Logit.io ECS Field Reference
What is ECS?
ECS (Elastic Common Schema) is an open-source specification that defines a common set of field names and data types for use in event data. Logit.io provides ECS field sets as component templates that you can use in your own index templates to standardize your log and event data.
Why Use ECS Fields?
ECS fields provide several key benefits:
- Consistency: Standardized field names across different data sources make it easier to search, analyze, and correlate events
- Interoperability: Data from different tools and systems can be normalized to the same schema, enabling unified analysis
- Best Practices: ECS incorporates industry best practices for observability, security, and compliance use cases
- Reusability: Component templates can be easily incorporated into your index templates, reducing configuration overhead
- Future-Proof: As ECS evolves, your data remains compatible with new tools and integrations that support the schema
How ECS Works
ECS organizes fields into logical groups called field sets. Each field set represents a domain of information (e.g., network, process, user). These field sets are provided as component templates that can be referenced in your OpenSearch index templates.
The Base field set contains fields that are defined directly at the root of events (like @timestamp, message, tags). All other field sets are defined as nested objects in OpenSearch, allowing for structured, hierarchical data organization.
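A short worked example of the layout just described, added here and not part of Logit.io's documentation: shippers often emit flat, dotted keys (`host.name`, `source.ip`), while the ECS mappings expect Base fields at the root and every other field set as a nested object. The helper below reshapes such a record and rejects the mapping conflicts that this layout makes possible (a scalar `host` next to `host.name`); the sample record is constructed for the example.

```python
"""Reshape a flat, dotted-key event into the ECS document layout:
Base fields at the root, all other field sets as nested objects."""
from typing import Any

# Base field set members that live directly at the event root (ECS 9.0).
BASE_FIELDS = {"@timestamp", "message", "tags", "labels"}


def to_ecs_document(flat: dict[str, Any]) -> dict[str, Any]:
    """Expand 'a.b.c' keys into {'a': {'b': {'c': ...}}}.

    Raises ValueError when a scalar and an object would share a path,
    which is exactly the case OpenSearch rejects at index time."""
    doc: dict[str, Any] = {}
    for key, value in flat.items():
        parts = [key] if key in BASE_FIELDS else key.split(".")
        node = doc
        for part in parts[:-1]:
            child = node.get(part)
            if child is None:
                child = node[part] = {}
            elif not isinstance(child, dict):
                raise ValueError(f"{key!r} conflicts with scalar field {part!r}")
            node = child
        leaf = parts[-1]
        if isinstance(node.get(leaf), dict):
            raise ValueError(f"{key!r} conflicts with object field {leaf!r}")
        node[leaf] = value
    return doc


def field_sets_used(doc: dict[str, Any]) -> list[str]:
    """Top-level nested objects are the ECS field sets an event populates."""
    return sorted(k for k, v in doc.items() if isinstance(v, dict))


# Constructed sample record, as a beat or syslog shipper might emit it.
SAMPLE = {
    "@timestamp": "2024-05-01T12:00:00Z",
    "message": "Accepted publickey for alice from 10.0.0.5 port 51234",
    "tags": ["auth"],
    "host.name": "web-01",
    "source.ip": "10.0.0.5",
    "source.port": 51234,
    "event.category": ["authentication"],
    "user.name": "alice",
}

if __name__ == "__main__":
    print(to_ecs_document(SAMPLE))
```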
Field Sets Reference
This documentation covers Logit.io ECS Schema version 9.0. Below is a complete reference of all available field sets:
| Field Set | Description |
|---|---|
| Base | All fields defined directly at the root of the events. |
| Agent | Fields about the monitoring agent. |
| Client | Fields about the client side of a network connection, used with server. |
| Cloud | Fields about the cloud resource. |
| Container | Fields describing the container that generated this event. |
| Data Stream | The data_stream fields take part in defining the new data stream naming scheme. |
| Destination | Fields about the destination side of a network connection, used with source. |
| Device | Fields characterizing a (mobile) device a process or application is running on. |
| DLL | These fields contain information about code libraries dynamically loaded into processes. |
| DNS | Fields describing DNS queries and answers. |
| ECS | Meta-information specific to ECS. |
| Email | Describes an email transaction. |
| Error | Fields about errors of any kind. |
| Event | Fields breaking down the event details. |
| FaaS | Fields describing functions as a service. |
| File | Fields describing files. |
| Group | User's group relevant to the event. |
| Host | Fields describing the relevant computing instance. |
| HTTP | Fields describing an HTTP request. |
| Log | Details about the event's logging mechanism. |
| Network | Fields describing the communication path over which the event happened. |
| Observer | Fields describing an entity observing the event from outside the host. |
| Orchestrator | Fields relevant to container orchestrators. |
| Organization | Fields describing the organization or company the event is associated with. |
| Package | These fields contain information about an installed software package. |
| Process | These fields contain information about a process. |
| Registry | Fields related to Windows Registry operations. |
| Related | Fields meant to facilitate pivoting around a piece of data. |
| Rule | Fields to capture details about rules used to generate alerts or other notable events. |
| Server | Fields about the server side of a network connection, used with client. |
| Service | Fields describing the service for or from which the data was collected. |
| Source | Fields about the source side of a network connection, used with destination. |
| Span | Fields related to distributed tracing. |
| Threat | Fields to classify events and alerts according to a threat taxonomy. |
| TLS | Fields describing a TLS connection. |
| Trace | Fields related to distributed tracing. |
| Transaction | Fields related to distributed tracing. |
| URL | Fields that let you store URLs in various forms. |
| User | Fields to describe the user relevant to the event. |
| User agent | Fields to describe a browser user_agent string. |
| Volume | Fields related to storage volume details. |
| Vulnerability | Fields to describe the vulnerability relevant to an event. |