Elastic Common Schema (ECS)
For more details, see the official documentation.
ECS Generic attributes table
| Attribute | Description | Values as an example |
|---|---|---|
| @timestamp | Date/time when the event originated. | 2022-05-23T08:05:34.853Z |
| client.ip | The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. | 52.108.224.1 |
| cnt | Count of events. | 1 |
| destination.ip | The original destination IP address of the device that was used when the activity was logged. | 85.162.11.26 |
| ecs.version | ECS version this event conforms to. | 1.0.0 |
| event.action | Description of the original event that triggered creating of the particular log. | UserLoggedIn, MessageTrace, FilePreviewed |
| event.original | Full and unmodified log for auditing. | 10.42.42.42 - - [07/Dec ... |
| http.request.method | HTTP request is an action to be performed on a resource identified by a given Request-URL. | get |
| http.response.body.bytes | SIze of the HTTP request in bytes. | 2571 |
| http.response.status_code | HTTP response status codes indicate whether a specific HTTP request has been successfully completed. | 200 |
| http.version | Current version of the Hypertext Transfer Protocol. | 1.1 |
| host.hostname | Hostname of the host. | webserver-blog-prod |
| message | Text representation of the significant information from the event for succinct display in a log viewer. | "GET /blog HTTP/1.1" 200 2571 |
| service.name | Your custom name for this service. | Company blog |
| service.type | Type of the service used with this instance. | apache |
| source.geo.* | Fields for geo-location. | |
| url.original | Original url path. | /blog |
| user.name | Name of the user. | Albus Dumbledore |
| user_agent.* | Fields describing the user agent. | |
| event.dataset | Name of the dataset. | microsoft-office-365 |
| event.id | Unique identification value. | b4b4c44c-ff30-4ddd-bfbe-44e082570800 |
| event.ingested | Timestamp when an event arrived in the central data store. | 2022-05-23T08:05:34.853Z |
| event.kind | Value of this field can be used to inform how these kinds of events should be handled. | alert, enrichment, event, metric, state, pipeline_error, signal |
| log.original | Raw log formate that is received before the parcing process takes place. | <165>Jan 17 12:20:25 hostname %ASA-5-111010: User 'harry', running 'N/A' from IP 192.68.0.2, executed 'write memory' |
| organization.id | ID of the original source organization of an event. | TeskaLabsCom.onmicrosoft.com |
| recipient.address | E-mail address of original recipient of the message. | accounting@teskalabs.com |
| sender.address | E-mail address of original sender of the message. | support@teskalabs.com |
| source.ip | IP address of the source device or system. | 149.72.113.167 |
| tenant | Tenant identification in each event. | default |
| user.id | User identification of each event. | automata@teskalabs.com |