diff --git a/packages/elasticsearch/data_stream/ccr/fields/ecs.yml b/packages/elasticsearch/data_stream/ccr/fields/ecs.yml
index 4ce6140fe3d..5d852e3c52d 100644
--- a/packages/elasticsearch/data_stream/ccr/fields/ecs.yml
+++ b/packages/elasticsearch/data_stream/ccr/fields/ecs.yml
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
diff --git a/packages/elasticsearch/data_stream/cluster_stats/fields/ecs.yml b/packages/elasticsearch/data_stream/cluster_stats/fields/ecs.yml
index 4ce6140fe3d..5d852e3c52d 100644
--- a/packages/elasticsearch/data_stream/cluster_stats/fields/ecs.yml
+++ b/packages/elasticsearch/data_stream/cluster_stats/fields/ecs.yml
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
diff --git a/packages/elasticsearch/data_stream/enrich/fields/ecs.yml b/packages/elasticsearch/data_stream/enrich/fields/ecs.yml
index 4ce6140fe3d..5d852e3c52d 100644
--- a/packages/elasticsearch/data_stream/enrich/fields/ecs.yml
+++ b/packages/elasticsearch/data_stream/enrich/fields/ecs.yml
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
diff --git a/packages/elasticsearch/data_stream/index/fields/ecs.yml b/packages/elasticsearch/data_stream/index/fields/ecs.yml
index 4ce6140fe3d..5d852e3c52d 100644
--- a/packages/elasticsearch/data_stream/index/fields/ecs.yml
+++ b/packages/elasticsearch/data_stream/index/fields/ecs.yml
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
diff --git a/packages/elasticsearch/data_stream/index_recovery/fields/ecs.yml b/packages/elasticsearch/data_stream/index_recovery/fields/ecs.yml
index 4ce6140fe3d..5d852e3c52d 100644
--- a/packages/elasticsearch/data_stream/index_recovery/fields/ecs.yml
+++ b/packages/elasticsearch/data_stream/index_recovery/fields/ecs.yml
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
diff --git a/packages/elasticsearch/data_stream/index_summary/fields/ecs.yml b/packages/elasticsearch/data_stream/index_summary/fields/ecs.yml
index 4ce6140fe3d..5d852e3c52d 100644
--- a/packages/elasticsearch/data_stream/index_summary/fields/ecs.yml
+++ b/packages/elasticsearch/data_stream/index_summary/fields/ecs.yml
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
diff --git a/packages/elasticsearch/data_stream/ml_job/fields/ecs.yml b/packages/elasticsearch/data_stream/ml_job/fields/ecs.yml
index 4ce6140fe3d..5d852e3c52d 100644
--- a/packages/elasticsearch/data_stream/ml_job/fields/ecs.yml
+++ b/packages/elasticsearch/data_stream/ml_job/fields/ecs.yml
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
diff --git a/packages/elasticsearch/data_stream/node/fields/ecs.yml b/packages/elasticsearch/data_stream/node/fields/ecs.yml
index 4ce6140fe3d..5d852e3c52d 100644
--- a/packages/elasticsearch/data_stream/node/fields/ecs.yml
+++ b/packages/elasticsearch/data_stream/node/fields/ecs.yml
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
diff --git a/packages/elasticsearch/data_stream/node_stats/fields/ecs.yml b/packages/elasticsearch/data_stream/node_stats/fields/ecs.yml
index 4ce6140fe3d..5d852e3c52d 100644
--- a/packages/elasticsearch/data_stream/node_stats/fields/ecs.yml
+++ b/packages/elasticsearch/data_stream/node_stats/fields/ecs.yml
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
diff --git a/packages/elasticsearch/data_stream/pending_tasks/fields/ecs.yml b/packages/elasticsearch/data_stream/pending_tasks/fields/ecs.yml
index 4ce6140fe3d..5d852e3c52d 100644
--- a/packages/elasticsearch/data_stream/pending_tasks/fields/ecs.yml
+++ b/packages/elasticsearch/data_stream/pending_tasks/fields/ecs.yml
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
diff --git a/packages/elasticsearch/data_stream/shard/fields/ecs.yml b/packages/elasticsearch/data_stream/shard/fields/ecs.yml
index 4ce6140fe3d..5d852e3c52d 100644
--- a/packages/elasticsearch/data_stream/shard/fields/ecs.yml
+++ b/packages/elasticsearch/data_stream/shard/fields/ecs.yml
@@ -17,3 +17,5 @@
   external: ecs
 - name: service.name
   external: ecs
+- name: error.message
+  external: ecs
diff --git a/packages/kibana/data_stream/cluster_actions/fields/ecs.yml b/packages/kibana/data_stream/cluster_actions/fields/ecs.yml
index 7a5b56ce613..c1a9369cc96 100644
--- a/packages/kibana/data_stream/cluster_actions/fields/ecs.yml
+++ b/packages/kibana/data_stream/cluster_actions/fields/ecs.yml
@@ -20,3 +20,5 @@
   external: ecs
 - name: host.name
   external: ecs
