Section List virtual size. | long | | | +| process.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | | | +| process.elf.segments.sections | ELF object segment sections. | keyword | | | +| process.elf.segments.type | ELF object segment type. | keyword | | | +| process.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | | | +| process.elf.telfhash | telfhash symbol hash for ELF file. | keyword | | | +| process.end | The time the process ended. | date | | | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | | | process.executable | Absolute path to the process executable. | keyword | | | | process.executable.text | Multi-field of `process.executable`. | match_only_text | | | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | | +| process.hash.md5 | MD5 hash. | keyword | | | +| process.hash.sha1 | SHA1 hash. 
| keyword | | | +| process.hash.sha256 | SHA256 hash. | keyword | | | +| process.hash.sha512 | SHA512 hash. | keyword | | | +| process.hash.ssdeep | SSDEEP hash. | keyword | | | | process.memory.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | | | | process.name | Process name. Sometimes called program name or similar. | keyword | | | | process.name.text | Multi-field of `process.name`. | match_only_text | | | +| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | | +| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | | +| process.parent.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | | | +| process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean | | | +| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | | | +| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | | +| process.parent.code_signature.subject_name | Subject name of the code signer | keyword | | | +| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. 
The field is relevant to Apple \*OS only. | keyword | | | +| process.parent.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | | | +| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | | +| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | | | +| process.parent.elf.architecture | Machine architecture of the ELF file. | keyword | | | +| process.parent.elf.byte_order | Byte sequence of ELF file. | keyword | | | +| process.parent.elf.cpu_type | CPU type of the ELF file. | keyword | | | +| process.parent.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | | | +| process.parent.elf.exports | List of exported element names and types. | flattened | | | +| process.parent.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | | | +| process.parent.elf.header.class | Header class of the ELF file. | keyword | | | +| process.parent.elf.header.data | Data table of the ELF header. | keyword | | | +| process.parent.elf.header.entrypoint | Header entrypoint of the ELF file. | long | | | +| process.parent.elf.header.object_version | "0x1" for original ELF files. 
| keyword | | | +| process.parent.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | | | +| process.parent.elf.header.type | Header type of the ELF file. | keyword | | | +| process.parent.elf.header.version | Version of the ELF header. | keyword | | | +| process.parent.elf.imports | List of imported element names and types. | flattened | | | +| process.parent.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | | | +| process.parent.elf.sections.chi2 | Chi-square probability distribution of the section. | long | | | +| process.parent.elf.sections.entropy | Shannon entropy calculation from the section. | long | | | +| process.parent.elf.sections.flags | ELF Section List flags. | keyword | | | +| process.parent.elf.sections.name | ELF Section List name. | keyword | | | +| process.parent.elf.sections.physical_offset | ELF Section List offset. | keyword | | | +| process.parent.elf.sections.physical_size | ELF Section List physical size. | long | | | +| process.parent.elf.sections.type | ELF Section List type. | keyword | | | +| process.parent.elf.sections.virtual_address | ELF Section List virtual address. | long | | | +| process.parent.elf.sections.virtual_size | ELF Section List virtual size. | long | | | +| process.parent.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | | | +| process.parent.elf.segments.sections | ELF object segment sections. | keyword | | | +| process.parent.elf.segments.type | ELF object segment type. | keyword | | | +| process.parent.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | | | +| process.parent.elf.telfhash | telfhash symbol hash for ELF file. 
| keyword | | | +| process.parent.end | The time the process ended. | date | | | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | | +| process.parent.executable | Absolute path to the process executable. | keyword | | | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | | | +| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | | +| process.parent.hash.md5 | MD5 hash. | keyword | | | +| process.parent.hash.sha1 | SHA1 hash. | keyword | | | +| process.parent.hash.sha256 | SHA256 hash. | keyword | | | +| process.parent.hash.sha512 | SHA512 hash. | keyword | | | +| process.parent.hash.ssdeep | SSDEEP hash. | keyword | | | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | | | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | | | +| process.parent.pe.architecture | CPU architecture target for the file. | keyword | | | +| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | | | +| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | | | +| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | | +| process.parent.pe.imphash | A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | | +| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | | +| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | | | +| process.parent.pgid | Identifier of the group of processes the process belongs to. | long | | | | process.parent.pid | Process id. | long | | | +| process.parent.start | The time the process started. | date | | | +| process.parent.thread.id | Thread ID. | long | | | +| process.parent.thread.name | Thread name. | keyword | | | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | | | +| process.parent.uptime | Seconds the process has been up. | long | | | +| process.parent.working_directory | The working directory of the process. | keyword | | | +| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. | match_only_text | | | +| process.pe.architecture | CPU architecture target for the file. | keyword | | | +| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | | | +| process.pe.description | Internal description of the file, provided at compile-time. | keyword | | | +| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | | +| process.pe.imphash | A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | | +| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | | +| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | | | | process.pgid | Identifier of the group of processes the process belongs to. | long | | | | process.pid | Process id. | long | | | +| process.start | The time the process started. | date | | | | process.state | The process state. For example: "running". | keyword | | | +| process.thread.id | Thread ID. | long | | | +| process.thread.name | Thread name. | keyword | | | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | | +| process.title.text | Multi-field of `process.title`. | match_only_text | | | +| process.uptime | Seconds the process has been up. | long | | | | process.working_directory | The working directory of the process. | keyword | | | | process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | | | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | | 
@@ -1819,9 +2311,54 @@ This dataset is available on: | system.process.memory.share | The shared memory the process uses. | long | byte | gauge | | system.process.memory.size | The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. | long | byte | gauge | | system.process.state | The process state. For example: "running". | keyword | | | -| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | | | +| user.changes.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.changes.email | User email address. | keyword | | | +| user.changes.full_name | User's full name, if available. | keyword | | | +| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | | | +| user.changes.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.changes.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| user.changes.group.name | Name of the group. | keyword | | | +| user.changes.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | | +| user.changes.id | Unique identifier of the user. | keyword | | | +| user.changes.name | Short name or login of the user. | keyword | | | +| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | | | +| user.changes.roles | Array of user roles at the time of the event. | keyword | | | +| user.domain | Name of the directory the user is a member of. 
For example, an LDAP or Active Directory domain name. | keyword | | | +| user.effective.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.effective.email | User email address. | keyword | | | +| user.effective.full_name | User's full name, if available. | keyword | | | +| user.effective.full_name.text | Multi-field of `user.effective.full_name`. | match_only_text | | | +| user.effective.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| user.effective.group.name | Name of the group. | keyword | | | +| user.effective.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | | +| user.effective.id | Unique identifier of the user. | keyword | | | +| user.effective.name | Short name or login of the user. | keyword | | | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | | | +| user.effective.roles | Array of user roles at the time of the event. | keyword | | | +| user.email | User email address. | keyword | | | +| user.full_name | User's full name, if available. | keyword | | | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | | | +| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| user.group.name | Name of the group. | keyword | | | +| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. 
| keyword | | | +| user.id | Unique identifier of the user. | keyword | | | | user.name | Short name or login of the user. | keyword | | | | user.name.text | Multi-field of `user.name`. | match_only_text | | | +| user.roles | Array of user roles at the time of the event. | keyword | | | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.target.email | User email address. | keyword | | | +| user.target.full_name | User's full name, if available. | keyword | | | +| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | | | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| user.target.group.name | Name of the group. | keyword | | | +| user.target.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | | +| user.target.id | Unique identifier of the user. | keyword | | | +| user.target.name | Short name or login of the user. | keyword | | | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | | | +| user.target.roles | Array of user roles at the time of the event. | keyword | | | ### Process summary 
@@ -1840,7 +2377,7 @@ This dataset is available on: | Field | Description | Type | Metric Type | |---|---|---|---| -| @timestamp | Event timestamp. | date | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | cloud.availability_zone | Availability zone in which this host is running. | keyword | | | cloud.image.id | Image ID for the cloud instance. | keyword | | 
@@ -1859,41 +2396,229 @@ This dataset is available on: | data_stream.type | Data stream type. | constant_keyword | | | event.dataset | Event dataset. | constant_keyword | | | event.module | Event module | constant_keyword | | -| group | The group fields are meant to represent groups that are relevant to the event. | group | | +| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | group.id | Unique identifier for the group on the system/platform. | keyword | | | group.name | Name of the group. | keyword | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | host.architecture | Operating system architecture. | keyword | | | host.containerized | If the host is a container. | boolean | | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | +| host.geo.city_name | City name. | keyword | | +| host.geo.continent_code | Two-letter code representing continent's name. 
| keyword | | +| host.geo.continent_name | Name of the continent. | keyword | | +| host.geo.country_iso_code | Country ISO code. | keyword | | +| host.geo.country_name | Country name. | keyword | | +| host.geo.location | Longitude and latitude. | geo_point | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | +| host.geo.region_iso_code | Region ISO code. | keyword | | +| host.geo.region_name | Region name. | keyword | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | host.ip | Host ip addresses. | ip | | | host.mac | Host mac addresses. | keyword | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. 
| long | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | host.os.build | OS build information. | keyword | | | host.os.codename | OS codename, if any. | keyword | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | +| host.os.full | Operating system name, including the version or code name. | keyword | | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | host.os.name | Operating system name, without the version. | keyword | | | host.os.name.text | Multi-field of `host.os.name`. | text | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | host.os.version | Operating system version as a raw string. | keyword | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | +| host.uptime | Seconds the host has been up. | long | | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | -| process | These fields contain information about a process. 
These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group | | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | +| process.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | | +| process.code_signature.exists | Boolean to capture if a signature is present. | boolean | | +| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | | +| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | +| process.code_signature.subject_name | Subject name of the code signer | keyword | | +| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | | +| process.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | | +| process.code_signature.trusted | Stores the trust status of the certificate chain. 
Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | +| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | | +| process.elf.architecture | Machine architecture of the ELF file. | keyword | | +| process.elf.byte_order | Byte sequence of ELF file. | keyword | | +| process.elf.cpu_type | CPU type of the ELF file. | keyword | | +| process.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | | +| process.elf.exports | List of exported element names and types. | flattened | | +| process.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | | +| process.elf.header.class | Header class of the ELF file. | keyword | | +| process.elf.header.data | Data table of the ELF header. | keyword | | +| process.elf.header.entrypoint | Header entrypoint of the ELF file. | long | | +| process.elf.header.object_version | "0x1" for original ELF files. | keyword | | +| process.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | | +| process.elf.header.type | Header type of the ELF file. | keyword | | +| process.elf.header.version | Version of the ELF header. | keyword | | +| process.elf.imports | List of imported element names and types. | flattened | | +| process.elf.sections | An array containing an object for each section of the ELF file. 
The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | | +| process.elf.sections.chi2 | Chi-square probability distribution of the section. | long | | +| process.elf.sections.entropy | Shannon entropy calculation from the section. | long | | +| process.elf.sections.flags | ELF Section List flags. | keyword | | +| process.elf.sections.name | ELF Section List name. | keyword | | +| process.elf.sections.physical_offset | ELF Section List offset. | keyword | | +| process.elf.sections.physical_size | ELF Section List physical size. | long | | +| process.elf.sections.type | ELF Section List type. | keyword | | +| process.elf.sections.virtual_address | ELF Section List virtual address. | long | | +| process.elf.sections.virtual_size | ELF Section List virtual size. | long | | +| process.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | | +| process.elf.segments.sections | ELF object segment sections. | keyword | | +| process.elf.segments.type | ELF object segment type. | keyword | | +| process.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | | +| process.elf.telfhash | telfhash symbol hash for ELF file. | keyword | | +| process.end | The time the process ended. | date | | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | +| process.executable | Absolute path to the process executable. 
| keyword | | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | +| process.hash.md5 | MD5 hash. | keyword | | +| process.hash.sha1 | SHA1 hash. | keyword | | +| process.hash.sha256 | SHA256 hash. | keyword | | +| process.hash.sha512 | SHA512 hash. | keyword | | +| process.hash.ssdeep | SSDEEP hash. | keyword | | | process.name | Process name. Sometimes called program name or similar. | keyword | | | process.name.text | Multi-field of `process.name`. | match_only_text | | +| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | +| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | +| process.parent.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | | +| process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean | | +| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | | +| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
| keyword | | +| process.parent.code_signature.subject_name | Subject name of the code signer | keyword | | +| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | | +| process.parent.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | | +| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | +| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | | +| process.parent.elf.architecture | Machine architecture of the ELF file. | keyword | | +| process.parent.elf.byte_order | Byte sequence of ELF file. | keyword | | +| process.parent.elf.cpu_type | CPU type of the ELF file. | keyword | | +| process.parent.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | | +| process.parent.elf.exports | List of exported element names and types. | flattened | | +| process.parent.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | | +| process.parent.elf.header.class | Header class of the ELF file. | keyword | | +| process.parent.elf.header.data | Data table of the ELF header. 
| keyword | | +| process.parent.elf.header.entrypoint | Header entrypoint of the ELF file. | long | | +| process.parent.elf.header.object_version | "0x1" for original ELF files. | keyword | | +| process.parent.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | | +| process.parent.elf.header.type | Header type of the ELF file. | keyword | | +| process.parent.elf.header.version | Version of the ELF header. | keyword | | +| process.parent.elf.imports | List of imported element names and types. | flattened | | +| process.parent.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | | +| process.parent.elf.sections.chi2 | Chi-square probability distribution of the section. | long | | +| process.parent.elf.sections.entropy | Shannon entropy calculation from the section. | long | | +| process.parent.elf.sections.flags | ELF Section List flags. | keyword | | +| process.parent.elf.sections.name | ELF Section List name. | keyword | | +| process.parent.elf.sections.physical_offset | ELF Section List offset. | keyword | | +| process.parent.elf.sections.physical_size | ELF Section List physical size. | long | | +| process.parent.elf.sections.type | ELF Section List type. | keyword | | +| process.parent.elf.sections.virtual_address | ELF Section List virtual address. | long | | +| process.parent.elf.sections.virtual_size | ELF Section List virtual size. | long | | +| process.parent.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | | +| process.parent.elf.segments.sections | ELF object segment sections. | keyword | | +| process.parent.elf.segments.type | ELF object segment type. 
| keyword | | +| process.parent.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | | +| process.parent.elf.telfhash | telfhash symbol hash for ELF file. | keyword | | +| process.parent.end | The time the process ended. | date | | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | +| process.parent.executable | Absolute path to the process executable. | keyword | | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | | +| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | +| process.parent.hash.md5 | MD5 hash. | keyword | | +| process.parent.hash.sha1 | SHA1 hash. | keyword | | +| process.parent.hash.sha256 | SHA256 hash. | keyword | | +| process.parent.hash.sha512 | SHA512 hash. | keyword | | +| process.parent.hash.ssdeep | SSDEEP hash. | keyword | | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | | +| process.parent.pe.architecture | CPU architecture target for the file. | keyword | | +| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | | +| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | | +| process.parent.pe.file_version | Internal version of the file, provided at compile-time. 
| keyword | | +| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | +| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | +| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | | +| process.parent.pgid | Identifier of the group of processes the process belongs to. | long | | +| process.parent.pid | Process id. | long | | +| process.parent.start | The time the process started. | date | | +| process.parent.thread.id | Thread ID. | long | | +| process.parent.thread.name | Thread name. | keyword | | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | | +| process.parent.uptime | Seconds the process has been up. | long | | +| process.parent.working_directory | The working directory of the process. | keyword | | +| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. | match_only_text | | +| process.pe.architecture | CPU architecture target for the file. | keyword | | +| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | | +| process.pe.description | Internal description of the file, provided at compile-time. | keyword | | +| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | +| process.pe.imphash | A hash of the imports in a PE file. 
An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | +| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | +| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | | +| process.pgid | Identifier of the group of processes the process belongs to. | long | | | process.pid | Process id. | long | | -| source | Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. | group | | +| process.start | The time the process started. | date | | +| process.thread.id | Thread ID. | long | | +| process.thread.name | Thread name. | keyword | | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | +| process.title.text | Multi-field of `process.title`. | match_only_text | | +| process.uptime | Seconds the process has been up. | long | | +| process.working_directory | The working directory of the process. | keyword | | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | | +| source.address | Some event source addresses are defined ambiguously. 
The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | +| source.as.organization.name | Organization name. | keyword | | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | | +| source.bytes | Bytes sent from the source to the destination. | long | | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | | source.geo.city_name | City name. | keyword | | +| source.geo.continent_code | Two-letter code representing continent's name. | keyword | | | source.geo.continent_name | Name of the continent. | keyword | | | source.geo.country_iso_code | Country ISO code. | keyword | | +| source.geo.country_name | Country name. | keyword | | | source.geo.location | Longitude and latitude. | geo_point | | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | +| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | source.geo.region_iso_code | Region ISO code. | keyword | | | source.geo.region_name | Region name. | keyword | | +| source.geo.timezone | The time zone of the location, such as IANA time zone name. 
| keyword | | | source.ip | IP address of the source (IPv4 or IPv6). | ip | | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | | +| source.packets | Packets sent from the source to the destination. | long | | | source.port | Port of the source. | long | | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. 
For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | +| source.user.email | User email address. | keyword | | +| source.user.full_name | User's full name, if available. | keyword | | +| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | | +| source.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | +| source.user.group.id | Unique identifier for the group on the system/platform. | keyword | | +| source.user.group.name | Name of the group. | keyword | | +| source.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | +| source.user.id | Unique identifier of the user. | keyword | | +| source.user.name | Short name or login of the user. | keyword | | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | | +| source.user.roles | Array of user roles at the time of the event. | keyword | | | system.process.summary.dead | Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. | long | gauge | | system.process.summary.idle | Number of idle processes on this host. | long | gauge | | system.process.summary.running | Number of running processes on this host. | long | gauge | 
@@ -1902,10 +2627,54 @@ This dataset is available on: | system.process.summary.total | Total number of processes on this host. | long | gauge | | system.process.summary.unknown | Number of processes for which the state couldn't be retrieved or is unknown. | long | gauge | | system.process.summary.zombie | Number of zombie processes on this host. | long | gauge | -| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | | +| user.changes.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | +| user.changes.email | User email address. | keyword | | +| user.changes.full_name | User's full name, if available. | keyword | | +| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | | +| user.changes.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | +| user.changes.group.id | Unique identifier for the group on the system/platform. | keyword | | +| user.changes.group.name | Name of the group. | keyword | | +| user.changes.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | +| user.changes.id | Unique identifier of the user. | keyword | | +| user.changes.name | Short name or login of the user. | keyword | | +| user.changes.name.text | Multi-field of `user.changes.name`. | match_only_text | | +| user.changes.roles | Array of user roles at the time of the event. | keyword | | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | +| user.effective.domain | Name of the directory the user is a member of. 
For example, an LDAP or Active Directory domain name. | keyword | | +| user.effective.email | User email address. | keyword | | +| user.effective.full_name | User's full name, if available. | keyword | | +| user.effective.full_name.text | Multi-field of `user.effective.full_name`. | match_only_text | | +| user.effective.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | +| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | | +| user.effective.group.name | Name of the group. | keyword | | +| user.effective.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | +| user.effective.id | Unique identifier of the user. | keyword | | +| user.effective.name | Short name or login of the user. | keyword | | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | | +| user.effective.roles | Array of user roles at the time of the event. | keyword | | +| user.email | User email address. | keyword | | +| user.full_name | User's full name, if available. | keyword | | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | | +| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | | +| user.group.name | Name of the group. | keyword | | +| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | | user.id | Unique identifier of the user. | keyword | | | user.name | Short name or login of the user. | keyword | | | user.name.text | Multi-field of `user.name`. 
| match_only_text | | +| user.roles | Array of user roles at the time of the event. | keyword | | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | +| user.target.email | User email address. | keyword | | +| user.target.full_name | User's full name, if available. | keyword | | +| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | | +| user.target.group.name | Name of the group. | keyword | | +| user.target.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | +| user.target.id | Unique identifier of the user. | keyword | | +| user.target.name | Short name or login of the user. | keyword | | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | | +| user.target.roles | Array of user roles at the time of the event. | keyword | | ### Socket summary 
@@ -1946,41 +2715,229 @@ This dataset is available on: | data_stream.type | Data stream type. | constant_keyword | | | | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | -| group | The group fields are meant to represent groups that are relevant to the event. | group | | | +| group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | | group.id | Unique identifier for the group on the system/platform. | keyword | | | | group.name | Name of the group. | keyword | | | -| host | A host is defined as a general computing instance. ECS host.\* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. | group | | | | host.architecture | Operating system architecture. | keyword | | | | host.containerized | If the host is a container. | boolean | | | +| host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.geo.city_name | City name. | keyword | | | +| host.geo.continent_code | Two-letter code representing continent's name. 
| keyword | | | +| host.geo.continent_name | Name of the continent. | keyword | | | +| host.geo.country_iso_code | Country ISO code. | keyword | | | +| host.geo.country_name | Country name. | keyword | | | +| host.geo.location | Longitude and latitude. | geo_point | | | +| host.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | | +| host.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | +| host.geo.region_iso_code | Region ISO code. | keyword | | | +| host.geo.region_name | Region name. | keyword | | | +| host.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. 
| keyword | | | +| host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | +| host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | | host.os.build | OS build information. | keyword | | | | host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.full | Operating system name, including the version or code name. | keyword | | | +| host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | | host.os.name.text | Multi-field of `host.os.name`. | text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | +| host.uptime | Seconds the host has been up. | long | | | | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | | -| process | These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. | group | | | +| process.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | | +| process.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | | +| process.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. | keyword | | | +| process.code_signature.exists | Boolean to capture if a signature is present. | boolean | | | +| process.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | | | +| process.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. 
| keyword | | | +| process.code_signature.subject_name | Subject name of the code signer | keyword | | | +| process.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | | | +| process.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | | | +| process.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | | +| process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | | +| process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | | +| process.command_line.text | Multi-field of `process.command_line`. | match_only_text | | | +| process.elf.architecture | Machine architecture of the ELF file. | keyword | | | +| process.elf.byte_order | Byte sequence of ELF file. | keyword | | | +| process.elf.cpu_type | CPU type of the ELF file. | keyword | | | +| process.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | | | +| process.elf.exports | List of exported element names and types. | flattened | | | +| process.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | | | +| process.elf.header.class | Header class of the ELF file. | keyword | | | +| process.elf.header.data | Data table of the ELF header. | keyword | | | +| process.elf.header.entrypoint | Header entrypoint of the ELF file. 
| long | | | +| process.elf.header.object_version | "0x1" for original ELF files. | keyword | | | +| process.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | | | +| process.elf.header.type | Header type of the ELF file. | keyword | | | +| process.elf.header.version | Version of the ELF header. | keyword | | | +| process.elf.imports | List of imported element names and types. | flattened | | | +| process.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | | | +| process.elf.sections.chi2 | Chi-square probability distribution of the section. | long | | | +| process.elf.sections.entropy | Shannon entropy calculation from the section. | long | | | +| process.elf.sections.flags | ELF Section List flags. | keyword | | | +| process.elf.sections.name | ELF Section List name. | keyword | | | +| process.elf.sections.physical_offset | ELF Section List offset. | keyword | | | +| process.elf.sections.physical_size | ELF Section List physical size. | long | | | +| process.elf.sections.type | ELF Section List type. | keyword | | | +| process.elf.sections.virtual_address | ELF Section List virtual address. | long | | | +| process.elf.sections.virtual_size | ELF Section List virtual size. | long | | | +| process.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | | | +| process.elf.segments.sections | ELF object segment sections. | keyword | | | +| process.elf.segments.type | ELF object segment type. | keyword | | | +| process.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | | | +| process.elf.telfhash | telfhash symbol hash for ELF file. | keyword | | | +| process.end | The time the process ended. 
| date | | | +| process.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | | +| process.executable | Absolute path to the process executable. | keyword | | | +| process.executable.text | Multi-field of `process.executable`. | match_only_text | | | +| process.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | | +| process.hash.md5 | MD5 hash. | keyword | | | +| process.hash.sha1 | SHA1 hash. | keyword | | | +| process.hash.sha256 | SHA256 hash. | keyword | | | +| process.hash.sha512 | SHA512 hash. | keyword | | | +| process.hash.ssdeep | SSDEEP hash. | keyword | | | | process.name | Process name. Sometimes called program name or similar. | keyword | | | | process.name.text | Multi-field of `process.name`. | match_only_text | | | +| process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | | +| process.parent.args_count | Length of the process.args array. This field can be useful for querying or performing bucket analysis on how many arguments were provided to start a process. More arguments may be an indication of suspicious activity. | long | | | +| process.parent.code_signature.digest_algorithm | The hashing algorithm used to sign the process. This value can distinguish signatures when a file is signed multiple times by the same signer but with a different digest algorithm. 
| keyword | | | +| process.parent.code_signature.exists | Boolean to capture if a signature is present. | boolean | | | +| process.parent.code_signature.signing_id | The identifier used to sign the process. This is used to identify the application manufactured by a software vendor. The field is relevant to Apple \*OS only. | keyword | | | +| process.parent.code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | | +| process.parent.code_signature.subject_name | Subject name of the code signer | keyword | | | +| process.parent.code_signature.team_id | The team identifier used to sign the process. This is used to identify the team or vendor of a software product. The field is relevant to Apple \*OS only. | keyword | | | +| process.parent.code_signature.timestamp | Date and time when the code signature was generated and signed. | date | | | +| process.parent.code_signature.trusted | Stores the trust status of the certificate chain. Validating the trust of the certificate chain may be complicated, and this field should only be populated by tools that actively check the status. | boolean | | | +| process.parent.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | | +| process.parent.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | | +| process.parent.command_line.text | Multi-field of `process.parent.command_line`. | match_only_text | | | +| process.parent.elf.architecture | Machine architecture of the ELF file. | keyword | | | +| process.parent.elf.byte_order | Byte sequence of ELF file. 
| keyword | | | +| process.parent.elf.cpu_type | CPU type of the ELF file. | keyword | | | +| process.parent.elf.creation_date | Extracted when possible from the file's metadata. Indicates when it was built or compiled. It can also be faked by malware creators. | date | | | +| process.parent.elf.exports | List of exported element names and types. | flattened | | | +| process.parent.elf.header.abi_version | Version of the ELF Application Binary Interface (ABI). | keyword | | | +| process.parent.elf.header.class | Header class of the ELF file. | keyword | | | +| process.parent.elf.header.data | Data table of the ELF header. | keyword | | | +| process.parent.elf.header.entrypoint | Header entrypoint of the ELF file. | long | | | +| process.parent.elf.header.object_version | "0x1" for original ELF files. | keyword | | | +| process.parent.elf.header.os_abi | Application Binary Interface (ABI) of the Linux OS. | keyword | | | +| process.parent.elf.header.type | Header type of the ELF file. | keyword | | | +| process.parent.elf.header.version | Version of the ELF header. | keyword | | | +| process.parent.elf.imports | List of imported element names and types. | flattened | | | +| process.parent.elf.sections | An array containing an object for each section of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.sections.\*`. | nested | | | +| process.parent.elf.sections.chi2 | Chi-square probability distribution of the section. | long | | | +| process.parent.elf.sections.entropy | Shannon entropy calculation from the section. | long | | | +| process.parent.elf.sections.flags | ELF Section List flags. | keyword | | | +| process.parent.elf.sections.name | ELF Section List name. | keyword | | | +| process.parent.elf.sections.physical_offset | ELF Section List offset. | keyword | | | +| process.parent.elf.sections.physical_size | ELF Section List physical size. 
| long | | | +| process.parent.elf.sections.type | ELF Section List type. | keyword | | | +| process.parent.elf.sections.virtual_address | ELF Section List virtual address. | long | | | +| process.parent.elf.sections.virtual_size | ELF Section List virtual size. | long | | | +| process.parent.elf.segments | An array containing an object for each segment of the ELF file. The keys that should be present in these objects are defined by sub-fields underneath `elf.segments.\*`. | nested | | | +| process.parent.elf.segments.sections | ELF object segment sections. | keyword | | | +| process.parent.elf.segments.type | ELF object segment type. | keyword | | | +| process.parent.elf.shared_libraries | List of shared libraries used by this ELF object. | keyword | | | +| process.parent.elf.telfhash | telfhash symbol hash for ELF file. | keyword | | | +| process.parent.end | The time the process ended. | date | | | +| process.parent.entity_id | Unique identifier for the process. The implementation of this is specified by the data source, but some examples of what could be used here are a process-generated UUID, Sysmon Process GUIDs, or a hash of some uniquely identifying components of a process. Constructing a globally unique identifier is a common practice to mitigate PID reuse as well as to identify a specific process over time, across multiple monitored hosts. | keyword | | | +| process.parent.executable | Absolute path to the process executable. | keyword | | | +| process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text | | | +| process.parent.exit_code | The exit code of the process, if this is a termination event. The field should be absent if there is no exit code for the event (e.g. process start). | long | | | +| process.parent.hash.md5 | MD5 hash. | keyword | | | +| process.parent.hash.sha1 | SHA1 hash. | keyword | | | +| process.parent.hash.sha256 | SHA256 hash. | keyword | | | +| process.parent.hash.sha512 | SHA512 hash. 
| keyword | | | +| process.parent.hash.ssdeep | SSDEEP hash. | keyword | | | +| process.parent.name | Process name. Sometimes called program name or similar. | keyword | | | +| process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text | | | +| process.parent.pe.architecture | CPU architecture target for the file. | keyword | | | +| process.parent.pe.company | Internal company name of the file, provided at compile-time. | keyword | | | +| process.parent.pe.description | Internal description of the file, provided at compile-time. | keyword | | | +| process.parent.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | | +| process.parent.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | | +| process.parent.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | | +| process.parent.pe.product | Internal product name of the file, provided at compile-time. | keyword | | | +| process.parent.pgid | Identifier of the group of processes the process belongs to. | long | | | +| process.parent.pid | Process id. | long | | | +| process.parent.start | The time the process started. | date | | | +| process.parent.thread.id | Thread ID. | long | | | +| process.parent.thread.name | Thread name. | keyword | | | +| process.parent.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | | +| process.parent.title.text | Multi-field of `process.parent.title`. | match_only_text | | | +| process.parent.uptime | Seconds the process has been up. 
| long | | | +| process.parent.working_directory | The working directory of the process. | keyword | | | +| process.parent.working_directory.text | Multi-field of `process.parent.working_directory`. | match_only_text | | | +| process.pe.architecture | CPU architecture target for the file. | keyword | | | +| process.pe.company | Internal company name of the file, provided at compile-time. | keyword | | | +| process.pe.description | Internal description of the file, provided at compile-time. | keyword | | | +| process.pe.file_version | Internal version of the file, provided at compile-time. | keyword | | | +| process.pe.imphash | A hash of the imports in a PE file. An imphash -- or import hash -- can be used to fingerprint binaries even after recompilation or other code-level transformations have occurred, which would change more traditional hash values. Learn more at https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html. | keyword | | | +| process.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword | | | +| process.pe.product | Internal product name of the file, provided at compile-time. | keyword | | | +| process.pgid | Identifier of the group of processes the process belongs to. | long | | | | process.pid | Process id. | long | | | -| source | Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction. Source fields are usually populated in conjunction with destination fields. The source and destination fields are considered the baseline and should always be filled if an event contains source and destination details from a network transaction. If the event also contains identification of the client and server roles, then the client and server fields should also be populated. | group | | | +| process.start | The time the process started. 
| date | | | +| process.thread.id | Thread ID. | long | | | +| process.thread.name | Thread name. | keyword | | | +| process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | | +| process.title.text | Multi-field of `process.title`. | match_only_text | | | +| process.uptime | Seconds the process has been up. | long | | | +| process.working_directory | The working directory of the process. | keyword | | | +| process.working_directory.text | Multi-field of `process.working_directory`. | match_only_text | | | +| source.address | Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | | +| source.as.number | Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet. | long | | | +| source.as.organization.name | Organization name. | keyword | | | +| source.as.organization.name.text | Multi-field of `source.as.organization.name`. | match_only_text | | | +| source.bytes | Bytes sent from the source to the destination. | long | | | +| source.domain | The domain name of the source system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | | | source.geo.city_name | City name. | keyword | | | +| source.geo.continent_code | Two-letter code representing continent's name. | keyword | | | | source.geo.continent_name | Name of the continent. | keyword | | | | source.geo.country_iso_code | Country ISO code. | keyword | | | +| source.geo.country_name | Country name. | keyword | | | | source.geo.location | Longitude and latitude. 
| geo_point | | | +| source.geo.name | User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. | keyword | | | +| source.geo.postal_code | Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country. | keyword | | | | source.geo.region_iso_code | Region ISO code. | keyword | | | | source.geo.region_name | Region name. | keyword | | | +| source.geo.timezone | The time zone of the location, such as IANA time zone name. | keyword | | | | source.ip | IP address of the source (IPv4 or IPv6). | ip | | | +| source.mac | MAC address of the source. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | +| source.nat.ip | Translated ip of source based NAT sessions (e.g. internal client to internet) Typically connections traversing load balancers, firewalls, or routers. | ip | | | +| source.nat.port | Translated port of source based NAT sessions. (e.g. internal client to internet) Typically used with load balancers, firewalls, or routers. | long | | | +| source.packets | Packets sent from the source to the destination. | long | | | | source.port | Port of the source. | long | | | +| source.registered_domain | The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". 
| keyword | | | +| source.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | | | +| source.top_level_domain | The effective top level domain (eTLD), also known as the domain suffix, is the last part of the domain name. For example, the top level domain for example.com is "com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last label will not work well for effective TLDs such as "co.uk". | keyword | | | +| source.user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| source.user.email | User email address. | keyword | | | +| source.user.full_name | User's full name, if available. | keyword | | | +| source.user.full_name.text | Multi-field of `source.user.full_name`. | match_only_text | | | +| source.user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| source.user.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| source.user.group.name | Name of the group. | keyword | | | +| source.user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | | +| source.user.id | Unique identifier of the user. 
| keyword | | | +| source.user.name | Short name or login of the user. | keyword | | | +| source.user.name.text | Multi-field of `source.user.name`. | match_only_text | | | +| source.user.roles | Array of user roles at the time of the event. | keyword | | | | system.socket.summary.all.count | All open connections | integer | | gauge | | system.socket.summary.all.listening | All listening ports | integer | | gauge | | system.socket.summary.tcp.all.close_wait | Number of TCP connections in _close_wait_ state | integer | | gauge | 
@@ -1998,10 +2955,54 @@ This dataset is available on: | system.socket.summary.tcp.memory | Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. | integer | byte | gauge | | system.socket.summary.udp.all.count | All open UDP connections | integer | | gauge | | system.socket.summary.udp.memory | Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. | integer | byte | gauge | -| user | The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. | group | | | +| user.changes.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.changes.email | User email address. | keyword | | | +| user.changes.full_name | User's full name, if available. | keyword | | | +| user.changes.full_name.text | Multi-field of `user.changes.full_name`. | match_only_text | | | +| user.changes.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.changes.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| user.changes.group.name | Name of the group. | keyword | | | +| user.changes.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | | +| user.changes.id | Unique identifier of the user. | keyword | | | +| user.changes.name | Short name or login of the user. | keyword | | | +| user.changes.name.text | Multi-field of `user.changes.name`. 
| match_only_text | | | +| user.changes.roles | Array of user roles at the time of the event. | keyword | | | +| user.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.effective.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.effective.email | User email address. | keyword | | | +| user.effective.full_name | User's full name, if available. | keyword | | | +| user.effective.full_name.text | Multi-field of `user.effective.full_name`. | match_only_text | | | +| user.effective.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.effective.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| user.effective.group.name | Name of the group. | keyword | | | +| user.effective.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | | +| user.effective.id | Unique identifier of the user. | keyword | | | +| user.effective.name | Short name or login of the user. | keyword | | | +| user.effective.name.text | Multi-field of `user.effective.name`. | match_only_text | | | +| user.effective.roles | Array of user roles at the time of the event. | keyword | | | +| user.email | User email address. | keyword | | | +| user.full_name | User's full name, if available. | keyword | | | +| user.full_name.text | Multi-field of `user.full_name`. | match_only_text | | | +| user.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| user.group.name | Name of the group. 
| keyword | | | +| user.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | | | user.id | Unique identifier of the user. | keyword | | | | user.name | Short name or login of the user. | keyword | | | | user.name.text | Multi-field of `user.name`. | match_only_text | | | +| user.roles | Array of user roles at the time of the event. | keyword | | | +| user.target.domain | Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.target.email | User email address. | keyword | | | +| user.target.full_name | User's full name, if available. | keyword | | | +| user.target.full_name.text | Multi-field of `user.target.full_name`. | match_only_text | | | +| user.target.group.domain | Name of the directory the group is a member of. For example, an LDAP or Active Directory domain name. | keyword | | | +| user.target.group.id | Unique identifier for the group on the system/platform. | keyword | | | +| user.target.group.name | Name of the group. | keyword | | | +| user.target.hash | Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. | keyword | | | +| user.target.id | Unique identifier of the user. | keyword | | | +| user.target.name | Short name or login of the user. | keyword | | | +| user.target.name.text | Multi-field of `user.target.name`. | match_only_text | | | +| user.target.roles | Array of user roles at the time of the event. | keyword | | | ### Uptime From f0d81fcd9bd48de76f355dca509735f6305c14b3 Mon Sep 17 00:00:00 2001 
From: Jaime Soriano Pastor Date: Tue, 10 May 2022 11:44:02 +0200 Subject: [PATCH 08/28] Remove duplicates in ecs files --- .../azure/data_stream/activitylogs/fields/ecs.yml | 2 -- .../azure/data_stream/auditlogs/fields/ecs.yml | 4 ---- packages/azure/data_stream/eventhub/fields/ecs.yml | 2 -- .../azure/data_stream/platformlogs/fields/ecs.yml | 2 -- .../azure/data_stream/signinlogs/fields/ecs.yml | 2 -- .../data_stream/springcloudlogs/fields/ecs.yml | 2 -- .../cassandra/data_stream/metrics/fields/ecs.yml | 8 -------- packages/cisco/data_stream/asa/fields/ecs.yml | 4 ---- packages/cisco/data_stream/ftd/fields/ecs.yml | 4 ---- packages/cisco/data_stream/ios/fields/ecs.yml | 4 ---- packages/cisco/docs/README.md | 4 ++-- packages/cisco_asa/data_stream/log/fields/ecs.yml | 4 ---- packages/cisco_ftd/data_stream/log/fields/ecs.yml | 4 ---- packages/cisco_ios/data_stream/log/fields/ecs.yml | 2 -- .../cisco_meraki/data_stream/events/fields/ecs.yml | 4 ---- .../cisco_meraki/data_stream/log/fields/ecs.yml | 4 ---- packages/cisco_meraki/docs/README.md | 10 +++++----- .../data_stream/event/fields/ecs.yml | 2 -- .../cloudflare/data_stream/logpull/fields/ecs.yml | 2 -- packages/fireeye/data_stream/nx/fields/ecs.yml | 2 -- .../data_stream/log/fields/ecs.yml | 4 ---- packages/iis/data_stream/access/fields/ecs.yml | 8 -------- .../m365_defender/data_stream/log/fields/ecs.yml | 2 -- .../mimecast/data_stream/siem_logs/fields/ecs.yml | 4 ---- .../data_stream/ttp_ap_logs/fields/ecs.yml | 4 ---- .../data_stream/ttp_ip_logs/fields/ecs.yml | 2 -- .../data_stream/ttp_url_logs/fields/ecs.yml | 2 -- .../netskope/data_stream/alerts/fields/ecs.yml | 4 ---- .../netskope/data_stream/events/fields/ecs.yml | 4 ---- packages/netskope/docs/README.md | 2 +- packages/panw/data_stream/panos/fields/ecs.yml | 2 -- packages/pfsense/data_stream/log/fields/ecs.yml | 2 -- packages/pfsense/docs/README.md | 2 +- .../data_stream/log/fields/ecs.yml | 14 -------------- packages/squid/data_stream/log/fields/ecs.yml 
| 2 -- packages/system/data_stream/auth/fields/ecs.yml | 2 -- packages/system/docs/README.md | 2 +- .../data_stream/threat/fields/ecs.yml | 2 -- packages/tomcat/data_stream/log/fields/ecs.yml | 2 -- packages/zeek/data_stream/ssl/fields/ecs.yml | 2 -- .../data_stream/browser_access/fields/ecs.yml | 2 -- 41 files changed, 10 insertions(+), 132 deletions(-) diff --git a/packages/azure/data_stream/activitylogs/fields/ecs.yml b/packages/azure/data_stream/activitylogs/fields/ecs.yml index 2d534bbf331..981fa934174 100644 --- a/packages/azure/data_stream/activitylogs/fields/ecs.yml +++ b/packages/azure/data_stream/activitylogs/fields/ecs.yml @@ -110,7 +110,5 @@ external: ecs - name: user.id external: ecs -- name: user.name - external: ecs - name: tags external: ecs diff --git a/packages/azure/data_stream/auditlogs/fields/ecs.yml b/packages/azure/data_stream/auditlogs/fields/ecs.yml index 989ae28f6db..b52fc0d77bc 100644 --- a/packages/azure/data_stream/auditlogs/fields/ecs.yml +++ b/packages/azure/data_stream/auditlogs/fields/ecs.yml @@ -94,8 +94,6 @@ external: ecs - name: source.ip external: ecs -- name: client.ip - external: ecs - name: source.port external: ecs - name: user.full_name @@ -106,7 +104,5 @@ external: ecs - name: user.id external: ecs -- name: user.name - external: ecs - name: tags external: ecs diff --git a/packages/azure/data_stream/eventhub/fields/ecs.yml b/packages/azure/data_stream/eventhub/fields/ecs.yml index 58be539b413..cc5b94d7f8f 100644 --- a/packages/azure/data_stream/eventhub/fields/ecs.yml +++ b/packages/azure/data_stream/eventhub/fields/ecs.yml @@ -102,7 +102,5 @@ external: ecs - name: user.id external: ecs -- name: user.name - external: ecs - name: tags external: ecs diff --git a/packages/azure/data_stream/platformlogs/fields/ecs.yml b/packages/azure/data_stream/platformlogs/fields/ecs.yml index fc439f82947..54b54083131 100644 --- a/packages/azure/data_stream/platformlogs/fields/ecs.yml 
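Review bot: Each of these hunks removes an entry whose surviving duplicate lies outside the hunk (`user.name` in activitylogs, eventhub, platformlogs, signinlogs and springcloudlogs; `client.ip` in auditlogs), so the diff alone does not show that the field is still declared, and the same applies to `server.domain` in the cisco asa/ftd and cisco_asa/cisco_ftd hunks, `source.address` in cisco ios, and `network.direction`/`network.protocol` in both cisco_meraki streams. If one of those removals hits the only declaration, the field silently loses its ECS mapping, and detection rules or dashboards that filter on `user.name`, `client.ip` or `network.direction` stop matching with no ingest error to point at the cause. The activemq and cassandra hunks in this series remove an adjacent repeat that is visible in the hunk and need no such confirmation. Worth confirming with a search for each removed name in its file before merging, and worth adding a check that fails the package build when an ecs.yml repeats a `name`, so the cleanup does not have to be redone by hand.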
+++ b/packages/azure/data_stream/platformlogs/fields/ecs.yml @@ -104,8 +104,6 @@ external: ecs - name: user.id external: ecs -- name: user.name - external: ecs - name: tags external: ecs - name: client.ip diff --git a/packages/azure/data_stream/signinlogs/fields/ecs.yml b/packages/azure/data_stream/signinlogs/fields/ecs.yml index 0dc61a920f7..d898b0e80ab 100644 --- a/packages/azure/data_stream/signinlogs/fields/ecs.yml +++ b/packages/azure/data_stream/signinlogs/fields/ecs.yml @@ -104,8 +104,6 @@ external: ecs - name: user.id external: ecs -- name: user.name - external: ecs - name: user_agent.device.name external: ecs - name: user_agent.name diff --git a/packages/azure/data_stream/springcloudlogs/fields/ecs.yml b/packages/azure/data_stream/springcloudlogs/fields/ecs.yml index bb36c557383..1e5edd723f0 100644 --- a/packages/azure/data_stream/springcloudlogs/fields/ecs.yml +++ b/packages/azure/data_stream/springcloudlogs/fields/ecs.yml @@ -102,8 +102,6 @@ external: ecs - name: user.id external: ecs -- name: user.name - external: ecs - name: tags external: ecs - name: geo.name diff --git a/packages/cassandra/data_stream/metrics/fields/ecs.yml b/packages/cassandra/data_stream/metrics/fields/ecs.yml index ada632fe019..64eca720df2 100644 --- a/packages/cassandra/data_stream/metrics/fields/ecs.yml +++ b/packages/cassandra/data_stream/metrics/fields/ecs.yml @@ -86,22 +86,14 @@ name: user.name - external: ecs name: user_agent.device.name -- external: ecs - name: user_agent.device.name -- external: ecs - name: user_agent.name - external: ecs name: user_agent.name - external: ecs name: user_agent.original -- external: ecs - name: user_agent.original - external: ecs name: user_agent.os.full - external: ecs name: user_agent.os.name -- external: ecs - name: user_agent.os.name - external: ecs name: user_agent.os.version - external: ecs diff --git a/packages/cisco/data_stream/asa/fields/ecs.yml b/packages/cisco/data_stream/asa/fields/ecs.yml index 26c8e662c42..ee8b04ed51f 100644 
--- a/packages/cisco/data_stream/asa/fields/ecs.yml +++ b/packages/cisco/data_stream/asa/fields/ecs.yml @@ -48,8 +48,6 @@ name: event.code - external: ecs name: event.created -- external: ecs - name: event.created - external: ecs name: event.duration - external: ecs @@ -200,8 +198,6 @@ name: user.email - external: ecs name: user.name -- external: ecs - name: server.domain - external: ecs name: server.address - external: ecs diff --git a/packages/cisco/data_stream/ftd/fields/ecs.yml b/packages/cisco/data_stream/ftd/fields/ecs.yml index 1e4950c9bfe..f611e8ee32a 100644 --- a/packages/cisco/data_stream/ftd/fields/ecs.yml +++ b/packages/cisco/data_stream/ftd/fields/ecs.yml @@ -56,8 +56,6 @@ name: event.code - external: ecs name: event.created -- external: ecs - name: event.created - external: ecs name: event.duration - external: ecs @@ -230,8 +228,6 @@ name: user.name - external: ecs name: user_agent.original -- external: ecs - name: server.domain - external: ecs name: server.address - external: ecs diff --git a/packages/cisco/data_stream/ios/fields/ecs.yml b/packages/cisco/data_stream/ios/fields/ecs.yml index f1b640bd5ec..7f5efc110d4 100644 --- a/packages/cisco/data_stream/ios/fields/ecs.yml +++ b/packages/cisco/data_stream/ios/fields/ecs.yml @@ -36,8 +36,6 @@ name: event.code - external: ecs name: event.created -- external: ecs - name: event.created - external: ecs name: event.duration - external: ecs @@ -88,8 +86,6 @@ name: source.port - external: ecs name: source.user.name -- external: ecs - name: source.address - external: ecs name: source.as.number - external: ecs diff --git a/packages/cisco/docs/README.md b/packages/cisco/docs/README.md index 7eca6d6e14b..bd4c2cb5243 100644 --- a/packages/cisco/docs/README.md +++ b/packages/cisco/docs/README.md 
@@ -134,7 +134,7 @@ An example event for `asa` looks as following: | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | cisco.asa.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip | | cisco.asa.burst.avg_rate | The current average burst rate seen | keyword | | cisco.asa.burst.configured_avg_rate | The current configured average burst rate allowed | keyword | @@ -806,7 +806,7 @@ An example event for `ios` looks as following: | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | cisco.ios.access_list | Name of the IP access list. | keyword | | cisco.ios.action | Action taken by the device | keyword | | cisco.ios.facility | The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message. | keyword | diff --git a/packages/cisco_asa/data_stream/log/fields/ecs.yml b/packages/cisco_asa/data_stream/log/fields/ecs.yml index 71143f2c0c2..6779904532a 100644 --- a/packages/cisco_asa/data_stream/log/fields/ecs.yml +++ b/packages/cisco_asa/data_stream/log/fields/ecs.yml 
@@ -50,8 +50,6 @@ name: event.code - external: ecs name: event.created -- external: ecs - name: event.created - external: ecs name: event.duration - external: ecs @@ -208,8 +206,6 @@ name: user.email - external: ecs name: user.name -- external: ecs - name: server.domain - external: ecs name: server.address - external: ecs diff --git a/packages/cisco_ftd/data_stream/log/fields/ecs.yml b/packages/cisco_ftd/data_stream/log/fields/ecs.yml index 63bbe0f7fa4..23cf593c2ea 100644 --- a/packages/cisco_ftd/data_stream/log/fields/ecs.yml +++ b/packages/cisco_ftd/data_stream/log/fields/ecs.yml @@ -58,8 +58,6 @@ name: event.code - external: ecs name: event.created -- external: ecs - name: event.created - external: ecs name: event.duration - external: ecs @@ -238,8 +236,6 @@ name: user.name - external: ecs name: user_agent.original -- external: ecs - name: server.domain - external: ecs name: server.address - external: ecs diff --git a/packages/cisco_ios/data_stream/log/fields/ecs.yml b/packages/cisco_ios/data_stream/log/fields/ecs.yml index aa2cf73fd85..903e7852795 100644 --- a/packages/cisco_ios/data_stream/log/fields/ecs.yml +++ b/packages/cisco_ios/data_stream/log/fields/ecs.yml @@ -36,8 +36,6 @@ name: event.code - external: ecs name: event.created -- external: ecs - name: event.created - external: ecs name: event.duration - external: ecs diff --git a/packages/cisco_meraki/data_stream/events/fields/ecs.yml b/packages/cisco_meraki/data_stream/events/fields/ecs.yml index 1689c91fbc3..0ad0ce22490 100644 --- a/packages/cisco_meraki/data_stream/events/fields/ecs.yml +++ b/packages/cisco_meraki/data_stream/events/fields/ecs.yml @@ -280,10 +280,6 @@ name: threat.indicator.file.name - external: ecs name: threat.indicator.file.hash.sha256 -- external: ecs - name: network.direction -- external: ecs - name: network.protocol - external: ecs name: client.geo.city_name - external: ecs 
diff --git a/packages/cisco_meraki/data_stream/log/fields/ecs.yml b/packages/cisco_meraki/data_stream/log/fields/ecs.yml index d0f1e65d677..81eccba0695 100644 --- a/packages/cisco_meraki/data_stream/log/fields/ecs.yml +++ b/packages/cisco_meraki/data_stream/log/fields/ecs.yml @@ -280,10 +280,6 @@ name: threat.indicator.file.name - external: ecs name: threat.indicator.file.hash.sha256 -- external: ecs - name: network.direction -- external: ecs - name: network.protocol - external: ecs name: client.geo.city_name - external: ecs diff --git a/packages/cisco_meraki/docs/README.md b/packages/cisco_meraki/docs/README.md index baea4f77535..ff7997ef857 100644 --- a/packages/cisco_meraki/docs/README.md +++ b/packages/cisco_meraki/docs/README.md @@ -177,7 +177,7 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.mac | Host mac addresses. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | 
@@ -190,7 +190,7 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | | http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Type of Filebeat input. | keyword | +| input.type | Input type. | keyword | | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | | log.offset | Offset of the entry in the log file. | long | 
@@ -499,7 +499,7 @@ An example event for `log` looks as following:
| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
| host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| host.mac | Host mac addresses. | keyword |
| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
@@ -512,8 +512,8 @@ An example event for `log` looks as following:
| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
| http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
| http.request.referrer | Referrer for this HTTP request. | keyword |
-| input.type | Type of Filebeat input. | keyword |
-| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
+| input.type | Input type. | keyword |
+| log.file.path | Full path to the log file this event came from. | keyword |
| log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
| log.offset | Offset of the entry in the log file. | long |
| log.source.address | Source address from which the log event was read / sent from. | keyword |
diff --git a/packages/cisco_secure_endpoint/data_stream/event/fields/ecs.yml b/packages/cisco_secure_endpoint/data_stream/event/fields/ecs.yml
index e6934866f97..a111f41da68 100644
--- a/packages/cisco_secure_endpoint/data_stream/event/fields/ecs.yml
+++ b/packages/cisco_secure_endpoint/data_stream/event/fields/ecs.yml
@@ -24,8 +24,6 @@
name: event.category
- external: ecs
name: event.id
-- external: ecs
- name: event.code
- external: ecs
name: event.timezone
- name: related.ip
diff --git a/packages/cloudflare/data_stream/logpull/fields/ecs.yml b/packages/cloudflare/data_stream/logpull/fields/ecs.yml
index 9a9a6402b06..a76befc86ca 100644
--- a/packages/cloudflare/data_stream/logpull/fields/ecs.yml
+++ b/packages/cloudflare/data_stream/logpull/fields/ecs.yml
@@ -12,8 +12,6 @@
external: ecs
- name: client.geo.continent_name
external: ecs
-- name: client.geo.country_iso_code
- external: ecs
- name: client.geo.region_iso_code
external: ecs
- name: client.geo.location
diff --git a/packages/fireeye/data_stream/nx/fields/ecs.yml b/packages/fireeye/data_stream/nx/fields/ecs.yml
index f1d3ef0500a..e42fbd85c1a 100644
--- a/packages/fireeye/data_stream/nx/fields/ecs.yml
+++ b/packages/fireeye/data_stream/nx/fields/ecs.yml
@@ -62,8 +62,6 @@
name: source.ip
- external: ecs
name: destination.address
-- external: ecs
- name: destination.port
- external: ecs
name: destination.as.number
- external: ecs
diff --git a/packages/hid_bravura_monitor/data_stream/log/fields/ecs.yml b/packages/hid_bravura_monitor/data_stream/log/fields/ecs.yml
index eaee751dad7..fb78acf4391 100644
--- a/packages/hid_bravura_monitor/data_stream/log/fields/ecs.yml
+++ b/packages/hid_bravura_monitor/data_stream/log/fields/ecs.yml
@@ -48,8 +48,6 @@
name: event.code
- external: ecs
name: event.created
-- external: ecs
- name: event.created
- external: ecs
name: event.duration
- external: ecs
@@ -206,8 +204,6 @@
name: user.id
- external: ecs
name: user.name
-- external: ecs
- name: server.domain
- external: ecs
name: server.address
- external: ecs
diff --git a/packages/iis/data_stream/access/fields/ecs.yml b/packages/iis/data_stream/access/fields/ecs.yml
index 80a028d9cb0..295c38639a3 100644
--- a/packages/iis/data_stream/access/fields/ecs.yml
+++ b/packages/iis/data_stream/access/fields/ecs.yml
@@ -72,22 +72,14 @@
name: user.name
- external: ecs
name: user_agent.device.name
-- external: ecs
- name: user_agent.device.name
-- external: ecs
- name: user_agent.name
- external: ecs
name: user_agent.name
- external: ecs
name: user_agent.original
-- external: ecs
- name: user_agent.original
- external: ecs
name: user_agent.os.full
- external: ecs
name: user_agent.os.name
-- external: ecs
- name: user_agent.os.name
- external: ecs
name: user_agent.os.version
- external: ecs
diff --git a/packages/m365_defender/data_stream/log/fields/ecs.yml b/packages/m365_defender/data_stream/log/fields/ecs.yml
index be5c5190a6f..90a15fb258a 100644
--- a/packages/m365_defender/data_stream/log/fields/ecs.yml
+++ b/packages/m365_defender/data_stream/log/fields/ecs.yml
@@ -56,8 +56,6 @@
name: url.full
- external: ecs
name: url.domain
-- external: ecs
- name: url.full
- external: ecs
name: url.extension
- external: ecs
diff --git a/packages/mimecast/data_stream/siem_logs/fields/ecs.yml b/packages/mimecast/data_stream/siem_logs/fields/ecs.yml
index 31577dc1b52..863be6474cd 100644
--- a/packages/mimecast/data_stream/siem_logs/fields/ecs.yml
+++ b/packages/mimecast/data_stream/siem_logs/fields/ecs.yml
@@ -12,8 +12,6 @@
name: email.attachments.file.mime_type
- external: ecs
name: email.attachments.file.name
-- external: ecs
- name: email.attachments.file.name
- external: ecs
name: email.attachments.file.size
- external: ecs
@@ -36,8 +34,6 @@
name: error.type
- external: ecs
name: event.action
-- external: ecs
- name: event.action
- external: ecs
name: event.created
- external: ecs
diff --git a/packages/mimecast/data_stream/ttp_ap_logs/fields/ecs.yml b/packages/mimecast/data_stream/ttp_ap_logs/fields/ecs.yml
index 8c473b28e22..d942cd864e0 100644
--- a/packages/mimecast/data_stream/ttp_ap_logs/fields/ecs.yml
+++ b/packages/mimecast/data_stream/ttp_ap_logs/fields/ecs.yml
@@ -6,8 +6,6 @@
name: email.attachments.file.hash.sha256
- external: ecs
name: email.attachments.file.mime_type
-- external: ecs
- name: email.attachments.file.mime_type
- external: ecs
name: email.attachments.file.name
- external: ecs
@@ -22,8 +20,6 @@
name: email.to.address
- external: ecs
name: event.action
-- external: ecs
- name: event.action
- external: ecs
name: event.created
- external: ecs
diff --git a/packages/mimecast/data_stream/ttp_ip_logs/fields/ecs.yml b/packages/mimecast/data_stream/ttp_ip_logs/fields/ecs.yml
index 9a1770633fc..ae101f9d829 100644
--- a/packages/mimecast/data_stream/ttp_ip_logs/fields/ecs.yml
+++ b/packages/mimecast/data_stream/ttp_ip_logs/fields/ecs.yml
@@ -10,8 +10,6 @@
name: email.to.address
- external: ecs
name: event.action
-- external: ecs
- name: event.action
- external: ecs
name: event.created
- external: ecs
diff --git a/packages/mimecast/data_stream/ttp_url_logs/fields/ecs.yml b/packages/mimecast/data_stream/ttp_url_logs/fields/ecs.yml
index 622f81b6fc7..faf406570c5 100644
--- a/packages/mimecast/data_stream/ttp_url_logs/fields/ecs.yml
+++ b/packages/mimecast/data_stream/ttp_url_logs/fields/ecs.yml
@@ -12,8 +12,6 @@
name: email.to.address
- external: ecs
name: event.action
-- external: ecs
- name: event.action
- external: ecs
name: event.created
- external: ecs
diff --git a/packages/netskope/data_stream/alerts/fields/ecs.yml b/packages/netskope/data_stream/alerts/fields/ecs.yml
index fd79c8e0e94..eb88b129f66 100644
--- a/packages/netskope/data_stream/alerts/fields/ecs.yml
+++ b/packages/netskope/data_stream/alerts/fields/ecs.yml
@@ -33,8 +33,6 @@
name: destination.geo.region_name
- external: ecs
name: destination.geo.timezone
-- external: ecs
- name: destination.ip
- external: ecs
name: destination.port
- external: ecs
@@ -86,8 +84,6 @@
name: source.geo.region_name
- external: ecs
name: source.geo.timezone
-- external: ecs
- name: source.ip
- external: ecs
name: source.port
- external: ecs
diff --git a/packages/netskope/data_stream/events/fields/ecs.yml b/packages/netskope/data_stream/events/fields/ecs.yml
index 74357380c59..a3cd1f44581 100644
--- a/packages/netskope/data_stream/events/fields/ecs.yml
+++ b/packages/netskope/data_stream/events/fields/ecs.yml
@@ -4,16 +4,12 @@
name: client.bytes
- external: ecs
name: client.nat.ip
-- external: ecs
- name: client.packets
- external: ecs
name: cloud.account.name
- external: ecs
name: cloud.region
- external: ecs
name: cloud.service.name
-- external: ecs
- name: client.bytes
- external: ecs
name: destination.address
- external: ecs
diff --git a/packages/netskope/docs/README.md b/packages/netskope/docs/README.md
index 7e045449c3a..d28f76b57f0 100644
--- a/packages/netskope/docs/README.md
+++ b/packages/netskope/docs/README.md
@@ -1878,7 +1878,7 @@ user.email.6,,String
| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
| host.os.kernel | Operating system kernel version as a raw string. | keyword |
| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
| host.os.version | Operating system version as a raw string. | keyword |
| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
diff --git a/packages/panw/data_stream/panos/fields/ecs.yml b/packages/panw/data_stream/panos/fields/ecs.yml
index bf4cc4f094d..f3d7ecdff1b 100644
--- a/packages/panw/data_stream/panos/fields/ecs.yml
+++ b/packages/panw/data_stream/panos/fields/ecs.yml
@@ -84,8 +84,6 @@
name: file.type
- external: ecs
name: labels
-- external: ecs
- name: labels
- external: ecs
name: log.level
- external: ecs
diff --git a/packages/pfsense/data_stream/log/fields/ecs.yml b/packages/pfsense/data_stream/log/fields/ecs.yml
index 51773f7009e..067c22404a9 100644
--- a/packages/pfsense/data_stream/log/fields/ecs.yml
+++ b/packages/pfsense/data_stream/log/fields/ecs.yml
@@ -15,8 +15,6 @@
- name: client.geo.continent_name
external: ecs
ignore_above: 1024
-- name: client.geo.country_iso_code
- external: ecs
- name: client.geo.region_iso_code
external: ecs
- name: client.geo.location
diff --git a/packages/pfsense/docs/README.md b/packages/pfsense/docs/README.md
index 8c764da26cf..2334db072dd 100644
--- a/packages/pfsense/docs/README.md
+++ b/packages/pfsense/docs/README.md
@@ -327,7 +327,7 @@ An example event for `log` looks as following:
| pfsense.dhcp.hostname | Hostname of DHCP client | keyword |
| pfsense.icmp.code | ICMP code. | long |
| pfsense.icmp.destination.ip | Original destination address of the connection that caused this notification | ip |
-| pfsense.icmp.id | ID of the echo request/reply | long |
+| pfsense.icmp.id | ICMP ID. | long |
| pfsense.icmp.mtu | MTU to use for subsequent data to this destination | long |
| pfsense.icmp.otime | Originate Timestamp | date |
| pfsense.icmp.parameter | ICMP parameter. | long |
diff --git a/packages/pulse_connect_secure/data_stream/log/fields/ecs.yml b/packages/pulse_connect_secure/data_stream/log/fields/ecs.yml
index cd455914c85..199a1b1d4c1 100644
--- a/packages/pulse_connect_secure/data_stream/log/fields/ecs.yml
+++ b/packages/pulse_connect_secure/data_stream/log/fields/ecs.yml
@@ -84,20 +84,6 @@
name: user_agent.os.version
- external: ecs
name: source.address
-- external: ecs
- name: source.as.number
-- external: ecs
- name: source.as.organization.name
-- external: ecs
- name: source.geo.continent_name
-- external: ecs
- name: source.geo.country_iso_code
-- external: ecs
- name: source.geo.country_name
-- description: Longitude and latitude.
- level: core
- name: source.geo.location
- type: geo_point
- external: ecs
name: source.ip
- external: ecs
diff --git a/packages/squid/data_stream/log/fields/ecs.yml b/packages/squid/data_stream/log/fields/ecs.yml
index 20e5a824aed..a050c94c85b 100644
--- a/packages/squid/data_stream/log/fields/ecs.yml
+++ b/packages/squid/data_stream/log/fields/ecs.yml
@@ -244,8 +244,6 @@
name: user_agent.name
- external: ecs
name: user_agent.original
-- external: ecs
- name: user_agent.original
- external: ecs
name: user_agent.os.family
- external: ecs
diff --git a/packages/system/data_stream/auth/fields/ecs.yml b/packages/system/data_stream/auth/fields/ecs.yml
index 7e353efa7d6..7de0e19c510 100644
--- a/packages/system/data_stream/auth/fields/ecs.yml
+++ b/packages/system/data_stream/auth/fields/ecs.yml
@@ -36,8 +36,6 @@
name: host.domain
- external: ecs
name: host.hostname
-- external: ecs
- name: host.hostname
- external: ecs
name: host.id
- external: ecs
diff --git a/packages/system/docs/README.md b/packages/system/docs/README.md
index 0e91a4b3020..6612c9f3366 100644
--- a/packages/system/docs/README.md
+++ b/packages/system/docs/README.md
@@ -890,7 +890,7 @@ The `auth` dataset provides auth logs on linux and MacOS prior to 10.8.
| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
diff --git a/packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml b/packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml
index b610ef66549..7e4da707181 100644
--- a/packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml
+++ b/packages/ti_cybersixgill/data_stream/threat/fields/ecs.yml
@@ -16,8 +16,6 @@
name: event.severity
- external: ecs
name: event.created
-- external: ecs
- name: message
- external: ecs
name: tags
- external: ecs
diff --git a/packages/tomcat/data_stream/log/fields/ecs.yml b/packages/tomcat/data_stream/log/fields/ecs.yml
index 384fbb680e5..69e1e7fcf86 100644
--- a/packages/tomcat/data_stream/log/fields/ecs.yml
+++ b/packages/tomcat/data_stream/log/fields/ecs.yml
@@ -212,8 +212,6 @@
name: source.top_level_domain
- external: ecs
name: tags
-- external: ecs
- name: tags
- external: ecs
name: url.domain
- external: ecs
diff --git a/packages/zeek/data_stream/ssl/fields/ecs.yml b/packages/zeek/data_stream/ssl/fields/ecs.yml
index 27c39bf622b..044dac8274d 100644
--- a/packages/zeek/data_stream/ssl/fields/ecs.yml
+++ b/packages/zeek/data_stream/ssl/fields/ecs.yml
@@ -138,5 +138,3 @@
name: tls.version
- external: ecs
name: tls.version_protocol
-- external: ecs
- name: tls.version_protocol
diff --git a/packages/zscaler_zpa/data_stream/browser_access/fields/ecs.yml b/packages/zscaler_zpa/data_stream/browser_access/fields/ecs.yml
index f59d7cbe5e6..eefe60436b2 100644
--- a/packages/zscaler_zpa/data_stream/browser_access/fields/ecs.yml
+++ b/packages/zscaler_zpa/data_stream/browser_access/fields/ecs.yml
@@ -6,8 +6,6 @@
name: client.geo.country_iso_code
- external: ecs
name: client.geo.continent_name
-- external: ecs
- name: client.geo.country_iso_code
- external: ecs
name: client.geo.region_iso_code
- description: Longitude and latitude
From 6a2ab611473377f279d6f7da5cfc36450a074045 Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor
Date: Tue, 10 May 2022 12:14:55 +0200
Subject: [PATCH 09/28] Remove fields and sub-fields defined in ECS
---
.../data_stream/activitylogs/fields/agent.yml | 2 -
.../data_stream/auditlogs/fields/agent.yml | 2 -
.../data_stream/eventhub/fields/agent.yml | 2 -
.../data_stream/platformlogs/fields/agent.yml | 2 -
.../data_stream/signinlogs/fields/agent.yml | 2 -
.../springcloudlogs/fields/agent.yml | 2 -
.../data_stream/app_insights/fields/agent.yml | 114 --------------
.../data_stream/app_state/fields/agent.yml | 114 --------------
.../azure_application_insights/docs/README.md | 5 +-
.../docs/app_state.md | 5 +-
.../data_stream/billing/fields/agent.yml | 114 --------------
.../data_stream/compute_vm/fields/agent.yml | 114 --------------
.../compute_vm_scaleset/fields/agent.yml | 114 --------------
.../container_instance/fields/agent.yml | 114 --------------
.../container_registry/fields/agent.yml | 114 --------------
.../container_service/fields/agent.yml | 114 --------------
.../database_account/fields/agent.yml | 114 --------------
.../data_stream/monitor/fields/agent.yml | 114 --------------
.../storage_account/fields/agent.yml | 114 --------------
packages/azure_metrics/docs/README.md | 52 ++-----
packages/azure_metrics/docs/compute_vm.md | 7 +-
.../azure_metrics/docs/compute_vm_scaleset.md | 7 +-
.../azure_metrics/docs/container_instance.md | 7 +-
.../azure_metrics/docs/container_registry.md | 7 +-
.../azure_metrics/docs/container_service.md | 7 +-
.../azure_metrics/docs/database_account.md | 7 +-
packages/azure_metrics/docs/monitor.md | 3 -
.../azure_metrics/docs/storage_account.md | 7 +-
.../spamfirewall/fields/base-fields.yml | 8 -
.../data_stream/waf/fields/base-fields.yml | 8 -
.../director/fields/base-fields.yml | 8 -
.../data_stream/asa/fields/base-fields.yml | 3 -
.../data_stream/ftd/fields/base-fields.yml | 3 -
.../data_stream/ios/fields/base-fields.yml | 3 -
.../data_stream/meraki/fields/base-fields.yml | 8 -
.../data_stream/nexus/fields/base-fields.yml | 8 -
packages/cisco/docs/README.md | 4 +-
.../data_stream/log/fields/base-fields.yml | 3 -
packages/cisco_asa/docs/README.md | 2 +-
.../data_stream/log/fields/base-fields.yml | 3 -
.../data_stream/log/fields/base-fields.yml | 3 -
packages/cisco_ios/docs/README.md | 2 +-
.../data_stream/events/fields/base-fields.yml | 8 -
.../data_stream/log/fields/base-fields.yml | 3 -
packages/cisco_meraki/docs/README.md | 10 +-
.../data_stream/log/fields/base-fields.yml | 8 -
.../data_stream/status/fields/agent.yml | 100 ------------
packages/cockroachdb/docs/README.md | 5 +-
.../corepas/fields/base-fields.yml | 8 -
.../data_stream/audit/fields/base-fields.yml | 4 -
packages/cyberarkpas/docs/README.md | 2 +-
.../protect/fields/base-fields.yml | 8 -
.../data_stream/ccr/fields/base-fields.yml | 3 -
.../data_stream/ml_job/fields/base-fields.yml | 3 -
.../bigipafm/fields/base-fields.yml | 8 -
.../bigipapm/fields/base-fields.yml | 8 -
.../clientendpoint/fields/base-fields.yml | 8 -
.../firewall/fields/base-fields.yml | 8 -
.../fortimail/fields/base-fields.yml | 8 -
.../fortimanager/fields/base-fields.yml | 8 -
packages/fortinet/docs/README.md | 2 +-
.../data_stream/application/fields/beats.yml | 3 -
packages/hadoop/docs/README.md | 2 +-
.../data_stream/metrics/fields/fields.yml | 44 ------
packages/hashicorp_vault/docs/README.md | 15 --
.../data_stream/log/fields/base-fields.yml | 3 -
.../data_stream/winlog/fields/base-fields.yml | 4 -
packages/hid_bravura_monitor/docs/README.md | 2 +-
.../securesphere/fields/base-fields.yml | 8 -
.../data_stream/nios/fields/base-fields.yml | 8 -
.../data_stream/junos/fields/base-fields.yml | 8 -
.../netscreen/fields/base-fields.yml | 8 -
.../data_stream/srx/fields/base-fields.yml | 3 -
packages/juniper/docs/README.md | 12 +-
.../data_stream/log/fields/base-fields.yml | 8 -
.../data_stream/log/fields/base-fields.yml | 8 -
.../data_stream/log/fields/base-fields.yml | 3 -
packages/juniper_srx/docs/README.md
| 6 +-
.../data_stream/service/fields/agent.yml | 114 --------------
packages/linux/docs/README.md | 5 +-
.../data_stream/dhcp/fields/base-fields.yml | 8 -
.../collstats/fields/base-fields.yml | 3 -
.../dbstats/fields/base-fields.yml | 3 -
.../metrics/fields/base-fields.yml | 3 -
.../replstatus/fields/base-fields.yml | 3 -
packages/mongodb/docs/README.md | 2 +-
.../data_stream/log/fields/base-fields.yml | 3 -
packages/netflow/docs/README.md | 2 +-
.../sightline/fields/base-fields.yml | 8 -
.../panw/data_stream/panos/fields/fields.yml | 22 ---
packages/panw/docs/README.md | 11 --
.../data_stream/log/fields/fields.yml | 6 -
packages/postgresql/docs/README.md | 2 +-
.../emailsecurity/fields/base-fields.yml | 8 -
.../defensepro/fields/base-fields.yml | 8 -
.../redis/data_stream/info/fields/fields.yml | 6 -
packages/redis/docs/README.md | 4 +-
.../firewall/fields/base-fields.yml | 8 -
.../data_stream/utm/fields/base-fields.yml | 8 -
packages/sophos/docs/README.md | 2 +-
.../data_stream/log/fields/base-fields.yml | 8 -
.../data_stream/eve/fields/base-fields.yml | 3 -
.../data_stream/log/fields/base-fields.yml | 8 -
.../data_stream/browser/fields/cloud.yml | 7 +-
.../data_stream/browser/fields/http.yml | 92 +-----------
.../browser_network/fields/cloud.yml | 7 +-
.../browser_network/fields/http.yml | 108 +------------
.../browser_screenshot/fields/cloud.yml | 7 +-
.../data_stream/http/fields/cloud.yml | 7 +-
.../data_stream/http/fields/http.yml | 92 +-----------
.../data_stream/http/fields/tls.yml | 40 +----
.../data_stream/icmp/fields/cloud.yml | 7 +-
.../data_stream/icmp/fields/tls.yml | 40 +----
.../data_stream/tcp/fields/cloud.yml | 7 +-
.../synthetics/data_stream/tcp/fields/tls.yml | 40 +----
.../data_stream/auth/fields/base-fields.yml | 7 -
.../system/data_stream/core/fields/agent.yml | 114 --------------
.../system/data_stream/cpu/fields/agent.yml | 120 ---------------
.../system/data_stream/cpu/fields/fields.yml | 9 --
.../data_stream/diskio/fields/agent.yml | 125
---------------
.../data_stream/diskio/fields/fields.yml | 15 --
.../data_stream/fsstat/fields/agent.yml | 114 --------------
.../system/data_stream/load/fields/agent.yml | 114 --------------
.../data_stream/memory/fields/agent.yml | 114 --------------
.../data_stream/network/fields/agent.yml | 136 -----------------
.../network/fields/base-fields.yml | 3 -
.../data_stream/network/fields/fields.yml | 26 ----
.../data_stream/process/fields/agent.yml | 142 ------------------
.../process_summary/fields/agent.yml | 114 --------------
.../process_summary/fields/base-fields.yml | 3 -
.../security/fields/base-fields.yml | 4 -
.../socket_summary/fields/agent.yml | 114 --------------
.../socket_summary/fields/base-fields.yml | 3 -
.../data_stream/syslog/fields/base-fields.yml | 7 -
.../data_stream/system/fields/base-fields.yml | 4 -
packages/system/docs/README.md | 69 ++------
.../data_stream/threat/fields/base-fields.yml | 4 -
.../data_stream/threat/fields/base-fields.yml | 4 -
.../data_stream/log/fields/base-fields.yml | 3 -
packages/tomcat/docs/README.md | 2 +-
.../data_stream/zia/fields/base-fields.yml | 8 -
141 files changed, 88 insertions(+), 3805 deletions(-)
diff --git a/packages/azure/data_stream/activitylogs/fields/agent.yml b/packages/azure/data_stream/activitylogs/fields/agent.yml
index bca66ea4ae0..85704f4c1d4 100644
--- a/packages/azure/data_stream/activitylogs/fields/agent.yml
+++ b/packages/azure/data_stream/activitylogs/fields/agent.yml
@@ -33,8 +33,6 @@
external: ecs
- name: host.id
external: ecs
-- name: host.ip
- external: ecs
- name: host.mac
external: ecs
- name: host.name
diff --git a/packages/azure/data_stream/auditlogs/fields/agent.yml b/packages/azure/data_stream/auditlogs/fields/agent.yml
index bca66ea4ae0..85704f4c1d4 100644
--- a/packages/azure/data_stream/auditlogs/fields/agent.yml
+++ b/packages/azure/data_stream/auditlogs/fields/agent.yml
@@ -33,8 +33,6 @@
external: ecs
- name: host.id
external: ecs
-- name: host.ip
- external: ecs
- name: host.mac
external: ecs
- name: host.name
diff --git a/packages/azure/data_stream/eventhub/fields/agent.yml b/packages/azure/data_stream/eventhub/fields/agent.yml
index bef5d2f6429..f78c40ec1b0 100644
--- a/packages/azure/data_stream/eventhub/fields/agent.yml
+++ b/packages/azure/data_stream/eventhub/fields/agent.yml
@@ -33,8 +33,6 @@
external: ecs
- name: host.id
external: ecs
-- name: host.ip
- external: ecs
- name: host.mac
external: ecs
- name: host.name
diff --git a/packages/azure/data_stream/platformlogs/fields/agent.yml b/packages/azure/data_stream/platformlogs/fields/agent.yml
index bca66ea4ae0..85704f4c1d4 100644
--- a/packages/azure/data_stream/platformlogs/fields/agent.yml
+++ b/packages/azure/data_stream/platformlogs/fields/agent.yml
@@ -33,8 +33,6 @@
external: ecs
- name: host.id
external: ecs
-- name: host.ip
- external: ecs
- name: host.mac
external: ecs
- name: host.name
diff --git a/packages/azure/data_stream/signinlogs/fields/agent.yml b/packages/azure/data_stream/signinlogs/fields/agent.yml
index bca66ea4ae0..85704f4c1d4 100644
--- a/packages/azure/data_stream/signinlogs/fields/agent.yml
+++ b/packages/azure/data_stream/signinlogs/fields/agent.yml
@@ -33,8 +33,6 @@
external: ecs
- name: host.id
external: ecs
-- name: host.ip
- external: ecs
- name: host.mac
external: ecs
- name: host.name
diff --git a/packages/azure/data_stream/springcloudlogs/fields/agent.yml b/packages/azure/data_stream/springcloudlogs/fields/agent.yml
index bca66ea4ae0..85704f4c1d4 100644
--- a/packages/azure/data_stream/springcloudlogs/fields/agent.yml
+++ b/packages/azure/data_stream/springcloudlogs/fields/agent.yml
@@ -33,8 +33,6 @@
external: ecs
- name: host.id
external: ecs
-- name: host.ip
- external: ecs
- name: host.mac
external: ecs
- name: host.name
diff --git a/packages/azure_application_insights/data_stream/app_insights/fields/agent.yml b/packages/azure_application_insights/data_stream/app_insights/fields/agent.yml
index da4e652c53b..3c816026810 100644
--- a/packages/azure_application_insights/data_stream/app_insights/fields/agent.yml
+++ b/packages/azure_application_insights/data_stream/app_insights/fields/agent.yml
@@ -82,117 +82,3 @@
type: keyword
ignore_above: 1024
description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/azure_application_insights/data_stream/app_state/fields/agent.yml b/packages/azure_application_insights/data_stream/app_state/fields/agent.yml
index da4e652c53b..3c816026810 100644
--- a/packages/azure_application_insights/data_stream/app_state/fields/agent.yml
+++ b/packages/azure_application_insights/data_stream/app_state/fields/agent.yml
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/azure_application_insights/docs/README.md b/packages/azure_application_insights/docs/README.md index 660e8a25d74..477718938c7 100644 --- a/packages/azure_application_insights/docs/README.md +++ b/packages/azure_application_insights/docs/README.md 
@@ -204,7 +204,6 @@ An example event for `app_insights` looks as following: | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -229,14 +228,12 @@ An example event for `app_insights` looks as following: | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | diff --git a/packages/azure_application_insights/docs/app_state.md b/packages/azure_application_insights/docs/app_state.md index 8cc973b3ffd..95aaba39a55 100644 --- a/packages/azure_application_insights/docs/app_state.md +++ b/packages/azure_application_insights/docs/app_state.md 
@@ -71,7 +71,6 @@ Costs: Metric queries are charged based on the number of standard API calls. Mor | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -96,14 +95,12 @@ Costs: Metric queries are charged based on the number of standard API calls. Mor | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | diff --git a/packages/azure_billing/data_stream/billing/fields/agent.yml b/packages/azure_billing/data_stream/billing/fields/agent.yml index da4e652c53b..3c816026810 100644 --- a/packages/azure_billing/data_stream/billing/fields/agent.yml 
+++ b/packages/azure_billing/data_stream/billing/fields/agent.yml 
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/azure_metrics/data_stream/compute_vm/fields/agent.yml b/packages/azure_metrics/data_stream/compute_vm/fields/agent.yml index da4e652c53b..3c816026810 100644 --- a/packages/azure_metrics/data_stream/compute_vm/fields/agent.yml +++ b/packages/azure_metrics/data_stream/compute_vm/fields/agent.yml 
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/agent.yml b/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/agent.yml index da4e652c53b..3c816026810 100644 --- a/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/agent.yml +++ b/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/agent.yml 
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/azure_metrics/data_stream/container_instance/fields/agent.yml b/packages/azure_metrics/data_stream/container_instance/fields/agent.yml index da4e652c53b..3c816026810 100644 --- a/packages/azure_metrics/data_stream/container_instance/fields/agent.yml +++ b/packages/azure_metrics/data_stream/container_instance/fields/agent.yml 
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/azure_metrics/data_stream/container_registry/fields/agent.yml b/packages/azure_metrics/data_stream/container_registry/fields/agent.yml index da4e652c53b..3c816026810 100644 --- a/packages/azure_metrics/data_stream/container_registry/fields/agent.yml +++ b/packages/azure_metrics/data_stream/container_registry/fields/agent.yml 
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/azure_metrics/data_stream/container_service/fields/agent.yml b/packages/azure_metrics/data_stream/container_service/fields/agent.yml index da4e652c53b..3c816026810 100644 --- a/packages/azure_metrics/data_stream/container_service/fields/agent.yml +++ b/packages/azure_metrics/data_stream/container_service/fields/agent.yml 
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/azure_metrics/data_stream/database_account/fields/agent.yml b/packages/azure_metrics/data_stream/database_account/fields/agent.yml index da4e652c53b..3c816026810 100644 --- a/packages/azure_metrics/data_stream/database_account/fields/agent.yml +++ b/packages/azure_metrics/data_stream/database_account/fields/agent.yml 
@@ -82,117 +82,3 @@
 type: keyword
 ignore_above: 1024
 description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/azure_metrics/data_stream/monitor/fields/agent.yml b/packages/azure_metrics/data_stream/monitor/fields/agent.yml
index da4e652c53b..3c816026810 100644
--- a/packages/azure_metrics/data_stream/monitor/fields/agent.yml
+++ b/packages/azure_metrics/data_stream/monitor/fields/agent.yml
@@ -82,117 +82,3 @@
 type: keyword
 ignore_above: 1024
 description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/azure_metrics/data_stream/storage_account/fields/agent.yml b/packages/azure_metrics/data_stream/storage_account/fields/agent.yml
index da4e652c53b..3c816026810 100644
--- a/packages/azure_metrics/data_stream/storage_account/fields/agent.yml
+++ b/packages/azure_metrics/data_stream/storage_account/fields/agent.yml
@@ -82,117 +82,3 @@
 type: keyword
 ignore_above: 1024
 description: Container name.
-- name: host
- title: Host
- group: 2
- description: 'A host is defined as a general computing instance.
-
- ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
- type: group
- fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- - name: type
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Type of host.
-
- For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.'
- - name: containerized
- type: boolean
- description: >
- If the host is a container.
-
- - name: os.build
- type: keyword
- example: "18D109"
- description: >
- OS build information.
-
- - name: os.codename
- type: keyword
- example: "stretch"
- description: >
- OS codename, if any.
-
diff --git a/packages/azure_metrics/docs/README.md b/packages/azure_metrics/docs/README.md
index 14457bdb682..2e128ebcc8c 100644
--- a/packages/azure_metrics/docs/README.md
+++ b/packages/azure_metrics/docs/README.md
@@ -95,7 +95,6 @@ aggregation list, namespaces and metric dimensions. The monitor metrics will hav
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
 | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
 | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
 | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
@@ -120,8 +119,6 @@ aggregation list, namespaces and metric dimensions. The monitor metrics will hav
 | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.full | Operating system name, including the version or code name. | keyword |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
@@ -180,7 +177,6 @@ so the `period` for `compute_vm` should be `300s` or multiples of `300s`.
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
 | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
 | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
 | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
@@ -199,20 +195,18 @@ so the `period` for `compute_vm` should be `300s` or multiples of `300s`.
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.full | Operating system name, including the version or code name. | keyword |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
@@ -265,7 +259,6 @@ so the `period` for `compute_vm_scaleset` should be `300s` or multiples of `300s
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
 | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
 | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
 | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
@@ -284,20 +277,18 @@ so the `period` for `compute_vm_scaleset` should be `300s` or multiples of `300s
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.full | Operating system name, including the version or code name. | keyword |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
@@ -350,7 +341,6 @@ so the `period` for `storage_account` should be `300s` or multiples of `300s`.
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
 | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
 | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
 | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
@@ -369,20 +359,18 @@ so the `period` for `storage_account` should be `300s` or multiples of `300s`.
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.full | Operating system name, including the version or code name. | keyword |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
@@ -435,7 +423,6 @@ so the `period` for `container_instance` should be `300s` or multiples of `300s`
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
 | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
 | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
 | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
@@ -454,20 +441,18 @@ so the `period` for `container_instance` should be `300s` or multiples of `300s`
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.full | Operating system name, including the version or code name. | keyword |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
@@ -520,7 +505,6 @@ so the `period` for `container_registry` should be `300s` or multiples of `300s`
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
 | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
 | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
 | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
@@ -539,20 +523,18 @@ so the `period` for `container_registry` should be `300s` or multiples of `300s`
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.full | Operating system name, including the version or code name. | keyword |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
@@ -605,7 +587,6 @@ so the `period` for `container_service` should be `300s` or multiples of `300s`.
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
 | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
 | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
 | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
@@ -624,20 +605,18 @@ so the `period` for `container_service` should be `300s` or multiples of `300s`.
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.full | Operating system name, including the version or code name. | keyword |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. 
| keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
@@ -690,7 +669,6 @@ so the `period` for `database_account` should be `300s` or multiples of `300s`.
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
 | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
 | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
 | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -709,20 +687,18 @@ so the `period` for `database_account` should be `300s` or multiples of `300s`.
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.full | Operating system name, including the version or code name. | keyword |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. 
| keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
diff --git a/packages/azure_metrics/docs/compute_vm.md b/packages/azure_metrics/docs/compute_vm.md
index e5e7e5c1076..3160aa9be11 100644
--- a/packages/azure_metrics/docs/compute_vm.md
+++ b/packages/azure_metrics/docs/compute_vm.md 
@@ -109,7 +109,6 @@ Authentication: Dedicated authentication token will be created and updated regul
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
 | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
 | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
 | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -128,20 +127,18 @@ Authentication: Dedicated authentication token will be created and updated regul
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.full | Operating system name, including the version or code name. | keyword |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. 
| keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
diff --git a/packages/azure_metrics/docs/compute_vm_scaleset.md b/packages/azure_metrics/docs/compute_vm_scaleset.md
index b327b72d051..3fee8875136 100644
--- a/packages/azure_metrics/docs/compute_vm_scaleset.md
+++ b/packages/azure_metrics/docs/compute_vm_scaleset.md 
@@ -106,7 +106,6 @@ Authentication: we are handling authentication on our side (creating/renewing th
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
 | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
 | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
 | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -125,20 +124,18 @@ Authentication: we are handling authentication on our side (creating/renewing th
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.full | Operating system name, including the version or code name. | keyword |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. 
| keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
diff --git a/packages/azure_metrics/docs/container_instance.md b/packages/azure_metrics/docs/container_instance.md
index 9f3d9808a3f..3ba44dac6a1 100644
--- a/packages/azure_metrics/docs/container_instance.md
+++ b/packages/azure_metrics/docs/container_instance.md 
@@ -106,7 +106,6 @@ Authentication: we are handling authentication on our side (creating/renewing th
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
 | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
 | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
 | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -125,20 +124,18 @@ Authentication: we are handling authentication on our side (creating/renewing th
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.full | Operating system name, including the version or code name. | keyword |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. 
| keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
diff --git a/packages/azure_metrics/docs/container_registry.md b/packages/azure_metrics/docs/container_registry.md
index 1563ef1ce8a..20b18df7bd5 100644
--- a/packages/azure_metrics/docs/container_registry.md
+++ b/packages/azure_metrics/docs/container_registry.md 
@@ -106,7 +106,6 @@ Authentication: we are handling authentication on our side (creating/renewing th
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
 | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
 | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
 | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -125,20 +124,18 @@ Authentication: we are handling authentication on our side (creating/renewing th
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.full | Operating system name, including the version or code name. | keyword |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. 
| keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
diff --git a/packages/azure_metrics/docs/container_service.md b/packages/azure_metrics/docs/container_service.md
index 9a9196256a5..54e794391a0 100644
--- a/packages/azure_metrics/docs/container_service.md
+++ b/packages/azure_metrics/docs/container_service.md 
@@ -107,7 +107,6 @@ Authentication: we are handling authentication on our side (creating/renewing th
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
 | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
 | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
 | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -126,20 +125,18 @@ Authentication: we are handling authentication on our side (creating/renewing th
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.full | Operating system name, including the version or code name. | keyword |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. 
| keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
diff --git a/packages/azure_metrics/docs/database_account.md b/packages/azure_metrics/docs/database_account.md
index 6d2c0a24230..26edde99968 100644
--- a/packages/azure_metrics/docs/database_account.md
+++ b/packages/azure_metrics/docs/database_account.md 
@@ -105,7 +105,6 @@ Authentication: we are handling authentication on our side (creating/renewing th
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
 | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
 | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
 | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -124,20 +123,18 @@ Authentication: we are handling authentication on our side (creating/renewing th
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.full | Operating system name, including the version or code name. | keyword |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. 
| keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
diff --git a/packages/azure_metrics/docs/monitor.md b/packages/azure_metrics/docs/monitor.md
index 8a02b1f2a02..ee34f6396c1 100644
--- a/packages/azure_metrics/docs/monitor.md
+++ b/packages/azure_metrics/docs/monitor.md 
@@ -158,7 +158,6 @@ Authentication: we are handling authentication on our side (creating/renewing th
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
 | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
 | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
 | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -183,8 +182,6 @@ Authentication: we are handling authentication on our side (creating/renewing th | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | diff --git a/packages/azure_metrics/docs/storage_account.md b/packages/azure_metrics/docs/storage_account.md index 89a88dd37b0..b45e4210a62 100644 --- a/packages/azure_metrics/docs/storage_account.md +++ b/packages/azure_metrics/docs/storage_account.md 
@@ -107,7 +107,6 @@ Authentication: we are handling authentication on our side (creating/renewing th | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -126,20 +125,18 @@ Authentication: we are handling authentication on our side (creating/renewing th | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. 
| keyword | | host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | host.os.version | Operating system version as a raw string. | keyword | diff --git a/packages/barracuda/data_stream/spamfirewall/fields/base-fields.yml b/packages/barracuda/data_stream/spamfirewall/fields/base-fields.yml index ba1aef8ef59..2e783256e84 100644 --- a/packages/barracuda/data_stream/spamfirewall/fields/base-fields.yml +++ b/packages/barracuda/data_stream/spamfirewall/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: barracuda.spamfirewall -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 @@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/barracuda/data_stream/waf/fields/base-fields.yml b/packages/barracuda/data_stream/waf/fields/base-fields.yml index 10f3201694a..d0d9b118b1d 100644 --- a/packages/barracuda/data_stream/waf/fields/base-fields.yml +++ b/packages/barracuda/data_stream/waf/fields/base-fields.yml 
@@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: barracuda.waf -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 @@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/bluecoat/data_stream/director/fields/base-fields.yml b/packages/bluecoat/data_stream/director/fields/base-fields.yml index 6a87280d3db..36c3bb3f0ed 100644 --- a/packages/bluecoat/data_stream/director/fields/base-fields.yml +++ b/packages/bluecoat/data_stream/director/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: bluecoat.director -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 @@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/cisco/data_stream/asa/fields/base-fields.yml b/packages/cisco/data_stream/asa/fields/base-fields.yml index 4d6bf1902fe..6036c4f4d9f 100644 --- a/packages/cisco/data_stream/asa/fields/base-fields.yml +++ b/packages/cisco/data_stream/asa/fields/base-fields.yml @@ -15,6 +15,3 @@ type: constant_keyword description: Event dataset value: cisco.asa -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/cisco/data_stream/ftd/fields/base-fields.yml b/packages/cisco/data_stream/ftd/fields/base-fields.yml index 919ded43d4a..0adbb933598 100644 --- a/packages/cisco/data_stream/ftd/fields/base-fields.yml +++ b/packages/cisco/data_stream/ftd/fields/base-fields.yml 
@@ -15,6 +15,3 @@ type: constant_keyword description: Event dataset value: cisco.ftd -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/cisco/data_stream/ios/fields/base-fields.yml b/packages/cisco/data_stream/ios/fields/base-fields.yml index 00107880f51..5c2bd7ccbda 100644 --- a/packages/cisco/data_stream/ios/fields/base-fields.yml +++ b/packages/cisco/data_stream/ios/fields/base-fields.yml @@ -15,6 +15,3 @@ type: constant_keyword description: Event dataset value: cisco.ios -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/cisco/data_stream/meraki/fields/base-fields.yml b/packages/cisco/data_stream/meraki/fields/base-fields.yml index 774b6eba7f9..9c092a509e7 100644 --- a/packages/cisco/data_stream/meraki/fields/base-fields.yml +++ b/packages/cisco/data_stream/meraki/fields/base-fields.yml @@ -7,9 +7,6 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. - name: event.module type: constant_keyword description: Event module @@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/cisco/data_stream/nexus/fields/base-fields.yml b/packages/cisco/data_stream/nexus/fields/base-fields.yml index b676b8221c0..41ee914e6ba 100644 --- a/packages/cisco/data_stream/nexus/fields/base-fields.yml +++ b/packages/cisco/data_stream/nexus/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: cisco.nexus -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 
@@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/cisco/docs/README.md b/packages/cisco/docs/README.md index bd4c2cb5243..750e050d29e 100644 --- a/packages/cisco/docs/README.md +++ b/packages/cisco/docs/README.md @@ -502,7 +502,7 @@ An example event for `ftd` looks as following: | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | cisco.ftd.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip | | cisco.ftd.burst.avg_rate | The current average burst rate seen | keyword | | cisco.ftd.burst.configured_avg_rate | The current configured average burst rate allowed | keyword | 
@@ -1930,7 +1930,7 @@ An example event for `meraki` looks as following: | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | | client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | diff --git a/packages/cisco_asa/data_stream/log/fields/base-fields.yml b/packages/cisco_asa/data_stream/log/fields/base-fields.yml index efbed64fadb..4a5f0534389 100644 --- a/packages/cisco_asa/data_stream/log/fields/base-fields.yml +++ b/packages/cisco_asa/data_stream/log/fields/base-fields.yml 
@@ -15,6 +15,3 @@ type: constant_keyword description: Event dataset value: cisco_asa.log -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/cisco_asa/docs/README.md b/packages/cisco_asa/docs/README.md index 15283dd1563..a1b7a6d6170 100644 --- a/packages/cisco_asa/docs/README.md +++ b/packages/cisco_asa/docs/README.md @@ -127,7 +127,7 @@ An example event for `log` looks as following: | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | cisco.asa.assigned_ip | The IP address assigned to a VPN client successfully connecting | ip | | cisco.asa.burst.avg_rate | The current average burst rate seen | keyword | | cisco.asa.burst.configured_avg_rate | The current configured average burst rate allowed | keyword | diff --git a/packages/cisco_ftd/data_stream/log/fields/base-fields.yml b/packages/cisco_ftd/data_stream/log/fields/base-fields.yml index e02b7e2a255..c867421badf 100644 --- a/packages/cisco_ftd/data_stream/log/fields/base-fields.yml +++ b/packages/cisco_ftd/data_stream/log/fields/base-fields.yml @@ -15,6 +15,3 @@ type: constant_keyword description: Event dataset value: cisco_ftd.log -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/cisco_ios/data_stream/log/fields/base-fields.yml b/packages/cisco_ios/data_stream/log/fields/base-fields.yml index 30f3b7cd066..2af9255d83b 100644 --- a/packages/cisco_ios/data_stream/log/fields/base-fields.yml +++ b/packages/cisco_ios/data_stream/log/fields/base-fields.yml 
@@ -15,6 +15,3 @@ type: constant_keyword description: Event dataset value: cisco_ios.log -- name: "@timestamp" - type: date - description: Event timestamp. diff --git a/packages/cisco_ios/docs/README.md b/packages/cisco_ios/docs/README.md index 865021f3756..b07b3c65ef3 100644 --- a/packages/cisco_ios/docs/README.md +++ b/packages/cisco_ios/docs/README.md @@ -95,7 +95,7 @@ An example event for `log` looks as following: | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | cisco.ios.access_list | Name of the IP access list. | keyword | | cisco.ios.action | Action taken by the device | keyword | | cisco.ios.facility | The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message. | keyword | diff --git a/packages/cisco_meraki/data_stream/events/fields/base-fields.yml b/packages/cisco_meraki/data_stream/events/fields/base-fields.yml index ebba8d4244b..9f517c13a0f 100644 --- a/packages/cisco_meraki/data_stream/events/fields/base-fields.yml +++ b/packages/cisco_meraki/data_stream/events/fields/base-fields.yml @@ -7,9 +7,6 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. - name: event.module type: constant_keyword description: Event module 
@@ -25,8 +22,3 @@ - name: input.type description: Type of Filebeat input. type: keyword -- name: log.file.path - description: Full path to the log file this event came from. - example: /var/log/fun-times.log - ignore_above: 1024 - type: keyword diff --git a/packages/cisco_meraki/data_stream/log/fields/base-fields.yml b/packages/cisco_meraki/data_stream/log/fields/base-fields.yml index 7691cacc73e..61e7298e6ec 100644 --- a/packages/cisco_meraki/data_stream/log/fields/base-fields.yml +++ b/packages/cisco_meraki/data_stream/log/fields/base-fields.yml @@ -7,9 +7,6 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: "@timestamp" - type: date - description: Event timestamp. - name: event.module type: constant_keyword description: Event module diff --git a/packages/cisco_meraki/docs/README.md b/packages/cisco_meraki/docs/README.md index ff7997ef857..1a041a2565f 100644 --- a/packages/cisco_meraki/docs/README.md +++ b/packages/cisco_meraki/docs/README.md @@ -57,7 +57,7 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | cisco_meraki.8021x_auth | | flattened | | cisco_meraki.8021x_deauth | | flattened | | cisco_meraki.8021x_eap_failure | | flattened | 
@@ -190,7 +190,7 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | | http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Input type. | keyword | +| input.type | Type of Filebeat input. | keyword | | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | | log.offset | Offset of the entry in the log file. | long | 
@@ -387,7 +387,7 @@ An example event for `log` looks as following: | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | cisco_meraki.event.alertData | Additional alert data (differs based on alert type) | flattened | | cisco_meraki.event.alertId | ID for this alert message | keyword | | cisco_meraki.event.alertLevel | Alert level (informational, critical etc.) | keyword | 
@@ -512,8 +512,8 @@ An example event for `log` looks as following: | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword | | http.request.referrer | Referrer for this HTTP request. | keyword | -| input.type | Input type. | keyword | -| log.file.path | Full path to the log file this event came from. | keyword | +| input.type | Type of Filebeat input. | keyword | +| log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword | | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | | log.offset | Offset of the entry in the log file. | long | | log.source.address | Source address from which the log event was read / sent from. | keyword | diff --git a/packages/cisco_nexus/data_stream/log/fields/base-fields.yml b/packages/cisco_nexus/data_stream/log/fields/base-fields.yml index 40f5ce6158c..d78668f34fe 100644 --- a/packages/cisco_nexus/data_stream/log/fields/base-fields.yml +++ b/packages/cisco_nexus/data_stream/log/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: cisco_nexus.log -- name: "@timestamp" - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 
@@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/cockroachdb/data_stream/status/fields/agent.yml b/packages/cockroachdb/data_stream/status/fields/agent.yml index 79a7a39864b..b4432e51eb7 100644 --- a/packages/cockroachdb/data_stream/status/fields/agent.yml +++ b/packages/cockroachdb/data_stream/status/fields/agent.yml 
@@ -78,103 +78,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: "A host is defined as a general computing instance.\nECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes." - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: "Name of the domain of which the host is a member.\nFor example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider." - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: "Hostname of the host.\nIt normally contains what the `hostname` command returns on the host machine." - - name: id - level: core - type: keyword - ignore_above: 1024 - description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use." - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: "Type of host.\nFor Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment." - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/cockroachdb/docs/README.md b/packages/cockroachdb/docs/README.md index 0a1dca6d457..1ec587efe73 100644 --- a/packages/cockroachdb/docs/README.md +++ b/packages/cockroachdb/docs/README.md 
@@ -42,7 +42,6 @@ exposing metrics in Prometheus format. | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | | host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -61,14 +60,12 @@ exposing metrics in Prometheus format. | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | 
diff --git a/packages/cyberark/data_stream/corepas/fields/base-fields.yml b/packages/cyberark/data_stream/corepas/fields/base-fields.yml index 21c3c25647b..96b7f318d5a 100644 --- a/packages/cyberark/data_stream/corepas/fields/base-fields.yml +++ b/packages/cyberark/data_stream/corepas/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: cyberark.corepas -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 @@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/cyberarkpas/data_stream/audit/fields/base-fields.yml b/packages/cyberarkpas/data_stream/audit/fields/base-fields.yml index 62b68b8872e..1e7939f992a 100644 --- a/packages/cyberarkpas/data_stream/audit/fields/base-fields.yml +++ b/packages/cyberarkpas/data_stream/audit/fields/base-fields.yml @@ -7,10 +7,6 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: cyberarkpas - name: event.dataset type: constant_keyword description: Event dataset diff --git a/packages/cyberarkpas/docs/README.md b/packages/cyberarkpas/docs/README.md index 21b6c5fe40f..40413f958cb 100644 --- a/packages/cyberarkpas/docs/README.md +++ b/packages/cyberarkpas/docs/README.md 
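Review bot: Removing the `event.module` constant_keyword (with `value: cyberarkpas`) from cyberarkpas/audit base-fields.yml means the mapping no longer supplies that value, so any document whose ingest pipeline does not set `event.module` explicitly will stop matching `event.module: cyberarkpas` queries; the pipeline is not visible here, so please confirm it populates the field. The cyberarkpas README hunk in this same patch shows `event.module` changing from `constant_keyword` to a plain ECS `keyword`, which is consistent with the value no longer being implied by the index template. The other base-fields.yml hunks in this patch (cisco/meraki, cisco_meraki events and log) keep their `event.module` constant_keyword as context, so this package appears to be the only one losing it — if that is unintended, keep the four removed lines; if intended, call it out in the changelog, since saved searches and detection rules keyed on `event.module` would otherwise silently return nothing.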
@@ -247,7 +247,7 @@ An example event for `audit` looks as following: | event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. 
If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | diff --git a/packages/cylance/data_stream/protect/fields/base-fields.yml b/packages/cylance/data_stream/protect/fields/base-fields.yml index f7a828b7532..669ad8ae0b3 100644 --- a/packages/cylance/data_stream/protect/fields/base-fields.yml +++ b/packages/cylance/data_stream/protect/fields/base-fields.yml 
@@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: cylance.protect -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 @@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/elasticsearch/data_stream/ccr/fields/base-fields.yml b/packages/elasticsearch/data_stream/ccr/fields/base-fields.yml index 7c798f4534c..a3e80e3a547 100644 --- a/packages/elasticsearch/data_stream/ccr/fields/base-fields.yml +++ b/packages/elasticsearch/data_stream/ccr/fields/base-fields.yml @@ -7,6 +7,3 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/elasticsearch/data_stream/ml_job/fields/base-fields.yml b/packages/elasticsearch/data_stream/ml_job/fields/base-fields.yml index 7c798f4534c..a3e80e3a547 100644 --- a/packages/elasticsearch/data_stream/ml_job/fields/base-fields.yml +++ b/packages/elasticsearch/data_stream/ml_job/fields/base-fields.yml @@ -7,6 +7,3 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/f5/data_stream/bigipafm/fields/base-fields.yml b/packages/f5/data_stream/bigipafm/fields/base-fields.yml index a4f2b5492fe..62774970e58 100644 --- a/packages/f5/data_stream/bigipafm/fields/base-fields.yml +++ b/packages/f5/data_stream/bigipafm/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: f5.bigipafm -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 
@@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/f5/data_stream/bigipapm/fields/base-fields.yml b/packages/f5/data_stream/bigipapm/fields/base-fields.yml index 88bd33161a9..6735d33f76a 100644 --- a/packages/f5/data_stream/bigipapm/fields/base-fields.yml +++ b/packages/f5/data_stream/bigipapm/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: f5.bigipapm -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 @@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/fortinet/data_stream/clientendpoint/fields/base-fields.yml b/packages/fortinet/data_stream/clientendpoint/fields/base-fields.yml index 82f01336920..8b0f96fec09 100644 --- a/packages/fortinet/data_stream/clientendpoint/fields/base-fields.yml +++ b/packages/fortinet/data_stream/clientendpoint/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: fortinet.clientendpoint -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 @@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/fortinet/data_stream/firewall/fields/base-fields.yml b/packages/fortinet/data_stream/firewall/fields/base-fields.yml index 40a25351115..7c798f4534c 100644 
--- a/packages/fortinet/data_stream/firewall/fields/base-fields.yml +++ b/packages/fortinet/data_stream/firewall/fields/base-fields.yml @@ -7,14 +7,6 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: event.module - type: constant_keyword - description: Event module - value: fortinet -- name: event.dataset - type: constant_keyword - description: Event dataset - value: fortinet.firewall - name: '@timestamp' type: date description: Event timestamp. diff --git a/packages/fortinet/data_stream/fortimail/fields/base-fields.yml b/packages/fortinet/data_stream/fortimail/fields/base-fields.yml index 50a37950c47..251235bb423 100644 --- a/packages/fortinet/data_stream/fortimail/fields/base-fields.yml +++ b/packages/fortinet/data_stream/fortimail/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: fortinet.fortimail -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 @@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/fortinet/data_stream/fortimanager/fields/base-fields.yml b/packages/fortinet/data_stream/fortimanager/fields/base-fields.yml index bbad94843bc..ec22402e930 100644 --- a/packages/fortinet/data_stream/fortimanager/fields/base-fields.yml +++ b/packages/fortinet/data_stream/fortimanager/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: fortinet.fortimanager -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 
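Review bot: The fortinet/firewall hunk removes both `event.module` (`fortinet`) and `event.dataset` (`fortinet.firewall`) constant_keyword definitions while keeping `@timestamp`, which is the opposite of every other `base-fields.yml` hunk in this patch (those drop `@timestamp`/`tags` and keep module/dataset). The fortinet README hunk later in this patch confirms `event.dataset` becomes a plain `keyword`, so the index no longer pins the value; `event.dataset:fortinet.firewall` is the usual selector for shipped firewall detection rules, and if the pipeline does not set it every such rule goes quiet without an error. Either restore the two constant_keyword entries or verify the firewall ingest pipeline has `set` processors for both fields and that the remaining `@timestamp` entry does not now duplicate the ECS external definition the other streams rely on.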
@@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/fortinet/docs/README.md b/packages/fortinet/docs/README.md index e5f17a143da..8c2b4a28330 100644 --- a/packages/fortinet/docs/README.md +++ b/packages/fortinet/docs/README.md 
@@ -224,7 +224,7 @@ An example event for `firewall` looks as following: | error.message | Error message. | match_only_text | | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.code | Identification code for this event, if one exists. Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID. | keyword | -| event.dataset | Event dataset | constant_keyword | +| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword | | event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. 
`event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | diff --git a/packages/hadoop/data_stream/application/fields/beats.yml b/packages/hadoop/data_stream/application/fields/beats.yml index ede69588554..22565288a1d 100644 --- a/packages/hadoop/data_stream/application/fields/beats.yml +++ b/packages/hadoop/data_stream/application/fields/beats.yml @@ -1,6 +1,3 @@ - name: input.type description: Type of Filebeat input. type: keyword -- name: tags - type: keyword - description: User defined tags diff --git a/packages/hadoop/docs/README.md b/packages/hadoop/docs/README.md index 3392ea9649e..130c67b54c8 100644 --- a/packages/hadoop/docs/README.md +++ b/packages/hadoop/docs/README.md @@ -101,7 +101,7 @@ An example event for `application` looks as following: | hadoop.application.time.started | Application start time | date | | hadoop.application.vcore_seconds | The amount of CPU resources the application has allocated | long | | input.type | Type of Filebeat input. | keyword | -| tags | User defined tags | keyword | +| tags | List of keywords used to tag each event. | keyword | ## cluster diff --git a/packages/hashicorp_vault/data_stream/metrics/fields/fields.yml b/packages/hashicorp_vault/data_stream/metrics/fields/fields.yml index 460dfe67663..43fa8baada8 100644 --- a/packages/hashicorp_vault/data_stream/metrics/fields/fields.yml +++ b/packages/hashicorp_vault/data_stream/metrics/fields/fields.yml 
@@ -1,47 +1,3 @@ - name: hashicorp_vault.metrics.*.* dynamic: true description: Hashicorp Vault telemetry data from the Prometheus endpoint. -- name: labels - type: group - fields: - - name: auth_method - type: keyword - description: Authorization engine type. - - name: cluster - type: keyword - description: > - The cluster name from which the metric originated; set in the configuration file, or automatically generated when a cluster is created. - - - name: creation_ttl - type: keyword - description: > - Time-to-live value assigned to a token or lease at creation. This value is rounded up to the next-highest bucket; the available buckets are 1m, 10m, 20m, 1h, 2h, 1d, 2d, 7d, and 30d. Any longer TTL is assigned the value +Inf. - - - name: host - type: keyword - - name: instance - type: keyword - - name: job - type: keyword - - name: local - type: keyword - - name: mount_point - type: keyword - description: Path at which an auth method or secret engine is mounted. - - name: namespace - type: keyword - description: A namespace path, or root for the root namespace - - name: quantile - type: keyword - - name: queue_id - type: keyword - - name: term - type: keyword - - name: token_type - type: keyword - description: Identifies whether the token is a batch token or a service token. - example: service - - name: type - type: keyword - - name: version - type: keyword diff --git a/packages/hashicorp_vault/docs/README.md b/packages/hashicorp_vault/docs/README.md index 5ae63ff5af4..e3d237b6223 100644 --- a/packages/hashicorp_vault/docs/README.md +++ b/packages/hashicorp_vault/docs/README.md 
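Review bot: Removing the explicit `keyword` mapping for the fifteen `labels.*` fields leaves them to dynamic mapping under the ECS `labels` object (the README hunk that follows lists `labels` with type `object` and the ECS text "All values are stored as keyword"). Whether that promise holds depends on the external definition resolving to a dynamic template that pins `labels.*` to keyword; if it resolves to a bare object, a numeric-looking label such as `quantile` would be typed as a number on first sight, and the `+Inf` bucket the removed `creation_ttl` description explicitly mentions would then be rejected with a mapping error, dropping metrics that carry the `auth_method`, `mount_point` and `token_type` labels used to audit Vault access. Please confirm the generated template keeps these as keyword, and keep at least a pointer in this file so the next maintainer knows where the mapping comes from, e.g. `# labels.* (auth_method, mount_point, token_type, ...) are mapped via the ECS labels object`. The per-label descriptions (creation_ttl buckets, batch vs service token) are also lost from the README with this change.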
@@ -438,20 +438,5 @@ telemetry { | event.module | Event module | constant_keyword | | hashicorp_vault.metrics.\*.\* | Hashicorp Vault telemetry data from the Prometheus endpoint. | | | labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | -| labels.auth_method | Authorization engine type. | keyword | -| labels.cluster | The cluster name from which the metric originated; set in the configuration file, or automatically generated when a cluster is created. | keyword | -| labels.creation_ttl | Time-to-live value assigned to a token or lease at creation. This value is rounded up to the next-highest bucket; the available buckets are 1m, 10m, 20m, 1h, 2h, 1d, 2d, 7d, and 30d. Any longer TTL is assigned the value +Inf. | keyword | -| labels.host | | keyword | -| labels.instance | | keyword | -| labels.job | | keyword | -| labels.local | | keyword | -| labels.mount_point | Path at which an auth method or secret engine is mounted. | keyword | -| labels.namespace | A namespace path, or root for the root namespace | keyword | -| labels.quantile | | keyword | -| labels.queue_id | | keyword | -| labels.term | | keyword | -| labels.token_type | Identifies whether the token is a batch token or a service token. | keyword | -| labels.type | | keyword | -| labels.version | | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/hid_bravura_monitor/data_stream/log/fields/base-fields.yml b/packages/hid_bravura_monitor/data_stream/log/fields/base-fields.yml index cf3e4e13849..b25d7f5d595 100644 --- a/packages/hid_bravura_monitor/data_stream/log/fields/base-fields.yml 
+++ b/packages/hid_bravura_monitor/data_stream/log/fields/base-fields.yml @@ -7,9 +7,6 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. - name: event.module type: constant_keyword description: Event module diff --git a/packages/hid_bravura_monitor/data_stream/winlog/fields/base-fields.yml b/packages/hid_bravura_monitor/data_stream/winlog/fields/base-fields.yml index ecf4acb535d..868421f01f2 100644 --- a/packages/hid_bravura_monitor/data_stream/winlog/fields/base-fields.yml +++ b/packages/hid_bravura_monitor/data_stream/winlog/fields/base-fields.yml @@ -11,10 +11,6 @@ - name: '@timestamp' type: date description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: hid_bravura_monitor - name: event.dataset type: constant_keyword description: Event dataset. diff --git a/packages/hid_bravura_monitor/docs/README.md b/packages/hid_bravura_monitor/docs/README.md index 5018e8a093b..ae419ff7169 100644 --- a/packages/hid_bravura_monitor/docs/README.md +++ b/packages/hid_bravura_monitor/docs/README.md 
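Review bot: The hid_bravura_monitor/winlog hunk drops the `event.module` constant_keyword (value `hid_bravura_monitor`) while the log hunk on the same line keeps its `event.module` constant_keyword in context, so the two data streams of one package now disagree on whether the value is enforced by the mapping. If the winlog pipeline (not visible here) does not set `event.module`, events from the two streams will no longer be selectable together with `event.module:hid_bravura_monitor`. Align the two streams, either by keeping `- name: event.module` / `type: constant_keyword` / `value: hid_bravura_monitor` in winlog as well, or by dropping it from both and setting it in each pipeline.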
@@ -239,7 +239,7 @@ An example event for `log` looks as following: | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword | | client.domain | Client domain. | keyword | | client.ip | IP address of the client (IPv4 or IPv6). | ip | diff --git a/packages/imperva/data_stream/securesphere/fields/base-fields.yml b/packages/imperva/data_stream/securesphere/fields/base-fields.yml index dc56d4aaff7..9ce3355258d 100644 --- a/packages/imperva/data_stream/securesphere/fields/base-fields.yml +++ b/packages/imperva/data_stream/securesphere/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: imperva.securesphere -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 @@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/infoblox/data_stream/nios/fields/base-fields.yml b/packages/infoblox/data_stream/nios/fields/base-fields.yml index f9d913dd565..8abe062e052 100644 --- a/packages/infoblox/data_stream/nios/fields/base-fields.yml 
+++ b/packages/infoblox/data_stream/nios/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: infoblox.nios -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 @@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/juniper/data_stream/junos/fields/base-fields.yml b/packages/juniper/data_stream/junos/fields/base-fields.yml index 6092398a3f1..92c55e0c2f9 100644 --- a/packages/juniper/data_stream/junos/fields/base-fields.yml +++ b/packages/juniper/data_stream/junos/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: juniper.junos -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 @@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/juniper/data_stream/netscreen/fields/base-fields.yml b/packages/juniper/data_stream/netscreen/fields/base-fields.yml index db5ff9a4dad..f1b2287e9ce 100644 --- a/packages/juniper/data_stream/netscreen/fields/base-fields.yml +++ b/packages/juniper/data_stream/netscreen/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: juniper.netscreen -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 
@@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/juniper/data_stream/srx/fields/base-fields.yml b/packages/juniper/data_stream/srx/fields/base-fields.yml index 2b9703542a6..5e633cd76ab 100644 --- a/packages/juniper/data_stream/srx/fields/base-fields.yml +++ b/packages/juniper/data_stream/srx/fields/base-fields.yml @@ -15,6 +15,3 @@ type: constant_keyword description: Event dataset value: juniper.srx -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/juniper/docs/README.md b/packages/juniper/docs/README.md index f1cbbdd29f3..ec665711bbf 100644 --- a/packages/juniper/docs/README.md +++ b/packages/juniper/docs/README.md @@ -47,7 +47,7 @@ The following processes and tags are supported: | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | agent.build.original | Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. | keyword | | agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | 
@@ -98,10 +98,10 @@ The following processes and tags are supported: | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | code_signature.exists | Boolean to capture if a signature is present. | boolean | | code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | code_signature.subject_name | Subject name of the code signer | keyword | 
@@ -882,7 +882,7 @@ The `junos` dataset collects Juniper JUNOS logs. | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | agent.build.original | Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. | keyword | | agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | 
@@ -933,10 +933,10 @@ The `junos` dataset collects Juniper JUNOS logs. | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | code_signature.exists | Boolean to capture if a signature is present. | boolean | | code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | code_signature.subject_name | Subject name of the code signer | keyword | diff --git a/packages/juniper_junos/data_stream/log/fields/base-fields.yml b/packages/juniper_junos/data_stream/log/fields/base-fields.yml index d93730c7a76..2b604cdf182 100644 --- a/packages/juniper_junos/data_stream/log/fields/base-fields.yml +++ b/packages/juniper_junos/data_stream/log/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: juniper_junos.log -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 
@@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/juniper_netscreen/data_stream/log/fields/base-fields.yml b/packages/juniper_netscreen/data_stream/log/fields/base-fields.yml index 82882053b69..abf4af53ad1 100644 --- a/packages/juniper_netscreen/data_stream/log/fields/base-fields.yml +++ b/packages/juniper_netscreen/data_stream/log/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: juniper_netscreen.log -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 @@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword diff --git a/packages/juniper_srx/data_stream/log/fields/base-fields.yml b/packages/juniper_srx/data_stream/log/fields/base-fields.yml index 5b1dbba23c1..5d7fc0ea18a 100644 --- a/packages/juniper_srx/data_stream/log/fields/base-fields.yml +++ b/packages/juniper_srx/data_stream/log/fields/base-fields.yml @@ -15,6 +15,3 @@ type: constant_keyword description: Event dataset value: juniper_srx.log -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/juniper_srx/docs/README.md b/packages/juniper_srx/docs/README.md index cd744d74530..3c1884665d9 100644 --- a/packages/juniper_srx/docs/README.md +++ b/packages/juniper_srx/docs/README.md 
@@ -43,7 +43,7 @@ The following processes and tags are supported: | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | agent.build.original | Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. | keyword | | agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | 
@@ -94,10 +94,10 @@ The following processes and tags are supported: | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | code_signature.exists | Boolean to capture if a signature is present. | boolean | | code_signature.status | Additional information about the certificate status. This is useful for logging cryptographic errors with the certificate validity or trust status. Leave unpopulated if the validity or trust of the certificate was unchecked. | keyword | | code_signature.subject_name | Subject name of the code signer | keyword | diff --git a/packages/linux/data_stream/service/fields/agent.yml b/packages/linux/data_stream/service/fields/agent.yml index da4e652c53b..3c816026810 100644 --- a/packages/linux/data_stream/service/fields/agent.yml +++ b/packages/linux/data_stream/service/fields/agent.yml 
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/linux/docs/README.md b/packages/linux/docs/README.md index 9eebe50e4bb..061744baad0 100644 --- a/packages/linux/docs/README.md +++ b/packages/linux/docs/README.md 
@@ -254,7 +254,6 @@ This data stream is available on:
 | event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
 | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
 | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
 | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
@@ -273,14 +272,12 @@ This data stream is available on:
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.full | Operating system name, including the version or code name. | keyword |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
diff --git a/packages/microsoft/data_stream/dhcp/fields/base-fields.yml b/packages/microsoft/data_stream/dhcp/fields/base-fields.yml
index cd35075f6e4..4a5691ae184 100644
--- a/packages/microsoft/data_stream/dhcp/fields/base-fields.yml
+++ b/packages/microsoft/data_stream/dhcp/fields/base-fields.yml
@@ -15,9 +15,6 @@
 type: constant_keyword
 description: Event dataset
 value: microsoft.dhcp
-- name: '@timestamp'
- type: date
- description: Event timestamp.
 - name: container.id
 description: Unique container id.
 ignore_above: 1024
@@ -39,8 +36,3 @@
 - name: log.offset
 description: Offset of the entry in the log file.
 type: long
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/mongodb/data_stream/collstats/fields/base-fields.yml b/packages/mongodb/data_stream/collstats/fields/base-fields.yml
index 20a5c443b50..14cf6ae2090 100644
--- a/packages/mongodb/data_stream/collstats/fields/base-fields.yml
+++ b/packages/mongodb/data_stream/collstats/fields/base-fields.yml
@@ -18,6 +18,3 @@
 - name: '@timestamp'
 type: date
 description: Event timestamp.
-- name: service.address
- type: keyword
- description: Address of the machine where the service is running.
diff --git a/packages/mongodb/data_stream/dbstats/fields/base-fields.yml b/packages/mongodb/data_stream/dbstats/fields/base-fields.yml
index c10e432de6b..f6348f95f7a 100644
--- a/packages/mongodb/data_stream/dbstats/fields/base-fields.yml
+++ b/packages/mongodb/data_stream/dbstats/fields/base-fields.yml
@@ -18,6 +18,3 @@
 - name: '@timestamp'
 type: date
 description: Event timestamp.
-- name: service.address
- type: keyword
- description: Address of the machine where the service is running.
diff --git a/packages/mongodb/data_stream/metrics/fields/base-fields.yml b/packages/mongodb/data_stream/metrics/fields/base-fields.yml
index b7da7cc1960..e43aa3d82c5 100644
--- a/packages/mongodb/data_stream/metrics/fields/base-fields.yml
+++ b/packages/mongodb/data_stream/metrics/fields/base-fields.yml
@@ -18,6 +18,3 @@
 - name: '@timestamp'
 type: date
 description: Event timestamp.
-- name: service.address
- type: keyword
- description: Address of the machine where the service is running.
diff --git a/packages/mongodb/data_stream/replstatus/fields/base-fields.yml b/packages/mongodb/data_stream/replstatus/fields/base-fields.yml
index c3ee6a0e1ee..570a470e320 100644
--- a/packages/mongodb/data_stream/replstatus/fields/base-fields.yml
+++ b/packages/mongodb/data_stream/replstatus/fields/base-fields.yml
@@ -18,6 +18,3 @@
 - name: '@timestamp'
 type: date
 description: Event timestamp.
-- name: service.address
- type: keyword
- description: Address of the machine where the service is running.
diff --git a/packages/mongodb/docs/README.md b/packages/mongodb/docs/README.md
index f76e221f0eb..88193362b07 100644
--- a/packages/mongodb/docs/README.md
+++ b/packages/mongodb/docs/README.md
@@ -988,7 +988,7 @@ The fields reported are: | mongodb.replstatus.optimes.last_committed | Information, from the viewpoint of this member, regarding the most recent operation that has been written to a majority of replica set members. | long | | mongodb.replstatus.server_date | Reflects the current time according to the server that processed the replSetGetStatus command. | date | | mongodb.replstatus.set_name | The name of the replica set. | keyword | -| service.address | Address of the machine where the service is running. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/netflow/data_stream/log/fields/base-fields.yml b/packages/netflow/data_stream/log/fields/base-fields.yml index 12d5ac2a456..008a46bbbb1 100644 --- a/packages/netflow/data_stream/log/fields/base-fields.yml +++ b/packages/netflow/data_stream/log/fields/base-fields.yml @@ -15,6 +15,3 @@ type: constant_keyword description: Event dataset value: netflow.log -- name: '@timestamp' - type: date - description: Event timestamp. diff --git a/packages/netflow/docs/README.md b/packages/netflow/docs/README.md index 57624813693..8afb21d6183 100644 --- a/packages/netflow/docs/README.md +++ b/packages/netflow/docs/README.md 
@@ -20,7 +20,7 @@ The `log` dataset collects netflow logs. | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | agent.ephemeral_id | Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but `agent.id` does not. | keyword | | agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | | agent.name | Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. | keyword | diff --git a/packages/netscout/data_stream/sightline/fields/base-fields.yml b/packages/netscout/data_stream/sightline/fields/base-fields.yml index 32ac5000dd4..4e3ab698685 100644 --- a/packages/netscout/data_stream/sightline/fields/base-fields.yml +++ b/packages/netscout/data_stream/sightline/fields/base-fields.yml @@ -15,9 +15,6 @@ type: constant_keyword description: Event dataset value: netscout.sightline -- name: '@timestamp' - type: date - description: Event timestamp. - name: container.id description: Unique container id. ignore_above: 1024 @@ -39,8 +36,3 @@ - name: log.offset description: Offset of the entry in the log file. type: long -- name: tags - description: List of keywords used to tag each event. - example: '["production", "env2"]' - ignore_above: 1024 - type: keyword 
diff --git a/packages/panw/data_stream/panos/fields/fields.yml b/packages/panw/data_stream/panos/fields/fields.yml
index 3625a118742..4981d2b007a 100644
--- a/packages/panw/data_stream/panos/fields/fields.yml
+++ b/packages/panw/data_stream/panos/fields/fields.yml
@@ -332,25 +332,3 @@
 type: keyword
 description: |
 A string showing the how the GlobalProtect app connects to Gateway.
-- name: labels.pcap_included
- type: boolean
-- name: labels.ipv6_session
- type: boolean
-- name: labels.ssl_decrypted
- type: boolean
-- name: labels.url_filter_denied
- type: boolean
-- name: labels.nat_translated
- type: boolean
-- name: labels.captive_portal
- type: boolean
-- name: labels.x_forwarded_for
- type: boolean
-- name: labels.http_proxy
- type: boolean
-- name: labels.container_page
- type: boolean
-- name: labels.temporary_match
- type: boolean
-- name: labels.symmetric_return
- type: boolean
diff --git a/packages/panw/docs/README.md b/packages/panw/docs/README.md
index 873410c3a78..71cfc697320 100644
--- a/packages/panw/docs/README.md
+++ b/packages/panw/docs/README.md
@@ -99,17 +99,6 @@ The ingest-geoip Elasticsearch plugin is required to run this module.
 | http.request.referer | Referrer for this HTTP request. | keyword |
 | input.type | Type of Filebeat input. | keyword |
 | labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object |
-| labels.captive_portal | | boolean |
-| labels.container_page | | boolean |
-| labels.http_proxy | | boolean |
-| labels.ipv6_session | | boolean |
-| labels.nat_translated | | boolean |
-| labels.pcap_included | | boolean |
-| labels.ssl_decrypted | | boolean |
-| labels.symmetric_return | | boolean |
-| labels.temporary_match | | boolean |
-| labels.url_filter_denied | | boolean |
-| labels.x_forwarded_for | | boolean |
 | log.file.path | Path to the log file. | keyword |
 | log.flags | Flags for the log file. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
diff --git a/packages/postgresql/data_stream/log/fields/fields.yml b/packages/postgresql/data_stream/log/fields/fields.yml
index f25e9ba928a..3da3419b123 100644
--- a/packages/postgresql/data_stream/log/fields/fields.yml
+++ b/packages/postgresql/data_stream/log/fields/fields.yml
@@ -93,12 +93,6 @@
 type: keyword
 description: |
 Type of backend of this event. Possible types are autovacuum launcher, autovacuum worker, logical replication launcher, logical replication worker, parallel worker, background writer, client backend, checkpointer, startup, walreceiver, walsender and walwriter. In addition, background workers registered by extensions may have additional types.
-- name: event.kind
- type: keyword
- description: Event kind (e.g. event)
-- name: event.category
- type: keyword
- description: Event category (e.g. database)
 - name: event.code
 type: keyword
 description: Identification code for this event
diff --git a/packages/postgresql/docs/README.md b/packages/postgresql/docs/README.md
index f99123c2ccb..35281e3a284 100644
--- a/packages/postgresql/docs/README.md
+++ b/packages/postgresql/docs/README.md
@@ -64,7 +64,7 @@ persistent connections, so enable with care.
 | error.code | Error code describing the error. | keyword |
 | error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
-| event.category | Event category (e.g. database) | keyword |
+| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
 | event.code | Identification code for this event | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
diff --git a/packages/proofpoint/data_stream/emailsecurity/fields/base-fields.yml b/packages/proofpoint/data_stream/emailsecurity/fields/base-fields.yml
index a8d761fd165..be33504baba 100644
--- a/packages/proofpoint/data_stream/emailsecurity/fields/base-fields.yml
+++ b/packages/proofpoint/data_stream/emailsecurity/fields/base-fields.yml
@@ -15,9 +15,6 @@
 type: constant_keyword
 description: Event dataset
 value: proofpoint.emailsecurity
-- name: '@timestamp'
- type: date
- description: Event timestamp.
 - name: container.id
 description: Unique container id.
 ignore_above: 1024
@@ -39,8 +36,3 @@
 - name: log.offset
 description: Offset of the entry in the log file.
 type: long
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/radware/data_stream/defensepro/fields/base-fields.yml b/packages/radware/data_stream/defensepro/fields/base-fields.yml
index 2070b87dc06..e64eec82c49 100644
--- a/packages/radware/data_stream/defensepro/fields/base-fields.yml
+++ b/packages/radware/data_stream/defensepro/fields/base-fields.yml
@@ -15,9 +15,6 @@
 type: constant_keyword
 description: Event dataset
 value: radware.defensepro
-- name: '@timestamp'
- type: date
- description: Event timestamp.
 - name: container.id
 description: Unique container id.
 ignore_above: 1024
@@ -39,8 +36,3 @@
 - name: log.offset
 description: Offset of the entry in the log file.
 type: long
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/redis/data_stream/info/fields/fields.yml b/packages/redis/data_stream/info/fields/fields.yml
index ffb6963100a..30b8053595e 100644
--- a/packages/redis/data_stream/info/fields/fields.yml
+++ b/packages/redis/data_stream/info/fields/fields.yml
@@ -448,9 +448,3 @@ type: long description: | Count of slow operations -- name: service.address - type: keyword - description: Client address -- name: service.version - type: keyword - description: Version of the service the data was collected from diff --git a/packages/redis/docs/README.md b/packages/redis/docs/README.md index 88458be929d..aaf7513fef4 100644 --- a/packages/redis/docs/README.md +++ b/packages/redis/docs/README.md @@ -613,9 +613,9 @@ An example event for `info` looks as following: | redis.info.stats.sync.full | The number of full resyncs with slaves | long | | redis.info.stats.sync.partial.err | The number of denied partial resync requests | long | | redis.info.stats.sync.partial.ok | The number of accepted partial resync requests | long | -| service.address | Client address | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | -| service.version | Version of the service the data was collected from | keyword | +| service.version | Version of the service the data was collected from. This allows to look at a data set only for a specific version of a service. | keyword | ### key diff --git a/packages/sonicwall/data_stream/firewall/fields/base-fields.yml b/packages/sonicwall/data_stream/firewall/fields/base-fields.yml index a73f5492de5..5134e801922 100644 --- a/packages/sonicwall/data_stream/firewall/fields/base-fields.yml +++ b/packages/sonicwall/data_stream/firewall/fields/base-fields.yml 
@@ -15,9 +15,6 @@
 type: constant_keyword
 description: Event dataset
 value: sonicwall.firewall
-- name: '@timestamp'
- type: date
- description: Event timestamp.
 - name: container.id
 description: Unique container id.
 ignore_above: 1024
@@ -39,8 +36,3 @@
 - name: log.offset
 description: Offset of the entry in the log file.
 type: long
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/sophos/data_stream/utm/fields/base-fields.yml b/packages/sophos/data_stream/utm/fields/base-fields.yml
index 0c50a776378..15da1486fe7 100644
--- a/packages/sophos/data_stream/utm/fields/base-fields.yml
+++ b/packages/sophos/data_stream/utm/fields/base-fields.yml
@@ -15,9 +15,6 @@
 type: constant_keyword
 description: Event dataset
 value: sophos.utm
-- name: '@timestamp'
- type: date
- description: Event timestamp.
 - name: container.id
 description: Unique container id.
 ignore_above: 1024
@@ -39,8 +36,3 @@
 - name: log.offset
 description: Offset of the entry in the log file.
 type: long
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/sophos/docs/README.md b/packages/sophos/docs/README.md
index 7d950b445d8..12c3c24d2a4 100644
--- a/packages/sophos/docs/README.md
+++ b/packages/sophos/docs/README.md
@@ -26,7 +26,7 @@ The `utm` dataset collects Astaro Security Gateway logs. | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword | | client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword | | client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword | diff --git a/packages/squid/data_stream/log/fields/base-fields.yml b/packages/squid/data_stream/log/fields/base-fields.yml index 8243e1ed2f0..c25d7cae586 100644 --- a/packages/squid/data_stream/log/fields/base-fields.yml +++ b/packages/squid/data_stream/log/fields/base-fields.yml 
@@ -15,9 +15,6 @@
 type: constant_keyword
 description: Event dataset
 value: squid.log
-- name: '@timestamp'
- type: date
- description: Event timestamp.
 - name: container.id
 description: Unique container id.
 ignore_above: 1024
@@ -39,8 +36,3 @@
 - name: log.offset
 description: Offset of the entry in the log file.
 type: long
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
diff --git a/packages/suricata/data_stream/eve/fields/base-fields.yml b/packages/suricata/data_stream/eve/fields/base-fields.yml
index eee838550ff..ae4fc87ca44 100644
--- a/packages/suricata/data_stream/eve/fields/base-fields.yml
+++ b/packages/suricata/data_stream/eve/fields/base-fields.yml
@@ -15,6 +15,3 @@
 type: constant_keyword
 description: Event dataset
 value: suricata.eve
-- name: '@timestamp'
- type: date
- description: Event timestamp.
diff --git a/packages/symantec_endpoint/data_stream/log/fields/base-fields.yml b/packages/symantec_endpoint/data_stream/log/fields/base-fields.yml
index d5fd358e285..880943d9dbd 100644
--- a/packages/symantec_endpoint/data_stream/log/fields/base-fields.yml
+++ b/packages/symantec_endpoint/data_stream/log/fields/base-fields.yml
@@ -7,14 +7,6 @@
 - name: data_stream.namespace
 type: constant_keyword
 description: Data stream namespace.
-- name: event.module
- type: constant_keyword
- description: Event module
- value: symantec_endpoint
-- name: event.dataset
- type: constant_keyword
- description: Event dataset
- value: symantec_endpoint.log
 - name: "@timestamp"
 type: date
 description: Event timestamp.
diff --git a/packages/synthetics/data_stream/browser/fields/cloud.yml b/packages/synthetics/data_stream/browser/fields/cloud.yml
index 29a4b437903..fe51488c706 100644
--- a/packages/synthetics/data_stream/browser/fields/cloud.yml
+++ b/packages/synthetics/data_stream/browser/fields/cloud.yml
@@ -1,6 +1 @@
-- name: cloud.image.id
- example: ami-abcd1234
- type: keyword
- description: >
- Image ID for the cloud instance.
-
+[]
diff --git a/packages/synthetics/data_stream/browser/fields/http.yml b/packages/synthetics/data_stream/browser/fields/http.yml
index 40dd8b42ee9..fe51488c706 100644
--- a/packages/synthetics/data_stream/browser/fields/http.yml
+++ b/packages/synthetics/data_stream/browser/fields/http.yml
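Review bot: The new side of this hunk is a bare `[]`, which leaves an empty fields file in the package instead of removing it; the same pattern repeats in the `browser_network`, `browser_screenshot` and `http` `cloud.yml` hunks and in both `http.yml` hunks below. If the package spec does not require the file to exist, deleting it is the clearer change; if it must stay, a one-line comment above `[]` saying where `cloud.image.id` now comes from would spare the next reader a search, for example `# intentionally empty: cloud.image.id is defined in <shared fields file>`. The same note applies to the other `[]` files in this series.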
@@ -1,91 +1 @@ -- name: http - type: group - description: > - HTTP related fields. - - fields: - - name: response - type: group - fields: - - name: body - type: group - fields: - - name: hash - type: keyword - description: > - Hash of the full response body. Can be used to group responses with identical hashes. - - - name: redirects - type: keyword - description: > - List of redirects followed to arrive at final content. Last item on the list is the URL for which body content is shown. - - - name: headers.* - type: object - enabled: false - description: > - The canonical headers of the monitored HTTP response. - - - name: rtt - type: group - description: > - HTTP layer round trip times. - - fields: - - name: validate - type: group - description: | - Duration between first byte of HTTP request being written and - response being processed by validator. Duration based on already - available network connection. - - Note: if validator is not reading body or only a prefix, this - number does not fully represent the total time needed - to read the body. - fields: - - name: us - type: long - description: Duration in microseconds - - name: validate_body - type: group - description: | - Duration of validator required to read and validate the response - body. - - Note: if validator is not reading body or only a prefix, this - number does not fully represent the total time needed - to read the body. - fields: - - name: us - type: long - description: Duration in microseconds - - name: write_request - type: group - description: Duration of sending the complete HTTP request. Duration based on already available network connection. - fields: - - name: us - type: long - description: Duration in microseconds - - name: response_header - type: group - description: Time required between sending the start of sending the HTTP request and first byte from HTTP response being read. Duration based on already available network connection. 
- fields: - - name: us - type: long - description: Duration in microseconds - - name: content.us - type: long - description: Time required to retrieved the content in micro seconds. - - name: total - type: group - description: | - Duration required to process the HTTP transaction. Starts with - the initial TCP connection attempt. Ends with after validator - did check the response. - - Note: if validator is not reading body or only a prefix, this - number does not fully represent the total time needed. - fields: - - name: us - type: long - description: Duration in microseconds +[] diff --git a/packages/synthetics/data_stream/browser_network/fields/cloud.yml b/packages/synthetics/data_stream/browser_network/fields/cloud.yml index 29a4b437903..fe51488c706 100644 --- a/packages/synthetics/data_stream/browser_network/fields/cloud.yml +++ b/packages/synthetics/data_stream/browser_network/fields/cloud.yml @@ -1,6 +1 @@ -- name: cloud.image.id - example: ami-abcd1234 - type: keyword - description: > - Image ID for the cloud instance. - +[] diff --git a/packages/synthetics/data_stream/browser_network/fields/http.yml b/packages/synthetics/data_stream/browser_network/fields/http.yml index 51b5c0166d0..fe51488c706 100644 --- a/packages/synthetics/data_stream/browser_network/fields/http.yml +++ b/packages/synthetics/data_stream/browser_network/fields/http.yml 
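Review bot: The removed `http.response.headers.*` entry carried `enabled: false`, which kept the monitored response headers out of the index; the new side is only `[]`, and nothing in this hunk shows where that setting now lives. Unless another fields file for this data stream re-declares the same object with `enabled: false`, response headers (which can include cookie and authorization values) would fall to the data stream's dynamic-mapping behaviour, ending up either indexed as searchable keywords or dropped as unmapped. It would help to state in the PR description which file now supplies `http.response.body.hash`, `http.response.redirects`, `http.response.headers.*` and the `http.rtt.*` timings. The `browser_network/fields/http.yml` hunk that follows has the same gap and additionally drops `http.request.url` (wildcard with multi-fields) and `http.response.headers.etag`.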
@@ -1,107 +1 @@ -- name: http - type: group - description: > - HTTP related fields. - - fields: - - name: request.url - level: extended - type: wildcard - multi_fields: - - name: text - type: text - norms: false - default_field: false - - name: keyword - type: keyword - description: The request url - - name: response - type: group - fields: - - name: body - type: group - fields: - - name: hash - type: keyword - description: > - Hash of the full response body. Can be used to group responses with identical hashes. - - - name: redirects - type: keyword - description: > - List of redirects followed to arrive at final content. Last item on the list is the URL for which body content is shown. - - - name: headers.etag - type: keyword - description: > - Identifier for a specific version of a resource - - - name: headers.* - type: object - enabled: false - description: > - The canonical headers of the monitored HTTP response. - - - name: rtt - type: group - description: > - HTTP layer round trip times. - - fields: - - name: validate - type: group - description: | - Duration between first byte of HTTP request being written and - response being processed by validator. Duration based on already - available network connection. - - Note: if validator is not reading body or only a prefix, this - number does not fully represent the total time needed - to read the body. - fields: - - name: us - type: long - description: Duration in microseconds - - name: validate_body - type: group - description: | - Duration of validator required to read and validate the response - body. - - Note: if validator is not reading body or only a prefix, this - number does not fully represent the total time needed - to read the body. - fields: - - name: us - type: long - description: Duration in microseconds - - name: write_request - type: group - description: Duration of sending the complete HTTP request. Duration based on already available network connection. 
- fields: - - name: us - type: long - description: Duration in microseconds - - name: response_header - type: group - description: Time required between sending the start of sending the HTTP request and first byte from HTTP response being read. Duration based on already available network connection. - fields: - - name: us - type: long - description: Duration in microseconds - - name: content.us - type: long - description: Time required to retrieved the content in micro seconds. - - name: total - type: group - description: | - Duration required to process the HTTP transaction. Starts with - the initial TCP connection attempt. Ends with after validator - did check the response. - - Note: if validator is not reading body or only a prefix, this - number does not fully represent the total time needed. - fields: - - name: us - type: long - description: Duration in microseconds +[] diff --git a/packages/synthetics/data_stream/browser_screenshot/fields/cloud.yml b/packages/synthetics/data_stream/browser_screenshot/fields/cloud.yml index 29a4b437903..fe51488c706 100644 --- a/packages/synthetics/data_stream/browser_screenshot/fields/cloud.yml +++ b/packages/synthetics/data_stream/browser_screenshot/fields/cloud.yml @@ -1,6 +1 @@ -- name: cloud.image.id - example: ami-abcd1234 - type: keyword - description: > - Image ID for the cloud instance. - +[] diff --git a/packages/synthetics/data_stream/http/fields/cloud.yml b/packages/synthetics/data_stream/http/fields/cloud.yml index 29a4b437903..fe51488c706 100644 --- a/packages/synthetics/data_stream/http/fields/cloud.yml +++ b/packages/synthetics/data_stream/http/fields/cloud.yml @@ -1,6 +1 @@ -- name: cloud.image.id - example: ami-abcd1234 - type: keyword - description: > - Image ID for the cloud instance. - +[] diff --git a/packages/synthetics/data_stream/http/fields/http.yml b/packages/synthetics/data_stream/http/fields/http.yml index 40dd8b42ee9..fe51488c706 100644 --- a/packages/synthetics/data_stream/http/fields/http.yml 
+++ b/packages/synthetics/data_stream/http/fields/http.yml 
@@ -1,91 +1 @@ -- name: http - type: group - description: > - HTTP related fields. - - fields: - - name: response - type: group - fields: - - name: body - type: group - fields: - - name: hash - type: keyword - description: > - Hash of the full response body. Can be used to group responses with identical hashes. - - - name: redirects - type: keyword - description: > - List of redirects followed to arrive at final content. Last item on the list is the URL for which body content is shown. - - - name: headers.* - type: object - enabled: false - description: > - The canonical headers of the monitored HTTP response. - - - name: rtt - type: group - description: > - HTTP layer round trip times. - - fields: - - name: validate - type: group - description: | - Duration between first byte of HTTP request being written and - response being processed by validator. Duration based on already - available network connection. - - Note: if validator is not reading body or only a prefix, this - number does not fully represent the total time needed - to read the body. - fields: - - name: us - type: long - description: Duration in microseconds - - name: validate_body - type: group - description: | - Duration of validator required to read and validate the response - body. - - Note: if validator is not reading body or only a prefix, this - number does not fully represent the total time needed - to read the body. - fields: - - name: us - type: long - description: Duration in microseconds - - name: write_request - type: group - description: Duration of sending the complete HTTP request. Duration based on already available network connection. - fields: - - name: us - type: long - description: Duration in microseconds - - name: response_header - type: group - description: Time required between sending the start of sending the HTTP request and first byte from HTTP response being read. Duration based on already available network connection. 
- fields: - - name: us - type: long - description: Duration in microseconds - - name: content.us - type: long - description: Time required to retrieved the content in micro seconds. - - name: total - type: group - description: | - Duration required to process the HTTP transaction. Starts with - the initial TCP connection attempt. Ends with after validator - did check the response. - - Note: if validator is not reading body or only a prefix, this - number does not fully represent the total time needed. - fields: - - name: us - type: long - description: Duration in microseconds +[] diff --git a/packages/synthetics/data_stream/http/fields/tls.yml b/packages/synthetics/data_stream/http/fields/tls.yml index 4174905380c..fe51488c706 100644 --- a/packages/synthetics/data_stream/http/fields/tls.yml +++ b/packages/synthetics/data_stream/http/fields/tls.yml @@ -1,39 +1 @@ -- name: tls - type: group - description: > - TLS layer related fields. - - fields: - - name: certificate_not_valid_before - type: date - deprecated: 7.8.0 - description: Deprecated in favor of `tls.server.x509.not_before`. Earliest time at which the connection's certificates are valid. - - name: certificate_not_valid_after - deprecated: 7.8.0 - type: date - description: Deprecated in favor of `tls.server.x509.not_after`. Latest time at which the connection's certificates are valid. - - name: rtt - type: group - description: > - TLS layer round trip times. - - fields: - - name: handshake - type: group - description: > - Time required to finish TLS handshake based on already available network connection. - - fields: - - name: us - type: long - description: Duration in microseconds - - name: server - type: group - description: Detailed x509 certificate metadata - fields: - - name: version_number - type: keyword - ignore_above: 1024 - description: Version of x509 format. - example: 3 - default_field: false +[] 
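Review bot: Emptying http/fields/tls.yml silently drops `tls.certificate_not_valid_before` and `tls.certificate_not_valid_after`, which the removed text marks as deprecated since 7.8.0 but still mapped, along with `tls.rtt.handshake.us` and `tls.server.version_number`; any certificate-expiry rule, dashboard or alert still keyed on the deprecated fields would stop matching without error. The identical hunk is applied to icmp/fields/tls.yml and tcp/fields/tls.yml. Since the commit message does not mention this, the removal deserves a changelog entry that points consumers to `tls.server.x509.not_before` and `tls.server.x509.not_after`, the replacements the old descriptions already named.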
diff --git a/packages/synthetics/data_stream/icmp/fields/cloud.yml b/packages/synthetics/data_stream/icmp/fields/cloud.yml index 29a4b437903..fe51488c706 100644 --- a/packages/synthetics/data_stream/icmp/fields/cloud.yml +++ b/packages/synthetics/data_stream/icmp/fields/cloud.yml @@ -1,6 +1 @@ -- name: cloud.image.id - example: ami-abcd1234 - type: keyword - description: > - Image ID for the cloud instance. - +[] diff --git a/packages/synthetics/data_stream/icmp/fields/tls.yml b/packages/synthetics/data_stream/icmp/fields/tls.yml index 4174905380c..fe51488c706 100644 --- a/packages/synthetics/data_stream/icmp/fields/tls.yml +++ b/packages/synthetics/data_stream/icmp/fields/tls.yml @@ -1,39 +1 @@ -- name: tls - type: group - description: > - TLS layer related fields. - - fields: - - name: certificate_not_valid_before - type: date - deprecated: 7.8.0 - description: Deprecated in favor of `tls.server.x509.not_before`. Earliest time at which the connection's certificates are valid. - - name: certificate_not_valid_after - deprecated: 7.8.0 - type: date - description: Deprecated in favor of `tls.server.x509.not_after`. Latest time at which the connection's certificates are valid. - - name: rtt - type: group - description: > - TLS layer round trip times. - - fields: - - name: handshake - type: group - description: > - Time required to finish TLS handshake based on already available network connection. - - fields: - - name: us - type: long - description: Duration in microseconds - - name: server - type: group - description: Detailed x509 certificate metadata - fields: - - name: version_number - type: keyword - ignore_above: 1024 - description: Version of x509 format. - example: 3 - default_field: false +[] diff --git a/packages/synthetics/data_stream/tcp/fields/cloud.yml b/packages/synthetics/data_stream/tcp/fields/cloud.yml index 29a4b437903..fe51488c706 100644 --- a/packages/synthetics/data_stream/tcp/fields/cloud.yml 
+++ b/packages/synthetics/data_stream/tcp/fields/cloud.yml @@ -1,6 +1 @@ -- name: cloud.image.id - example: ami-abcd1234 - type: keyword - description: > - Image ID for the cloud instance. - +[] diff --git a/packages/synthetics/data_stream/tcp/fields/tls.yml b/packages/synthetics/data_stream/tcp/fields/tls.yml index 4174905380c..fe51488c706 100644 --- a/packages/synthetics/data_stream/tcp/fields/tls.yml +++ b/packages/synthetics/data_stream/tcp/fields/tls.yml @@ -1,39 +1 @@ -- name: tls - type: group - description: > - TLS layer related fields. - - fields: - - name: certificate_not_valid_before - type: date - deprecated: 7.8.0 - description: Deprecated in favor of `tls.server.x509.not_before`. Earliest time at which the connection's certificates are valid. - - name: certificate_not_valid_after - deprecated: 7.8.0 - type: date - description: Deprecated in favor of `tls.server.x509.not_after`. Latest time at which the connection's certificates are valid. - - name: rtt - type: group - description: > - TLS layer round trip times. - - fields: - - name: handshake - type: group - description: > - Time required to finish TLS handshake based on already available network connection. - - fields: - - name: us - type: long - description: Duration in microseconds - - name: server - type: group - description: Detailed x509 certificate metadata - fields: - - name: version_number - type: keyword - ignore_above: 1024 - description: Version of x509 format. - example: 3 - default_field: false +[] diff --git a/packages/system/data_stream/auth/fields/base-fields.yml b/packages/system/data_stream/auth/fields/base-fields.yml index 516c401c769..605a367be29 100644 --- a/packages/system/data_stream/auth/fields/base-fields.yml +++ b/packages/system/data_stream/auth/fields/base-fields.yml 
@@ -8,14 +8,7 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. - name: event.dataset type: constant_keyword description: Event dataset. value: system.auth -- name: event.module - type: constant_keyword - description: Event module - value: system diff --git a/packages/system/data_stream/core/fields/agent.yml b/packages/system/data_stream/core/fields/agent.yml index da4e652c53b..3c816026810 100644 --- a/packages/system/data_stream/core/fields/agent.yml +++ b/packages/system/data_stream/core/fields/agent.yml 
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/system/data_stream/cpu/fields/agent.yml b/packages/system/data_stream/cpu/fields/agent.yml index 36435349824..3c816026810 100644 --- a/packages/system/data_stream/cpu/fields/agent.yml +++ b/packages/system/data_stream/cpu/fields/agent.yml 
@@ -82,123 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - - - name: cpu.pct - type: scaled_float - format: percent - description: > - Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. - diff --git a/packages/system/data_stream/cpu/fields/fields.yml b/packages/system/data_stream/cpu/fields/fields.yml index 9efed64c2dc..6b1e9818bdd 100644 --- a/packages/system/data_stream/cpu/fields/fields.yml +++ b/packages/system/data_stream/cpu/fields/fields.yml 
@@ -171,12 +171,3 @@ metric_type: counter description: | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. -- name: host - type: group - fields: - - name: cpu.pct - type: scaled_float - unit: percent - metric_type: gauge - description: | - Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. diff --git a/packages/system/data_stream/diskio/fields/agent.yml b/packages/system/data_stream/diskio/fields/agent.yml index 54d97ab701d..3c816026810 100644 --- a/packages/system/data_stream/diskio/fields/agent.yml +++ b/packages/system/data_stream/diskio/fields/agent.yml 
@@ -82,128 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - - - name: disk.read.bytes - type: long - format: bytes - description: > - The total number of bytes read successfully in a given period of time. - - - name: disk.write.bytes - type: long - format: bytes - description: >- - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/data_stream/diskio/fields/fields.yml b/packages/system/data_stream/diskio/fields/fields.yml index 01a5762c60a..10822d23bf8 100644 --- a/packages/system/data_stream/diskio/fields/fields.yml +++ b/packages/system/data_stream/diskio/fields/fields.yml 
@@ -119,18 +119,3 @@ metric_type: gauge description: | Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. -- name: host - type: group - fields: - - name: disk.read.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes read successfully in a given period of time. - - name: disk.write.bytes - type: scaled_float - unit: byte - metric_type: gauge - description: | - The total number of bytes write successfully in a given period of time. diff --git a/packages/system/data_stream/fsstat/fields/agent.yml b/packages/system/data_stream/fsstat/fields/agent.yml index da4e652c53b..3c816026810 100644 --- a/packages/system/data_stream/fsstat/fields/agent.yml +++ b/packages/system/data_stream/fsstat/fields/agent.yml 
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/system/data_stream/load/fields/agent.yml b/packages/system/data_stream/load/fields/agent.yml index da4e652c53b..3c816026810 100644 --- a/packages/system/data_stream/load/fields/agent.yml +++ b/packages/system/data_stream/load/fields/agent.yml 
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/system/data_stream/memory/fields/agent.yml b/packages/system/data_stream/memory/fields/agent.yml index da4e652c53b..3c816026810 100644 --- a/packages/system/data_stream/memory/fields/agent.yml +++ b/packages/system/data_stream/memory/fields/agent.yml 
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/system/data_stream/network/fields/agent.yml b/packages/system/data_stream/network/fields/agent.yml index e5afe011398..3c816026810 100644 --- a/packages/system/data_stream/network/fields/agent.yml +++ b/packages/system/data_stream/network/fields/agent.yml 
@@ -82,139 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - - - name: network.in.bytes - type: long - format: bytes - description: > - The number of bytes received on all network interfaces by the host in a given period of time. - - - name: network.in.packets - type: long - description: > - The number of packets received on all network interfaces by the host in a given period of time. - - - name: network.out.bytes - type: long - format: bytes - description: > - The number of bytes sent out on all network interfaces by the host in a given period of time. - - - name: network.out.packets - type: long - description: > - The number of packets sent out on all network interfaces by the host in a given period of time. - 
diff --git a/packages/system/data_stream/network/fields/base-fields.yml b/packages/system/data_stream/network/fields/base-fields.yml index 30ac48f379b..4650bf6b3b7 100644 --- a/packages/system/data_stream/network/fields/base-fields.yml +++ b/packages/system/data_stream/network/fields/base-fields.yml @@ -7,9 +7,6 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. - name: event.module type: constant_keyword description: Event module diff --git a/packages/system/data_stream/network/fields/fields.yml b/packages/system/data_stream/network/fields/fields.yml index a309d88ba0f..8a8c828062b 100644 --- a/packages/system/data_stream/network/fields/fields.yml +++ b/packages/system/data_stream/network/fields/fields.yml @@ -49,29 +49,3 @@ metric_type: counter description: | The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. -- name: host - type: group - fields: - - name: network.in.bytes - type: scaled_float - format: bytes - unit: byte - metric_type: counter - description: | - The number of bytes received on all network interfaces by the host in a given period of time. - - name: network.out.bytes - type: scaled_float - unit: byte - metric_type: counter - description: | - The number of bytes sent out on all network interfaces by the host in a given period of time. - - name: network.in.packets - type: scaled_float - metric_type: counter - description: | - The number of packets received on all network interfaces by the host in a given period of time. - - name: network.out.packets - type: scaled_float - metric_type: counter - description: | - The number of packets sent out on all network interfaces by the host in a given period of time. 
diff --git a/packages/system/data_stream/process/fields/agent.yml b/packages/system/data_stream/process/fields/agent.yml index d5df59895a1..3c816026810 100644 --- a/packages/system/data_stream/process/fields/agent.yml +++ b/packages/system/data_stream/process/fields/agent.yml 
@@ -82,145 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - -- name: process - title: Process - group: 2 - description: Process metrics. - type: group - fields: - - name: state - type: keyword - description: > - The process state. For example: "running". - - - name: cpu.pct - type: scaled_float - format: percent - description: > - The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1. - - - name: cpu.start_time - type: date - description: > - The time when the process was started. - - - name: memory.pct - type: scaled_float - format: percent - description: > - The percentage of memory the process occupied in main memory (RAM). - 
diff --git a/packages/system/data_stream/process_summary/fields/agent.yml b/packages/system/data_stream/process_summary/fields/agent.yml index da4e652c53b..3c816026810 100644 --- a/packages/system/data_stream/process_summary/fields/agent.yml +++ b/packages/system/data_stream/process_summary/fields/agent.yml 
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/system/data_stream/process_summary/fields/base-fields.yml b/packages/system/data_stream/process_summary/fields/base-fields.yml index 8ba4e88dac3..a1bfaa238aa 100644 --- a/packages/system/data_stream/process_summary/fields/base-fields.yml +++ b/packages/system/data_stream/process_summary/fields/base-fields.yml @@ -7,9 +7,6 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. - name: event.module type: constant_keyword description: Event module 
diff --git a/packages/system/data_stream/security/fields/base-fields.yml b/packages/system/data_stream/security/fields/base-fields.yml index 8c57a260b40..46588cd8dea 100644 --- a/packages/system/data_stream/security/fields/base-fields.yml +++ b/packages/system/data_stream/security/fields/base-fields.yml @@ -11,10 +11,6 @@ - name: '@timestamp' type: date description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: system - name: event.dataset type: constant_keyword description: Event dataset. diff --git a/packages/system/data_stream/socket_summary/fields/agent.yml b/packages/system/data_stream/socket_summary/fields/agent.yml index da4e652c53b..3c816026810 100644 --- a/packages/system/data_stream/socket_summary/fields/agent.yml +++ b/packages/system/data_stream/socket_summary/fields/agent.yml 
@@ -82,117 +82,3 @@ type: keyword ignore_above: 1024 description: Container name. -- name: host - title: Host - group: 2 - description: 'A host is defined as a general computing instance. - - ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' - type: group - fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). 
- example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - - name: containerized - type: boolean - description: > - If the host is a container. - - - name: os.build - type: keyword - example: "18D109" - description: > - OS build information. - - - name: os.codename - type: keyword - example: "stretch" - description: > - OS codename, if any. - diff --git a/packages/system/data_stream/socket_summary/fields/base-fields.yml b/packages/system/data_stream/socket_summary/fields/base-fields.yml index 1ed72ba281e..0e1c056093a 100644 --- a/packages/system/data_stream/socket_summary/fields/base-fields.yml +++ b/packages/system/data_stream/socket_summary/fields/base-fields.yml @@ -7,9 +7,6 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. - name: event.module type: constant_keyword description: Event module 
diff --git a/packages/system/data_stream/syslog/fields/base-fields.yml b/packages/system/data_stream/syslog/fields/base-fields.yml index c43f2568370..b2c2a69a9a1 100644 --- a/packages/system/data_stream/syslog/fields/base-fields.yml +++ b/packages/system/data_stream/syslog/fields/base-fields.yml @@ -8,14 +8,7 @@ - name: data_stream.namespace type: constant_keyword description: Data stream namespace. -- name: '@timestamp' - type: date - description: Event timestamp. - name: event.dataset type: constant_keyword description: Event dataset. value: system.syslog -- name: event.module - type: constant_keyword - description: Event module - value: system diff --git a/packages/system/data_stream/system/fields/base-fields.yml b/packages/system/data_stream/system/fields/base-fields.yml index 567c816e149..8763045cdd8 100644 --- a/packages/system/data_stream/system/fields/base-fields.yml +++ b/packages/system/data_stream/system/fields/base-fields.yml @@ -10,10 +10,6 @@ - name: '@timestamp' type: date description: Event timestamp. -- name: event.module - type: constant_keyword - description: Event module - value: system - name: event.dataset type: constant_keyword description: Event dataset. diff --git a/packages/system/docs/README.md b/packages/system/docs/README.md index 6612c9f3366..8edeb7c4ee1 100644 --- a/packages/system/docs/README.md +++ b/packages/system/docs/README.md 
@@ -851,7 +851,7 @@ The `auth` dataset provides auth logs on linux and MacOS prior to 10.8. | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | 
@@ -877,7 +877,7 @@ The `auth` dataset provides auth logs on linux and MacOS prior to 10.8. | event.dataset | Event dataset. | constant_keyword | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | | event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | 
@@ -890,7 +890,7 @@ The `auth` dataset provides auth logs on linux and MacOS prior to 10.8. | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | -| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.mac | Host mac addresses. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | @@ -949,7 +949,7 @@ The `syslog` dataset provides system logs on linux and MacOS. | Field | Description | Type | |---|---|---| -| @timestamp | Event timestamp. | date | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.availability_zone | Availability zone in which this host is running. | keyword | | cloud.image.id | Image ID for the cloud instance. | keyword | 
@@ -974,7 +974,7 @@ The `syslog` dataset provides system logs on linux and MacOS. | event.dataset | Event dataset. | constant_keyword | | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | -| event.module | Event module | constant_keyword | +| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword | | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. 
Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword | | event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long | @@ -1042,7 +1042,6 @@ This dataset is available on: | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | | host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | 
@@ -1067,8 +1066,6 @@ This dataset is available on: | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.full | Operating system name, including the version or code name. | keyword | | | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | @@ -1135,8 +1132,6 @@ This dataset is available on: | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | | host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | -| host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | percent | gauge | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | 
@@ -1161,8 +1156,6 @@ This dataset is available on: | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.full | Operating system name, including the version or code name. | keyword | | | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | 
@@ -1239,10 +1232,9 @@ This dataset is available on: | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | | host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | -| host.disk.read.bytes | The total number of bytes read successfully in a given period of time. | scaled_float | byte | gauge | -| host.disk.write.bytes | The total number of bytes write successfully in a given period of time. | scaled_float | byte | gauge | +| host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | +| host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | | host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | | host.geo.city_name | City name. | keyword | | | | host.geo.continent_code | Two-letter code representing continent's name. | keyword | | | 
@@ -1264,8 +1256,6 @@ This dataset is available on: | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.full | Operating system name, including the version or code name. | keyword | | | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | @@ -1402,7 +1392,6 @@ This dataset is available on: | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | | host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | 
@@ -1427,8 +1416,6 @@ This dataset is available on: | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.full | Operating system name, including the version or code name. | keyword | | | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | @@ -1482,7 +1469,6 @@ This dataset is available on: | event.dataset | Event dataset. | constant_keyword | | | event.module | Event module | constant_keyword | | | host.architecture | Operating system architecture. | keyword | | -| host.containerized | If the host is a container. | boolean | | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | 
@@ -1507,8 +1493,6 @@ This dataset is available on: | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | -| host.os.build | OS build information. | keyword | | -| host.os.codename | OS codename, if any. | keyword | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | host.os.full | Operating system name, including the version or code name. | keyword | | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | @@ -1565,7 +1549,6 @@ This dataset is available on: | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | | host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | 
@@ -1590,14 +1573,12 @@ This dataset is available on: | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.full | Operating system name, including the version or code name. | keyword | | | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | | | host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | | host.os.version | Operating system version as a raw string. | keyword | | | 
@@ -1652,7 +1633,7 @@ This dataset is available on: | Field | Description | Type | Unit | Metric Type | |---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | | cloud.availability_zone | Availability zone in which this host is running. | keyword | | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | @@ -1675,7 +1656,6 @@ This dataset is available on: | group.id | Unique identifier for the group on the system/platform. | keyword | | | | group.name | Name of the group. | keyword | | | | host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | 
@@ -1694,18 +1674,12 @@ This dataset is available on: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | | host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | -| host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | long | | | -| host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. | scaled_float | | counter | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | -| host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. 
| scaled_float | byte | counter | -| host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | scaled_float | | counter | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.full | Operating system name, including the version or code name. | keyword | | | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | @@ -1994,7 +1968,6 @@ This dataset is available on: | event.dataset | Event dataset. | constant_keyword | | | | event.module | Event module | constant_keyword | | | | host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | | 
@@ -2013,14 +1986,12 @@ This dataset is available on: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | | host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | | host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | | host.os.full | Operating system name, including the version or code name. | keyword | | | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | 
@@ -2045,8 +2016,6 @@ This dataset is available on: | process.code_signature.valid | Boolean to capture if the digital signature is verified against the binary content. Leave unpopulated if a certificate was unchecked. | boolean | | | | process.command_line | Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. | wildcard | | | | process.command_line.text | Multi-field of `process.command_line`. | match_only_text | | | -| process.cpu.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | | | -| process.cpu.start_time | The time when the process was started. | date | | | | process.elf.architecture | Machine architecture of the ELF file. | keyword | | | | process.elf.byte_order | Byte sequence of ELF file. | keyword | | | | process.elf.cpu_type | CPU type of the ELF file. | keyword | | | @@ -2086,7 +2055,6 @@ This dataset is available on: | process.hash.sha256 | SHA256 hash. | keyword | | | | process.hash.sha512 | SHA512 hash. | keyword | | | | process.hash.ssdeep | SSDEEP hash. | keyword | | | -| process.memory.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | | | | process.name | Process name. Sometimes called program name or similar. | keyword | | | | process.name.text | Multi-field of `process.name`. | match_only_text | | | | process.parent.args | Array of process arguments, starting with the absolute path to the executable. May be filtered to protect sensitive information. | keyword | | | 
@@ -2170,7 +2138,6 @@ This dataset is available on: | process.pgid | Identifier of the group of processes the process belongs to. | long | | | | process.pid | Process id. | long | | | | process.start | The time the process started. | date | | | -| process.state | The process state. For example: "running". | keyword | | | | process.thread.id | Thread ID. | long | | | | process.thread.name | Thread name. | keyword | | | | process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword | | | @@ -2400,7 +2367,6 @@ This dataset is available on: | group.id | Unique identifier for the group on the system/platform. | keyword | | | group.name | Name of the group. | keyword | | | host.architecture | Operating system architecture. | keyword | | -| host.containerized | If the host is a container. | boolean | | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | 
@@ -2419,20 +2385,18 @@ This dataset is available on: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | host.ip | Host ip addresses. | ip | | -| host.mac | Host mac addresses. | keyword | | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | host.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | -| host.os.build | OS build information. | keyword | | -| host.os.codename | OS codename, if any. | keyword | | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | host.os.full | Operating system name, including the version or code name. | keyword | | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | | host.os.kernel | Operating system kernel version as a raw string. 
| keyword | | | host.os.name | Operating system name, without the version. | keyword | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | | host.os.version | Operating system version as a raw string. | keyword | | @@ -2696,7 +2660,7 @@ This dataset is available on: | Field | Description | Type | Unit | Metric Type | |---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | | | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | | cloud.availability_zone | Availability zone in which this host is running. | keyword | | | | cloud.image.id | Image ID for the cloud instance. | keyword | | | 
@@ -2719,7 +2683,6 @@ This dataset is available on:
 | group.id | Unique identifier for the group on the system/platform. | keyword | | |
 | group.name | Name of the group. | keyword | | |
 | host.architecture | Operating system architecture. | keyword | | |
-| host.containerized | If the host is a container. | boolean | | |
 | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | |
 | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | |
 | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | | |
@@ -2744,14 +2707,12 @@ This dataset is available on:
 | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | |
 | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | |
 | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | | |
-| host.os.build | OS build information. | keyword | | |
-| host.os.codename | OS codename, if any. | keyword | | |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
 | host.os.full | Operating system name, including the version or code name. | keyword | | |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
 | host.os.name | Operating system name, without the version. | keyword | | |
-| host.os.name.text | Multi-field of `host.os.name`. | text | | |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
 | host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword | | |
 | host.os.version | Operating system version as a raw string. | keyword | | |
diff --git a/packages/ti_misp/data_stream/threat/fields/base-fields.yml b/packages/ti_misp/data_stream/threat/fields/base-fields.yml
index ad1000cb9b2..754431c484e 100644
--- a/packages/ti_misp/data_stream/threat/fields/base-fields.yml
+++ b/packages/ti_misp/data_stream/threat/fields/base-fields.yml
@@ -15,10 +15,6 @@
 type: constant_keyword
 description: Event dataset
 value: ti_misp.threat
-- name: threat.feed.name
- type: constant_keyword
- description: Display friendly feed name
- value: MISP
 - name: threat.feed.dashboard_id
 type: constant_keyword
 description: Dashboard ID used for Kibana CTI UI
diff --git a/packages/ti_threatq/data_stream/threat/fields/base-fields.yml b/packages/ti_threatq/data_stream/threat/fields/base-fields.yml
index 701a58f1514..4f3471fc6f5 100644
--- a/packages/ti_threatq/data_stream/threat/fields/base-fields.yml
+++ b/packages/ti_threatq/data_stream/threat/fields/base-fields.yml
@@ -11,10 +11,6 @@
 type: constant_keyword
 description: Event module
 value: ti_threatq
-- name: threat.feed.name
- type: constant_keyword
- description: Display friendly feed name
- value: ThreatQuotient
 - name: threat.feed.dashboard_id
 type: constant_keyword
 description: Dashboard ID used for Kibana CTI UI
diff --git a/packages/tomcat/data_stream/log/fields/base-fields.yml b/packages/tomcat/data_stream/log/fields/base-fields.yml
index 423a2e20de9..9ea6d274acc 100644
--- a/packages/tomcat/data_stream/log/fields/base-fields.yml
+++ b/packages/tomcat/data_stream/log/fields/base-fields.yml
@@ -7,9 +7,6 @@
 - name: data_stream.namespace
 type: constant_keyword
 description: Data stream namespace.
-- name: '@timestamp'
- type: date
- description: Event timestamp.
 - name: event.module
 type: constant_keyword
 description: Event module
diff --git a/packages/tomcat/docs/README.md b/packages/tomcat/docs/README.md
index 6fb84c060ef..306ccc23390 100644
--- a/packages/tomcat/docs/README.md
+++ b/packages/tomcat/docs/README.md
@@ -12,7 +12,7 @@ The `log` dataset collects Apache Tomcat logs.
 | Field | Description | Type |
 |---|---|---|
-| @timestamp | Event timestamp. | date |
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
 | client.domain | The domain name of the client system. This value may be a host name, a fully qualified domain name, or another host naming format. The value may derive from the original event or be added from enrichment. | keyword |
 | client.registered_domain | The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
 | client.subdomain | The subdomain portion of a fully qualified domain name includes all of the names except the host name under the registered_domain. In a partially qualified domain, or if the the qualification level of the full name cannot be determined, subdomain contains all of the names below the registered domain. For example the subdomain portion of "www.east.mydomain.co.uk" is "east". If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
diff --git a/packages/zscaler/data_stream/zia/fields/base-fields.yml b/packages/zscaler/data_stream/zia/fields/base-fields.yml
index 9a64f92d5b5..f86ea60596b 100644
--- a/packages/zscaler/data_stream/zia/fields/base-fields.yml
+++ b/packages/zscaler/data_stream/zia/fields/base-fields.yml
@@ -15,9 +15,6 @@
type: constant_keyword
description: Event dataset
value: zscaler.zia
-- name: '@timestamp'
- type: date
- description: Event timestamp.
- name: container.id
description: Unique container id.
ignore_above: 1024
@@ -39,8 +36,3 @@
- name: log.offset
description: Offset of the entry in the log file.
type: long
-- name: tags
- description: List of keywords used to tag each event.
- example: '["production", "env2"]'
- ignore_above: 1024
- type: keyword
From fccd3de9c4f690d567d81c2ec42ac176096704d7 Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor
Date: Tue, 10 May 2022 12:53:18 +0200
Subject: [PATCH 10/28] More duplicates
---
.../data_stream/app_insights/fields/agent.yml | 15 --
.../data_stream/app_state/fields/agent.yml | 15 --
.../data_stream/billing/fields/agent.yml | 15 --
.../data_stream/compute_vm/fields/agent.yml | 15 --
.../compute_vm_scaleset/fields/agent.yml | 15 --
.../container_instance/fields/agent.yml | 15 --
.../container_registry/fields/agent.yml | 15 --
.../container_service/fields/agent.yml | 15 --
.../database_account/fields/agent.yml | 15 --
.../data_stream/monitor/fields/agent.yml | 15 --
.../storage_account/fields/agent.yml | 15 --
.../data_stream/alert/fields/agent.yml | 33 ----
.../fields/agent.yml | 40 -----
.../endpoint_event/fields/agent.yml | 44 -----
.../watchlist_hit/fields/agent.yml | 27 ---
packages/carbon_black_cloud/docs/README.md | 4 +-
.../data_stream/log/fields/agent.yml | 18 --
.../data_stream/firewall/fields/agent.yml | 27 ---
packages/checkpoint/docs/README.md | 2 +-
.../cisco/data_stream/meraki/fields/agent.yml | 23 ---
.../cisco/data_stream/nexus/fields/agent.yml | 23 ---
.../data_stream/log/fields/agent.yml | 9 -
packages/cisco_ise/docs/README.md | 2 +-
.../data_stream/events/fields/agent.yml | 23 ---
.../data_stream/log/fields/agent.yml | 23 ---
packages/cisco_meraki/docs/README.md | 6 +-
.../data_stream/log/fields/agent.yml | 23 ---
.../data_stream/log/fields/agent.yml | 23 ---
packages/cisco_umbrella/docs/README.md | 2 +-
.../data_stream/status/fields/agent.yml | 15 --
.../data_stream/falcon/fields/agent.yml | 12 --
.../fim/data_stream/event/fields/agent.yml | 11 --
.../fireeye/data_stream/nx/fields/agent.yml | 4 -
.../clientendpoint/fields/agent.yml | 23 ---
.../data_stream/firewall/fields/agent.yml | 5 -
.../data_stream/fortimail/fields/agent.yml | 23 ---
.../data_stream/fortimanager/fields/agent.yml | 23 ---
.../data_stream/admin/fields/agent.yml | 5 -
.../data_stream/drive/fields/agent.yml | 5 -
.../data_stream/groups/fields/agent.yml | 5 -
.../data_stream/login/fields/agent.yml | 5 -
.../data_stream/saml/fields/agent.yml | 5 -
.../user_accounts/fields/agent.yml | 5 -
.../data_stream/winlog/fields/agent.yml | 7 -
.../iis/data_stream/access/fields/agent.yml | 7 -
.../data_stream/log/fields/agent.yml | 4 -
.../data_stream/junos/fields/agent.yml | 23 ---
.../data_stream/netscreen/fields/agent.yml | 23 ---
.../juniper/data_stream/srx/fields/agent.yml | 163 ------------------
packages/juniper/docs/README.md | 8 +-
.../data_stream/log/fields/agent.yml | 23 ---
.../data_stream/log/fields/agent.yml | 23 ---
.../data_stream/log/fields/agent.yml | 163 ------------------
packages/juniper_srx/docs/README.md | 4 +-
.../data_stream/defender_atp/fields/agent.yml | 28 ---
.../data_stream/dhcp/fields/agent.yml | 23 ---
.../data_stream/log/fields/agent.yml | 28 ---
.../data_stream/auditlog/fields/agent.yml | 4 -
.../netflow/data_stream/log/fields/agent.yml | 151 ----------------
packages/netflow/docs/README.md | 6 +-
.../data_stream/alerts/fields/agent.yml | 26 ---
.../data_stream/events/fields/agent.yml | 13 --
packages/netskope/docs/README.md | 6 +-
.../nginx/data_stream/access/fields/agent.yml | 4 -
.../nginx/data_stream/error/fields/agent.yml | 4 -
.../data_stream/stubstatus/fields/agent.yml | 4 -
.../data_stream/access/fields/agent.yml | 4 -
.../o365/data_stream/audit/fields/agent.yml | 21 ---
.../okta/data_stream/system/fields/agent.yml | 5 -
.../panw/data_stream/panos/fields/agent.yml | 5 -
.../data_stream/alerts/fields/agent.yml | 40 -----
packages/panw_cortex_xdr/docs/README.md | 2 +-
.../snort/data_stream/log/fields/agent.yml | 4 -
.../suricata/data_stream/eve/fields/agent.yml | 4 -
.../data_stream/log/fields/agent.yml | 5 -
.../system/data_stream/auth/fields/agent.yml | 76 --------
.../data_stream/security/fields/agent.yml | 7 -
.../data_stream/syslog/fields/agent.yml | 76 --------
packages/system/docs/README.md | 6 +-
.../data_stream/forwarded/fields/agent.yml |
7 -
.../data_stream/powershell/fields/agent.yml | 7 -
.../powershell_operational/fields/agent.yml | 7 -
.../sysmon_operational/fields/agent.yml | 7 -
.../data_stream/capture_loss/fields/agent.yml | 4 -
.../data_stream/connection/fields/agent.yml | 4 -
.../zeek/data_stream/dce_rpc/fields/agent.yml | 4 -
.../zeek/data_stream/dhcp/fields/agent.yml | 4 -
.../zeek/data_stream/dnp3/fields/agent.yml | 4 -
.../zeek/data_stream/dns/fields/agent.yml | 4 -
.../zeek/data_stream/dpd/fields/agent.yml | 4 -
.../zeek/data_stream/files/fields/agent.yml | 4 -
.../zeek/data_stream/ftp/fields/agent.yml | 4 -
.../zeek/data_stream/http/fields/agent.yml | 4 -
.../zeek/data_stream/intel/fields/agent.yml | 4 -
.../zeek/data_stream/irc/fields/agent.yml | 4 -
.../data_stream/kerberos/fields/agent.yml | 4 -
.../zeek/data_stream/modbus/fields/agent.yml | 4 -
.../zeek/data_stream/mysql/fields/agent.yml | 4 -
.../zeek/data_stream/notice/fields/agent.yml | 4 -
.../zeek/data_stream/ntlm/fields/agent.yml | 4 -
.../zeek/data_stream/ntp/fields/agent.yml | 4 -
.../zeek/data_stream/ocsp/fields/agent.yml | 4 -
packages/zeek/data_stream/pe/fields/agent.yml | 4 -
.../zeek/data_stream/radius/fields/agent.yml | 4 -
.../zeek/data_stream/rdp/fields/agent.yml | 4 -
.../zeek/data_stream/rfb/fields/agent.yml | 4 -
.../data_stream/signature/fields/agent.yml | 4 -
.../zeek/data_stream/sip/fields/agent.yml | 4 -
.../zeek/data_stream/smb_cmd/fields/agent.yml | 4 -
.../data_stream/smb_files/fields/agent.yml | 4 -
.../data_stream/smb_mapping/fields/agent.yml | 4 -
.../zeek/data_stream/smtp/fields/agent.yml | 4 -
.../zeek/data_stream/snmp/fields/agent.yml | 4 -
.../zeek/data_stream/socks/fields/agent.yml | 4 -
.../zeek/data_stream/ssh/fields/agent.yml | 4 -
.../zeek/data_stream/ssl/fields/agent.yml | 4 -
.../zeek/data_stream/stats/fields/agent.yml | 4 -
.../zeek/data_stream/syslog/fields/agent.yml | 4 -
.../data_stream/traceroute/fields/agent.yml | 4 -
.../zeek/data_stream/tunnel/fields/agent.yml | 4 -
.../zeek/data_stream/weird/fields/agent.yml | 4 -
.../zeek/data_stream/x509/fields/agent.yml | 4 -
.../data_stream/firewall/fields/agent.yml | 7 -
123 files changed, 24 insertions(+), 1830 deletions(-)
diff --git a/packages/azure_application_insights/data_stream/app_insights/fields/agent.yml b/packages/azure_application_insights/data_stream/app_insights/fields/agent.yml
index 3c816026810..71cada4f6f8 100644
--- a/packages/azure_application_insights/data_stream/app_insights/fields/agent.yml
+++ b/packages/azure_application_insights/data_stream/app_insights/fields/agent.yml
@@ -62,23 +62,8 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
diff --git a/packages/azure_application_insights/data_stream/app_state/fields/agent.yml b/packages/azure_application_insights/data_stream/app_state/fields/agent.yml
index 3c816026810..71cada4f6f8 100644
--- a/packages/azure_application_insights/data_stream/app_state/fields/agent.yml
+++ b/packages/azure_application_insights/data_stream/app_state/fields/agent.yml
@@ -62,23 +62,8 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
diff --git a/packages/azure_billing/data_stream/billing/fields/agent.yml b/packages/azure_billing/data_stream/billing/fields/agent.yml
index 3c816026810..71cada4f6f8 100644
--- a/packages/azure_billing/data_stream/billing/fields/agent.yml
+++ b/packages/azure_billing/data_stream/billing/fields/agent.yml
@@ -62,23 +62,8 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
diff --git a/packages/azure_metrics/data_stream/compute_vm/fields/agent.yml b/packages/azure_metrics/data_stream/compute_vm/fields/agent.yml
index 3c816026810..71cada4f6f8 100644
--- a/packages/azure_metrics/data_stream/compute_vm/fields/agent.yml
+++ b/packages/azure_metrics/data_stream/compute_vm/fields/agent.yml
@@ -62,23 +62,8 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
diff --git a/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/agent.yml b/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/agent.yml
index 3c816026810..71cada4f6f8 100644
--- a/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/agent.yml
+++ b/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/agent.yml
@@ -62,23 +62,8 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
diff --git a/packages/azure_metrics/data_stream/container_instance/fields/agent.yml b/packages/azure_metrics/data_stream/container_instance/fields/agent.yml
index 3c816026810..71cada4f6f8 100644
--- a/packages/azure_metrics/data_stream/container_instance/fields/agent.yml
+++ b/packages/azure_metrics/data_stream/container_instance/fields/agent.yml
@@ -62,23 +62,8 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
diff --git a/packages/azure_metrics/data_stream/container_registry/fields/agent.yml b/packages/azure_metrics/data_stream/container_registry/fields/agent.yml
index 3c816026810..71cada4f6f8 100644
--- a/packages/azure_metrics/data_stream/container_registry/fields/agent.yml
+++ b/packages/azure_metrics/data_stream/container_registry/fields/agent.yml
@@ -62,23 +62,8 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
diff --git a/packages/azure_metrics/data_stream/container_service/fields/agent.yml b/packages/azure_metrics/data_stream/container_service/fields/agent.yml
index 3c816026810..71cada4f6f8 100644
--- a/packages/azure_metrics/data_stream/container_service/fields/agent.yml
+++ b/packages/azure_metrics/data_stream/container_service/fields/agent.yml
@@ -62,23 +62,8 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
diff --git a/packages/azure_metrics/data_stream/database_account/fields/agent.yml b/packages/azure_metrics/data_stream/database_account/fields/agent.yml
index 3c816026810..71cada4f6f8 100644
--- a/packages/azure_metrics/data_stream/database_account/fields/agent.yml
+++ b/packages/azure_metrics/data_stream/database_account/fields/agent.yml
@@ -62,23 +62,8 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
diff --git a/packages/azure_metrics/data_stream/monitor/fields/agent.yml b/packages/azure_metrics/data_stream/monitor/fields/agent.yml
index 3c816026810..71cada4f6f8 100644
--- a/packages/azure_metrics/data_stream/monitor/fields/agent.yml
+++ b/packages/azure_metrics/data_stream/monitor/fields/agent.yml
@@ -62,23 +62,8 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
diff --git a/packages/azure_metrics/data_stream/storage_account/fields/agent.yml b/packages/azure_metrics/data_stream/storage_account/fields/agent.yml
index 3c816026810..71cada4f6f8 100644
--- a/packages/azure_metrics/data_stream/storage_account/fields/agent.yml
+++ b/packages/azure_metrics/data_stream/storage_account/fields/agent.yml
@@ -62,23 +62,8 @@
These fields help correlate data based containers from any runtime.'
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- name: labels
level: extended
type: object
object_type: keyword
description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
diff --git a/packages/carbon_black_cloud/data_stream/alert/fields/agent.yml b/packages/carbon_black_cloud/data_stream/alert/fields/agent.yml
index e313ec82874..bf2dfff6756 100644
--- a/packages/carbon_black_cloud/data_stream/alert/fields/agent.yml
+++ b/packages/carbon_black_cloud/data_stream/alert/fields/agent.yml
@@ -105,38 +105,11 @@
For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
example: CONTOSO
default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
ignore_above: 1024
description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- name: os.family
level: extended
type: keyword
@@ -166,12 +139,6 @@
ignore_above: 1024
description: Operating system platform (such centos, ubuntu, windows).
example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- name: type
level: core
type: keyword
diff --git a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/fields/agent.yml b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/fields/agent.yml
index e313ec82874..c761dfb768a 100644
--- a/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/fields/agent.yml
+++ b/packages/carbon_black_cloud/data_stream/asset_vulnerability_summary/fields/agent.yml
@@ -105,22 +105,6 @@
For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
example: CONTOSO
default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- name: ip
level: core
type: ip
@@ -130,13 +114,6 @@
type: keyword
ignore_above: 1024
description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- name: os.family
level: extended
type: keyword
@@ -149,29 +126,12 @@
ignore_above: 1024
description: Operating system kernel version as a raw string.
example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- name: os.platform
level: extended
type: keyword
ignore_above: 1024
description: Operating system platform (such centos, ubuntu, windows).
example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- name: type
level: core
type: keyword
diff --git a/packages/carbon_black_cloud/data_stream/endpoint_event/fields/agent.yml b/packages/carbon_black_cloud/data_stream/endpoint_event/fields/agent.yml
index e313ec82874..643c71067ef 100644
--- a/packages/carbon_black_cloud/data_stream/endpoint_event/fields/agent.yml
+++ b/packages/carbon_black_cloud/data_stream/endpoint_event/fields/agent.yml
@@ -105,61 +105,17 @@
For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
example: CONTOSO
default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
ignore_above: 1024
description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- name: os.kernel
level: extended
type: keyword
ignore_above: 1024
description: Operating system kernel version as a raw string.
example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- name: os.platform
level: extended
type: keyword
diff --git a/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/agent.yml b/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/agent.yml
index e313ec82874..1ff9745963f 100644
--- a/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/agent.yml
+++ b/packages/carbon_black_cloud/data_stream/watchlist_hit/fields/agent.yml
@@ -105,38 +105,11 @@
For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
example: CONTOSO
default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- name: mac
level: core
type: keyword
ignore_above: 1024
description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- name: os.family
level: extended
type: keyword
diff --git a/packages/carbon_black_cloud/docs/README.md b/packages/carbon_black_cloud/docs/README.md
index b07163713d4..6e6dc9efd2d 100644
--- a/packages/carbon_black_cloud/docs/README.md
+++ b/packages/carbon_black_cloud/docs/README.md
@@ -632,7 +632,7 @@ An example event for `endpoint_event` looks as following:
| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
| host.os.kernel | Operating system kernel version as a raw string. | keyword |
| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
| host.os.version | Operating system version as a raw string. | keyword |
| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
@@ -1029,7 +1029,7 @@ An example event for `asset_vulnerability_summary` looks as following:
| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
| host.os.kernel | Operating system kernel version as a raw string. | keyword |
| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
| host.os.type | Use the `os.type` field to categorize the operating system into one of the broad commercial families. One of these following values should be used (lowercase): linux, macos, unix, windows. If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. | keyword |
| host.os.version | Operating system version as a raw string. | keyword |
diff --git a/packages/carbonblack_edr/data_stream/log/fields/agent.yml b/packages/carbonblack_edr/data_stream/log/fields/agent.yml
index 4d9a6f7b362..8d787b7c8dc 100644
--- a/packages/carbonblack_edr/data_stream/log/fields/agent.yml
+++ b/packages/carbonblack_edr/data_stream/log/fields/agent.yml
@@ -46,13 +46,6 @@
type: keyword
ignore_above: 1024
description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- name: os.family
level: extended
type: keyword
@@ -65,17 +58,6 @@
ignore_above: 1024
description: Operating system kernel version as a raw string.
example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- name: os.platform
level: extended
type: keyword
diff --git a/packages/checkpoint/data_stream/firewall/fields/agent.yml b/packages/checkpoint/data_stream/firewall/fields/agent.yml
index 79a7a39864b..915a21e22ae 100644
--- a/packages/checkpoint/data_stream/firewall/fields/agent.yml
+++ b/packages/checkpoint/data_stream/firewall/fields/agent.yml
@@ -58,11 +58,6 @@
description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
type: group
fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- name: image.name
level: extended
type: keyword
@@ -116,11 +111,6 @@
type: keyword
ignore_above: 1024
description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: "Name of the host.\nIt can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use."
- name: os.family
level: extended
type: keyword
@@ -133,29 +123,12 @@
ignore_above: 1024
description: Operating system kernel version as a raw string.
example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- name: os.platform
level: extended
type: keyword
ignore_above: 1024
description: Operating system platform (such centos, ubuntu, windows).
example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
- name: type
level: core
type: keyword
diff --git a/packages/checkpoint/docs/README.md b/packages/checkpoint/docs/README.md
index fc596238769..a0b057cdb9f 100644
--- a/packages/checkpoint/docs/README.md
+++ b/packages/checkpoint/docs/README.md
@@ -592,7 +592,7 @@ An example event for `firewall` looks as following:
| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
| host.os.kernel | Operating system kernel version as a raw string. | keyword |
| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
| host.os.version | Operating system version as a raw string. | keyword |
| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
diff --git a/packages/cisco/data_stream/meraki/fields/agent.yml b/packages/cisco/data_stream/meraki/fields/agent.yml
index da4e652c53b..38bb8dcec56 100644
--- a/packages/cisco/data_stream/meraki/fields/agent.yml
+++ b/packages/cisco/data_stream/meraki/fields/agent.yml
@@ -105,13 +105,6 @@
For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
example: CONTOSO
default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- name: id
level: core
type: keyword
@@ -121,22 +114,6 @@
 As hostname is not always unique, use values that are meaningful in your environment.
 
 Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/cisco/data_stream/nexus/fields/agent.yml b/packages/cisco/data_stream/nexus/fields/agent.yml
index da4e652c53b..38bb8dcec56 100644
--- a/packages/cisco/data_stream/nexus/fields/agent.yml
+++ b/packages/cisco/data_stream/nexus/fields/agent.yml
@@ -105,13 +105,6 @@
 For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
 - name: id
 level: core
 type: keyword
@@ -121,22 +114,6 @@
 As hostname is not always unique, use values that are meaningful in your environment.
 
 Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/cisco_ise/data_stream/log/fields/agent.yml b/packages/cisco_ise/data_stream/log/fields/agent.yml
index 6e1bac042bc..98d2f9f38d5 100644
--- a/packages/cisco_ise/data_stream/log/fields/agent.yml
+++ b/packages/cisco_ise/data_stream/log/fields/agent.yml
@@ -97,20 +97,11 @@
 description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.'
 - name: id
 level: core
 type: keyword
 ignore_above: 1024
 description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/cisco_ise/docs/README.md b/packages/cisco_ise/docs/README.md
index 9e7295a4111..22269231ceb 100644
--- a/packages/cisco_ise/docs/README.md
+++ b/packages/cisco_ise/docs/README.md
@@ -406,7 +406,7 @@ An example event for `log` looks as following:
 | cisco_ise.log.session.timeout | | long |
 | cisco_ise.log.severity.level | | long |
 | cisco_ise.log.software.version | | keyword |
-| cisco_ise.log.state | | text |
+| cisco_ise.log.state | | keyword |
 | cisco_ise.log.static.assignment | | boolean |
 | cisco_ise.log.status | | keyword |
 | cisco_ise.log.step | | keyword |
diff --git a/packages/cisco_meraki/data_stream/events/fields/agent.yml b/packages/cisco_meraki/data_stream/events/fields/agent.yml
index 162c9f3aa38..90bd07fa045 100644
--- a/packages/cisco_meraki/data_stream/events/fields/agent.yml
+++ b/packages/cisco_meraki/data_stream/events/fields/agent.yml
@@ -105,13 +105,6 @@
 For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
 - name: id
 level: core
 type: keyword
@@ -121,22 +114,6 @@
 As hostname is not always unique, use values that are meaningful in your environment.
 
 Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/cisco_meraki/data_stream/log/fields/agent.yml b/packages/cisco_meraki/data_stream/log/fields/agent.yml
index 162c9f3aa38..90bd07fa045 100644
--- a/packages/cisco_meraki/data_stream/log/fields/agent.yml
+++ b/packages/cisco_meraki/data_stream/log/fields/agent.yml
@@ -105,13 +105,6 @@
 For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
 - name: id
 level: core
 type: keyword
@@ -121,22 +114,6 @@
 As hostname is not always unique, use values that are meaningful in your environment.
 
 Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/cisco_meraki/docs/README.md b/packages/cisco_meraki/docs/README.md
index 1a041a2565f..362b1c2a302 100644
--- a/packages/cisco_meraki/docs/README.md
+++ b/packages/cisco_meraki/docs/README.md
@@ -177,7 +177,7 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
@@ -190,7 +190,7 @@ The `cisco_meraki.log` dataset provides events from the configured syslog server
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
 | http.request.referrer | Referrer for this HTTP request. | keyword |
-| input.type | Type of Filebeat input. | keyword |
+| input.type | Input type. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
@@ -499,7 +499,7 @@ An example event for `log` looks as following:
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
diff --git a/packages/cisco_nexus/data_stream/log/fields/agent.yml b/packages/cisco_nexus/data_stream/log/fields/agent.yml
index da4e652c53b..38bb8dcec56 100644
--- a/packages/cisco_nexus/data_stream/log/fields/agent.yml
+++ b/packages/cisco_nexus/data_stream/log/fields/agent.yml
@@ -105,13 +105,6 @@
 For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
 - name: id
 level: core
 type: keyword
@@ -121,22 +114,6 @@
 As hostname is not always unique, use values that are meaningful in your environment.
 
 Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/cisco_umbrella/data_stream/log/fields/agent.yml b/packages/cisco_umbrella/data_stream/log/fields/agent.yml
index da4e652c53b..38bb8dcec56 100644
--- a/packages/cisco_umbrella/data_stream/log/fields/agent.yml
+++ b/packages/cisco_umbrella/data_stream/log/fields/agent.yml
@@ -105,13 +105,6 @@
 For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
 - name: id
 level: core
 type: keyword
@@ -121,22 +114,6 @@
 As hostname is not always unique, use values that are meaningful in your environment.
 
 Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/cisco_umbrella/docs/README.md b/packages/cisco_umbrella/docs/README.md
index 6af338e67e9..9836bb86213 100644
--- a/packages/cisco_umbrella/docs/README.md
+++ b/packages/cisco_umbrella/docs/README.md
@@ -202,7 +202,7 @@ An example event for `log` looks as following:
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
diff --git a/packages/cockroachdb/data_stream/status/fields/agent.yml b/packages/cockroachdb/data_stream/status/fields/agent.yml
index b4432e51eb7..bb0bad1faae 100644
--- a/packages/cockroachdb/data_stream/status/fields/agent.yml
+++ b/packages/cockroachdb/data_stream/status/fields/agent.yml
@@ -58,23 +58,8 @@
 description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
 type: group
 fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
 - name: labels
 level: extended
 type: object
 object_type: keyword
 description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
diff --git a/packages/crowdstrike/data_stream/falcon/fields/agent.yml b/packages/crowdstrike/data_stream/falcon/fields/agent.yml
index da4e652c53b..771058c6dca 100644
--- a/packages/crowdstrike/data_stream/falcon/fields/agent.yml
+++ b/packages/crowdstrike/data_stream/falcon/fields/agent.yml
@@ -62,11 +62,6 @@
 These fields help correlate data based containers from any runtime.'
 type: group
 fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
 - name: image.name
 level: extended
 type: keyword
@@ -130,13 +125,6 @@
 type: keyword
 ignore_above: 1024
 description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/fim/data_stream/event/fields/agent.yml b/packages/fim/data_stream/event/fields/agent.yml
index e313ec82874..f027c185f47 100644
--- a/packages/fim/data_stream/event/fields/agent.yml
+++ b/packages/fim/data_stream/event/fields/agent.yml
@@ -77,11 +77,6 @@
 type: object
 object_type: keyword
 description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
@@ -90,12 +85,6 @@
 ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
 - name: domain
 level: extended
 type: keyword
diff --git a/packages/fireeye/data_stream/nx/fields/agent.yml b/packages/fireeye/data_stream/nx/fields/agent.yml
index a371c03d96d..368be734273 100644
--- a/packages/fireeye/data_stream/nx/fields/agent.yml
+++ b/packages/fireeye/data_stream/nx/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/fortinet/data_stream/clientendpoint/fields/agent.yml b/packages/fortinet/data_stream/clientendpoint/fields/agent.yml
index da4e652c53b..38bb8dcec56 100644
--- a/packages/fortinet/data_stream/clientendpoint/fields/agent.yml
+++ b/packages/fortinet/data_stream/clientendpoint/fields/agent.yml
@@ -105,13 +105,6 @@
 For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
 - name: id
 level: core
 type: keyword
@@ -121,22 +114,6 @@
 As hostname is not always unique, use values that are meaningful in your environment.
 
 Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/fortinet/data_stream/firewall/fields/agent.yml b/packages/fortinet/data_stream/firewall/fields/agent.yml
index f6127c3e224..8e774447801 100644
--- a/packages/fortinet/data_stream/firewall/fields/agent.yml
+++ b/packages/fortinet/data_stream/firewall/fields/agent.yml
@@ -58,11 +58,6 @@
 description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
 type: group
 fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
 - name: image.name
 level: extended
 type: keyword
diff --git a/packages/fortinet/data_stream/fortimail/fields/agent.yml b/packages/fortinet/data_stream/fortimail/fields/agent.yml
index da4e652c53b..38bb8dcec56 100644
--- a/packages/fortinet/data_stream/fortimail/fields/agent.yml
+++ b/packages/fortinet/data_stream/fortimail/fields/agent.yml
@@ -105,13 +105,6 @@
 For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
 - name: id
 level: core
 type: keyword
@@ -121,22 +114,6 @@
 As hostname is not always unique, use values that are meaningful in your environment.
 
 Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/fortinet/data_stream/fortimanager/fields/agent.yml b/packages/fortinet/data_stream/fortimanager/fields/agent.yml
index da4e652c53b..38bb8dcec56 100644
--- a/packages/fortinet/data_stream/fortimanager/fields/agent.yml
+++ b/packages/fortinet/data_stream/fortimanager/fields/agent.yml
@@ -105,13 +105,6 @@
 For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
 - name: id
 level: core
 type: keyword
@@ -121,22 +114,6 @@
 As hostname is not always unique, use values that are meaningful in your environment.
 
 Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/google_workspace/data_stream/admin/fields/agent.yml b/packages/google_workspace/data_stream/admin/fields/agent.yml
index e313ec82874..616523c9e12 100644
--- a/packages/google_workspace/data_stream/admin/fields/agent.yml
+++ b/packages/google_workspace/data_stream/admin/fields/agent.yml
@@ -77,11 +77,6 @@
 type: object
 object_type: keyword
 description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
diff --git a/packages/google_workspace/data_stream/drive/fields/agent.yml b/packages/google_workspace/data_stream/drive/fields/agent.yml
index e313ec82874..616523c9e12 100644
--- a/packages/google_workspace/data_stream/drive/fields/agent.yml
+++ b/packages/google_workspace/data_stream/drive/fields/agent.yml
@@ -77,11 +77,6 @@
 type: object
 object_type: keyword
 description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
diff --git a/packages/google_workspace/data_stream/groups/fields/agent.yml b/packages/google_workspace/data_stream/groups/fields/agent.yml
index e313ec82874..616523c9e12 100644
--- a/packages/google_workspace/data_stream/groups/fields/agent.yml
+++ b/packages/google_workspace/data_stream/groups/fields/agent.yml
@@ -77,11 +77,6 @@
 type: object
 object_type: keyword
 description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
diff --git a/packages/google_workspace/data_stream/login/fields/agent.yml b/packages/google_workspace/data_stream/login/fields/agent.yml
index e313ec82874..616523c9e12 100644
--- a/packages/google_workspace/data_stream/login/fields/agent.yml
+++ b/packages/google_workspace/data_stream/login/fields/agent.yml
@@ -77,11 +77,6 @@
 type: object
 object_type: keyword
 description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
diff --git a/packages/google_workspace/data_stream/saml/fields/agent.yml b/packages/google_workspace/data_stream/saml/fields/agent.yml
index e313ec82874..616523c9e12 100644
--- a/packages/google_workspace/data_stream/saml/fields/agent.yml
+++ b/packages/google_workspace/data_stream/saml/fields/agent.yml
@@ -77,11 +77,6 @@
 type: object
 object_type: keyword
 description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
diff --git a/packages/google_workspace/data_stream/user_accounts/fields/agent.yml b/packages/google_workspace/data_stream/user_accounts/fields/agent.yml
index e313ec82874..616523c9e12 100644
--- a/packages/google_workspace/data_stream/user_accounts/fields/agent.yml
+++ b/packages/google_workspace/data_stream/user_accounts/fields/agent.yml
@@ -77,11 +77,6 @@
 type: object
 object_type: keyword
 description: Image labels.
- - name: name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Container name.
 - name: host
 title: Host
 group: 2
diff --git a/packages/hid_bravura_monitor/data_stream/winlog/fields/agent.yml b/packages/hid_bravura_monitor/data_stream/winlog/fields/agent.yml
index da4e652c53b..5d8b5c2999b 100644
--- a/packages/hid_bravura_monitor/data_stream/winlog/fields/agent.yml
+++ b/packages/hid_bravura_monitor/data_stream/winlog/fields/agent.yml
@@ -130,13 +130,6 @@
 type: keyword
 ignore_above: 1024
 description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/iis/data_stream/access/fields/agent.yml b/packages/iis/data_stream/access/fields/agent.yml
index da4e652c53b..3cb905c19c2 100644
--- a/packages/iis/data_stream/access/fields/agent.yml
+++ b/packages/iis/data_stream/access/fields/agent.yml
@@ -105,13 +105,6 @@
 For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
 - name: id
 level: core
 type: keyword
diff --git a/packages/infoblox_nios/data_stream/log/fields/agent.yml b/packages/infoblox_nios/data_stream/log/fields/agent.yml
index 6639aec94a9..0f6bda97446 100644
--- a/packages/infoblox_nios/data_stream/log/fields/agent.yml
+++ b/packages/infoblox_nios/data_stream/log/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/juniper/data_stream/junos/fields/agent.yml b/packages/juniper/data_stream/junos/fields/agent.yml
index da4e652c53b..38bb8dcec56 100644
--- a/packages/juniper/data_stream/junos/fields/agent.yml
+++ b/packages/juniper/data_stream/junos/fields/agent.yml
@@ -105,13 +105,6 @@
 For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
 - name: id
 level: core
 type: keyword
@@ -121,22 +114,6 @@
 As hostname is not always unique, use values that are meaningful in your environment.
 
 Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/juniper/data_stream/netscreen/fields/agent.yml b/packages/juniper/data_stream/netscreen/fields/agent.yml
index da4e652c53b..38bb8dcec56 100644
--- a/packages/juniper/data_stream/netscreen/fields/agent.yml
+++ b/packages/juniper/data_stream/netscreen/fields/agent.yml
@@ -105,13 +105,6 @@
 For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
 - name: id
 level: core
 type: keyword
@@ -121,22 +114,6 @@
 As hostname is not always unique, use values that are meaningful in your environment.
 
 Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/juniper/data_stream/srx/fields/agent.yml b/packages/juniper/data_stream/srx/fields/agent.yml
index c5d5959b5ab..3d3ef02e8c5 100644
--- a/packages/juniper/data_stream/srx/fields/agent.yml
+++ b/packages/juniper/data_stream/srx/fields/agent.yml
@@ -5,83 +5,9 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 
@@ -90,95 +16,6 @@ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/juniper/docs/README.md b/packages/juniper/docs/README.md index ec665711bbf..ab2082048e0 100644 --- a/packages/juniper/docs/README.md +++ b/packages/juniper/docs/README.md @@ -98,7 +98,7 @@ The following processes and tags are supported: | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host, resource, or service is located. | keyword | 
@@ -319,7 +319,7 @@ The following processes and tags are supported: | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | @@ -933,7 +933,7 @@ The `junos` dataset collects Juniper JUNOS logs. | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host, resource, or service is located. | keyword | 
@@ -1154,7 +1154,7 @@ The `junos` dataset collects Juniper JUNOS logs. | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | diff --git a/packages/juniper_junos/data_stream/log/fields/agent.yml b/packages/juniper_junos/data_stream/log/fields/agent.yml index da4e652c53b..38bb8dcec56 100644 --- a/packages/juniper_junos/data_stream/log/fields/agent.yml +++ b/packages/juniper_junos/data_stream/log/fields/agent.yml @@ -105,13 +105,6 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword 
@@ -121,22 +114,6 @@ As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - name: os.family level: extended type: keyword diff --git a/packages/juniper_netscreen/data_stream/log/fields/agent.yml b/packages/juniper_netscreen/data_stream/log/fields/agent.yml index da4e652c53b..38bb8dcec56 100644 --- a/packages/juniper_netscreen/data_stream/log/fields/agent.yml +++ b/packages/juniper_netscreen/data_stream/log/fields/agent.yml @@ -105,13 +105,6 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword 
@@ -121,22 +114,6 @@ As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - name: os.family level: extended type: keyword diff --git a/packages/juniper_srx/data_stream/log/fields/agent.yml b/packages/juniper_srx/data_stream/log/fields/agent.yml index c5d5959b5ab..3d3ef02e8c5 100644 --- a/packages/juniper_srx/data_stream/log/fields/agent.yml +++ b/packages/juniper_srx/data_stream/log/fields/agent.yml 
@@ -5,83 +5,9 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - - name: project.id - type: keyword - description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 
@@ -90,95 +16,6 @@ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - - name: domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the domain of which the host is a member. - - For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' - example: CONTOSO - default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. 
- example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. - example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/juniper_srx/docs/README.md b/packages/juniper_srx/docs/README.md index 3c1884665d9..685b9788488 100644 --- a/packages/juniper_srx/docs/README.md +++ b/packages/juniper_srx/docs/README.md @@ -94,7 +94,7 @@ The following processes and tags are supported: | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | | cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host, resource, or service is located. | keyword | 
@@ -315,7 +315,7 @@ The following processes and tags are supported: | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | diff --git a/packages/microsoft/data_stream/defender_atp/fields/agent.yml b/packages/microsoft/data_stream/defender_atp/fields/agent.yml index e313ec82874..ee2550ac82e 100644 --- a/packages/microsoft/data_stream/defender_atp/fields/agent.yml +++ b/packages/microsoft/data_stream/defender_atp/fields/agent.yml @@ -54,34 +54,6 @@ - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 
diff --git a/packages/microsoft/data_stream/dhcp/fields/agent.yml b/packages/microsoft/data_stream/dhcp/fields/agent.yml index da4e652c53b..38bb8dcec56 100644 --- a/packages/microsoft/data_stream/dhcp/fields/agent.yml +++ b/packages/microsoft/data_stream/dhcp/fields/agent.yml @@ -105,13 +105,6 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword @@ -121,22 +114,6 @@ As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - name: os.family level: extended type: keyword diff --git a/packages/microsoft_defender_endpoint/data_stream/log/fields/agent.yml b/packages/microsoft_defender_endpoint/data_stream/log/fields/agent.yml index e313ec82874..ee2550ac82e 100644 --- a/packages/microsoft_defender_endpoint/data_stream/log/fields/agent.yml +++ b/packages/microsoft_defender_endpoint/data_stream/log/fields/agent.yml 
@@ -54,34 +54,6 @@ - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. - - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 diff --git a/packages/modsecurity/data_stream/auditlog/fields/agent.yml b/packages/modsecurity/data_stream/auditlog/fields/agent.yml index e313ec82874..3c8ad89f032 100644 --- a/packages/modsecurity/data_stream/auditlog/fields/agent.yml +++ b/packages/modsecurity/data_stream/auditlog/fields/agent.yml @@ -121,10 +121,6 @@ As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/netflow/data_stream/log/fields/agent.yml b/packages/netflow/data_stream/log/fields/agent.yml index da4e652c53b..7829f106b67 100644 --- a/packages/netflow/data_stream/log/fields/agent.yml +++ b/packages/netflow/data_stream/log/fields/agent.yml 
@@ -5,83 +5,12 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - - name: availability_zone - level: extended - type: keyword - ignore_above: 1024 - description: Availability zone in which this host is running. - example: us-east-1c - - name: instance.id - level: extended - type: keyword - ignore_above: 1024 - description: Instance ID of the host machine. - example: i-1234567890abcdef0 - - name: instance.name - level: extended - type: keyword - ignore_above: 1024 - description: Instance name of the host machine. - - name: machine.type - level: extended - type: keyword - ignore_above: 1024 - description: Machine type of the host machine. - example: t2.medium - - name: provider - level: extended - type: keyword - ignore_above: 1024 - description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - example: aws - - name: region - level: extended - type: keyword - ignore_above: 1024 - description: Region in which this host is running. - example: us-east-1 - name: project.id type: keyword description: Name of the project in Google Cloud. - name: image.id type: keyword description: Image ID for the cloud instance. -- name: container - title: Container - group: 2 - description: 'Container fields are used for meta information about the specific container that is the source of information. 
- - These fields help correlate data based containers from any runtime.' - type: group - fields: - - name: id - level: core - type: keyword - ignore_above: 1024 - description: Unique container id. - - name: image.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the image the container was built on. - - name: labels - level: extended - type: object - object_type: keyword - description: Image labels. - - name: name - level: extended - type: keyword - ignore_above: 1024 - description: Container name. - name: host title: Host group: 2 @@ -90,12 +19,6 @@ ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' type: group fields: - - name: architecture - level: core - type: keyword - ignore_above: 1024 - description: Operating system architecture. - example: x86_64 - name: domain level: extended type: keyword 
@@ -105,80 +28,6 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - - name: id - level: core - type: keyword - ignore_above: 1024 - description: 'Unique host id. - - As hostname is not always unique, use values that are meaningful in your environment. - - Example: The current usage of `beat.name`.' - - name: ip - level: core - type: ip - description: Host ip addresses. - - name: mac - level: core - type: keyword - ignore_above: 1024 - description: Host mac addresses. - - name: name - level: core - type: keyword - ignore_above: 1024 - description: 'Name of the host. - - It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' - - name: os.family - level: extended - type: keyword - ignore_above: 1024 - description: OS family (such as redhat, debian, freebsd, windows). - example: debian - - name: os.kernel - level: extended - type: keyword - ignore_above: 1024 - description: Operating system kernel version as a raw string. - example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - - name: os.platform - level: extended - type: keyword - ignore_above: 1024 - description: Operating system platform (such centos, ubuntu, windows). - example: darwin - - name: os.version - level: extended - type: keyword - ignore_above: 1024 - description: Operating system version as a raw string. 
- example: 10.14.1 - - name: type - level: core - type: keyword - ignore_above: 1024 - description: 'Type of host. - - For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean description: > diff --git a/packages/netflow/docs/README.md b/packages/netflow/docs/README.md index 8afb21d6183..fccb3cf0bd7 100644 --- a/packages/netflow/docs/README.md +++ b/packages/netflow/docs/README.md @@ -70,7 +70,7 @@ The `log` dataset collects netflow logs. | cloud.machine.type | Machine type of the host machine. | keyword | | cloud.project.id | Name of the project in Google Cloud. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | +| cloud.region | Region in which this host, resource, or service is located. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.image.tag | Container image tags. | keyword | 
@@ -216,7 +216,7 @@ The `log` dataset collects netflow logs. | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | @@ -225,7 +225,7 @@ The `log` dataset collects netflow logs. | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | | host.os.kernel | Operating system kernel version as a raw string. | keyword | | host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.name.text | Multi-field of `host.os.name`. | match_only_text | | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | host.os.version | Operating system version as a raw string. | keyword | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | diff --git a/packages/netskope/data_stream/alerts/fields/agent.yml b/packages/netskope/data_stream/alerts/fields/agent.yml index e313ec82874..56de8d91448 100644 
--- a/packages/netskope/data_stream/alerts/fields/agent.yml +++ b/packages/netskope/data_stream/alerts/fields/agent.yml @@ -5,14 +5,6 @@ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' type: group fields: - - name: account.id - level: extended - type: keyword - ignore_above: 1024 - description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. - - Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' - example: 666777888999 - name: availability_zone level: extended type: keyword @@ -105,13 +97,6 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword @@ -149,17 +134,6 @@ ignore_above: 1024 description: Operating system kernel version as a raw string. example: 4.4.0-112-generic - - name: os.name - level: extended - type: keyword - ignore_above: 1024 - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Operating system name, without the version. - example: Mac OS X - name: os.platform level: extended type: keyword diff --git a/packages/netskope/data_stream/events/fields/agent.yml b/packages/netskope/data_stream/events/fields/agent.yml index e313ec82874..74d8fc01ac0 100644 --- a/packages/netskope/data_stream/events/fields/agent.yml +++ b/packages/netskope/data_stream/events/fields/agent.yml 
@@ -42,12 +42,6 @@
 ignore_above: 1024
 description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
 example: aws
- - name: region
- level: extended
- type: keyword
- ignore_above: 1024
- description: Region in which this host is running.
- example: us-east-1
 - name: project.id
 type: keyword
 description: Name of the project in Google Cloud.
@@ -105,13 +99,6 @@
 For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
 example: CONTOSO
 default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
 - name: id
 level: core
 type: keyword
diff --git a/packages/netskope/docs/README.md b/packages/netskope/docs/README.md
index d28f76b57f0..8d8c674b950 100644
--- a/packages/netskope/docs/README.md
+++ b/packages/netskope/docs/README.md
@@ -1878,7 +1878,7 @@ user.email.6,,String
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
@@ -2499,7 +2499,7 @@ An example event for `alerts` looks as following:
 | cloud.machine.type | Machine type of the host machine. | keyword |
 | cloud.project.id | Name of the project in Google Cloud. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
+| cloud.region | Region in which this host, resource, or service is located. | keyword |
 | cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
@@ -2793,7 +2793,7 @@ An example event for `alerts` looks as following:
 | netskope.events.two_factor_auth | N/A | keyword |
 | netskope.events.type | Shows if it is an application event or a connection event. Application events are recorded to track user events inside a cloud app. Connection events shows the actual HTTP connection. | keyword |
 | netskope.events.universal_connector | N/A | keyword |
-| netskope.events.url | URL of the application that the user visited as provided by the log or data plane traffic | flattened |
+| netskope.events.url | URL of the application that the user visited as provided by the log or data plane traffic. | flattened |
 | netskope.events.url_to_activity | Populated if the activity from the URL matches certain activities. This field applies to Risk Insights only. | keyword |
 | netskope.events.user.category | Type of user in an enterprise - external / internal. | keyword |
 | netskope.events.user.generated | Tells whether it is user generated page event. | boolean |
diff --git a/packages/nginx/data_stream/access/fields/agent.yml b/packages/nginx/data_stream/access/fields/agent.yml
index e313ec82874..3c8ad89f032 100644
--- a/packages/nginx/data_stream/access/fields/agent.yml
+++ b/packages/nginx/data_stream/access/fields/agent.yml
@@ -121,10 +121,6 @@
 As hostname is not always unique, use values that are meaningful in your environment.
 Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/nginx/data_stream/error/fields/agent.yml b/packages/nginx/data_stream/error/fields/agent.yml
index e313ec82874..3c8ad89f032 100644
--- a/packages/nginx/data_stream/error/fields/agent.yml
+++ b/packages/nginx/data_stream/error/fields/agent.yml
@@ -121,10 +121,6 @@
 As hostname is not always unique, use values that are meaningful in your environment.
 Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/nginx/data_stream/stubstatus/fields/agent.yml b/packages/nginx/data_stream/stubstatus/fields/agent.yml
index da4e652c53b..cf8456f8583 100644
--- a/packages/nginx/data_stream/stubstatus/fields/agent.yml
+++ b/packages/nginx/data_stream/stubstatus/fields/agent.yml
@@ -121,10 +121,6 @@
 As hostname is not always unique, use values that are meaningful in your environment.
 Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/nginx_ingress_controller/data_stream/access/fields/agent.yml b/packages/nginx_ingress_controller/data_stream/access/fields/agent.yml
index e313ec82874..3c8ad89f032 100644
--- a/packages/nginx_ingress_controller/data_stream/access/fields/agent.yml
+++ b/packages/nginx_ingress_controller/data_stream/access/fields/agent.yml
@@ -121,10 +121,6 @@
 As hostname is not always unique, use values that are meaningful in your environment.
 Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/o365/data_stream/audit/fields/agent.yml b/packages/o365/data_stream/audit/fields/agent.yml
index da4e652c53b..40b6d6a32a2 100644
--- a/packages/o365/data_stream/audit/fields/agent.yml
+++ b/packages/o365/data_stream/audit/fields/agent.yml
@@ -62,11 +62,6 @@
 These fields help correlate data based containers from any runtime.'
 type: group
 fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
 - name: image.name
 level: extended
 type: keyword
@@ -112,15 +107,6 @@
 description: 'Hostname of the host.
 It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
 - name: ip
 level: core
 type: ip
@@ -130,13 +116,6 @@
 type: keyword
 ignore_above: 1024
 description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/okta/data_stream/system/fields/agent.yml b/packages/okta/data_stream/system/fields/agent.yml
index da4e652c53b..9dfc8d1aebc 100644
--- a/packages/okta/data_stream/system/fields/agent.yml
+++ b/packages/okta/data_stream/system/fields/agent.yml
@@ -62,11 +62,6 @@
 These fields help correlate data based containers from any runtime.'
 type: group
 fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
 - name: image.name
 level: extended
 type: keyword
diff --git a/packages/panw/data_stream/panos/fields/agent.yml b/packages/panw/data_stream/panos/fields/agent.yml
index 79a7a39864b..c73d2525553 100644
--- a/packages/panw/data_stream/panos/fields/agent.yml
+++ b/packages/panw/data_stream/panos/fields/agent.yml
@@ -58,11 +58,6 @@
 description: "Container fields are used for meta information about the specific container that is the source of information.\nThese fields help correlate data based containers from any runtime."
 type: group
 fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
 - name: image.name
 level: extended
 type: keyword
diff --git a/packages/panw_cortex_xdr/data_stream/alerts/fields/agent.yml b/packages/panw_cortex_xdr/data_stream/alerts/fields/agent.yml
index da4e652c53b..93798337211 100644
--- a/packages/panw_cortex_xdr/data_stream/alerts/fields/agent.yml
+++ b/packages/panw_cortex_xdr/data_stream/alerts/fields/agent.yml
@@ -96,40 +96,6 @@
 ignore_above: 1024
 description: Operating system architecture.
 example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
 - name: name
 level: core
 type: keyword
@@ -166,12 +132,6 @@
 ignore_above: 1024
 description: Operating system platform (such centos, ubuntu, windows).
 example: darwin
- - name: os.version
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system version as a raw string.
- example: 10.14.1
 - name: type
 level: core
 type: keyword
diff --git a/packages/panw_cortex_xdr/docs/README.md b/packages/panw_cortex_xdr/docs/README.md
index e3584237329..cb094bee06a 100644
--- a/packages/panw_cortex_xdr/docs/README.md
+++ b/packages/panw_cortex_xdr/docs/README.md
@@ -189,7 +189,7 @@ An example event for `alerts` looks as following:
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
diff --git a/packages/snort/data_stream/log/fields/agent.yml b/packages/snort/data_stream/log/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/snort/data_stream/log/fields/agent.yml
+++ b/packages/snort/data_stream/log/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/suricata/data_stream/eve/fields/agent.yml b/packages/suricata/data_stream/eve/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/suricata/data_stream/eve/fields/agent.yml
+++ b/packages/suricata/data_stream/eve/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/symantec_endpoint/data_stream/log/fields/agent.yml b/packages/symantec_endpoint/data_stream/log/fields/agent.yml
index c2cceee2d3f..f1bcf431f25 100644
--- a/packages/symantec_endpoint/data_stream/log/fields/agent.yml
+++ b/packages/symantec_endpoint/data_stream/log/fields/agent.yml
@@ -62,11 +62,6 @@
 These fields help correlate data based containers from any runtime.'
 type: group
 fields:
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: Unique container id.
 - name: image.name
 level: extended
 type: keyword
diff --git a/packages/system/data_stream/auth/fields/agent.yml b/packages/system/data_stream/auth/fields/agent.yml
index da4e652c53b..de521f94cbd 100644
--- a/packages/system/data_stream/auth/fields/agent.yml
+++ b/packages/system/data_stream/auth/fields/agent.yml
@@ -90,82 +90,6 @@
 ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
 - name: os.version
 level: extended
 type: keyword
diff --git a/packages/system/data_stream/security/fields/agent.yml b/packages/system/data_stream/security/fields/agent.yml
index da4e652c53b..5d8b5c2999b 100644
--- a/packages/system/data_stream/security/fields/agent.yml
+++ b/packages/system/data_stream/security/fields/agent.yml
@@ -130,13 +130,6 @@
 type: keyword
 ignore_above: 1024
 description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/system/data_stream/syslog/fields/agent.yml b/packages/system/data_stream/syslog/fields/agent.yml
index da4e652c53b..de521f94cbd 100644
--- a/packages/system/data_stream/syslog/fields/agent.yml
+++ b/packages/system/data_stream/syslog/fields/agent.yml
@@ -90,82 +90,6 @@
 ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.'
 type: group
 fields:
- - name: architecture
- level: core
- type: keyword
- ignore_above: 1024
- description: Operating system architecture.
- example: x86_64
- - name: domain
- level: extended
- type: keyword
- ignore_above: 1024
- description: 'Name of the domain of which the host is a member.
-
- For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.'
- example: CONTOSO
- default_field: false
- - name: hostname
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Hostname of the host.
-
- It normally contains what the `hostname` command returns on the host machine.'
- - name: id
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Unique host id.
-
- As hostname is not always unique, use values that are meaningful in your environment.
-
- Example: The current usage of `beat.name`.'
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
- - name: mac
- level: core
- type: keyword
- ignore_above: 1024
- description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
- - name: os.family
- level: extended
- type: keyword
- ignore_above: 1024
- description: OS family (such as redhat, debian, freebsd, windows).
- example: debian
- - name: os.kernel
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system kernel version as a raw string.
- example: 4.4.0-112-generic
- - name: os.name
- level: extended
- type: keyword
- ignore_above: 1024
- multi_fields:
- - name: text
- type: text
- norms: false
- default_field: false
- description: Operating system name, without the version.
- example: Mac OS X
- - name: os.platform
- level: extended
- type: keyword
- ignore_above: 1024
- description: Operating system platform (such centos, ubuntu, windows).
- example: darwin
 - name: os.version
 level: extended
 type: keyword
diff --git a/packages/system/docs/README.md b/packages/system/docs/README.md
index 8edeb7c4ee1..65fd06c0142 100644
--- a/packages/system/docs/README.md
+++ b/packages/system/docs/README.md
@@ -890,7 +890,7 @@ The `auth` dataset provides auth logs on linux and MacOS prior to 10.8.
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
+| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
@@ -899,7 +899,7 @@ The `auth` dataset provides auth logs on linux and MacOS prior to 10.8.
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
@@ -994,7 +994,7 @@ The `syslog` dataset provides system logs on linux and MacOS.
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
 | host.os.kernel | Operating system kernel version as a raw string. | keyword |
 | host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.name.text | Multi-field of `host.os.name`. | match_only_text |
 | host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
 | host.os.version | Operating system version as a raw string. | keyword |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
diff --git a/packages/windows/data_stream/forwarded/fields/agent.yml b/packages/windows/data_stream/forwarded/fields/agent.yml
index da4e652c53b..5d8b5c2999b 100644
--- a/packages/windows/data_stream/forwarded/fields/agent.yml
+++ b/packages/windows/data_stream/forwarded/fields/agent.yml
@@ -130,13 +130,6 @@
 type: keyword
 ignore_above: 1024
 description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/windows/data_stream/powershell/fields/agent.yml b/packages/windows/data_stream/powershell/fields/agent.yml
index da4e652c53b..5d8b5c2999b 100644
--- a/packages/windows/data_stream/powershell/fields/agent.yml
+++ b/packages/windows/data_stream/powershell/fields/agent.yml
@@ -130,13 +130,6 @@
 type: keyword
 ignore_above: 1024
 description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/windows/data_stream/powershell_operational/fields/agent.yml b/packages/windows/data_stream/powershell_operational/fields/agent.yml
index da4e652c53b..5d8b5c2999b 100644
--- a/packages/windows/data_stream/powershell_operational/fields/agent.yml
+++ b/packages/windows/data_stream/powershell_operational/fields/agent.yml
@@ -130,13 +130,6 @@
 type: keyword
 ignore_above: 1024
 description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/windows/data_stream/sysmon_operational/fields/agent.yml b/packages/windows/data_stream/sysmon_operational/fields/agent.yml
index da4e652c53b..5d8b5c2999b 100644
--- a/packages/windows/data_stream/sysmon_operational/fields/agent.yml
+++ b/packages/windows/data_stream/sysmon_operational/fields/agent.yml
@@ -130,13 +130,6 @@
 type: keyword
 ignore_above: 1024
 description: Host mac addresses.
- - name: name
- level: core
- type: keyword
- ignore_above: 1024
- description: 'Name of the host.
-
- It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.'
 - name: os.family
 level: extended
 type: keyword
diff --git a/packages/zeek/data_stream/capture_loss/fields/agent.yml b/packages/zeek/data_stream/capture_loss/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/capture_loss/fields/agent.yml
+++ b/packages/zeek/data_stream/capture_loss/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/connection/fields/agent.yml b/packages/zeek/data_stream/connection/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/connection/fields/agent.yml
+++ b/packages/zeek/data_stream/connection/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/dce_rpc/fields/agent.yml b/packages/zeek/data_stream/dce_rpc/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/dce_rpc/fields/agent.yml
+++ b/packages/zeek/data_stream/dce_rpc/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/dhcp/fields/agent.yml b/packages/zeek/data_stream/dhcp/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/dhcp/fields/agent.yml
+++ b/packages/zeek/data_stream/dhcp/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/dnp3/fields/agent.yml b/packages/zeek/data_stream/dnp3/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/dnp3/fields/agent.yml
+++ b/packages/zeek/data_stream/dnp3/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/dns/fields/agent.yml b/packages/zeek/data_stream/dns/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/dns/fields/agent.yml
+++ b/packages/zeek/data_stream/dns/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/dpd/fields/agent.yml b/packages/zeek/data_stream/dpd/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/dpd/fields/agent.yml
+++ b/packages/zeek/data_stream/dpd/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/files/fields/agent.yml b/packages/zeek/data_stream/files/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/files/fields/agent.yml
+++ b/packages/zeek/data_stream/files/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/ftp/fields/agent.yml b/packages/zeek/data_stream/ftp/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/ftp/fields/agent.yml
+++ b/packages/zeek/data_stream/ftp/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/http/fields/agent.yml b/packages/zeek/data_stream/http/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/http/fields/agent.yml
+++ b/packages/zeek/data_stream/http/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/intel/fields/agent.yml b/packages/zeek/data_stream/intel/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/intel/fields/agent.yml
+++ b/packages/zeek/data_stream/intel/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/irc/fields/agent.yml b/packages/zeek/data_stream/irc/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/irc/fields/agent.yml
+++ b/packages/zeek/data_stream/irc/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/kerberos/fields/agent.yml b/packages/zeek/data_stream/kerberos/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/kerberos/fields/agent.yml
+++ b/packages/zeek/data_stream/kerberos/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/modbus/fields/agent.yml b/packages/zeek/data_stream/modbus/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/modbus/fields/agent.yml
+++ b/packages/zeek/data_stream/modbus/fields/agent.yml
@@ -107,10 +107,6 @@
 type: keyword
 ignore_above: 1024
 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`."
- - name: ip
- level: core
- type: ip
- description: Host ip addresses.
 - name: mac
 level: core
 type: keyword
diff --git a/packages/zeek/data_stream/mysql/fields/agent.yml b/packages/zeek/data_stream/mysql/fields/agent.yml
index 79a7a39864b..befedc3a20a 100644
--- a/packages/zeek/data_stream/mysql/fields/agent.yml
+++ b/packages/zeek/data_stream/mysql/fields/agent.yml
@@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/notice/fields/agent.yml b/packages/zeek/data_stream/notice/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/notice/fields/agent.yml +++ b/packages/zeek/data_stream/notice/fields/agent.yml @@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/ntlm/fields/agent.yml b/packages/zeek/data_stream/ntlm/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/ntlm/fields/agent.yml +++ b/packages/zeek/data_stream/ntlm/fields/agent.yml @@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/ntp/fields/agent.yml b/packages/zeek/data_stream/ntp/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/ntp/fields/agent.yml +++ b/packages/zeek/data_stream/ntp/fields/agent.yml 
@@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/ocsp/fields/agent.yml b/packages/zeek/data_stream/ocsp/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/ocsp/fields/agent.yml +++ b/packages/zeek/data_stream/ocsp/fields/agent.yml @@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/pe/fields/agent.yml b/packages/zeek/data_stream/pe/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/pe/fields/agent.yml +++ b/packages/zeek/data_stream/pe/fields/agent.yml @@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/radius/fields/agent.yml b/packages/zeek/data_stream/radius/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/radius/fields/agent.yml +++ b/packages/zeek/data_stream/radius/fields/agent.yml 
@@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/rdp/fields/agent.yml b/packages/zeek/data_stream/rdp/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/rdp/fields/agent.yml +++ b/packages/zeek/data_stream/rdp/fields/agent.yml @@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/rfb/fields/agent.yml b/packages/zeek/data_stream/rfb/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/rfb/fields/agent.yml +++ b/packages/zeek/data_stream/rfb/fields/agent.yml @@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/signature/fields/agent.yml b/packages/zeek/data_stream/signature/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/signature/fields/agent.yml +++ b/packages/zeek/data_stream/signature/fields/agent.yml 
@@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/sip/fields/agent.yml b/packages/zeek/data_stream/sip/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/sip/fields/agent.yml +++ b/packages/zeek/data_stream/sip/fields/agent.yml @@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/smb_cmd/fields/agent.yml b/packages/zeek/data_stream/smb_cmd/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/smb_cmd/fields/agent.yml +++ b/packages/zeek/data_stream/smb_cmd/fields/agent.yml @@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/smb_files/fields/agent.yml b/packages/zeek/data_stream/smb_files/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/smb_files/fields/agent.yml +++ b/packages/zeek/data_stream/smb_files/fields/agent.yml 
@@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/smb_mapping/fields/agent.yml b/packages/zeek/data_stream/smb_mapping/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/smb_mapping/fields/agent.yml +++ b/packages/zeek/data_stream/smb_mapping/fields/agent.yml @@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/smtp/fields/agent.yml b/packages/zeek/data_stream/smtp/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/smtp/fields/agent.yml +++ b/packages/zeek/data_stream/smtp/fields/agent.yml @@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/snmp/fields/agent.yml b/packages/zeek/data_stream/snmp/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/snmp/fields/agent.yml +++ b/packages/zeek/data_stream/snmp/fields/agent.yml 
@@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/socks/fields/agent.yml b/packages/zeek/data_stream/socks/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/socks/fields/agent.yml +++ b/packages/zeek/data_stream/socks/fields/agent.yml @@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/ssh/fields/agent.yml b/packages/zeek/data_stream/ssh/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/ssh/fields/agent.yml +++ b/packages/zeek/data_stream/ssh/fields/agent.yml @@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/ssl/fields/agent.yml b/packages/zeek/data_stream/ssl/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/ssl/fields/agent.yml +++ b/packages/zeek/data_stream/ssl/fields/agent.yml 
@@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/stats/fields/agent.yml b/packages/zeek/data_stream/stats/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/stats/fields/agent.yml +++ b/packages/zeek/data_stream/stats/fields/agent.yml @@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/syslog/fields/agent.yml b/packages/zeek/data_stream/syslog/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/syslog/fields/agent.yml +++ b/packages/zeek/data_stream/syslog/fields/agent.yml @@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/traceroute/fields/agent.yml b/packages/zeek/data_stream/traceroute/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/traceroute/fields/agent.yml +++ b/packages/zeek/data_stream/traceroute/fields/agent.yml 
@@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/tunnel/fields/agent.yml b/packages/zeek/data_stream/tunnel/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/tunnel/fields/agent.yml +++ b/packages/zeek/data_stream/tunnel/fields/agent.yml @@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/weird/fields/agent.yml b/packages/zeek/data_stream/weird/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/weird/fields/agent.yml +++ b/packages/zeek/data_stream/weird/fields/agent.yml @@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zeek/data_stream/x509/fields/agent.yml b/packages/zeek/data_stream/x509/fields/agent.yml index 79a7a39864b..befedc3a20a 100644 --- a/packages/zeek/data_stream/x509/fields/agent.yml +++ b/packages/zeek/data_stream/x509/fields/agent.yml 
@@ -107,10 +107,6 @@ type: keyword ignore_above: 1024 description: "Unique host id.\nAs hostname is not always unique, use values that are meaningful in your environment.\nExample: The current usage of `beat.name`." - - name: ip - level: core - type: ip - description: Host ip addresses. - name: mac level: core type: keyword diff --git a/packages/zscaler_zia/data_stream/firewall/fields/agent.yml b/packages/zscaler_zia/data_stream/firewall/fields/agent.yml index e313ec82874..0eaf820125a 100644 --- a/packages/zscaler_zia/data_stream/firewall/fields/agent.yml +++ b/packages/zscaler_zia/data_stream/firewall/fields/agent.yml @@ -105,13 +105,6 @@ For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' example: CONTOSO default_field: false - - name: hostname - level: core - type: keyword - ignore_above: 1024 - description: 'Hostname of the host. - - It normally contains what the `hostname` command returns on the host machine.' - name: id level: core type: keyword From e4bd8c63416351a1768227950517ed7570060106 Mon Sep 17 00:00:00 2001 
From: Jaime Soriano Pastor Date: Tue, 10 May 2022 13:35:47 +0200 Subject: [PATCH 11/28] More duplicates in ECS files --- .../data_stream/task_stats/fields/ecs.yml | 38 --------------- packages/cisco/data_stream/asa/fields/ecs.yml | 4 -- packages/cisco/data_stream/ftd/fields/ecs.yml | 4 -- .../cisco_asa/data_stream/log/fields/ecs.yml | 4 -- .../cisco_ftd/data_stream/log/fields/ecs.yml | 4 -- .../data_stream/container/fields/ecs.yml | 22 --------- .../docker/data_stream/cpu/fields/ecs.yml | 22 --------- .../docker/data_stream/diskio/fields/ecs.yml | 22 --------- .../docker/data_stream/event/fields/ecs.yml | 22 --------- .../data_stream/healthcheck/fields/ecs.yml | 22 --------- .../docker/data_stream/image/fields/ecs.yml | 22 --------- .../docker/data_stream/info/fields/ecs.yml | 22 --------- .../docker/data_stream/memory/fields/ecs.yml | 22 --------- .../docker/data_stream/network/fields/ecs.yml | 22 --------- .../data_stream/audit/fields/ecs.yml | 8 ---- packages/gcp/data_stream/dns/fields/ecs.yml | 10 ---- .../haproxy/data_stream/info/fields/ecs.yml | 2 - .../haproxy/data_stream/stat/fields/ecs.yml | 2 - .../data_stream/log/fields/ecs.yml | 4 -- .../juniper/data_stream/srx/fields/ecs.yml | 48 ------------------- .../data_stream/log/fields/ecs.yml | 48 ------------------- .../linux/data_stream/service/fields/ecs.yml | 36 -------------- .../linux/data_stream/socket/fields/ecs.yml | 14 ------ .../linux/data_stream/users/fields/ecs.yml | 4 -- .../netflow/data_stream/log/fields/ecs.yml | 20 -------- .../data_stream/dns/fields/ecs.yml | 10 ---- .../data_stream/connection/fields/ecs.yml | 2 - .../data_stream/exchange/fields/ecs.yml | 2 - .../redis/data_stream/info/fields/ecs.yml | 4 -- .../system/data_stream/core/fields/ecs.yml | 22 --------- .../system/data_stream/cpu/fields/ecs.yml | 22 --------- .../system/data_stream/diskio/fields/ecs.yml | 24 ---------- .../system/data_stream/fsstat/fields/ecs.yml | 22 --------- .../system/data_stream/load/fields/ecs.yml | 22 
--------- .../system/data_stream/memory/fields/ecs.yml | 22 --------- .../system/data_stream/network/fields/ecs.yml | 32 ------------- .../system/data_stream/process/fields/ecs.yml | 40 ---------------- .../process_summary/fields/ecs.yml | 32 ------------- .../data_stream/socket_summary/fields/ecs.yml | 32 ------------- .../data_stream/forwarded/fields/ecs.yml | 10 ---- .../sysmon_operational/fields/ecs.yml | 10 ---- packages/zeek/data_stream/dns/fields/ecs.yml | 10 ---- 42 files changed, 766 deletions(-) diff --git a/packages/awsfargate/data_stream/task_stats/fields/ecs.yml b/packages/awsfargate/data_stream/task_stats/fields/ecs.yml index 60fce985c97..044b6b2acd7 100644 --- a/packages/awsfargate/data_stream/task_stats/fields/ecs.yml +++ b/packages/awsfargate/data_stream/task_stats/fields/ecs.yml 
@@ -1,53 +1,15 @@ # cloud - external: ecs name: cloud -- external: ecs - name: cloud.account.id -- external: ecs - name: cloud.account.name -- external: ecs - name: cloud.availability_zone -- external: ecs - name: cloud.instance.id -- external: ecs - name: cloud.machine.type -- external: ecs - name: cloud.provider -- external: ecs - name: cloud.region # version - external: ecs name: ecs.version # error - external: ecs name: error -- external: ecs - name: error.message # service - external: ecs name: service.type # container - external: ecs name: container -- external: ecs - name: container.id -- external: ecs - name: container.name -- external: ecs - name: container.image.name -# container + custom labels -- name: container.labels.com_amazonaws_ecs_cluster - type: keyword - description: ECS Cluster name -- name: container.labels.com_amazonaws_ecs_container-name - type: keyword - description: ECS container name -- name: container.labels.com_amazonaws_ecs_task-arn - type: keyword - description: ECS task ARN -- name: container.labels.com_amazonaws_ecs_task-definition-family - type: keyword - description: ECS task definition family -- name: container.labels.com_amazonaws_ecs_task-definition-version - type: keyword - description: ECS task definition version diff --git a/packages/cisco/data_stream/asa/fields/ecs.yml b/packages/cisco/data_stream/asa/fields/ecs.yml index ee8b04ed51f..4e5fb4847d5 100644 --- a/packages/cisco/data_stream/asa/fields/ecs.yml +++ b/packages/cisco/data_stream/asa/fields/ecs.yml @@ -84,10 +84,6 @@ name: network.iana_number - external: ecs name: network.inner -- external: ecs - name: network.inner.vlan.id -- external: ecs - name: network.inner.vlan.name - external: ecs name: network.protocol - external: ecs diff --git a/packages/cisco/data_stream/ftd/fields/ecs.yml b/packages/cisco/data_stream/ftd/fields/ecs.yml index f611e8ee32a..8894597527b 100644 --- a/packages/cisco/data_stream/ftd/fields/ecs.yml 
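Review bot: The awsfargate hunk removes the five custom `container.labels.com_amazonaws_ecs_*` definitions (with their `type: keyword` and descriptions) together with the `external: ecs` duplicates, but nothing on the new side declares those labels, so they are only "duplicates" if another fields file in this data stream defines them, which I cannot see from the diff. If they are not defined elsewhere, the labels fall back to whatever mapping the ECS `container` group gives `container.labels` (presumably `object` with dynamic mapping), which changes them from explicit keyword fields to dynamically mapped ones and drops the descriptions from the generated docs. Suggest either keeping the `# container + custom labels` block in this file or stating in the commit message where the surviving definitions live; the same hedge applies to the `network.inner.vlan.*` removals in the cisco hunks on this line, which are fine only if elastic-package expands `network.inner` to its ECS children.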
+++ b/packages/cisco/data_stream/ftd/fields/ecs.yml @@ -104,10 +104,6 @@ name: network.iana_number - external: ecs name: network.inner -- external: ecs - name: network.inner.vlan.id -- external: ecs - name: network.inner.vlan.name - external: ecs name: network.protocol - external: ecs diff --git a/packages/cisco_asa/data_stream/log/fields/ecs.yml b/packages/cisco_asa/data_stream/log/fields/ecs.yml index 6779904532a..1888e518e62 100644 --- a/packages/cisco_asa/data_stream/log/fields/ecs.yml +++ b/packages/cisco_asa/data_stream/log/fields/ecs.yml @@ -88,10 +88,6 @@ name: network.iana_number - external: ecs name: network.inner -- external: ecs - name: network.inner.vlan.id -- external: ecs - name: network.inner.vlan.name - external: ecs name: network.protocol - external: ecs diff --git a/packages/cisco_ftd/data_stream/log/fields/ecs.yml b/packages/cisco_ftd/data_stream/log/fields/ecs.yml index 23cf593c2ea..6c51d63c154 100644 --- a/packages/cisco_ftd/data_stream/log/fields/ecs.yml +++ b/packages/cisco_ftd/data_stream/log/fields/ecs.yml @@ -112,10 +112,6 @@ name: network.iana_number - external: ecs name: network.inner -- external: ecs - name: network.inner.vlan.id -- external: ecs - name: network.inner.vlan.name - external: ecs name: network.protocol - external: ecs diff --git a/packages/docker/data_stream/container/fields/ecs.yml b/packages/docker/data_stream/container/fields/ecs.yml index 471f0cb8582..0ddecaf4ac3 100644 --- a/packages/docker/data_stream/container/fields/ecs.yml +++ b/packages/docker/data_stream/container/fields/ecs.yml 
@@ -14,25 +14,3 @@ name: container.image.name - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type diff --git a/packages/docker/data_stream/cpu/fields/ecs.yml b/packages/docker/data_stream/cpu/fields/ecs.yml index c663e96a2c3..2c41a23e678 100644 --- a/packages/docker/data_stream/cpu/fields/ecs.yml +++ b/packages/docker/data_stream/cpu/fields/ecs.yml @@ -14,28 +14,6 @@ name: container.image.name - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type - name: container.cpu.usage type: scaled_float format: percent diff --git a/packages/docker/data_stream/diskio/fields/ecs.yml b/packages/docker/data_stream/diskio/fields/ecs.yml index 4f2946b7865..8759671c888 100644 --- a/packages/docker/data_stream/diskio/fields/ecs.yml +++ b/packages/docker/data_stream/diskio/fields/ecs.yml 
@@ -14,28 +14,6 @@ name: container.image.name - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type - name: container.disk.read.bytes type: long format: bytes diff --git a/packages/docker/data_stream/event/fields/ecs.yml b/packages/docker/data_stream/event/fields/ecs.yml index 471f0cb8582..0ddecaf4ac3 100644 --- a/packages/docker/data_stream/event/fields/ecs.yml +++ b/packages/docker/data_stream/event/fields/ecs.yml @@ -14,25 +14,3 @@ name: container.image.name - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type diff --git a/packages/docker/data_stream/healthcheck/fields/ecs.yml b/packages/docker/data_stream/healthcheck/fields/ecs.yml index 471f0cb8582..0ddecaf4ac3 100644 --- a/packages/docker/data_stream/healthcheck/fields/ecs.yml +++ b/packages/docker/data_stream/healthcheck/fields/ecs.yml 
@@ -14,25 +14,3 @@ name: container.image.name - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type diff --git a/packages/docker/data_stream/image/fields/ecs.yml b/packages/docker/data_stream/image/fields/ecs.yml index 471f0cb8582..0ddecaf4ac3 100644 --- a/packages/docker/data_stream/image/fields/ecs.yml +++ b/packages/docker/data_stream/image/fields/ecs.yml @@ -14,25 +14,3 @@ name: container.image.name - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type diff --git a/packages/docker/data_stream/info/fields/ecs.yml b/packages/docker/data_stream/info/fields/ecs.yml index 471f0cb8582..0ddecaf4ac3 100644 --- a/packages/docker/data_stream/info/fields/ecs.yml +++ b/packages/docker/data_stream/info/fields/ecs.yml @@ -14,25 +14,3 @@ name: container.image.name - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type 
diff --git a/packages/docker/data_stream/memory/fields/ecs.yml b/packages/docker/data_stream/memory/fields/ecs.yml index 4c757034615..2e9d0438675 100644 --- a/packages/docker/data_stream/memory/fields/ecs.yml +++ b/packages/docker/data_stream/memory/fields/ecs.yml @@ -14,28 +14,6 @@ name: container.image.name - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type - name: container.memory.usage type: scaled_float format: percent diff --git a/packages/docker/data_stream/network/fields/ecs.yml b/packages/docker/data_stream/network/fields/ecs.yml index f41461110e1..3131eac8a02 100644 --- a/packages/docker/data_stream/network/fields/ecs.yml +++ b/packages/docker/data_stream/network/fields/ecs.yml @@ -14,28 +14,6 @@ name: container.image.name - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type - name: container.network.egress.bytes type: long format: bytes diff --git a/packages/elasticsearch/data_stream/audit/fields/ecs.yml b/packages/elasticsearch/data_stream/audit/fields/ecs.yml index b59e389809c..b0e9dad68d3 100644 --- a/packages/elasticsearch/data_stream/audit/fields/ecs.yml +++ b/packages/elasticsearch/data_stream/audit/fields/ecs.yml 
@@ -1,16 +1,8 @@ - external: ecs name: http -- external: ecs - name: http.request.body.content - external: ecs name: source -- external: ecs - name: source.ip - external: ecs name: url -- external: ecs - name: url.original - external: ecs name: user -- external: ecs - name: user.name diff --git a/packages/gcp/data_stream/dns/fields/ecs.yml b/packages/gcp/data_stream/dns/fields/ecs.yml index f008e47d957..a7acc4fb82d 100644 --- a/packages/gcp/data_stream/dns/fields/ecs.yml +++ b/packages/gcp/data_stream/dns/fields/ecs.yml @@ -4,16 +4,6 @@ name: destination.ip - external: ecs name: dns.answers -- external: ecs - name: dns.answers.class -- external: ecs - name: dns.answers.data -- external: ecs - name: dns.answers.name -- external: ecs - name: dns.answers.ttl -- external: ecs - name: dns.answers.type - external: ecs name: dns.question.name - external: ecs diff --git a/packages/haproxy/data_stream/info/fields/ecs.yml b/packages/haproxy/data_stream/info/fields/ecs.yml index 89b163a3aa1..13ceaf2f995 100644 --- a/packages/haproxy/data_stream/info/fields/ecs.yml +++ b/packages/haproxy/data_stream/info/fields/ecs.yml @@ -1,7 +1,5 @@ - external: ecs name: process -- external: ecs - name: process.pid - external: ecs name: service.address - external: ecs diff --git a/packages/haproxy/data_stream/stat/fields/ecs.yml b/packages/haproxy/data_stream/stat/fields/ecs.yml index 89b163a3aa1..13ceaf2f995 100644 --- a/packages/haproxy/data_stream/stat/fields/ecs.yml +++ b/packages/haproxy/data_stream/stat/fields/ecs.yml @@ -1,7 +1,5 @@ - external: ecs name: process -- external: ecs - name: process.pid - external: ecs name: service.address - external: ecs diff --git a/packages/hid_bravura_monitor/data_stream/log/fields/ecs.yml b/packages/hid_bravura_monitor/data_stream/log/fields/ecs.yml index fb78acf4391..7cafdae9e7c 100644 --- a/packages/hid_bravura_monitor/data_stream/log/fields/ecs.yml +++ b/packages/hid_bravura_monitor/data_stream/log/fields/ecs.yml 
@@ -86,10 +86,6 @@ name: network.iana_number - external: ecs name: network.inner -- external: ecs - name: network.inner.vlan.id -- external: ecs - name: network.inner.vlan.name - external: ecs name: network.protocol - external: ecs diff --git a/packages/juniper/data_stream/srx/fields/ecs.yml b/packages/juniper/data_stream/srx/fields/ecs.yml index 5708c81eb0c..2be8bd4a869 100644 --- a/packages/juniper/data_stream/srx/fields/ecs.yml +++ b/packages/juniper/data_stream/srx/fields/ecs.yml @@ -224,16 +224,6 @@ name: dll.pe.product - external: ecs name: dns.answers -- external: ecs - name: dns.answers.class -- external: ecs - name: dns.answers.data -- external: ecs - name: dns.answers.name -- external: ecs - name: dns.answers.ttl -- external: ecs - name: dns.answers.type - external: ecs name: dns.header_flags - external: ecs @@ -552,16 +542,6 @@ name: log.logger - external: ecs name: log.syslog -- external: ecs - name: log.syslog.facility.code -- external: ecs - name: log.syslog.facility.name -- external: ecs - name: log.syslog.priority -- external: ecs - name: log.syslog.severity.code -- external: ecs - name: log.syslog.severity.name - external: ecs name: message - external: ecs @@ -578,10 +558,6 @@ name: network.iana_number - external: ecs name: network.inner -- external: ecs - name: network.inner.vlan.id -- external: ecs - name: network.inner.vlan.name - external: ecs name: network.name - external: ecs @@ -598,18 +574,6 @@ name: network.vlan.name - external: ecs name: observer.egress -- external: ecs - name: observer.egress.interface.alias -- external: ecs - name: observer.egress.interface.id -- external: ecs - name: observer.egress.interface.name -- external: ecs - name: observer.egress.vlan.id -- external: ecs - name: observer.egress.vlan.name -- external: ecs - name: observer.egress.zone - external: ecs name: observer.geo.city_name - external: ecs 
@@ -632,18 +596,6 @@ name: observer.hostname - external: ecs name: observer.ingress -- external: ecs - name: observer.ingress.interface.alias -- external: ecs - name: observer.ingress.interface.id -- external: ecs - name: observer.ingress.interface.name -- external: ecs - name: observer.ingress.vlan.id -- external: ecs - name: observer.ingress.vlan.name -- external: ecs - name: observer.ingress.zone - external: ecs name: observer.ip - external: ecs diff --git a/packages/juniper_srx/data_stream/log/fields/ecs.yml b/packages/juniper_srx/data_stream/log/fields/ecs.yml index 5708c81eb0c..2be8bd4a869 100644 --- a/packages/juniper_srx/data_stream/log/fields/ecs.yml +++ b/packages/juniper_srx/data_stream/log/fields/ecs.yml @@ -224,16 +224,6 @@ name: dll.pe.product - external: ecs name: dns.answers -- external: ecs - name: dns.answers.class -- external: ecs - name: dns.answers.data -- external: ecs - name: dns.answers.name -- external: ecs - name: dns.answers.ttl -- external: ecs - name: dns.answers.type - external: ecs name: dns.header_flags - external: ecs @@ -552,16 +542,6 @@ name: log.logger - external: ecs name: log.syslog -- external: ecs - name: log.syslog.facility.code -- external: ecs - name: log.syslog.facility.name -- external: ecs - name: log.syslog.priority -- external: ecs - name: log.syslog.severity.code -- external: ecs - name: log.syslog.severity.name - external: ecs name: message - external: ecs @@ -578,10 +558,6 @@ name: network.iana_number - external: ecs name: network.inner -- external: ecs - name: network.inner.vlan.id -- external: ecs - name: network.inner.vlan.name - external: ecs name: network.name - external: ecs 
@@ -598,18 +574,6 @@ name: network.vlan.name - external: ecs name: observer.egress -- external: ecs - name: observer.egress.interface.alias -- external: ecs - name: observer.egress.interface.id -- external: ecs - name: observer.egress.interface.name -- external: ecs - name: observer.egress.vlan.id -- external: ecs - name: observer.egress.vlan.name -- external: ecs - name: observer.egress.zone - external: ecs name: observer.geo.city_name - external: ecs @@ -632,18 +596,6 @@ name: observer.hostname - external: ecs name: observer.ingress -- external: ecs - name: observer.ingress.interface.alias -- external: ecs - name: observer.ingress.interface.id -- external: ecs - name: observer.ingress.interface.name -- external: ecs - name: observer.ingress.vlan.id -- external: ecs - name: observer.ingress.vlan.name -- external: ecs - name: observer.ingress.zone - external: ecs name: observer.ip - external: ecs diff --git a/packages/linux/data_stream/service/fields/ecs.yml b/packages/linux/data_stream/service/fields/ecs.yml index 8a4edf8d0e0..d1bfe41a38d 100644 --- a/packages/linux/data_stream/service/fields/ecs.yml +++ b/packages/linux/data_stream/service/fields/ecs.yml @@ -8,43 +8,7 @@ name: service.type - external: ecs name: process -- external: ecs - name: process.name -- external: ecs - name: process.pgid -- external: ecs - name: process.exit_code -- external: ecs - name: process.pid -- external: ecs - name: process.ppid -- external: ecs - name: process.working_directory - external: ecs name: user -- external: ecs - name: user.name - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type 
diff --git a/packages/linux/data_stream/socket/fields/ecs.yml b/packages/linux/data_stream/socket/fields/ecs.yml index 6e399523d80..847ebcc752d 100644 --- a/packages/linux/data_stream/socket/fields/ecs.yml +++ b/packages/linux/data_stream/socket/fields/ecs.yml @@ -8,21 +8,7 @@ name: service.type - external: ecs name: network -- external: ecs - name: network.direction -- external: ecs - name: network.type - external: ecs name: process -- external: ecs - name: process.executable -- external: ecs - name: process.name -- external: ecs - name: process.pid - external: ecs name: user -- external: ecs - name: user.full_name -- external: ecs - name: user.id diff --git a/packages/linux/data_stream/users/fields/ecs.yml b/packages/linux/data_stream/users/fields/ecs.yml index 7117f20e5cb..549f1c964e1 100644 --- a/packages/linux/data_stream/users/fields/ecs.yml +++ b/packages/linux/data_stream/users/fields/ecs.yml @@ -8,7 +8,3 @@ name: service.type - external: ecs name: source -- external: ecs - name: source.ip -- external: ecs - name: source.port diff --git a/packages/netflow/data_stream/log/fields/ecs.yml b/packages/netflow/data_stream/log/fields/ecs.yml index 8d3da9674be..b0076c63316 100644 --- a/packages/netflow/data_stream/log/fields/ecs.yml +++ b/packages/netflow/data_stream/log/fields/ecs.yml @@ -166,16 +166,6 @@ name: destination.user.name - external: ecs name: dns.answers -- external: ecs - name: dns.answers.class -- external: ecs - name: dns.answers.data -- external: ecs - name: dns.answers.name -- external: ecs - name: dns.answers.ttl -- external: ecs - name: dns.answers.type - external: ecs name: dns.header_flags - external: ecs 
@@ -406,16 +396,6 @@ name: log.origin.function - external: ecs name: log.syslog -- external: ecs - name: log.syslog.facility.code -- external: ecs - name: log.syslog.facility.name -- external: ecs - name: log.syslog.priority -- external: ecs - name: log.syslog.severity.code -- external: ecs - name: log.syslog.severity.name - external: ecs name: message - external: ecs diff --git a/packages/network_traffic/data_stream/dns/fields/ecs.yml b/packages/network_traffic/data_stream/dns/fields/ecs.yml index d78aee57951..3469d6b233d 100644 --- a/packages/network_traffic/data_stream/dns/fields/ecs.yml +++ b/packages/network_traffic/data_stream/dns/fields/ecs.yml @@ -12,16 +12,6 @@ name: destination.port - external: ecs name: dns.answers -- external: ecs - name: dns.answers.class -- external: ecs - name: dns.answers.data -- external: ecs - name: dns.answers.name -- external: ecs - name: dns.answers.ttl -- external: ecs - name: dns.answers.type - external: ecs name: dns.header_flags - external: ecs diff --git a/packages/rabbitmq/data_stream/connection/fields/ecs.yml b/packages/rabbitmq/data_stream/connection/fields/ecs.yml index 59b37655563..826c95e7a10 100644 --- a/packages/rabbitmq/data_stream/connection/fields/ecs.yml +++ b/packages/rabbitmq/data_stream/connection/fields/ecs.yml @@ -1,7 +1,5 @@ - external: ecs name: user -- external: ecs - name: user.name - external: ecs name: ecs.version - external: ecs diff --git a/packages/rabbitmq/data_stream/exchange/fields/ecs.yml b/packages/rabbitmq/data_stream/exchange/fields/ecs.yml index 59b37655563..826c95e7a10 100644 --- a/packages/rabbitmq/data_stream/exchange/fields/ecs.yml +++ b/packages/rabbitmq/data_stream/exchange/fields/ecs.yml @@ -1,7 +1,5 @@ - external: ecs name: user -- external: ecs - name: user.name - external: ecs name: ecs.version - external: ecs diff --git a/packages/redis/data_stream/info/fields/ecs.yml b/packages/redis/data_stream/info/fields/ecs.yml index cf2bdd3aad8..7ebe6187463 100644 
--- a/packages/redis/data_stream/info/fields/ecs.yml +++ b/packages/redis/data_stream/info/fields/ecs.yml @@ -1,11 +1,7 @@ - external: ecs name: os -- external: ecs - name: os.full - external: ecs name: process -- external: ecs - name: process.pid - external: ecs name: ecs.version - external: ecs diff --git a/packages/system/data_stream/core/fields/ecs.yml b/packages/system/data_stream/core/fields/ecs.yml index 9e69e978131..0e98753ee3b 100644 --- a/packages/system/data_stream/core/fields/ecs.yml +++ b/packages/system/data_stream/core/fields/ecs.yml @@ -1,24 +1,2 @@ - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type diff --git a/packages/system/data_stream/cpu/fields/ecs.yml b/packages/system/data_stream/cpu/fields/ecs.yml index 9e69e978131..0e98753ee3b 100644 --- a/packages/system/data_stream/cpu/fields/ecs.yml +++ b/packages/system/data_stream/cpu/fields/ecs.yml @@ -1,24 +1,2 @@ - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type diff --git a/packages/system/data_stream/diskio/fields/ecs.yml b/packages/system/data_stream/diskio/fields/ecs.yml index 125667d5ce5..0e98753ee3b 100644 --- a/packages/system/data_stream/diskio/fields/ecs.yml +++ b/packages/system/data_stream/diskio/fields/ecs.yml 
@@ -1,26 +1,2 @@ - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.hostname -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type diff --git a/packages/system/data_stream/fsstat/fields/ecs.yml b/packages/system/data_stream/fsstat/fields/ecs.yml index 9e69e978131..0e98753ee3b 100644 --- a/packages/system/data_stream/fsstat/fields/ecs.yml +++ b/packages/system/data_stream/fsstat/fields/ecs.yml @@ -1,24 +1,2 @@ - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type diff --git a/packages/system/data_stream/load/fields/ecs.yml b/packages/system/data_stream/load/fields/ecs.yml index 9e69e978131..0e98753ee3b 100644 --- a/packages/system/data_stream/load/fields/ecs.yml +++ b/packages/system/data_stream/load/fields/ecs.yml @@ -1,24 +1,2 @@ - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type 
diff --git a/packages/system/data_stream/memory/fields/ecs.yml b/packages/system/data_stream/memory/fields/ecs.yml index 9e69e978131..0e98753ee3b 100644 --- a/packages/system/data_stream/memory/fields/ecs.yml +++ b/packages/system/data_stream/memory/fields/ecs.yml @@ -1,24 +1,2 @@ - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type diff --git a/packages/system/data_stream/network/fields/ecs.yml b/packages/system/data_stream/network/fields/ecs.yml index 49038af7df0..b7f1d8dc1ee 100644 --- a/packages/system/data_stream/network/fields/ecs.yml +++ b/packages/system/data_stream/network/fields/ecs.yml @@ -4,43 +4,11 @@ name: message - external: ecs name: group -- external: ecs - name: group.id -- external: ecs - name: group.name - external: ecs name: host -- external: ecs - name: host.hostname - external: ecs name: process -- external: ecs - name: process.name -- external: ecs - name: process.pid - external: ecs name: source -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.country_iso_code -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- external: ecs - name: source.geo.region_iso_code -- external: ecs - name: source.geo.region_name -- external: ecs - name: source.ip -- external: ecs - name: source.port - external: ecs name: user -- external: ecs - name: user.id -- external: ecs - name: user.name diff --git a/packages/system/data_stream/process/fields/ecs.yml b/packages/system/data_stream/process/fields/ecs.yml index 1b7b5372d01..6b0425b6f90 100644 
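Review bot: The removed `source.geo.location` entry in the system/network hunk was the only locally typed definition in this file (`type: geo_point`, not `external: ecs`), so after this change the geo_point mapping depends entirely on the `source` group import resolving ECS `source.geo.location`. If the group import in the ECS version pinned for the package (not visible here) does not expand nested `geo.*` leaves, the field is left to dynamic mapping or stays unmapped, and map visualizations and geo-based rules on this data stream silently stop working. Please confirm the built index template for `system.network` still maps `source.geo.location` as `geo_point`; if it does not, keep an explicit `- name: source.geo.location` / `type: geo_point` entry next to the group import. The same entry is dropped from process_summary and socket_summary, which share this file's content.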
--- a/packages/system/data_stream/process/fields/ecs.yml +++ b/packages/system/data_stream/process/fields/ecs.yml @@ -1,50 +1,10 @@ - external: ecs name: process -- external: ecs - name: process.name -- external: ecs - name: process.pgid -- external: ecs - name: process.pid -- external: ecs - name: process.parent.pid -- external: ecs - name: process.working_directory - external: ecs name: user -- external: ecs - name: user.name - external: ecs name: host -- external: ecs - name: host.architecture -- external: ecs - name: host.ip -- external: ecs - name: host.mac -- external: ecs - name: host.name -- external: ecs - name: host.os.family -- external: ecs - name: host.os.full -- external: ecs - name: host.os.kernel -- external: ecs - name: host.os.name -- external: ecs - name: host.os.platform -- external: ecs - name: host.os.version -- external: ecs - name: host.type - name: ecs.version external: ecs -- name: process.args - external: ecs -- name: process.command_line - external: ecs -- name: process.executable - external: ecs - name: service.type external: ecs diff --git a/packages/system/data_stream/process_summary/fields/ecs.yml b/packages/system/data_stream/process_summary/fields/ecs.yml index 49038af7df0..b7f1d8dc1ee 100644 --- a/packages/system/data_stream/process_summary/fields/ecs.yml +++ b/packages/system/data_stream/process_summary/fields/ecs.yml 
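Review bot: The `process.args`, `process.command_line` and `process.executable` entries dropped at the end of the system/process hunk are the fields detection content keys on most for this data stream, and they are now provided only through the `process` group import. That import resolves against the ECS reference pinned for the package, which is outside this diff, so please verify the rendered template for `system.process` still maps all three, plus `process.parent.pid`, with their ECS types rather than leaving them to dynamic mapping. A quick check is diffing the fields section of the built package before and after this commit; any field that disappears should be restored as an explicit `- external: ecs` / `name: process.command_line` style entry.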
@@ -4,43 +4,11 @@ name: message - external: ecs name: group -- external: ecs - name: group.id -- external: ecs - name: group.name - external: ecs name: host -- external: ecs - name: host.hostname - external: ecs name: process -- external: ecs - name: process.name -- external: ecs - name: process.pid - external: ecs name: source -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.country_iso_code -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- external: ecs - name: source.geo.region_iso_code -- external: ecs - name: source.geo.region_name -- external: ecs - name: source.ip -- external: ecs - name: source.port - external: ecs name: user -- external: ecs - name: user.id -- external: ecs - name: user.name diff --git a/packages/system/data_stream/socket_summary/fields/ecs.yml b/packages/system/data_stream/socket_summary/fields/ecs.yml index 49038af7df0..b7f1d8dc1ee 100644 --- a/packages/system/data_stream/socket_summary/fields/ecs.yml +++ b/packages/system/data_stream/socket_summary/fields/ecs.yml @@ -4,43 +4,11 @@ name: message - external: ecs name: group -- external: ecs - name: group.id -- external: ecs - name: group.name - external: ecs name: host -- external: ecs - name: host.hostname - external: ecs name: process -- external: ecs - name: process.name -- external: ecs - name: process.pid - external: ecs name: source -- external: ecs - name: source.geo.city_name -- external: ecs - name: source.geo.continent_name -- external: ecs - name: source.geo.country_iso_code -- description: Longitude and latitude. - level: core - name: source.geo.location - type: geo_point -- external: ecs - name: source.geo.region_iso_code -- external: ecs - name: source.geo.region_name -- external: ecs - name: source.ip -- external: ecs - name: source.port - external: ecs name: user -- external: ecs - name: user.id -- external: ecs - name: user.name 
diff --git a/packages/windows/data_stream/forwarded/fields/ecs.yml b/packages/windows/data_stream/forwarded/fields/ecs.yml index 39b88dd3642..850afcb3007 100644 --- a/packages/windows/data_stream/forwarded/fields/ecs.yml +++ b/packages/windows/data_stream/forwarded/fields/ecs.yml @@ -12,16 +12,6 @@ name: destination.user.name - external: ecs name: dns.answers -- external: ecs - name: dns.answers.class -- external: ecs - name: dns.answers.data -- external: ecs - name: dns.answers.name -- external: ecs - name: dns.answers.ttl -- external: ecs - name: dns.answers.type - external: ecs name: dns.header_flags - external: ecs diff --git a/packages/windows/data_stream/sysmon_operational/fields/ecs.yml b/packages/windows/data_stream/sysmon_operational/fields/ecs.yml index 03b3598d44c..e598973dc5d 100644 --- a/packages/windows/data_stream/sysmon_operational/fields/ecs.yml +++ b/packages/windows/data_stream/sysmon_operational/fields/ecs.yml @@ -6,16 +6,6 @@ name: destination.port - external: ecs name: dns.answers -- external: ecs - name: dns.answers.class -- external: ecs - name: dns.answers.data -- external: ecs - name: dns.answers.name -- external: ecs - name: dns.answers.ttl -- external: ecs - name: dns.answers.type - external: ecs name: dns.header_flags - external: ecs diff --git a/packages/zeek/data_stream/dns/fields/ecs.yml b/packages/zeek/data_stream/dns/fields/ecs.yml index b183a600a17..0fb85555012 100644 --- a/packages/zeek/data_stream/dns/fields/ecs.yml +++ b/packages/zeek/data_stream/dns/fields/ecs.yml @@ -28,16 +28,6 @@ name: destination.port - external: ecs name: dns.answers -- external: ecs - name: dns.answers.class -- external: ecs - name: dns.answers.data -- external: ecs - name: dns.answers.name -- external: ecs - name: dns.answers.ttl -- external: ecs - name: dns.answers.type - external: ecs name: dns.header_flags - external: ecs From 43361a483f4bdbe73f6c706a770f200b23c64211 Mon Sep 17 00:00:00 2001 
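Review bot: In ECS `dns.answers` is declared as an `object`, and the removed `dns.answers.class`/`data`/`name`/`ttl`/`type` entries were what gave the leaves an explicit keyword/long mapping; after the zeek/dns hunk they are only covered if the group import expands the object's children. If it does not, `dns.answers.data` and `dns.answers.name` get dynamically mapped on first ingest (text with a `.keyword` multi-field) or stay unmapped, which silently breaks DNS detection rules and dashboard terms aggregations that query them as keyword. Please check that the built template for `zeek.dns` (and the windows sysmon_operational/forwarded, network_traffic, gcp, juniper and netflow streams where the same five entries are removed) still lists the leaf fields with ECS types, and keep the explicit `- external: ecs` / `name: dns.answers.data` entries where it does not.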
From: Jaime Soriano Pastor Date: Tue, 10 May 2022 13:39:05 +0200 Subject: [PATCH 12/28] Remove empty files --- packages/synthetics/data_stream/browser/fields/cloud.yml | 1 - packages/synthetics/data_stream/browser/fields/http.yml | 1 - packages/synthetics/data_stream/browser_network/fields/cloud.yml | 1 - packages/synthetics/data_stream/browser_network/fields/http.yml | 1 - .../synthetics/data_stream/browser_screenshot/fields/cloud.yml | 1 - packages/synthetics/data_stream/http/fields/cloud.yml | 1 - packages/synthetics/data_stream/http/fields/http.yml | 1 - packages/synthetics/data_stream/http/fields/tls.yml | 1 - packages/synthetics/data_stream/icmp/fields/cloud.yml | 1 - packages/synthetics/data_stream/icmp/fields/tls.yml | 1 - packages/synthetics/data_stream/tcp/fields/cloud.yml | 1 - packages/synthetics/data_stream/tcp/fields/tls.yml | 1 - 12 files changed, 12 deletions(-) delete mode 100644 packages/synthetics/data_stream/browser/fields/cloud.yml delete mode 100644 packages/synthetics/data_stream/browser/fields/http.yml delete mode 100644 packages/synthetics/data_stream/browser_network/fields/cloud.yml delete mode 100644 packages/synthetics/data_stream/browser_network/fields/http.yml delete mode 100644 packages/synthetics/data_stream/browser_screenshot/fields/cloud.yml delete mode 100644 packages/synthetics/data_stream/http/fields/cloud.yml delete mode 100644 packages/synthetics/data_stream/http/fields/http.yml delete mode 100644 packages/synthetics/data_stream/http/fields/tls.yml delete mode 100644 packages/synthetics/data_stream/icmp/fields/cloud.yml delete mode 100644 packages/synthetics/data_stream/icmp/fields/tls.yml delete mode 100644 packages/synthetics/data_stream/tcp/fields/cloud.yml delete mode 100644 packages/synthetics/data_stream/tcp/fields/tls.yml diff --git a/packages/synthetics/data_stream/browser/fields/cloud.yml b/packages/synthetics/data_stream/browser/fields/cloud.yml deleted file mode 100644 index fe51488c706..00000000000 
--- a/packages/synthetics/data_stream/browser/fields/cloud.yml +++ /dev/null @@ -1 +0,0 @@ -[] diff --git a/packages/synthetics/data_stream/browser/fields/http.yml b/packages/synthetics/data_stream/browser/fields/http.yml deleted file mode 100644 index fe51488c706..00000000000 --- a/packages/synthetics/data_stream/browser/fields/http.yml +++ /dev/null @@ -1 +0,0 @@ -[] diff --git a/packages/synthetics/data_stream/browser_network/fields/cloud.yml b/packages/synthetics/data_stream/browser_network/fields/cloud.yml deleted file mode 100644 index fe51488c706..00000000000 --- a/packages/synthetics/data_stream/browser_network/fields/cloud.yml +++ /dev/null @@ -1 +0,0 @@ -[] diff --git a/packages/synthetics/data_stream/browser_network/fields/http.yml b/packages/synthetics/data_stream/browser_network/fields/http.yml deleted file mode 100644 index fe51488c706..00000000000 --- a/packages/synthetics/data_stream/browser_network/fields/http.yml +++ /dev/null @@ -1 +0,0 @@ -[] diff --git a/packages/synthetics/data_stream/browser_screenshot/fields/cloud.yml b/packages/synthetics/data_stream/browser_screenshot/fields/cloud.yml deleted file mode 100644 index fe51488c706..00000000000 --- a/packages/synthetics/data_stream/browser_screenshot/fields/cloud.yml +++ /dev/null @@ -1 +0,0 @@ -[] diff --git a/packages/synthetics/data_stream/http/fields/cloud.yml b/packages/synthetics/data_stream/http/fields/cloud.yml deleted file mode 100644 index fe51488c706..00000000000 --- a/packages/synthetics/data_stream/http/fields/cloud.yml +++ /dev/null @@ -1 +0,0 @@ -[] diff --git a/packages/synthetics/data_stream/http/fields/http.yml b/packages/synthetics/data_stream/http/fields/http.yml deleted file mode 100644 index fe51488c706..00000000000 --- a/packages/synthetics/data_stream/http/fields/http.yml +++ /dev/null @@ -1 +0,0 @@ -[] 
diff --git a/packages/synthetics/data_stream/http/fields/tls.yml b/packages/synthetics/data_stream/http/fields/tls.yml deleted file mode 100644 index fe51488c706..00000000000 --- a/packages/synthetics/data_stream/http/fields/tls.yml +++ /dev/null @@ -1 +0,0 @@ -[] diff --git a/packages/synthetics/data_stream/icmp/fields/cloud.yml b/packages/synthetics/data_stream/icmp/fields/cloud.yml deleted file mode 100644 index fe51488c706..00000000000 --- a/packages/synthetics/data_stream/icmp/fields/cloud.yml +++ /dev/null @@ -1 +0,0 @@ -[] diff --git a/packages/synthetics/data_stream/icmp/fields/tls.yml b/packages/synthetics/data_stream/icmp/fields/tls.yml deleted file mode 100644 index fe51488c706..00000000000 --- a/packages/synthetics/data_stream/icmp/fields/tls.yml +++ /dev/null @@ -1 +0,0 @@ -[] diff --git a/packages/synthetics/data_stream/tcp/fields/cloud.yml b/packages/synthetics/data_stream/tcp/fields/cloud.yml deleted file mode 100644 index fe51488c706..00000000000 --- a/packages/synthetics/data_stream/tcp/fields/cloud.yml +++ /dev/null @@ -1 +0,0 @@ -[] diff --git a/packages/synthetics/data_stream/tcp/fields/tls.yml b/packages/synthetics/data_stream/tcp/fields/tls.yml deleted file mode 100644 index fe51488c706..00000000000 --- a/packages/synthetics/data_stream/tcp/fields/tls.yml +++ /dev/null @@ -1 +0,0 @@ -[] From e98bde5edb6d13088a246d12a6fd4d7c3043a2ee Mon Sep 17 00:00:00 2001 
From: Jaime Soriano Pastor Date: Tue, 10 May 2022 13:40:53 +0200 Subject: [PATCH 13/28] Remove duplicated from agent.yml --- packages/cisco/data_stream/meraki/fields/base-fields.yml | 4 ---- packages/cisco/data_stream/nexus/fields/base-fields.yml | 4 ---- .../cisco_meraki/data_stream/events/fields/base-fields.yml | 7 ------- .../cisco_meraki/data_stream/log/fields/base-fields.yml | 7 ------- .../cisco_nexus/data_stream/log/fields/base-fields.yml | 4 ---- .../data_stream/log/fields/fields.yml | 2 -- .../data_stream/event/fields/base-fields.yml | 4 ---- .../cisco_umbrella/data_stream/log/fields/base-fields.yml | 4 ---- .../data_stream/clientendpoint/fields/base-fields.yml | 4 ---- .../fortinet/data_stream/fortimail/fields/base-fields.yml | 4 ---- .../data_stream/fortimanager/fields/base-fields.yml | 4 ---- .../data_stream/log/fields/base-fields.yml | 3 --- packages/juniper/data_stream/junos/fields/base-fields.yml | 4 ---- .../juniper/data_stream/netscreen/fields/base-fields.yml | 4 ---- .../juniper_junos/data_stream/log/fields/base-fields.yml | 4 ---- .../data_stream/log/fields/base-fields.yml | 4 ---- packages/microsoft/data_stream/dhcp/fields/base-fields.yml | 4 ---- packages/zeek/data_stream/capture_loss/fields/beats.yml | 4 ---- packages/zeek/data_stream/connection/fields/beats.yml | 4 ---- packages/zeek/data_stream/dce_rpc/fields/beats.yml | 4 ---- packages/zeek/data_stream/dhcp/fields/beats.yml | 4 ---- packages/zeek/data_stream/dnp3/fields/beats.yml | 4 ---- packages/zeek/data_stream/dns/fields/beats.yml | 4 ---- packages/zeek/data_stream/dpd/fields/beats.yml | 4 ---- packages/zeek/data_stream/files/fields/beats.yml | 4 ---- packages/zeek/data_stream/ftp/fields/beats.yml | 4 ---- packages/zeek/data_stream/http/fields/beats.yml | 4 ---- packages/zeek/data_stream/intel/fields/beats.yml | 4 ---- packages/zeek/data_stream/irc/fields/beats.yml | 4 ---- packages/zeek/data_stream/kerberos/fields/beats.yml | 4 ---- packages/zeek/data_stream/modbus/fields/beats.yml | 4 
---- packages/zeek/data_stream/mysql/fields/beats.yml | 4 ---- packages/zeek/data_stream/notice/fields/beats.yml | 4 ---- packages/zeek/data_stream/ntlm/fields/beats.yml | 4 ---- packages/zeek/data_stream/ntp/fields/beats.yml | 4 ---- packages/zeek/data_stream/ocsp/fields/beats.yml | 4 ---- packages/zeek/data_stream/pe/fields/beats.yml | 4 ---- packages/zeek/data_stream/radius/fields/beats.yml | 4 ---- packages/zeek/data_stream/rdp/fields/beats.yml | 4 ---- packages/zeek/data_stream/rfb/fields/beats.yml | 4 ---- packages/zeek/data_stream/signature/fields/beats.yml | 4 ---- packages/zeek/data_stream/sip/fields/beats.yml | 4 ---- packages/zeek/data_stream/smb_cmd/fields/beats.yml | 4 ---- packages/zeek/data_stream/smb_files/fields/beats.yml | 4 ---- packages/zeek/data_stream/smb_mapping/fields/beats.yml | 4 ---- packages/zeek/data_stream/smtp/fields/beats.yml | 4 ---- packages/zeek/data_stream/snmp/fields/beats.yml | 4 ---- packages/zeek/data_stream/socks/fields/beats.yml | 4 ---- packages/zeek/data_stream/ssh/fields/beats.yml | 4 ---- packages/zeek/data_stream/ssl/fields/beats.yml | 4 ---- packages/zeek/data_stream/stats/fields/beats.yml | 4 ---- packages/zeek/data_stream/syslog/fields/beats.yml | 4 ---- packages/zeek/data_stream/traceroute/fields/beats.yml | 4 ---- packages/zeek/data_stream/tunnel/fields/beats.yml | 4 ---- packages/zeek/data_stream/weird/fields/beats.yml | 4 ---- packages/zeek/data_stream/x509/fields/beats.yml | 4 ---- 56 files changed, 227 deletions(-) diff --git a/packages/cisco/data_stream/meraki/fields/base-fields.yml b/packages/cisco/data_stream/meraki/fields/base-fields.yml index 9c092a509e7..e32ab63a97b 100644 --- a/packages/cisco/data_stream/meraki/fields/base-fields.yml +++ b/packages/cisco/data_stream/meraki/fields/base-fields.yml 
@@ -15,10 +15,6 @@ type: constant_keyword description: Event dataset value: cisco.meraki -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword - name: input.type description: Type of Filebeat input. type: keyword diff --git a/packages/cisco/data_stream/nexus/fields/base-fields.yml b/packages/cisco/data_stream/nexus/fields/base-fields.yml index 41ee914e6ba..4f3c8eaa3e0 100644 --- a/packages/cisco/data_stream/nexus/fields/base-fields.yml +++ b/packages/cisco/data_stream/nexus/fields/base-fields.yml @@ -15,10 +15,6 @@ type: constant_keyword description: Event dataset value: cisco.nexus -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword - name: input.type description: Type of Filebeat input. type: keyword diff --git a/packages/cisco_meraki/data_stream/events/fields/base-fields.yml b/packages/cisco_meraki/data_stream/events/fields/base-fields.yml index 9f517c13a0f..71da0e30206 100644 --- a/packages/cisco_meraki/data_stream/events/fields/base-fields.yml +++ b/packages/cisco_meraki/data_stream/events/fields/base-fields.yml @@ -15,10 +15,3 @@ type: constant_keyword description: Event dataset value: cisco_meraki.events -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword diff --git a/packages/cisco_meraki/data_stream/log/fields/base-fields.yml b/packages/cisco_meraki/data_stream/log/fields/base-fields.yml index 61e7298e6ec..57cd7d544ae 100644 --- a/packages/cisco_meraki/data_stream/log/fields/base-fields.yml +++ b/packages/cisco_meraki/data_stream/log/fields/base-fields.yml @@ -15,10 +15,3 @@ type: constant_keyword description: Event dataset value: cisco_meraki.log -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword -- name: input.type - description: Type of Filebeat input. - type: keyword 
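Review bot: For cisco_meraki events and log these hunks drop `input.type` together with `container.id`, while the cisco/meraki and cisco/nexus hunks above keep `input.type` in base-fields.yml; presumably cisco_meraki defines it in a package-level agent.yml that is not part of this diff. Please confirm that file actually carries `input.type` (and `container.id`) for cisco_meraki, since the `log` data stream is commonly filtered on `input.type` and an unmapped field would be text-mapped dynamically instead of keyword. If agent.yml does not define it, restore `- name: input.type` / `type: keyword` here.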
diff --git a/packages/cisco_nexus/data_stream/log/fields/base-fields.yml b/packages/cisco_nexus/data_stream/log/fields/base-fields.yml index d78668f34fe..2edfc68eac0 100644 --- a/packages/cisco_nexus/data_stream/log/fields/base-fields.yml +++ b/packages/cisco_nexus/data_stream/log/fields/base-fields.yml @@ -15,10 +15,6 @@ type: constant_keyword description: Event dataset value: cisco_nexus.log -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword - name: input.type description: Type of Filebeat input. type: keyword diff --git a/packages/cisco_secure_email_gateway/data_stream/log/fields/fields.yml b/packages/cisco_secure_email_gateway/data_stream/log/fields/fields.yml index 0b6fbd185e1..5b8eee05bcb 100644 --- a/packages/cisco_secure_email_gateway/data_stream/log/fields/fields.yml +++ b/packages/cisco_secure_email_gateway/data_stream/log/fields/fields.yml @@ -502,5 +502,3 @@ - name: type type: keyword description: Input type. -- name: input.type - type: keyword diff --git a/packages/cisco_secure_endpoint/data_stream/event/fields/base-fields.yml b/packages/cisco_secure_endpoint/data_stream/event/fields/base-fields.yml index 351ac771303..7e2ae7c8427 100644 --- a/packages/cisco_secure_endpoint/data_stream/event/fields/base-fields.yml +++ b/packages/cisco_secure_endpoint/data_stream/event/fields/base-fields.yml @@ -18,10 +18,6 @@ type: constant_keyword description: Event dataset value: cisco_secure_endpoint.event -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword - name: input.type description: Type of Filebeat input. type: keyword diff --git a/packages/cisco_umbrella/data_stream/log/fields/base-fields.yml b/packages/cisco_umbrella/data_stream/log/fields/base-fields.yml index 1fb9b67d579..2c6581fc21d 100644 --- a/packages/cisco_umbrella/data_stream/log/fields/base-fields.yml +++ b/packages/cisco_umbrella/data_stream/log/fields/base-fields.yml 
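Review bot: The cisco_secure_email_gateway hunk removes the `input.type` duplicate but leaves the preceding sibling `- name: type` / `type: keyword` / `description: Input type.`, which declares a top-level `type` field with the same description. That entry looks like the same duplication under a truncated name; Filebeat populates `input.type`, and nothing visible here suggests the pipeline sets a bare `type`, so the retained mapping is likely dead. Consider removing it in the same cleanup, or, if a top-level `type` is genuinely emitted by the pipeline, give it a description that distinguishes it from `input.type`.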
@@ -15,10 +15,6 @@ type: constant_keyword description: Event dataset value: cisco_umbrella.log -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword - name: input.type description: Type of Filebeat input. type: keyword diff --git a/packages/fortinet/data_stream/clientendpoint/fields/base-fields.yml b/packages/fortinet/data_stream/clientendpoint/fields/base-fields.yml index 8b0f96fec09..08b97d5f8d8 100644 --- a/packages/fortinet/data_stream/clientendpoint/fields/base-fields.yml +++ b/packages/fortinet/data_stream/clientendpoint/fields/base-fields.yml @@ -15,10 +15,6 @@ type: constant_keyword description: Event dataset value: fortinet.clientendpoint -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword - name: input.type description: Type of Filebeat input. type: keyword diff --git a/packages/fortinet/data_stream/fortimail/fields/base-fields.yml b/packages/fortinet/data_stream/fortimail/fields/base-fields.yml index 251235bb423..835e6882275 100644 --- a/packages/fortinet/data_stream/fortimail/fields/base-fields.yml +++ b/packages/fortinet/data_stream/fortimail/fields/base-fields.yml @@ -15,10 +15,6 @@ type: constant_keyword description: Event dataset value: fortinet.fortimail -- name: container.id - description: Unique container id. - ignore_above: 1024 - type: keyword - name: input.type description: Type of Filebeat input. type: keyword diff --git a/packages/fortinet/data_stream/fortimanager/fields/base-fields.yml b/packages/fortinet/data_stream/fortimanager/fields/base-fields.yml index ec22402e930..d9f35d7c497 100644 --- a/packages/fortinet/data_stream/fortimanager/fields/base-fields.yml +++ b/packages/fortinet/data_stream/fortimanager/fields/base-fields.yml 
@@ -15,10 +15,6 @@
   type: constant_keyword
   description: Event dataset
   value: fortinet.fortimanager
-- name: container.id
-  description: Unique container id.
-  ignore_above: 1024
-  type: keyword
 - name: input.type
   description: Type of Filebeat input.
   type: keyword
diff --git a/packages/hid_bravura_monitor/data_stream/log/fields/base-fields.yml b/packages/hid_bravura_monitor/data_stream/log/fields/base-fields.yml
index b25d7f5d595..46908d2a37e 100644
--- a/packages/hid_bravura_monitor/data_stream/log/fields/base-fields.yml
+++ b/packages/hid_bravura_monitor/data_stream/log/fields/base-fields.yml
@@ -18,6 +18,3 @@
 - name: log.flags
   description: Flags for the log file.
   type: keyword
-- name: log.offset
-  description: Offset of the entry in the log file.
-  type: long
diff --git a/packages/juniper/data_stream/junos/fields/base-fields.yml b/packages/juniper/data_stream/junos/fields/base-fields.yml
index 92c55e0c2f9..8401571ede4 100644
--- a/packages/juniper/data_stream/junos/fields/base-fields.yml
+++ b/packages/juniper/data_stream/junos/fields/base-fields.yml
@@ -15,10 +15,6 @@
   type: constant_keyword
   description: Event dataset
   value: juniper.junos
-- name: container.id
-  description: Unique container id.
-  ignore_above: 1024
-  type: keyword
 - name: input.type
   description: Type of Filebeat input.
   type: keyword
diff --git a/packages/juniper/data_stream/netscreen/fields/base-fields.yml b/packages/juniper/data_stream/netscreen/fields/base-fields.yml
index f1b2287e9ce..181f1fddbeb 100644
--- a/packages/juniper/data_stream/netscreen/fields/base-fields.yml
+++ b/packages/juniper/data_stream/netscreen/fields/base-fields.yml
@@ -15,10 +15,6 @@
   type: constant_keyword
   description: Event dataset
   value: juniper.netscreen
-- name: container.id
-  description: Unique container id.
-  ignore_above: 1024
-  type: keyword
 - name: input.type
   description: Type of Filebeat input.
   type: keyword
diff --git a/packages/juniper_junos/data_stream/log/fields/base-fields.yml b/packages/juniper_junos/data_stream/log/fields/base-fields.yml
index 2b604cdf182..5b3ee114e0f 100644
--- a/packages/juniper_junos/data_stream/log/fields/base-fields.yml
+++ b/packages/juniper_junos/data_stream/log/fields/base-fields.yml
@@ -15,10 +15,6 @@
   type: constant_keyword
   description: Event dataset
   value: juniper_junos.log
-- name: container.id
-  description: Unique container id.
-  ignore_above: 1024
-  type: keyword
 - name: input.type
   description: Type of Filebeat input.
   type: keyword
diff --git a/packages/juniper_netscreen/data_stream/log/fields/base-fields.yml b/packages/juniper_netscreen/data_stream/log/fields/base-fields.yml
index abf4af53ad1..905f87d3120 100644
--- a/packages/juniper_netscreen/data_stream/log/fields/base-fields.yml
+++ b/packages/juniper_netscreen/data_stream/log/fields/base-fields.yml
@@ -15,10 +15,6 @@
   type: constant_keyword
   description: Event dataset
   value: juniper_netscreen.log
-- name: container.id
-  description: Unique container id.
-  ignore_above: 1024
-  type: keyword
 - name: input.type
   description: Type of Filebeat input.
   type: keyword
diff --git a/packages/microsoft/data_stream/dhcp/fields/base-fields.yml b/packages/microsoft/data_stream/dhcp/fields/base-fields.yml
index 4a5691ae184..5eb984d0e1a 100644
--- a/packages/microsoft/data_stream/dhcp/fields/base-fields.yml
+++ b/packages/microsoft/data_stream/dhcp/fields/base-fields.yml
@@ -15,10 +15,6 @@
   type: constant_keyword
   description: Event dataset
   value: microsoft.dhcp
-- name: container.id
-  description: Unique container id.
-  ignore_above: 1024
-  type: keyword
 - name: input.type
   description: Type of Filebeat input.
   type: keyword
diff --git a/packages/zeek/data_stream/capture_loss/fields/beats.yml b/packages/zeek/data_stream/capture_loss/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/capture_loss/fields/beats.yml
+++ b/packages/zeek/data_stream/capture_loss/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/connection/fields/beats.yml b/packages/zeek/data_stream/connection/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/connection/fields/beats.yml
+++ b/packages/zeek/data_stream/connection/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/dce_rpc/fields/beats.yml b/packages/zeek/data_stream/dce_rpc/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/dce_rpc/fields/beats.yml
+++ b/packages/zeek/data_stream/dce_rpc/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/dhcp/fields/beats.yml b/packages/zeek/data_stream/dhcp/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/dhcp/fields/beats.yml
+++ b/packages/zeek/data_stream/dhcp/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/dnp3/fields/beats.yml b/packages/zeek/data_stream/dnp3/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/dnp3/fields/beats.yml
+++ b/packages/zeek/data_stream/dnp3/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/dns/fields/beats.yml b/packages/zeek/data_stream/dns/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/dns/fields/beats.yml
+++ b/packages/zeek/data_stream/dns/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/dpd/fields/beats.yml b/packages/zeek/data_stream/dpd/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/dpd/fields/beats.yml
+++ b/packages/zeek/data_stream/dpd/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/files/fields/beats.yml b/packages/zeek/data_stream/files/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/files/fields/beats.yml
+++ b/packages/zeek/data_stream/files/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/ftp/fields/beats.yml b/packages/zeek/data_stream/ftp/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/ftp/fields/beats.yml
+++ b/packages/zeek/data_stream/ftp/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/http/fields/beats.yml b/packages/zeek/data_stream/http/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/http/fields/beats.yml
+++ b/packages/zeek/data_stream/http/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/intel/fields/beats.yml b/packages/zeek/data_stream/intel/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/intel/fields/beats.yml
+++ b/packages/zeek/data_stream/intel/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/irc/fields/beats.yml b/packages/zeek/data_stream/irc/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/irc/fields/beats.yml
+++ b/packages/zeek/data_stream/irc/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/kerberos/fields/beats.yml b/packages/zeek/data_stream/kerberos/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/kerberos/fields/beats.yml
+++ b/packages/zeek/data_stream/kerberos/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/modbus/fields/beats.yml b/packages/zeek/data_stream/modbus/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/modbus/fields/beats.yml
+++ b/packages/zeek/data_stream/modbus/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/mysql/fields/beats.yml b/packages/zeek/data_stream/mysql/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/mysql/fields/beats.yml
+++ b/packages/zeek/data_stream/mysql/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/notice/fields/beats.yml b/packages/zeek/data_stream/notice/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/notice/fields/beats.yml
+++ b/packages/zeek/data_stream/notice/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/ntlm/fields/beats.yml b/packages/zeek/data_stream/ntlm/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/ntlm/fields/beats.yml
+++ b/packages/zeek/data_stream/ntlm/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/ntp/fields/beats.yml b/packages/zeek/data_stream/ntp/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/ntp/fields/beats.yml
+++ b/packages/zeek/data_stream/ntp/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/ocsp/fields/beats.yml b/packages/zeek/data_stream/ocsp/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/ocsp/fields/beats.yml
+++ b/packages/zeek/data_stream/ocsp/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/pe/fields/beats.yml b/packages/zeek/data_stream/pe/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/pe/fields/beats.yml
+++ b/packages/zeek/data_stream/pe/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/radius/fields/beats.yml b/packages/zeek/data_stream/radius/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/radius/fields/beats.yml
+++ b/packages/zeek/data_stream/radius/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/rdp/fields/beats.yml b/packages/zeek/data_stream/rdp/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/rdp/fields/beats.yml
+++ b/packages/zeek/data_stream/rdp/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/rfb/fields/beats.yml b/packages/zeek/data_stream/rfb/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/rfb/fields/beats.yml
+++ b/packages/zeek/data_stream/rfb/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/signature/fields/beats.yml b/packages/zeek/data_stream/signature/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/signature/fields/beats.yml
+++ b/packages/zeek/data_stream/signature/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/sip/fields/beats.yml b/packages/zeek/data_stream/sip/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/sip/fields/beats.yml
+++ b/packages/zeek/data_stream/sip/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/smb_cmd/fields/beats.yml b/packages/zeek/data_stream/smb_cmd/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/smb_cmd/fields/beats.yml
+++ b/packages/zeek/data_stream/smb_cmd/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/smb_files/fields/beats.yml b/packages/zeek/data_stream/smb_files/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/smb_files/fields/beats.yml
+++ b/packages/zeek/data_stream/smb_files/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/smb_mapping/fields/beats.yml b/packages/zeek/data_stream/smb_mapping/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/smb_mapping/fields/beats.yml
+++ b/packages/zeek/data_stream/smb_mapping/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/smtp/fields/beats.yml b/packages/zeek/data_stream/smtp/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/smtp/fields/beats.yml
+++ b/packages/zeek/data_stream/smtp/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/snmp/fields/beats.yml b/packages/zeek/data_stream/snmp/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/snmp/fields/beats.yml
+++ b/packages/zeek/data_stream/snmp/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/socks/fields/beats.yml b/packages/zeek/data_stream/socks/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/socks/fields/beats.yml
+++ b/packages/zeek/data_stream/socks/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/ssh/fields/beats.yml b/packages/zeek/data_stream/ssh/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/ssh/fields/beats.yml
+++ b/packages/zeek/data_stream/ssh/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/ssl/fields/beats.yml b/packages/zeek/data_stream/ssl/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/ssl/fields/beats.yml
+++ b/packages/zeek/data_stream/ssl/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/stats/fields/beats.yml b/packages/zeek/data_stream/stats/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/stats/fields/beats.yml
+++ b/packages/zeek/data_stream/stats/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/syslog/fields/beats.yml b/packages/zeek/data_stream/syslog/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/syslog/fields/beats.yml
+++ b/packages/zeek/data_stream/syslog/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/traceroute/fields/beats.yml b/packages/zeek/data_stream/traceroute/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/traceroute/fields/beats.yml
+++ b/packages/zeek/data_stream/traceroute/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/tunnel/fields/beats.yml b/packages/zeek/data_stream/tunnel/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/tunnel/fields/beats.yml
+++ b/packages/zeek/data_stream/tunnel/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/weird/fields/beats.yml b/packages/zeek/data_stream/weird/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/weird/fields/beats.yml
+++ b/packages/zeek/data_stream/weird/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
diff --git a/packages/zeek/data_stream/x509/fields/beats.yml b/packages/zeek/data_stream/x509/fields/beats.yml
index 470f5fae484..e5e37f3fe94 100644
--- a/packages/zeek/data_stream/x509/fields/beats.yml
+++ b/packages/zeek/data_stream/x509/fields/beats.yml
@@ -1,7 +1,3 @@
-- description: Unique container id.
-  ignore_above: 1024
-  name: container.id
-  type: keyword
 - description: Type of Filebeat input.
   name: input.type
   type: keyword
From c2709953c4b0cb4fdaf06fc875f75a62bfa5265c Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor Date: Tue, 10 May 2022 13:44:45 +0200 Subject: [PATCH 14/28] More fields --- packages/awsfargate/docs/README.md | 5 - packages/cisco/docs/README.md | 4 - packages/cisco_asa/docs/README.md | 2 - packages/cisco_ftd/docs/README.md | 2 - packages/cisco_meraki/docs/README.md | 2 +- .../cisco_secure_email_gateway/docs/README.md | 2 +- packages/gcp/docs/README.md | 5 - packages/gcp/docs/dns.md | 5 - packages/hid_bravura_monitor/docs/README.md | 2 - packages/juniper/docs/README.md | 48 - packages/juniper_srx/docs/README.md | 24 - .../data_stream/container/fields/fields.yml | 207 --- .../controllermanager/fields/fields.yml | 159 -- .../data_stream/event/fields/fields.yml | 108 -- .../data_stream/node/fields/fields.yml | 198 --- .../data_stream/pod/fields/fields.yml | 144 -- .../data_stream/scheduler/fields/fields.yml | 163 -- .../state_container/fields/fields.yml | 66 - .../state_cronjob/fields/fields.yml | 42 - .../state_daemonset/fields/fields.yml | 31 - .../state_deployment/fields/fields.yml | 30 - .../data_stream/state_job/fields/fields.yml | 76 - .../data_stream/state_node/fields/fields.yml | 69 - .../state_persistentvolume/fields/fields.yml | 18 - .../fields/fields.yml | 24 - .../data_stream/state_pod/fields/fields.yml | 26 - .../state_replicaset/fields/fields.yml | 31 - .../state_resourcequota/fields/fields.yml | 24 - .../state_service/fields/fields.yml | 31 - .../state_statefulset/fields/fields.yml | 40 - .../state_storageclass/fields/fields.yml | 19 - .../data_stream/system/fields/fields.yml | 74 - .../data_stream/volume/fields/fields.yml | 73 - packages/kubernetes/docs/events.md | 128 +- .../docs/kube-controller-manager.md | 142 +- packages/kubernetes/docs/kube-scheduler.md | 144 +- .../kubernetes/docs/kube-state-metrics.md | 1332 ++++++++--------- packages/kubernetes/docs/kubelet.md | 543 +++---- packages/netflow/docs/README.md | 10 - packages/network_traffic/docs/README.md | 5 - packages/windows/docs/README.md | 5 - 
packages/zeek/docs/README.md | 5 - 42 files changed, 1014 insertions(+), 3054 deletions(-) delete mode 100644 packages/kubernetes/data_stream/container/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/controllermanager/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/event/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/node/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/pod/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/scheduler/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/state_container/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/state_cronjob/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/state_daemonset/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/state_deployment/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/state_job/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/state_node/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/state_persistentvolume/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/state_persistentvolumeclaim/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/state_pod/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/state_replicaset/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/state_resourcequota/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/state_service/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/state_statefulset/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/state_storageclass/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/system/fields/fields.yml delete mode 100644 packages/kubernetes/data_stream/volume/fields/fields.yml 
diff --git a/packages/awsfargate/docs/README.md b/packages/awsfargate/docs/README.md index 7258c64d877..e6e0d4dcbc8 100644 --- a/packages/awsfargate/docs/README.md +++ b/packages/awsfargate/docs/README.md @@ -377,11 +377,6 @@ If you want to learn more about Amazon ECS metrics, take a look at the blog post | container.image.name | Name of the image the container was built on. | keyword | | container.image.tag | Container image tags. | keyword | | container.labels | Image labels. | object | -| container.labels.com_amazonaws_ecs_cluster | ECS Cluster name | keyword | -| container.labels.com_amazonaws_ecs_container-name | ECS container name | keyword | -| container.labels.com_amazonaws_ecs_task-arn | ECS task ARN | keyword | -| container.labels.com_amazonaws_ecs_task-definition-family | ECS task definition family | keyword | -| container.labels.com_amazonaws_ecs_task-definition-version | ECS task definition version | keyword | | container.name | Container name. | keyword | | container.runtime | Runtime managing this container. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | diff --git a/packages/cisco/docs/README.md b/packages/cisco/docs/README.md index 750e050d29e..5ef587a2db0 100644 --- a/packages/cisco/docs/README.md +++ b/packages/cisco/docs/README.md 
@@ -257,8 +257,6 @@ An example event for `asa` looks as following: | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | | network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | -| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | -| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. 
| keyword | | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | | network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | 
@@ -635,8 +633,6 @@ An example event for `ftd` looks as following: | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword | | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword | | network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object | -| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword | -| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword | | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. 
| keyword | | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword | | network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword | diff --git a/packages/cisco_asa/docs/README.md b/packages/cisco_asa/docs/README.md index a1b7a6d6170..99e13422e71 100644 --- a/packages/cisco_asa/docs/README.md +++ b/packages/cisco_asa/docs/README.md 
@@ -256,8 +256,6 @@ An example event for `log` looks as following:
 | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
 | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
 | network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
-| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
-| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
 | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
 | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
 | network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
diff --git a/packages/cisco_ftd/docs/README.md b/packages/cisco_ftd/docs/README.md
index acde41953a9..f8da1286849 100644
--- a/packages/cisco_ftd/docs/README.md
+++ b/packages/cisco_ftd/docs/README.md
@@ -319,8 +319,6 @@ An example event for `log` looks as following:
 | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
 | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
 | network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
-| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
-| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
 | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
 | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
 | network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
diff --git a/packages/cisco_meraki/docs/README.md b/packages/cisco_meraki/docs/README.md
index 362b1c2a302..4e5897bfe75 100644
--- a/packages/cisco_meraki/docs/README.md
+++ b/packages/cisco_meraki/docs/README.md
@@ -512,7 +512,7 @@ An example event for `log` looks as following:
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
 | http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
 | http.request.referrer | Referrer for this HTTP request. | keyword |
-| input.type | Type of Filebeat input. | keyword |
+| input.type | Input type. | keyword |
 | log.file.path | Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.offset | Offset of the entry in the log file. | long |
diff --git a/packages/cisco_secure_email_gateway/docs/README.md b/packages/cisco_secure_email_gateway/docs/README.md
index 31559fa4eec..601a29c3afc 100644
--- a/packages/cisco_secure_email_gateway/docs/README.md
+++ b/packages/cisco_secure_email_gateway/docs/README.md
@@ -500,7 +500,7 @@ An example event for `log` looks as following:
 | http.request.method | HTTP request method. The value should retain its casing from the original event. For example, `GET`, `get`, and `GeT` are all considered valid values for this field. | keyword |
 | http.response.status_code | HTTP response status code. | long |
 | http.version | HTTP version. | keyword |
-| input.type | | keyword |
+| input.type | Input type | keyword |
 | log.file.path | File path from which the log event was read / sent from. | keyword |
 | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword |
 | log.offset | Log offset | long |
diff --git a/packages/gcp/docs/README.md b/packages/gcp/docs/README.md
index c070e2f3f6b..a29a9407879 100644
--- a/packages/gcp/docs/README.md
+++ b/packages/gcp/docs/README.md
@@ -950,11 +950,6 @@ The `dns` dataset collects queries that name servers resolve for your Virtual Pr
 | destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
 | destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
 | dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
 | dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
 | dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
diff --git a/packages/gcp/docs/dns.md b/packages/gcp/docs/dns.md
index 18f0001dae4..87fae2ac287 100644
--- a/packages/gcp/docs/dns.md
+++ b/packages/gcp/docs/dns.md
@@ -28,11 +28,6 @@ The `dns` dataset collects queries that name servers resolve for your Virtual Pr
 | destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
 | destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
 | dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
 | dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
 | dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
diff --git a/packages/hid_bravura_monitor/docs/README.md b/packages/hid_bravura_monitor/docs/README.md
index ae419ff7169..5ad6994de9b 100644
--- a/packages/hid_bravura_monitor/docs/README.md
+++ b/packages/hid_bravura_monitor/docs/README.md
@@ -360,8 +360,6 @@ An example event for `log` looks as following:
 | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
 | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
 | network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
-| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
-| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
 | network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
 | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
 | network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
diff --git a/packages/juniper/docs/README.md b/packages/juniper/docs/README.md
index ab2082048e0..c28413de56b 100644
--- a/packages/juniper/docs/README.md
+++ b/packages/juniper/docs/README.md
@@ -169,11 +169,6 @@ The following processes and tags are supported:
 | dll.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
 | dll.pe.product | Internal product name of the file, provided at compile-time. | keyword |
 | dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
 | dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword |
 | dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
 | dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword |
@@ -443,11 +438,6 @@ The following processes and tags are supported:
 | log.offset | Byte offset of the log line within its file. | long |
 | log.source.address | Source address of the syslog message. | keyword |
 | log.syslog | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. | object |
-| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
-| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
-| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
 | network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
 | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
@@ -456,8 +446,6 @@ The following processes and tags are supported:
 | network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
 | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
 | network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
-| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
-| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
 | network.name | Name given by operators to sections of their network. | keyword |
 | network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
 | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
@@ -466,12 +454,6 @@ The following processes and tags are supported:
 | network.vlan.id | VLAN ID as reported by the observer. | keyword |
 | network.vlan.name | Optional VLAN name as reported by the observer. | keyword |
 | observer.egress | Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object |
-| observer.egress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword |
-| observer.egress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.egress.vlan.id | VLAN ID as reported by the observer. | keyword |
-| observer.egress.vlan.name | Optional VLAN name as reported by the observer. | keyword |
-| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword |
 | observer.geo.city_name | City name. | keyword |
 | observer.geo.continent_name | Name of the continent. | keyword |
 | observer.geo.country_iso_code | Country ISO code. | keyword |
@@ -482,12 +464,6 @@ The following processes and tags are supported:
 | observer.geo.region_name | Region name. | keyword |
 | observer.hostname | Hostname of the observer. | keyword |
 | observer.ingress | Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object |
-| observer.ingress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword |
-| observer.ingress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.ingress.vlan.id | VLAN ID as reported by the observer. | keyword |
-| observer.ingress.vlan.name | Optional VLAN name as reported by the observer. | keyword |
-| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
 | observer.ip | IP addresses of the observer. | ip |
 | observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
@@ -1004,11 +980,6 @@ The `junos` dataset collects Juniper JUNOS logs.
 | dll.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
 | dll.pe.product | Internal product name of the file, provided at compile-time. | keyword |
 | dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
 | dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword |
 | dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
 | dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword |
@@ -1278,11 +1249,6 @@ The `junos` dataset collects Juniper JUNOS logs.
 | log.offset | Byte offset of the log line within its file. | long |
 | log.source.address | Source address of the syslog message. | keyword |
 | log.syslog | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. | object |
-| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
-| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
-| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
 | network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
 | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
@@ -1291,8 +1257,6 @@ The `junos` dataset collects Juniper JUNOS logs.
 | network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
 | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
 | network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
-| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
-| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
 | network.name | Name given by operators to sections of their network. | keyword |
 | network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
 | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
@@ -1301,12 +1265,6 @@ The `junos` dataset collects Juniper JUNOS logs.
 | network.vlan.id | VLAN ID as reported by the observer. | keyword |
 | network.vlan.name | Optional VLAN name as reported by the observer. | keyword |
 | observer.egress | Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object |
-| observer.egress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword |
-| observer.egress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.egress.vlan.id | VLAN ID as reported by the observer. | keyword |
-| observer.egress.vlan.name | Optional VLAN name as reported by the observer. | keyword |
-| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword |
 | observer.geo.city_name | City name. | keyword |
 | observer.geo.continent_name | Name of the continent. | keyword |
 | observer.geo.country_iso_code | Country ISO code. | keyword |
@@ -1317,12 +1275,6 @@ The `junos` dataset collects Juniper JUNOS logs.
 | observer.geo.region_name | Region name. | keyword |
 | observer.hostname | Hostname of the observer. | keyword |
 | observer.ingress | Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object |
-| observer.ingress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword |
-| observer.ingress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.ingress.vlan.id | VLAN ID as reported by the observer. | keyword |
-| observer.ingress.vlan.name | Optional VLAN name as reported by the observer. | keyword |
-| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
 | observer.ip | IP addresses of the observer. | ip |
 | observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
diff --git a/packages/juniper_srx/docs/README.md b/packages/juniper_srx/docs/README.md
index 685b9788488..fb29d040933 100644
--- a/packages/juniper_srx/docs/README.md
+++ b/packages/juniper_srx/docs/README.md
@@ -165,11 +165,6 @@ The following processes and tags are supported:
 | dll.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
 | dll.pe.product | Internal product name of the file, provided at compile-time. | keyword |
 | dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
 | dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword |
 | dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
 | dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword |
@@ -439,11 +434,6 @@ The following processes and tags are supported:
 | log.offset | Byte offset of the log line within its file. | long |
 | log.source.address | Source address of the syslog message. | keyword |
 | log.syslog | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. | object |
-| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
-| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
-| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.
| match_only_text |
 | network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
 | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
@@ -452,8 +442,6 @@ The following processes and tags are supported:
 | network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
 | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
 | network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
-| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
-| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
 | network.name | Name given by operators to sections of their network. | keyword |
 | network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
 | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
@@ -462,12 +450,6 @@ The following processes and tags are supported:
 | network.vlan.id | VLAN ID as reported by the observer. | keyword |
 | network.vlan.name | Optional VLAN name as reported by the observer. | keyword |
 | observer.egress | Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object |
-| observer.egress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword |
-| observer.egress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword |
-| observer.egress.interface.name | Interface name as reported by the system. | keyword |
-| observer.egress.vlan.id | VLAN ID as reported by the observer. | keyword |
-| observer.egress.vlan.name | Optional VLAN name as reported by the observer. | keyword |
-| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword |
 | observer.geo.city_name | City name. | keyword |
 | observer.geo.continent_name | Name of the continent. | keyword |
 | observer.geo.country_iso_code | Country ISO code. | keyword |
@@ -478,12 +460,6 @@ The following processes and tags are supported:
 | observer.geo.region_name | Region name. | keyword |
 | observer.hostname | Hostname of the observer. | keyword |
 | observer.ingress | Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object |
-| observer.ingress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword |
-| observer.ingress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword |
-| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
-| observer.ingress.vlan.id | VLAN ID as reported by the observer. | keyword |
-| observer.ingress.vlan.name | Optional VLAN name as reported by the observer. | keyword |
-| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
 | observer.ip | IP addresses of the observer. | ip |
 | observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
diff --git a/packages/kubernetes/data_stream/container/fields/fields.yml b/packages/kubernetes/data_stream/container/fields/fields.yml
deleted file mode 100644
index 41e238e000e..00000000000
--- a/packages/kubernetes/data_stream/container/fields/fields.yml
+++ /dev/null
@@ -1,207 +0,0 @@ -- name: kubernetes.container - type: group - fields: - - name: start_time - type: date - description: | - Start time - - name: cpu - type: group - fields: - - name: usage - type: group - fields: - - name: core - type: group - fields: - - name: ns - type: long - metric_type: gauge - description: | - Container CPU Core usage nanoseconds - - name: nanocores - type: long - metric_type: gauge - description: | - CPU used nanocores - - name: node.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - CPU usage as a percentage of the total node allocatable CPU - - name: limit.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - CPU usage as a percentage of the defined limit for the container (or total node allocatable CPU if unlimited) - - name: logs - type: group - fields: - - name: available - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Logs available capacity in bytes - - name: capacity - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Logs total capacity in bytes - - name: used - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Logs used capacity in bytes - - name: inodes - type: group - fields: - - name: count - type: long - metric_type: gauge - description: | - Total available inodes - - name: free - type: long - metric_type: gauge - description: | - Total free inodes - - name: used - type: long - metric_type: gauge - description: | - Total used inodes - - name: memory - type: group - fields: - - name: available - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total available memory - - name: usage - type: group - fields: - - name: bytes - type: long - format: bytes - unit: 
byte - metric_type: gauge - description: | - Total memory usage - - name: node.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - Memory usage as a percentage of the total node allocatable memory - - name: limit.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - Memory usage as a percentage of the defined limit for the container (or total node allocatable memory if unlimited) - - name: rss - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - RSS memory usage - - name: workingset - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Working set memory usage - - name: limit.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: > - Working set memory usage as a percentage of the defined limit for the container (or total node allocatable memory if unlimited) - - - name: pagefaults - type: long - metric_type: counter - description: | - Number of page faults - - name: majorpagefaults - type: long - metric_type: counter - description: | - Number of major page faults - - name: rootfs - type: group - fields: - - name: capacity - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Root filesystem total capacity in bytes - - name: available - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Root filesystem total available in bytes - - name: used - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Root filesystem total used in bytes - - name: inodes - type: group - fields: - - name: used - type: long - metric_type: gauge - description: | - Used inodes 
diff --git a/packages/kubernetes/data_stream/controllermanager/fields/fields.yml b/packages/kubernetes/data_stream/controllermanager/fields/fields.yml
deleted file mode 100644
index 1ef76f93e8b..00000000000
--- a/packages/kubernetes/data_stream/controllermanager/fields/fields.yml
+++ /dev/null
@@ -1,159 +0,0 @@ -- name: kubernetes.controllermanager - type: group - fields: - - name: handler - dimension: true - type: keyword - description: | - Request handler - - name: code - dimension: true - type: keyword - description: | - HTTP code - - name: method - dimension: true - type: keyword - description: | - HTTP method - - name: host - dimension: true - type: keyword - description: | - Request host - - name: name - dimension: true - type: keyword - description: | - Name for the resource - - name: zone - dimension: true - type: keyword - description: | - Infrastructure zone - - name: process - type: group - fields: - - name: cpu.sec - type: double - metric_type: counter - description: CPU seconds - - name: memory.resident.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: Bytes in resident memory - - name: memory.virtual.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: Bytes in virtual memory - - name: fds.open.count - type: long - metric_type: gauge - description: Number of open file descriptors - - name: started.sec - type: double - metric_type: gauge - description: Seconds since the process started - - name: http - type: group - fields: - - name: request.duration.us.percentile.* - type: object - description: Request duration microseconds percentiles - - name: request.duration.us.sum - type: double - unit: micros - metric_type: counter - description: Request duration microseconds cumulative sum - - name: request.duration.us.count - type: long - unit: micros - metric_type: counter - description: Request count for duration - - name: request.size.bytes.percentile.* - type: object - description: Request size percentiles - - name: request.size.bytes.sum - type: long - format: bytes - unit: byte - metric_type: counter - description: Request size cumulative sum - - name: request.size.bytes.count - type: long - unit: byte - metric_type: counter - description: Request count for size - - name: 
response.size.bytes.percentile.* - type: object - description: Response size percentiles - - name: response.size.bytes.sum - type: long - format: bytes - unit: byte - metric_type: counter - description: Response size cumulative sum - - name: response.size.bytes.count - type: long - unit: byte - metric_type: counter - description: Response count - - name: request.count - type: long - metric_type: counter - description: Request count for response - - name: client.request.count - type: long - metric_type: counter - description: | - Number of requests as client - - name: workqueue - type: group - fields: - - name: longestrunning.sec - type: double - metric_type: gauge - description: Longest running processors - - name: unfinished.sec - type: double - metric_type: gauge - description: Unfinished processors - - name: adds.count - type: long - metric_type: counter - description: Workqueue add count - - name: depth.count - type: long - metric_type: gauge - description: Workqueue depth count - - name: retries.count - type: long - metric_type: counter - description: Workqueue number of retries - - name: node.collector - type: group - fields: - - name: eviction.count - type: long - metric_type: counter - description: Number of node evictions - - name: unhealthy.count - type: long - metric_type: gauge - description: Number of unhealthy nodes - - name: count - type: long - metric_type: gauge - description: Number of nodes - - name: health.pct - type: long - metric_type: gauge - description: Percentage of healthy nodes - - name: leader.is_master - type: boolean - description: | - Whether the node is master diff --git a/packages/kubernetes/data_stream/event/fields/fields.yml b/packages/kubernetes/data_stream/event/fields/fields.yml deleted file mode 100644 index 9bcbf000165..00000000000 --- a/packages/kubernetes/data_stream/event/fields/fields.yml +++ /dev/null 
@@ -1,108 +0,0 @@ -- name: kubernetes.event - type: group - fields: - - name: count - type: long - metric_type: counter - description: | - Count field records the number of times the particular event has occurred - - name: timestamp - type: group - fields: - - name: first_occurrence - type: date - description: | - Timestamp of first occurrence of event - - name: last_occurrence - type: date - description: | - Timestamp of last occurrence of event - - name: message - type: text - description: | - Message recorded for the given event - - name: reason - dimension: true - type: keyword - description: | - Reason recorded for the given event - - name: type - dimension: true - type: keyword - description: | - Type of the given event - - name: source - type: group - fields: - - name: component - dimension: true - type: keyword - description: | - Component from which the event is generated - - name: host - dimension: true - type: keyword - description: | - Node name on which the event is generated - - name: metadata - type: group - fields: - - name: timestamp - type: group - fields: - - name: created - type: date - description: | - Timestamp of creation of the given event - - name: generate_name - dimension: true - type: keyword - description: | - Generate name of the event - - name: name - dimension: true - type: keyword - description: | - Name of the event - - name: namespace - dimension: true - type: keyword - description: | - Namespace in which event was generated - - name: resource_version - dimension: true - type: keyword - description: | - Version of the event resource - - name: uid - type: keyword - description: | - Unique identifier to the event object - - name: self_link - type: keyword - description: | - URL representing the event - - name: involved_object - type: group - fields: - - name: api_version - type: keyword - description: | - API version of the object - - name: kind - type: keyword - description: | - API kind of the object - - name: name - type: keyword 
- description: | - name of the object - - name: resource_version - type: keyword - description: | - resource version of the object - - name: uid - dimension: true - type: keyword - description: | - uid version of the object diff --git a/packages/kubernetes/data_stream/node/fields/fields.yml b/packages/kubernetes/data_stream/node/fields/fields.yml deleted file mode 100644 index dc46f35f2ab..00000000000 --- a/packages/kubernetes/data_stream/node/fields/fields.yml +++ /dev/null 
@@ -1,198 +0,0 @@ -- name: kubernetes.node - type: group - fields: - - name: start_time - type: date - description: | - Start time - - name: cpu - type: group - fields: - - name: usage - type: group - fields: - - name: core - type: group - fields: - - name: ns - type: long - metric_type: gauge - description: | - Node CPU Core usage nanoseconds - - name: nanocores - type: long - metric_type: gauge - description: | - CPU used nanocores - - name: memory - type: group - fields: - - name: available - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total available memory - - name: usage - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory usage - - name: rss - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - RSS memory usage - - name: workingset - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Working set memory usage - - name: pagefaults - type: long - metric_type: counter - description: | - Number of page faults - - name: majorpagefaults - type: long - metric_type: counter - description: | - Number of major page faults - - name: network - type: group - fields: - - name: rx - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - Received bytes - - name: errors - type: long - description: | - Rx errors - - name: tx - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - Transmitted bytes - - name: errors - type: long - metric_type: counter - description: | - Tx errors - - name: fs - type: group - fields: - - name: capacity - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - 
Filesystem total capacity in bytes - - name: available - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Filesystem total available in bytes - - name: used - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Filesystem total used in bytes - - name: inodes - type: group - fields: - - name: used - type: long - metric_type: gauge - description: | - Number of used inodes - - name: count - type: long - metric_type: gauge - description: | - Number of inodes - - name: free - type: long - metric_type: gauge - description: | - Number of free inodes - - name: runtime - type: group - fields: - - name: imagefs - type: group - fields: - - name: capacity - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Image filesystem total capacity in bytes - - name: available - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Image filesystem total available in bytes - - name: used - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Image filesystem total used in bytes diff --git a/packages/kubernetes/data_stream/pod/fields/fields.yml b/packages/kubernetes/data_stream/pod/fields/fields.yml deleted file mode 100644 index 3f18b91dffe..00000000000 --- a/packages/kubernetes/data_stream/pod/fields/fields.yml +++ /dev/null 
@@ -1,144 +0,0 @@ -- name: kubernetes.pod - type: group - fields: - - name: start_time - type: date - description: | - Start time - - name: network - type: group - fields: - - name: rx - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - Received bytes - - name: errors - type: long - metric_type: counter - description: | - Rx errors - - name: tx - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: counter - description: | - Transmitted bytes - - name: errors - type: long - metric_type: counter - description: | - Tx errors - - name: cpu - type: group - fields: - - name: usage - type: group - fields: - - name: nanocores - type: long - unit: byte - metric_type: gauge - description: | - CPU used nanocores - - name: node.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - CPU usage as a percentage of the total node CPU - - name: limit.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - CPU usage as a percentage of the defined limit for the pod containers (or total node CPU if one or more containers of the pod are unlimited) - - name: memory - type: group - fields: - - name: usage - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory usage - - name: node.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - Memory usage as a percentage of the total node allocatable memory - - name: limit.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - Memory usage as a percentage of the defined limit for the pod containers (or total node allocatable memory if unlimited) - - name: available - type: group - fields: - - name: bytes - type: long - format: bytes - unit: percent - metric_type: gauge - description: 
| - Total memory available - - name: working_set - type: group - fields: - - name: bytes - type: long - format: bytes - unit: percent - metric_type: gauge - description: | - Total working set memory - - name: limit.pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: > - Working set memory usage as a percentage of the defined limit for the pod containers (or total node allocatable memory if unlimited) - - - name: rss - type: group - fields: - - name: bytes - type: long - format: bytes - unit: percent - metric_type: gauge - description: | - Total resident set size memory - - name: page_faults - type: long - metric_type: counter - description: | - Total page faults - - name: major_page_faults - type: long - metric_type: counter - description: | - Total major page faults - - name: ip - type: ip - description: Kubernetes pod IP diff --git a/packages/kubernetes/data_stream/scheduler/fields/fields.yml b/packages/kubernetes/data_stream/scheduler/fields/fields.yml deleted file mode 100644 index fa717504afa..00000000000 --- a/packages/kubernetes/data_stream/scheduler/fields/fields.yml +++ /dev/null 
@@ -1,163 +0,0 @@ -- name: kubernetes.scheduler - type: group - fields: - - name: handler - dimension: true - type: keyword - description: | - Request handler - - name: code - dimension: true - type: keyword - description: | - HTTP code - - name: method - dimension: true - type: keyword - description: | - HTTP method - - name: host - dimension: true - type: keyword - description: | - Request host - - name: name - dimension: true - type: keyword - description: | - Name for the resource - - name: result - dimension: true - type: keyword - description: | - Schedule attempt result - - name: operation - dimension: true - type: keyword - description: | - Scheduling operation - - name: process - type: group - fields: - - name: cpu.sec - type: double - metric_type: counter - description: CPU seconds - - name: memory.resident.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: Bytes in resident memory - - name: memory.virtual.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: Bytes in virtual memory - - name: fds.open.count - type: long - metric_type: gauge - description: Number of open file descriptors - - name: started.sec - type: double - metric_type: gauge - description: Seconds since the process started - - name: http - type: group - fields: - - name: request.duration.us.percentile.* - type: object - description: Request duration microseconds percentiles - - name: request.duration.us.sum - type: double - metric_type: counter - unit: micros - description: Request duration microseconds cumulative sum - - name: request.duration.us.count - type: long - metric_type: counter - unit: micros - description: Request count for duration - - name: request.size.bytes.percentile.* - type: object - description: Request size percentiles - - name: request.size.bytes.sum - type: long - format: bytes - unit: byte - metric_type: counter - description: Request size cumulative sum - - name: request.size.bytes.count - type: long 
- unit: byte - metric_type: counter - description: Request count for size - - name: response.size.bytes.percentile.* - type: object - description: Response size percentiles - - name: response.size.bytes.sum - type: long - format: bytes - unit: byte - metric_type: counter - description: Response size cumulative sum - - name: response.size.bytes.count - type: long - metric_type: counter - description: Response count - - name: request.count - type: long - metric_type: counter - description: Request count - - name: client.request.count - type: long - metric_type: counter - description: | - Number of requests as client - - name: leader.is_master - type: boolean - description: | - Whether the node is master - - name: scheduling - type: group - fields: - - name: e2e.duration.us.bucket.* - type: object - description: End to end scheduling duration microseconds - - name: e2e.duration.us.sum - type: long - unit: micros - metric_type: counter - description: End to end scheduling duration microseconds sum - - name: e2e.duration.us.count - type: long - unit: micros - metric_type: counter - description: End to end scheduling count - - name: pod.preemption.victims.bucket.* - type: long - description: Pod preemption victims - - name: pod.preemption.victims.sum - type: long - metric_type: counter - description: Pod preemption victims sum - - name: pod.preemption.victims.count - type: long - metric_type: counter - description: Pod preemption victims count - - name: pod.attempts.count - type: long - metric_type: counter - description: Pod attempts count - - name: duration.seconds.percentile.* - type: object - description: Scheduling duration percentiles - - name: duration.seconds.sum - type: double - metric_type: counter - description: Scheduling duration cumulative sum - - name: duration.seconds.count - type: long - metric_type: counter - description: Scheduling count 
diff --git a/packages/kubernetes/data_stream/state_container/fields/fields.yml b/packages/kubernetes/data_stream/state_container/fields/fields.yml deleted file mode 100644 index 858f894d188..00000000000 --- a/packages/kubernetes/data_stream/state_container/fields/fields.yml +++ /dev/null @@ -1,66 +0,0 @@ -- name: kubernetes.container - type: group - fields: - - name: id - type: keyword - description: Container id - - name: status - type: group - fields: - - name: phase - type: keyword - description: | - Container phase (running, waiting, terminated) - - name: ready - type: boolean - description: | - Container ready status - - name: restarts - type: integer - metric_type: counter - description: | - Container restarts count - - name: reason - type: keyword - description: | - Waiting (ContainerCreating, CrashLoopBackoff, ErrImagePull, ImagePullBackoff) or termination (Completed, ContainerCannotRun, Error, OOMKilled) reason. - - name: cpu - type: group - fields: - - name: limit.cores - type: float - metric_type: gauge - description: | - Container CPU cores limit - - name: request.cores - type: float - metric_type: gauge - description: | - Container CPU requested cores - - name: limit.nanocores - type: long - metric_type: gauge - description: | - Container CPU nanocores limit - - name: request.nanocores - type: long - metric_type: gauge - description: | - Container CPU requested nanocores - - name: memory - type: group - fields: - - name: limit.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Container memory limit in bytes - - name: request.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Container requested memory in bytes diff --git a/packages/kubernetes/data_stream/state_cronjob/fields/fields.yml b/packages/kubernetes/data_stream/state_cronjob/fields/fields.yml deleted file mode 100644 index acf6803436d..00000000000 
--- a/packages/kubernetes/data_stream/state_cronjob/fields/fields.yml +++ /dev/null @@ -1,42 +0,0 @@ -- name: kubernetes.cronjob - type: group - fields: - - name: name - dimension: true - type: keyword - description: Cronjob name - - name: schedule - dimension: true - type: keyword - description: Cronjob schedule - - name: concurrency - dimension: true - type: keyword - description: Concurrency policy - - name: active.count - type: long - metric_type: gauge - description: Number of active pods for the cronjob - - name: is_suspended - type: boolean - description: Whether the cronjob is suspended - - name: created.sec - type: double - unit: s - metric_type: gauge - description: Epoch seconds since the cronjob was created - - name: last_schedule.sec - type: double - unit: s - metric_type: gauge - description: Epoch seconds for last cronjob run - - name: next_schedule.sec - type: double - unit: s - metric_type: gauge - description: Epoch seconds for next cronjob run - - name: deadline.sec - type: long - unit: s - metric_type: gauge - description: Deadline seconds after schedule for considering failed diff --git a/packages/kubernetes/data_stream/state_daemonset/fields/fields.yml b/packages/kubernetes/data_stream/state_daemonset/fields/fields.yml deleted file mode 100644 index c763091832c..00000000000 --- a/packages/kubernetes/data_stream/state_daemonset/fields/fields.yml +++ /dev/null 
@@ -1,31 +0,0 @@ -- name: kubernetes.daemonset - type: group - fields: - - name: name - dimension: true - type: keyword - - name: replicas - type: group - description: | - Kubernetes DaemonSet replica metrics - fields: - - name: available - type: long - metric_type: gauge - description: | - The number of available replicas per DaemonSet - - name: desired - type: long - metric_type: gauge - description: | - The desired number of replicas per DaemonSet - - name: ready - type: long - metric_type: gauge - description: | - The number of ready replicas per DaemonSet - - name: unavailable - type: long - metric_type: gauge - description: | - The number of unavailable replicas per DaemonSet diff --git a/packages/kubernetes/data_stream/state_deployment/fields/fields.yml b/packages/kubernetes/data_stream/state_deployment/fields/fields.yml deleted file mode 100644 index 51b6abb87e7..00000000000 --- a/packages/kubernetes/data_stream/state_deployment/fields/fields.yml +++ /dev/null @@ -1,30 +0,0 @@ -- name: kubernetes.deployment - type: group - fields: - - name: paused - type: boolean - description: | - Kubernetes deployment paused status - - name: replicas - type: group - fields: - - name: desired - type: integer - metric_type: gauge - description: | - Deployment number of desired replicas (spec) - - name: available - type: integer - metric_type: gauge - description: | - Deployment available replicas - - name: unavailable - type: integer - metric_type: gauge - description: | - Deployment unavailable replicas - - name: updated - type: integer - metric_type: gauge - description: | - Deployment updated replicas diff --git a/packages/kubernetes/data_stream/state_job/fields/fields.yml b/packages/kubernetes/data_stream/state_job/fields/fields.yml deleted file mode 100644 index dd96148faec..00000000000 --- a/packages/kubernetes/data_stream/state_job/fields/fields.yml +++ /dev/null 
@@ -1,76 +0,0 @@ -- name: kubernetes.job - type: group - fields: - - name: name - dimension: true - type: keyword - description: > - The name of the job resource - - - name: pods - type: group - description: > - Pod metrics for the job - - fields: - - name: active - type: long - metric_type: gauge - description: Number of active pods - - name: failed - type: long - metric_type: gauge - description: Number of failed pods - - name: succeeded - type: long - metric_type: gauge - description: Number of successful pods - - name: time - type: group - description: Kubernetes job timestamps - fields: - - name: created - type: date - description: The time at which the job was created - - name: completed - type: date - description: The time at which the job completed - - name: completions - type: group - description: Kubernetes job completion settings - fields: - - name: desired - type: long - metric_type: gauge - description: The configured completion count for the job (Spec) - - name: parallelism - type: group - description: Kubernetes job parallelism settings - fields: - - name: desired - type: long - metric_type: gauge - description: The configured parallelism of the job (Spec) - - name: owner - type: group - description: Kubernetes job owner information - fields: - - name: name - type: keyword - description: The name of the resource that owns this job - - name: kind - type: keyword - description: The kind of resource that owns this job (eg. "CronJob") - - name: is_controller - type: keyword - description: Owner is controller ("true", "false", or `""`) - - name: status - type: group - description: Kubernetes job status information - fields: - - name: complete - type: keyword - description: Whether the job completed ("true", "false", or "unknown") - - name: failed - type: keyword - description: Whether the job failed ("true", "false", or "unknown") 
diff --git a/packages/kubernetes/data_stream/state_node/fields/fields.yml b/packages/kubernetes/data_stream/state_node/fields/fields.yml deleted file mode 100644 index c1eb2152441..00000000000 --- a/packages/kubernetes/data_stream/state_node/fields/fields.yml +++ /dev/null @@ -1,69 +0,0 @@ -- name: kubernetes.node - type: group - fields: - - name: status - type: group - fields: - - name: ready - type: keyword - description: | - Node ready status (true, false or unknown) - - name: unschedulable - type: boolean - description: | - Node unschedulable status - - name: disk_pressure - type: keyword - description: Node DiskPressure status (true, false or unknown) - - name: memory_pressure - type: keyword - description: Node MemoryPressure status (true, false or unknown) - - name: out_of_disk - type: keyword - description: Node OutOfDisk status (true, false or unknown) - - name: pid_pressure - type: keyword - description: Node PIDPressure status (true, false or unknown) - - name: cpu - type: group - fields: - - name: allocatable.cores - type: float - metric_type: gauge - description: | - Node CPU allocatable cores - - name: capacity.cores - type: long - metric_type: gauge - description: | - Node CPU capacity cores - - name: memory - type: group - fields: - - name: allocatable.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Node allocatable memory in bytes - - name: capacity.bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Node memory capacity in bytes - - name: pod - type: group - fields: - - name: allocatable.total - type: long - metric_type: gauge - description: | - Node allocatable pods - - name: capacity.total - type: long - metric_type: gauge - description: | - Node pod capacity 
diff --git a/packages/kubernetes/data_stream/state_persistentvolume/fields/fields.yml b/packages/kubernetes/data_stream/state_persistentvolume/fields/fields.yml deleted file mode 100644 index e441ac8f9c4..00000000000 --- a/packages/kubernetes/data_stream/state_persistentvolume/fields/fields.yml +++ /dev/null @@ -1,18 +0,0 @@ -- name: kubernetes.persistentvolume - type: group - fields: - - name: name - dimension: true - type: keyword - description: Volume name. - - name: capacity.bytes - type: long - unit: byte - metric_type: gauge - description: Volume capacity - - name: phase - type: keyword - description: Volume phase according to kubernetes - - name: storage_class - type: keyword - description: Storage class for the volume diff --git a/packages/kubernetes/data_stream/state_persistentvolumeclaim/fields/fields.yml b/packages/kubernetes/data_stream/state_persistentvolumeclaim/fields/fields.yml deleted file mode 100644 index 6f11ce66b78..00000000000 --- a/packages/kubernetes/data_stream/state_persistentvolumeclaim/fields/fields.yml +++ /dev/null @@ -1,24 +0,0 @@ -- name: kubernetes.persistentvolumeclaim - type: group - fields: - - name: name - dimension: true - type: keyword - description: PVC name. - - name: volume_name - type: keyword - description: Binded volume name. - - name: request_storage.bytes - type: long - unit: byte - metric_type: gauge - description: Requested capacity. - - name: phase - type: keyword - description: PVC phase. - - name: access_mode - type: keyword - description: Access mode. - - name: storage_class - type: keyword - description: Storage class for the PVC. diff --git a/packages/kubernetes/data_stream/state_pod/fields/fields.yml b/packages/kubernetes/data_stream/state_pod/fields/fields.yml deleted file mode 100644 index 67d4cb4b223..00000000000 --- a/packages/kubernetes/data_stream/state_pod/fields/fields.yml +++ /dev/null 
@@ -1,26 +0,0 @@ -- name: kubernetes.pod - type: group - fields: - - name: ip - type: ip - description: | - Kubernetes pod IP - - name: host_ip - type: ip - description: | - Kubernetes pod host IP - - name: status - type: group - fields: - - name: phase - type: keyword - description: | - Kubernetes pod phase (Running, Pending...) - - name: ready - type: keyword - description: | - Kubernetes pod ready status (true, false or unknown) - - name: scheduled - type: keyword - description: | - Kubernetes pod scheduled status (true, false, unknown) diff --git a/packages/kubernetes/data_stream/state_replicaset/fields/fields.yml b/packages/kubernetes/data_stream/state_replicaset/fields/fields.yml deleted file mode 100644 index 40928a77137..00000000000 --- a/packages/kubernetes/data_stream/state_replicaset/fields/fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: kubernetes.replicaset - type: group - fields: - - name: replicas - type: group - fields: - - name: available - type: long - metric_type: gauge - description: | - The number of replicas per ReplicaSet - - name: desired - type: long - metric_type: gauge - description: | - The number of replicas per ReplicaSet - - name: ready - type: long - metric_type: gauge - description: | - The number of ready replicas per ReplicaSet - - name: observed - type: long - metric_type: gauge - description: | - The generation observed by the ReplicaSet controller - - name: labeled - type: long - metric_type: gauge - description: | - The number of fully labeled replicas per ReplicaSet diff --git a/packages/kubernetes/data_stream/state_resourcequota/fields/fields.yml b/packages/kubernetes/data_stream/state_resourcequota/fields/fields.yml deleted file mode 100644 index 530619270cf..00000000000 --- a/packages/kubernetes/data_stream/state_resourcequota/fields/fields.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -- name: kubernetes.resourcequota - type: group - fields: - - name: created.sec - type: double - unit: s - metric_type: gauge - description: Epoch seconds since the ResourceQuota was created - - name: quota - type: double - metric_type: gauge - description: Quota informed (hard or used) for the resource - - name: name - dimension: true - type: keyword - description: ResourceQuota name - - name: type - dimension: true - type: keyword - description: Quota information type, `hard` or `used` - - name: resource - dimension: true - type: keyword - description: Resource name the quota applies to diff --git a/packages/kubernetes/data_stream/state_service/fields/fields.yml b/packages/kubernetes/data_stream/state_service/fields/fields.yml deleted file mode 100644 index 0bec4028605..00000000000 --- a/packages/kubernetes/data_stream/state_service/fields/fields.yml +++ /dev/null @@ -1,31 +0,0 @@ -- name: kubernetes.service - type: group - fields: - - name: name - dimension: true - type: keyword - description: Service name. - - name: cluster_ip - type: keyword - description: Internal IP for the service. - - name: external_name - type: keyword - description: Service external DNS name - - name: external_ip - type: keyword - description: Service external IP - - name: load_balancer_ip - type: keyword - description: Load Balancer service IP - - name: type - type: keyword - description: Service type - - name: ingress_ip - type: keyword - description: Ingress IP - - name: ingress_hostname - type: keyword - description: Ingress Hostname - - name: created - type: date - description: Service creation date diff --git a/packages/kubernetes/data_stream/state_statefulset/fields/fields.yml b/packages/kubernetes/data_stream/state_statefulset/fields/fields.yml deleted file mode 100644 index e28adddcaa9..00000000000 --- a/packages/kubernetes/data_stream/state_statefulset/fields/fields.yml +++ /dev/null 
@@ -1,40 +0,0 @@ -- name: kubernetes.statefulset - type: group - fields: - - name: created - type: long - metric_type: gauge - description: | - The creation timestamp (epoch) for StatefulSet - - name: replicas - type: group - fields: - - name: observed - type: long - metric_type: gauge - description: | - The number of observed replicas per StatefulSet - - name: desired - type: long - metric_type: gauge - description: | - The number of desired replicas per StatefulSet - - name: ready - type: long - metric_type: gauge - description: > - The number of ready replicas per StatefulSet - - - name: generation - type: group - fields: - - name: observed - type: long - metric_type: gauge - description: | - The observed generation per StatefulSet - - name: desired - type: long - metric_type: gauge - description: | - The desired generation per StatefulSet diff --git a/packages/kubernetes/data_stream/state_storageclass/fields/fields.yml b/packages/kubernetes/data_stream/state_storageclass/fields/fields.yml deleted file mode 100644 index 6a0d31a6274..00000000000 --- a/packages/kubernetes/data_stream/state_storageclass/fields/fields.yml +++ /dev/null @@ -1,19 +0,0 @@ -- name: kubernetes.storageclass - type: group - fields: - - name: name - dimension: true - type: keyword - description: Storage class name. - - name: provisioner - type: keyword - description: Volume provisioner for the storage class. - - name: reclaim_policy - type: keyword - description: Reclaim policy for dynamically created volumes - - name: volume_binding_mode - type: keyword - description: Mode for default provisioning and binding - - name: created - type: date - description: Storage class creation date diff --git a/packages/kubernetes/data_stream/system/fields/fields.yml b/packages/kubernetes/data_stream/system/fields/fields.yml deleted file mode 100644 index 65fc48d0dd2..00000000000 --- a/packages/kubernetes/data_stream/system/fields/fields.yml +++ /dev/null 
@@ -1,74 +0,0 @@ -- name: kubernetes.system - type: group - fields: - - name: container - dimension: true - type: keyword - description: | - Container name - - name: start_time - type: date - description: | - Start time - - name: cpu - type: group - fields: - - name: usage - type: group - fields: - - name: core - type: group - fields: - - name: ns - type: long - metric_type: gauge - description: | - CPU Core usage nanoseconds - - name: nanocores - type: long - metric_type: gauge - description: | - CPU used nanocores - - name: memory - type: group - fields: - - name: usage - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Total memory usage - - name: rss - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - RSS memory usage - - name: workingset - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Working set memory usage - - name: pagefaults - type: long - metric_type: counter - description: | - Number of page faults - - name: majorpagefaults - type: long - metric_type: counter - description: | - Number of major page faults diff --git a/packages/kubernetes/data_stream/volume/fields/fields.yml b/packages/kubernetes/data_stream/volume/fields/fields.yml deleted file mode 100644 index 8ccb8574c47..00000000000 --- a/packages/kubernetes/data_stream/volume/fields/fields.yml +++ /dev/null 
@@ -1,73 +0,0 @@ -- name: kubernetes.volume - type: group - fields: - - name: name - dimension: true - type: keyword - description: | - Volume name - - name: fs - type: group - fields: - - name: capacity - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Filesystem total capacity in bytes - - name: available - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Filesystem total available in bytes - - name: used - type: group - fields: - - name: bytes - type: long - format: bytes - unit: byte - metric_type: gauge - description: | - Filesystem total used in bytes - - name: pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - Percentage of filesystem total used - - name: inodes - type: group - fields: - - name: used - type: long - metric_type: gauge - description: | - Used inodes - - name: pct - type: scaled_float - format: percent - unit: percent - metric_type: gauge - description: | - Percentage of used inodes - - name: free - type: long - metric_type: gauge - description: | - Free inodes - - name: count - type: long - metric_type: gauge - description: | - Total inodes diff --git a/packages/kubernetes/docs/events.md b/packages/kubernetes/docs/events.md index 384b4c2e9cd..6ef736dded6 100644 --- a/packages/kubernetes/docs/events.md +++ b/packages/kubernetes/docs/events.md 
@@ -96,77 +96,57 @@ An example event for `event` looks as following: **Exported fields** -| Field | Description | Type | Metric Type | -|---|---|---|---| -| @timestamp | Event timestamp. | date | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | -| cloud.instance.name | Instance name of the host machine. | keyword | | -| cloud.machine.type | Machine type of the host machine. | keyword | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | -| cloud.region | Region in which this host is running. | keyword | | -| container.id | Unique container id. | keyword | | -| container.image.name | Name of the image the container was built on. | keyword | | -| container.labels | Image labels. | object | | -| container.name | Container name. | keyword | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | -| data_stream.type | Data stream type. | constant_keyword | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | -| host.architecture | Operating system architecture. | keyword | | -| host.containerized | If the host is a container. | boolean | | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | -| host.ip | Host ip addresses. | ip | | -| host.mac | Host mac addresses. | keyword | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | -| host.os.build | OS build information. | keyword | | -| host.os.codename | OS codename, if any. | keyword | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | -| host.os.name | Operating system name, without the version. | keyword | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | -| host.os.version | Operating system version as a raw string. | keyword | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | -| kubernetes.annotations.\* | Kubernetes annotations map | object | | -| kubernetes.container.image | Kubernetes container image | keyword | | -| kubernetes.container.name | Kubernetes container name | keyword | | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | | -| kubernetes.event.count | Count field records the number of times the particular event has occurred | long | counter | -| kubernetes.event.involved_object.api_version | API version of the object | keyword | | -| kubernetes.event.involved_object.kind | API kind of the object | keyword | | -| kubernetes.event.involved_object.name | name of the object | keyword | | -| kubernetes.event.involved_object.resource_version | resource version of the object | keyword | | -| kubernetes.event.involved_object.uid | uid version of the object | keyword | | -| kubernetes.event.message | Message recorded for the given event | text | | -| kubernetes.event.metadata.generate_name | Generate name of the event | keyword | | -| kubernetes.event.metadata.name | Name of the event | keyword | | -| kubernetes.event.metadata.namespace | Namespace in which event was generated | keyword | | -| kubernetes.event.metadata.resource_version | Version of the event resource | keyword | | -| kubernetes.event.metadata.self_link | URL representing the event | keyword | | -| kubernetes.event.metadata.timestamp.created | Timestamp of creation of the given event | date | | -| kubernetes.event.metadata.uid | Unique identifier to the event object | keyword | | -| kubernetes.event.reason | Reason recorded for the given event | keyword | | -| kubernetes.event.source.component | Component from which the event is generated | keyword | | -| kubernetes.event.source.host | Node name on which the event is generated | keyword | | -| kubernetes.event.timestamp.first_occurrence | Timestamp of first occurrence of event | date | | -| kubernetes.event.timestamp.last_occurrence | Timestamp of last occurrence of event | date | 
| -| kubernetes.event.type | Type of the given event | keyword | | -| kubernetes.labels.\* | Kubernetes labels map | object | | -| kubernetes.namespace | Kubernetes namespace | keyword | | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | -| kubernetes.node.name | Kubernetes node name | keyword | | -| kubernetes.pod.ip | Kubernetes pod IP | ip | | -| kubernetes.pod.name | Kubernetes pod name | keyword | | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | -| orchestrator.cluster.name | Name of the cluster. | keyword | | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. 
| keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). 
| keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| kubernetes.annotations.\* | Kubernetes annotations map | object | +| kubernetes.container.image | Kubernetes container image | keyword | +| kubernetes.container.name | Kubernetes container name | keyword | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | +| kubernetes.labels.\* | Kubernetes labels map | object | +| kubernetes.namespace | Kubernetes namespace | keyword | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | +| kubernetes.node.name | Kubernetes node name | keyword | +| kubernetes.pod.ip | Kubernetes pod IP | ip | +| kubernetes.pod.name | Kubernetes pod name | keyword | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | +| orchestrator.cluster.name | Name of the cluster. | keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | 
diff --git a/packages/kubernetes/docs/kube-controller-manager.md b/packages/kubernetes/docs/kube-controller-manager.md index ae019f99c74..7032c890bb0 100644 --- a/packages/kubernetes/docs/kube-controller-manager.md +++ b/packages/kubernetes/docs/kube-controller-manager.md 
@@ -107,90 +107,58 @@ An example event for `controllermanager` looks as following:
 **Exported fields**
-| Field | Description | Type | Unit | Metric Type |
-|---|---|---|---|---|
-| @timestamp | Event timestamp. | date | | |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword | | |
-| cloud.image.id | Image ID for the cloud instance. | keyword | | |
-| cloud.instance.id | Instance ID of the host machine. | keyword | | |
-| cloud.instance.name | Instance name of the host machine. | keyword | | |
-| cloud.machine.type | Machine type of the host machine. | keyword | | |
-| cloud.project.id | Name of the project in Google Cloud. | keyword | | |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
-| cloud.region | Region in which this host is running. | keyword | | |
-| container.id | Unique container id. | keyword | | |
-| container.image.name | Name of the image the container was built on. | keyword | | |
-| container.labels | Image labels. | object | | |
-| container.name | Container name. | keyword | | |
-| data_stream.dataset | Data stream dataset. | constant_keyword | | |
-| data_stream.namespace | Data stream namespace. | constant_keyword | | |
-| data_stream.type | Data stream type. | constant_keyword | | |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
-| host.architecture | Operating system architecture. | keyword | | |
-| host.containerized | If the host is a container. | boolean | | |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
-| host.ip | Host ip addresses. | ip | | |
-| host.mac | Host mac addresses. | keyword | | |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
-| host.os.build | OS build information. | keyword | | |
-| host.os.codename | OS codename, if any. | keyword | | |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
-| host.os.name | Operating system name, without the version. | keyword | | |
-| host.os.name.text | Multi-field of `host.os.name`. | text | | |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
-| host.os.version | Operating system version as a raw string. | keyword | | |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
-| kubernetes.annotations.\* | Kubernetes annotations map | object | | |
-| kubernetes.container.image | Kubernetes container image | keyword | | |
-| kubernetes.container.name | Kubernetes container name | keyword | | |
-| kubernetes.controllermanager.client.request.count | Number of requests as client | long | | counter |
-| kubernetes.controllermanager.code | HTTP code | keyword | | |
-| kubernetes.controllermanager.handler | Request handler | keyword | | |
-| kubernetes.controllermanager.host | Request host | keyword | | |
-| kubernetes.controllermanager.http.request.count | Request count for response | long | | counter |
-| kubernetes.controllermanager.http.request.duration.us.count | Request count for duration | long | micros | counter |
-| kubernetes.controllermanager.http.request.duration.us.percentile.\* | Request duration microseconds percentiles | object | | |
-| kubernetes.controllermanager.http.request.duration.us.sum | Request duration microseconds cumulative sum | double | micros | counter |
-| kubernetes.controllermanager.http.request.size.bytes.count | Request count for size | long | byte | counter |
-| kubernetes.controllermanager.http.request.size.bytes.percentile.\* | Request size percentiles | object | | |
-| kubernetes.controllermanager.http.request.size.bytes.sum | Request size cumulative sum | long | byte | counter |
-| kubernetes.controllermanager.http.response.size.bytes.count | Response count | long | byte | counter |
-| kubernetes.controllermanager.http.response.size.bytes.percentile.\* | Response size percentiles | object | | |
-| kubernetes.controllermanager.http.response.size.bytes.sum | Response size cumulative sum | long | byte | counter |
-| kubernetes.controllermanager.leader.is_master | Whether the node is master | boolean | | |
-| kubernetes.controllermanager.method | HTTP method | keyword | | |
-| kubernetes.controllermanager.name | Name for the resource | keyword | | |
-| kubernetes.controllermanager.node.collector.count | Number of nodes | long | | gauge |
-| kubernetes.controllermanager.node.collector.eviction.count | Number of node evictions | long | | counter |
-| kubernetes.controllermanager.node.collector.health.pct | Percentage of healthy nodes | long | | gauge |
-| kubernetes.controllermanager.node.collector.unhealthy.count | Number of unhealthy nodes | long | | gauge |
-| kubernetes.controllermanager.process.cpu.sec | CPU seconds | double | | counter |
-| kubernetes.controllermanager.process.fds.open.count | Number of open file descriptors | long | | gauge |
-| kubernetes.controllermanager.process.memory.resident.bytes | Bytes in resident memory | long | byte | gauge |
-| kubernetes.controllermanager.process.memory.virtual.bytes | Bytes in virtual memory | long | byte | gauge |
-| kubernetes.controllermanager.process.started.sec | Seconds since the process started | double | | gauge |
-| kubernetes.controllermanager.workqueue.adds.count | Workqueue add count | long | | counter |
-| kubernetes.controllermanager.workqueue.depth.count | Workqueue depth count | long | | gauge |
-| kubernetes.controllermanager.workqueue.longestrunning.sec | Longest running processors | double | | gauge |
-| kubernetes.controllermanager.workqueue.retries.count | Workqueue number of retries | long | | counter |
-| kubernetes.controllermanager.workqueue.unfinished.sec | Unfinished processors | double | | gauge |
-| kubernetes.controllermanager.zone | Infrastructure zone | keyword | | |
-| kubernetes.deployment.name | Kubernetes deployment name | keyword | | |
-| kubernetes.labels.\* | Kubernetes labels map | object | | |
-| kubernetes.namespace | Kubernetes namespace | keyword | | |
-| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | |
-| kubernetes.node.name | Kubernetes node name | keyword | | |
-| kubernetes.pod.ip | Kubernetes pod IP | ip | | |
-| kubernetes.pod.name | Kubernetes pod name | keyword | | |
-| kubernetes.pod.uid | Kubernetes pod UID | keyword | | |
-| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | |
-| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | |
-| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | |
-| orchestrator.cluster.name | Name of the cluster. | keyword | | |
-| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | |
-| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| kubernetes.annotations.\* | Kubernetes annotations map | object |
+| kubernetes.container.image | Kubernetes container image | keyword |
+| kubernetes.container.name | Kubernetes container name | keyword |
+| kubernetes.deployment.name | Kubernetes deployment name | keyword |
+| kubernetes.labels.\* | Kubernetes labels map | object |
+| kubernetes.namespace | Kubernetes namespace | keyword |
+| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword |
+| kubernetes.node.name | Kubernetes node name | keyword |
+| kubernetes.pod.ip | Kubernetes pod IP | ip |
+| kubernetes.pod.name | Kubernetes pod name | keyword |
+| kubernetes.pod.uid | Kubernetes pod UID | keyword |
+| kubernetes.replicaset.name | Kubernetes replicaset name | keyword |
+| kubernetes.selectors.\* | Kubernetes Service selectors map | object |
+| kubernetes.statefulset.name | Kubernetes statefulset name | keyword |
+| orchestrator.cluster.name | Name of the cluster. | keyword |
+| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword |
+| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/kubernetes/docs/kube-scheduler.md b/packages/kubernetes/docs/kube-scheduler.md
index 596ab5dfc34..a9f57a079cd 100644
--- a/packages/kubernetes/docs/kube-scheduler.md
+++ b/packages/kubernetes/docs/kube-scheduler.md
@@ -93,92 +93,58 @@ An example event for `scheduler` looks as following:
 **Exported fields**
-| Field | Description | Type | Unit | Metric Type |
-|---|---|---|---|---|
-| @timestamp | Event timestamp. | date | | |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword | | |
-| cloud.image.id | Image ID for the cloud instance. | keyword | | |
-| cloud.instance.id | Instance ID of the host machine. | keyword | | |
-| cloud.instance.name | Instance name of the host machine. | keyword | | |
-| cloud.machine.type | Machine type of the host machine. | keyword | | |
-| cloud.project.id | Name of the project in Google Cloud. | keyword | | |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
-| cloud.region | Region in which this host is running. | keyword | | |
-| container.id | Unique container id. | keyword | | |
-| container.image.name | Name of the image the container was built on. | keyword | | |
-| container.labels | Image labels. | object | | |
-| container.name | Container name. | keyword | | |
-| data_stream.dataset | Data stream dataset. | constant_keyword | | |
-| data_stream.namespace | Data stream namespace. | constant_keyword | | |
-| data_stream.type | Data stream type. | constant_keyword | | |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
-| host.architecture | Operating system architecture. | keyword | | |
-| host.containerized | If the host is a container. | boolean | | |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
-| host.ip | Host ip addresses. | ip | | |
-| host.mac | Host mac addresses. | keyword | | |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
-| host.os.build | OS build information. | keyword | | |
-| host.os.codename | OS codename, if any. | keyword | | |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
-| host.os.name | Operating system name, without the version. | keyword | | |
-| host.os.name.text | Multi-field of `host.os.name`. | text | | |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
-| host.os.version | Operating system version as a raw string. | keyword | | |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
-| kubernetes.annotations.\* | Kubernetes annotations map | object | | |
-| kubernetes.container.image | Kubernetes container image | keyword | | |
-| kubernetes.container.name | Kubernetes container name | keyword | | |
-| kubernetes.deployment.name | Kubernetes deployment name | keyword | | |
-| kubernetes.labels.\* | Kubernetes labels map | object | | |
-| kubernetes.namespace | Kubernetes namespace | keyword | | |
-| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | |
-| kubernetes.node.name | Kubernetes node name | keyword | | |
-| kubernetes.pod.ip | Kubernetes pod IP | ip | | |
-| kubernetes.pod.name | Kubernetes pod name | keyword | | |
-| kubernetes.pod.uid | Kubernetes pod UID | keyword | | |
-| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | |
-| kubernetes.scheduler.client.request.count | Number of requests as client | long | | counter |
-| kubernetes.scheduler.code | HTTP code | keyword | | |
-| kubernetes.scheduler.handler | Request handler | keyword | | |
-| kubernetes.scheduler.host | Request host | keyword | | |
-| kubernetes.scheduler.http.request.count | Request count | long | | counter |
-| kubernetes.scheduler.http.request.duration.us.count | Request count for duration | long | micros | counter |
-| kubernetes.scheduler.http.request.duration.us.percentile.\* | Request duration microseconds percentiles | object | | |
-| kubernetes.scheduler.http.request.duration.us.sum | Request duration microseconds cumulative sum | double | micros | counter |
-| kubernetes.scheduler.http.request.size.bytes.count | Request count for size | long | byte | counter |
-| kubernetes.scheduler.http.request.size.bytes.percentile.\* | Request size percentiles | object | | |
-| kubernetes.scheduler.http.request.size.bytes.sum | Request size cumulative sum | long | byte | counter |
-| kubernetes.scheduler.http.response.size.bytes.count | Response count | long | | counter |
-| kubernetes.scheduler.http.response.size.bytes.percentile.\* | Response size percentiles | object | | |
-| kubernetes.scheduler.http.response.size.bytes.sum | Response size cumulative sum | long | byte | counter |
-| kubernetes.scheduler.leader.is_master | Whether the node is master | boolean | | |
-| kubernetes.scheduler.method | HTTP method | keyword | | |
-| kubernetes.scheduler.name | Name for the resource | keyword | | |
-| kubernetes.scheduler.operation | Scheduling operation | keyword | | |
-| kubernetes.scheduler.process.cpu.sec | CPU seconds | double | | counter |
-| kubernetes.scheduler.process.fds.open.count | Number of open file descriptors | long | | gauge |
-| kubernetes.scheduler.process.memory.resident.bytes | Bytes in resident memory | long | byte | gauge |
-| kubernetes.scheduler.process.memory.virtual.bytes | Bytes in virtual memory | long | byte | gauge |
-| kubernetes.scheduler.process.started.sec | Seconds since the process started | double | | gauge |
-| kubernetes.scheduler.result | Schedule attempt result | keyword | | |
-| kubernetes.scheduler.scheduling.duration.seconds.count | Scheduling count | long | | counter |
-| kubernetes.scheduler.scheduling.duration.seconds.percentile.\* | Scheduling duration percentiles | object | | |
-| kubernetes.scheduler.scheduling.duration.seconds.sum | Scheduling duration cumulative sum | double | | counter |
-| kubernetes.scheduler.scheduling.e2e.duration.us.bucket.\* | End to end scheduling duration microseconds | object | | |
-| kubernetes.scheduler.scheduling.e2e.duration.us.count | End to end scheduling count | long | micros | counter |
-| kubernetes.scheduler.scheduling.e2e.duration.us.sum | End to end scheduling duration microseconds sum | long | micros | counter |
-| kubernetes.scheduler.scheduling.pod.attempts.count | Pod attempts count | long | | counter |
-| kubernetes.scheduler.scheduling.pod.preemption.victims.bucket.\* | Pod preemption victims | long | | |
-| kubernetes.scheduler.scheduling.pod.preemption.victims.count | Pod preemption victims count | long | | counter |
-| kubernetes.scheduler.scheduling.pod.preemption.victims.sum | Pod preemption victims sum | long | | counter |
-| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | |
-| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | |
-| orchestrator.cluster.name | Name of the cluster. | keyword | | |
-| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | |
-| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. | keyword |
+| data_stream.dataset | Data stream dataset. | constant_keyword |
+| data_stream.namespace | Data stream namespace. | constant_keyword |
+| data_stream.type | Data stream type. | constant_keyword |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
+| host.ip | Host ip addresses. | ip |
+| host.mac | Host mac addresses. | keyword |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword |
+| host.os.name | Operating system name, without the version. | keyword |
+| host.os.name.text | Multi-field of `host.os.name`. | text |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
+| host.os.version | Operating system version as a raw string. | keyword |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
+| kubernetes.annotations.\* | Kubernetes annotations map | object |
+| kubernetes.container.image | Kubernetes container image | keyword |
+| kubernetes.container.name | Kubernetes container name | keyword |
+| kubernetes.deployment.name | Kubernetes deployment name | keyword |
+| kubernetes.labels.\* | Kubernetes labels map | object |
+| kubernetes.namespace | Kubernetes namespace | keyword |
+| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword |
+| kubernetes.node.name | Kubernetes node name | keyword |
+| kubernetes.pod.ip | Kubernetes pod IP | ip |
+| kubernetes.pod.name | Kubernetes pod name | keyword |
+| kubernetes.pod.uid | Kubernetes pod UID | keyword |
+| kubernetes.replicaset.name | Kubernetes replicaset name | keyword |
+| kubernetes.selectors.\* | Kubernetes Service selectors map | object |
+| kubernetes.statefulset.name | Kubernetes statefulset name | keyword |
+| orchestrator.cluster.name | Name of the cluster. | keyword |
+| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword |
+| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/kubernetes/docs/kube-state-metrics.md b/packages/kubernetes/docs/kube-state-metrics.md
index ac299b3eee9..43e5d5f3d4e 100644
--- a/packages/kubernetes/docs/kube-state-metrics.md
+++ b/packages/kubernetes/docs/kube-state-metrics.md
@@ -150,82 +150,71 @@ An example event for `state_container` looks as following: **Exported fields** -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | | -| cloud.instance.name | Instance name of the host machine. | keyword | | | -| cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | -| container.id | Unique container id. | keyword | | | -| container.image.name | Name of the image the container was built on. | keyword | | | -| container.labels | Image labels. | object | | | -| container.name | Container name. | keyword | | | -| container.runtime | Runtime managing this container. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| host.architecture | Operating system architecture. 
| keyword | | | -| host.containerized | If the host is a container. | boolean | | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | -| kubernetes.annotations.\* | Kubernetes annotations map | object | | | -| kubernetes.container.cpu.limit.cores | Container CPU cores limit | float | | gauge | -| kubernetes.container.cpu.limit.nanocores | Container CPU nanocores limit | long | | gauge | -| kubernetes.container.cpu.request.cores | Container CPU requested cores | float | | gauge | -| kubernetes.container.cpu.request.nanocores | Container CPU requested nanocores | long | | gauge | -| kubernetes.container.id | Container id | keyword | | | -| kubernetes.container.image | Kubernetes container image | keyword | | | -| kubernetes.container.memory.limit.bytes | Container memory limit in bytes | long | byte | gauge | -| kubernetes.container.memory.request.bytes | Container requested memory in bytes | long | byte | gauge | -| kubernetes.container.name | Kubernetes container name | keyword | | | -| kubernetes.container.status.phase | Container phase (running, waiting, terminated) | keyword | | | -| kubernetes.container.status.ready | Container ready status | boolean | | | -| kubernetes.container.status.reason | Waiting (ContainerCreating, CrashLoopBackoff, ErrImagePull, ImagePullBackoff) or termination (Completed, ContainerCannotRun, Error, OOMKilled) reason. 
| keyword | | | -| kubernetes.container.status.restarts | Container restarts count | integer | | counter | -| kubernetes.cronjob.name | Name of the CronJob to which the Pod belongs | keyword | | | -| kubernetes.daemonset.name | Kubernetes daemonset name | keyword | | | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | | | -| kubernetes.job.name | Name of the Job to which the Pod belongs | keyword | | | -| kubernetes.labels.\* | Kubernetes labels map | object | | | -| kubernetes.namespace | Kubernetes namespace | keyword | | | -| kubernetes.namespace_annotations.\* | Kubernetes namespace annotations map | object | | | -| kubernetes.namespace_labels.\* | Kubernetes namespace labels map | object | | | -| kubernetes.namespace_uid | Kubernetes namespace UID | keyword | | | -| kubernetes.node.annotations.\* | Kubernetes node annotations map | object | | | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | | -| kubernetes.node.labels.\* | Kubernetes node labels map | object | | | -| kubernetes.node.name | Kubernetes node name | keyword | | | -| kubernetes.node.uid | Kubernetes node UID | keyword | | | -| kubernetes.pod.ip | Kubernetes pod IP | ip | | | -| kubernetes.pod.name | Kubernetes pod name | keyword | | | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | | | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | | -| orchestrator.cluster.name | Name of the cluster. | keyword | | | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | -| service.type | The type of the service data is collected from. 
The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | | +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| container.runtime | Runtime managing this container. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| host.architecture | Operating system architecture. 
| keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | +| kubernetes.annotations.\* | Kubernetes annotations map | object | +| kubernetes.container.image | Kubernetes container image | keyword | +| kubernetes.container.name | Kubernetes container name | keyword | +| kubernetes.cronjob.name | Name of the CronJob to which the Pod belongs | keyword | +| kubernetes.daemonset.name | Kubernetes daemonset name | keyword | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | +| kubernetes.job.name | Name of the Job to which the Pod belongs | keyword | +| kubernetes.labels.\* | Kubernetes labels map | object | +| kubernetes.namespace | Kubernetes namespace | keyword | +| kubernetes.namespace_annotations.\* | Kubernetes namespace annotations map | object | +| kubernetes.namespace_labels.\* | Kubernetes namespace labels map | object | +| kubernetes.namespace_uid | Kubernetes namespace UID | keyword | +| kubernetes.node.annotations.\* | Kubernetes node annotations map | object | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | +| kubernetes.node.labels.\* | Kubernetes node labels map | object | +| kubernetes.node.name | Kubernetes node name | keyword | +| kubernetes.node.uid | Kubernetes node UID | keyword | +| kubernetes.pod.ip | Kubernetes pod IP | ip | +| kubernetes.pod.name | Kubernetes pod name | keyword | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | +| orchestrator.cluster.name | Name of the cluster. | keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). 
| keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | ### state_cronjob 
@@ -306,70 +295,61 @@ An example event for `state_cronjob` looks as following: **Exported fields** -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | | -| cloud.instance.name | Instance name of the host machine. | keyword | | | -| cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | -| container.id | Unique container id. | keyword | | | -| container.image.name | Name of the image the container was built on. | keyword | | | -| container.labels | Image labels. | object | | | -| container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. 
| boolean | | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | -| kubernetes.annotations.\* | Kubernetes annotations map | object | | | -| kubernetes.container.image | Kubernetes container image | keyword | | | -| kubernetes.container.name | Kubernetes container name | keyword | | | -| kubernetes.cronjob.active.count | Number of active pods for the cronjob | long | | gauge | -| kubernetes.cronjob.concurrency | Concurrency policy | keyword | | | -| kubernetes.cronjob.created.sec | Epoch seconds since the cronjob was created | double | s | gauge | -| kubernetes.cronjob.deadline.sec | Deadline seconds after schedule for considering failed | long | s | gauge | -| kubernetes.cronjob.is_suspended | Whether the cronjob is suspended | boolean | | | -| kubernetes.cronjob.last_schedule.sec | Epoch seconds for last cronjob run | double | s | gauge | -| kubernetes.cronjob.name | Cronjob name | keyword | | | -| kubernetes.cronjob.next_schedule.sec | Epoch seconds for next cronjob run | double | s | gauge | -| kubernetes.cronjob.schedule | Cronjob schedule | keyword | | | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | | | -| kubernetes.labels.\* | Kubernetes labels map | object | | | -| kubernetes.namespace | Kubernetes namespace | keyword | | | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | | -| kubernetes.node.name | Kubernetes node name | keyword | | | -| kubernetes.pod.ip | Kubernetes pod IP | ip | | | -| kubernetes.pod.name | Kubernetes pod name | keyword | | | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | | | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | | -| orchestrator.cluster.name | Name of the cluster. | keyword | | | -| orchestrator.cluster.url | URL of the API used to manage the cluster. 
| keyword | | | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | | +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | +| kubernetes.annotations.\* | Kubernetes annotations map | object | +| kubernetes.container.image | Kubernetes container image | keyword | +| kubernetes.container.name | Kubernetes container name | keyword | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | +| kubernetes.labels.\* | Kubernetes labels map | object | +| kubernetes.namespace | Kubernetes namespace | keyword | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | +| kubernetes.node.name | Kubernetes node name | keyword | +| kubernetes.pod.ip | Kubernetes pod IP | ip | +| kubernetes.pod.name | Kubernetes pod name | keyword | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | +| orchestrator.cluster.name | Name of the cluster. | keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | ### state_daemonset 
@@ -446,66 +426,61 @@ An example event for `state_daemonset` looks as following: **Exported fields** -| Field | Description | Type | Metric Type | -|---|---|---|---| -| @timestamp | Event timestamp. | date | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | -| cloud.instance.name | Instance name of the host machine. | keyword | | -| cloud.machine.type | Machine type of the host machine. | keyword | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | -| cloud.region | Region in which this host is running. | keyword | | -| container.id | Unique container id. | keyword | | -| container.image.name | Name of the image the container was built on. | keyword | | -| container.labels | Image labels. | object | | -| container.name | Container name. | keyword | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | -| data_stream.type | Data stream type. | constant_keyword | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | -| host.architecture | Operating system architecture. | keyword | | -| host.containerized | If the host is a container. 
| boolean | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | -| host.ip | Host ip addresses. | ip | | -| host.mac | Host mac addresses. | keyword | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | -| host.os.build | OS build information. | keyword | | -| host.os.codename | OS codename, if any. | keyword | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | -| host.os.name | Operating system name, without the version. | keyword | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | -| host.os.version | Operating system version as a raw string. | keyword | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | -| kubernetes.annotations.\* | Kubernetes annotations map | object | | -| kubernetes.container.image | Kubernetes container image | keyword | | -| kubernetes.container.name | Kubernetes container name | keyword | | -| kubernetes.daemonset.name | | keyword | | -| kubernetes.daemonset.replicas.available | The number of available replicas per DaemonSet | long | gauge | -| kubernetes.daemonset.replicas.desired | The desired number of replicas per DaemonSet | long | gauge | -| kubernetes.daemonset.replicas.ready | The number of ready replicas per DaemonSet | long | gauge | -| kubernetes.daemonset.replicas.unavailable | The number of unavailable replicas per DaemonSet | long | gauge | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | | -| kubernetes.labels.\* | Kubernetes labels map | object | | -| kubernetes.namespace | Kubernetes namespace | keyword | | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | -| kubernetes.node.name | Kubernetes node name | keyword | | -| kubernetes.pod.ip | Kubernetes pod IP | ip | | -| kubernetes.pod.name | Kubernetes pod name | keyword | | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | -| orchestrator.cluster.name | Name of the cluster. | keyword | | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. 
Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | +| kubernetes.annotations.\* | Kubernetes annotations map | object | +| kubernetes.container.image | Kubernetes container image | keyword | +| kubernetes.container.name | Kubernetes container name | keyword | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | +| kubernetes.labels.\* | Kubernetes labels map | object | +| kubernetes.namespace | Kubernetes namespace | keyword | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | +| kubernetes.node.name | Kubernetes node name | keyword | +| kubernetes.pod.ip | Kubernetes pod IP | ip | +| kubernetes.pod.name | Kubernetes pod name | keyword | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | +| orchestrator.cluster.name | Name of the cluster. | keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | ### state_deployment 
@@ -583,66 +558,61 @@ An example event for `state_deployment` looks as following: **Exported fields** -| Field | Description | Type | Metric Type | -|---|---|---|---| -| @timestamp | Event timestamp. | date | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | -| cloud.instance.name | Instance name of the host machine. | keyword | | -| cloud.machine.type | Machine type of the host machine. | keyword | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | -| cloud.region | Region in which this host is running. | keyword | | -| container.id | Unique container id. | keyword | | -| container.image.name | Name of the image the container was built on. | keyword | | -| container.labels | Image labels. | object | | -| container.name | Container name. | keyword | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | -| data_stream.type | Data stream type. | constant_keyword | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | -| host.architecture | Operating system architecture. | keyword | | -| host.containerized | If the host is a container. 
| boolean | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | -| host.ip | Host ip addresses. | ip | | -| host.mac | Host mac addresses. | keyword | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | -| host.os.build | OS build information. | keyword | | -| host.os.codename | OS codename, if any. | keyword | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | -| host.os.name | Operating system name, without the version. | keyword | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | -| host.os.version | Operating system version as a raw string. | keyword | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | -| kubernetes.annotations.\* | Kubernetes annotations map | object | | -| kubernetes.container.image | Kubernetes container image | keyword | | -| kubernetes.container.name | Kubernetes container name | keyword | | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | | -| kubernetes.deployment.paused | Kubernetes deployment paused status | boolean | | -| kubernetes.deployment.replicas.available | Deployment available replicas | integer | gauge | -| kubernetes.deployment.replicas.desired | Deployment number of desired replicas (spec) | integer | gauge | -| kubernetes.deployment.replicas.unavailable | Deployment unavailable replicas | integer | gauge | -| kubernetes.deployment.replicas.updated | Deployment updated replicas | integer | gauge | -| kubernetes.labels.\* | Kubernetes labels map | object | | -| kubernetes.namespace | Kubernetes namespace | keyword | | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | -| kubernetes.node.name | Kubernetes node name | keyword | | -| kubernetes.pod.ip | Kubernetes pod IP | ip | | -| kubernetes.pod.name | Kubernetes pod name | keyword | | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | -| orchestrator.cluster.name | Name of the cluster. | keyword | | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. 
Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | +| kubernetes.annotations.\* | Kubernetes annotations map | object | +| kubernetes.container.image | Kubernetes container image | keyword | +| kubernetes.container.name | Kubernetes container name | keyword | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | +| kubernetes.labels.\* | Kubernetes labels map | object | +| kubernetes.namespace | Kubernetes namespace | keyword | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | +| kubernetes.node.name | Kubernetes node name | keyword | +| kubernetes.pod.ip | Kubernetes pod IP | ip | +| kubernetes.pod.name | Kubernetes pod name | keyword | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | +| orchestrator.cluster.name | Name of the cluster. | keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | ### state_job 
@@ -729,75 +699,63 @@ An example event for `state_job` looks as following: **Exported fields** -| Field | Description | Type | Metric Type | -|---|---|---|---| -| @timestamp | Event timestamp. | date | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | -| cloud.instance.name | Instance name of the host machine. | keyword | | -| cloud.machine.type | Machine type of the host machine. | keyword | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | -| cloud.region | Region in which this host is running. | keyword | | -| container.id | Unique container id. | keyword | | -| container.image.name | Name of the image the container was built on. | keyword | | -| container.labels | Image labels. | object | | -| container.name | Container name. | keyword | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | -| data_stream.type | Data stream type. | constant_keyword | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | -| host.architecture | Operating system architecture. | keyword | | -| host.containerized | If the host is a container. | boolean | | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | -| host.ip | Host ip addresses. | ip | | -| host.mac | Host mac addresses. | keyword | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | -| host.os.build | OS build information. | keyword | | -| host.os.codename | OS codename, if any. | keyword | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | -| host.os.name | Operating system name, without the version. | keyword | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | -| host.os.version | Operating system version as a raw string. | keyword | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | -| kubernetes.annotations.\* | Kubernetes annotations map | object | | -| kubernetes.container.image | Kubernetes container image | keyword | | -| kubernetes.container.name | Kubernetes container name | keyword | | -| kubernetes.cronjob.name | Name of the CronJob to which the Pod belongs | keyword | | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | | -| kubernetes.job.completions.desired | The configured completion count for the job (Spec) | long | gauge | -| kubernetes.job.name | Name of the Job to which the Pod belongs | keyword | | -| kubernetes.job.owner.is_controller | Owner is controller ("true", "false", or `"\"`) | keyword | | -| kubernetes.job.owner.kind | The kind of resource that owns this job (eg. "CronJob") | keyword | | -| kubernetes.job.owner.name | The name of the resource that owns this job | keyword | | -| kubernetes.job.parallelism.desired | The configured parallelism of the job (Spec) | long | gauge | -| kubernetes.job.pods.active | Number of active pods | long | gauge | -| kubernetes.job.pods.failed | Number of failed pods | long | gauge | -| kubernetes.job.pods.succeeded | Number of successful pods | long | gauge | -| kubernetes.job.status.complete | Whether the job completed ("true", "false", or "unknown") | keyword | | -| kubernetes.job.status.failed | Whether the job failed ("true", "false", or "unknown") | keyword | | -| kubernetes.job.time.completed | The time at which the job completed | date | | -| kubernetes.job.time.created | The time at which the job was created | date | | -| kubernetes.labels.\* | Kubernetes labels map | object | | -| kubernetes.namespace | Kubernetes namespace | keyword | | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | -| kubernetes.node.name | Kubernetes node name | keyword | | -| kubernetes.pod.ip | Kubernetes pod IP | ip | | -| kubernetes.pod.name | Kubernetes pod name | keyword | | -| kubernetes.pod.uid | Kubernetes pod UID 
| keyword | | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | -| orchestrator.cluster.name | Name of the cluster. | keyword | | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. 
| keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| kubernetes.annotations.\* | Kubernetes annotations map | object | +| kubernetes.container.image | Kubernetes container image | keyword | +| kubernetes.container.name | Kubernetes container name | keyword | +| kubernetes.cronjob.name | Name of the CronJob to which the Pod belongs | keyword | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | +| kubernetes.job.name | Name of the Job to which the Pod belongs | keyword | +| kubernetes.labels.\* | Kubernetes labels map | object | +| kubernetes.namespace | Kubernetes namespace | keyword | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | +| kubernetes.node.name | Kubernetes node name | keyword | +| kubernetes.pod.ip | Kubernetes pod IP | ip | +| kubernetes.pod.name | Kubernetes pod name | keyword | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | +| orchestrator.cluster.name | Name of the cluster. | keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | ### state_node 
@@ -900,73 +858,61 @@ An example event for `state_node` looks as following: **Exported fields** -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | | -| cloud.instance.name | Instance name of the host machine. | keyword | | | -| cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | -| container.id | Unique container id. | keyword | | | -| container.image.name | Name of the image the container was built on. | keyword | | | -| container.labels | Image labels. | object | | | -| container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. 
| boolean | | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | -| kubernetes.annotations.\* | Kubernetes annotations map | object | | | -| kubernetes.container.image | Kubernetes container image | keyword | | | -| kubernetes.container.name | Kubernetes container name | keyword | | | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | | | -| kubernetes.labels.\* | Kubernetes labels map | object | | | -| kubernetes.namespace | Kubernetes namespace | keyword | | | -| kubernetes.node.cpu.allocatable.cores | Node CPU allocatable cores | float | | gauge | -| kubernetes.node.cpu.capacity.cores | Node CPU capacity cores | long | | gauge | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | | -| kubernetes.node.memory.allocatable.bytes | Node allocatable memory in bytes | long | byte | gauge | -| kubernetes.node.memory.capacity.bytes | Node memory capacity in bytes | long | byte | gauge | -| kubernetes.node.name | Kubernetes node name | keyword | | | -| kubernetes.node.pod.allocatable.total | Node allocatable pods | long | | gauge | -| kubernetes.node.pod.capacity.total | Node pod capacity | long | | gauge | -| kubernetes.node.status.disk_pressure | Node DiskPressure status (true, false or unknown) | keyword | | | -| kubernetes.node.status.memory_pressure | Node MemoryPressure status (true, false or unknown) | keyword | | | -| kubernetes.node.status.out_of_disk | Node OutOfDisk status (true, false or unknown) | keyword | | | -| kubernetes.node.status.pid_pressure | Node PIDPressure status (true, false or unknown) | keyword | | | -| kubernetes.node.status.ready | Node ready status (true, false or unknown) | keyword | | | -| kubernetes.node.status.unschedulable | Node unschedulable status | boolean | | | -| kubernetes.pod.ip | Kubernetes pod IP | ip | | | -| kubernetes.pod.name | Kubernetes pod name | keyword | | | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | | | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | | -| 
kubernetes.selectors.\* | Kubernetes Service selectors map | object | | | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | | -| orchestrator.cluster.name | Name of the cluster. | keyword | | | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | | +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. 
| constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. 
| keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| kubernetes.annotations.\* | Kubernetes annotations map | object | +| kubernetes.container.image | Kubernetes container image | keyword | +| kubernetes.container.name | Kubernetes container name | keyword | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | +| kubernetes.labels.\* | Kubernetes labels map | object | +| kubernetes.namespace | Kubernetes namespace | keyword | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | +| kubernetes.node.name | Kubernetes node name | keyword | +| kubernetes.pod.ip | Kubernetes pod IP | ip | +| kubernetes.pod.name | Kubernetes pod name | keyword | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | +| orchestrator.cluster.name | Name of the cluster. | keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | ### state_persistentvolume 
@@ -1041,65 +987,61 @@ An example event for `state_persistentvolume` looks as following: **Exported fields** -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | | -| cloud.instance.name | Instance name of the host machine. | keyword | | | -| cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | -| container.id | Unique container id. | keyword | | | -| container.image.name | Name of the image the container was built on. | keyword | | | -| container.labels | Image labels. | object | | | -| container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. 
| boolean | | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | -| kubernetes.annotations.\* | Kubernetes annotations map | object | | | -| kubernetes.container.image | Kubernetes container image | keyword | | | -| kubernetes.container.name | Kubernetes container name | keyword | | | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | | | -| kubernetes.labels.\* | Kubernetes labels map | object | | | -| kubernetes.namespace | Kubernetes namespace | keyword | | | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | | -| kubernetes.node.name | Kubernetes node name | keyword | | | -| kubernetes.persistentvolume.capacity.bytes | Volume capacity | long | byte | gauge | -| kubernetes.persistentvolume.name | Volume name. | keyword | | | -| kubernetes.persistentvolume.phase | Volume phase according to kubernetes | keyword | | | -| kubernetes.persistentvolume.storage_class | Storage class for the volume | keyword | | | -| kubernetes.pod.ip | Kubernetes pod IP | ip | | | -| kubernetes.pod.name | Kubernetes pod name | keyword | | | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | | | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | | -| orchestrator.cluster.name | Name of the cluster. | keyword | | | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | | | +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. 
For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | +| kubernetes.annotations.\* | Kubernetes annotations map | object | +| kubernetes.container.image | Kubernetes container image | keyword | +| kubernetes.container.name | Kubernetes container name | keyword | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | +| kubernetes.labels.\* | Kubernetes labels map | object | +| kubernetes.namespace | Kubernetes namespace | keyword | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | +| kubernetes.node.name | Kubernetes node name | keyword | +| kubernetes.pod.ip | Kubernetes pod IP | ip | +| kubernetes.pod.name | Kubernetes pod name | keyword | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | +| orchestrator.cluster.name | Name of the cluster. | keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | ### state_persistentvolumeclaim 
@@ -1174,67 +1116,61 @@ An example event for `state_persistentvolumeclaim` looks as following: **Exported fields** -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | | -| cloud.instance.name | Instance name of the host machine. | keyword | | | -| cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | -| container.id | Unique container id. | keyword | | | -| container.image.name | Name of the image the container was built on. | keyword | | | -| container.labels | Image labels. | object | | | -| container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. 
| boolean | | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | -| kubernetes.annotations.\* | Kubernetes annotations map | object | | | -| kubernetes.container.image | Kubernetes container image | keyword | | | -| kubernetes.container.name | Kubernetes container name | keyword | | | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | | | -| kubernetes.labels.\* | Kubernetes labels map | object | | | -| kubernetes.namespace | Kubernetes namespace | keyword | | | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | | -| kubernetes.node.name | Kubernetes node name | keyword | | | -| kubernetes.persistentvolumeclaim.access_mode | Access mode. | keyword | | | -| kubernetes.persistentvolumeclaim.name | PVC name. | keyword | | | -| kubernetes.persistentvolumeclaim.phase | PVC phase. | keyword | | | -| kubernetes.persistentvolumeclaim.request_storage.bytes | Requested capacity. | long | byte | gauge | -| kubernetes.persistentvolumeclaim.storage_class | Storage class for the PVC. | keyword | | | -| kubernetes.persistentvolumeclaim.volume_name | Binded volume name. | keyword | | | -| kubernetes.pod.ip | Kubernetes pod IP | ip | | | -| kubernetes.pod.name | Kubernetes pod name | keyword | | | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | | | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | | -| orchestrator.cluster.name | Name of the cluster. | keyword | | | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | -| service.type | The type of the service data is collected from. 
The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | | +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. 
| boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | +| kubernetes.annotations.\* | Kubernetes annotations map | object | +| kubernetes.container.image | Kubernetes container image | keyword | +| kubernetes.container.name | Kubernetes container name | keyword | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | +| kubernetes.labels.\* | Kubernetes labels map | object | +| kubernetes.namespace | Kubernetes namespace | keyword | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | +| kubernetes.node.name | Kubernetes node name | keyword | +| kubernetes.pod.ip | Kubernetes pod IP | ip | +| kubernetes.pod.name | Kubernetes pod name | keyword | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | +| orchestrator.cluster.name | Name of the cluster. | keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | ### state_pod 
@@ -1411,12 +1347,8 @@ An example event for `state_pod` looks as following:
 | kubernetes.node.labels.\* | Kubernetes node labels map | object |
 | kubernetes.node.name | Kubernetes node name | keyword |
 | kubernetes.node.uid | Kubernetes node UID | keyword |
-| kubernetes.pod.host_ip | Kubernetes pod host IP | ip |
 | kubernetes.pod.ip | Kubernetes pod IP | ip |
 | kubernetes.pod.name | Kubernetes pod name | keyword |
-| kubernetes.pod.status.phase | Kubernetes pod phase (Running, Pending...) | keyword |
-| kubernetes.pod.status.ready | Kubernetes pod ready status (true, false or unknown) | keyword |
-| kubernetes.pod.status.scheduled | Kubernetes pod scheduled status (true, false, unknown) | keyword |
 | kubernetes.pod.uid | Kubernetes pod UID | keyword |
 | kubernetes.replicaset.name | Kubernetes replicaset name | keyword |
 | kubernetes.selectors.\* | Kubernetes Service selectors map | object |
@@ -1508,66 +1440,61 @@ An example event for `state_replicaset` looks as following: **Exported fields** -| Field | Description | Type | Metric Type | -|---|---|---|---| -| @timestamp | Event timestamp. | date | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | -| cloud.instance.name | Instance name of the host machine. | keyword | | -| cloud.machine.type | Machine type of the host machine. | keyword | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | -| cloud.region | Region in which this host is running. | keyword | | -| container.id | Unique container id. | keyword | | -| container.image.name | Name of the image the container was built on. | keyword | | -| container.labels | Image labels. | object | | -| container.name | Container name. | keyword | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | -| data_stream.type | Data stream type. | constant_keyword | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | -| host.architecture | Operating system architecture. | keyword | | -| host.containerized | If the host is a container. 
| boolean | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | -| host.ip | Host ip addresses. | ip | | -| host.mac | Host mac addresses. | keyword | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | -| host.os.build | OS build information. | keyword | | -| host.os.codename | OS codename, if any. | keyword | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | -| host.os.name | Operating system name, without the version. | keyword | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | -| host.os.version | Operating system version as a raw string. | keyword | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | -| kubernetes.annotations.\* | Kubernetes annotations map | object | | -| kubernetes.container.image | Kubernetes container image | keyword | | -| kubernetes.container.name | Kubernetes container name | keyword | | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | | -| kubernetes.labels.\* | Kubernetes labels map | object | | -| kubernetes.namespace | Kubernetes namespace | keyword | | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | -| kubernetes.node.name | Kubernetes node name | keyword | | -| kubernetes.pod.ip | Kubernetes pod IP | ip | | -| kubernetes.pod.name | Kubernetes pod name | keyword | | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | -| kubernetes.replicaset.replicas.available | The number of replicas per ReplicaSet | long | gauge | -| kubernetes.replicaset.replicas.desired | The number of replicas per ReplicaSet | long | gauge | -| kubernetes.replicaset.replicas.labeled | The number of fully labeled replicas per ReplicaSet | long | gauge | -| kubernetes.replicaset.replicas.observed | The generation observed by the ReplicaSet controller | long | gauge | -| kubernetes.replicaset.replicas.ready | The number of ready replicas per ReplicaSet | long | gauge | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | -| orchestrator.cluster.name | Name of the cluster. | keyword | | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. 
Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | +| kubernetes.annotations.\* | Kubernetes annotations map | object | +| kubernetes.container.image | Kubernetes container image | keyword | +| kubernetes.container.name | Kubernetes container name | keyword | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | +| kubernetes.labels.\* | Kubernetes labels map | object | +| kubernetes.namespace | Kubernetes namespace | keyword | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | +| kubernetes.node.name | Kubernetes node name | keyword | +| kubernetes.pod.ip | Kubernetes pod IP | ip | +| kubernetes.pod.name | Kubernetes pod name | keyword | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | +| orchestrator.cluster.name | Name of the cluster. | keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | ### state_resourcequota 
@@ -1638,66 +1565,61 @@ An example event for `state_resourcequota` looks as following: **Exported fields** -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | | -| cloud.instance.name | Instance name of the host machine. | keyword | | | -| cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | -| container.id | Unique container id. | keyword | | | -| container.image.name | Name of the image the container was built on. | keyword | | | -| container.labels | Image labels. | object | | | -| container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. 
| boolean | | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | -| kubernetes.annotations.\* | Kubernetes annotations map | object | | | -| kubernetes.container.image | Kubernetes container image | keyword | | | -| kubernetes.container.name | Kubernetes container name | keyword | | | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | | | -| kubernetes.labels.\* | Kubernetes labels map | object | | | -| kubernetes.namespace | Kubernetes namespace | keyword | | | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | | -| kubernetes.node.name | Kubernetes node name | keyword | | | -| kubernetes.pod.ip | Kubernetes pod IP | ip | | | -| kubernetes.pod.name | Kubernetes pod name | keyword | | | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | | | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | | -| kubernetes.resourcequota.created.sec | Epoch seconds since the ResourceQuota was created | double | s | gauge | -| kubernetes.resourcequota.name | ResourceQuota name | keyword | | | -| kubernetes.resourcequota.quota | Quota informed (hard or used) for the resource | double | | gauge | -| kubernetes.resourcequota.resource | Resource name the quota applies to | keyword | | | -| kubernetes.resourcequota.type | Quota information type, `hard` or `used` | keyword | | | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | | -| orchestrator.cluster.name | Name of the cluster. | keyword | | | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. 
Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | | +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | +| kubernetes.annotations.\* | Kubernetes annotations map | object | +| kubernetes.container.image | Kubernetes container image | keyword | +| kubernetes.container.name | Kubernetes container name | keyword | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | +| kubernetes.labels.\* | Kubernetes labels map | object | +| kubernetes.namespace | Kubernetes namespace | keyword | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | +| kubernetes.node.name | Kubernetes node name | keyword | +| kubernetes.pod.ip | Kubernetes pod IP | ip | +| kubernetes.pod.name | Kubernetes pod name | keyword | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | +| orchestrator.cluster.name | Name of the cluster. | keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | ### state_service 
@@ -1853,15 +1775,6 @@ An example event for `state_service` looks as following:
 | kubernetes.pod.uid | Kubernetes pod UID | keyword |
 | kubernetes.replicaset.name | Kubernetes replicaset name | keyword |
 | kubernetes.selectors.\* | Kubernetes Service selectors map | object |
-| kubernetes.service.cluster_ip | Internal IP for the service. | keyword |
-| kubernetes.service.created | Service creation date | date |
-| kubernetes.service.external_ip | Service external IP | keyword |
-| kubernetes.service.external_name | Service external DNS name | keyword |
-| kubernetes.service.ingress_hostname | Ingress Hostname | keyword |
-| kubernetes.service.ingress_ip | Ingress IP | keyword |
-| kubernetes.service.load_balancer_ip | Load Balancer service IP | keyword |
-| kubernetes.service.name | Service name. | keyword |
-| kubernetes.service.type | Service type | keyword |
 | kubernetes.statefulset.name | Kubernetes statefulset name | keyword |
 | orchestrator.cluster.name | Name of the cluster. | keyword |
 | orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword |
@@ -1942,67 +1855,61 @@ An example event for `state_statefulset` looks as following: **Exported fields** -| Field | Description | Type | Metric Type | -|---|---|---|---| -| @timestamp | Event timestamp. | date | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | -| cloud.instance.name | Instance name of the host machine. | keyword | | -| cloud.machine.type | Machine type of the host machine. | keyword | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | -| cloud.region | Region in which this host is running. | keyword | | -| container.id | Unique container id. | keyword | | -| container.image.name | Name of the image the container was built on. | keyword | | -| container.labels | Image labels. | object | | -| container.name | Container name. | keyword | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | -| data_stream.type | Data stream type. | constant_keyword | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | -| host.architecture | Operating system architecture. | keyword | | -| host.containerized | If the host is a container. 
| boolean | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | -| host.ip | Host ip addresses. | ip | | -| host.mac | Host mac addresses. | keyword | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | -| host.os.build | OS build information. | keyword | | -| host.os.codename | OS codename, if any. | keyword | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | -| host.os.name | Operating system name, without the version. | keyword | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | -| host.os.version | Operating system version as a raw string. | keyword | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | -| kubernetes.annotations.\* | Kubernetes annotations map | object | | -| kubernetes.container.image | Kubernetes container image | keyword | | -| kubernetes.container.name | Kubernetes container name | keyword | | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | | -| kubernetes.labels.\* | Kubernetes labels map | object | | -| kubernetes.namespace | Kubernetes namespace | keyword | | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | -| kubernetes.node.name | Kubernetes node name | keyword | | -| kubernetes.pod.ip | Kubernetes pod IP | ip | | -| kubernetes.pod.name | Kubernetes pod name | keyword | | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | -| kubernetes.statefulset.created | The creation timestamp (epoch) for StatefulSet | long | gauge | -| kubernetes.statefulset.generation.desired | The desired generation per StatefulSet | long | gauge | -| kubernetes.statefulset.generation.observed | The observed generation per StatefulSet | long | gauge | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | -| kubernetes.statefulset.replicas.desired | The number of desired replicas per StatefulSet | long | gauge | -| kubernetes.statefulset.replicas.observed | The number of observed replicas per StatefulSet | long | gauge | -| kubernetes.statefulset.replicas.ready | The number of ready replicas per StatefulSet | long | gauge | -| orchestrator.cluster.name | Name of the cluster. | keyword | | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). 
| keyword | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| host.architecture | Operating system architecture. 
| keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | +| kubernetes.annotations.\* | Kubernetes annotations map | object | +| kubernetes.container.image | Kubernetes container image | keyword | +| kubernetes.container.name | Kubernetes container name | keyword | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | +| kubernetes.labels.\* | Kubernetes labels map | object | +| kubernetes.namespace | Kubernetes namespace | keyword | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | +| kubernetes.node.name | Kubernetes node name | keyword | +| kubernetes.pod.ip | Kubernetes pod IP | ip | +| kubernetes.pod.name | Kubernetes pod name | keyword | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | +| orchestrator.cluster.name | Name of the cluster. | keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | ### state_storageclass 
@@ -2127,11 +2034,6 @@ An example event for `state_storageclass` looks as following:
 | kubernetes.replicaset.name | Kubernetes replicaset name | keyword |
 | kubernetes.selectors.\* | Kubernetes Service selectors map | object |
 | kubernetes.statefulset.name | Kubernetes statefulset name | keyword |
-| kubernetes.storageclass.created | Storage class creation date | date |
-| kubernetes.storageclass.name | Storage class name. | keyword |
-| kubernetes.storageclass.provisioner | Volume provisioner for the storage class. | keyword |
-| kubernetes.storageclass.reclaim_policy | Reclaim policy for dynamically created volumes | keyword |
-| kubernetes.storageclass.volume_binding_mode | Mode for default provisioning and binding | keyword |
 | orchestrator.cluster.name | Name of the cluster. | keyword |
 | orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword |
 | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
diff --git a/packages/kubernetes/docs/kubelet.md b/packages/kubernetes/docs/kubelet.md
index cabf8c1018d..5550b2536da 100644
--- a/packages/kubernetes/docs/kubelet.md
+++ b/packages/kubernetes/docs/kubelet.md
@@ -231,32 +231,8 @@ An example event for `container` looks as following:
 | host.os.version | Operating system version as a raw string. | keyword | | |
 | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
 | kubernetes.annotations.\* | Kubernetes annotations map | object | | |
-| kubernetes.container.cpu.usage.core.ns | Container CPU Core usage nanoseconds | long | | gauge |
-| kubernetes.container.cpu.usage.limit.pct | CPU usage as a percentage of the defined limit for the container (or total node allocatable CPU if unlimited) | scaled_float | percent | gauge |
-| kubernetes.container.cpu.usage.nanocores | CPU used nanocores | long | | gauge |
-| kubernetes.container.cpu.usage.node.pct | CPU usage as a percentage of the total node allocatable CPU | scaled_float | percent | gauge |
 | kubernetes.container.image | Kubernetes container image | keyword | | |
-| kubernetes.container.logs.available.bytes | Logs available capacity in bytes | long | byte | gauge |
-| kubernetes.container.logs.capacity.bytes | Logs total capacity in bytes | long | byte | gauge |
-| kubernetes.container.logs.inodes.count | Total available inodes | long | | gauge |
-| kubernetes.container.logs.inodes.free | Total free inodes | long | | gauge |
-| kubernetes.container.logs.inodes.used | Total used inodes | long | | gauge |
-| kubernetes.container.logs.used.bytes | Logs used capacity in bytes | long | byte | gauge |
-| kubernetes.container.memory.available.bytes | Total available memory | long | byte | gauge |
-| kubernetes.container.memory.majorpagefaults | Number of major page faults | long | | counter |
-| kubernetes.container.memory.pagefaults | Number of page faults | long | | counter |
-| kubernetes.container.memory.rss.bytes | RSS memory usage | long | byte | gauge |
-| kubernetes.container.memory.usage.bytes | Total memory usage | 
long | byte | gauge |
-| kubernetes.container.memory.usage.limit.pct | Memory usage as a percentage of the defined limit for the container (or total node allocatable memory if unlimited) | scaled_float | percent | gauge |
-| kubernetes.container.memory.usage.node.pct | Memory usage as a percentage of the total node allocatable memory | scaled_float | percent | gauge |
-| kubernetes.container.memory.workingset.bytes | Working set memory usage | long | byte | gauge |
-| kubernetes.container.memory.workingset.limit.pct | Working set memory usage as a percentage of the defined limit for the container (or total node allocatable memory if unlimited) | scaled_float | percent | gauge |
 | kubernetes.container.name | Kubernetes container name | keyword | | |
-| kubernetes.container.rootfs.available.bytes | Root filesystem total available in bytes | long | byte | gauge |
-| kubernetes.container.rootfs.capacity.bytes | Root filesystem total capacity in bytes | long | byte | gauge |
-| kubernetes.container.rootfs.inodes.used | Used inodes | long | | gauge |
-| kubernetes.container.rootfs.used.bytes | Root filesystem total used in bytes | long | byte | gauge |
-| kubernetes.container.start_time | Start time | date | | |
 | kubernetes.cronjob.name | Name of the CronJob to which the Pod belongs | keyword | | |
 | kubernetes.daemonset.name | Kubernetes daemonset name | keyword | | |
 | kubernetes.deployment.name | Kubernetes deployment name | keyword | | |
@@ -443,83 +419,61 @@ An example event for `node` looks as following: **Exported fields** -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | | -| cloud.instance.name | Instance name of the host machine. | keyword | | | -| cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | -| container.id | Unique container id. | keyword | | | -| container.image.name | Name of the image the container was built on. | keyword | | | -| container.labels | Image labels. | object | | | -| container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. 
| boolean | | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | -| kubernetes.annotations.\* | Kubernetes annotations map | object | | | -| kubernetes.container.image | Kubernetes container image | keyword | | | -| kubernetes.container.name | Kubernetes container name | keyword | | | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | | | -| kubernetes.labels.\* | Kubernetes labels map | object | | | -| kubernetes.namespace | Kubernetes namespace | keyword | | | -| kubernetes.node.cpu.usage.core.ns | Node CPU Core usage nanoseconds | long | | gauge | -| kubernetes.node.cpu.usage.nanocores | CPU used nanocores | long | | gauge | -| kubernetes.node.fs.available.bytes | Filesystem total available in bytes | long | byte | gauge | -| kubernetes.node.fs.capacity.bytes | Filesystem total capacity in bytes | long | byte | gauge | -| kubernetes.node.fs.inodes.count | Number of inodes | long | | gauge | -| kubernetes.node.fs.inodes.free | Number of free inodes | long | | gauge | -| kubernetes.node.fs.inodes.used | Number of used inodes | long | | gauge | -| kubernetes.node.fs.used.bytes | Filesystem total used in bytes | long | byte | gauge | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | | -| kubernetes.node.memory.available.bytes | Total available memory | long | byte | gauge | -| kubernetes.node.memory.majorpagefaults | Number of major page faults | long | | counter | -| kubernetes.node.memory.pagefaults | Number of page faults | long | | counter | -| kubernetes.node.memory.rss.bytes | RSS memory usage | long | byte | gauge | -| kubernetes.node.memory.usage.bytes | Total memory usage | long | byte | gauge | -| kubernetes.node.memory.workingset.bytes | Working set memory usage | long | byte | gauge | -| kubernetes.node.name | Kubernetes node name | keyword | | | -| kubernetes.node.network.rx.bytes | Received bytes | long | byte | counter | -| kubernetes.node.network.rx.errors | Rx errors | long | | | -| kubernetes.node.network.tx.bytes | Transmitted 
bytes | long | byte | counter | -| kubernetes.node.network.tx.errors | Tx errors | long | | counter | -| kubernetes.node.runtime.imagefs.available.bytes | Image filesystem total available in bytes | long | byte | gauge | -| kubernetes.node.runtime.imagefs.capacity.bytes | Image filesystem total capacity in bytes | long | byte | gauge | -| kubernetes.node.runtime.imagefs.used.bytes | Image filesystem total used in bytes | long | byte | gauge | -| kubernetes.node.start_time | Start time | date | | | -| kubernetes.pod.ip | Kubernetes pod IP | ip | | | -| kubernetes.pod.name | Kubernetes pod name | keyword | | | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | | | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | | -| orchestrator.cluster.name | Name of the cluster. | keyword | | | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | | +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. 
| keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| kubernetes.annotations.\* | Kubernetes annotations map | object | +| kubernetes.container.image | Kubernetes container image | keyword | +| kubernetes.container.name | Kubernetes container name | keyword | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | +| kubernetes.labels.\* | Kubernetes labels map | object | +| kubernetes.namespace | Kubernetes namespace | keyword | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | +| kubernetes.node.name | Kubernetes node name | keyword | +| kubernetes.pod.ip | Kubernetes pod IP | ip | +| kubernetes.pod.name | Kubernetes pod name | keyword | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | +| orchestrator.cluster.name | Name of the cluster. 
| keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | ### pod 
@@ -678,89 +632,72 @@ An example event for `pod` looks as following: **Exported fields** -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | | -| cloud.instance.name | Instance name of the host machine. | keyword | | | -| cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | -| container.id | Unique container id. | keyword | | | -| container.image.name | Name of the image the container was built on. | keyword | | | -| container.labels | Image labels. | object | | | -| container.name | Container name. | keyword | | | -| container.network.egress.bytes | Total number of outgoing bytes. | long | | counter | -| container.network.ingress.bytes | Total number of incoming bytes. | long | | counter | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. 
| keyword | | | -| host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. | boolean | | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | -| kubernetes.annotations.\* | Kubernetes annotations map | object | | | -| kubernetes.container.image | Kubernetes container image | keyword | | | -| kubernetes.container.name | Kubernetes container name | keyword | | | -| kubernetes.cronjob.name | Name of the CronJob to which the Pod belongs | keyword | | | -| kubernetes.daemonset.name | Kubernetes daemonset name | keyword | | | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | | | -| kubernetes.job.name | Name of the Job to which the Pod belongs | keyword | | | -| kubernetes.labels.\* | Kubernetes labels map | object | | | -| kubernetes.namespace | Kubernetes namespace | keyword | | | -| kubernetes.namespace_annotations.\* | Kubernetes namespace annotations map | object | | | -| kubernetes.namespace_labels.\* | Kubernetes namespace labels map | object | | | -| kubernetes.namespace_uid | Kubernetes namespace UID | keyword | | | -| kubernetes.node.annotations.\* | Kubernetes node annotations map | object | | | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | | -| kubernetes.node.labels.\* | Kubernetes node labels map | object | | | -| kubernetes.node.name | Kubernetes node name | keyword | | | -| kubernetes.node.uid | Kubernetes node UID | keyword | | | -| kubernetes.pod.cpu.usage.limit.pct | CPU usage as a percentage of the defined limit for the pod containers (or total node CPU if one or more containers of the pod are unlimited) | scaled_float | percent | gauge | -| kubernetes.pod.cpu.usage.nanocores | CPU used nanocores | long | byte | gauge | -| kubernetes.pod.cpu.usage.node.pct | CPU usage as a percentage of the total node CPU | scaled_float | percent | gauge | -| kubernetes.pod.ip | Kubernetes pod IP | ip | | | -| kubernetes.pod.memory.available.bytes | Total memory available | long | percent | gauge | -| kubernetes.pod.memory.major_page_faults | Total major page faults | long | | counter | -| 
kubernetes.pod.memory.page_faults | Total page faults | long | | counter | -| kubernetes.pod.memory.rss.bytes | Total resident set size memory | long | percent | gauge | -| kubernetes.pod.memory.usage.bytes | Total memory usage | long | byte | gauge | -| kubernetes.pod.memory.usage.limit.pct | Memory usage as a percentage of the defined limit for the pod containers (or total node allocatable memory if unlimited) | scaled_float | percent | gauge | -| kubernetes.pod.memory.usage.node.pct | Memory usage as a percentage of the total node allocatable memory | scaled_float | percent | gauge | -| kubernetes.pod.memory.working_set.bytes | Total working set memory | long | percent | gauge | -| kubernetes.pod.memory.working_set.limit.pct | Working set memory usage as a percentage of the defined limit for the pod containers (or total node allocatable memory if unlimited) | scaled_float | percent | gauge | -| kubernetes.pod.name | Kubernetes pod name | keyword | | | -| kubernetes.pod.network.rx.bytes | Received bytes | long | byte | counter | -| kubernetes.pod.network.rx.errors | Rx errors | long | | counter | -| kubernetes.pod.network.tx.bytes | Transmitted bytes | long | byte | counter | -| kubernetes.pod.network.tx.errors | Tx errors | long | | counter | -| kubernetes.pod.start_time | Start time | date | | | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | | | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | | -| orchestrator.cluster.name | Name of the cluster. | keyword | | | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). 
| keyword | | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | | +| Field | Description | Type | Metric Type | +|---|---|---|---| +| @timestamp | Event timestamp. | date | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | +| cloud.instance.name | Instance name of the host machine. | keyword | | +| cloud.machine.type | Machine type of the host machine. | keyword | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | +| cloud.region | Region in which this host is running. | keyword | | +| container.id | Unique container id. | keyword | | +| container.image.name | Name of the image the container was built on. | keyword | | +| container.labels | Image labels. | object | | +| container.name | Container name. | keyword | | +| container.network.egress.bytes | Total number of outgoing bytes. | long | counter | +| container.network.ingress.bytes | Total number of incoming bytes. | long | counter | +| data_stream.dataset | Data stream dataset. | constant_keyword | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | +| data_stream.type | Data stream type. | constant_keyword | | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | +| host.architecture | Operating system architecture. | keyword | | +| host.containerized | If the host is a container. | boolean | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | +| host.ip | Host ip addresses. | ip | | +| host.mac | Host mac addresses. | keyword | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | +| host.os.build | OS build information. | keyword | | +| host.os.codename | OS codename, if any. | keyword | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | +| host.os.name | Operating system name, without the version. | keyword | | +| host.os.name.text | Multi-field of `host.os.name`. | text | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | +| host.os.version | Operating system version as a raw string. | keyword | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | +| kubernetes.annotations.\* | Kubernetes annotations map | object | | +| kubernetes.container.image | Kubernetes container image | keyword | | +| kubernetes.container.name | Kubernetes container name | keyword | | +| kubernetes.cronjob.name | Name of the CronJob to which the Pod belongs | keyword | | +| kubernetes.daemonset.name | Kubernetes daemonset name | keyword | | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | | +| kubernetes.job.name | Name of the Job to which the Pod belongs | keyword | | +| kubernetes.labels.\* | Kubernetes labels map | object | | +| kubernetes.namespace | Kubernetes namespace | keyword | | +| kubernetes.namespace_annotations.\* | Kubernetes namespace annotations map | object | | +| kubernetes.namespace_labels.\* | Kubernetes namespace labels map | object | | +| kubernetes.namespace_uid | Kubernetes namespace UID | keyword | | +| kubernetes.node.annotations.\* | Kubernetes node annotations map | object | | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | +| kubernetes.node.labels.\* | Kubernetes node labels map | object | | +| kubernetes.node.name | Kubernetes node name | keyword | | +| kubernetes.node.uid | Kubernetes node UID | keyword | | +| kubernetes.pod.ip | Kubernetes pod IP | ip | | +| kubernetes.pod.name | Kubernetes pod name | keyword | | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | +| orchestrator.cluster.name | Name of the cluster. | keyword | | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). 
| keyword | | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | ### system 
@@ -876,70 +813,61 @@ An example event for `system` looks as following: **Exported fields** -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | | -| cloud.instance.name | Instance name of the host machine. | keyword | | | -| cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | -| container.id | Unique container id. | keyword | | | -| container.image.name | Name of the image the container was built on. | keyword | | | -| container.labels | Image labels. | object | | | -| container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. 
| boolean | | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | -| kubernetes.annotations.\* | Kubernetes annotations map | object | | | -| kubernetes.container.image | Kubernetes container image | keyword | | | -| kubernetes.container.name | Kubernetes container name | keyword | | | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | | | -| kubernetes.labels.\* | Kubernetes labels map | object | | | -| kubernetes.namespace | Kubernetes namespace | keyword | | | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | | -| kubernetes.node.name | Kubernetes node name | keyword | | | -| kubernetes.pod.ip | Kubernetes pod IP | ip | | | -| kubernetes.pod.name | Kubernetes pod name | keyword | | | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | | | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | | -| kubernetes.system.container | Container name | keyword | | | -| kubernetes.system.cpu.usage.core.ns | CPU Core usage nanoseconds | long | | gauge | -| kubernetes.system.cpu.usage.nanocores | CPU used nanocores | long | | gauge | -| kubernetes.system.memory.majorpagefaults | Number of major page faults | long | | counter | -| kubernetes.system.memory.pagefaults | Number of page faults | long | | counter | -| kubernetes.system.memory.rss.bytes | RSS memory usage | long | byte | gauge | -| kubernetes.system.memory.usage.bytes | Total memory usage | long | byte | gauge | -| kubernetes.system.memory.workingset.bytes | Working set memory usage | long | byte | gauge | -| kubernetes.system.start_time | Start time | date | | | -| orchestrator.cluster.name | Name of the cluster. | keyword | | | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | | -| service.address | Address where data about this service was collected from. 
This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | | +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | +| kubernetes.annotations.\* | Kubernetes annotations map | object | +| kubernetes.container.image | Kubernetes container image | keyword | +| kubernetes.container.name | Kubernetes container name | keyword | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | +| kubernetes.labels.\* | Kubernetes labels map | object | +| kubernetes.namespace | Kubernetes namespace | keyword | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | +| kubernetes.node.name | Kubernetes node name | keyword | +| kubernetes.pod.ip | Kubernetes pod IP | ip | +| kubernetes.pod.name | Kubernetes pod name | keyword | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | +| orchestrator.cluster.name | Name of the cluster. | keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | ### volume 
@@ -1054,67 +982,58 @@ An example event for `volume` looks as following: **Exported fields** -| Field | Description | Type | Unit | Metric Type | -|---|---|---|---|---| -| @timestamp | Event timestamp. | date | | | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | -| cloud.image.id | Image ID for the cloud instance. | keyword | | | -| cloud.instance.id | Instance ID of the host machine. | keyword | | | -| cloud.instance.name | Instance name of the host machine. | keyword | | | -| cloud.machine.type | Machine type of the host machine. | keyword | | | -| cloud.project.id | Name of the project in Google Cloud. | keyword | | | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | -| cloud.region | Region in which this host is running. | keyword | | | -| container.id | Unique container id. | keyword | | | -| container.image.name | Name of the image the container was built on. | keyword | | | -| container.labels | Image labels. | object | | | -| container.name | Container name. | keyword | | | -| data_stream.dataset | Data stream dataset. | constant_keyword | | | -| data_stream.namespace | Data stream namespace. | constant_keyword | | | -| data_stream.type | Data stream type. | constant_keyword | | | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | -| host.architecture | Operating system architecture. | keyword | | | -| host.containerized | If the host is a container. 
| boolean | | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | -| host.ip | Host ip addresses. | ip | | | -| host.mac | Host mac addresses. | keyword | | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | -| host.os.build | OS build information. | keyword | | | -| host.os.codename | OS codename, if any. | keyword | | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | -| host.os.name | Operating system name, without the version. | keyword | | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | -| host.os.version | Operating system version as a raw string. | keyword | | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | -| kubernetes.annotations.\* | Kubernetes annotations map | object | | | -| kubernetes.container.image | Kubernetes container image | keyword | | | -| kubernetes.container.name | Kubernetes container name | keyword | | | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | | | -| kubernetes.labels.\* | Kubernetes labels map | object | | | -| kubernetes.namespace | Kubernetes namespace | keyword | | | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | | -| kubernetes.node.name | Kubernetes node name | keyword | | | -| kubernetes.pod.ip | Kubernetes pod IP | ip | | | -| kubernetes.pod.name | Kubernetes pod name | keyword | | | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | | | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | | -| kubernetes.volume.fs.available.bytes | Filesystem total available in bytes | long | byte | gauge | -| kubernetes.volume.fs.capacity.bytes | Filesystem total capacity in bytes | long | byte | gauge | -| kubernetes.volume.fs.inodes.count | Total inodes | long | | gauge | -| kubernetes.volume.fs.inodes.free | Free inodes | long | | gauge | -| kubernetes.volume.fs.inodes.pct | Percentage of used inodes | scaled_float | percent | gauge | -| kubernetes.volume.fs.inodes.used | Used inodes | long | | gauge | -| kubernetes.volume.fs.used.bytes | Filesystem total used in bytes | long | byte | gauge | -| kubernetes.volume.fs.used.pct | Percentage of filesystem total used | scaled_float | percent | gauge | -| kubernetes.volume.name | Volume name | keyword | | | -| orchestrator.cluster.name | Name of the cluster. | keyword | | | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | | -| service.address | Address where data about this service was collected from. 
This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | | +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | +| kubernetes.annotations.\* | Kubernetes annotations map | object | +| kubernetes.container.image | Kubernetes container image | keyword | +| kubernetes.container.name | Kubernetes container name | keyword | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | +| kubernetes.labels.\* | Kubernetes labels map | object | +| kubernetes.namespace | Kubernetes namespace | keyword | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | +| kubernetes.node.name | Kubernetes node name | keyword | +| kubernetes.pod.ip | Kubernetes pod IP | ip | +| kubernetes.pod.name | Kubernetes pod name | keyword | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | +| orchestrator.cluster.name | Name of the cluster. | keyword | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | diff --git a/packages/netflow/docs/README.md b/packages/netflow/docs/README.md index fccb3cf0bd7..f77aa075236 100644 --- a/packages/netflow/docs/README.md +++ b/packages/netflow/docs/README.md 
@@ -115,11 +115,6 @@ The `log` dataset collects netflow logs.
 | destination.user.name | Short name or login of the user. | keyword |
 | destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
 | dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
 | dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword |
 | dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
 | dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword |
@@ -250,11 +245,6 @@ The `log` dataset collects netflow logs.
 | log.origin.file.name | The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. | keyword |
 | log.origin.function | The name of the function or method which originated the log event. | keyword |
 | log.syslog | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. | object |
-| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
-| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword |
-| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
-| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
-| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. 
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | | netflow.absolute_error | | double | | netflow.address_pool_high_threshold | | long | diff --git a/packages/network_traffic/docs/README.md b/packages/network_traffic/docs/README.md index 947d820e0ca..3d7903d80be 100644 --- a/packages/network_traffic/docs/README.md +++ b/packages/network_traffic/docs/README.md 
@@ -928,11 +928,6 @@ Fields published for DNS packets.
 | dns.additionals.type | The type of data contained in this resource record. | keyword |
 | dns.additionals_count | The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. | long |
 | dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
 | dns.answers_count | The number of resource records contained in the `dns.answers` field. | long |
 | dns.authorities | An array containing a dictionary for each authority section from the answer. | object |
 | dns.authorities.class | The class of DNS data contained in this resource record. | keyword |
diff --git a/packages/windows/docs/README.md b/packages/windows/docs/README.md
index 2f9e3154f82..62ef8db33be 100644
--- a/packages/windows/docs/README.md
+++ b/packages/windows/docs/README.md
@@ -983,11 +983,6 @@ An example event for `sysmon_operational` looks as following:
 | destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | destination.port | Port of the destination. | long |
 | dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
 | dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword |
 | dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
 | dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword |
diff --git a/packages/zeek/docs/README.md b/packages/zeek/docs/README.md
index 2d9054112e0..ca8bcd4148e 100644
--- a/packages/zeek/docs/README.md
+++ b/packages/zeek/docs/README.md
@@ -529,11 +529,6 @@ activity.
 | destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | destination.port | Port of the destination. | long |
 | dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
-| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
-| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
-| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
-| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
-| dns.answers.type | The type of data contained in this resource record. | keyword |
 | dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword |
 | dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
 | dns.question.class | The class of records being queried. | keyword |
From 166a71091bb4fcbfce766de2b566a7e4adc4d915 Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Wed, 11 May 2022 16:15:17 +0200 Subject: [PATCH 15/28] Cassandra --- .../cassandra/data_stream/metrics/fields/fields.yml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/packages/cassandra/data_stream/metrics/fields/fields.yml b/packages/cassandra/data_stream/metrics/fields/fields.yml index 9deb596f458..5058d2ab128 100644 --- a/packages/cassandra/data_stream/metrics/fields/fields.yml +++ b/packages/cassandra/data_stream/metrics/fields/fields.yml @@ -283,16 +283,6 @@ type: long - name: active type: long - - name: request_response_stage - type: group - fields: - - name: request - type: group - fields: - - name: pending - type: long - - name: active - type: long - name: read_stage type: group fields: From 89b4298f4079efee8d3ea5d390c78858603ec554 Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Wed, 11 May 2022 16:26:29 +0200 Subject: [PATCH 16/28] More duplicated fields --- .../data_stream/log/fields/fields.yml | 2 - .../fields/beat-fields.yml | 78 ------------------- .../data_stream/events/fields/fields.yml | 4 - .../sophos/data_stream/xg/fields/fields.yml | 4 - 4 files changed, 88 deletions(-) diff --git a/packages/cisco_ise/data_stream/log/fields/fields.yml b/packages/cisco_ise/data_stream/log/fields/fields.yml index 2426988f9f0..69f920b6ea1 100644 --- a/packages/cisco_ise/data_stream/log/fields/fields.yml +++ b/packages/cisco_ise/data_stream/log/fields/fields.yml @@ -726,8 +726,6 @@ fields: - name: version type: keyword - - name: state - type: text - name: static type: group fields: diff --git a/packages/elastic_agent/data_stream/elastic_agent_metrics/fields/beat-fields.yml b/packages/elastic_agent/data_stream/elastic_agent_metrics/fields/beat-fields.yml index 0c063d19aee..b33ee877b00 100644 --- a/packages/elastic_agent/data_stream/elastic_agent_metrics/fields/beat-fields.yml 
+++ b/packages/elastic_agent/data_stream/elastic_agent_metrics/fields/beat-fields.yml @@ -1,81 +1,3 @@ - name: beat.type descripion: Beat type. type: keyword -- name: beat.stats - description: Beat stats - type: group - fields: - - name: libbeat - type: group - description: > - Fields common to all Beats - - fields: - - name: output - type: group - description: > - Output stats - - fields: - - name: events - type: group - description: > - Event counters - - fields: - - name: acked - type: long - description: > - Number of events acknowledged - - - name: active - type: long - description: > - Number of active events - - - name: batches - type: long - description: > - Number of event batches - - - name: dropped - type: long - description: > - Number of events dropped - - - name: duplicates - type: long - description: > - Number of events duplicated - - - name: failed - type: long - description: > - Number of events failed - - - name: toomany - type: long - description: > - Number of too many events - - - name: total - type: long - description: > - Total number of events - - - name: write - type: group - description: > - Write stats - - fields: - - name: bytes - type: long - description: > - Number of bytes written - - - name: errors - type: long - description: > - Number of write errors - diff --git a/packages/netskope/data_stream/events/fields/fields.yml b/packages/netskope/data_stream/events/fields/fields.yml index e5521ff3c57..89cb9dbdd10 100644 --- a/packages/netskope/data_stream/events/fields/fields.yml +++ b/packages/netskope/data_stream/events/fields/fields.yml @@ -1132,10 +1132,6 @@ type: keyword description: | N/A - - name: url - type: flattened - description: | - URL of the application that the user visited as provided by the log or data plane traffic. - name: url_to_activity type: keyword description: | diff --git a/packages/sophos/data_stream/xg/fields/fields.yml b/packages/sophos/data_stream/xg/fields/fields.yml index 6dd56deeab8..c6f6e8c41dd 100644 
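Review bot: The retained context line `descripion: Beat type.` for `beat.type` misspells the `description` key, so the only field left in beat-fields.yml after this hunk carries no usable description; a strict fields-schema validator may reject the unknown key and a lenient one will silently ignore it. The line is unchanged by this commit, but since the hunk rewrites the rest of the file down to these three lines it is the natural place to fix it: `description: Beat type.`. If the removed `beat.stats.*` group now lives in another fields file of the package, a one-line `# beat.stats fields are defined in <path>` comment at the top would help the next reader understand why this file is nearly empty.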
--- a/packages/sophos/data_stream/xg/fields/fields.yml +++ b/packages/sophos/data_stream/xg/fields/fields.yml @@ -680,10 +680,6 @@ type: keyword description: | Email subject - - name: syslog_server_name - type: keyword - description: | - Syslog server name - name: syslog_server_name type: keyword description: | From d254c061ebb37948837f00362e7824995c0d2e2a Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Wed, 11 May 2022 16:28:18 +0200 Subject: [PATCH 17/28] Build readmes --- packages/netskope/docs/README.md | 2 +- packages/sophos/docs/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/netskope/docs/README.md b/packages/netskope/docs/README.md index 8d8c674b950..2525c880149 100644 --- a/packages/netskope/docs/README.md +++ b/packages/netskope/docs/README.md @@ -2793,7 +2793,7 @@ An example event for `alerts` looks as following: | netskope.events.two_factor_auth | N/A | keyword | | netskope.events.type | Shows if it is an application event or a connection event. Application events are recorded to track user events inside a cloud app. Connection events shows the actual HTTP connection. | keyword | | netskope.events.universal_connector | N/A | keyword | -| netskope.events.url | URL of the application that the user visited as provided by the log or data plane traffic. | flattened | +| netskope.events.url | URL of the application that the user visited as provided by the log or data plane traffic | flattened | | netskope.events.url_to_activity | Populated if the activity from the URL matches certain activities. This field applies to Risk Insights only. | keyword | | netskope.events.user.category | Type of user in an enterprise - external / internal. | keyword | | netskope.events.user.generated | Tells whether it is user generated page event. | boolean | diff --git a/packages/sophos/docs/README.md b/packages/sophos/docs/README.md index 12c3c24d2a4..f78b90d28ee 100644 --- a/packages/sophos/docs/README.md 
+++ b/packages/sophos/docs/README.md @@ -1236,7 +1236,7 @@ An example event for `xg` looks as following: | sophos.xg.status | Ultimate status of traffic – Allowed or Denied | keyword | | sophos.xg.status_code | Status code | keyword | | sophos.xg.subject | Email subject | keyword | -| sophos.xg.syslog_server_name | Syslog server name | keyword | +| sophos.xg.syslog_server_name | Syslog server name. | keyword | | sophos.xg.system_cpu | system | float | | sophos.xg.target | Platform of the traffic. | keyword | | sophos.xg.temp | Temp | float | From cc1aa5de977526a9a19eb011869b1ddf0f1066c4 Mon Sep 17 00:00:00 2001 
From: Jaime Soriano Pastor Date: Wed, 11 May 2022 17:48:40 +0200 Subject: [PATCH 18/28] Revert some removals --- .../data_stream/metrics/fields/fields.yml | 44 + packages/hashicorp_vault/docs/README.md | 15 + .../juniper/data_stream/srx/fields/ecs.yml | 50 +- packages/juniper/docs/README.md | 48 + .../data_stream/log/fields/ecs.yml | 48 + packages/juniper_srx/docs/README.md | 24 + .../data_stream/container/fields/fields.yml | 207 +++ .../controllermanager/fields/fields.yml | 159 ++ .../data_stream/event/fields/fields.yml | 108 ++ .../data_stream/node/fields/fields.yml | 198 +++ .../data_stream/pod/fields/fields.yml | 144 ++ .../data_stream/scheduler/fields/fields.yml | 163 ++ .../state_container/fields/fields.yml | 66 + .../state_cronjob/fields/fields.yml | 42 + .../state_daemonset/fields/fields.yml | 31 + .../state_deployment/fields/fields.yml | 30 + .../data_stream/state_job/fields/fields.yml | 76 + .../data_stream/state_node/fields/fields.yml | 69 + .../state_persistentvolume/fields/fields.yml | 18 + .../fields/fields.yml | 24 + .../data_stream/state_pod/fields/fields.yml | 26 + .../state_replicaset/fields/fields.yml | 31 + .../state_resourcequota/fields/fields.yml | 24 + .../state_service/fields/fields.yml | 31 + .../state_statefulset/fields/fields.yml | 40 + .../state_storageclass/fields/fields.yml | 19 + .../data_stream/system/fields/fields.yml | 74 + .../data_stream/volume/fields/fields.yml | 73 + packages/kubernetes/docs/events.md | 128 +- .../docs/kube-controller-manager.md | 142 +- packages/kubernetes/docs/kube-scheduler.md | 144 +- .../kubernetes/docs/kube-state-metrics.md | 1404 +++++++++-------- packages/kubernetes/docs/kubelet.md | 543 ++++--- .../panw/data_stream/panos/fields/fields.yml | 22 + packages/panw/docs/README.md | 11 + 35 files changed, 3226 insertions(+), 1050 deletions(-) create mode 100644 packages/kubernetes/data_stream/container/fields/fields.yml create mode 100644 packages/kubernetes/data_stream/controllermanager/fields/fields.yml 
create mode 100644 packages/kubernetes/data_stream/event/fields/fields.yml create mode 100644 packages/kubernetes/data_stream/node/fields/fields.yml create mode 100644 packages/kubernetes/data_stream/pod/fields/fields.yml create mode 100644 packages/kubernetes/data_stream/scheduler/fields/fields.yml create mode 100644 packages/kubernetes/data_stream/state_container/fields/fields.yml create mode 100644 packages/kubernetes/data_stream/state_cronjob/fields/fields.yml create mode 100644 packages/kubernetes/data_stream/state_daemonset/fields/fields.yml create mode 100644 packages/kubernetes/data_stream/state_deployment/fields/fields.yml create mode 100644 packages/kubernetes/data_stream/state_job/fields/fields.yml create mode 100644 packages/kubernetes/data_stream/state_node/fields/fields.yml create mode 100644 packages/kubernetes/data_stream/state_persistentvolume/fields/fields.yml create mode 100644 packages/kubernetes/data_stream/state_persistentvolumeclaim/fields/fields.yml create mode 100644 packages/kubernetes/data_stream/state_pod/fields/fields.yml create mode 100644 packages/kubernetes/data_stream/state_replicaset/fields/fields.yml create mode 100644 packages/kubernetes/data_stream/state_resourcequota/fields/fields.yml create mode 100644 packages/kubernetes/data_stream/state_service/fields/fields.yml create mode 100644 packages/kubernetes/data_stream/state_statefulset/fields/fields.yml create mode 100644 packages/kubernetes/data_stream/state_storageclass/fields/fields.yml create mode 100644 packages/kubernetes/data_stream/system/fields/fields.yml create mode 100644 packages/kubernetes/data_stream/volume/fields/fields.yml diff --git a/packages/hashicorp_vault/data_stream/metrics/fields/fields.yml b/packages/hashicorp_vault/data_stream/metrics/fields/fields.yml index 43fa8baada8..460dfe67663 100644 --- a/packages/hashicorp_vault/data_stream/metrics/fields/fields.yml +++ b/packages/hashicorp_vault/data_stream/metrics/fields/fields.yml 
@@ -1,3 +1,47 @@
 - name: hashicorp_vault.metrics.*.*
 dynamic: true
 description: Hashicorp Vault telemetry data from the Prometheus endpoint.
+- name: labels
+ type: group
+ fields:
+ - name: auth_method
+ type: keyword
+ description: Authorization engine type.
+ - name: cluster
+ type: keyword
+ description: >
+ The cluster name from which the metric originated; set in the configuration file, or automatically generated when a cluster is created.
+
+ - name: creation_ttl
+ type: keyword
+ description: >
+ Time-to-live value assigned to a token or lease at creation. This value is rounded up to the next-highest bucket; the available buckets are 1m, 10m, 20m, 1h, 2h, 1d, 2d, 7d, and 30d. Any longer TTL is assigned the value +Inf.
+
+ - name: host
+ type: keyword
+ - name: instance
+ type: keyword
+ - name: job
+ type: keyword
+ - name: local
+ type: keyword
+ - name: mount_point
+ type: keyword
+ description: Path at which an auth method or secret engine is mounted.
+ - name: namespace
+ type: keyword
+ description: A namespace path, or root for the root namespace
+ - name: quantile
+ type: keyword
+ - name: queue_id
+ type: keyword
+ - name: term
+ type: keyword
+ - name: token_type
+ type: keyword
+ description: Identifies whether the token is a batch token or a service token.
+ example: service
+ - name: type
+ type: keyword
+ - name: version
+ type: keyword
diff --git a/packages/hashicorp_vault/docs/README.md b/packages/hashicorp_vault/docs/README.md
index e3d237b6223..5ae63ff5af4 100644
--- a/packages/hashicorp_vault/docs/README.md
+++ b/packages/hashicorp_vault/docs/README.md
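Review bot: Nine of the restored `labels` sub-fields (`host`, `instance`, `job`, `local`, `quantile`, `queue_id`, `term`, `type`, `version`) are added without a `description`, which is why the README hunk that follows has empty description cells for them; a one-line description per label, stating which Vault telemetry label it carries, would make the group usable without consulting Vault's docs. The `cluster` and `creation_ttl` descriptions use `description: >`, whose clip chomping keeps a trailing newline (the blank line that follows each is absorbed into the scalar), while every other description in the group is a plain scalar; `description: >-` on both gives consistent values. The `namespace` description is also the only one without a terminating period.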
@@ -438,5 +438,20 @@ telemetry {
 | event.module | Event module | constant_keyword |
 | hashicorp_vault.metrics.\*.\* | Hashicorp Vault telemetry data from the Prometheus endpoint. | |
 | labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object |
+| labels.auth_method | Authorization engine type. | keyword |
+| labels.cluster | The cluster name from which the metric originated; set in the configuration file, or automatically generated when a cluster is created. | keyword |
+| labels.creation_ttl | Time-to-live value assigned to a token or lease at creation. This value is rounded up to the next-highest bucket; the available buckets are 1m, 10m, 20m, 1h, 2h, 1d, 2d, 7d, and 30d. Any longer TTL is assigned the value +Inf. | keyword |
+| labels.host | | keyword |
+| labels.instance | | keyword |
+| labels.job | | keyword |
+| labels.local | | keyword |
+| labels.mount_point | Path at which an auth method or secret engine is mounted. | keyword |
+| labels.namespace | A namespace path, or root for the root namespace | keyword |
+| labels.quantile | | keyword |
+| labels.queue_id | | keyword |
+| labels.term | | keyword |
+| labels.token_type | Identifies whether the token is a batch token or a service token. | keyword |
+| labels.type | | keyword |
+| labels.version | | keyword |
 | service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
diff --git a/packages/juniper/data_stream/srx/fields/ecs.yml b/packages/juniper/data_stream/srx/fields/ecs.yml
index 2be8bd4a869..5d0de23e023 100644
--- a/packages/juniper/data_stream/srx/fields/ecs.yml
+++ b/packages/juniper/data_stream/srx/fields/ecs.yml
@@ -224,6 +224,16 @@
 name: dll.pe.product
 - external: ecs
 name: dns.answers
+- external: ecs
+ name: dns.answers.class
+- external: ecs
+ name: dns.answers.data
+- external: ecs
+ name: dns.answers.name
+- external: ecs
+ name: dns.answers.ttl
+- external: ecs
+ name: dns.answers.type
 - external: ecs
 name: dns.header_flags
 - external: ecs
@@ -532,8 +542,6 @@
 name: interface.id
 - external: ecs
 name: interface.name
-- external: ecs
- name: labels
 - external: ecs
 name: log.file.path
 - external: ecs
@@ -542,6 +550,16 @@
 name: log.logger
 - external: ecs
 name: log.syslog
+- external: ecs
+ name: log.syslog.facility.code
+- external: ecs
+ name: log.syslog.facility.name
+- external: ecs
+ name: log.syslog.priority
+- external: ecs
+ name: log.syslog.severity.code
+- external: ecs
+ name: log.syslog.severity.name
 - external: ecs
 name: message
 - external: ecs
@@ -558,6 +576,10 @@
 name: network.iana_number
 - external: ecs
 name: network.inner
+- external: ecs
+ name: network.inner.vlan.id
+- external: ecs
+ name: network.inner.vlan.name
 - external: ecs
 name: network.name
 - external: ecs
@@ -574,6 +596,18 @@
 name: network.vlan.name
 - external: ecs
 name: observer.egress
+- external: ecs
+ name: observer.egress.interface.alias
+- external: ecs
+ name: observer.egress.interface.id
+- external: ecs
+ name: observer.egress.interface.name
+- external: ecs
+ name: observer.egress.vlan.id
+- external: ecs
+ name: observer.egress.vlan.name
+- external: ecs
+ name: observer.egress.zone
 - external: ecs
 name: observer.geo.city_name
 - external: ecs
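Review bot: The `@@ -532,8 +542,6 @@` hunk removes the `labels` ECS reference from packages/juniper/data_stream/srx/fields/ecs.yml, while packages/juniper_srx/data_stream/log/fields/ecs.yml, which starts from the same pre-image blob 2be8bd4a869 and receives otherwise identical hunks further down, keeps it, so two data streams that began identical end up declaring different field sets. If the removal is deduplication against a `labels` definition in another fields file of that data stream, the same presumably applies to juniper_srx and the commit message, which only says "Revert some removals", should state it; if not, a removal inside a revert commit looks unintended. Confirming that `labels` is still defined for juniper/srx after this change would settle it.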
@@ -596,6 +630,18 @@
 name: observer.hostname
 - external: ecs
 name: observer.ingress
+- external: ecs
+ name: observer.ingress.interface.alias
+- external: ecs
+ name: observer.ingress.interface.id
+- external: ecs
+ name: observer.ingress.interface.name
+- external: ecs
+ name: observer.ingress.vlan.id
+- external: ecs
+ name: observer.ingress.vlan.name
+- external: ecs
+ name: observer.ingress.zone
 - external: ecs
 name: observer.ip
 - external: ecs
diff --git a/packages/juniper/docs/README.md b/packages/juniper/docs/README.md
index c28413de56b..ab2082048e0 100644
--- a/packages/juniper/docs/README.md
+++ b/packages/juniper/docs/README.md
@@ -169,6 +169,11 @@ The following processes and tags are supported:
 | dll.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
 | dll.pe.product | Internal product name of the file, provided at compile-time. | keyword |
 | dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
+| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
+| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
+| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
 | dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword |
 | dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
 | dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword |
@@ -438,6 +443,11 @@ The following processes and tags are supported:
 | log.offset | Byte offset of the log line within its file. | long |
 | log.source.address | Source address of the syslog message. | keyword |
 | log.syslog | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. | object |
+| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
+| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword |
+| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
+| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
+| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.
| match_only_text |
 | network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
 | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
@@ -446,6 +456,8 @@ The following processes and tags are supported:
 | network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
 | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
 | network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
+| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
+| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
 | network.name | Name given by operators to sections of their network. | keyword |
 | network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
 | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
@@ -454,6 +466,12 @@ The following processes and tags are supported:
 | network.vlan.id | VLAN ID as reported by the observer. | keyword |
 | network.vlan.name | Optional VLAN name as reported by the observer. | keyword |
 | observer.egress | Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object |
+| observer.egress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword |
+| observer.egress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword |
+| observer.egress.interface.name | Interface name as reported by the system. | keyword |
+| observer.egress.vlan.id | VLAN ID as reported by the observer. | keyword |
+| observer.egress.vlan.name | Optional VLAN name as reported by the observer. | keyword |
+| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword |
 | observer.geo.city_name | City name. | keyword |
 | observer.geo.continent_name | Name of the continent. | keyword |
 | observer.geo.country_iso_code | Country ISO code. | keyword |
@@ -464,6 +482,12 @@ The following processes and tags are supported:
 | observer.geo.region_name | Region name. | keyword |
 | observer.hostname | Hostname of the observer. | keyword |
 | observer.ingress | Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object |
+| observer.ingress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword |
+| observer.ingress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword |
+| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
+| observer.ingress.vlan.id | VLAN ID as reported by the observer. | keyword |
+| observer.ingress.vlan.name | Optional VLAN name as reported by the observer. | keyword |
+| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
 | observer.ip | IP addresses of the observer. | ip |
 | observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
@@ -980,6 +1004,11 @@ The `junos` dataset collects Juniper JUNOS logs.
 | dll.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
 | dll.pe.product | Internal product name of the file, provided at compile-time. | keyword |
 | dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
+| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
+| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
+| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
 | dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword |
 | dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
 | dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword |
@@ -1249,6 +1278,11 @@ The `junos` dataset collects Juniper JUNOS logs.
 | log.offset | Byte offset of the log line within its file. | long |
 | log.source.address | Source address of the syslog message. | keyword |
 | log.syslog | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. | object |
+| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
+| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword |
+| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
+| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
+| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.
| match_only_text |
 | network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
 | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
@@ -1257,6 +1291,8 @@ The `junos` dataset collects Juniper JUNOS logs.
 | network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
 | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
 | network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
+| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
+| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
 | network.name | Name given by operators to sections of their network. | keyword |
 | network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
 | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
@@ -1265,6 +1301,12 @@ The `junos` dataset collects Juniper JUNOS logs.
 | network.vlan.id | VLAN ID as reported by the observer. | keyword |
 | network.vlan.name | Optional VLAN name as reported by the observer. | keyword |
 | observer.egress | Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object |
+| observer.egress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword |
+| observer.egress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword |
+| observer.egress.interface.name | Interface name as reported by the system. | keyword |
+| observer.egress.vlan.id | VLAN ID as reported by the observer. | keyword |
+| observer.egress.vlan.name | Optional VLAN name as reported by the observer. | keyword |
+| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword |
 | observer.geo.city_name | City name. | keyword |
 | observer.geo.continent_name | Name of the continent. | keyword |
 | observer.geo.country_iso_code | Country ISO code. | keyword |
@@ -1275,6 +1317,12 @@ The `junos` dataset collects Juniper JUNOS logs.
 | observer.geo.region_name | Region name. | keyword |
 | observer.hostname | Hostname of the observer. | keyword |
 | observer.ingress | Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object |
+| observer.ingress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword |
+| observer.ingress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword |
+| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
+| observer.ingress.vlan.id | VLAN ID as reported by the observer. | keyword |
+| observer.ingress.vlan.name | Optional VLAN name as reported by the observer. | keyword |
+| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
 | observer.ip | IP addresses of the observer. | ip |
 | observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
diff --git a/packages/juniper_srx/data_stream/log/fields/ecs.yml b/packages/juniper_srx/data_stream/log/fields/ecs.yml
index 2be8bd4a869..5708c81eb0c 100644
--- a/packages/juniper_srx/data_stream/log/fields/ecs.yml
+++ b/packages/juniper_srx/data_stream/log/fields/ecs.yml
@@ -224,6 +224,16 @@
 name: dll.pe.product
 - external: ecs
 name: dns.answers
+- external: ecs
+ name: dns.answers.class
+- external: ecs
+ name: dns.answers.data
+- external: ecs
+ name: dns.answers.name
+- external: ecs
+ name: dns.answers.ttl
+- external: ecs
+ name: dns.answers.type
 - external: ecs
 name: dns.header_flags
 - external: ecs
@@ -542,6 +552,16 @@
 name: log.logger
 - external: ecs
 name: log.syslog
+- external: ecs
+ name: log.syslog.facility.code
+- external: ecs
+ name: log.syslog.facility.name
+- external: ecs
+ name: log.syslog.priority
+- external: ecs
+ name: log.syslog.severity.code
+- external: ecs
+ name: log.syslog.severity.name
 - external: ecs
 name: message
 - external: ecs
@@ -558,6 +578,10 @@
 name: network.iana_number
 - external: ecs
 name: network.inner
+- external: ecs
+ name: network.inner.vlan.id
+- external: ecs
+ name: network.inner.vlan.name
 - external: ecs
 name: network.name
 - external: ecs
@@ -574,6 +598,18 @@
 name: network.vlan.name
 - external: ecs
 name: observer.egress
+- external: ecs
+ name: observer.egress.interface.alias
+- external: ecs
+ name: observer.egress.interface.id
+- external: ecs
+ name: observer.egress.interface.name
+- external: ecs
+ name: observer.egress.vlan.id
+- external: ecs
+ name: observer.egress.vlan.name
+- external: ecs
+ name: observer.egress.zone
 - external: ecs
 name: observer.geo.city_name
 - external: ecs
@@ -596,6 +632,18 @@
 name: observer.hostname
 - external: ecs
 name: observer.ingress
+- external: ecs
+ name: observer.ingress.interface.alias
+- external: ecs
+ name: observer.ingress.interface.id
+- external: ecs
+ name: observer.ingress.interface.name
+- external: ecs
+ name: observer.ingress.vlan.id
+- external: ecs
+ name: observer.ingress.vlan.name
+- external: ecs
+ name: observer.ingress.zone
 - external: ecs
 name: observer.ip
 - external: ecs
diff --git a/packages/juniper_srx/docs/README.md b/packages/juniper_srx/docs/README.md
index fb29d040933..685b9788488 100644
--- a/packages/juniper_srx/docs/README.md
+++ b/packages/juniper_srx/docs/README.md
@@ -165,6 +165,11 @@ The following processes and tags are supported:
 | dll.pe.original_file_name | Internal name of the file, provided at compile-time. | keyword |
 | dll.pe.product | Internal product name of the file, provided at compile-time. | keyword |
 | dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
+| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
+| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
+| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
 | dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword |
 | dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
 | dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword |
@@ -434,6 +439,11 @@ The following processes and tags are supported:
 | log.offset | Byte offset of the log line within its file. | long |
 | log.source.address | Source address of the syslog message. | keyword |
 | log.syslog | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. | object |
+| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
+| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword |
+| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
+| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
+| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.
| match_only_text |
 | network.application | When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application's or service's name. For example, the original event identifies the network connection being from a specific web service in a `https` network connection, like `facebook` or `twitter`. The field value must be normalized to lowercase for querying. | keyword |
 | network.bytes | Total bytes transferred in both directions. If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. | long |
@@ -442,6 +452,8 @@ The following processes and tags are supported:
 | network.forwarded_ip | Host IP address when the source IP address is the proxy. | ip |
 | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
 | network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
+| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
+| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
 | network.name | Name given by operators to sections of their network. | keyword |
 | network.packets | Total packets transferred in both directions. If `source.packets` and `destination.packets` are known, `network.packets` is their sum. | long |
 | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
@@ -450,6 +462,12 @@ The following processes and tags are supported:
 | network.vlan.id | VLAN ID as reported by the observer. | keyword |
 | network.vlan.name | Optional VLAN name as reported by the observer. | keyword |
 | observer.egress | Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object |
+| observer.egress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword |
+| observer.egress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword |
+| observer.egress.interface.name | Interface name as reported by the system. | keyword |
+| observer.egress.vlan.id | VLAN ID as reported by the observer. | keyword |
+| observer.egress.vlan.name | Optional VLAN name as reported by the observer. | keyword |
+| observer.egress.zone | Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc. | keyword |
 | observer.geo.city_name | City name. | keyword |
 | observer.geo.continent_name | Name of the continent. | keyword |
 | observer.geo.country_iso_code | Country ISO code. | keyword |
@@ -460,6 +478,12 @@ The following processes and tags are supported:
 | observer.geo.region_name | Region name. | keyword |
 | observer.hostname | Hostname of the observer. | keyword |
 | observer.ingress | Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic. | object |
+| observer.ingress.interface.alias | Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming. | keyword |
+| observer.ingress.interface.id | Interface ID as reported by an observer (typically SNMP interface ID). | keyword |
+| observer.ingress.interface.name | Interface name as reported by the system. | keyword |
+| observer.ingress.vlan.id | VLAN ID as reported by the observer. | keyword |
+| observer.ingress.vlan.name | Optional VLAN name as reported by the observer. | keyword |
+| observer.ingress.zone | Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic. e.g. internal, External, DMZ, HR, Legal, etc. | keyword |
 | observer.ip | IP addresses of the observer. | ip |
 | observer.mac | MAC addresses of the observer. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
 | observer.name | Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty. | keyword |
diff --git a/packages/kubernetes/data_stream/container/fields/fields.yml b/packages/kubernetes/data_stream/container/fields/fields.yml
new file mode 100644
index 00000000000..41e238e000e
--- /dev/null
+++ b/packages/kubernetes/data_stream/container/fields/fields.yml
@@ -0,0 +1,207 @@
+- name: kubernetes.container
+ type: group
+ fields:
+ - name: start_time
+ type: date
+ description: |
+ Start time
+ - name: cpu
+ type: group
+ fields:
+ - name: usage
+ type: group
+ fields:
+ - name: core
+ type: group
+ fields:
+ - name: ns
+ type: long
+ metric_type: gauge
+ description: |
+ Container CPU Core usage nanoseconds
+ - name: nanocores
+ type: long
+ metric_type: gauge
+ description: |
+ CPU used nanocores
+ - name: node.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ CPU usage as a percentage of the total node allocatable CPU
+ - name: limit.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ CPU usage as a percentage of the defined limit for the container (or total node allocatable CPU if unlimited)
+ - name: logs
+ type: group
+ fields:
+ - name: available
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Logs available capacity in bytes
+ - name: capacity
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Logs total capacity in bytes
+ - name: used
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Logs used capacity in bytes
+ - name: inodes
+ type: group
+ fields:
+ - name: count
+ type: long
+ metric_type: gauge
+ description: |
+ Total available inodes
+ - name: free
+ type: long
+ metric_type: gauge
+ description: |
+ Total free inodes
+ - name: used
+ type: long
+ metric_type: gauge
+ description: |
+ Total used inodes
+ - name: memory
+ type: group
+ fields:
+ - name: available
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Total available memory
+ - name: usage
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Total memory usage
+ - name: node.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ Memory usage as a percentage of the total node allocatable memory
+ - name: limit.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ Memory usage as a percentage of the defined limit for the container (or total node allocatable memory if unlimited)
+ - name: rss
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ RSS memory usage
+ - name: workingset
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Working set memory usage
+ - name: limit.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: >
+ Working set memory usage as a percentage of the defined limit for the container (or total node allocatable memory if unlimited)
+
+ - name: pagefaults
+ type: long
+ metric_type: counter
+ description: |
+ Number of page faults
+ - name: majorpagefaults
+ type: long
+ metric_type: counter
+ description: |
+ Number of major page faults
+ - name: rootfs
+ type: group
+ fields:
+ - name: capacity
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Root filesystem total capacity in bytes
+ - name: available
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Root filesystem total available in bytes
+ - name: used
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Root filesystem total used in bytes
+ - name: inodes
+ type: group
+ fields:
+ - name: used
+ type: long
+ metric_type: gauge
+ description: |
+ Used inodes
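Review bot: The `memory.workingset.limit.pct` description is the only one in this hunk written as a folded scalar (`description: >`) and it is followed by an empty added line, so the rendered description carries a trailing newline and the style differs from the `|` literal used by every sibling. I would write it as `description: |` and drop the empty line to match the rest of the file. The pod hunk has the same folded-plus-blank pattern on `memory.working_set.limit.pct`.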
diff --git a/packages/kubernetes/data_stream/controllermanager/fields/fields.yml b/packages/kubernetes/data_stream/controllermanager/fields/fields.yml
new file mode 100644
index 00000000000..1ef76f93e8b
--- /dev/null
+++ b/packages/kubernetes/data_stream/controllermanager/fields/fields.yml
@@ -0,0 +1,159 @@
+- name: kubernetes.controllermanager
+ type: group
+ fields:
+ - name: handler
+ dimension: true
+ type: keyword
+ description: |
+ Request handler
+ - name: code
+ dimension: true
+ type: keyword
+ description: |
+ HTTP code
+ - name: method
+ dimension: true
+ type: keyword
+ description: |
+ HTTP method
+ - name: host
+ dimension: true
+ type: keyword
+ description: |
+ Request host
+ - name: name
+ dimension: true
+ type: keyword
+ description: |
+ Name for the resource
+ - name: zone
+ dimension: true
+ type: keyword
+ description: |
+ Infrastructure zone
+ - name: process
+ type: group
+ fields:
+ - name: cpu.sec
+ type: double
+ metric_type: counter
+ description: CPU seconds
+ - name: memory.resident.bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: Bytes in resident memory
+ - name: memory.virtual.bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: Bytes in virtual memory
+ - name: fds.open.count
+ type: long
+ metric_type: gauge
+ description: Number of open file descriptors
+ - name: started.sec
+ type: double
+ metric_type: gauge
+ description: Seconds since the process started
+ - name: http
+ type: group
+ fields:
+ - name: request.duration.us.percentile.*
+ type: object
+ description: Request duration microseconds percentiles
+ - name: request.duration.us.sum
+ type: double
+ unit: micros
+ metric_type: counter
+ description: Request duration microseconds cumulative sum
+ - name: request.duration.us.count
+ type: long
+ unit: micros
+ metric_type: counter
+ description: Request count for duration
+ - name: request.size.bytes.percentile.*
+ type: object
+ description: Request size percentiles
+ - name: request.size.bytes.sum
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: counter
+ description: Request size cumulative sum
+ - name: request.size.bytes.count
+ type: long
+ unit: byte
+ metric_type: counter
+ description: Request count for size
+ - name: response.size.bytes.percentile.*
+ type: object
+ description: Response size percentiles
+ - name: response.size.bytes.sum
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: counter
+ description: Response size cumulative sum
+ - name: response.size.bytes.count
+ type: long
+ unit: byte
+ metric_type: counter
+ description: Response count
+ - name: request.count
+ type: long
+ metric_type: counter
+ description: Request count for response
+ - name: client.request.count
+ type: long
+ metric_type: counter
+ description: |
+ Number of requests as client
+ - name: workqueue
+ type: group
+ fields:
+ - name: longestrunning.sec
+ type: double
+ metric_type: gauge
+ description: Longest running processors
+ - name: unfinished.sec
+ type: double
+ metric_type: gauge
+ description: Unfinished processors
+ - name: adds.count
+ type: long
+ metric_type: counter
+ description: Workqueue add count
+ - name: depth.count
+ type: long
+ metric_type: gauge
+ description: Workqueue depth count
+ - name: retries.count
+ type: long
+ metric_type: counter
+ description: Workqueue number of retries
+ - name: node.collector
+ type: group
+ fields:
+ - name: eviction.count
+ type: long
+ metric_type: counter
+ description: Number of node evictions
+ - name: unhealthy.count
+ type: long
+ metric_type: gauge
+ description: Number of unhealthy nodes
+ - name: count
+ type: long
+ metric_type: gauge
+ description: Number of nodes
+ - name: health.pct
+ type: long
+ metric_type: gauge
+ description: Percentage of healthy nodes
+ - name: leader.is_master
+ type: boolean
+ description: |
+ Whether the node is master
diff --git a/packages/kubernetes/data_stream/event/fields/fields.yml b/packages/kubernetes/data_stream/event/fields/fields.yml
new file mode 100644
index 00000000000..9bcbf000165
--- /dev/null
+++ b/packages/kubernetes/data_stream/event/fields/fields.yml
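Review bot: `request.duration.us.count` is declared with `unit: micros`, and `request.size.bytes.count` / `response.size.bytes.count` with `unit: byte`, but all three count requests or responses rather than measuring microseconds or bytes, so the unit misdescribes the value wherever it is rendered. I would drop the `unit:` line from those three `*.count` entries, as `request.count` already omits it. The scheduler hunk carries the same mismatch on `request.duration.us.count`, `request.size.bytes.count` and `e2e.duration.us.count`. Separately, `node.collector.health.pct` is `type: long` while every other `*.pct` field in this commit is `scaled_float` with `format: percent`; if the source reports a 0-100 integer that may be intentional, but a short comment would save the next reader the question.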
@@ -0,0 +1,108 @@
+- name: kubernetes.event
+ type: group
+ fields:
+ - name: count
+ type: long
+ metric_type: counter
+ description: |
+ Count field records the number of times the particular event has occurred
+ - name: timestamp
+ type: group
+ fields:
+ - name: first_occurrence
+ type: date
+ description: |
+ Timestamp of first occurrence of event
+ - name: last_occurrence
+ type: date
+ description: |
+ Timestamp of last occurrence of event
+ - name: message
+ type: text
+ description: |
+ Message recorded for the given event
+ - name: reason
+ dimension: true
+ type: keyword
+ description: |
+ Reason recorded for the given event
+ - name: type
+ dimension: true
+ type: keyword
+ description: |
+ Type of the given event
+ - name: source
+ type: group
+ fields:
+ - name: component
+ dimension: true
+ type: keyword
+ description: |
+ Component from which the event is generated
+ - name: host
+ dimension: true
+ type: keyword
+ description: |
+ Node name on which the event is generated
+ - name: metadata
+ type: group
+ fields:
+ - name: timestamp
+ type: group
+ fields:
+ - name: created
+ type: date
+ description: |
+ Timestamp of creation of the given event
+ - name: generate_name
+ dimension: true
+ type: keyword
+ description: |
+ Generate name of the event
+ - name: name
+ dimension: true
+ type: keyword
+ description: |
+ Name of the event
+ - name: namespace
+ dimension: true
+ type: keyword
+ description: |
+ Namespace in which event was generated
+ - name: resource_version
+ dimension: true
+ type: keyword
+ description: |
+ Version of the event resource
+ - name: uid
+ type: keyword
+ description: |
+ Unique identifier to the event object
+ - name: self_link
+ type: keyword
+ description: |
+ URL representing the event
+ - name: involved_object
+ type: group
+ fields:
+ - name: api_version
+ type: keyword
+ description: |
+ API version of the object
+ - name: kind
+ type: keyword
+ description: |
+ API kind of the object
+ - name: name
+ type: keyword
+ description: |
+ name of the object
+ - name: resource_version
+ type: keyword
+ description: |
+ resource version of the object
+ - name: uid
+ dimension: true
+ type: keyword
+ description: |
+ uid version of the object
diff --git a/packages/kubernetes/data_stream/node/fields/fields.yml b/packages/kubernetes/data_stream/node/fields/fields.yml
new file mode 100644
index 00000000000..dc46f35f2ab
--- /dev/null
+++ b/packages/kubernetes/data_stream/node/fields/fields.yml
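Review bot: The description of `involved_object.uid` reads `uid version of the object`, which looks copied from the `resource_version` entry above it and does not describe a UID; `UID of the involved object` would be accurate. The two sibling descriptions `name of the object` and `resource version of the object` are the only lowercase-initial ones in the hunk and read better capitalized like the rest. Documentation only, no mapping change.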
@@ -0,0 +1,198 @@
+- name: kubernetes.node
+ type: group
+ fields:
+ - name: start_time
+ type: date
+ description: |
+ Start time
+ - name: cpu
+ type: group
+ fields:
+ - name: usage
+ type: group
+ fields:
+ - name: core
+ type: group
+ fields:
+ - name: ns
+ type: long
+ metric_type: gauge
+ description: |
+ Node CPU Core usage nanoseconds
+ - name: nanocores
+ type: long
+ metric_type: gauge
+ description: |
+ CPU used nanocores
+ - name: memory
+ type: group
+ fields:
+ - name: available
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Total available memory
+ - name: usage
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Total memory usage
+ - name: rss
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ RSS memory usage
+ - name: workingset
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Working set memory usage
+ - name: pagefaults
+ type: long
+ metric_type: counter
+ description: |
+ Number of page faults
+ - name: majorpagefaults
+ type: long
+ metric_type: counter
+ description: |
+ Number of major page faults
+ - name: network
+ type: group
+ fields:
+ - name: rx
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: counter
+ description: |
+ Received bytes
+ - name: errors
+ type: long
+ description: |
+ Rx errors
+ - name: tx
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: counter
+ description: |
+ Transmitted bytes
+ - name: errors
+ type: long
+ metric_type: counter
+ description: |
+ Tx errors
+ - name: fs
+ type: group
+ fields:
+ - name: capacity
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Filesystem total capacity in bytes
+ - name: available
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Filesystem total available in bytes
+ - name: used
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Filesystem total used in bytes
+ - name: inodes
+ type: group
+ fields:
+ - name: used
+ type: long
+ metric_type: gauge
+ description: |
+ Number of used inodes
+ - name: count
+ type: long
+ metric_type: gauge
+ description: |
+ Number of inodes
+ - name: free
+ type: long
+ metric_type: gauge
+ description: |
+ Number of free inodes
+ - name: runtime
+ type: group
+ fields:
+ - name: imagefs
+ type: group
+ fields:
+ - name: capacity
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Image filesystem total capacity in bytes
+ - name: available
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Image filesystem total available in bytes
+ - name: used
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Image filesystem total used in bytes
diff --git a/packages/kubernetes/data_stream/pod/fields/fields.yml b/packages/kubernetes/data_stream/pod/fields/fields.yml
new file mode 100644
index 00000000000..3f18b91dffe
--- /dev/null
+++ b/packages/kubernetes/data_stream/pod/fields/fields.yml
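Review bot: `network.rx.errors` has no `metric_type`, while its mirror `network.tx.errors` in the same hunk is `metric_type: counter`, so one direction of the error-counter pair would be indexed without the time-series metric type. Add `metric_type: counter` under the rx `errors` entry; the pod hunk already declares both directions consistently.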
@@ -0,0 +1,144 @@
+- name: kubernetes.pod
+ type: group
+ fields:
+ - name: start_time
+ type: date
+ description: |
+ Start time
+ - name: network
+ type: group
+ fields:
+ - name: rx
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: counter
+ description: |
+ Received bytes
+ - name: errors
+ type: long
+ metric_type: counter
+ description: |
+ Rx errors
+ - name: tx
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: counter
+ description: |
+ Transmitted bytes
+ - name: errors
+ type: long
+ metric_type: counter
+ description: |
+ Tx errors
+ - name: cpu
+ type: group
+ fields:
+ - name: usage
+ type: group
+ fields:
+ - name: nanocores
+ type: long
+ unit: byte
+ metric_type: gauge
+ description: |
+ CPU used nanocores
+ - name: node.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ CPU usage as a percentage of the total node CPU
+ - name: limit.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ CPU usage as a percentage of the defined limit for the pod containers (or total node CPU if one or more containers of the pod are unlimited)
+ - name: memory
+ type: group
+ fields:
+ - name: usage
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Total memory usage
+ - name: node.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ Memory usage as a percentage of the total node allocatable memory
+ - name: limit.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: |
+ Memory usage as a percentage of the defined limit for the pod containers (or total node allocatable memory if unlimited)
+ - name: available
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: percent
+ metric_type: gauge
+ description: |
+ Total memory available
+ - name: working_set
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: percent
+ metric_type: gauge
+ description: |
+ Total working set memory
+ - name: limit.pct
+ type: scaled_float
+ format: percent
+ unit: percent
+ metric_type: gauge
+ description: >
+ Working set memory usage as a percentage of the defined limit for the pod containers (or total node allocatable memory if unlimited)
+
+ - name: rss
+ type: group
+ fields:
+ - name: bytes
+ type: long
+ format: bytes
+ unit: percent
+ metric_type: gauge
+ description: |
+ Total resident set size memory
+ - name: page_faults
+ type: long
+ metric_type: counter
+ description: |
+ Total page faults
+ - name: major_page_faults
+ type: long
+ metric_type: counter
+ description: |
+ Total major page faults
+ - name: ip
+ type: ip
+ description: Kubernetes pod IP
diff --git a/packages/kubernetes/data_stream/scheduler/fields/fields.yml b/packages/kubernetes/data_stream/scheduler/fields/fields.yml
new file mode 100644
index 00000000000..fa717504afa
--- /dev/null
+++ b/packages/kubernetes/data_stream/scheduler/fields/fields.yml
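Review bot: Three byte-valued memory fields in this hunk declare `unit: percent` right next to `format: bytes` — `memory.available.bytes`, `memory.working_set.bytes` and `memory.rss.bytes` — and `cpu.usage.nanocores` declares `unit: byte`, which contradicts both the field names and the `unit: byte` used for the same metrics in the node and container hunks of this commit. Change the three memory entries to `unit: byte` and drop the `unit:` line from `nanocores` (the node hunk declares it with no unit). Unit metadata is not validated against the value, so the mistake surfaces only as mislabeled numbers in the UI.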
@@ -0,0 +1,163 @@
+- name: kubernetes.scheduler
+ type: group
+ fields:
+ - name: handler
+ dimension: true
+ type: keyword
+ description: |
+ Request handler
+ - name: code
+ dimension: true
+ type: keyword
+ description: |
+ HTTP code
+ - name: method
+ dimension: true
+ type: keyword
+ description: |
+ HTTP method
+ - name: host
+ dimension: true
+ type: keyword
+ description: |
+ Request host
+ - name: name
+ dimension: true
+ type: keyword
+ description: |
+ Name for the resource
+ - name: result
+ dimension: true
+ type: keyword
+ description: |
+ Schedule attempt result
+ - name: operation
+ dimension: true
+ type: keyword
+ description: |
+ Scheduling operation
+ - name: process
+ type: group
+ fields:
+ - name: cpu.sec
+ type: double
+ metric_type: counter
+ description: CPU seconds
+ - name: memory.resident.bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: Bytes in resident memory
+ - name: memory.virtual.bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: Bytes in virtual memory
+ - name: fds.open.count
+ type: long
+ metric_type: gauge
+ description: Number of open file descriptors
+ - name: started.sec
+ type: double
+ metric_type: gauge
+ description: Seconds since the process started
+ - name: http
+ type: group
+ fields:
+ - name: request.duration.us.percentile.*
+ type: object
+ description: Request duration microseconds percentiles
+ - name: request.duration.us.sum
+ type: double
+ metric_type: counter
+ unit: micros
+ description: Request duration microseconds cumulative sum
+ - name: request.duration.us.count
+ type: long
+ metric_type: counter
+ unit: micros
+ description: Request count for duration
+ - name: request.size.bytes.percentile.*
+ type: object
+ description: Request size percentiles
+ - name: request.size.bytes.sum
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: counter
+ description: Request size cumulative sum
+ - name: request.size.bytes.count
+ type: long
+ unit: byte
+ metric_type: counter
+ description: Request count for size
+ - name: response.size.bytes.percentile.*
+ type: object
+ description: Response size percentiles
+ - name: response.size.bytes.sum
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: counter
+ description: Response size cumulative sum
+ - name: response.size.bytes.count
+ type: long
+ metric_type: counter
+ description: Response count
+ - name: request.count
+ type: long
+ metric_type: counter
+ description: Request count
+ - name: client.request.count
+ type: long
+ metric_type: counter
+ description: |
+ Number of requests as client
+ - name: leader.is_master
+ type: boolean
+ description: |
+ Whether the node is master
+ - name: scheduling
+ type: group
+ fields:
+ - name: e2e.duration.us.bucket.*
+ type: object
+ description: End to end scheduling duration microseconds
+ - name: e2e.duration.us.sum
+ type: long
+ unit: micros
+ metric_type: counter
+ description: End to end scheduling duration microseconds sum
+ - name: e2e.duration.us.count
+ type: long
+ unit: micros
+ metric_type: counter
+ description: End to end scheduling count
+ - name: pod.preemption.victims.bucket.*
+ type: long
+ description: Pod preemption victims
+ - name: pod.preemption.victims.sum
+ type: long
+ metric_type: counter
+ description: Pod preemption victims sum
+ - name: pod.preemption.victims.count
+ type: long
+ metric_type: counter
+ description: Pod preemption victims count
+ - name: pod.attempts.count
+ type: long
+ metric_type: counter
+ description: Pod attempts count
+ - name: duration.seconds.percentile.*
+ type: object
+ description: Scheduling duration percentiles
+ - name: duration.seconds.sum
+ type: double
+ metric_type: counter
+ description: Scheduling duration cumulative sum
+ - name: duration.seconds.count
+ type: long
+ metric_type: counter
+ description: Scheduling count
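Review bot: `scheduling.pod.preemption.victims.bucket.*` is declared `type: long`, while every other wildcard field in this hunk (`e2e.duration.us.bucket.*`, `*.percentile.*`) is `type: object`; a wildcard name stands for a set of dynamically named sub-keys, so `type: long` here is presumably a copy-paste slip and `type: object` is the consistent mapping. `e2e.duration.us.sum` is also the only duration `.sum` in the file typed `long` rather than `double`, which is worth checking against the source metric before the mapping is frozen.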
diff --git a/packages/kubernetes/data_stream/state_container/fields/fields.yml b/packages/kubernetes/data_stream/state_container/fields/fields.yml
new file mode 100644
index 00000000000..858f894d188
--- /dev/null
+++ b/packages/kubernetes/data_stream/state_container/fields/fields.yml
@@ -0,0 +1,66 @@
+- name: kubernetes.container
+ type: group
+ fields:
+ - name: id
+ type: keyword
+ description: Container id
+ - name: status
+ type: group
+ fields:
+ - name: phase
+ type: keyword
+ description: |
+ Container phase (running, waiting, terminated)
+ - name: ready
+ type: boolean
+ description: |
+ Container ready status
+ - name: restarts
+ type: integer
+ metric_type: counter
+ description: |
+ Container restarts count
+ - name: reason
+ type: keyword
+ description: |
+ Waiting (ContainerCreating, CrashLoopBackoff, ErrImagePull, ImagePullBackoff) or termination (Completed, ContainerCannotRun, Error, OOMKilled) reason.
+ - name: cpu
+ type: group
+ fields:
+ - name: limit.cores
+ type: float
+ metric_type: gauge
+ description: |
+ Container CPU cores limit
+ - name: request.cores
+ type: float
+ metric_type: gauge
+ description: |
+ Container CPU requested cores
+ - name: limit.nanocores
+ type: long
+ metric_type: gauge
+ description: |
+ Container CPU nanocores limit
+ - name: request.nanocores
+ type: long
+ metric_type: gauge
+ description: |
+ Container CPU requested nanocores
+ - name: memory
+ type: group
+ fields:
+ - name: limit.bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Container memory limit in bytes
+ - name: request.bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Container requested memory in bytes
diff --git a/packages/kubernetes/data_stream/state_cronjob/fields/fields.yml b/packages/kubernetes/data_stream/state_cronjob/fields/fields.yml
new file mode 100644
index 00000000000..acf6803436d
--- /dev/null
+++ b/packages/kubernetes/data_stream/state_cronjob/fields/fields.yml
@@ -0,0 +1,42 @@
+- name: kubernetes.cronjob
+ type: group
+ fields:
+ - name: name
+ dimension: true
+ type: keyword
+ description: Cronjob name
+ - name: schedule
+ dimension: true
+ type: keyword
+ description: Cronjob schedule
+ - name: concurrency
+ dimension: true
+ type: keyword
+ description: Concurrency policy
+ - name: active.count
+ type: long
+ metric_type: gauge
+ description: Number of active pods for the cronjob
+ - name: is_suspended
+ type: boolean
+ description: Whether the cronjob is suspended
+ - name: created.sec
+ type: double
+ unit: s
+ metric_type: gauge
+ description: Epoch seconds since the cronjob was created
+ - name: last_schedule.sec
+ type: double
+ unit: s
+ metric_type: gauge
+ description: Epoch seconds for last cronjob run
+ - name: next_schedule.sec
+ type: double
+ unit: s
+ metric_type: gauge
+ description: Epoch seconds for next cronjob run
+ - name: deadline.sec
+ type: long
+ unit: s
+ metric_type: gauge
+ description: Deadline seconds after schedule for considering failed
diff --git a/packages/kubernetes/data_stream/state_daemonset/fields/fields.yml b/packages/kubernetes/data_stream/state_daemonset/fields/fields.yml
new file mode 100644
index 00000000000..c763091832c
--- /dev/null
+++ b/packages/kubernetes/data_stream/state_daemonset/fields/fields.yml
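Review bot: `created.sec` is described as `Epoch seconds since the cronjob was created`, which reads as an elapsed duration, while the field name and the sibling wording (`Epoch seconds for last cronjob run`) indicate an absolute epoch timestamp; `Epoch seconds at which the cronjob was created` removes the ambiguity. `deadline.sec` is also the only `*.sec` field in the hunk typed `long` rather than `double`, which is fine for a whole-second deadline but deserves a one-line comment so it is not "fixed" later. The resourcequota hunk uses the same `Epoch seconds since ...` wording for its `created.sec`.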
@@ -0,0 +1,31 @@
+- name: kubernetes.daemonset
+ type: group
+ fields:
+ - name: name
+ dimension: true
+ type: keyword
+ - name: replicas
+ type: group
+ description: |
+ Kubernetes DaemonSet replica metrics
+ fields:
+ - name: available
+ type: long
+ metric_type: gauge
+ description: |
+ The number of available replicas per DaemonSet
+ - name: desired
+ type: long
+ metric_type: gauge
+ description: |
+ The desired number of replicas per DaemonSet
+ - name: ready
+ type: long
+ metric_type: gauge
+ description: |
+ The number of ready replicas per DaemonSet
+ - name: unavailable
+ type: long
+ metric_type: gauge
+ description: |
+ The number of unavailable replicas per DaemonSet
diff --git a/packages/kubernetes/data_stream/state_deployment/fields/fields.yml b/packages/kubernetes/data_stream/state_deployment/fields/fields.yml
new file mode 100644
index 00000000000..51b6abb87e7
--- /dev/null
+++ b/packages/kubernetes/data_stream/state_deployment/fields/fields.yml
@@ -0,0 +1,30 @@
+- name: kubernetes.deployment
+ type: group
+ fields:
+ - name: paused
+ type: boolean
+ description: |
+ Kubernetes deployment paused status
+ - name: replicas
+ type: group
+ fields:
+ - name: desired
+ type: integer
+ metric_type: gauge
+ description: |
+ Deployment number of desired replicas (spec)
+ - name: available
+ type: integer
+ metric_type: gauge
+ description: |
+ Deployment available replicas
+ - name: unavailable
+ type: integer
+ metric_type: gauge
+ description: |
+ Deployment unavailable replicas
+ - name: updated
+ type: integer
+ metric_type: gauge
+ description: |
+ Deployment updated replicas
diff --git a/packages/kubernetes/data_stream/state_job/fields/fields.yml b/packages/kubernetes/data_stream/state_job/fields/fields.yml
new file mode 100644
index 00000000000..dd96148faec
--- /dev/null
+++ b/packages/kubernetes/data_stream/state_job/fields/fields.yml
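Review bot: The `name` dimension field at the top of the daemonset hunk has no `description`, unlike every other field in the hunk and unlike the `name` fields of the other `state_*` hunks in this commit; add `description: DaemonSet name` so the field appears documented in the generated field reference. Documentation only.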
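Review bot: The four `replicas.*` gauges in the deployment hunk are declared `type: integer`, while the equivalent replica counts in the daemonset and replicaset hunks of this commit are `type: long`; the split is harmless for indexing but makes cross-stream queries and any later per-package TSDB settings inconsistent. I would change the four to `type: long` unless `integer` is deliberate, in which case a short comment on the group would help.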
@@ -0,0 +1,76 @@
+- name: kubernetes.job
+ type: group
+ fields:
+ - name: name
+ dimension: true
+ type: keyword
+ description: >
+ The name of the job resource
+
+ - name: pods
+ type: group
+ description: >
+ Pod metrics for the job
+
+ fields:
+ - name: active
+ type: long
+ metric_type: gauge
+ description: Number of active pods
+ - name: failed
+ type: long
+ metric_type: gauge
+ description: Number of failed pods
+ - name: succeeded
+ type: long
+ metric_type: gauge
+ description: Number of successful pods
+ - name: time
+ type: group
+ description: Kubernetes job timestamps
+ fields:
+ - name: created
+ type: date
+ description: The time at which the job was created
+ - name: completed
+ type: date
+ description: The time at which the job completed
+ - name: completions
+ type: group
+ description: Kubernetes job completion settings
+ fields:
+ - name: desired
+ type: long
+ metric_type: gauge
+ description: The configured completion count for the job (Spec)
+ - name: parallelism
+ type: group
+ description: Kubernetes job parallelism settings
+ fields:
+ - name: desired
+ type: long
+ metric_type: gauge
+ description: The configured parallelism of the job (Spec)
+ - name: owner
+ type: group
+ description: Kubernetes job owner information
+ fields:
+ - name: name
+ type: keyword
+ description: The name of the resource that owns this job
+ - name: kind
+ type: keyword
+ description: The kind of resource that owns this job (eg. "CronJob")
+ - name: is_controller
+ type: keyword
+ description: Owner is controller ("true", "false", or `""`)
+ - name: status
+ type: group
+ description: Kubernetes job status information
+ fields:
+ - name: complete
+ type: keyword
+ description: Whether the job completed ("true", "false", or "unknown")
+ - name: failed
+ type: keyword
+ description: Whether the job failed ("true", "false", or "unknown")
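Review bot: The `name` and `pods` descriptions are written as folded scalars (`description: >`) each followed by an empty added line, while every other description in the hunk is a plain one-line value; the empty line ends up as a trailing newline in the rendered text and the mixed styles make the file noisier to diff. Plain `description: The name of the job resource` and `description: Pod metrics for the job` would match the siblings. The `keyword` typing of `owner.is_controller`, `status.complete` and `status.failed` with quoted `"true"`/`"false"` values looks deliberate given the third state each description lists, so no change there.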
diff --git a/packages/kubernetes/data_stream/state_node/fields/fields.yml b/packages/kubernetes/data_stream/state_node/fields/fields.yml
new file mode 100644
index 00000000000..c1eb2152441
--- /dev/null
+++ b/packages/kubernetes/data_stream/state_node/fields/fields.yml
@@ -0,0 +1,69 @@
+- name: kubernetes.node
+ type: group
+ fields:
+ - name: status
+ type: group
+ fields:
+ - name: ready
+ type: keyword
+ description: |
+ Node ready status (true, false or unknown)
+ - name: unschedulable
+ type: boolean
+ description: |
+ Node unschedulable status
+ - name: disk_pressure
+ type: keyword
+ description: Node DiskPressure status (true, false or unknown)
+ - name: memory_pressure
+ type: keyword
+ description: Node MemoryPressure status (true, false or unknown)
+ - name: out_of_disk
+ type: keyword
+ description: Node OutOfDisk status (true, false or unknown)
+ - name: pid_pressure
+ type: keyword
+ description: Node PIDPressure status (true, false or unknown)
+ - name: cpu
+ type: group
+ fields:
+ - name: allocatable.cores
+ type: float
+ metric_type: gauge
+ description: |
+ Node CPU allocatable cores
+ - name: capacity.cores
+ type: long
+ metric_type: gauge
+ description: |
+ Node CPU capacity cores
+ - name: memory
+ type: group
+ fields:
+ - name: allocatable.bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Node allocatable memory in bytes
+ - name: capacity.bytes
+ type: long
+ format: bytes
+ unit: byte
+ metric_type: gauge
+ description: |
+ Node memory capacity in bytes
+ - name: pod
+ type: group
+ fields:
+ - name: allocatable.total
+ type: long
+ metric_type: gauge
+ description: |
+ Node allocatable pods
+ - name: capacity.total
+ type: long
+ metric_type: gauge
+ description: |
+ Node pod capacity
diff --git a/packages/kubernetes/data_stream/state_persistentvolume/fields/fields.yml b/packages/kubernetes/data_stream/state_persistentvolume/fields/fields.yml
new file mode 100644
index 00000000000..e441ac8f9c4
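Review bot: `cpu.allocatable.cores` is `type: float` but the neighbouring `cpu.capacity.cores` is `type: long`; if capacity is ever reported as a fractional core quantity the long mapping silently truncates it, so unless the source guarantees whole cores the two would be safer typed alike (`type: float`). The state_container hunk types both of its `*.cores` fields as `float`, which is the precedent I would follow here.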
--- /dev/null
+++ b/packages/kubernetes/data_stream/state_persistentvolume/fields/fields.yml
@@ -0,0 +1,18 @@
+- name: kubernetes.persistentvolume
+ type: group
+ fields:
+ - name: name
+ dimension: true
+ type: keyword
+ description: Volume name.
+ - name: capacity.bytes
+ type: long
+ unit: byte
+ metric_type: gauge
+ description: Volume capacity
+ - name: phase
+ type: keyword
+ description: Volume phase according to kubernetes
+ - name: storage_class
+ type: keyword
+ description: Storage class for the volume
diff --git a/packages/kubernetes/data_stream/state_persistentvolumeclaim/fields/fields.yml b/packages/kubernetes/data_stream/state_persistentvolumeclaim/fields/fields.yml
new file mode 100644
index 00000000000..6f11ce66b78
--- /dev/null
+++ b/packages/kubernetes/data_stream/state_persistentvolumeclaim/fields/fields.yml
@@ -0,0 +1,24 @@
+- name: kubernetes.persistentvolumeclaim
+ type: group
+ fields:
+ - name: name
+ dimension: true
+ type: keyword
+ description: PVC name.
+ - name: volume_name
+ type: keyword
+ description: Binded volume name.
+ - name: request_storage.bytes
+ type: long
+ unit: byte
+ metric_type: gauge
+ description: Requested capacity.
+ - name: phase
+ type: keyword
+ description: PVC phase.
+ - name: access_mode
+ type: keyword
+ description: Access mode.
+ - name: storage_class
+ type: keyword
+ description: Storage class for the PVC.
diff --git a/packages/kubernetes/data_stream/state_pod/fields/fields.yml b/packages/kubernetes/data_stream/state_pod/fields/fields.yml
new file mode 100644
index 00000000000..67d4cb4b223
--- /dev/null
+++ b/packages/kubernetes/data_stream/state_pod/fields/fields.yml
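Review bot: `capacity.bytes` in the persistentvolume hunk declares `unit: byte` but not `format: bytes`, whereas the byte-valued fields in the node, pod, container and state_node hunks of this commit declare both, so this one would render as a raw number rather than a size. Add `format: bytes` above `unit: byte`. The persistentvolumeclaim hunk has the same gap on `request_storage.bytes`.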
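Review bot: The `volume_name` description in the persistentvolumeclaim hunk reads `Binded volume name.` and should be `Bound volume name.`; the field holds the name of the PersistentVolume the claim is bound to. Documentation only.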
@@ -0,0 +1,26 @@ +- name: kubernetes.pod + type: group + fields: + - name: ip + type: ip + description: | + Kubernetes pod IP + - name: host_ip + type: ip + description: | + Kubernetes pod host IP + - name: status + type: group + fields: + - name: phase + type: keyword + description: | + Kubernetes pod phase (Running, Pending...) + - name: ready + type: keyword + description: | + Kubernetes pod ready status (true, false or unknown) + - name: scheduled + type: keyword + description: | + Kubernetes pod scheduled status (true, false, unknown) diff --git a/packages/kubernetes/data_stream/state_replicaset/fields/fields.yml b/packages/kubernetes/data_stream/state_replicaset/fields/fields.yml new file mode 100644 index 00000000000..40928a77137 --- /dev/null +++ b/packages/kubernetes/data_stream/state_replicaset/fields/fields.yml @@ -0,0 +1,31 @@ +- name: kubernetes.replicaset + type: group + fields: + - name: replicas + type: group + fields: + - name: available + type: long + metric_type: gauge + description: | + The number of replicas per ReplicaSet + - name: desired + type: long + metric_type: gauge + description: | + The number of replicas per ReplicaSet + - name: ready + type: long + metric_type: gauge + description: | + The number of ready replicas per ReplicaSet + - name: observed + type: long + metric_type: gauge + description: | + The generation observed by the ReplicaSet controller + - name: labeled + type: long + metric_type: gauge + description: | + The number of fully labeled replicas per ReplicaSet diff --git a/packages/kubernetes/data_stream/state_resourcequota/fields/fields.yml b/packages/kubernetes/data_stream/state_resourcequota/fields/fields.yml new file mode 100644 index 00000000000..530619270cf --- /dev/null +++ b/packages/kubernetes/data_stream/state_resourcequota/fields/fields.yml 
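Review bot: In the state_replicaset hunk, `replicas.available` and `replicas.desired` share the identical description `The number of replicas per ReplicaSet`, so the generated field table will not tell them apart. Use `The number of available replicas per ReplicaSet` and `The number of desired replicas per ReplicaSet`, matching how `ready` and `labeled` are worded. `replicas.observed` is a generation number rather than a replica count, so placing it under the `replicas` group and describing it as `observed` is slightly misleading; consider `The generation observed by the ReplicaSet controller (not a replica count)`.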
@@ -0,0 +1,24 @@ +- name: kubernetes.resourcequota + type: group + fields: + - name: created.sec + type: double + unit: s + metric_type: gauge + description: Epoch seconds since the ResourceQuota was created + - name: quota + type: double + metric_type: gauge + description: Quota informed (hard or used) for the resource + - name: name + dimension: true + type: keyword + description: ResourceQuota name + - name: type + dimension: true + type: keyword + description: Quota information type, `hard` or `used` + - name: resource + dimension: true + type: keyword + description: Resource name the quota applies to diff --git a/packages/kubernetes/data_stream/state_service/fields/fields.yml b/packages/kubernetes/data_stream/state_service/fields/fields.yml new file mode 100644 index 00000000000..0bec4028605 --- /dev/null +++ b/packages/kubernetes/data_stream/state_service/fields/fields.yml @@ -0,0 +1,31 @@ +- name: kubernetes.service + type: group + fields: + - name: name + dimension: true + type: keyword + description: Service name. + - name: cluster_ip + type: keyword + description: Internal IP for the service. + - name: external_name + type: keyword + description: Service external DNS name + - name: external_ip + type: keyword + description: Service external IP + - name: load_balancer_ip + type: keyword + description: Load Balancer service IP + - name: type + type: keyword + description: Service type + - name: ingress_ip + type: keyword + description: Ingress IP + - name: ingress_hostname + type: keyword + description: Ingress Hostname + - name: created + type: date + description: Service creation date diff --git a/packages/kubernetes/data_stream/state_statefulset/fields/fields.yml b/packages/kubernetes/data_stream/state_statefulset/fields/fields.yml new file mode 100644 index 00000000000..e28adddcaa9 --- /dev/null +++ b/packages/kubernetes/data_stream/state_statefulset/fields/fields.yml 
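Review bot: The description of `kubernetes.resourcequota.created.sec`, `Epoch seconds since the ResourceQuota was created`, conflates two different quantities: a Unix timestamp of the creation time and an elapsed duration since creation. From the field definition alone I cannot tell which one the producer emits; if it is the creation timestamp, say `Creation time of the ResourceQuota as seconds since the Unix epoch`, and if it is an elapsed value, `Seconds elapsed since the ResourceQuota was created`. Either way the `unit: s` and `metric_type: gauge` stay correct, but the `type: double` for a timestamp is worth a second look against `created` fields in the other state_* streams, which use `date`.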
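Review bot: In the state_service hunk, `cluster_ip`, `external_ip`, `load_balancer_ip` and `ingress_ip` are mapped as `keyword`, while the state_pod hunk maps `ip` and `host_ip` as `type: ip`. That may be deliberate, since headless services report a literal `None` cluster IP and `external_ip` can hold several addresses, which would fail `ip` mapping; if so, a comment above `cluster_ip` such as `# keyword rather than ip: headless services report "None"` would stop a later change to `ip` from breaking ingestion. If it is not deliberate, CIDR-based queries and the IP range aggregations will not work on these fields, and they should be switched to `type: ip`.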
@@ -0,0 +1,40 @@ +- name: kubernetes.statefulset + type: group + fields: + - name: created + type: long + metric_type: gauge + description: | + The creation timestamp (epoch) for StatefulSet + - name: replicas + type: group + fields: + - name: observed + type: long + metric_type: gauge + description: | + The number of observed replicas per StatefulSet + - name: desired + type: long + metric_type: gauge + description: | + The number of desired replicas per StatefulSet + - name: ready + type: long + metric_type: gauge + description: > + The number of ready replicas per StatefulSet + + - name: generation + type: group + fields: + - name: observed + type: long + metric_type: gauge + description: | + The observed generation per StatefulSet + - name: desired + type: long + metric_type: gauge + description: | + The desired generation per StatefulSet diff --git a/packages/kubernetes/data_stream/state_storageclass/fields/fields.yml b/packages/kubernetes/data_stream/state_storageclass/fields/fields.yml new file mode 100644 index 00000000000..6a0d31a6274 --- /dev/null +++ b/packages/kubernetes/data_stream/state_storageclass/fields/fields.yml @@ -0,0 +1,19 @@ +- name: kubernetes.storageclass + type: group + fields: + - name: name + dimension: true + type: keyword + description: Storage class name. + - name: provisioner + type: keyword + description: Volume provisioner for the storage class. + - name: reclaim_policy + type: keyword + description: Reclaim policy for dynamically created volumes + - name: volume_binding_mode + type: keyword + description: Mode for default provisioning and binding + - name: created + type: date + description: Storage class creation date diff --git a/packages/kubernetes/data_stream/system/fields/fields.yml b/packages/kubernetes/data_stream/system/fields/fields.yml new file mode 100644 index 00000000000..65fc48d0dd2 --- /dev/null +++ b/packages/kubernetes/data_stream/system/fields/fields.yml 
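Review bot: `kubernetes.statefulset.created` is `type: long` with `metric_type: gauge` and described as an epoch timestamp, while the `created` fields in the state_service and state_storageclass hunks are `type: date` with no metric type; one of the two conventions should win, and a timestamp is not a gauge in any case. If the producer emits an epoch integer, either convert it in an ingest pipeline and map `type: date`, or at least document the unit: `description: StatefulSet creation time as seconds since the Unix epoch` together with `unit: s`. Separately, `replicas.ready` uses `description: >` followed by a blank line, where every other field in the package uses `|`; switch it to `|` for consistency so the rendered text has the same trailing newline behaviour as its siblings.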
@@ -0,0 +1,74 @@ +- name: kubernetes.system + type: group + fields: + - name: container + dimension: true + type: keyword + description: | + Container name + - name: start_time + type: date + description: | + Start time + - name: cpu + type: group + fields: + - name: usage + type: group + fields: + - name: core + type: group + fields: + - name: ns + type: long + metric_type: gauge + description: | + CPU Core usage nanoseconds + - name: nanocores + type: long + metric_type: gauge + description: | + CPU used nanocores + - name: memory + type: group + fields: + - name: usage + type: group + fields: + - name: bytes + type: long + format: bytes + unit: byte + metric_type: gauge + description: | + Total memory usage + - name: rss + type: group + fields: + - name: bytes + type: long + format: bytes + unit: byte + metric_type: gauge + description: | + RSS memory usage + - name: workingset + type: group + fields: + - name: bytes + type: long + format: bytes + unit: byte + metric_type: gauge + description: | + Working set memory usage + - name: pagefaults + type: long + metric_type: counter + description: | + Number of page faults + - name: majorpagefaults + type: long + metric_type: counter + description: | + Number of major page faults diff --git a/packages/kubernetes/data_stream/volume/fields/fields.yml b/packages/kubernetes/data_stream/volume/fields/fields.yml new file mode 100644 index 00000000000..8ccb8574c47 --- /dev/null +++ b/packages/kubernetes/data_stream/volume/fields/fields.yml 
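Review bot: `kubernetes.system.cpu.usage.core.ns` is declared `metric_type: gauge`, yet a cumulative nanosecond CPU total is monotonically increasing, which is what `counter` is for; the `pagefaults` and `majorpagefaults` fields in the same hunk already use `counter`. I cannot see the producer from this diff, so confirm against the kubelet stats source, but if the value is cumulative the line should read `metric_type: counter`. The memory fields carry `unit: byte` while the two CPU fields carry no unit at all; adding `unit: nanos` to `core.ns` would let the TSDB and Lens tooling label the axis correctly.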
@@ -0,0 +1,73 @@ +- name: kubernetes.volume + type: group + fields: + - name: name + dimension: true + type: keyword + description: | + Volume name + - name: fs + type: group + fields: + - name: capacity + type: group + fields: + - name: bytes + type: long + format: bytes + unit: byte + metric_type: gauge + description: | + Filesystem total capacity in bytes + - name: available + type: group + fields: + - name: bytes + type: long + format: bytes + unit: byte + metric_type: gauge + description: | + Filesystem total available in bytes + - name: used + type: group + fields: + - name: bytes + type: long + format: bytes + unit: byte + metric_type: gauge + description: | + Filesystem total used in bytes + - name: pct + type: scaled_float + format: percent + unit: percent + metric_type: gauge + description: | + Percentage of filesystem total used + - name: inodes + type: group + fields: + - name: used + type: long + metric_type: gauge + description: | + Used inodes + - name: pct + type: scaled_float + format: percent + unit: percent + metric_type: gauge + description: | + Percentage of used inodes + - name: free + type: long + metric_type: gauge + description: | + Free inodes + - name: count + type: long + metric_type: gauge + description: | + Total inodes diff --git a/packages/kubernetes/docs/events.md b/packages/kubernetes/docs/events.md index 6ef736dded6..384b4c2e9cd 100644 --- a/packages/kubernetes/docs/events.md +++ b/packages/kubernetes/docs/events.md 
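Review bot: `fs.used.pct` and `inodes.pct` set `format: percent` on a `scaled_float`, which Kibana renders by multiplying the stored value by 100, so the stored value is presumably a 0–1 ratio rather than a 0–100 percentage; the descriptions `Percentage of filesystem total used` and `Percentage of used inodes` do not say which. If the ratio reading is right, `description: Fraction of filesystem capacity used (0-1 ratio)` and the equivalent for inodes would prevent dashboards and alert thresholds from being written against the wrong scale. Also, `fs.available.bytes` is described as `Filesystem total available in bytes`; `Filesystem bytes available to the volume` reads more naturally and mirrors the `capacity`/`used` wording.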
@@ -96,57 +96,77 @@ An example event for `event` looks as following: **Exported fields** -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| kubernetes.annotations.\* | Kubernetes annotations map | object | -| kubernetes.container.image | Kubernetes container image | keyword | -| kubernetes.container.name | Kubernetes container name | keyword | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | -| kubernetes.labels.\* | Kubernetes labels map | object | -| kubernetes.namespace | Kubernetes namespace | keyword | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | -| kubernetes.node.name | Kubernetes node name | keyword | -| kubernetes.pod.ip | Kubernetes pod IP | ip | -| kubernetes.pod.name | Kubernetes pod name | keyword | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| Field | Description | Type | Metric Type | +|---|---|---|---| +| @timestamp | Event timestamp. | date | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | +| cloud.instance.name | Instance name of the host machine. 
| keyword | | +| cloud.machine.type | Machine type of the host machine. | keyword | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | +| cloud.region | Region in which this host is running. | keyword | | +| container.id | Unique container id. | keyword | | +| container.image.name | Name of the image the container was built on. | keyword | | +| container.labels | Image labels. | object | | +| container.name | Container name. | keyword | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | +| data_stream.type | Data stream type. | constant_keyword | | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | +| host.architecture | Operating system architecture. | keyword | | +| host.containerized | If the host is a container. | boolean | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | +| host.ip | Host ip addresses. | ip | | +| host.mac | Host mac addresses. | keyword | | +| host.name | Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | +| host.os.build | OS build information. | keyword | | +| host.os.codename | OS codename, if any. | keyword | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | +| host.os.name | Operating system name, without the version. | keyword | | +| host.os.name.text | Multi-field of `host.os.name`. | text | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | +| host.os.version | Operating system version as a raw string. | keyword | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | +| kubernetes.annotations.\* | Kubernetes annotations map | object | | +| kubernetes.container.image | Kubernetes container image | keyword | | +| kubernetes.container.name | Kubernetes container name | keyword | | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | | +| kubernetes.event.count | Count field records the number of times the particular event has occurred | long | counter | +| kubernetes.event.involved_object.api_version | API version of the object | keyword | | +| kubernetes.event.involved_object.kind | API kind of the object | keyword | | +| kubernetes.event.involved_object.name | name of the object | keyword | | +| kubernetes.event.involved_object.resource_version | resource version of the object | keyword | | +| kubernetes.event.involved_object.uid | uid version of the object | keyword | | +| kubernetes.event.message | Message recorded for the given event | text | | +| kubernetes.event.metadata.generate_name | Generate name of the event | keyword | | +| 
kubernetes.event.metadata.name | Name of the event | keyword | | +| kubernetes.event.metadata.namespace | Namespace in which event was generated | keyword | | +| kubernetes.event.metadata.resource_version | Version of the event resource | keyword | | +| kubernetes.event.metadata.self_link | URL representing the event | keyword | | +| kubernetes.event.metadata.timestamp.created | Timestamp of creation of the given event | date | | +| kubernetes.event.metadata.uid | Unique identifier to the event object | keyword | | +| kubernetes.event.reason | Reason recorded for the given event | keyword | | +| kubernetes.event.source.component | Component from which the event is generated | keyword | | +| kubernetes.event.source.host | Node name on which the event is generated | keyword | | +| kubernetes.event.timestamp.first_occurrence | Timestamp of first occurrence of event | date | | +| kubernetes.event.timestamp.last_occurrence | Timestamp of last occurrence of event | date | | +| kubernetes.event.type | Type of the given event | keyword | | +| kubernetes.labels.\* | Kubernetes labels map | object | | +| kubernetes.namespace | Kubernetes namespace | keyword | | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | +| kubernetes.node.name | Kubernetes node name | keyword | | +| kubernetes.pod.ip | Kubernetes pod IP | ip | | +| kubernetes.pod.name | Kubernetes pod name | keyword | | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | +| orchestrator.cluster.name | Name of the cluster. | keyword | | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | +| service.type | The type of the service data is collected from. 
The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | diff --git a/packages/kubernetes/docs/kube-controller-manager.md b/packages/kubernetes/docs/kube-controller-manager.md index 7032c890bb0..ae019f99c74 100644 --- a/packages/kubernetes/docs/kube-controller-manager.md +++ b/packages/kubernetes/docs/kube-controller-manager.md 
@@ -107,58 +107,90 @@ An example event for `controllermanager` looks as following: **Exported fields** -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| kubernetes.annotations.\* | Kubernetes annotations map | object | -| kubernetes.container.image | Kubernetes container image | keyword | -| kubernetes.container.name | Kubernetes container name | keyword | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | -| kubernetes.labels.\* | Kubernetes labels map | object | -| kubernetes.namespace | Kubernetes namespace | keyword | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | -| kubernetes.node.name | Kubernetes node name | keyword | -| kubernetes.pod.ip | Kubernetes pod IP | ip | -| kubernetes.pod.name | Kubernetes pod name | keyword | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| Field | Description | Type | Unit | Metric Type | +|---|---|---|---|---| +| @timestamp | Event timestamp. | date | | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | +| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | | +| cloud.instance.name | Instance name of the host machine. | keyword | | | +| cloud.machine.type | Machine type of the host machine. | keyword | | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | +| cloud.region | Region in which this host is running. | keyword | | | +| container.id | Unique container id. | keyword | | | +| container.image.name | Name of the image the container was built on. | keyword | | | +| container.labels | Image labels. | object | | | +| container.name | Container name. | keyword | | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | | +| data_stream.type | Data stream type. | constant_keyword | | | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | +| host.architecture | Operating system architecture. | keyword | | | +| host.containerized | If the host is a container. | boolean | | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword | | | +| host.ip | Host ip addresses. | ip | | | +| host.mac | Host mac addresses. | keyword | | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.os.build | OS build information. | keyword | | | +| host.os.codename | OS codename, if any. | keyword | | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | +| host.os.name | Operating system name, without the version. | keyword | | | +| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.version | Operating system version as a raw string. | keyword | | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | +| kubernetes.annotations.\* | Kubernetes annotations map | object | | | +| kubernetes.container.image | Kubernetes container image | keyword | | | +| kubernetes.container.name | Kubernetes container name | keyword | | | +| kubernetes.controllermanager.client.request.count | Number of requests as client | long | | counter | +| kubernetes.controllermanager.code | HTTP code | keyword | | | +| kubernetes.controllermanager.handler | Request handler | keyword | | | +| kubernetes.controllermanager.host | Request host | keyword | | | +| kubernetes.controllermanager.http.request.count | Request count for response | long | | counter | +| kubernetes.controllermanager.http.request.duration.us.count | Request count for duration | long | micros | counter | +| kubernetes.controllermanager.http.request.duration.us.percentile.\* | Request duration microseconds percentiles | object | | | +| kubernetes.controllermanager.http.request.duration.us.sum | Request duration microseconds cumulative sum | double | micros | counter | +| kubernetes.controllermanager.http.request.size.bytes.count | Request count for size | long | byte | counter | +| kubernetes.controllermanager.http.request.size.bytes.percentile.\* | Request size percentiles | object | | | +| kubernetes.controllermanager.http.request.size.bytes.sum | Request size cumulative sum | long | byte | counter | +| kubernetes.controllermanager.http.response.size.bytes.count | Response count | long | byte | counter | +| kubernetes.controllermanager.http.response.size.bytes.percentile.\* | Response size percentiles | object | | | +| kubernetes.controllermanager.http.response.size.bytes.sum | Response size cumulative sum | long | byte | counter | +| kubernetes.controllermanager.leader.is_master | Whether the node is master | boolean | | | +| kubernetes.controllermanager.method | HTTP method | keyword | | | +| kubernetes.controllermanager.name | Name for the resource | keyword | | | +| 
kubernetes.controllermanager.node.collector.count | Number of nodes | long | | gauge | +| kubernetes.controllermanager.node.collector.eviction.count | Number of node evictions | long | | counter | +| kubernetes.controllermanager.node.collector.health.pct | Percentage of healthy nodes | long | | gauge | +| kubernetes.controllermanager.node.collector.unhealthy.count | Number of unhealthy nodes | long | | gauge | +| kubernetes.controllermanager.process.cpu.sec | CPU seconds | double | | counter | +| kubernetes.controllermanager.process.fds.open.count | Number of open file descriptors | long | | gauge | +| kubernetes.controllermanager.process.memory.resident.bytes | Bytes in resident memory | long | byte | gauge | +| kubernetes.controllermanager.process.memory.virtual.bytes | Bytes in virtual memory | long | byte | gauge | +| kubernetes.controllermanager.process.started.sec | Seconds since the process started | double | | gauge | +| kubernetes.controllermanager.workqueue.adds.count | Workqueue add count | long | | counter | +| kubernetes.controllermanager.workqueue.depth.count | Workqueue depth count | long | | gauge | +| kubernetes.controllermanager.workqueue.longestrunning.sec | Longest running processors | double | | gauge | +| kubernetes.controllermanager.workqueue.retries.count | Workqueue number of retries | long | | counter | +| kubernetes.controllermanager.workqueue.unfinished.sec | Unfinished processors | double | | gauge | +| kubernetes.controllermanager.zone | Infrastructure zone | keyword | | | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | | | +| kubernetes.labels.\* | Kubernetes labels map | object | | | +| kubernetes.namespace | Kubernetes namespace | keyword | | | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | | +| kubernetes.node.name | Kubernetes node name | keyword | | | +| kubernetes.pod.ip | Kubernetes pod IP | ip | | | +| kubernetes.pod.name | Kubernetes pod name | keyword | 
| | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | | | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | | +| orchestrator.cluster.name | Name of the cluster. | keyword | | | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | | diff --git a/packages/kubernetes/docs/kube-scheduler.md b/packages/kubernetes/docs/kube-scheduler.md index a9f57a079cd..596ab5dfc34 100644 --- a/packages/kubernetes/docs/kube-scheduler.md +++ b/packages/kubernetes/docs/kube-scheduler.md 
@@ -93,58 +93,92 @@ An example event for `scheduler` looks as following:
 **Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member.
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| kubernetes.annotations.\* | Kubernetes annotations map | object | -| kubernetes.container.image | Kubernetes container image | keyword | -| kubernetes.container.name | Kubernetes container name | keyword | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | -| kubernetes.labels.\* | Kubernetes labels map | object | -| kubernetes.namespace | Kubernetes namespace | keyword | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | -| kubernetes.node.name | Kubernetes node name | keyword | -| kubernetes.pod.ip | Kubernetes pod IP | ip | -| kubernetes.pod.name | Kubernetes pod name | keyword | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| Field | Description | Type | Unit | Metric Type | +|---|---|---|---|---| +| @timestamp | Event timestamp. | date | | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | +| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | | +| cloud.instance.name | Instance name of the host machine. | keyword | | | +| cloud.machine.type | Machine type of the host machine. | keyword | | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | +| cloud.region | Region in which this host is running. | keyword | | | +| container.id | Unique container id. | keyword | | | +| container.image.name | Name of the image the container was built on. | keyword | | | +| container.labels | Image labels. | object | | | +| container.name | Container name. | keyword | | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | | +| data_stream.type | Data stream type. | constant_keyword | | | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | +| host.architecture | Operating system architecture. | keyword | | | +| host.containerized | If the host is a container. | boolean | | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword | | | +| host.ip | Host ip addresses. | ip | | | +| host.mac | Host mac addresses. | keyword | | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.os.build | OS build information. | keyword | | | +| host.os.codename | OS codename, if any. | keyword | | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | +| host.os.name | Operating system name, without the version. | keyword | | | +| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.version | Operating system version as a raw string. | keyword | | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | +| kubernetes.annotations.\* | Kubernetes annotations map | object | | | +| kubernetes.container.image | Kubernetes container image | keyword | | | +| kubernetes.container.name | Kubernetes container name | keyword | | | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | | | +| kubernetes.labels.\* | Kubernetes labels map | object | | | +| kubernetes.namespace | Kubernetes namespace | keyword | | | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | | +| kubernetes.node.name | Kubernetes node name | keyword | | | +| kubernetes.pod.ip | Kubernetes pod IP | ip | | | +| kubernetes.pod.name | Kubernetes pod name | keyword | | | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | | | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | | +| kubernetes.scheduler.client.request.count | Number of requests as client | long | | counter | +| kubernetes.scheduler.code | HTTP code | keyword | | | +| kubernetes.scheduler.handler | Request handler | keyword | | | +| kubernetes.scheduler.host | Request host | keyword | | | +| kubernetes.scheduler.http.request.count | Request count | long | | counter | +| kubernetes.scheduler.http.request.duration.us.count | Request count for duration | long | micros | counter | +| kubernetes.scheduler.http.request.duration.us.percentile.\* | Request duration microseconds percentiles | object | | | +| kubernetes.scheduler.http.request.duration.us.sum | Request duration microseconds cumulative sum | double | micros | counter | +| kubernetes.scheduler.http.request.size.bytes.count | Request count for size | long | byte | counter | +| kubernetes.scheduler.http.request.size.bytes.percentile.\* | Request size percentiles | object | | | +| kubernetes.scheduler.http.request.size.bytes.sum | Request size cumulative sum | long | byte | counter | +| kubernetes.scheduler.http.response.size.bytes.count | Response count | long | | counter | +| 
kubernetes.scheduler.http.response.size.bytes.percentile.\* | Response size percentiles | object | | | +| kubernetes.scheduler.http.response.size.bytes.sum | Response size cumulative sum | long | byte | counter | +| kubernetes.scheduler.leader.is_master | Whether the node is master | boolean | | | +| kubernetes.scheduler.method | HTTP method | keyword | | | +| kubernetes.scheduler.name | Name for the resource | keyword | | | +| kubernetes.scheduler.operation | Scheduling operation | keyword | | | +| kubernetes.scheduler.process.cpu.sec | CPU seconds | double | | counter | +| kubernetes.scheduler.process.fds.open.count | Number of open file descriptors | long | | gauge | +| kubernetes.scheduler.process.memory.resident.bytes | Bytes in resident memory | long | byte | gauge | +| kubernetes.scheduler.process.memory.virtual.bytes | Bytes in virtual memory | long | byte | gauge | +| kubernetes.scheduler.process.started.sec | Seconds since the process started | double | | gauge | +| kubernetes.scheduler.result | Schedule attempt result | keyword | | | +| kubernetes.scheduler.scheduling.duration.seconds.count | Scheduling count | long | | counter | +| kubernetes.scheduler.scheduling.duration.seconds.percentile.\* | Scheduling duration percentiles | object | | | +| kubernetes.scheduler.scheduling.duration.seconds.sum | Scheduling duration cumulative sum | double | | counter | +| kubernetes.scheduler.scheduling.e2e.duration.us.bucket.\* | End to end scheduling duration microseconds | object | | | +| kubernetes.scheduler.scheduling.e2e.duration.us.count | End to end scheduling count | long | micros | counter | +| kubernetes.scheduler.scheduling.e2e.duration.us.sum | End to end scheduling duration microseconds sum | long | micros | counter | +| kubernetes.scheduler.scheduling.pod.attempts.count | Pod attempts count | long | | counter | +| kubernetes.scheduler.scheduling.pod.preemption.victims.bucket.\* | Pod preemption victims | long | | | +| 
kubernetes.scheduler.scheduling.pod.preemption.victims.count | Pod preemption victims count | long | | counter |
+| kubernetes.scheduler.scheduling.pod.preemption.victims.sum | Pod preemption victims sum | long | | counter |
+| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | |
+| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | |
+| orchestrator.cluster.name | Name of the cluster. | keyword | | |
+| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | |
+| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
diff --git a/packages/kubernetes/docs/kube-state-metrics.md b/packages/kubernetes/docs/kube-state-metrics.md
index 43e5d5f3d4e..ac299b3eee9 100644
--- a/packages/kubernetes/docs/kube-state-metrics.md
+++ b/packages/kubernetes/docs/kube-state-metrics.md
@@ -150,71 +150,82 @@ An example event for `state_container` looks as following:
 **Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| container.runtime | Runtime managing this container. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container.
| boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| kubernetes.annotations.\* | Kubernetes annotations map | object | -| kubernetes.container.image | Kubernetes container image | keyword | -| kubernetes.container.name | Kubernetes container name | keyword | -| kubernetes.cronjob.name | Name of the CronJob to which the Pod belongs | keyword | -| kubernetes.daemonset.name | Kubernetes daemonset name | keyword | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | -| kubernetes.job.name | Name of the Job to which the Pod belongs | keyword | -| kubernetes.labels.\* | Kubernetes labels map | object | -| kubernetes.namespace | Kubernetes namespace | keyword | -| kubernetes.namespace_annotations.\* | Kubernetes namespace annotations map | object | -| kubernetes.namespace_labels.\* | Kubernetes namespace labels map | object | -| kubernetes.namespace_uid | Kubernetes namespace UID | keyword | -| kubernetes.node.annotations.\* | Kubernetes node annotations map | object | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | -| kubernetes.node.labels.\* | Kubernetes node labels map | object | -| kubernetes.node.name | Kubernetes node name | keyword | -| kubernetes.node.uid | Kubernetes node UID | keyword | -| kubernetes.pod.ip | Kubernetes pod IP | ip | -| kubernetes.pod.name | Kubernetes pod name | keyword | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). 
| keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| Field | Description | Type | Unit | Metric Type | +|---|---|---|---|---| +| @timestamp | Event timestamp. | date | | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | | +| cloud.instance.name | Instance name of the host machine. | keyword | | | +| cloud.machine.type | Machine type of the host machine. | keyword | | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | +| cloud.region | Region in which this host is running. | keyword | | | +| container.id | Unique container id. | keyword | | | +| container.image.name | Name of the image the container was built on. | keyword | | | +| container.labels | Image labels. | object | | | +| container.name | Container name. | keyword | | | +| container.runtime | Runtime managing this container. | keyword | | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | | +| data_stream.type | Data stream type. | constant_keyword | | | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. 
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | +| host.architecture | Operating system architecture. | keyword | | | +| host.containerized | If the host is a container. | boolean | | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | +| host.ip | Host ip addresses. | ip | | | +| host.mac | Host mac addresses. | keyword | | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.os.build | OS build information. | keyword | | | +| host.os.codename | OS codename, if any. | keyword | | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | +| host.os.name | Operating system name, without the version. | keyword | | | +| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.version | Operating system version as a raw string. | keyword | | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | +| kubernetes.annotations.\* | Kubernetes annotations map | object | | | +| kubernetes.container.cpu.limit.cores | Container CPU cores limit | float | | gauge | +| kubernetes.container.cpu.limit.nanocores | Container CPU nanocores limit | long | | gauge | +| kubernetes.container.cpu.request.cores | Container CPU requested cores | float | | gauge | +| kubernetes.container.cpu.request.nanocores | Container CPU requested nanocores | long | | gauge | +| kubernetes.container.id | Container id | keyword | | | +| kubernetes.container.image | Kubernetes container image | keyword | | | +| kubernetes.container.memory.limit.bytes | Container memory limit in bytes | long | byte | gauge | +| kubernetes.container.memory.request.bytes | Container requested memory in bytes | long | byte | gauge | +| kubernetes.container.name | Kubernetes container name | keyword | | | +| kubernetes.container.status.phase | Container phase (running, waiting, terminated) | keyword | | | +| kubernetes.container.status.ready | Container ready status | boolean | | | +| kubernetes.container.status.reason | Waiting (ContainerCreating, CrashLoopBackoff, ErrImagePull, ImagePullBackoff) or termination (Completed, ContainerCannotRun, Error, OOMKilled) reason. 
| keyword | | | +| kubernetes.container.status.restarts | Container restarts count | integer | | counter | +| kubernetes.cronjob.name | Name of the CronJob to which the Pod belongs | keyword | | | +| kubernetes.daemonset.name | Kubernetes daemonset name | keyword | | | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | | | +| kubernetes.job.name | Name of the Job to which the Pod belongs | keyword | | | +| kubernetes.labels.\* | Kubernetes labels map | object | | | +| kubernetes.namespace | Kubernetes namespace | keyword | | | +| kubernetes.namespace_annotations.\* | Kubernetes namespace annotations map | object | | | +| kubernetes.namespace_labels.\* | Kubernetes namespace labels map | object | | | +| kubernetes.namespace_uid | Kubernetes namespace UID | keyword | | | +| kubernetes.node.annotations.\* | Kubernetes node annotations map | object | | | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | | +| kubernetes.node.labels.\* | Kubernetes node labels map | object | | | +| kubernetes.node.name | Kubernetes node name | keyword | | | +| kubernetes.node.uid | Kubernetes node UID | keyword | | | +| kubernetes.pod.ip | Kubernetes pod IP | ip | | | +| kubernetes.pod.name | Kubernetes pod name | keyword | | | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | | | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | | +| orchestrator.cluster.name | Name of the cluster. | keyword | | | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | +| service.type | The type of the service data is collected from. 
The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
 ### state_cronjob
@@ -295,61 +306,70 @@ An example event for `state_cronjob` looks as following: **Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword |
-| kubernetes.annotations.\* | Kubernetes annotations map | object |
-| kubernetes.container.image | Kubernetes container image | keyword |
-| kubernetes.container.name | Kubernetes container name | keyword |
-| kubernetes.deployment.name | Kubernetes deployment name | keyword |
-| kubernetes.labels.\* | Kubernetes labels map | object |
-| kubernetes.namespace | Kubernetes namespace | keyword |
-| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword |
-| kubernetes.node.name | Kubernetes node name | keyword |
-| kubernetes.pod.ip | Kubernetes pod IP | ip |
-| kubernetes.pod.name | Kubernetes pod name | keyword |
-| kubernetes.pod.uid | Kubernetes pod UID | keyword |
-| kubernetes.replicaset.name | Kubernetes replicaset name | keyword |
-| kubernetes.selectors.\* | Kubernetes Service selectors map | object |
-| kubernetes.statefulset.name | Kubernetes statefulset name | keyword |
-| orchestrator.cluster.name | Name of the cluster. | keyword |
-| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword |
-| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Unit | Metric Type |
+|---|---|---|---|---|
+| @timestamp | Event timestamp. | date | | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
+| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | | |
+| cloud.instance.name | Instance name of the host machine. | keyword | | |
+| cloud.machine.type | Machine type of the host machine. | keyword | | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
+| cloud.region | Region in which this host is running. | keyword | | |
+| container.id | Unique container id. | keyword | | |
+| container.image.name | Name of the image the container was built on. | keyword | | |
+| container.labels | Image labels. | object | | |
+| container.name | Container name. | keyword | | |
+| data_stream.dataset | Data stream dataset. | constant_keyword | | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | | |
+| data_stream.type | Data stream type. | constant_keyword | | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
+| host.architecture | Operating system architecture. | keyword | | |
+| host.containerized | If the host is a container. | boolean | | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
+| host.mac | Host mac addresses. | keyword | | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
+| host.os.build | OS build information. | keyword | | |
+| host.os.codename | OS codename, if any. | keyword | | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
+| host.os.name | Operating system name, without the version. | keyword | | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
+| host.os.version | Operating system version as a raw string. | keyword | | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | |
+| kubernetes.annotations.\* | Kubernetes annotations map | object | | |
+| kubernetes.container.image | Kubernetes container image | keyword | | |
+| kubernetes.container.name | Kubernetes container name | keyword | | |
+| kubernetes.cronjob.active.count | Number of active pods for the cronjob | long | | gauge |
+| kubernetes.cronjob.concurrency | Concurrency policy | keyword | | |
+| kubernetes.cronjob.created.sec | Epoch seconds since the cronjob was created | double | s | gauge |
+| kubernetes.cronjob.deadline.sec | Deadline seconds after schedule for considering failed | long | s | gauge |
+| kubernetes.cronjob.is_suspended | Whether the cronjob is suspended | boolean | | |
+| kubernetes.cronjob.last_schedule.sec | Epoch seconds for last cronjob run | double | s | gauge |
+| kubernetes.cronjob.name | Cronjob name | keyword | | |
+| kubernetes.cronjob.next_schedule.sec | Epoch seconds for next cronjob run | double | s | gauge |
+| kubernetes.cronjob.schedule | Cronjob schedule | keyword | | |
+| kubernetes.deployment.name | Kubernetes deployment name | keyword | | |
+| kubernetes.labels.\* | Kubernetes labels map | object | | |
+| kubernetes.namespace | Kubernetes namespace | keyword | | |
+| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | |
+| kubernetes.node.name | Kubernetes node name | keyword | | |
+| kubernetes.pod.ip | Kubernetes pod IP | ip | | |
+| kubernetes.pod.name | Kubernetes pod name | keyword | | |
+| kubernetes.pod.uid | Kubernetes pod UID | keyword | | |
+| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | |
+| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | |
+| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | |
+| orchestrator.cluster.name | Name of the cluster. | keyword | | |
+| orchestrator.cluster.url | URL of the API used to manage the cluster. 
| keyword | | |
+| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | | ### state_daemonset 
@@ -426,61 +446,66 @@ An example event for `state_daemonset` looks as following: **Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword |
-| kubernetes.annotations.\* | Kubernetes annotations map | object |
-| kubernetes.container.image | Kubernetes container image | keyword |
-| kubernetes.container.name | Kubernetes container name | keyword |
-| kubernetes.deployment.name | Kubernetes deployment name | keyword |
-| kubernetes.labels.\* | Kubernetes labels map | object |
-| kubernetes.namespace | Kubernetes namespace | keyword |
-| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword |
-| kubernetes.node.name | Kubernetes node name | keyword |
-| kubernetes.pod.ip | Kubernetes pod IP | ip |
-| kubernetes.pod.name | Kubernetes pod name | keyword |
-| kubernetes.pod.uid | Kubernetes pod UID | keyword |
-| kubernetes.replicaset.name | Kubernetes replicaset name | keyword |
-| kubernetes.selectors.\* | Kubernetes Service selectors map | object |
-| kubernetes.statefulset.name | Kubernetes statefulset name | keyword |
-| orchestrator.cluster.name | Name of the cluster. | keyword |
-| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword |
-| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Metric Type |
+|---|---|---|---|
+| @timestamp | Event timestamp. | date | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
+| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | |
+| cloud.instance.name | Instance name of the host machine. | keyword | |
+| cloud.machine.type | Machine type of the host machine. | keyword | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
+| cloud.region | Region in which this host is running. | keyword | |
+| container.id | Unique container id. | keyword | |
+| container.image.name | Name of the image the container was built on. | keyword | |
+| container.labels | Image labels. | object | |
+| container.name | Container name. | keyword | |
+| data_stream.dataset | Data stream dataset. | constant_keyword | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | |
+| data_stream.type | Data stream type. | constant_keyword | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
+| host.architecture | Operating system architecture. | keyword | |
+| host.containerized | If the host is a container. | boolean | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword | |
+| host.ip | Host ip addresses. | ip | |
+| host.mac | Host mac addresses. | keyword | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.os.build | OS build information. | keyword | |
+| host.os.codename | OS codename, if any. | keyword | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | |
+| host.os.name | Operating system name, without the version. | keyword | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.version | Operating system version as a raw string. | keyword | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | |
+| kubernetes.annotations.\* | Kubernetes annotations map | object | |
+| kubernetes.container.image | Kubernetes container image | keyword | |
+| kubernetes.container.name | Kubernetes container name | keyword | |
+| kubernetes.daemonset.name | | keyword | |
+| kubernetes.daemonset.replicas.available | The number of available replicas per DaemonSet | long | gauge |
+| kubernetes.daemonset.replicas.desired | The desired number of replicas per DaemonSet | long | gauge |
+| kubernetes.daemonset.replicas.ready | The number of ready replicas per DaemonSet | long | gauge |
+| kubernetes.daemonset.replicas.unavailable | The number of unavailable replicas per DaemonSet | long | gauge |
+| kubernetes.deployment.name | Kubernetes deployment name | keyword | |
+| kubernetes.labels.\* | Kubernetes labels map | object | |
+| kubernetes.namespace | Kubernetes namespace | keyword | |
+| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | |
+| kubernetes.node.name | Kubernetes node name | keyword | |
+| kubernetes.pod.ip | Kubernetes pod IP | ip | |
+| kubernetes.pod.name | Kubernetes pod name | keyword | |
+| kubernetes.pod.uid | Kubernetes pod UID | keyword | |
+| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | |
+| kubernetes.selectors.\* | Kubernetes Service selectors map | object | |
+| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | |
+| orchestrator.cluster.name | Name of the cluster. | keyword | |
+| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | |
+| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. 
Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | ### state_deployment 
@@ -558,61 +583,66 @@ An example event for `state_deployment` looks as following: **Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword |
-| kubernetes.annotations.\* | Kubernetes annotations map | object |
-| kubernetes.container.image | Kubernetes container image | keyword |
-| kubernetes.container.name | Kubernetes container name | keyword |
-| kubernetes.deployment.name | Kubernetes deployment name | keyword |
-| kubernetes.labels.\* | Kubernetes labels map | object |
-| kubernetes.namespace | Kubernetes namespace | keyword |
-| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword |
-| kubernetes.node.name | Kubernetes node name | keyword |
-| kubernetes.pod.ip | Kubernetes pod IP | ip |
-| kubernetes.pod.name | Kubernetes pod name | keyword |
-| kubernetes.pod.uid | Kubernetes pod UID | keyword |
-| kubernetes.replicaset.name | Kubernetes replicaset name | keyword |
-| kubernetes.selectors.\* | Kubernetes Service selectors map | object |
-| kubernetes.statefulset.name | Kubernetes statefulset name | keyword |
-| orchestrator.cluster.name | Name of the cluster. | keyword |
-| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword |
-| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Metric Type |
+|---|---|---|---|
+| @timestamp | Event timestamp. | date | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
+| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | |
+| cloud.instance.name | Instance name of the host machine. | keyword | |
+| cloud.machine.type | Machine type of the host machine. | keyword | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
+| cloud.region | Region in which this host is running. | keyword | |
+| container.id | Unique container id. | keyword | |
+| container.image.name | Name of the image the container was built on. | keyword | |
+| container.labels | Image labels. | object | |
+| container.name | Container name. | keyword | |
+| data_stream.dataset | Data stream dataset. | constant_keyword | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | |
+| data_stream.type | Data stream type. | constant_keyword | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
+| host.architecture | Operating system architecture. | keyword | |
+| host.containerized | If the host is a container. | boolean | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword | |
+| host.ip | Host ip addresses. | ip | |
+| host.mac | Host mac addresses. | keyword | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.os.build | OS build information. | keyword | |
+| host.os.codename | OS codename, if any. | keyword | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | |
+| host.os.name | Operating system name, without the version. | keyword | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.version | Operating system version as a raw string. | keyword | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | |
+| kubernetes.annotations.\* | Kubernetes annotations map | object | |
+| kubernetes.container.image | Kubernetes container image | keyword | |
+| kubernetes.container.name | Kubernetes container name | keyword | |
+| kubernetes.deployment.name | Kubernetes deployment name | keyword | |
+| kubernetes.deployment.paused | Kubernetes deployment paused status | boolean | |
+| kubernetes.deployment.replicas.available | Deployment available replicas | integer | gauge |
+| kubernetes.deployment.replicas.desired | Deployment number of desired replicas (spec) | integer | gauge |
+| kubernetes.deployment.replicas.unavailable | Deployment unavailable replicas | integer | gauge |
+| kubernetes.deployment.replicas.updated | Deployment updated replicas | integer | gauge |
+| kubernetes.labels.\* | Kubernetes labels map | object | |
+| kubernetes.namespace | Kubernetes namespace | keyword | |
+| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | |
+| kubernetes.node.name | Kubernetes node name | keyword | |
+| kubernetes.pod.ip | Kubernetes pod IP | ip | |
+| kubernetes.pod.name | Kubernetes pod name | keyword | |
+| kubernetes.pod.uid | Kubernetes pod UID | keyword | |
+| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | |
+| kubernetes.selectors.\* | Kubernetes Service selectors map | object | |
+| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | |
+| orchestrator.cluster.name | Name of the cluster. | keyword | |
+| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | |
+| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. 
Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | ### state_job 
@@ -699,63 +729,75 @@ An example event for `state_job` looks as following: **Exported fields** -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| kubernetes.annotations.\* | Kubernetes annotations map | object | -| kubernetes.container.image | Kubernetes container image | keyword | -| kubernetes.container.name | Kubernetes container name | keyword | -| kubernetes.cronjob.name | Name of the CronJob to which the Pod belongs | keyword | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | -| kubernetes.job.name | Name of the Job to which the Pod belongs | keyword | -| kubernetes.labels.\* | Kubernetes labels map | object | -| kubernetes.namespace | Kubernetes namespace | keyword | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | -| kubernetes.node.name | Kubernetes node name | keyword | -| kubernetes.pod.ip | Kubernetes pod IP | ip | -| kubernetes.pod.name | Kubernetes pod name | keyword | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| Field | Description | Type | Metric Type | +|---|---|---|---| +| @timestamp | Event timestamp. | date | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | +| cloud.instance.name | Instance name of the host machine. | keyword | | +| cloud.machine.type | Machine type of the host machine. | keyword | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | +| cloud.region | Region in which this host is running. | keyword | | +| container.id | Unique container id. | keyword | | +| container.image.name | Name of the image the container was built on. | keyword | | +| container.labels | Image labels. | object | | +| container.name | Container name. | keyword | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | +| data_stream.type | Data stream type. | constant_keyword | | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | +| host.architecture | Operating system architecture. | keyword | | +| host.containerized | If the host is a container. | boolean | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. 
| keyword | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | +| host.ip | Host ip addresses. | ip | | +| host.mac | Host mac addresses. | keyword | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | +| host.os.build | OS build information. | keyword | | +| host.os.codename | OS codename, if any. | keyword | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | +| host.os.name | Operating system name, without the version. | keyword | | +| host.os.name.text | Multi-field of `host.os.name`. | text | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | +| host.os.version | Operating system version as a raw string. | keyword | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | +| kubernetes.annotations.\* | Kubernetes annotations map | object | | +| kubernetes.container.image | Kubernetes container image | keyword | | +| kubernetes.container.name | Kubernetes container name | keyword | | +| kubernetes.cronjob.name | Name of the CronJob to which the Pod belongs | keyword | | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | | +| kubernetes.job.completions.desired | The configured completion count for the job (Spec) | long | gauge | +| kubernetes.job.name | Name of the Job to which the Pod belongs | keyword | | +| kubernetes.job.owner.is_controller | Owner is controller ("true", "false", or `"\"`) | keyword | | +| kubernetes.job.owner.kind | The kind of resource that owns this job (eg. "CronJob") | keyword | | +| kubernetes.job.owner.name | The name of the resource that owns this job | keyword | | +| kubernetes.job.parallelism.desired | The configured parallelism of the job (Spec) | long | gauge | +| kubernetes.job.pods.active | Number of active pods | long | gauge | +| kubernetes.job.pods.failed | Number of failed pods | long | gauge | +| kubernetes.job.pods.succeeded | Number of successful pods | long | gauge | +| kubernetes.job.status.complete | Whether the job completed ("true", "false", or "unknown") | keyword | | +| kubernetes.job.status.failed | Whether the job failed ("true", "false", or "unknown") | keyword | | +| kubernetes.job.time.completed | The time at which the job completed | date | | +| kubernetes.job.time.created | The time at which the job was created | date | | +| kubernetes.labels.\* | Kubernetes labels map | object | | +| kubernetes.namespace | Kubernetes namespace | keyword | | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | +| kubernetes.node.name | Kubernetes node name | keyword | | +| kubernetes.pod.ip | Kubernetes pod IP | ip | | +| kubernetes.pod.name | Kubernetes pod name | keyword | | +| kubernetes.pod.uid | Kubernetes pod UID 
| keyword | | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | +| orchestrator.cluster.name | Name of the cluster. | keyword | | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | ### state_node 
@@ -858,61 +900,73 @@ An example event for `state_node` looks as following: **Exported fields** -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| kubernetes.annotations.\* | Kubernetes annotations map | object | -| kubernetes.container.image | Kubernetes container image | keyword | -| kubernetes.container.name | Kubernetes container name | keyword | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | -| kubernetes.labels.\* | Kubernetes labels map | object | -| kubernetes.namespace | Kubernetes namespace | keyword | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | -| kubernetes.node.name | Kubernetes node name | keyword | -| kubernetes.pod.ip | Kubernetes pod IP | ip | -| kubernetes.pod.name | Kubernetes pod name | keyword | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| Field | Description | Type | Unit | Metric Type | +|---|---|---|---|---| +| @timestamp | Event timestamp. | date | | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | +| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | | +| cloud.instance.name | Instance name of the host machine. | keyword | | | +| cloud.machine.type | Machine type of the host machine. | keyword | | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | +| cloud.region | Region in which this host is running. | keyword | | | +| container.id | Unique container id. | keyword | | | +| container.image.name | Name of the image the container was built on. | keyword | | | +| container.labels | Image labels. | object | | | +| container.name | Container name. | keyword | | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | | +| data_stream.type | Data stream type. | constant_keyword | | | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | +| host.architecture | Operating system architecture. | keyword | | | +| host.containerized | If the host is a container. | boolean | | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword | | | +| host.ip | Host ip addresses. | ip | | | +| host.mac | Host mac addresses. | keyword | | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.os.build | OS build information. | keyword | | | +| host.os.codename | OS codename, if any. | keyword | | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | +| host.os.name | Operating system name, without the version. | keyword | | | +| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.version | Operating system version as a raw string. | keyword | | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | +| kubernetes.annotations.\* | Kubernetes annotations map | object | | | +| kubernetes.container.image | Kubernetes container image | keyword | | | +| kubernetes.container.name | Kubernetes container name | keyword | | | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | | | +| kubernetes.labels.\* | Kubernetes labels map | object | | | +| kubernetes.namespace | Kubernetes namespace | keyword | | | +| kubernetes.node.cpu.allocatable.cores | Node CPU allocatable cores | float | | gauge | +| kubernetes.node.cpu.capacity.cores | Node CPU capacity cores | long | | gauge | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | | +| kubernetes.node.memory.allocatable.bytes | Node allocatable memory in bytes | long | byte | gauge | +| kubernetes.node.memory.capacity.bytes | Node memory capacity in bytes | long | byte | gauge | +| kubernetes.node.name | Kubernetes node name | keyword | | | +| kubernetes.node.pod.allocatable.total | Node allocatable pods | long | | gauge | +| kubernetes.node.pod.capacity.total | Node pod capacity | long | | gauge | +| kubernetes.node.status.disk_pressure | Node DiskPressure status (true, false or unknown) | keyword | | | +| kubernetes.node.status.memory_pressure | Node MemoryPressure status (true, false or unknown) | keyword | | | +| kubernetes.node.status.out_of_disk | Node OutOfDisk status (true, false or unknown) | keyword | | | +| kubernetes.node.status.pid_pressure | Node PIDPressure status (true, false or unknown) | keyword | | | +| kubernetes.node.status.ready | Node ready status (true, false or unknown) | keyword | | | +| kubernetes.node.status.unschedulable | Node unschedulable status | boolean | | | +| kubernetes.pod.ip | Kubernetes pod IP | ip | | | +| kubernetes.pod.name | Kubernetes pod name | keyword | | | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | | | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | | +| 
kubernetes.selectors.\* | Kubernetes Service selectors map | object | | | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | | +| orchestrator.cluster.name | Name of the cluster. | keyword | | | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | | ### state_persistentvolume 
@@ -951,97 +1005,101 @@ An example event for `state_persistentvolume` looks as following: }, "labels": { "type": "local" - } - }, - "host": { - "ip": [ - "172.17.0.11" - ], - "mac": [ - "02:42:ac:11:00:0b" - ], - "hostname": "agent-ingest-management-clusterscope-674dbb75df-rp8cc", - "architecture": "x86_64", - "os": { - "codename": "Core", - "platform": "centos", - "version": "7 (Core)", - "family": "redhat", - "name": "CentOS Linux", - "kernel": "4.19.81" - }, - "id": "b0e83d397c054b8a99a431072fe4617b", - "name": "agent-ingest-management-clusterscope-674dbb75df-rp8cc", - "containerized": false - }, - "metricset": { - "period": 10000, - "name": "state_persistentvolume" - }, - "service": { - "address": "kube-state-metrics:8080", - "type": "kubernetes" - } -} -``` - -**Exported fields** - -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. 
| constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. 
| keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | -| kubernetes.annotations.\* | Kubernetes annotations map | object | -| kubernetes.container.image | Kubernetes container image | keyword | -| kubernetes.container.name | Kubernetes container name | keyword | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | -| kubernetes.labels.\* | Kubernetes labels map | object | -| kubernetes.namespace | Kubernetes namespace | keyword | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | -| kubernetes.node.name | Kubernetes node name | keyword | -| kubernetes.pod.ip | Kubernetes pod IP | ip | -| kubernetes.pod.name | Kubernetes pod name | keyword | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
| keyword | + } + }, + "host": { + "ip": [ + "172.17.0.11" + ], + "mac": [ + "02:42:ac:11:00:0b" + ], + "hostname": "agent-ingest-management-clusterscope-674dbb75df-rp8cc", + "architecture": "x86_64", + "os": { + "codename": "Core", + "platform": "centos", + "version": "7 (Core)", + "family": "redhat", + "name": "CentOS Linux", + "kernel": "4.19.81" + }, + "id": "b0e83d397c054b8a99a431072fe4617b", + "name": "agent-ingest-management-clusterscope-674dbb75df-rp8cc", + "containerized": false + }, + "metricset": { + "period": 10000, + "name": "state_persistentvolume" + }, + "service": { + "address": "kube-state-metrics:8080", + "type": "kubernetes" + } +} +``` + +**Exported fields** + +| Field | Description | Type | Unit | Metric Type | +|---|---|---|---|---| +| @timestamp | Event timestamp. | date | | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | | +| cloud.instance.name | Instance name of the host machine. | keyword | | | +| cloud.machine.type | Machine type of the host machine. | keyword | | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | +| cloud.region | Region in which this host is running. | keyword | | | +| container.id | Unique container id. | keyword | | | +| container.image.name | Name of the image the container was built on. | keyword | | | +| container.labels | Image labels. | object | | | +| container.name | Container name. | keyword | | | +| data_stream.dataset | Data stream dataset. 
| constant_keyword | | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | | +| data_stream.type | Data stream type. | constant_keyword | | | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | +| host.architecture | Operating system architecture. | keyword | | | +| host.containerized | If the host is a container. | boolean | | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | +| host.ip | Host ip addresses. | ip | | | +| host.mac | Host mac addresses. | keyword | | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.os.build | OS build information. | keyword | | | +| host.os.codename | OS codename, if any. | keyword | | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | +| host.os.name | Operating system name, without the version. | keyword | | | +| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). 
| keyword | | | +| host.os.version | Operating system version as a raw string. | keyword | | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| kubernetes.annotations.\* | Kubernetes annotations map | object | | | +| kubernetes.container.image | Kubernetes container image | keyword | | | +| kubernetes.container.name | Kubernetes container name | keyword | | | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | | | +| kubernetes.labels.\* | Kubernetes labels map | object | | | +| kubernetes.namespace | Kubernetes namespace | keyword | | | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | | +| kubernetes.node.name | Kubernetes node name | keyword | | | +| kubernetes.persistentvolume.capacity.bytes | Volume capacity | long | byte | gauge | +| kubernetes.persistentvolume.name | Volume name. | keyword | | | +| kubernetes.persistentvolume.phase | Volume phase according to kubernetes | keyword | | | +| kubernetes.persistentvolume.storage_class | Storage class for the volume | keyword | | | +| kubernetes.pod.ip | Kubernetes pod IP | ip | | | +| kubernetes.pod.name | Kubernetes pod name | keyword | | | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | | | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | | +| orchestrator.cluster.name | Name of the cluster. | keyword | | | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). 
| keyword | | | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | | ### state_persistentvolumeclaim 
@@ -1116,61 +1174,67 @@ An example event for `state_persistentvolumeclaim` looks as following:
 **Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| kubernetes.annotations.\* | Kubernetes annotations map | object |
-| kubernetes.container.image | Kubernetes container image | keyword |
-| kubernetes.container.name | Kubernetes container name | keyword |
-| kubernetes.deployment.name | Kubernetes deployment name | keyword |
-| kubernetes.labels.\* | Kubernetes labels map | object |
-| kubernetes.namespace | Kubernetes namespace | keyword |
-| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword |
-| kubernetes.node.name | Kubernetes node name | keyword |
-| kubernetes.pod.ip | Kubernetes pod IP | ip |
-| kubernetes.pod.name | Kubernetes pod name | keyword |
-| kubernetes.pod.uid | Kubernetes pod UID | keyword |
-| kubernetes.replicaset.name | Kubernetes replicaset name | keyword |
-| kubernetes.selectors.\* | Kubernetes Service selectors map | object |
-| kubernetes.statefulset.name | Kubernetes statefulset name | keyword |
-| orchestrator.cluster.name | Name of the cluster. | keyword |
-| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword |
-| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Unit | Metric Type |
+|---|---|---|---|---|
+| @timestamp | Event timestamp. | date | | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | | |
+| cloud.instance.name | Instance name of the host machine. | keyword | | |
+| cloud.machine.type | Machine type of the host machine. | keyword | | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
+| cloud.region | Region in which this host is running. | keyword | | |
+| container.id | Unique container id. | keyword | | |
+| container.image.name | Name of the image the container was built on. | keyword | | |
+| container.labels | Image labels. | object | | |
+| container.name | Container name. | keyword | | |
+| data_stream.dataset | Data stream dataset. | constant_keyword | | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | | |
+| data_stream.type | Data stream type. | constant_keyword | | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
+| host.architecture | Operating system architecture. | keyword | | |
+| host.containerized | If the host is a container. | boolean | | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
+| host.mac | Host mac addresses. | keyword | | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
+| host.os.build | OS build information. | keyword | | |
+| host.os.codename | OS codename, if any. | keyword | | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
+| host.os.name | Operating system name, without the version. | keyword | | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
+| host.os.version | Operating system version as a raw string. | keyword | | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
+| kubernetes.annotations.\* | Kubernetes annotations map | object | | |
+| kubernetes.container.image | Kubernetes container image | keyword | | |
+| kubernetes.container.name | Kubernetes container name | keyword | | |
+| kubernetes.deployment.name | Kubernetes deployment name | keyword | | |
+| kubernetes.labels.\* | Kubernetes labels map | object | | |
+| kubernetes.namespace | Kubernetes namespace | keyword | | |
+| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | |
+| kubernetes.node.name | Kubernetes node name | keyword | | |
+| kubernetes.persistentvolumeclaim.access_mode | Access mode. | keyword | | |
+| kubernetes.persistentvolumeclaim.name | PVC name. | keyword | | |
+| kubernetes.persistentvolumeclaim.phase | PVC phase. | keyword | | |
+| kubernetes.persistentvolumeclaim.request_storage.bytes | Requested capacity. | long | byte | gauge |
+| kubernetes.persistentvolumeclaim.storage_class | Storage class for the PVC. | keyword | | |
+| kubernetes.persistentvolumeclaim.volume_name | Binded volume name. | keyword | | |
+| kubernetes.pod.ip | Kubernetes pod IP | ip | | |
+| kubernetes.pod.name | Kubernetes pod name | keyword | | |
+| kubernetes.pod.uid | Kubernetes pod UID | keyword | | |
+| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | |
+| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | |
+| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | |
+| orchestrator.cluster.name | Name of the cluster. | keyword | | |
+| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | |
+| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
 ### state_pod
@@ -1347,8 +1411,12 @@ An example event for `state_pod` looks as following:
 | kubernetes.node.labels.\* | Kubernetes node labels map | object |
 | kubernetes.node.name | Kubernetes node name | keyword |
 | kubernetes.node.uid | Kubernetes node UID | keyword |
+| kubernetes.pod.host_ip | Kubernetes pod host IP | ip |
 | kubernetes.pod.ip | Kubernetes pod IP | ip |
 | kubernetes.pod.name | Kubernetes pod name | keyword |
+| kubernetes.pod.status.phase | Kubernetes pod phase (Running, Pending...) | keyword |
+| kubernetes.pod.status.ready | Kubernetes pod ready status (true, false or unknown) | keyword |
+| kubernetes.pod.status.scheduled | Kubernetes pod scheduled status (true, false, unknown) | keyword |
 | kubernetes.pod.uid | Kubernetes pod UID | keyword |
 | kubernetes.replicaset.name | Kubernetes replicaset name | keyword |
 | kubernetes.selectors.\* | Kubernetes Service selectors map | object |
@@ -1440,61 +1508,66 @@ An example event for `state_replicaset` looks as following:
 **Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| kubernetes.annotations.\* | Kubernetes annotations map | object |
-| kubernetes.container.image | Kubernetes container image | keyword |
-| kubernetes.container.name | Kubernetes container name | keyword |
-| kubernetes.deployment.name | Kubernetes deployment name | keyword |
-| kubernetes.labels.\* | Kubernetes labels map | object |
-| kubernetes.namespace | Kubernetes namespace | keyword |
-| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword |
-| kubernetes.node.name | Kubernetes node name | keyword |
-| kubernetes.pod.ip | Kubernetes pod IP | ip |
-| kubernetes.pod.name | Kubernetes pod name | keyword |
-| kubernetes.pod.uid | Kubernetes pod UID | keyword |
-| kubernetes.replicaset.name | Kubernetes replicaset name | keyword |
-| kubernetes.selectors.\* | Kubernetes Service selectors map | object |
-| kubernetes.statefulset.name | Kubernetes statefulset name | keyword |
-| orchestrator.cluster.name | Name of the cluster. | keyword |
-| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword |
-| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Metric Type |
+|---|---|---|---|
+| @timestamp | Event timestamp. | date | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | |
+| cloud.instance.name | Instance name of the host machine. | keyword | |
+| cloud.machine.type | Machine type of the host machine. | keyword | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
+| cloud.region | Region in which this host is running. | keyword | |
+| container.id | Unique container id. | keyword | |
+| container.image.name | Name of the image the container was built on. | keyword | |
+| container.labels | Image labels. | object | |
+| container.name | Container name. | keyword | |
+| data_stream.dataset | Data stream dataset. | constant_keyword | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | |
+| data_stream.type | Data stream type. | constant_keyword | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | |
+| host.architecture | Operating system architecture. | keyword | |
+| host.containerized | If the host is a container. | boolean | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | |
+| host.ip | Host ip addresses. | ip | |
+| host.mac | Host mac addresses. | keyword | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | |
+| host.os.build | OS build information. | keyword | |
+| host.os.codename | OS codename, if any. | keyword | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | |
+| host.os.name | Operating system name, without the version. | keyword | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | |
+| host.os.version | Operating system version as a raw string. | keyword | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | |
+| kubernetes.annotations.\* | Kubernetes annotations map | object | |
+| kubernetes.container.image | Kubernetes container image | keyword | |
+| kubernetes.container.name | Kubernetes container name | keyword | |
+| kubernetes.deployment.name | Kubernetes deployment name | keyword | |
+| kubernetes.labels.\* | Kubernetes labels map | object | |
+| kubernetes.namespace | Kubernetes namespace | keyword | |
+| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | |
+| kubernetes.node.name | Kubernetes node name | keyword | |
+| kubernetes.pod.ip | Kubernetes pod IP | ip | |
+| kubernetes.pod.name | Kubernetes pod name | keyword | |
+| kubernetes.pod.uid | Kubernetes pod UID | keyword | |
+| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | |
+| kubernetes.replicaset.replicas.available | The number of replicas per ReplicaSet | long | gauge |
+| kubernetes.replicaset.replicas.desired | The number of replicas per ReplicaSet | long | gauge |
+| kubernetes.replicaset.replicas.labeled | The number of fully labeled replicas per ReplicaSet | long | gauge |
+| kubernetes.replicaset.replicas.observed | The generation observed by the ReplicaSet controller | long | gauge |
+| kubernetes.replicaset.replicas.ready | The number of ready replicas per ReplicaSet | long | gauge |
+| kubernetes.selectors.\* | Kubernetes Service selectors map | object | |
+| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | |
+| orchestrator.cluster.name | Name of the cluster. | keyword | |
+| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | |
+| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | |
 ### state_resourcequota
@@ -1565,61 +1638,66 @@ An example event for `state_resourcequota` looks as following:
 **Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
-| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
-| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
-| host.ip | Host ip addresses. | ip |
-| host.mac | Host mac addresses. | keyword |
-| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
-| host.os.build | OS build information. | keyword |
-| host.os.codename | OS codename, if any. | keyword |
-| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
-| host.os.kernel | Operating system kernel version as a raw string. | keyword |
-| host.os.name | Operating system name, without the version. | keyword |
-| host.os.name.text | Multi-field of `host.os.name`. | text |
-| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
-| host.os.version | Operating system version as a raw string. | keyword |
-| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
-| kubernetes.annotations.\* | Kubernetes annotations map | object |
-| kubernetes.container.image | Kubernetes container image | keyword |
-| kubernetes.container.name | Kubernetes container name | keyword |
-| kubernetes.deployment.name | Kubernetes deployment name | keyword |
-| kubernetes.labels.\* | Kubernetes labels map | object |
-| kubernetes.namespace | Kubernetes namespace | keyword |
-| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword |
-| kubernetes.node.name | Kubernetes node name | keyword |
-| kubernetes.pod.ip | Kubernetes pod IP | ip |
-| kubernetes.pod.name | Kubernetes pod name | keyword |
-| kubernetes.pod.uid | Kubernetes pod UID | keyword |
-| kubernetes.replicaset.name | Kubernetes replicaset name | keyword |
-| kubernetes.selectors.\* | Kubernetes Service selectors map | object |
-| kubernetes.statefulset.name | Kubernetes statefulset name | keyword |
-| orchestrator.cluster.name | Name of the cluster. | keyword |
-| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword |
-| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword |
-| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword |
+| Field | Description | Type | Unit | Metric Type |
+|---|---|---|---|---|
+| @timestamp | Event timestamp. | date | | |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword | | |
+| cloud.image.id | Image ID for the cloud instance. | keyword | | |
+| cloud.instance.id | Instance ID of the host machine. | keyword | | |
+| cloud.instance.name | Instance name of the host machine. | keyword | | |
+| cloud.machine.type | Machine type of the host machine. | keyword | | |
+| cloud.project.id | Name of the project in Google Cloud. | keyword | | |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | |
+| cloud.region | Region in which this host is running. | keyword | | |
+| container.id | Unique container id. | keyword | | |
+| container.image.name | Name of the image the container was built on. | keyword | | |
+| container.labels | Image labels. | object | | |
+| container.name | Container name. | keyword | | |
+| data_stream.dataset | Data stream dataset. | constant_keyword | | |
+| data_stream.namespace | Data stream namespace. | constant_keyword | | |
+| data_stream.type | Data stream type. | constant_keyword | | |
+| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | |
+| host.architecture | Operating system architecture. | keyword | | |
+| host.containerized | If the host is a container. | boolean | | |
+| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | |
+| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | |
+| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | |
+| host.ip | Host ip addresses. | ip | | |
+| host.mac | Host mac addresses. | keyword | | |
+| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | |
+| host.os.build | OS build information. | keyword | | |
+| host.os.codename | OS codename, if any. | keyword | | |
+| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | |
+| host.os.kernel | Operating system kernel version as a raw string. | keyword | | |
+| host.os.name | Operating system name, without the version. | keyword | | |
+| host.os.name.text | Multi-field of `host.os.name`. | text | | |
+| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | |
+| host.os.version | Operating system version as a raw string. | keyword | | |
+| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | |
+| kubernetes.annotations.\* | Kubernetes annotations map | object | | |
+| kubernetes.container.image | Kubernetes container image | keyword | | |
+| kubernetes.container.name | Kubernetes container name | keyword | | |
+| kubernetes.deployment.name | Kubernetes deployment name | keyword | | |
+| kubernetes.labels.\* | Kubernetes labels map | object | | |
+| kubernetes.namespace | Kubernetes namespace | keyword | | |
+| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | |
+| kubernetes.node.name | Kubernetes node name | keyword | | |
+| kubernetes.pod.ip | Kubernetes pod IP | ip | | |
+| kubernetes.pod.name | Kubernetes pod name | keyword | | |
+| kubernetes.pod.uid | Kubernetes pod UID | keyword | | |
+| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | |
+| kubernetes.resourcequota.created.sec | Epoch seconds since the ResourceQuota was created | double | s | gauge |
+| kubernetes.resourcequota.name | ResourceQuota name | keyword | | |
+| kubernetes.resourcequota.quota | Quota informed (hard or used) for the resource | double | | gauge |
+| kubernetes.resourcequota.resource | Resource name the quota applies to | keyword | | |
+| kubernetes.resourcequota.type | Quota information type, `hard` or `used` | keyword | | |
+| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | |
+| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | |
+| orchestrator.cluster.name | Name of the cluster. | keyword | | |
+| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | |
+| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
 ### state_service
@@ -1775,6 +1853,15 @@ An example event for `state_service` looks as following:
 | kubernetes.pod.uid | Kubernetes pod UID | keyword |
 | kubernetes.replicaset.name | Kubernetes replicaset name | keyword |
 | kubernetes.selectors.\* | Kubernetes Service selectors map | object |
+| kubernetes.service.cluster_ip | Internal IP for the service. | keyword |
+| kubernetes.service.created | Service creation date | date |
+| kubernetes.service.external_ip | Service external IP | keyword |
+| kubernetes.service.external_name | Service external DNS name | keyword |
+| kubernetes.service.ingress_hostname | Ingress Hostname | keyword |
+| kubernetes.service.ingress_ip | Ingress IP | keyword |
+| kubernetes.service.load_balancer_ip | Load Balancer service IP | keyword |
+| kubernetes.service.name | Service name. | keyword |
+| kubernetes.service.type | Service type | keyword |
 | kubernetes.statefulset.name | Kubernetes statefulset name | keyword |
 | orchestrator.cluster.name | Name of the cluster. | keyword |
 | orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword |
@@ -1855,61 +1942,67 @@ An example event for `state_statefulset` looks as following: **Exported fields** -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| kubernetes.annotations.\* | Kubernetes annotations map | object | -| kubernetes.container.image | Kubernetes container image | keyword | -| kubernetes.container.name | Kubernetes container name | keyword | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | -| kubernetes.labels.\* | Kubernetes labels map | object | -| kubernetes.namespace | Kubernetes namespace | keyword | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | -| kubernetes.node.name | Kubernetes node name | keyword | -| kubernetes.pod.ip | Kubernetes pod IP | ip | -| kubernetes.pod.name | Kubernetes pod name | keyword | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| Field | Description | Type | Metric Type | +|---|---|---|---| +| @timestamp | Event timestamp. | date | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | +| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | +| cloud.instance.name | Instance name of the host machine. | keyword | | +| cloud.machine.type | Machine type of the host machine. | keyword | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | +| cloud.region | Region in which this host is running. | keyword | | +| container.id | Unique container id. | keyword | | +| container.image.name | Name of the image the container was built on. | keyword | | +| container.labels | Image labels. | object | | +| container.name | Container name. | keyword | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | +| data_stream.type | Data stream type. | constant_keyword | | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | +| host.architecture | Operating system architecture. | keyword | | +| host.containerized | If the host is a container. | boolean | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. 
| keyword | | +| host.ip | Host ip addresses. | ip | | +| host.mac | Host mac addresses. | keyword | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | +| host.os.build | OS build information. | keyword | | +| host.os.codename | OS codename, if any. | keyword | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | +| host.os.name | Operating system name, without the version. | keyword | | +| host.os.name.text | Multi-field of `host.os.name`. | text | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | +| host.os.version | Operating system version as a raw string. | keyword | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | +| kubernetes.annotations.\* | Kubernetes annotations map | object | | +| kubernetes.container.image | Kubernetes container image | keyword | | +| kubernetes.container.name | Kubernetes container name | keyword | | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | | +| kubernetes.labels.\* | Kubernetes labels map | object | | +| kubernetes.namespace | Kubernetes namespace | keyword | | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | +| kubernetes.node.name | Kubernetes node name | keyword | | +| kubernetes.pod.ip | Kubernetes pod IP | ip | | +| kubernetes.pod.name | Kubernetes pod name | keyword | | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | +| kubernetes.statefulset.created | The creation timestamp (epoch) for StatefulSet | long | gauge | +| kubernetes.statefulset.generation.desired | The desired generation per StatefulSet | long | gauge | +| kubernetes.statefulset.generation.observed | The observed generation per StatefulSet | long | gauge | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | +| kubernetes.statefulset.replicas.desired | The number of desired replicas per StatefulSet | long | gauge | +| kubernetes.statefulset.replicas.observed | The number of observed replicas per StatefulSet | long | gauge | +| kubernetes.statefulset.replicas.ready | The number of ready replicas per StatefulSet | long | gauge | +| orchestrator.cluster.name | Name of the cluster. | keyword | | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). 
| keyword | | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | ### state_storageclass @@ -2034,6 +2127,11 @@ An example event for `state_storageclass` looks as following: | kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | kubernetes.selectors.\* | Kubernetes Service selectors map | object | | kubernetes.statefulset.name | Kubernetes statefulset name | keyword | +| kubernetes.storageclass.created | Storage class creation date | date | +| kubernetes.storageclass.name | Storage class name. | keyword | +| kubernetes.storageclass.provisioner | Volume provisioner for the storage class. | keyword | +| kubernetes.storageclass.reclaim_policy | Reclaim policy for dynamically created volumes | keyword | +| kubernetes.storageclass.volume_binding_mode | Mode for default provisioning and binding | keyword | | orchestrator.cluster.name | Name of the cluster. | keyword | | orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | diff --git a/packages/kubernetes/docs/kubelet.md b/packages/kubernetes/docs/kubelet.md index 5550b2536da..cabf8c1018d 100644 --- a/packages/kubernetes/docs/kubelet.md +++ b/packages/kubernetes/docs/kubelet.md 
@@ -231,8 +231,32 @@ An example event for `container` looks as following: | host.os.version | Operating system version as a raw string. | keyword | | | | host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | | kubernetes.annotations.\* | Kubernetes annotations map | object | | | +| kubernetes.container.cpu.usage.core.ns | Container CPU Core usage nanoseconds | long | | gauge | +| kubernetes.container.cpu.usage.limit.pct | CPU usage as a percentage of the defined limit for the container (or total node allocatable CPU if unlimited) | scaled_float | percent | gauge | +| kubernetes.container.cpu.usage.nanocores | CPU used nanocores | long | | gauge | +| kubernetes.container.cpu.usage.node.pct | CPU usage as a percentage of the total node allocatable CPU | scaled_float | percent | gauge | | kubernetes.container.image | Kubernetes container image | keyword | | | +| kubernetes.container.logs.available.bytes | Logs available capacity in bytes | long | byte | gauge | +| kubernetes.container.logs.capacity.bytes | Logs total capacity in bytes | long | byte | gauge | +| kubernetes.container.logs.inodes.count | Total available inodes | long | | gauge | +| kubernetes.container.logs.inodes.free | Total free inodes | long | | gauge | +| kubernetes.container.logs.inodes.used | Total used inodes | long | | gauge | +| kubernetes.container.logs.used.bytes | Logs used capacity in bytes | long | byte | gauge | +| kubernetes.container.memory.available.bytes | Total available memory | long | byte | gauge | +| kubernetes.container.memory.majorpagefaults | Number of major page faults | long | | counter | +| kubernetes.container.memory.pagefaults | Number of page faults | long | | counter | +| kubernetes.container.memory.rss.bytes | RSS memory usage | long | byte | gauge | +| kubernetes.container.memory.usage.bytes | Total memory usage | 
long | byte | gauge | +| kubernetes.container.memory.usage.limit.pct | Memory usage as a percentage of the defined limit for the container (or total node allocatable memory if unlimited) | scaled_float | percent | gauge | +| kubernetes.container.memory.usage.node.pct | Memory usage as a percentage of the total node allocatable memory | scaled_float | percent | gauge | +| kubernetes.container.memory.workingset.bytes | Working set memory usage | long | byte | gauge | +| kubernetes.container.memory.workingset.limit.pct | Working set memory usage as a percentage of the defined limit for the container (or total node allocatable memory if unlimited) | scaled_float | percent | gauge | | kubernetes.container.name | Kubernetes container name | keyword | | | +| kubernetes.container.rootfs.available.bytes | Root filesystem total available in bytes | long | byte | gauge | +| kubernetes.container.rootfs.capacity.bytes | Root filesystem total capacity in bytes | long | byte | gauge | +| kubernetes.container.rootfs.inodes.used | Used inodes | long | | gauge | +| kubernetes.container.rootfs.used.bytes | Root filesystem total used in bytes | long | byte | gauge | +| kubernetes.container.start_time | Start time | date | | | | kubernetes.cronjob.name | Name of the CronJob to which the Pod belongs | keyword | | | | kubernetes.daemonset.name | Kubernetes daemonset name | keyword | | | | kubernetes.deployment.name | Kubernetes deployment name | keyword | | | 
@@ -419,61 +443,83 @@ An example event for `node` looks as following: **Exported fields** -| Field | Description | Type | -|---|---|---| -| @timestamp | Event timestamp. | date | -| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.availability_zone | Availability zone in which this host is running. | keyword | -| cloud.image.id | Image ID for the cloud instance. | keyword | -| cloud.instance.id | Instance ID of the host machine. | keyword | -| cloud.instance.name | Instance name of the host machine. | keyword | -| cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.project.id | Name of the project in Google Cloud. | keyword | -| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host is running. | keyword | -| container.id | Unique container id. | keyword | -| container.image.name | Name of the image the container was built on. | keyword | -| container.labels | Image labels. | object | -| container.name | Container name. | keyword | -| data_stream.dataset | Data stream dataset. | constant_keyword | -| data_stream.namespace | Data stream namespace. | constant_keyword | -| data_stream.type | Data stream type. | constant_keyword | -| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | -| host.architecture | Operating system architecture. | keyword | -| host.containerized | If the host is a container. | boolean | -| host.domain | Name of the domain of which the host is a member. 
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| kubernetes.annotations.\* | Kubernetes annotations map | object | -| kubernetes.container.image | Kubernetes container image | keyword | -| kubernetes.container.name | Kubernetes container name | keyword | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | -| kubernetes.labels.\* | Kubernetes labels map | object | -| kubernetes.namespace | Kubernetes namespace | keyword | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | -| kubernetes.node.name | Kubernetes node name | keyword | -| kubernetes.pod.ip | Kubernetes pod IP | ip | -| kubernetes.pod.name | Kubernetes pod name | keyword | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| Field | Description | Type | Unit | Metric Type | +|---|---|---|---|---| +| @timestamp | Event timestamp. | date | | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | +| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | | +| cloud.instance.name | Instance name of the host machine. | keyword | | | +| cloud.machine.type | Machine type of the host machine. | keyword | | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | +| cloud.region | Region in which this host is running. | keyword | | | +| container.id | Unique container id. | keyword | | | +| container.image.name | Name of the image the container was built on. | keyword | | | +| container.labels | Image labels. | object | | | +| container.name | Container name. | keyword | | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | | +| data_stream.type | Data stream type. | constant_keyword | | | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | +| host.architecture | Operating system architecture. | keyword | | | +| host.containerized | If the host is a container. | boolean | | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword | | | +| host.ip | Host ip addresses. | ip | | | +| host.mac | Host mac addresses. | keyword | | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.os.build | OS build information. | keyword | | | +| host.os.codename | OS codename, if any. | keyword | | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | +| host.os.name | Operating system name, without the version. | keyword | | | +| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.version | Operating system version as a raw string. | keyword | | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | +| kubernetes.annotations.\* | Kubernetes annotations map | object | | | +| kubernetes.container.image | Kubernetes container image | keyword | | | +| kubernetes.container.name | Kubernetes container name | keyword | | | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | | | +| kubernetes.labels.\* | Kubernetes labels map | object | | | +| kubernetes.namespace | Kubernetes namespace | keyword | | | +| kubernetes.node.cpu.usage.core.ns | Node CPU Core usage nanoseconds | long | | gauge | +| kubernetes.node.cpu.usage.nanocores | CPU used nanocores | long | | gauge | +| kubernetes.node.fs.available.bytes | Filesystem total available in bytes | long | byte | gauge | +| kubernetes.node.fs.capacity.bytes | Filesystem total capacity in bytes | long | byte | gauge | +| kubernetes.node.fs.inodes.count | Number of inodes | long | | gauge | +| kubernetes.node.fs.inodes.free | Number of free inodes | long | | gauge | +| kubernetes.node.fs.inodes.used | Number of used inodes | long | | gauge | +| kubernetes.node.fs.used.bytes | Filesystem total used in bytes | long | byte | gauge | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | | +| kubernetes.node.memory.available.bytes | Total available memory | long | byte | gauge | +| kubernetes.node.memory.majorpagefaults | Number of major page faults | long | | counter | +| kubernetes.node.memory.pagefaults | Number of page faults | long | | counter | +| kubernetes.node.memory.rss.bytes | RSS memory usage | long | byte | gauge | +| kubernetes.node.memory.usage.bytes | Total memory usage | long | byte | gauge | +| kubernetes.node.memory.workingset.bytes | Working set memory usage | long | byte | gauge | +| kubernetes.node.name | Kubernetes node name | keyword | | | +| kubernetes.node.network.rx.bytes | Received bytes | long | byte | counter | +| kubernetes.node.network.rx.errors | Rx errors | long | | | +| kubernetes.node.network.tx.bytes | Transmitted 
bytes | long | byte | counter | +| kubernetes.node.network.tx.errors | Tx errors | long | | counter | +| kubernetes.node.runtime.imagefs.available.bytes | Image filesystem total available in bytes | long | byte | gauge | +| kubernetes.node.runtime.imagefs.capacity.bytes | Image filesystem total capacity in bytes | long | byte | gauge | +| kubernetes.node.runtime.imagefs.used.bytes | Image filesystem total used in bytes | long | byte | gauge | +| kubernetes.node.start_time | Start time | date | | | +| kubernetes.pod.ip | Kubernetes pod IP | ip | | | +| kubernetes.pod.name | Kubernetes pod name | keyword | | | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | | | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | | +| orchestrator.cluster.name | Name of the cluster. | keyword | | | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | | +| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | | +| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | | ### pod 
@@ -632,72 +678,89 @@ An example event for `pod` looks as following:
 **Exported fields**
-| Field | Description | Type | Metric Type |
-|---|---|---|---|
-| @timestamp | Event timestamp. | date | |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword | |
-| cloud.image.id | Image ID for the cloud instance. | keyword | |
-| cloud.instance.id | Instance ID of the host machine. | keyword | |
-| cloud.instance.name | Instance name of the host machine. | keyword | |
-| cloud.machine.type | Machine type of the host machine. | keyword | |
-| cloud.project.id | Name of the project in Google Cloud. | keyword | |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
-| cloud.region | Region in which this host is running. | keyword | |
-| container.id | Unique container id. | keyword | |
-| container.image.name | Name of the image the container was built on. | keyword | |
-| container.labels | Image labels. | object | |
-| container.name | Container name. | keyword | |
-| container.network.egress.bytes | Total number of outgoing bytes. | long | counter |
-| container.network.ingress.bytes | Total number of incoming bytes. | long | counter |
-| data_stream.dataset | Data stream dataset. | constant_keyword | |
-| data_stream.namespace | Data stream namespace. | constant_keyword | |
-| data_stream.type | Data stream type. | constant_keyword | |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
| keyword | | -| host.architecture | Operating system architecture. | keyword | | -| host.containerized | If the host is a container. | boolean | | -| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | -| host.ip | Host ip addresses. | ip | | -| host.mac | Host mac addresses. | keyword | | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | -| host.os.build | OS build information. | keyword | | -| host.os.codename | OS codename, if any. | keyword | | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | | -| host.os.name | Operating system name, without the version. | keyword | | -| host.os.name.text | Multi-field of `host.os.name`. | text | | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | -| host.os.version | Operating system version as a raw string. | keyword | | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | -| kubernetes.annotations.\* | Kubernetes annotations map | object | | -| kubernetes.container.image | Kubernetes container image | keyword | | -| kubernetes.container.name | Kubernetes container name | keyword | | -| kubernetes.cronjob.name | Name of the CronJob to which the Pod belongs | keyword | | -| kubernetes.daemonset.name | Kubernetes daemonset name | keyword | | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | | -| kubernetes.job.name | Name of the Job to which the Pod belongs | keyword | | -| kubernetes.labels.\* | Kubernetes labels map | object | | -| kubernetes.namespace | Kubernetes namespace | keyword | | -| kubernetes.namespace_annotations.\* | Kubernetes namespace annotations map | object | | -| kubernetes.namespace_labels.\* | Kubernetes namespace labels map | object | | -| kubernetes.namespace_uid | Kubernetes namespace UID | keyword | | -| kubernetes.node.annotations.\* | Kubernetes node annotations map | object | | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | -| kubernetes.node.labels.\* | Kubernetes node labels map | object | | -| kubernetes.node.name | Kubernetes node name | keyword | | -| kubernetes.node.uid | Kubernetes node UID | keyword | | -| kubernetes.pod.ip | Kubernetes pod IP | ip | | -| kubernetes.pod.name | Kubernetes pod name | keyword | | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | -| orchestrator.cluster.name | Name of the cluster. | keyword | | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). 
| keyword | | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | +| Field | Description | Type | Unit | Metric Type | +|---|---|---|---|---| +| @timestamp | Event timestamp. | date | | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | | +| cloud.instance.name | Instance name of the host machine. | keyword | | | +| cloud.machine.type | Machine type of the host machine. | keyword | | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | +| cloud.region | Region in which this host is running. | keyword | | | +| container.id | Unique container id. | keyword | | | +| container.image.name | Name of the image the container was built on. | keyword | | | +| container.labels | Image labels. | object | | | +| container.name | Container name. | keyword | | | +| container.network.egress.bytes | Total number of outgoing bytes. | long | | counter | +| container.network.ingress.bytes | Total number of incoming bytes. | long | | counter | +| data_stream.dataset | Data stream dataset. | constant_keyword | | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | | +| data_stream.type | Data stream type. | constant_keyword | | | +| ecs.version | ECS version this event conforms to. 
`ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | +| host.architecture | Operating system architecture. | keyword | | | +| host.containerized | If the host is a container. | boolean | | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | | +| host.ip | Host ip addresses. | ip | | | +| host.mac | Host mac addresses. | keyword | | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.os.build | OS build information. | keyword | | | +| host.os.codename | OS codename, if any. | keyword | | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | +| host.os.name | Operating system name, without the version. | keyword | | | +| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.version | Operating system version as a raw string. | keyword | | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. 
If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | | | +| kubernetes.annotations.\* | Kubernetes annotations map | object | | | +| kubernetes.container.image | Kubernetes container image | keyword | | | +| kubernetes.container.name | Kubernetes container name | keyword | | | +| kubernetes.cronjob.name | Name of the CronJob to which the Pod belongs | keyword | | | +| kubernetes.daemonset.name | Kubernetes daemonset name | keyword | | | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | | | +| kubernetes.job.name | Name of the Job to which the Pod belongs | keyword | | | +| kubernetes.labels.\* | Kubernetes labels map | object | | | +| kubernetes.namespace | Kubernetes namespace | keyword | | | +| kubernetes.namespace_annotations.\* | Kubernetes namespace annotations map | object | | | +| kubernetes.namespace_labels.\* | Kubernetes namespace labels map | object | | | +| kubernetes.namespace_uid | Kubernetes namespace UID | keyword | | | +| kubernetes.node.annotations.\* | Kubernetes node annotations map | object | | | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | | +| kubernetes.node.labels.\* | Kubernetes node labels map | object | | | +| kubernetes.node.name | Kubernetes node name | keyword | | | +| kubernetes.node.uid | Kubernetes node UID | keyword | | | +| kubernetes.pod.cpu.usage.limit.pct | CPU usage as a percentage of the defined limit for the pod containers (or total node CPU if one or more containers of the pod are unlimited) | scaled_float | percent | gauge | +| kubernetes.pod.cpu.usage.nanocores | CPU used nanocores | long | byte | gauge | +| kubernetes.pod.cpu.usage.node.pct | CPU usage as a percentage of the total node CPU | scaled_float | percent | gauge | +| kubernetes.pod.ip | Kubernetes pod IP | ip | | | +| kubernetes.pod.memory.available.bytes | Total memory available | long | percent | gauge | +| 
kubernetes.pod.memory.major_page_faults | Total major page faults | long | | counter | +| kubernetes.pod.memory.page_faults | Total page faults | long | | counter | +| kubernetes.pod.memory.rss.bytes | Total resident set size memory | long | percent | gauge | +| kubernetes.pod.memory.usage.bytes | Total memory usage | long | byte | gauge | +| kubernetes.pod.memory.usage.limit.pct | Memory usage as a percentage of the defined limit for the pod containers (or total node allocatable memory if unlimited) | scaled_float | percent | gauge | +| kubernetes.pod.memory.usage.node.pct | Memory usage as a percentage of the total node allocatable memory | scaled_float | percent | gauge | +| kubernetes.pod.memory.working_set.bytes | Total working set memory | long | percent | gauge | +| kubernetes.pod.memory.working_set.limit.pct | Working set memory usage as a percentage of the defined limit for the pod containers (or total node allocatable memory if unlimited) | scaled_float | percent | gauge | +| kubernetes.pod.name | Kubernetes pod name | keyword | | | +| kubernetes.pod.network.rx.bytes | Received bytes | long | byte | counter | +| kubernetes.pod.network.rx.errors | Rx errors | long | | counter | +| kubernetes.pod.network.tx.bytes | Transmitted bytes | long | byte | counter | +| kubernetes.pod.network.tx.errors | Tx errors | long | | counter | +| kubernetes.pod.start_time | Start time | date | | | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | | | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | | +| orchestrator.cluster.name | Name of the cluster. | keyword | | | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | | +| service.address | Address where data about this service was collected from. 
This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
 ### system
@@ -813,61 +876,70 @@ An example event for `system` looks as following:
 **Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member.
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| kubernetes.annotations.\* | Kubernetes annotations map | object | -| kubernetes.container.image | Kubernetes container image | keyword | -| kubernetes.container.name | Kubernetes container name | keyword | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | -| kubernetes.labels.\* | Kubernetes labels map | object | -| kubernetes.namespace | Kubernetes namespace | keyword | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | -| kubernetes.node.name | Kubernetes node name | keyword | -| kubernetes.pod.ip | Kubernetes pod IP | ip | -| kubernetes.pod.name | Kubernetes pod name | keyword | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| Field | Description | Type | Unit | Metric Type | +|---|---|---|---|---| +| @timestamp | Event timestamp. | date | | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | +| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | | +| cloud.instance.name | Instance name of the host machine. | keyword | | | +| cloud.machine.type | Machine type of the host machine. | keyword | | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | +| cloud.region | Region in which this host is running. | keyword | | | +| container.id | Unique container id. | keyword | | | +| container.image.name | Name of the image the container was built on. | keyword | | | +| container.labels | Image labels. | object | | | +| container.name | Container name. | keyword | | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | | +| data_stream.type | Data stream type. | constant_keyword | | | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | +| host.architecture | Operating system architecture. | keyword | | | +| host.containerized | If the host is a container. | boolean | | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword | | | +| host.ip | Host ip addresses. | ip | | | +| host.mac | Host mac addresses. | keyword | | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.os.build | OS build information. | keyword | | | +| host.os.codename | OS codename, if any. | keyword | | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | +| host.os.name | Operating system name, without the version. | keyword | | | +| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.version | Operating system version as a raw string. | keyword | | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | +| kubernetes.annotations.\* | Kubernetes annotations map | object | | | +| kubernetes.container.image | Kubernetes container image | keyword | | | +| kubernetes.container.name | Kubernetes container name | keyword | | | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | | | +| kubernetes.labels.\* | Kubernetes labels map | object | | | +| kubernetes.namespace | Kubernetes namespace | keyword | | | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | | +| kubernetes.node.name | Kubernetes node name | keyword | | | +| kubernetes.pod.ip | Kubernetes pod IP | ip | | | +| kubernetes.pod.name | Kubernetes pod name | keyword | | | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | | | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | | +| kubernetes.system.container | Container name | keyword | | | +| kubernetes.system.cpu.usage.core.ns | CPU Core usage nanoseconds | long | | gauge | +| kubernetes.system.cpu.usage.nanocores | CPU used nanocores | long | | gauge | +| kubernetes.system.memory.majorpagefaults | Number of major page faults | long | | counter | +| kubernetes.system.memory.pagefaults | Number of page faults | long | | counter | +| kubernetes.system.memory.rss.bytes | RSS memory usage | long | byte | gauge | +| kubernetes.system.memory.usage.bytes | Total memory usage | long | byte | gauge | +| kubernetes.system.memory.workingset.bytes | Working set memory usage | long | byte | gauge | +| kubernetes.system.start_time | Start time | date | | | +| orchestrator.cluster.name | Name of the cluster. | keyword | | | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | | +| service.address | Address where data about this service was collected from. 
This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
 ### volume
@@ -982,58 +1054,67 @@ An example event for `volume` looks as following:
 **Exported fields**
-| Field | Description | Type |
-|---|---|---|
-| @timestamp | Event timestamp. | date |
-| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
-| cloud.availability_zone | Availability zone in which this host is running. | keyword |
-| cloud.image.id | Image ID for the cloud instance. | keyword |
-| cloud.instance.id | Instance ID of the host machine. | keyword |
-| cloud.instance.name | Instance name of the host machine. | keyword |
-| cloud.machine.type | Machine type of the host machine. | keyword |
-| cloud.project.id | Name of the project in Google Cloud. | keyword |
-| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
-| cloud.region | Region in which this host is running. | keyword |
-| container.id | Unique container id. | keyword |
-| container.image.name | Name of the image the container was built on. | keyword |
-| container.labels | Image labels. | object |
-| container.name | Container name. | keyword |
-| data_stream.dataset | Data stream dataset. | constant_keyword |
-| data_stream.namespace | Data stream namespace. | constant_keyword |
-| data_stream.type | Data stream type. | constant_keyword |
-| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
-| host.architecture | Operating system architecture. | keyword |
-| host.containerized | If the host is a container. | boolean |
-| host.domain | Name of the domain of which the host is a member.
For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | -| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | -| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | -| host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | -| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | -| host.os.build | OS build information. | keyword | -| host.os.codename | OS codename, if any. | keyword | -| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | -| host.os.kernel | Operating system kernel version as a raw string. | keyword | -| host.os.name | Operating system name, without the version. | keyword | -| host.os.name.text | Multi-field of `host.os.name`. | text | -| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | -| host.os.version | Operating system version as a raw string. | keyword | -| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | -| kubernetes.annotations.\* | Kubernetes annotations map | object | -| kubernetes.container.image | Kubernetes container image | keyword | -| kubernetes.container.name | Kubernetes container name | keyword | -| kubernetes.deployment.name | Kubernetes deployment name | keyword | -| kubernetes.labels.\* | Kubernetes labels map | object | -| kubernetes.namespace | Kubernetes namespace | keyword | -| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | -| kubernetes.node.name | Kubernetes node name | keyword | -| kubernetes.pod.ip | Kubernetes pod IP | ip | -| kubernetes.pod.name | Kubernetes pod name | keyword | -| kubernetes.pod.uid | Kubernetes pod UID | keyword | -| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | -| kubernetes.selectors.\* | Kubernetes Service selectors map | object | -| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | -| orchestrator.cluster.name | Name of the cluster. | keyword | -| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | -| service.address | Address where data about this service was collected from. This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | -| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | +| Field | Description | Type | Unit | Metric Type | +|---|---|---|---|---| +| @timestamp | Event timestamp. | date | | | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | | +| cloud.availability_zone | Availability zone in which this host is running. 
| keyword | | | +| cloud.image.id | Image ID for the cloud instance. | keyword | | | +| cloud.instance.id | Instance ID of the host machine. | keyword | | | +| cloud.instance.name | Instance name of the host machine. | keyword | | | +| cloud.machine.type | Machine type of the host machine. | keyword | | | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | | +| cloud.region | Region in which this host is running. | keyword | | | +| container.id | Unique container id. | keyword | | | +| container.image.name | Name of the image the container was built on. | keyword | | | +| container.labels | Image labels. | object | | | +| container.name | Container name. | keyword | | | +| data_stream.dataset | Data stream dataset. | constant_keyword | | | +| data_stream.namespace | Data stream namespace. | constant_keyword | | | +| data_stream.type | Data stream type. | constant_keyword | | | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | | +| host.architecture | Operating system architecture. | keyword | | | +| host.containerized | If the host is a container. | boolean | | | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | | | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. 
Example: The current usage of `beat.name`. | keyword | | | +| host.ip | Host ip addresses. | ip | | | +| host.mac | Host mac addresses. | keyword | | | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | | +| host.os.build | OS build information. | keyword | | | +| host.os.codename | OS codename, if any. | keyword | | | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | | | +| host.os.name | Operating system name, without the version. | keyword | | | +| host.os.name.text | Multi-field of `host.os.name`. | text | | | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | | | +| host.os.version | Operating system version as a raw string. | keyword | | | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. 
| keyword | | | +| kubernetes.annotations.\* | Kubernetes annotations map | object | | | +| kubernetes.container.image | Kubernetes container image | keyword | | | +| kubernetes.container.name | Kubernetes container name | keyword | | | +| kubernetes.deployment.name | Kubernetes deployment name | keyword | | | +| kubernetes.labels.\* | Kubernetes labels map | object | | | +| kubernetes.namespace | Kubernetes namespace | keyword | | | +| kubernetes.node.hostname | Kubernetes hostname as reported by the node’s kernel | keyword | | | +| kubernetes.node.name | Kubernetes node name | keyword | | | +| kubernetes.pod.ip | Kubernetes pod IP | ip | | | +| kubernetes.pod.name | Kubernetes pod name | keyword | | | +| kubernetes.pod.uid | Kubernetes pod UID | keyword | | | +| kubernetes.replicaset.name | Kubernetes replicaset name | keyword | | | +| kubernetes.selectors.\* | Kubernetes Service selectors map | object | | | +| kubernetes.statefulset.name | Kubernetes statefulset name | keyword | | | +| kubernetes.volume.fs.available.bytes | Filesystem total available in bytes | long | byte | gauge | +| kubernetes.volume.fs.capacity.bytes | Filesystem total capacity in bytes | long | byte | gauge | +| kubernetes.volume.fs.inodes.count | Total inodes | long | | gauge | +| kubernetes.volume.fs.inodes.free | Free inodes | long | | gauge | +| kubernetes.volume.fs.inodes.pct | Percentage of used inodes | scaled_float | percent | gauge | +| kubernetes.volume.fs.inodes.used | Used inodes | long | | gauge | +| kubernetes.volume.fs.used.bytes | Filesystem total used in bytes | long | byte | gauge | +| kubernetes.volume.fs.used.pct | Percentage of filesystem total used | scaled_float | percent | gauge | +| kubernetes.volume.name | Volume name | keyword | | | +| orchestrator.cluster.name | Name of the cluster. | keyword | | | +| orchestrator.cluster.url | URL of the API used to manage the cluster. | keyword | | | +| service.address | Address where data about this service was collected from. 
This should be a URI, network address (ipv4:port or [ipv6]:port) or a resource path (sockets). | keyword | | |
+| service.type | The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. | keyword | | |
diff --git a/packages/panw/data_stream/panos/fields/fields.yml b/packages/panw/data_stream/panos/fields/fields.yml
index 4981d2b007a..3625a118742 100644
--- a/packages/panw/data_stream/panos/fields/fields.yml
+++ b/packages/panw/data_stream/panos/fields/fields.yml
@@ -332,3 +332,25 @@
 type: keyword
 description: |
 A string showing the how the GlobalProtect app connects to Gateway.
+- name: labels.pcap_included
+ type: boolean
+- name: labels.ipv6_session
+ type: boolean
+- name: labels.ssl_decrypted
+ type: boolean
+- name: labels.url_filter_denied
+ type: boolean
+- name: labels.nat_translated
+ type: boolean
+- name: labels.captive_portal
+ type: boolean
+- name: labels.x_forwarded_for
+ type: boolean
+- name: labels.http_proxy
+ type: boolean
+- name: labels.container_page
+ type: boolean
+- name: labels.temporary_match
+ type: boolean
+- name: labels.symmetric_return
+ type: boolean
diff --git a/packages/panw/docs/README.md b/packages/panw/docs/README.md
index 71cfc697320..873410c3a78 100644
--- a/packages/panw/docs/README.md
+++ b/packages/panw/docs/README.md
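Review bot: The eleven new `labels.*` boolean fields in the fields.yml hunk carry no `description`, so the regenerated README in the next file renders empty description cells for flags such as `labels.ssl_decrypted` and `labels.url_filter_denied`, which are exactly the ones a detection engineer will filter on. The ECS `labels` field is documented in that same README as an object whose values are all stored as keyword, so explicitly typed boolean sub-fields under it deserve a one-line note on their origin; presumably they map PAN-OS session flag bits, but that is not visible here. Add a description under each entry, e.g. `description: Set when the firewall decrypted the session (PAN-OS session flag).`, with wording confirmed against the PAN-OS log field reference.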
@@ -99,6 +99,17 @@ The ingest-geoip Elasticsearch plugin is required to run this module. | http.request.referer | Referrer for this HTTP request. | keyword | | input.type | Type of Filebeat input. | keyword | | labels | Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. | object | +| labels.captive_portal | | boolean | +| labels.container_page | | boolean | +| labels.http_proxy | | boolean | +| labels.ipv6_session | | boolean | +| labels.nat_translated | | boolean | +| labels.pcap_included | | boolean | +| labels.ssl_decrypted | | boolean | +| labels.symmetric_return | | boolean | +| labels.temporary_match | | boolean | +| labels.url_filter_denied | | boolean | +| labels.x_forwarded_for | | boolean | | log.file.path | Path to the log file. | keyword | | log.flags | Flags for the log file. | keyword | | log.level | Original log level of the log event. If the source of the event provides a log level or textual severity, this is the one that goes in `log.level`. If your source doesn't specify one, you may put your event transport's severity here (e.g. Syslog severity). Some examples are `warn`, `err`, `i`, `informational`. | keyword | From 2b2f05da5a423cc8baf2bec1a0bb9afd9c008932 Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Wed, 11 May 2022 18:22:35 +0200 Subject: [PATCH 19/28] Use elastic-package from master for testing --- go.mod | 4 +++- go.sum | 10 +++++----- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index 3749e28590b..8086cb261fd 100644 --- a/go.mod +++ b/go.mod 
@@ -41,7 +41,7 @@ require (
 github.com/elastic/go-sysinfo v1.7.1 // indirect
 github.com/elastic/go-ucfg v0.8.4 // indirect
 github.com/elastic/go-windows v1.0.1 // indirect
- github.com/elastic/package-spec v1.7.0 // indirect
+ github.com/elastic/package-spec v1.8.0 // indirect
 github.com/emirpasic/gods v1.12.0 // indirect
 github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
@@ -164,3 +164,5 @@ require (
 sigs.k8s.io/structured-merge-diff/v4 v4.2.1 // indirect
 sigs.k8s.io/yaml v1.3.0 // indirect
 )
+
+replace github.com/elastic/elastic-package => github.com/elastic/elastic-package v0.48.1-0.20220511104207-12db194afa2d
diff --git a/go.sum b/go.sum
index 350adafef43..82d0d0ce1b6 100644
--- a/go.sum
+++ b/go.sum
@@ -409,8 +409,8 @@ github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5/go.mod h1:qssHWj6
 github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY=
 github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
-github.com/elastic/elastic-package v0.48.0 h1:9zGRDPP14SSCAR5s+3Avcg+YgXkx8qKe+tE5jb+pGjw=
-github.com/elastic/elastic-package v0.48.0/go.mod h1:dfwpbABdh4+BA/PmKf+0fB/KtqawaWWa0Ax0HhdqcL8=
+github.com/elastic/elastic-package v0.48.1-0.20220511104207-12db194afa2d h1:p38gJ7OEa58gawB8XDQ4sdzFfsHQlxvlmXh/vaiOEZ8=
+github.com/elastic/elastic-package v0.48.1-0.20220511104207-12db194afa2d/go.mod h1:0xJUNGxEvB3+scNrdVf1TMXUMjpL6VGyLYQAIfMDZss=
 github.com/elastic/go-elasticsearch/v7 v7.17.1 h1:49mHcHx7lpCL8cW1aioEwSEVKQF3s+Igi4Ye/QTWwmk=
 github.com/elastic/go-elasticsearch/v7 v7.17.1/go.mod h1:OJ4wdbtDNk5g503kvlHLyErCgQwwzmDtaFC4XyOxXA4=
 github.com/elastic/go-licenser v0.3.1/go.mod h1:D8eNQk70FOCVBl3smCGQt/lv7meBeQno2eI1S5apiHQ=
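Review bot: The `replace` directive added in the second go.mod hunk pins elastic-package to an untagged pseudo-version from master, and the commit message says this is for testing; there is nothing in the file marking it as temporary, so it can easily be merged and forgotten. Add a comment above it, e.g. `// TODO(testing): remove once the next tagged elastic-package release is published`, naming the release that should replace it. The pseudo-version itself is immutable and go.sum now carries its hashes, so the build stays reproducible, but the `v0.48.1-0.2022…` form hides which reviewed release the test tooling actually corresponds to.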
@@ -427,8 +427,8 @@ github.com/elastic/go-windows v1.0.1 h1:AlYZOldA+UJ0/2nBuqWdo90GFCgG9xuyw9SYzGUt github.com/elastic/go-windows v1.0.1/go.mod h1:FoVvqWSun28vaDQPbj2Elfc0JahhPB7WQEGa3c814Ss= github.com/elastic/package-registry v1.8.0 h1:c2nUbBZct3c2LZ6uw0HotB+11PmYM8xh0ynvyeuzFBY= github.com/elastic/package-registry v1.8.0/go.mod h1:zh8h1v9v2VYBQvlZK2KoD/uDJlYC7re5PLf4eDALEFA= -github.com/elastic/package-spec v1.7.0 h1:cwWMVz3YIAbyUDFrVOdPfqwn3btZoMPSKSedfT0VlZA= -github.com/elastic/package-spec v1.7.0/go.mod h1:KzGTSDqCkdhmL1IFpOH2ZQNSSE9JEhNtndxU3ZrQilA= +github.com/elastic/package-spec v1.8.0 h1:/5P4SwQhJgfULRg1b7I83TOzij4/L+J39o1LJiJTiJ0= +github.com/elastic/package-spec v1.8.0/go.mod h1:KzGTSDqCkdhmL1IFpOH2ZQNSSE9JEhNtndxU3ZrQilA= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153 h1:yUdfgN0XgIJw7foRItutHYUIhlcKzcSf5vDpdhQAKTc= github.com/elazarl/goproxy v0.0.0-20180725130230-947c36da3153/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= @@ -1950,7 +1950,7 @@ gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= -gotest.tools/gotestsum v1.8.0/go.mod h1:ctqdxBSCPv80kAFjYvFNpPntBrE5HAQnLiOKBGLmOBs= +gotest.tools/gotestsum v1.8.1/go.mod h1:ctqdxBSCPv80kAFjYvFNpPntBrE5HAQnLiOKBGLmOBs= gotest.tools/v3 v3.0.2/go.mod h1:3SzNCllyD9/Y+b5r9JIKQ474KzkZyqLqEfYqMsX94Bk= gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0= gotest.tools/v3 v3.0.3/go.mod h1:Z7Lb0S5l+klDB31fvDQX8ss/FlKDxtlFlw3Oa8Ymbl8= From 876186ee5e37e2a9bee04e637897c2f3444c8a44 Mon Sep 17 00:00:00 2001 
From: Jaime Soriano Pastor Date: Wed, 11 May 2022 18:34:48 +0200 Subject: [PATCH 20/28] Adjustments in AWS --- .../auditd/data_stream/log/fields/agent.yml | 18 ------ .../auditd/data_stream/log/fields/ecs.yml | 4 +- packages/auditd/docs/README.md | 8 +++ .../aws/data_stream/billing/fields/ecs.yml | 2 +- .../billing/fields/package-fields.yml | 4 +- .../cloudfront_logs/fields/agent.yml | 50 +++++++++++++++++ .../cloudfront_logs/fields/package-fields.yml | 3 + .../data_stream/cloudtrail/fields/agent.yml | 42 ++++++++++++++ .../cloudwatch_logs/fields/agent.yml | 56 +++++++++++++++++++ .../cloudwatch_metrics/fields/ecs.yml | 2 +- .../fields/package-fields.yml | 3 + .../aws/data_stream/dynamodb/fields/ecs.yml | 2 +- .../dynamodb/fields/package-fields.yml | 3 + packages/aws/data_stream/ebs/fields/ecs.yml | 2 +- .../data_stream/ebs/fields/package-fields.yml | 3 + .../aws/data_stream/ec2_logs/fields/agent.yml | 56 +++++++++++++++++++ .../data_stream/ec2_metrics/fields/ecs.yml | 2 +- .../ec2_metrics/fields/package-fields.yml | 3 + .../aws/data_stream/elb_logs/fields/agent.yml | 50 +++++++++++++++++ .../data_stream/elb_metrics/fields/ecs.yml | 2 +- .../elb_metrics/fields/package-fields.yml | 3 + .../firewall_logs/fields/agent.yml | 42 ++++++++++++++ .../firewall_metrics/fields/ecs.yml | 2 +- .../fields/package-fields.yml | 3 + .../aws/data_stream/lambda/fields/ecs.yml | 2 +- .../lambda/fields/package-fields.yml | 3 + .../aws/data_stream/natgateway/fields/ecs.yml | 2 +- .../natgateway/fields/package-fields.yml | 3 + packages/aws/data_stream/rds/fields/ecs.yml | 2 +- .../data_stream/rds/fields/package-fields.yml | 3 + .../route53_public_logs/fields/agent.yml | 56 +++++++++++++++++++ .../route53_resolver_logs/fields/agent.yml | 56 +++++++++++++++++++ .../s3_daily_storage/fields/ecs.yml | 2 +- .../fields/package-fields.yml | 3 + .../aws/data_stream/s3_request/fields/ecs.yml | 2 +- .../s3_request/fields/package-fields.yml | 3 + .../s3_storage_lens/fields/ecs.yml | 2 +- 
.../s3_storage_lens/fields/package-fields.yml | 3 + .../aws/data_stream/s3access/fields/agent.yml | 50 +++++++++++++++++ packages/aws/data_stream/sns/fields/ecs.yml | 2 +- .../data_stream/sns/fields/package-fields.yml | 3 + packages/aws/data_stream/sqs/fields/ecs.yml | 2 +- .../data_stream/sqs/fields/package-fields.yml | 3 + .../data_stream/transitgateway/fields/ecs.yml | 2 +- .../transitgateway/fields/package-fields.yml | 3 + packages/aws/data_stream/usage/fields/ecs.yml | 2 +- .../usage/fields/package-fields.yml | 3 + .../aws/data_stream/vpcflow/fields/agent.yml | 36 ++++++++++++ packages/aws/data_stream/vpn/fields/ecs.yml | 2 +- .../data_stream/vpn/fields/package-fields.yml | 3 + packages/aws/data_stream/waf/fields/agent.yml | 50 +++++++++++++++++ packages/aws/data_stream/waf/fields/ecs.yml | 2 +- packages/aws/docs/billing.md | 6 ++ packages/aws/docs/cloudfront.md | 8 +++ packages/aws/docs/cloudtrail.md | 7 +++ packages/aws/docs/cloudwatch.md | 15 +++++ packages/aws/docs/dynamodb.md | 6 ++ packages/aws/docs/ebs.md | 6 ++ packages/aws/docs/ec2.md | 15 +++++ packages/aws/docs/elb.md | 14 +++++ packages/aws/docs/firewall.md | 13 +++++ packages/aws/docs/lambda.md | 6 ++ packages/aws/docs/natgateway.md | 6 ++ packages/aws/docs/rds.md | 6 ++ packages/aws/docs/route53.md | 18 ++++++ packages/aws/docs/s3.md | 20 +++++++ packages/aws/docs/s3_storage_lens.md | 6 ++ packages/aws/docs/sns.md | 6 ++ packages/aws/docs/sqs.md | 6 ++ packages/aws/docs/transitgateway.md | 6 ++ packages/aws/docs/usage.md | 6 ++ packages/aws/docs/vpcflow.md | 6 ++ packages/aws/docs/vpn.md | 6 ++ packages/aws/docs/waf.md | 32 ++--------- 74 files changed, 821 insertions(+), 69 deletions(-) diff --git a/packages/auditd/data_stream/log/fields/agent.yml b/packages/auditd/data_stream/log/fields/agent.yml index 3a282e597f5..ba1facea249 100644 --- a/packages/auditd/data_stream/log/fields/agent.yml +++ b/packages/auditd/data_stream/log/fields/agent.yml 
@@ -54,24 +54,6 @@
 - name: image.id
 type: keyword
 description: Image ID for the cloud instance.
-- name: container
- title: Container
- group: 2
- description: 'Container fields are used for meta information about the specific container that is the source of information.
-
- These fields help correlate data based containers from any runtime.'
- type: group
- fields:
- - name: image.name
- level: extended
- type: keyword
- ignore_above: 1024
- description: Name of the image the container was built on.
- - name: labels
- level: extended
- type: object
- object_type: keyword
- description: Image labels.
 - name: host
 title: Host
 group: 2
diff --git a/packages/auditd/data_stream/log/fields/ecs.yml b/packages/auditd/data_stream/log/fields/ecs.yml
index 8337d204ca3..027dc739fc9 100644
--- a/packages/auditd/data_stream/log/fields/ecs.yml
+++ b/packages/auditd/data_stream/log/fields/ecs.yml
@@ -1,7 +1,5 @@
 - external: ecs
- name: container.name
-- external: ecs
- name: container.runtime
+ name: container
 - external: ecs
 name: destination.address
 - external: ecs
diff --git a/packages/auditd/docs/README.md b/packages/auditd/docs/README.md
index 4daeaaa60dd..5f9d12a83d7 100644
--- a/packages/auditd/docs/README.md
+++ b/packages/auditd/docs/README.md
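Review bot: Replacing `container.name` and `container.runtime` with a whole-group `name: container` import in the ecs.yml hunk pulls every ECS container field into a log data stream that never populates most of them; the README regenerated in the next file shows `container.cpu.usage`, `container.disk.*`, `container.memory.usage` and `container.network.*` now advertised for auditd events. If the goal was only to carry over the `image.name` and `labels` entries removed from agent.yml in the first hunk, listing the fields explicitly keeps the mapping and the documentation honest; add `container.id` as well only if the pipeline sets it. Both hunks are complete within this line.
```yaml
- external: ecs
  name: container.image.name
- external: ecs
  name: container.labels
- external: ecs
  name: container.name
- external: ecs
  name: container.runtime
# … unchanged: destination.address and the remaining entries …
```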
@@ -183,9 +183,17 @@ An example event for `log` looks as following: | cloud.project.id | Name of the project in Google Cloud. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host is running. | keyword | +| container.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. | scaled_float | +| container.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | +| container.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | +| container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | +| container.image.tag | Container image tags. | keyword | | container.labels | Image labels. | object | +| container.memory.usage | Memory usage percentage and it ranges from 0 to 1. Scaling factor: 1000. | scaled_float | | container.name | Container name. | keyword | +| container.network.egress.bytes | The number of bytes (gauge) sent out on all network interfaces by the container since the last metric collection. | long | +| container.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the container since the last metric collection. | long | | container.runtime | Runtime managing this container. | keyword | | data_stream.dataset | Data stream dataset. | constant_keyword | | data_stream.namespace | Data stream namespace. | constant_keyword | diff --git a/packages/aws/data_stream/billing/fields/ecs.yml b/packages/aws/data_stream/billing/fields/ecs.yml index 3ee1d551d0b..5cf1142beb2 100644 --- a/packages/aws/data_stream/billing/fields/ecs.yml +++ b/packages/aws/data_stream/billing/fields/ecs.yml 
@@ -3,6 +3,6 @@
 - external: ecs
 name: ecs.version
 - external: ecs
- name: error.message
+ name: error
 - external: ecs
 name: service.type
diff --git a/packages/aws/data_stream/billing/fields/package-fields.yml b/packages/aws/data_stream/billing/fields/package-fields.yml
index 7adc9facb0c..2f867802104 100644
--- a/packages/aws/data_stream/billing/fields/package-fields.yml
+++ b/packages/aws/data_stream/billing/fields/package-fields.yml
@@ -29,4 +29,6 @@
 type: keyword
 description: >
 Name or alias used to identify linked account.
-
+- name: cloud.image.id
+ type: keyword
+ description: Image ID for the cloud instance.
diff --git a/packages/aws/data_stream/cloudfront_logs/fields/agent.yml b/packages/aws/data_stream/cloudfront_logs/fields/agent.yml
index 57264f48bfa..c4046b50136 100644
--- a/packages/aws/data_stream/cloudfront_logs/fields/agent.yml
+++ b/packages/aws/data_stream/cloudfront_logs/fields/agent.yml
@@ -1,3 +1,53 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 - name: container title: Container group: 2 diff --git a/packages/aws/data_stream/cloudfront_logs/fields/package-fields.yml b/packages/aws/data_stream/cloudfront_logs/fields/package-fields.yml index ce27e3defb7..7c255e78153 100644 
--- a/packages/aws/data_stream/cloudfront_logs/fields/package-fields.yml +++ b/packages/aws/data_stream/cloudfront_logs/fields/package-fields.yml @@ -6,3 +6,6 @@ description: |- The edge location that served the request. Each edge location is identified by a three-letter code and an arbitrarily assigned number (for example, DFW3). The three-letter code typically corresponds with the International Air Transport Association (IATA) airport code for an airport near the edge location’s geographic location. path: aws.cloudfront.edge_location +- name: cloud.image.id + type: keyword + description: Image ID for the cloud instance. diff --git a/packages/aws/data_stream/cloudtrail/fields/agent.yml b/packages/aws/data_stream/cloudtrail/fields/agent.yml index 57264f48bfa..f159d392948 100644 --- a/packages/aws/data_stream/cloudtrail/fields/agent.yml +++ b/packages/aws/data_stream/cloudtrail/fields/agent.yml 
@@ -1,3 +1,45 @@
+- name: cloud
+ title: Cloud
+ group: 2
+ description: Fields related to the cloud or infrastructure the events are coming from.
+ footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.'
+ type: group
+ fields:
+ - name: availability_zone
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Availability zone in which this host is running.
+ example: us-east-1c
+ - name: instance.id
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance ID of the host machine.
+ example: i-1234567890abcdef0
+ - name: instance.name
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Instance name of the host machine.
+ - name: machine.type
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Machine type of the host machine.
+ example: t2.medium
+ - name: provider
+ level: extended
+ type: keyword
+ ignore_above: 1024
+ description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
+ example: aws
+ - name: project.id
+ type: keyword
+ description: Name of the project in Google Cloud.
+ - name: image.id
+ type: keyword
+ description: Image ID for the cloud instance.
 - name: container
 title: Container
 group: 2
diff --git a/packages/aws/data_stream/cloudwatch_logs/fields/agent.yml b/packages/aws/data_stream/cloudwatch_logs/fields/agent.yml
index 57264f48bfa..da4e652c53b 100644
--- a/packages/aws/data_stream/cloudwatch_logs/fields/agent.yml
+++ b/packages/aws/data_stream/cloudwatch_logs/fields/agent.yml
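Review bot: The `project.id` and `image.id` entries at the end of the new cloud group omit the `level: extended` and `ignore_above: 1024` that every sibling entry in the same group carries, so they are mapped as unbounded keywords and the file's own convention breaks; add `level: extended` and `ignore_above: 1024` under each. This cloudtrail group also has no `account.id` or `region` entry, whereas the cloudfront_logs and cloudwatch_logs groups in this patch include both; if cloudtrail defines them in another fields file that is fine, otherwise CloudTrail events would lose the two fields most useful for scoping an investigation, so please confirm. The three trailing context lines belong to the `container` group, whose body continues outside the hunk.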
@@ -1,3 +1,59 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. - name: container title: Container group: 2 
diff --git a/packages/aws/data_stream/cloudwatch_metrics/fields/ecs.yml b/packages/aws/data_stream/cloudwatch_metrics/fields/ecs.yml index 3ee1d551d0b..5cf1142beb2 100644 --- a/packages/aws/data_stream/cloudwatch_metrics/fields/ecs.yml +++ b/packages/aws/data_stream/cloudwatch_metrics/fields/ecs.yml @@ -3,6 +3,6 @@ - external: ecs name: ecs.version - external: ecs - name: error.message + name: error - external: ecs name: service.type diff --git a/packages/aws/data_stream/cloudwatch_metrics/fields/package-fields.yml b/packages/aws/data_stream/cloudwatch_metrics/fields/package-fields.yml index a8a7ee8dcce..d8d37c4717c 100644 --- a/packages/aws/data_stream/cloudwatch_metrics/fields/package-fields.yml +++ b/packages/aws/data_stream/cloudwatch_metrics/fields/package-fields.yml @@ -17,3 +17,6 @@ type: object description: | Metrics that returned from Cloudwatch API query. +- name: cloud.image.id + type: keyword + description: Image ID for the cloud instance. diff --git a/packages/aws/data_stream/dynamodb/fields/ecs.yml b/packages/aws/data_stream/dynamodb/fields/ecs.yml index 3ee1d551d0b..5cf1142beb2 100644 --- a/packages/aws/data_stream/dynamodb/fields/ecs.yml +++ b/packages/aws/data_stream/dynamodb/fields/ecs.yml @@ -3,6 +3,6 @@ - external: ecs name: ecs.version - external: ecs - name: error.message + name: error - external: ecs name: service.type diff --git a/packages/aws/data_stream/dynamodb/fields/package-fields.yml b/packages/aws/data_stream/dynamodb/fields/package-fields.yml index a8a7ee8dcce..d8d37c4717c 100644 --- a/packages/aws/data_stream/dynamodb/fields/package-fields.yml +++ b/packages/aws/data_stream/dynamodb/fields/package-fields.yml @@ -17,3 +17,6 @@ type: object description: | Metrics that returned from Cloudwatch API query. +- name: cloud.image.id + type: keyword + description: Image ID for the cloud instance. diff --git a/packages/aws/data_stream/ebs/fields/ecs.yml b/packages/aws/data_stream/ebs/fields/ecs.yml index 3ee1d551d0b..5cf1142beb2 100644 
--- a/packages/aws/data_stream/ebs/fields/ecs.yml +++ b/packages/aws/data_stream/ebs/fields/ecs.yml @@ -3,6 +3,6 @@ - external: ecs name: ecs.version - external: ecs - name: error.message + name: error - external: ecs name: service.type diff --git a/packages/aws/data_stream/ebs/fields/package-fields.yml b/packages/aws/data_stream/ebs/fields/package-fields.yml index a8a7ee8dcce..d8d37c4717c 100644 --- a/packages/aws/data_stream/ebs/fields/package-fields.yml +++ b/packages/aws/data_stream/ebs/fields/package-fields.yml @@ -17,3 +17,6 @@ type: object description: | Metrics that returned from Cloudwatch API query. +- name: cloud.image.id + type: keyword + description: Image ID for the cloud instance. diff --git a/packages/aws/data_stream/ec2_logs/fields/agent.yml b/packages/aws/data_stream/ec2_logs/fields/agent.yml index 57264f48bfa..da4e652c53b 100644 --- a/packages/aws/data_stream/ec2_logs/fields/agent.yml +++ b/packages/aws/data_stream/ec2_logs/fields/agent.yml 
@@ -1,3 +1,59 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. - name: container title: Container group: 2 
diff --git a/packages/aws/data_stream/ec2_metrics/fields/ecs.yml b/packages/aws/data_stream/ec2_metrics/fields/ecs.yml index 3ee1d551d0b..5cf1142beb2 100644 --- a/packages/aws/data_stream/ec2_metrics/fields/ecs.yml +++ b/packages/aws/data_stream/ec2_metrics/fields/ecs.yml @@ -3,6 +3,6 @@ - external: ecs name: ecs.version - external: ecs - name: error.message + name: error - external: ecs name: service.type diff --git a/packages/aws/data_stream/ec2_metrics/fields/package-fields.yml b/packages/aws/data_stream/ec2_metrics/fields/package-fields.yml index a8a7ee8dcce..d8d37c4717c 100644 --- a/packages/aws/data_stream/ec2_metrics/fields/package-fields.yml +++ b/packages/aws/data_stream/ec2_metrics/fields/package-fields.yml @@ -17,3 +17,6 @@ type: object description: | Metrics that returned from Cloudwatch API query. +- name: cloud.image.id + type: keyword + description: Image ID for the cloud instance. diff --git a/packages/aws/data_stream/elb_logs/fields/agent.yml b/packages/aws/data_stream/elb_logs/fields/agent.yml index 57264f48bfa..4351e0e8210 100644 --- a/packages/aws/data_stream/elb_logs/fields/agent.yml +++ b/packages/aws/data_stream/elb_logs/fields/agent.yml 
@@ -1,3 +1,53 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. - name: container title: Container group: 2 diff --git a/packages/aws/data_stream/elb_metrics/fields/ecs.yml b/packages/aws/data_stream/elb_metrics/fields/ecs.yml index 3ee1d551d0b..5cf1142beb2 100644 --- a/packages/aws/data_stream/elb_metrics/fields/ecs.yml 
+++ b/packages/aws/data_stream/elb_metrics/fields/ecs.yml @@ -3,6 +3,6 @@ - external: ecs name: ecs.version - external: ecs - name: error.message + name: error - external: ecs name: service.type diff --git a/packages/aws/data_stream/elb_metrics/fields/package-fields.yml b/packages/aws/data_stream/elb_metrics/fields/package-fields.yml index a8a7ee8dcce..d8d37c4717c 100644 --- a/packages/aws/data_stream/elb_metrics/fields/package-fields.yml +++ b/packages/aws/data_stream/elb_metrics/fields/package-fields.yml @@ -17,3 +17,6 @@ type: object description: | Metrics that returned from Cloudwatch API query. +- name: cloud.image.id + type: keyword + description: Image ID for the cloud instance. diff --git a/packages/aws/data_stream/firewall_logs/fields/agent.yml b/packages/aws/data_stream/firewall_logs/fields/agent.yml index 57264f48bfa..f159d392948 100644 --- a/packages/aws/data_stream/firewall_logs/fields/agent.yml +++ b/packages/aws/data_stream/firewall_logs/fields/agent.yml 
@@ -1,3 +1,45 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. - name: container title: Container group: 2 diff --git a/packages/aws/data_stream/firewall_metrics/fields/ecs.yml b/packages/aws/data_stream/firewall_metrics/fields/ecs.yml index 3ee1d551d0b..5cf1142beb2 100644 --- a/packages/aws/data_stream/firewall_metrics/fields/ecs.yml +++ b/packages/aws/data_stream/firewall_metrics/fields/ecs.yml @@ -3,6 +3,6 @@ - external: ecs name: ecs.version - external: ecs - name: error.message + name: error - external: ecs name: service.type 
diff --git a/packages/aws/data_stream/firewall_metrics/fields/package-fields.yml b/packages/aws/data_stream/firewall_metrics/fields/package-fields.yml index a8a7ee8dcce..d8d37c4717c 100644 --- a/packages/aws/data_stream/firewall_metrics/fields/package-fields.yml +++ b/packages/aws/data_stream/firewall_metrics/fields/package-fields.yml @@ -17,3 +17,6 @@ type: object description: | Metrics that returned from Cloudwatch API query. +- name: cloud.image.id + type: keyword + description: Image ID for the cloud instance. diff --git a/packages/aws/data_stream/lambda/fields/ecs.yml b/packages/aws/data_stream/lambda/fields/ecs.yml index 3ee1d551d0b..5cf1142beb2 100644 --- a/packages/aws/data_stream/lambda/fields/ecs.yml +++ b/packages/aws/data_stream/lambda/fields/ecs.yml @@ -3,6 +3,6 @@ - external: ecs name: ecs.version - external: ecs - name: error.message + name: error - external: ecs name: service.type diff --git a/packages/aws/data_stream/lambda/fields/package-fields.yml b/packages/aws/data_stream/lambda/fields/package-fields.yml index a8a7ee8dcce..d8d37c4717c 100644 --- a/packages/aws/data_stream/lambda/fields/package-fields.yml +++ b/packages/aws/data_stream/lambda/fields/package-fields.yml @@ -17,3 +17,6 @@ type: object description: | Metrics that returned from Cloudwatch API query. +- name: cloud.image.id + type: keyword + description: Image ID for the cloud instance. diff --git a/packages/aws/data_stream/natgateway/fields/ecs.yml b/packages/aws/data_stream/natgateway/fields/ecs.yml index 3ee1d551d0b..5cf1142beb2 100644 --- a/packages/aws/data_stream/natgateway/fields/ecs.yml +++ b/packages/aws/data_stream/natgateway/fields/ecs.yml @@ -3,6 +3,6 @@ - external: ecs name: ecs.version - external: ecs - name: error.message + name: error - external: ecs name: service.type diff --git a/packages/aws/data_stream/natgateway/fields/package-fields.yml b/packages/aws/data_stream/natgateway/fields/package-fields.yml index a8a7ee8dcce..d8d37c4717c 100644 
--- a/packages/aws/data_stream/natgateway/fields/package-fields.yml +++ b/packages/aws/data_stream/natgateway/fields/package-fields.yml @@ -17,3 +17,6 @@ type: object description: | Metrics that returned from Cloudwatch API query. +- name: cloud.image.id + type: keyword + description: Image ID for the cloud instance. diff --git a/packages/aws/data_stream/rds/fields/ecs.yml b/packages/aws/data_stream/rds/fields/ecs.yml index 3ee1d551d0b..5cf1142beb2 100644 --- a/packages/aws/data_stream/rds/fields/ecs.yml +++ b/packages/aws/data_stream/rds/fields/ecs.yml @@ -3,6 +3,6 @@ - external: ecs name: ecs.version - external: ecs - name: error.message + name: error - external: ecs name: service.type diff --git a/packages/aws/data_stream/rds/fields/package-fields.yml b/packages/aws/data_stream/rds/fields/package-fields.yml index a8a7ee8dcce..d8d37c4717c 100644 --- a/packages/aws/data_stream/rds/fields/package-fields.yml +++ b/packages/aws/data_stream/rds/fields/package-fields.yml @@ -17,3 +17,6 @@ type: object description: | Metrics that returned from Cloudwatch API query. +- name: cloud.image.id + type: keyword + description: Image ID for the cloud instance. diff --git a/packages/aws/data_stream/route53_public_logs/fields/agent.yml b/packages/aws/data_stream/route53_public_logs/fields/agent.yml index 57264f48bfa..da4e652c53b 100644 --- a/packages/aws/data_stream/route53_public_logs/fields/agent.yml +++ b/packages/aws/data_stream/route53_public_logs/fields/agent.yml 
@@ -1,3 +1,59 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. - name: container title: Container group: 2 
diff --git a/packages/aws/data_stream/route53_resolver_logs/fields/agent.yml b/packages/aws/data_stream/route53_resolver_logs/fields/agent.yml index 57264f48bfa..da4e652c53b 100644 --- a/packages/aws/data_stream/route53_resolver_logs/fields/agent.yml +++ b/packages/aws/data_stream/route53_resolver_logs/fields/agent.yml 
@@ -1,3 +1,59 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. - name: container title: Container group: 2 
diff --git a/packages/aws/data_stream/s3_daily_storage/fields/ecs.yml b/packages/aws/data_stream/s3_daily_storage/fields/ecs.yml index 3ee1d551d0b..5cf1142beb2 100644 --- a/packages/aws/data_stream/s3_daily_storage/fields/ecs.yml +++ b/packages/aws/data_stream/s3_daily_storage/fields/ecs.yml @@ -3,6 +3,6 @@ - external: ecs name: ecs.version - external: ecs - name: error.message + name: error - external: ecs name: service.type diff --git a/packages/aws/data_stream/s3_daily_storage/fields/package-fields.yml b/packages/aws/data_stream/s3_daily_storage/fields/package-fields.yml index a8a7ee8dcce..d8d37c4717c 100644 --- a/packages/aws/data_stream/s3_daily_storage/fields/package-fields.yml +++ b/packages/aws/data_stream/s3_daily_storage/fields/package-fields.yml @@ -17,3 +17,6 @@ type: object description: | Metrics that returned from Cloudwatch API query. +- name: cloud.image.id + type: keyword + description: Image ID for the cloud instance. diff --git a/packages/aws/data_stream/s3_request/fields/ecs.yml b/packages/aws/data_stream/s3_request/fields/ecs.yml index 3ee1d551d0b..5cf1142beb2 100644 --- a/packages/aws/data_stream/s3_request/fields/ecs.yml +++ b/packages/aws/data_stream/s3_request/fields/ecs.yml @@ -3,6 +3,6 @@ - external: ecs name: ecs.version - external: ecs - name: error.message + name: error - external: ecs name: service.type diff --git a/packages/aws/data_stream/s3_request/fields/package-fields.yml b/packages/aws/data_stream/s3_request/fields/package-fields.yml index a8a7ee8dcce..d8d37c4717c 100644 --- a/packages/aws/data_stream/s3_request/fields/package-fields.yml +++ b/packages/aws/data_stream/s3_request/fields/package-fields.yml @@ -17,3 +17,6 @@ type: object description: | Metrics that returned from Cloudwatch API query. +- name: cloud.image.id + type: keyword + description: Image ID for the cloud instance. 
diff --git a/packages/aws/data_stream/s3_storage_lens/fields/ecs.yml b/packages/aws/data_stream/s3_storage_lens/fields/ecs.yml index 3ee1d551d0b..5cf1142beb2 100644 --- a/packages/aws/data_stream/s3_storage_lens/fields/ecs.yml +++ b/packages/aws/data_stream/s3_storage_lens/fields/ecs.yml @@ -3,6 +3,6 @@ - external: ecs name: ecs.version - external: ecs - name: error.message + name: error - external: ecs name: service.type diff --git a/packages/aws/data_stream/s3_storage_lens/fields/package-fields.yml b/packages/aws/data_stream/s3_storage_lens/fields/package-fields.yml index a8a7ee8dcce..d8d37c4717c 100644 --- a/packages/aws/data_stream/s3_storage_lens/fields/package-fields.yml +++ b/packages/aws/data_stream/s3_storage_lens/fields/package-fields.yml @@ -17,3 +17,6 @@ type: object description: | Metrics that returned from Cloudwatch API query. +- name: cloud.image.id + type: keyword + description: Image ID for the cloud instance. diff --git a/packages/aws/data_stream/s3access/fields/agent.yml b/packages/aws/data_stream/s3access/fields/agent.yml index 57264f48bfa..4351e0e8210 100644 --- a/packages/aws/data_stream/s3access/fields/agent.yml +++ b/packages/aws/data_stream/s3access/fields/agent.yml 
@@ -1,3 +1,53 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. - name: container title: Container group: 2 diff --git a/packages/aws/data_stream/sns/fields/ecs.yml b/packages/aws/data_stream/sns/fields/ecs.yml index 3ee1d551d0b..5cf1142beb2 100644 --- a/packages/aws/data_stream/sns/fields/ecs.yml 
+++ b/packages/aws/data_stream/sns/fields/ecs.yml @@ -3,6 +3,6 @@ - external: ecs name: ecs.version - external: ecs - name: error.message + name: error - external: ecs name: service.type diff --git a/packages/aws/data_stream/sns/fields/package-fields.yml b/packages/aws/data_stream/sns/fields/package-fields.yml index a8a7ee8dcce..d8d37c4717c 100644 --- a/packages/aws/data_stream/sns/fields/package-fields.yml +++ b/packages/aws/data_stream/sns/fields/package-fields.yml @@ -17,3 +17,6 @@ type: object description: | Metrics that returned from Cloudwatch API query. +- name: cloud.image.id + type: keyword + description: Image ID for the cloud instance. diff --git a/packages/aws/data_stream/sqs/fields/ecs.yml b/packages/aws/data_stream/sqs/fields/ecs.yml index 3ee1d551d0b..5cf1142beb2 100644 --- a/packages/aws/data_stream/sqs/fields/ecs.yml +++ b/packages/aws/data_stream/sqs/fields/ecs.yml @@ -3,6 +3,6 @@ - external: ecs name: ecs.version - external: ecs - name: error.message + name: error - external: ecs name: service.type diff --git a/packages/aws/data_stream/sqs/fields/package-fields.yml b/packages/aws/data_stream/sqs/fields/package-fields.yml index a8a7ee8dcce..d8d37c4717c 100644 --- a/packages/aws/data_stream/sqs/fields/package-fields.yml +++ b/packages/aws/data_stream/sqs/fields/package-fields.yml @@ -17,3 +17,6 @@ type: object description: | Metrics that returned from Cloudwatch API query. +- name: cloud.image.id + type: keyword + description: Image ID for the cloud instance. diff --git a/packages/aws/data_stream/transitgateway/fields/ecs.yml b/packages/aws/data_stream/transitgateway/fields/ecs.yml index 3ee1d551d0b..5cf1142beb2 100644 --- a/packages/aws/data_stream/transitgateway/fields/ecs.yml +++ b/packages/aws/data_stream/transitgateway/fields/ecs.yml @@ -3,6 +3,6 @@ - external: ecs name: ecs.version - external: ecs - name: error.message + name: error - external: ecs name: service.type 
diff --git a/packages/aws/data_stream/transitgateway/fields/package-fields.yml b/packages/aws/data_stream/transitgateway/fields/package-fields.yml index a8a7ee8dcce..d8d37c4717c 100644 --- a/packages/aws/data_stream/transitgateway/fields/package-fields.yml +++ b/packages/aws/data_stream/transitgateway/fields/package-fields.yml @@ -17,3 +17,6 @@ type: object description: | Metrics that returned from Cloudwatch API query. +- name: cloud.image.id + type: keyword + description: Image ID for the cloud instance. diff --git a/packages/aws/data_stream/usage/fields/ecs.yml b/packages/aws/data_stream/usage/fields/ecs.yml index 3ee1d551d0b..5cf1142beb2 100644 --- a/packages/aws/data_stream/usage/fields/ecs.yml +++ b/packages/aws/data_stream/usage/fields/ecs.yml @@ -3,6 +3,6 @@ - external: ecs name: ecs.version - external: ecs - name: error.message + name: error - external: ecs name: service.type diff --git a/packages/aws/data_stream/usage/fields/package-fields.yml b/packages/aws/data_stream/usage/fields/package-fields.yml index a8a7ee8dcce..d8d37c4717c 100644 --- a/packages/aws/data_stream/usage/fields/package-fields.yml +++ b/packages/aws/data_stream/usage/fields/package-fields.yml @@ -17,3 +17,6 @@ type: object description: | Metrics that returned from Cloudwatch API query. +- name: cloud.image.id + type: keyword + description: Image ID for the cloud instance. diff --git a/packages/aws/data_stream/vpcflow/fields/agent.yml b/packages/aws/data_stream/vpcflow/fields/agent.yml index 57264f48bfa..f5878ee6bf7 100644 --- a/packages/aws/data_stream/vpcflow/fields/agent.yml +++ b/packages/aws/data_stream/vpcflow/fields/agent.yml 
@@ -1,3 +1,39 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. - name: container title: Container group: 2 diff --git a/packages/aws/data_stream/vpn/fields/ecs.yml b/packages/aws/data_stream/vpn/fields/ecs.yml index 3ee1d551d0b..5cf1142beb2 100644 --- a/packages/aws/data_stream/vpn/fields/ecs.yml +++ b/packages/aws/data_stream/vpn/fields/ecs.yml @@ -3,6 +3,6 @@ - external: ecs name: ecs.version - external: ecs - name: error.message + name: error - external: ecs name: service.type diff --git a/packages/aws/data_stream/vpn/fields/package-fields.yml b/packages/aws/data_stream/vpn/fields/package-fields.yml index a8a7ee8dcce..d8d37c4717c 100644 --- a/packages/aws/data_stream/vpn/fields/package-fields.yml +++ b/packages/aws/data_stream/vpn/fields/package-fields.yml 
@@ -17,3 +17,6 @@ type: object description: | Metrics that returned from Cloudwatch API query. +- name: cloud.image.id + type: keyword + description: Image ID for the cloud instance. diff --git a/packages/aws/data_stream/waf/fields/agent.yml b/packages/aws/data_stream/waf/fields/agent.yml index 57264f48bfa..4351e0e8210 100644 --- a/packages/aws/data_stream/waf/fields/agent.yml +++ b/packages/aws/data_stream/waf/fields/agent.yml 
@@ -1,3 +1,53 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. + + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. - name: container title: Container group: 2 diff --git a/packages/aws/data_stream/waf/fields/ecs.yml b/packages/aws/data_stream/waf/fields/ecs.yml index 019be5d6dba..cf3ab8d9b70 100644 --- a/packages/aws/data_stream/waf/fields/ecs.yml 
+++ b/packages/aws/data_stream/waf/fields/ecs.yml @@ -3,7 +3,7 @@ - external: ecs name: source.ip - external: ecs - name: cloud + name: cloud.provider - external: ecs name: ecs.version - external: ecs diff --git a/packages/aws/docs/billing.md b/packages/aws/docs/billing.md index 194a4b35eaf..30ab544715e 100644 --- a/packages/aws/docs/billing.md +++ b/packages/aws/docs/billing.md @@ -100,6 +100,7 @@ An example event for `billing` looks as following: | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | 
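Review bot: Narrowing `name: cloud` to `name: cloud.provider` drops every other ECS `cloud.*` field from this stream's ECS references (unless an entry outside the hunk still covers them), and the waf agent.yml hunk earlier in this patch re-adds only `account.id`, `availability_zone`, `instance.id`, `instance.name`, `machine.type`, `region`, `project.id` and `image.id`. Fields the group reference used to cover but that list does not, such as `cloud.account.name` shown in the billing.md table in this patch, would no longer be mapped for waf; confirm the waf ingest pipeline never sets them, or add them to the agent.yml list. A comment on the entry, `# only cloud.provider here; the other cloud.* fields are defined in agent.yml`, would make the split intentional.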
@@ -138,7 +139,12 @@ An example event for `billing` looks as following: | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| error.id | Unique identifier for the error. | keyword | | error.message | Error message. | match_only_text | +| error.stack_trace | The stack trace of this error in plain text. | wildcard | +| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text | +| error.type | The type of the error, for example the class name of the exception. | keyword | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | | host.architecture | Operating system architecture. | keyword | diff --git a/packages/aws/docs/cloudfront.md b/packages/aws/docs/cloudfront.md index cbf3caffed1..9385659f60e 100644 --- a/packages/aws/docs/cloudfront.md +++ b/packages/aws/docs/cloudfront.md 
@@ -17,6 +17,14 @@ The `cloudfront` dataset collects standard logs(also called access logs) from AW | aws.cloudfront.edge_result_type | How the server classified the response after the last byte left the server. In some cases, the result type can change between the time that the server is ready to send the response and the time that it finishes sending the response. See also the x-edge-response-result-type field. For example, in HTTP streaming, suppose the server finds a segment of the stream in the cache. In that scenario, the value of this field would ordinarily be Hit. However, if the viewer closes the connection before the server has delivered the entire segment, the final result type (and the value of this field) is Error. WebSocket connections will have a value of Miss for this field because the content is not cacheable and is proxied directly to the origin. | keyword | | aws.cloudfront.time_to_first_byte | The number of seconds between receiving the request and writing the first byte of the response, as measured on the server. | float | | aws.edge_location | The edge location that served the request. Each edge location is identified by a three-letter code and an arbitrarily assigned number (for example, DFW3). The three-letter code typically corresponds with the International Air Transport Association (IATA) airport code for an airport near the edge location’s geographic location. | alias | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. 
| keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | diff --git a/packages/aws/docs/cloudtrail.md b/packages/aws/docs/cloudtrail.md index 345dafd381e..f482e9994cc 100644 --- a/packages/aws/docs/cloudtrail.md +++ b/packages/aws/docs/cloudtrail.md @@ -56,6 +56,13 @@ events for the account. If user creates a trail, it delivers those events as log | aws.cloudtrail.user_identity.type | The type of the identity | keyword | | aws.cloudtrail.vpc_endpoint_id | Identifies the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3. | keyword | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | | cloud.region | Region in which this host, resource, or service is located. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | diff --git a/packages/aws/docs/cloudwatch.md b/packages/aws/docs/cloudwatch.md index 17ccd0a9f3a..550d0460241 100644 
--- a/packages/aws/docs/cloudwatch.md +++ b/packages/aws/docs/cloudwatch.md @@ -13,6 +13,15 @@ setup already. |---|---|---| | @timestamp | Event timestamp. | date | | aws.cloudwatch.message | CloudWatch log message. | text | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | 
@@ -147,6 +156,7 @@ An example event for `cloudwatch` looks as following:
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
@@ -185,7 +195,12 @@ An example event for `cloudwatch` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/dynamodb.md b/packages/aws/docs/dynamodb.md
index 3a98d5d9561..33f6d0c6d65 100644
--- a/packages/aws/docs/dynamodb.md
+++ b/packages/aws/docs/dynamodb.md
@@ -114,6 +114,7 @@ An example event for `dynamodb` looks as following:
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
@@ -152,7 +153,12 @@ An example event for `dynamodb` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/ebs.md b/packages/aws/docs/ebs.md
index d603e40e0d7..4ab4588e1d0 100644
--- a/packages/aws/docs/ebs.md
+++ b/packages/aws/docs/ebs.md
@@ -98,6 +98,7 @@ An example event for `ebs` looks as following:
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
@@ -136,7 +137,12 @@ An example event for `ebs` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/ec2.md b/packages/aws/docs/ec2.md
index 7f537b42c1f..98ddb98bdf6 100644
--- a/packages/aws/docs/ec2.md
+++ b/packages/aws/docs/ec2.md
@@ -13,6 +13,15 @@ and `process.name`. For logs from other services, please use `cloudwatch` datase
 |---|---|---|
 | @timestamp | Event timestamp. | date |
 | aws.ec2.ip_address | The internet address of the requester. | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -293,6 +302,7 @@ An example event for `ec2` looks as following:
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
@@ -331,7 +341,12 @@ An example event for `ec2` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/elb.md b/packages/aws/docs/elb.md
index 271e6e741c9..19d93e6394f 100644
--- a/packages/aws/docs/elb.md
+++ b/packages/aws/docs/elb.md
@@ -47,7 +47,15 @@ For network load balancer, please follow [enable access log for network load bal
 | aws.elb.tls_named_group | The TLS named group. | keyword |
 | aws.elb.trace_id | The contents of the `X-Amzn-Trace-Id` header. | keyword |
 | aws.elb.type | The type of the load balancer for v2 Load Balancers. | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -358,6 +366,7 @@ An example event for `elb` looks as following:
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
@@ -396,7 +405,12 @@ An example event for `elb` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/firewall.md b/packages/aws/docs/firewall.md
index 052c1fbcae3..da815d78c24 100644
--- a/packages/aws/docs/firewall.md
+++ b/packages/aws/docs/firewall.md
@@ -162,6 +162,13 @@ An example event for `firewall` looks as following:
 | aws.firewall.tcp_flags | The bitmask value for the following TCP flags: 2=SYN,18=SYN-ACK,1=FIN,4=RST | keyword |
 | aws.firewall.tcp_flags_array | List of TCP flags: 'fin, syn, rst, psh, ack, urg' | keyword |
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
 | cloud.region | Region in which this host, resource, or service is located. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
@@ -366,6 +373,7 @@ An example event for `firewall` looks as following:
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
@@ -404,7 +412,12 @@ An example event for `firewall` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/lambda.md b/packages/aws/docs/lambda.md
index 3cc4ee1a6a6..274cf05d534 100644
--- a/packages/aws/docs/lambda.md
+++ b/packages/aws/docs/lambda.md
@@ -94,6 +94,7 @@ An example event for `lambda` looks as following:
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
@@ -132,7 +133,12 @@ An example event for `lambda` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/natgateway.md b/packages/aws/docs/natgateway.md
index f78b4ce5de8..99e023381ab 100644
--- a/packages/aws/docs/natgateway.md
+++ b/packages/aws/docs/natgateway.md
@@ -119,6 +119,7 @@ An example event for `natgateway` looks as following:
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
@@ -157,7 +158,12 @@ An example event for `natgateway` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/rds.md b/packages/aws/docs/rds.md
index 040c56899a9..17e2acf4872 100644
--- a/packages/aws/docs/rds.md
+++ b/packages/aws/docs/rds.md
@@ -201,6 +201,7 @@ An example event for `rds` looks as following:
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
@@ -239,7 +240,12 @@ An example event for `rds` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/route53.md b/packages/aws/docs/route53.md
index ee451d2b133..0c0ab49f5f7 100644
--- a/packages/aws/docs/route53.md
+++ b/packages/aws/docs/route53.md
@@ -126,6 +126,15 @@ An example event for `route53_public` looks as following:
 | awscloudwatch.ingestion_time | AWS CloudWatch ingest time | date |
 | awscloudwatch.log_group | AWS CloudWatch Log Group name | keyword |
 | awscloudwatch.log_stream | AWS CloudWatch Log Stream name | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -344,6 +353,15 @@ An example event for `route53_resolver` looks as following:
 | awscloudwatch.ingestion_time | AWS CloudWatch ingest time | date |
 | awscloudwatch.log_group | AWS CloudWatch Log Group name | keyword |
 | awscloudwatch.log_stream | AWS CloudWatch Log Stream name | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
diff --git a/packages/aws/docs/s3.md b/packages/aws/docs/s3.md
index 83a2a707a46..4f8c063b1a3 100644
--- a/packages/aws/docs/s3.md
+++ b/packages/aws/docs/s3.md
@@ -41,7 +41,15 @@ for sending server access logs to S3 bucket.
 | client.address | Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
 | client.ip | IP address of the client (IPv4 or IPv6). | ip |
 | client.user.id | Unique identifier of the user. | keyword |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
 | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
 | container.id | Unique container id. | keyword |
 | container.image.name | Name of the image the container was built on. | keyword |
 | container.labels | Image labels. | object |
@@ -305,6 +313,7 @@ An example event for `s3_daily_storage` looks as following:
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
@@ -343,7 +352,12 @@ An example event for `s3_daily_storage` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
@@ -465,6 +479,7 @@ An example event for `s3_request` looks as following:
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
@@ -503,7 +518,12 @@ An example event for `s3_request` looks as following:
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.code | Error code describing the error. | keyword |
+| error.id | Unique identifier for the error. | keyword |
 | error.message | Error message. | match_only_text |
+| error.stack_trace | The stack trace of this error in plain text. | wildcard |
+| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text |
+| error.type | The type of the error, for example the class name of the exception. | keyword |
 | event.dataset | Event dataset | constant_keyword |
 | event.module | Event module | constant_keyword |
 | host.architecture | Operating system architecture. | keyword |
diff --git a/packages/aws/docs/s3_storage_lens.md b/packages/aws/docs/s3_storage_lens.md
index 1ba60211d06..1d5ee6a49ed 100644
--- a/packages/aws/docs/s3_storage_lens.md
+++ b/packages/aws/docs/s3_storage_lens.md
@@ -187,6 +187,7 @@ An example event for `s3_storage_lens` looks as following:
 | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
 | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword |
 | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
 | cloud.instance.id | Instance ID of the host machine. | keyword |
 | cloud.instance.name | Instance name of the host machine. | keyword |
 | cloud.machine.type | Machine type of the host machine. | keyword |
@@ -225,7 +226,12 @@ An example event for `s3_storage_lens` looks as following: | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| error.id | Unique identifier for the error. | keyword | | error.message | Error message. | match_only_text | +| error.stack_trace | The stack trace of this error in plain text. | wildcard | +| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text | +| error.type | The type of the error, for example the class name of the exception. | keyword | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | | host.architecture | Operating system architecture. | keyword | diff --git a/packages/aws/docs/sns.md b/packages/aws/docs/sns.md index 9b4a69dffc9..70d2efceb2d 100644 --- a/packages/aws/docs/sns.md +++ b/packages/aws/docs/sns.md 
@@ -93,6 +93,7 @@ An example event for `sns` looks as following: | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | @@ -131,7 +132,12 @@ An example event for `sns` looks as following: | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| error.id | Unique identifier for the error. | keyword | | error.message | Error message. | match_only_text | +| error.stack_trace | The stack trace of this error in plain text. | wildcard | +| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text | +| error.type | The type of the error, for example the class name of the exception. | keyword | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | | host.architecture | Operating system architecture. | keyword | 
diff --git a/packages/aws/docs/sqs.md b/packages/aws/docs/sqs.md index 1e8ede4a88c..3faf5884524 100644 --- a/packages/aws/docs/sqs.md +++ b/packages/aws/docs/sqs.md @@ -84,6 +84,7 @@ An example event for `sqs` looks as following: | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | 
@@ -122,7 +123,12 @@ An example event for `sqs` looks as following: | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| error.id | Unique identifier for the error. | keyword | | error.message | Error message. | match_only_text | +| error.stack_trace | The stack trace of this error in plain text. | wildcard | +| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text | +| error.type | The type of the error, for example the class name of the exception. | keyword | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | | host.architecture | Operating system architecture. | keyword | diff --git a/packages/aws/docs/transitgateway.md b/packages/aws/docs/transitgateway.md index 5516961408c..de223d2b6b5 100644 --- a/packages/aws/docs/transitgateway.md +++ b/packages/aws/docs/transitgateway.md 
@@ -91,6 +91,7 @@ An example event for `transitgateway` looks as following: | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | @@ -129,7 +130,12 @@ An example event for `transitgateway` looks as following: | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| error.id | Unique identifier for the error. | keyword | | error.message | Error message. | match_only_text | +| error.stack_trace | The stack trace of this error in plain text. | wildcard | +| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text | +| error.type | The type of the error, for example the class name of the exception. | keyword | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | | host.architecture | Operating system architecture. | keyword | 
diff --git a/packages/aws/docs/usage.md b/packages/aws/docs/usage.md index e2cd39aae73..7d932b4635e 100644 --- a/packages/aws/docs/usage.md +++ b/packages/aws/docs/usage.md @@ -77,6 +77,7 @@ An example event for `usage` looks as following: | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | 
@@ -115,7 +116,12 @@ An example event for `usage` looks as following: | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| error.id | Unique identifier for the error. | keyword | | error.message | Error message. | match_only_text | +| error.stack_trace | The stack trace of this error in plain text. | wildcard | +| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text | +| error.type | The type of the error, for example the class name of the exception. | keyword | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | | host.architecture | Operating system architecture. | keyword | diff --git a/packages/aws/docs/vpcflow.md b/packages/aws/docs/vpcflow.md index 174fe555625..1092fe40574 100644 --- a/packages/aws/docs/vpcflow.md +++ b/packages/aws/docs/vpcflow.md 
@@ -48,8 +48,14 @@ This integration supports various plain text VPC flow log formats: | aws.vpcflow.version | The VPC Flow Logs version. If you use the default format, the version is 2. If you specify a custom format, the version is 3. | keyword | | aws.vpcflow.vpc_id | The ID of the VPC that contains the network interface for which the traffic is recorded. | keyword | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. | keyword | | container.labels | Image labels. | object | diff --git a/packages/aws/docs/vpn.md b/packages/aws/docs/vpn.md index 4630aae7f4c..c0eda9a54c4 100644 --- a/packages/aws/docs/vpn.md +++ b/packages/aws/docs/vpn.md 
@@ -76,6 +76,7 @@ An example event for `vpn` looks as following: | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | | cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | | cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | @@ -114,7 +115,12 @@ An example event for `vpn` looks as following: | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.code | Error code describing the error. | keyword | +| error.id | Unique identifier for the error. | keyword | | error.message | Error message. | match_only_text | +| error.stack_trace | The stack trace of this error in plain text. | wildcard | +| error.stack_trace.text | Multi-field of `error.stack_trace`. | match_only_text | +| error.type | The type of the error, for example the class name of the exception. | keyword | | event.dataset | Event dataset | constant_keyword | | event.module | Event module | constant_keyword | | host.architecture | Operating system architecture. | keyword | 
diff --git a/packages/aws/docs/waf.md b/packages/aws/docs/waf.md
index e09d0c24598..79a504b6699 100644
--- a/packages/aws/docs/waf.md
+++ b/packages/aws/docs/waf.md
@@ -19,38 +19,14 @@ The `waf` dataset is specifically for WAF logs. Export logs from Kinesis Data Fi | aws.waf.source.name | The source of the request. Possible values: CF for Amazon CloudFront, APIGW for Amazon API Gateway, ALB for Application Load Balancer, and APPSYNC for AWS AppSync. | keyword | | aws.waf.terminating_rule_match_details | Detailed information about the terminating rule that matched the request. A terminating rule has an action that ends the inspection process against a web request. Possible actions for a terminating rule are ALLOW and BLOCK. This is only populated for SQL injection and cross-site scripting (XSS) match rule statements. As with all rule statements that inspect for more than one thing, AWS WAF applies the action on the first match and stops inspecting the web request. A web request with a terminating action could contain other threats, in addition to the one reported in the log. | nested | | cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | | cloud.instance.id | Instance ID of the host machine. | keyword | | cloud.instance.name | Instance name of the host machine. | keyword | | cloud.machine.type | Machine type of the host machine. | keyword | -| cloud.origin.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. 
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.origin.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.origin.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.origin.instance.id | Instance ID of the host machine. | keyword | -| cloud.origin.instance.name | Instance name of the host machine. | keyword | -| cloud.origin.machine.type | Machine type of the host machine. | keyword | -| cloud.origin.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | -| cloud.origin.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | -| cloud.origin.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.origin.region | Region in which this host, resource, or service is located. | keyword | -| cloud.origin.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | -| cloud.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | -| cloud.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | | cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.region | Region in which this host, resource, or service is located. 
| keyword | -| cloud.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | -| cloud.target.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | -| cloud.target.account.name | The cloud account name or alias used to identify different entities in a multi-tenant environment. Examples: AWS account name, Google Cloud ORG display name. | keyword | -| cloud.target.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | -| cloud.target.instance.id | Instance ID of the host machine. | keyword | -| cloud.target.instance.name | Instance name of the host machine. | keyword | -| cloud.target.machine.type | Machine type of the host machine. | keyword | -| cloud.target.project.id | The cloud project identifier. Examples: Google Cloud Project id, Azure Project id. | keyword | -| cloud.target.project.name | The cloud project name. Examples: Google Cloud Project name, Azure Project name. | keyword | -| cloud.target.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | -| cloud.target.region | Region in which this host, resource, or service is located. | keyword | -| cloud.target.service.name | The cloud service name is intended to distinguish services running on different platforms within a provider, eg AWS EC2 vs Lambda, GCP GCE vs App Engine, Azure VM vs App Server. Examples: app engine, app service, cloud run, fargate, lambda. | keyword | +| cloud.region | Region in which this host is running. | keyword | | container.id | Unique container id. | keyword | | container.image.name | Name of the image the container was built on. 
| keyword | | container.labels | Image labels. | object | From 96a98416a1ae5b4430a73eaff8322162ab875cd2 Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Wed, 11 May 2022 18:42:30 +0200 Subject: [PATCH 21/28] Recover host.containerized --- .../data_stream/app_insights/fields/package-fields.yml | 9 +++++++++ .../data_stream/app_state/fields/package-fields.yml | 9 +++++++++ packages/azure_application_insights/docs/README.md | 3 +++ packages/azure_application_insights/docs/app_state.md | 3 +++ 4 files changed, 24 insertions(+) diff --git a/packages/azure_application_insights/data_stream/app_insights/fields/package-fields.yml b/packages/azure_application_insights/data_stream/app_insights/fields/package-fields.yml index 4ac170ddf8d..1b60a77aa9f 100644 --- a/packages/azure_application_insights/data_stream/app_insights/fields/package-fields.yml +++ b/packages/azure_application_insights/data_stream/app_insights/fields/package-fields.yml @@ -69,3 +69,12 @@ description: > Metrics returned. +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. diff --git a/packages/azure_application_insights/data_stream/app_state/fields/package-fields.yml b/packages/azure_application_insights/data_stream/app_state/fields/package-fields.yml index 4ac170ddf8d..1b60a77aa9f 100644 --- a/packages/azure_application_insights/data_stream/app_state/fields/package-fields.yml +++ b/packages/azure_application_insights/data_stream/app_state/fields/package-fields.yml @@ -69,3 +69,12 @@ description: > Metrics returned. +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. 
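Review bot: The three `host.*` entries appended to app_insights/package-fields.yml carry no note on why they are defined inline, and `host.containerized`, `host.os.build` and `host.os.codename` are not ECS fields (they are presumably populated by the agent's host metadata enrichment rather than by the integration), so a reader checking this file against the ECS reference will not find them; a one-line comment above `- name: host.containerized`, e.g. `# Not part of ECS (host metadata enrichment fields), so declared explicitly rather than via external: ecs`, would record that. The same nine lines are appended verbatim to the app_state data stream in this hunk (both files share blob ids `4ac170ddf8d..1b60a77aa9f`) and to eight azure_metrics data streams in the following patch, where the identical ids `28fa99283bd..daa81e8339e` confirm those files are exact copies, so whatever wording is chosen belongs in every copy and any later change to these fields must be applied to all of them. The field list these entries extend starts outside the hunk.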
diff --git a/packages/azure_application_insights/docs/README.md b/packages/azure_application_insights/docs/README.md
index 477718938c7..2e7df9c7b79 100644
--- a/packages/azure_application_insights/docs/README.md
+++ b/packages/azure_application_insights/docs/README.md
@@ -204,6 +204,7 @@ An example event for `app_insights` looks as following:
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
 | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
 | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
 | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
@@ -228,6 +229,8 @@ An example event for `app_insights` looks as following:
 | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.full | Operating system name, including the version or code name. | keyword |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |
diff --git a/packages/azure_application_insights/docs/app_state.md b/packages/azure_application_insights/docs/app_state.md
index 95aaba39a55..99688ec36b2 100644
--- a/packages/azure_application_insights/docs/app_state.md
+++ b/packages/azure_application_insights/docs/app_state.md
@@ -71,6 +71,7 @@ Costs: Metric queries are charged based on the number of standard API calls. Mor
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
 | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
 | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
 | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
@@ -95,6 +96,8 @@ Costs: Metric queries are charged based on the number of standard API calls. Mor | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | From b4c3119e8a356bb74b00f036735444d61d51a7d3 Mon Sep 17 00:00:00 2001 From: Jaime Soriano Pastor Date: Wed, 11 May 2022 18:48:57 +0200 Subject: [PATCH 22/28] Fixes for azure --- .../compute_vm/fields/package-fields.yml | 9 +++++++ .../fields/package-fields.yml | 9 +++++++ .../fields/package-fields.yml | 9 +++++++ .../fields/package-fields.yml | 9 +++++++ .../fields/package-fields.yml | 9 +++++++ .../fields/package-fields.yml | 9 +++++++ .../monitor/fields/package-fields.yml | 9 +++++++ .../storage_account/fields/package-fields.yml | 9 +++++++ packages/azure_metrics/docs/README.md | 24 +++++++++++++++++++ packages/azure_metrics/docs/compute_vm.md | 3 +++ .../azure_metrics/docs/compute_vm_scaleset.md | 3 +++ .../azure_metrics/docs/container_instance.md | 3 +++ .../azure_metrics/docs/container_registry.md | 3 +++ .../azure_metrics/docs/container_service.md | 3 +++ .../azure_metrics/docs/database_account.md | 3 +++ packages/azure_metrics/docs/monitor.md | 3 +++ .../azure_metrics/docs/storage_account.md | 3 +++ 17 files changed, 120 insertions(+) 
diff --git a/packages/azure_metrics/data_stream/compute_vm/fields/package-fields.yml b/packages/azure_metrics/data_stream/compute_vm/fields/package-fields.yml index 28fa99283bd..daa81e8339e 100644 --- a/packages/azure_metrics/data_stream/compute_vm/fields/package-fields.yml +++ b/packages/azure_metrics/data_stream/compute_vm/fields/package-fields.yml @@ -69,3 +69,12 @@ description: > Metrics returned. +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. diff --git a/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/package-fields.yml b/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/package-fields.yml index 28fa99283bd..daa81e8339e 100644 --- a/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/package-fields.yml +++ b/packages/azure_metrics/data_stream/compute_vm_scaleset/fields/package-fields.yml @@ -69,3 +69,12 @@ description: > Metrics returned. +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. diff --git a/packages/azure_metrics/data_stream/container_instance/fields/package-fields.yml b/packages/azure_metrics/data_stream/container_instance/fields/package-fields.yml index 28fa99283bd..daa81e8339e 100644 --- a/packages/azure_metrics/data_stream/container_instance/fields/package-fields.yml +++ b/packages/azure_metrics/data_stream/container_instance/fields/package-fields.yml 
@@ -69,3 +69,12 @@ description: > Metrics returned. +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. diff --git a/packages/azure_metrics/data_stream/container_registry/fields/package-fields.yml b/packages/azure_metrics/data_stream/container_registry/fields/package-fields.yml index 28fa99283bd..daa81e8339e 100644 --- a/packages/azure_metrics/data_stream/container_registry/fields/package-fields.yml +++ b/packages/azure_metrics/data_stream/container_registry/fields/package-fields.yml @@ -69,3 +69,12 @@ description: > Metrics returned. +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. diff --git a/packages/azure_metrics/data_stream/container_service/fields/package-fields.yml b/packages/azure_metrics/data_stream/container_service/fields/package-fields.yml index 28fa99283bd..daa81e8339e 100644 --- a/packages/azure_metrics/data_stream/container_service/fields/package-fields.yml +++ b/packages/azure_metrics/data_stream/container_service/fields/package-fields.yml @@ -69,3 +69,12 @@ description: > Metrics returned. +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. diff --git a/packages/azure_metrics/data_stream/database_account/fields/package-fields.yml b/packages/azure_metrics/data_stream/database_account/fields/package-fields.yml index 28fa99283bd..daa81e8339e 100644 --- a/packages/azure_metrics/data_stream/database_account/fields/package-fields.yml 
+++ b/packages/azure_metrics/data_stream/database_account/fields/package-fields.yml @@ -69,3 +69,12 @@ description: > Metrics returned. +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. diff --git a/packages/azure_metrics/data_stream/monitor/fields/package-fields.yml b/packages/azure_metrics/data_stream/monitor/fields/package-fields.yml index 28fa99283bd..daa81e8339e 100644 --- a/packages/azure_metrics/data_stream/monitor/fields/package-fields.yml +++ b/packages/azure_metrics/data_stream/monitor/fields/package-fields.yml @@ -69,3 +69,12 @@ description: > Metrics returned. +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. diff --git a/packages/azure_metrics/data_stream/storage_account/fields/package-fields.yml b/packages/azure_metrics/data_stream/storage_account/fields/package-fields.yml index 28fa99283bd..daa81e8339e 100644 --- a/packages/azure_metrics/data_stream/storage_account/fields/package-fields.yml +++ b/packages/azure_metrics/data_stream/storage_account/fields/package-fields.yml @@ -69,3 +69,12 @@ description: > Metrics returned. +- name: host.containerized + type: boolean + description: If the host is a container. +- name: host.os.build + type: keyword + description: OS build information. +- name: host.os.codename + type: keyword + description: OS codename, if any. diff --git a/packages/azure_metrics/docs/README.md b/packages/azure_metrics/docs/README.md index 2e128ebcc8c..4c7a5a58ce2 100644 --- a/packages/azure_metrics/docs/README.md +++ b/packages/azure_metrics/docs/README.md 
@@ -95,6 +95,7 @@ aggregation list, namespaces and metric dimensions. The monitor metrics will hav | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -119,6 +120,8 @@ aggregation list, namespaces and metric dimensions. The monitor metrics will hav | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | 
@@ -177,6 +180,7 @@ so the `period` for `compute_vm` should be `300s` or multiples of `300s`. | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -201,6 +205,8 @@ so the `period` for `compute_vm` should be `300s` or multiples of `300s`. | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | 
@@ -259,6 +265,7 @@ so the `period` for `compute_vm_scaleset` should be `300s` or multiples of `300s | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -283,6 +290,8 @@ so the `period` for `compute_vm_scaleset` should be `300s` or multiples of `300s | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | 
@@ -341,6 +350,7 @@ so the `period` for `storage_account` should be `300s` or multiples of `300s`. | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -365,6 +375,8 @@ so the `period` for `storage_account` should be `300s` or multiples of `300s`. | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | 
@@ -423,6 +435,7 @@ so the `period` for `container_instance` should be `300s` or multiples of `300s` | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -447,6 +460,8 @@ so the `period` for `container_instance` should be `300s` or multiples of `300s` | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | 
@@ -505,6 +520,7 @@ so the `period` for `container_registry` should be `300s` or multiples of `300s` | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -529,6 +545,8 @@ so the `period` for `container_registry` should be `300s` or multiples of `300s` | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | 
@@ -587,6 +605,7 @@ so the `period` for `container_service` should be `300s` or multiples of `300s`. | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -611,6 +630,8 @@ so the `period` for `container_service` should be `300s` or multiples of `300s`. | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | 
@@ -669,6 +690,7 @@ so the `period` for `database_account` should be `300s` or multiples of `300s`. | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -693,6 +715,8 @@ so the `period` for `database_account` should be `300s` or multiples of `300s`. | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | diff --git a/packages/azure_metrics/docs/compute_vm.md b/packages/azure_metrics/docs/compute_vm.md index 3160aa9be11..71ea2fac557 100644 --- a/packages/azure_metrics/docs/compute_vm.md +++ b/packages/azure_metrics/docs/compute_vm.md 
@@ -109,6 +109,7 @@ Authentication: Dedicated authentication token will be created and updated regul | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -133,6 +134,8 @@ Authentication: Dedicated authentication token will be created and updated regul | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | diff --git a/packages/azure_metrics/docs/compute_vm_scaleset.md b/packages/azure_metrics/docs/compute_vm_scaleset.md index 3fee8875136..d110d28053f 100644 --- a/packages/azure_metrics/docs/compute_vm_scaleset.md +++ b/packages/azure_metrics/docs/compute_vm_scaleset.md 
@@ -106,6 +106,7 @@ Authentication: we are handling authentication on our side (creating/renewing th | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -130,6 +131,8 @@ Authentication: we are handling authentication on our side (creating/renewing th | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | diff --git a/packages/azure_metrics/docs/container_instance.md b/packages/azure_metrics/docs/container_instance.md index 3ba44dac6a1..e5d67268cd8 100644 --- a/packages/azure_metrics/docs/container_instance.md +++ b/packages/azure_metrics/docs/container_instance.md 
@@ -106,6 +106,7 @@ Authentication: we are handling authentication on our side (creating/renewing th | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -130,6 +131,8 @@ Authentication: we are handling authentication on our side (creating/renewing th | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | diff --git a/packages/azure_metrics/docs/container_registry.md b/packages/azure_metrics/docs/container_registry.md index 20b18df7bd5..e8d61dfc2e7 100644 --- a/packages/azure_metrics/docs/container_registry.md +++ b/packages/azure_metrics/docs/container_registry.md 
@@ -106,6 +106,7 @@ Authentication: we are handling authentication on our side (creating/renewing th | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -130,6 +131,8 @@ Authentication: we are handling authentication on our side (creating/renewing th | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | diff --git a/packages/azure_metrics/docs/container_service.md b/packages/azure_metrics/docs/container_service.md index 54e794391a0..6208fbc38c2 100644 --- a/packages/azure_metrics/docs/container_service.md +++ b/packages/azure_metrics/docs/container_service.md 
@@ -107,6 +107,7 @@ Authentication: we are handling authentication on our side (creating/renewing th | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -131,6 +132,8 @@ Authentication: we are handling authentication on our side (creating/renewing th | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | diff --git a/packages/azure_metrics/docs/database_account.md b/packages/azure_metrics/docs/database_account.md index 26edde99968..b55c63ade33 100644 --- a/packages/azure_metrics/docs/database_account.md +++ b/packages/azure_metrics/docs/database_account.md 
@@ -105,6 +105,7 @@ Authentication: we are handling authentication on our side (creating/renewing th | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -129,6 +130,8 @@ Authentication: we are handling authentication on our side (creating/renewing th | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | diff --git a/packages/azure_metrics/docs/monitor.md b/packages/azure_metrics/docs/monitor.md index ee34f6396c1..8a02b1f2a02 100644 --- a/packages/azure_metrics/docs/monitor.md +++ b/packages/azure_metrics/docs/monitor.md 
@@ -158,6 +158,7 @@ Authentication: we are handling authentication on our side (creating/renewing th | dataset.type | Dataset type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | | host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float | | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | 
@@ -182,6 +183,8 @@ Authentication: we are handling authentication on our side (creating/renewing th | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long | | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | | host.os.full | Operating system name, including the version or code name. | keyword | | host.os.full.text | Multi-field of `host.os.full`. | match_only_text | diff --git a/packages/azure_metrics/docs/storage_account.md b/packages/azure_metrics/docs/storage_account.md index b45e4210a62..f4f9dc82a6f 100644 --- a/packages/azure_metrics/docs/storage_account.md +++ b/packages/azure_metrics/docs/storage_account.md 
@@ -107,6 +107,7 @@ Authentication: we are handling authentication on our side (creating/renewing th
 | dataset.type | Dataset type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
 | host.architecture | Operating system architecture. | keyword |
+| host.containerized | If the host is a container. | boolean |
 | host.cpu.usage | Percent CPU used which is normalized by the number of CPU cores and it ranges from 0 to 1. Scaling factor: 1000. For example: For a two core host, this value should be the average of the two cores, between 0 and 1. | scaled_float |
 | host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long |
 | host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long |
@@ -131,6 +132,8 @@ Authentication: we are handling authentication on our side (creating/renewing th
 | host.network.egress.packets | The number of packets (gauge) sent out on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.bytes | The number of bytes received (gauge) on all network interfaces by the host since the last metric collection. | long |
 | host.network.ingress.packets | The number of packets (gauge) received on all network interfaces by the host since the last metric collection. | long |
+| host.os.build | OS build information. | keyword |
+| host.os.codename | OS codename, if any. | keyword |
 | host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
 | host.os.full | Operating system name, including the version or code name. | keyword |
 | host.os.full.text | Multi-field of `host.os.full`. | match_only_text |

From 00dc316e52fa372d0efe90fb051b57a5b3a081af Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor
Date: Wed, 11 May 2022 18:52:16 +0200
Subject: [PATCH 23/28] Cisco

---
 packages/cisco/data_stream/asa/fields/ecs.yml | 4 ++++
 packages/cisco/data_stream/ftd/fields/ecs.yml | 4 ++++
 packages/cisco/docs/README.md | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/packages/cisco/data_stream/asa/fields/ecs.yml b/packages/cisco/data_stream/asa/fields/ecs.yml
index 4e5fb4847d5..ee8b04ed51f 100644
--- a/packages/cisco/data_stream/asa/fields/ecs.yml
+++ b/packages/cisco/data_stream/asa/fields/ecs.yml
@@ -84,6 +84,10 @@
   name: network.iana_number
 - external: ecs
   name: network.inner
+- external: ecs
+  name: network.inner.vlan.id
+- external: ecs
+  name: network.inner.vlan.name
 - external: ecs
   name: network.protocol
 - external: ecs
diff --git a/packages/cisco/data_stream/ftd/fields/ecs.yml b/packages/cisco/data_stream/ftd/fields/ecs.yml
index 8894597527b..f611e8ee32a 100644
--- a/packages/cisco/data_stream/ftd/fields/ecs.yml
+++ b/packages/cisco/data_stream/ftd/fields/ecs.yml
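Review bot: The four restored declarations under `network.inner` carry no comment saying why they are listed in addition to the `network.inner` entry itself, and the first patch in this series removed exactly such nested entries before later patches had to put them back. The README hunk in this same commit renders `network.inner` as type `object`, which suggests the `vlan.id`/`vlan.name` leaves are not derived from it; without an explicit keyword mapping, documents carrying those values presumably fall back to dynamic mapping, and any saved query or detection rule that filters on an exact VLAN id would then depend on whatever type that produced. A one-line comment above the first added line, `# network.inner is an object type; its vlan.* leaves must be declared explicitly to keep keyword mappings`, would stop the next cleanup from removing them again. The same applies to the ftd hunk below and to the cisco_asa, cisco_ftd and hid_bravura_monitor ecs.yml hunks in the "Revert more deletions" patch.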
@@ -104,6 +104,10 @@
   name: network.iana_number
 - external: ecs
   name: network.inner
+- external: ecs
+  name: network.inner.vlan.id
+- external: ecs
+  name: network.inner.vlan.name
 - external: ecs
   name: network.protocol
 - external: ecs
diff --git a/packages/cisco/docs/README.md b/packages/cisco/docs/README.md
index 5ef587a2db0..750e050d29e 100644
--- a/packages/cisco/docs/README.md
+++ b/packages/cisco/docs/README.md
@@ -257,6 +257,8 @@ An example event for `asa` looks as following:
 | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
 | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
 | network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
+| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
+| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
 | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
 | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
 | network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
@@ -633,6 +635,8 @@ An example event for `ftd` looks as following:
 | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
 | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
 | network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
+| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
+| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
 | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
 | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
 | network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |

From 6482a5af3e591afbe23b6f7761aca71e1f09b09b Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor
Date: Wed, 11 May 2022 18:56:27 +0200
Subject: [PATCH 24/28] Revert more deletions

---
 packages/cisco_asa/data_stream/log/fields/ecs.yml | 4 ++++
 packages/cisco_asa/docs/README.md | 2 ++
 packages/cisco_ftd/data_stream/log/fields/ecs.yml | 4 ++++
 packages/cisco_ftd/docs/README.md | 2 ++
 packages/gcp/data_stream/dns/fields/ecs.yml | 10 ++++++++++
 packages/gcp/docs/README.md | 5 +++++
 packages/gcp/docs/dns.md | 5 +++++
 .../hid_bravura_monitor/data_stream/log/fields/ecs.yml | 4 ++++
 packages/hid_bravura_monitor/docs/README.md | 2 ++
 9 files changed, 38 insertions(+)

diff --git a/packages/cisco_asa/data_stream/log/fields/ecs.yml b/packages/cisco_asa/data_stream/log/fields/ecs.yml
index 1888e518e62..6779904532a 100644
--- a/packages/cisco_asa/data_stream/log/fields/ecs.yml
+++ b/packages/cisco_asa/data_stream/log/fields/ecs.yml
@@ -88,6 +88,10 @@
   name: network.iana_number
 - external: ecs
   name: network.inner
+- external: ecs
+  name: network.inner.vlan.id
+- external: ecs
+  name: network.inner.vlan.name
 - external: ecs
   name: network.protocol
 - external: ecs
diff --git a/packages/cisco_asa/docs/README.md b/packages/cisco_asa/docs/README.md
index 99e13422e71..a1b7a6d6170 100644
--- a/packages/cisco_asa/docs/README.md
+++ b/packages/cisco_asa/docs/README.md
@@ -256,6 +256,8 @@ An example event for `log` looks as following:
 | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
 | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
 | network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
+| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
+| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
 | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
 | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
 | network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
diff --git a/packages/cisco_ftd/data_stream/log/fields/ecs.yml b/packages/cisco_ftd/data_stream/log/fields/ecs.yml
index 6c51d63c154..23cf593c2ea 100644
--- a/packages/cisco_ftd/data_stream/log/fields/ecs.yml
+++ b/packages/cisco_ftd/data_stream/log/fields/ecs.yml
@@ -112,6 +112,10 @@
   name: network.iana_number
 - external: ecs
   name: network.inner
+- external: ecs
+  name: network.inner.vlan.id
+- external: ecs
+  name: network.inner.vlan.name
 - external: ecs
   name: network.protocol
 - external: ecs
diff --git a/packages/cisco_ftd/docs/README.md b/packages/cisco_ftd/docs/README.md
index f8da1286849..acde41953a9 100644
--- a/packages/cisco_ftd/docs/README.md
+++ b/packages/cisco_ftd/docs/README.md
@@ -319,6 +319,8 @@ An example event for `log` looks as following:
 | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
 | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
 | network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
+| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
+| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
 | network.protocol | In the OSI Model this would be the Application Layer protocol. For example, `http`, `dns`, or `ssh`. The field value must be normalized to lowercase for querying. | keyword |
 | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. | keyword |
 | network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. | keyword |
diff --git a/packages/gcp/data_stream/dns/fields/ecs.yml b/packages/gcp/data_stream/dns/fields/ecs.yml
index a7acc4fb82d..f008e47d957 100644
--- a/packages/gcp/data_stream/dns/fields/ecs.yml
+++ b/packages/gcp/data_stream/dns/fields/ecs.yml
@@ -4,6 +4,16 @@
   name: destination.ip
 - external: ecs
   name: dns.answers
+- external: ecs
+  name: dns.answers.class
+- external: ecs
+  name: dns.answers.data
+- external: ecs
+  name: dns.answers.name
+- external: ecs
+  name: dns.answers.ttl
+- external: ecs
+  name: dns.answers.type
 - external: ecs
   name: dns.question.name
 - external: ecs
diff --git a/packages/gcp/docs/README.md b/packages/gcp/docs/README.md
index a29a9407879..c070e2f3f6b 100644
--- a/packages/gcp/docs/README.md
+++ b/packages/gcp/docs/README.md
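Review bot: The five `dns.answers.*` leaf declarations are restored without a comment explaining their relationship to the `dns.answers` entry directly above them, which the README hunks in this same patch render as type `object`. `dns.answers.data` and `dns.answers.name` are the fields that DNS-based detections and indicator matches usually key on, so if their keyword mapping were lost the effect would presumably be queries that silently stop matching rather than an ingest error, which makes the reason these lines exist worth recording in the file. A comment above the first added line such as `# dns.answers is an object type; declare its leaves so data/name/type keep keyword mappings` would do. The same pattern recurs in the netflow hunks of the next patch (both the `dns.answers.*` and the `log.syslog.*` block), in the network_traffic dns hunk and in the windows sysmon_operational hunk.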
@@ -950,6 +950,11 @@ The `dns` dataset collects queries that name servers resolve for your Virtual Pr
 | destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
 | destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
+| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
+| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
+| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
 | dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
 | dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
 | dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
diff --git a/packages/gcp/docs/dns.md b/packages/gcp/docs/dns.md
index 87fae2ac287..18f0001dae4 100644
--- a/packages/gcp/docs/dns.md
+++ b/packages/gcp/docs/dns.md
@@ -28,6 +28,11 @@ The `dns` dataset collects queries that name servers resolve for your Virtual Pr
 | destination.address | Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. | keyword |
 | destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
+| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
+| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
+| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
 | dns.question.name | The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. | keyword |
 | dns.question.registered_domain | The highest registered domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". | keyword |
 | dns.question.subdomain | The subdomain is all of the labels under the registered_domain. If the domain has multiple levels of subdomain, such as "sub2.sub1.example.com", the subdomain field should contain "sub2.sub1", with no trailing period. | keyword |
diff --git a/packages/hid_bravura_monitor/data_stream/log/fields/ecs.yml b/packages/hid_bravura_monitor/data_stream/log/fields/ecs.yml
index 7cafdae9e7c..fb78acf4391 100644
--- a/packages/hid_bravura_monitor/data_stream/log/fields/ecs.yml
+++ b/packages/hid_bravura_monitor/data_stream/log/fields/ecs.yml
@@ -86,6 +86,10 @@
   name: network.iana_number
 - external: ecs
   name: network.inner
+- external: ecs
+  name: network.inner.vlan.id
+- external: ecs
+  name: network.inner.vlan.name
 - external: ecs
   name: network.protocol
 - external: ecs
diff --git a/packages/hid_bravura_monitor/docs/README.md b/packages/hid_bravura_monitor/docs/README.md
index 5ad6994de9b..ae419ff7169 100644
--- a/packages/hid_bravura_monitor/docs/README.md
+++ b/packages/hid_bravura_monitor/docs/README.md
@@ -360,6 +360,8 @@ An example event for `log` looks as following:
 | network.direction | Direction of the network traffic. Recommended values are: \* ingress \* egress \* inbound \* outbound \* internal \* external \* unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view, using the values "ingress" or "egress". When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values "inbound", "outbound", "internal" or "external". Note that "internal" is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that "external" is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers. | keyword |
 | network.iana_number | IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. | keyword |
 | network.inner | Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.) | object |
+| network.inner.vlan.id | VLAN ID as reported by the observer. | keyword |
+| network.inner.vlan.name | Optional VLAN name as reported by the observer. | keyword |
 | network.protocol | L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
 | network.transport | Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |
 | network.type | In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". | keyword |

From badb3606de35946851c6f77539d7397ff27ba265 Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor
Date: Wed, 11 May 2022 19:00:51 +0200
Subject: [PATCH 25/28] Fix netflow

---
 .../netflow/data_stream/log/fields/ecs.yml | 20 +++++++++++++++++++
 packages/netflow/docs/README.md | 10 ++++++++++
 2 files changed, 30 insertions(+)

diff --git a/packages/netflow/data_stream/log/fields/ecs.yml b/packages/netflow/data_stream/log/fields/ecs.yml
index b0076c63316..8d3da9674be 100644
--- a/packages/netflow/data_stream/log/fields/ecs.yml
+++ b/packages/netflow/data_stream/log/fields/ecs.yml
@@ -166,6 +166,16 @@
   name: destination.user.name
 - external: ecs
   name: dns.answers
+- external: ecs
+  name: dns.answers.class
+- external: ecs
+  name: dns.answers.data
+- external: ecs
+  name: dns.answers.name
+- external: ecs
+  name: dns.answers.ttl
+- external: ecs
+  name: dns.answers.type
 - external: ecs
   name: dns.header_flags
 - external: ecs
@@ -396,6 +406,16 @@
   name: log.origin.function
 - external: ecs
   name: log.syslog
+- external: ecs
+  name: log.syslog.facility.code
+- external: ecs
+  name: log.syslog.facility.name
+- external: ecs
+  name: log.syslog.priority
+- external: ecs
+  name: log.syslog.severity.code
+- external: ecs
+  name: log.syslog.severity.name
 - external: ecs
   name: message
 - external: ecs
diff --git a/packages/netflow/docs/README.md b/packages/netflow/docs/README.md
index f77aa075236..fccb3cf0bd7 100644
--- a/packages/netflow/docs/README.md
+++ b/packages/netflow/docs/README.md
@@ -115,6 +115,11 @@ The `log` dataset collects netflow logs.
 | destination.user.name | Short name or login of the user. | keyword |
 | destination.user.name.text | Multi-field of `destination.user.name`. | match_only_text |
 | dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
+| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
+| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
+| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
 | dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword |
 | dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
 | dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword |
@@ -245,6 +250,11 @@ The `log` dataset collects netflow logs.
 | log.origin.file.name | The name of the file containing the source code which originated the log event. Note that this field is not meant to capture the log file. The correct field to capture the log file is `log.file.path`. | keyword |
 | log.origin.function | The name of the function or method which originated the log event. | keyword |
 | log.syslog | The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164. | object |
+| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
+| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword |
+| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
+| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long |
+| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword |
 | message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
 | netflow.absolute_error | | double |
 | netflow.address_pool_high_threshold | | long |

From da3a9068c8e7757571c2d1491b6ed1f2d0c45a73 Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor
Date: Wed, 11 May 2022 19:03:58 +0200
Subject: [PATCH 26/28] Revert changes in network_traffic

---
 .../network_traffic/data_stream/dns/fields/ecs.yml | 10 ++++++++++
 packages/network_traffic/docs/README.md | 5 +++++
 2 files changed, 15 insertions(+)

diff --git a/packages/network_traffic/data_stream/dns/fields/ecs.yml b/packages/network_traffic/data_stream/dns/fields/ecs.yml
index 3469d6b233d..d78aee57951 100644
--- a/packages/network_traffic/data_stream/dns/fields/ecs.yml
+++ b/packages/network_traffic/data_stream/dns/fields/ecs.yml
@@ -12,6 +12,16 @@
   name: destination.port
 - external: ecs
   name: dns.answers
+- external: ecs
+  name: dns.answers.class
+- external: ecs
+  name: dns.answers.data
+- external: ecs
+  name: dns.answers.name
+- external: ecs
+  name: dns.answers.ttl
+- external: ecs
+  name: dns.answers.type
 - external: ecs
   name: dns.header_flags
 - external: ecs
diff --git a/packages/network_traffic/docs/README.md b/packages/network_traffic/docs/README.md
index 3d7903d80be..947d820e0ca 100644
--- a/packages/network_traffic/docs/README.md
+++ b/packages/network_traffic/docs/README.md
@@ -928,6 +928,11 @@ Fields published for DNS packets.
 | dns.additionals.type | The type of data contained in this resource record. | keyword |
 | dns.additionals_count | The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. | long |
 | dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
+| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
+| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
+| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
 | dns.answers_count | The number of resource records contained in the `dns.answers` field. | long |
 | dns.authorities | An array containing a dictionary for each authority section from the answer. | object |
 | dns.authorities.class | The class of DNS data contained in this resource record. | keyword |
From 25b9989a1abfbc042379c3d9ff8bedbc5c7ea05d Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor
Date: Wed, 11 May 2022 19:13:29 +0200
Subject: [PATCH 27/28] Revert removal of dns.answers
---
 .../data_stream/sysmon_operational/fields/ecs.yml | 10 ++++++++++
 packages/windows/docs/README.md | 5 +++++
 packages/zeek/data_stream/dns/fields/ecs.yml | 10 ++++++++++
 packages/zeek/docs/README.md | 5 +++++
 4 files changed, 30 insertions(+)
diff --git a/packages/windows/data_stream/sysmon_operational/fields/ecs.yml b/packages/windows/data_stream/sysmon_operational/fields/ecs.yml
index e598973dc5d..03b3598d44c 100644
--- a/packages/windows/data_stream/sysmon_operational/fields/ecs.yml
+++ b/packages/windows/data_stream/sysmon_operational/fields/ecs.yml
@@ -6,6 +6,16 @@ name: destination.port - external: ecs name: dns.answers +- external: ecs + name: dns.answers.class +- external: ecs + name: dns.answers.data +- external: ecs + name: dns.answers.name +- external: ecs + name: dns.answers.ttl +- external: ecs + name: dns.answers.type - external: ecs name: dns.header_flags - external: ecs
diff --git a/packages/windows/docs/README.md b/packages/windows/docs/README.md
index 62ef8db33be..2f9e3154f82 100644
--- a/packages/windows/docs/README.md
+++ b/packages/windows/docs/README.md
@@ -983,6 +983,11 @@ An example event for `sysmon_operational` looks as following:
 | destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | destination.port | Port of the destination. | long |
 | dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
+| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
+| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
+| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
 | dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword |
 | dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
 | dns.op_code | The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. | keyword |
diff --git a/packages/zeek/data_stream/dns/fields/ecs.yml b/packages/zeek/data_stream/dns/fields/ecs.yml
index 0fb85555012..b183a600a17 100644
--- a/packages/zeek/data_stream/dns/fields/ecs.yml
+++ b/packages/zeek/data_stream/dns/fields/ecs.yml
@@ -28,6 +28,16 @@ name: destination.port - external: ecs name: dns.answers +- external: ecs + name: dns.answers.class +- external: ecs + name: dns.answers.data +- external: ecs + name: dns.answers.name +- external: ecs + name: dns.answers.ttl +- external: ecs + name: dns.answers.type - external: ecs name: dns.header_flags - external: ecs
diff --git a/packages/zeek/docs/README.md b/packages/zeek/docs/README.md
index ca8bcd4148e..2d9054112e0 100644
--- a/packages/zeek/docs/README.md
+++ b/packages/zeek/docs/README.md
@@ -529,6 +529,11 @@ activity.
 | destination.ip | IP address of the destination (IPv4 or IPv6). | ip |
 | destination.port | Port of the destination. | long |
 | dns.answers | An array containing an object for each answer section returned by the server. The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines. Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields. | object |
+| dns.answers.class | The class of DNS data contained in this resource record. | keyword |
+| dns.answers.data | The data describing the resource. The meaning of this data depends on the type and class of the resource record. | keyword |
+| dns.answers.name | The domain name to which this resource record pertains. If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated. | keyword |
+| dns.answers.ttl | The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. | long |
+| dns.answers.type | The type of data contained in this resource record. | keyword |
 | dns.header_flags | Array of 2 letter DNS header flags. Expected values are: AA, TC, RD, RA, AD, CD, DO. | keyword |
 | dns.id | The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. | keyword |
 | dns.question.class | The class of records being queried. | keyword |
From 84a335a9ea3798f5369613888378db6ad5a0a9b3 Mon Sep 17 00:00:00 2001
From: Jaime Soriano Pastor
Date: Wed, 11 May 2022 19:38:04 +0200
Subject: [PATCH 28/28] Fix format
---
 packages/aws/data_stream/billing/fields/package-fields.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/aws/data_stream/billing/fields/package-fields.yml b/packages/aws/data_stream/billing/fields/package-fields.yml
index 2f867802104..eaacb160c09 100644
--- a/packages/aws/data_stream/billing/fields/package-fields.yml
+++ b/packages/aws/data_stream/billing/fields/package-fields.yml
@@ -29,6 +29,7 @@ type: keyword description: > Name or alias used to identify linked account. + - name: cloud.image.id type: keyword description: Image ID for the cloud instance.