Operating System Fieldsedit

The OS fields contain information about the operating system.

Operating System Field Detailsedit

Field Description Level

os.family

OS family (such as redhat, debian, freebsd, windows).

type: keyword

example: debian

extended

os.full

Operating system name, including the version or code name.

type: keyword

Multi-fields:

* os.full.text (type: match_only_text)

example: Mac OS Mojave

extended

os.kernel

Operating system kernel version as a raw string.

type: keyword

example: 4.4.0-112-generic

extended

os.name

Operating system name, without the version.

type: keyword

Multi-fields:

* os.name.text (type: match_only_text)

example: Mac OS X

extended

os.platform

Operating system platform (such centos, ubuntu, windows).

type: keyword

example: darwin

extended

os.type

Use the os.type field to categorize the operating system into one of the broad commercial families.

One of these following values should be used (lowercase): linux, macos, unix, windows.

If the OS you’re dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition.

type: keyword

example: macos

extended

os.version

Operating system version as a raw string.

type: keyword

example: 10.14.1

extended

Field Reuseedit

The os fields are expected to be nested at:

  • host.os
  • observer.os
  • user_agent.os

Note also that the os fields are not expected to be used directly at the root of the events.