Common fields

Contains common fields available in all event types.

The name of the module that generated the event.
The name of the module’s dataset that generated the event.

type: keyword

example: logged-in

Action describes the change that triggered the event. For the file integrity module the possible values are: attributes_modified, created, deleted, updated, moved, and config_change.

type: keyword

example: 8a4f500d

Unique ID to describe the event.


type: keyword

example: state

The kind of the event. This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are event, state, alarm. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field; please use it with caution.


type: text

example: Hello World

For log events the message field contains the log message. In other use cases the message field can be used to concatenate different values which are then freely searchable. If multiple messages exist, they can be combined into one message.

process fields

These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The often stays in the metric itself and is copied to the global field for correlation.


type: date

example: 2016-05-23T08:05:34.853Z

The time the process started.


type: keyword

example: /home/alice

The working directory of the process.


type: keyword

example: /usr/bin/ssh

Absolute path to the process executable.


type: keyword

example: IPv4

In the OSI Model this would be the Network Layer: IPv4, IPv6, IPSec, PIM, etc.

user fields

The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.

type: keyword

One or multiple unique identifiers of the user.

type: keyword

example: albert

Short name or login of the user.

file fields

File attributes.


type: text

The path to the file.


type: keyword

The path to the file. This is a non-analyzed field that is useful for aggregations.


type: keyword

The target path for symlinks.


type: keyword

The file type (file, dir, or symlink).


type: keyword

The device.


type: keyword

The inode representing the file in the filesystem.


type: keyword

The user ID (UID) or security identifier (SID) of the file owner.


type: keyword

The file owner’s username.


type: keyword

The primary group ID (GID) of the file.

type: keyword

The primary group name of the file.


type: keyword

example: 416

The mode of the file in octal representation.


type: boolean

example: True

Set if the file has the setuid bit set. Omitted otherwise.


type: boolean

example: True

Set if the file has the setgid bit set. Omitted otherwise.


type: long

The file size in bytes (field is only added when type is file).


type: date

The last modified time of the file (time when content was modified).


type: date

The last change time of the file (time when metadata was changed).


type: text

An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.


type: keyword

This is a non-analyzed field that is useful for aggregations on the origin data.
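The file fields above carry a few conditional rules that are easy to get wrong when building or validating these events: the mode is reported in octal, the setuid and setgid flags are present only when the bit is set, the size is present only for regular files, and a symlink is described by its own metadata plus its target path. The following Python is an added example, not code from Auditbeat or this reference; it derives those fields from os.lstat, and the dotted-free key names (path, mode, setuid, size, target_path and so on) are assumed for illustration since the reference above does not spell out the field names.

```python
import os
import stat
from datetime import datetime, timezone


def mode_fields(st_mode: int) -> dict:
    """Derive the mode-related fields from a raw st_mode value.

    The mode is rendered in octal (e.g. "0644"); setuid and setgid are
    emitted only when the corresponding bit is set, mirroring the
    "Omitted otherwise" rule in the reference above.
    """
    fields = {"mode": "%04o" % stat.S_IMODE(st_mode)}
    if st_mode & stat.S_ISUID:
        fields["setuid"] = True
    if st_mode & stat.S_ISGID:
        fields["setgid"] = True
    return fields


def file_type(st_mode: int) -> str:
    """Map st_mode to the three type values used by the file fields."""
    if stat.S_ISLNK(st_mode):
        return "symlink"
    if stat.S_ISDIR(st_mode):
        return "dir"
    return "file"


def _iso(ts: float) -> str:
    # UTC timestamp with millisecond precision, e.g. 2016-05-23T08:05:34.853Z
    return (datetime.fromtimestamp(ts, tz=timezone.utc)
            .isoformat(timespec="milliseconds")
            .replace("+00:00", "Z"))


def file_fields(path: str) -> dict:
    """Build the file fields for one path (key names are assumed)."""
    # lstat so a symlink is described as itself rather than as its target
    st = os.lstat(path)
    ftype = file_type(st.st_mode)
    fields = {
        "path": path,
        "type": ftype,
        "device": str(st.st_dev),
        "inode": str(st.st_ino),
        "uid": str(st.st_uid),
        "gid": str(st.st_gid),
        "mtime": _iso(st.st_mtime),   # content modification time
        "ctime": _iso(st.st_ctime),   # metadata change time
    }
    fields.update(mode_fields(st.st_mode))
    # size is only added when the type is "file"
    if ftype == "file":
        fields["size"] = st.st_size
    # target path is only meaningful for symlinks
    if ftype == "symlink":
        fields["target_path"] = os.readlink(path)
    return fields


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(file_fields(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

A consumer that checks for a setuid change should therefore test for the presence of the setuid key rather than for a false value, and should not assume a size key exists on directory or symlink events.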

selinux fields

The SELinux identity of the file.


type: keyword

The owner of the object.


type: keyword

The object’s SELinux role.


type: keyword

The object’s SELinux domain or type.


type: keyword

example: s0

The object’s SELinux level.