System fields

These are the fields generated by the system module.

event.origin: Origin of the event. This can be a file path (e.g. /var/log/log.1), or the name of the system component that supplied the data (e.g. netlink).

type: keyword

user.entity_id: ID uniquely identifying the user on a host. It is computed as a SHA-256 hash of the host ID, user ID, and user name.

type: keyword

user.terminal: Terminal of the user.

type: keyword

process.thread.capabilities.effective: This is the set of capabilities used by the kernel to perform permission checks for the thread.

type: keyword

example: ["CAP_BPF", "CAP_SYS_ADMIN"]

process.thread.capabilities.permitted: This is a limiting superset for the effective capabilities that the thread may assume.

type: keyword

example: ["CAP_BPF", "CAP_SYS_ADMIN"]

hash

Hashes of the executable. The keys are algorithm names and the values are the hex encoded digest values.

process.hash.blake2b_256: BLAKE2b-256 hash of the executable.

type: keyword

process.hash.blake2b_384: BLAKE2b-384 hash of the executable.

type: keyword

process.hash.blake2b_512: BLAKE2b-512 hash of the executable.

type: keyword

process.hash.sha224: SHA224 hash of the executable.

type: keyword

process.hash.sha384: SHA384 hash of the executable.

type: keyword

process.hash.sha3_224: SHA3_224 hash of the executable.

type: keyword

process.hash.sha3_256: SHA3_256 hash of the executable.

type: keyword

process.hash.sha3_384: SHA3_384 hash of the executable.

type: keyword

process.hash.sha3_512: SHA3_512 hash of the executable.

type: keyword

process.hash.sha512_224: SHA512/224 hash of the executable.

type: keyword

process.hash.sha512_256: SHA512/256 hash of the executable.

type: keyword

process.hash.xxh64: XX64 hash of the executable.

type: keyword

system.audit

host

host contains general host information.

system.audit.host.uptime: Uptime in nanoseconds.

type: long

format: duration

system.audit.host.boottime: Boot time.

type: date

system.audit.host.containerized: Set if host is a container.

type: boolean

system.audit.host.timezone.name: Name of the timezone of the host, e.g. BST.

type: keyword

system.audit.host.timezone.offset.sec: Timezone offset in seconds.

type: long

system.audit.host.hostname: Hostname.

type: keyword

system.audit.host.id: Host ID.

type: keyword

system.audit.host.architecture: Host architecture (e.g. x86_64).

type: keyword

system.audit.host.mac: MAC addresses.

type: keyword

system.audit.host.ip: IP addresses.

type: ip

os

os contains information about the operating system.

system.audit.host.os.codename: OS codename, if any (e.g. stretch).

type: keyword

system.audit.host.os.platform: OS platform (e.g. centos, ubuntu, windows).

type: keyword

system.audit.host.os.name: OS name (e.g. Mac OS X).

type: keyword

system.audit.host.os.family: OS family (e.g. redhat, debian, freebsd, windows).

type: keyword

system.audit.host.os.version: OS version.

type: keyword

system.audit.host.os.kernel: The operating system’s kernel version.

type: keyword

system.audit.host.os.type: OS type (see ECS os.type).

type: keyword

package

package contains information about an installed or removed package.

system.audit.package.entity_id: ID uniquely identifying the package. It is computed as a SHA-256 hash of the host ID, package name, and package version.

type: keyword

system.audit.package.name: Package name.

type: keyword

system.audit.package.version: Package version.

type: keyword

system.audit.package.release: Package release.

type: keyword

system.audit.package.arch: Package architecture.

type: keyword

system.audit.package.license: Package license.

type: keyword

system.audit.package.installtime: Package install time.

type: date

system.audit.package.size: Package size.

type: long

system.audit.package.summary: Package summary.
system.audit.package.url: Package URL.

type: keyword

user

user contains information about the users on a system.

system.audit.user.name: User name.

type: keyword

system.audit.user.uid: User ID.

type: keyword

system.audit.user.gid: Group ID.

type: keyword

system.audit.user.dir: User’s home directory.

type: keyword

system.audit.user.shell: Program to run at login.

type: keyword

system.audit.user.user_information: General user information. On Linux, this is the gecos field.

type: keyword

system.audit.user.group: group contains information about any groups the user is part of (beyond the user’s primary group).

type: object

password

password contains information about a user’s password (not the password itself).

system.audit.user.password.type: A user’s password type. Possible values are shadow_password (the password hash is in the shadow file), password_disabled, no_password (this is dangerous as anyone can log in), and crypt_password (when the password field in /etc/passwd seems to contain an encrypted password).

type: keyword

system.audit.user.password.last_changed: The day the user’s password was last changed.

type: date