+- name: error.message
+  external: ecs
diff --git a/packages/kibana/data_stream/cluster_rules/fields/ecs.yml b/packages/kibana/data_stream/cluster_rules/fields/ecs.yml
index 7a5b56ce613..c1a9369cc96 100644
--- a/packages/kibana/data_stream/cluster_rules/fields/ecs.yml
+++ b/packages/kibana/data_stream/cluster_rules/fields/ecs.yml
@@ -20,3 +20,5 @@
   external: ecs
 - name: host.name
   external: ecs
+- name: error.message
+  external: ecs
diff --git a/packages/kibana/data_stream/node_actions/fields/ecs.yml b/packages/kibana/data_stream/node_actions/fields/ecs.yml
index 7a5b56ce613..c1a9369cc96 100644
--- a/packages/kibana/data_stream/node_actions/fields/ecs.yml
+++ b/packages/kibana/data_stream/node_actions/fields/ecs.yml
@@ -20,3 +20,5 @@
   external: ecs
 - name: host.name
   external: ecs
+- name: error.message
+  external: ecs
diff --git a/packages/kibana/data_stream/node_rules/fields/ecs.yml b/packages/kibana/data_stream/node_rules/fields/ecs.yml
index 7a5b56ce613..c1a9369cc96 100644
--- a/packages/kibana/data_stream/node_rules/fields/ecs.yml
+++ b/packages/kibana/data_stream/node_rules/fields/ecs.yml
@@ -20,3 +20,5 @@
   external: ecs
 - name: host.name
   external: ecs
+- name: error.message
+  external: ecs
diff --git a/packages/kibana/data_stream/stats/fields/ecs.yml b/packages/kibana/data_stream/stats/fields/ecs.yml
index 7a5b56ce613..c1a9369cc96 100644
--- a/packages/kibana/data_stream/stats/fields/ecs.yml
+++ b/packages/kibana/data_stream/stats/fields/ecs.yml
@@ -20,3 +20,5 @@
   external: ecs
 - name: host.name
   external: ecs
+- name: error.message
+  external: ecs
diff --git a/packages/kibana/data_stream/status/fields/ecs.yml b/packages/kibana/data_stream/status/fields/ecs.yml
index bb81f45e7a5..ff48f3f3b0d 100644
--- a/packages/kibana/data_stream/status/fields/ecs.yml
+++ b/packages/kibana/data_stream/status/fields/ecs.yml
@@ -11,3 +11,5 @@
 - name: service.address
   type: keyword
   description: Address where data about this service was collected from.
+- name: error.message
+  external: ecs
diff --git a/packages/kibana/docs/README.md b/packages/kibana/docs/README.md
index ae86564bbe2..e9865aab9cf 100644
--- a/packages/kibana/docs/README.md
+++ b/packages/kibana/docs/README.md
@@ -353,6 +353,7 @@ Cluster actions metrics documentation
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
 | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
 | event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
 | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
@@ -465,6 +466,7 @@ Cluster rules metrics
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
 | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
 | event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
 | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
@@ -577,6 +579,7 @@ Node actions metrics
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
 | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
 | event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
 | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
@@ -685,6 +688,7 @@ Node rules metrics
 | data_stream.namespace | Data stream namespace. | constant_keyword |
 | data_stream.type | Data stream type. | constant_keyword |
 | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
+| error.message | Error message. | match_only_text |
 | event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | keyword |
 | event.duration | Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time. | long |
 | event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
diff --git a/packages/logstash/data_stream/node/fields/ecs.yml b/packages/logstash/data_stream/node/fields/ecs.yml
index cb8e74422f1..aad92fac0ef 100644
--- a/packages/logstash/data_stream/node/fields/ecs.yml
+++ b/packages/logstash/data_stream/node/fields/ecs.yml
@@ -23,3 +23,5 @@
   external: ecs
 - name: host.name
   external: ecs
+- name: error.message
+  external: ecs
diff --git a/packages/logstash/data_stream/node_stats/fields/ecs.yml b/packages/logstash/data_stream/node_stats/fields/ecs.yml
index cb8e74422f1..aad92fac0ef 100644
--- a/packages/logstash/data_stream/node_stats/fields/ecs.yml
+++ b/packages/logstash/data_stream/node_stats/fields/ecs.yml
@@ -23,3 +23,5 @@
   external: ecs
 - name: host.name
   external: ecs
+- name: error.message
+  external: ecs