ECS
Elastic Common Schema (ECS) is an open specification that defines a common set of document fields for data ingested into Elasticsearch. Field names are dotted paths (for example `source.ip`) that are stored as nested JSON objects, and the same names are used whatever the original log source was, so a single query or detection rule written against `event.category`, `event.outcome` and `source.ip` applies equally to an sshd line, a Windows security event, or a firewall log. The main field groups include:
| Field Group | Core Fields | Description |
|---|---|---|
| Base Fields | @timestamp, tags, labels, message | Universal fields that appear in every event |
| Host | host.name, host.ip, host.os.*, host.mac | Information about the host machine |
| Network | network.protocol, network.type, network.direction, network.bytes | Network activity details |
| Source/Destination | source.ip, source.port, destination.ip, destination.port | Communication endpoint information (the field set is `destination.*`, not `dest.*`) |
| User | user.id, user.name, user.domain, user.email | User-related information |
| Event | event.category, event.type, event.action, event.outcome | Event classification details |
| File | file.path, file.size, file.type, file.hash.* | File-related information |
| Process | process.pid, process.name, process.args, process.parent.* | Process execution details |
| Error | error.code, error.message, error.type, error.stack_trace | Error-related information |
| Trace | trace.id, span.id, transaction.id | Distributed tracing data |
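As an added example (not from the page and not Elastic's own code), the following Python maps two constructed log sources, OpenSSH auth lines and a Windows 4625 event already parsed into key/value form, into ECS documents using the field groups above, then runs one detection over both. The target `ECS_VERSION`, the year supplied for syslog timestamps (syslog lines carry none), and the `event.action` strings are assumptions for the example.

```python
"""Normalize two unrelated log sources into ECS documents and run one
detection over both.  Added example; all sample input is constructed."""
import json
import re
from collections import Counter
from datetime import datetime, timezone

ECS_VERSION = "8.11.0"  # assumed target schema version

# Constructed sample input (not real data).
SSHD_LINES = [
    "Jan 14 10:22:01 web01 sshd[2134]: Failed password for invalid user admin from 203.0.113.5 port 51422 ssh2",
    "Jan 14 10:22:04 web01 sshd[2139]: Failed password for root from 203.0.113.5 port 51430 ssh2",
    "Jan 14 10:23:10 web01 sshd[2150]: Accepted password for deploy from 198.51.100.7 port 40012 ssh2",
]
WIN_EVENTS = [  # a 4625 (logon failure) event as a shipper would extract it
    {"EventID": 4625, "Computer": "dc01.corp.example", "TargetUserName": "admin",
     "TargetDomainName": "CORP", "IpAddress": "203.0.113.5", "IpPort": "0",
     "TimeCreated": "2024-01-14T10:22:03Z"},
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def set_field(doc, dotted, value):
    """Store a value under a dotted ECS name, creating nested objects."""
    parts = dotted.split(".")
    cur = doc
    for p in parts[:-1]:
        cur = cur.setdefault(p, {})
    cur[parts[-1]] = value


def get_field(doc, dotted, default=None):
    """Read a dotted ECS name back out of a nested document."""
    cur = doc
    for p in dotted.split("."):
        if not isinstance(cur, dict) or p not in cur:
            return default
        cur = cur[p]
    return cur


def sshd_to_ecs(line, year=2024):
    """Map one sshd auth line to ECS; returns None for lines that do not match.
    The year is an assumption because syslog timestamps omit it."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year, tzinfo=timezone.utc)
    doc = {}
    set_field(doc, "@timestamp", ts.isoformat())
    set_field(doc, "ecs.version", ECS_VERSION)
    set_field(doc, "event.kind", "event")
    set_field(doc, "event.category", ["authentication"])  # ECS categorization fields are arrays
    set_field(doc, "event.type", ["start"])
    set_field(doc, "event.action", "ssh_login")  # assumed action label
    set_field(doc, "event.outcome", "success" if m["result"] == "Accepted" else "failure")
    set_field(doc, "host.name", m["host"])
    set_field(doc, "process.name", "sshd")
    set_field(doc, "process.pid", int(m["pid"]))
    set_field(doc, "user.name", m["user"])
    set_field(doc, "source.ip", m["ip"])
    set_field(doc, "source.port", int(m["port"]))
    set_field(doc, "message", line)  # keep the raw line in the base field
    return doc


def winlog_to_ecs(evt):
    """Map a parsed Windows 4625 logon-failure event to the same ECS fields."""
    doc = {}
    set_field(doc, "@timestamp", evt["TimeCreated"])
    set_field(doc, "ecs.version", ECS_VERSION)
    set_field(doc, "event.kind", "event")
    set_field(doc, "event.category", ["authentication"])
    set_field(doc, "event.type", ["start"])
    set_field(doc, "event.code", str(evt["EventID"]))
    set_field(doc, "event.action", "logon")  # assumed action label
    set_field(doc, "event.outcome", "failure" if evt["EventID"] == 4625 else "success")
    set_field(doc, "host.name", evt["Computer"])
    set_field(doc, "user.name", evt["TargetUserName"])
    set_field(doc, "user.domain", evt["TargetDomainName"])
    set_field(doc, "source.ip", evt["IpAddress"])
    set_field(doc, "source.port", int(evt["IpPort"]))
    return doc


def normalize_all():
    docs = [d for d in (sshd_to_ecs(l) for l in SSHD_LINES) if d]
    docs += [winlog_to_ecs(e) for e in WIN_EVENTS]
    return docs


def failed_logons_by_source(docs):
    """One detection over every source: failed authentications per source.ip."""
    counts = Counter()
    for d in docs:
        if "authentication" in get_field(d, "event.category", []) and \
                get_field(d, "event.outcome") == "failure":
            counts[get_field(d, "source.ip")] += 1
    return counts


if __name__ == "__main__":
    all_docs = normalize_all()
    print(json.dumps(all_docs[0], indent=2))
    print(dict(failed_logons_by_source(all_docs)))
```

The point of the exercise is the last function: because both shippers landed on the same `event.category`, `event.outcome` and `source.ip` names, the brute-force count sees the Linux and Windows failures from `203.0.113.5` as one series of three, which neither raw format would have revealed on its own. Note that `event.category` and `event.type` are arrays in ECS, so detection logic should test membership rather than equality.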