These are the fields generated by the system module.
-
event.origin
-
Origin of the event. This can be a file path (e.g.
/var/log/log.1
), or the name of the system component that supplied the data (e.g.netlink
).type: keyword
-
user.entity_id
-
ID uniquely identifying the user on a host. It is computed as a SHA-256 hash of the host ID, user ID, and user name.
type: keyword
-
user.terminal
-
Terminal of the user.
type: keyword
Hashes of the executable. The keys are algorithm names and the values are the hex encoded digest values.
-
process.hash.blake2b_256
-
BLAKE2b-256 hash of the executable.
type: keyword
-
process.hash.blake2b_384
-
BLAKE2b-384 hash of the executable.
type: keyword
-
process.hash.blake2b_512
-
BLAKE2b-512 hash of the executable.
type: keyword
-
process.hash.sha224
-
SHA224 hash of the executable.
type: keyword
-
process.hash.sha384
-
SHA384 hash of the executable.
type: keyword
-
process.hash.sha3_224
-
SHA3_224 hash of the executable.
type: keyword
-
process.hash.sha3_256
-
SHA3_256 hash of the executable.
type: keyword
-
process.hash.sha3_384
-
SHA3_384 hash of the executable.
type: keyword
-
process.hash.sha3_512
-
SHA3_512 hash of the executable.
type: keyword
-
process.hash.sha512_224
-
SHA512/224 hash of the executable.
type: keyword
-
process.hash.sha512_256
-
SHA512/256 hash of the executable.
type: keyword
-
process.hash.xxh64
-
XX64 hash of the executable.
type: keyword
host
contains general host information.
-
system.audit.host.uptime
-
Uptime in nanoseconds.
type: long
format: duration
-
system.audit.host.boottime
-
Boot time.
type: date
-
system.audit.host.containerized
-
Set if host is a container.
type: boolean
-
system.audit.host.timezone.name
-
Name of the timezone of the host, e.g. BST.
type: keyword
-
system.audit.host.timezone.offset.sec
-
Timezone offset in seconds.
type: long
-
system.audit.host.hostname
-
Hostname.
type: keyword
-
system.audit.host.id
-
Host ID.
type: keyword
-
system.audit.host.architecture
-
Host architecture (e.g. x86_64).
type: keyword
-
system.audit.host.mac
-
MAC addresses.
type: keyword
-
system.audit.host.ip
-
IP addresses.
type: ip
os
contains information about the operating system.
-
system.audit.host.os.codename
-
OS codename, if any (e.g. stretch).
type: keyword
-
system.audit.host.os.platform
-
OS platform (e.g. centos, ubuntu, windows).
type: keyword
-
system.audit.host.os.name
-
OS name (e.g. Mac OS X).
type: keyword
-
system.audit.host.os.family
-
OS family (e.g. redhat, debian, freebsd, windows).
type: keyword
-
system.audit.host.os.version
-
OS version.
type: keyword
-
system.audit.host.os.kernel
-
The operating system’s kernel version.
type: keyword
-
system.audit.host.os.type
-
OS type (see ECS os.type).
type: keyword
package
contains information about an installed or removed package.
-
system.audit.package.entity_id
-
ID uniquely identifying the package. It is computed as a SHA-256 hash of the host ID, package name, and package version.
type: keyword
-
system.audit.package.name
-
Package name.
type: keyword
-
system.audit.package.version
-
Package version.
type: keyword
-
system.audit.package.release
-
Package release.
type: keyword
-
system.audit.package.arch
-
Package architecture.
type: keyword
-
system.audit.package.license
-
Package license.
type: keyword
-
system.audit.package.installtime
-
Package install time.
type: date
-
system.audit.package.size
-
Package size.
type: long
-
system.audit.package.summary
-
Package summary.
-
system.audit.package.url
-
Package URL.
type: keyword
user
contains information about the users on a system.
-
system.audit.user.name
-
User name.
type: keyword
-
system.audit.user.uid
-
User ID.
type: keyword
-
system.audit.user.gid
-
Group ID.
type: keyword
-
system.audit.user.dir
-
User’s home directory.
type: keyword
-
system.audit.user.shell
-
Program to run at login.
type: keyword
-
system.audit.user.user_information
-
General user information. On Linux, this is the gecos field.
type: keyword
-
system.audit.user.group
-
group
contains information about any groups the user is part of (beyond the user’s primary group).type: object
password
contains information about a user’s password (not the password itself).
-
system.audit.user.password.type
-
A user’s password type. Possible values are
shadow_password
(the password hash is in the shadow file),password_disabled
,no_password
(this is dangerous as anyone can log in), andcrypt_password
(when the password field in /etc/passwd seems to contain an encrypted password).type: keyword
-
system.audit.user.password.last_changed
-
The day the user’s password was last changed.
type: date