⚠️ Outdated Version: You are viewing ECS version 1.12, which is outdated. View the latest version (9.0)

ECS Version:

Host

Fields describing the relevant computing instance.

Fields

Field Summary

Field	Type	Level	Description
`host.architecture`	keyword	Core	Operating system architecture.
`host.cpu.usage`	scaled_float	Extended	Percent CPU used, between 0 and 1.
`host.disk.read.bytes`	long	Extended	The number of bytes read by all disks.
`host.disk.write.bytes`	long	Extended	The number of bytes written on all disks.
`host.domain`	keyword	Extended	Name of the directory the group is a member of.
`host.geo.city_name`	keyword	Core	City name.
`host.geo.continent_code`	keyword	Core	Continent code.
`host.geo.continent_name`	keyword	Core	Name of the continent.
`host.geo.country_iso_code`	keyword	Core	Country ISO code.
`host.geo.country_name`	keyword	Core	Country name.
`host.geo.location`	geo_point	Core	Longitude and latitude.
`host.geo.name`	keyword	Extended	User-defined description of a location.
`host.geo.postal_code`	keyword	Core	Postal code.
`host.geo.region_iso_code`	keyword	Core	Region ISO code.
`host.geo.region_name`	keyword	Core	Region name.
`host.geo.timezone`	keyword	Core	Time zone.
`host.hostname`	keyword	Core	Hostname of the host.
`host.id`	keyword	Core	Unique host id.
`host.ip`	ip	Core	Host ip addresses.
`host.mac`	keyword	Core	Host MAC addresses.
`host.name`	keyword	Core	Name of the host.
`host.network.egress.bytes`	long	Extended	The number of bytes sent on all network interfaces.
`host.network.egress.packets`	long	Extended	The number of packets sent on all network interfaces.
`host.network.ingress.bytes`	long	Extended	The number of bytes received on all network interfaces.
`host.network.ingress.packets`	long	Extended	The number of packets received on all network interfaces.
`host.os.family`	keyword	Extended	OS family (such as redhat, debian, freebsd, windows).
`host.os.full`	keyword	Extended	Operating system name, including the version or code name.
`host.os.full.text`	match_only_text	Extended	Operating system name, including the version or code name.
`host.os.kernel`	keyword	Extended	Operating system kernel version as a raw string.
`host.os.name`	keyword	Extended	Operating system name, without the version.
`host.os.name.text`	match_only_text	Extended	Operating system name, without the version.
`host.os.platform`	keyword	Extended	Operating system platform (such centos, ubuntu, windows).
`host.os.type`	keyword	Extended	Which commercial OS family (one of: linux, macos, unix or windows).
`host.os.version`	keyword	Extended	Operating system version as a raw string.
`host.type`	keyword	Core	Type of host.
`host.uptime`	long	Extended	Seconds the host has been up.
`host.user.domain`	keyword	Extended	Name of the directory the user is a member of.
`host.user.email`	keyword	Extended	User email address.
`host.user.full_name`	keyword	Extended	User's full name, if available.
`host.user.full_name.text`	match_only_text	Extended	User's full name, if available.
`host.user.group.domain`	keyword	Extended	Name of the directory the group is a member of.
`host.user.group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`host.user.group.name`	keyword	Extended	Name of the group.
`host.user.hash`	keyword	Extended	Unique user hash to correlate information for a user in anonymized form.
`host.user.id`	keyword	Core	Unique identifier of the user.
`host.user.name`	keyword	Core	Short name or login of the user.
`host.user.name.text`	match_only_text	Core	Short name or login of the user.
`host.user.roles`	keyword	Extended	Array of user roles at the time of the event.

Field Details

`host.architecture`

Type: keyword

Level: Core

Description: Operating system architecture.

Example: x86_64

Indexed: true

`host.cpu.usage`

Type: scaled_float

Level: Extended

Description: Percent CPU used, between 0 and 1.

Indexed: true

`host.disk.read.bytes`

Type: long

Level: Extended

Description: The number of bytes read by all disks.

Indexed: true

`host.disk.write.bytes`

Type: long

Level: Extended

Description: The number of bytes written on all disks.

Indexed: true

`host.domain`

Type: keyword

Level: Extended

Description: Name of the directory the group is a member of.

Example: CONTOSO

Indexed: true

`host.geo.city_name`

Type: keyword

Level: Core

Description: City name.

Example: Montreal

Indexed: true

`host.geo.continent_code`

Type: keyword

Level: Core

Description: Continent code.

Example: NA

Indexed: true

`host.geo.continent_name`

Type: keyword

Level: Core

Description: Name of the continent.

Example: North America

Indexed: true

`host.geo.country_iso_code`

Type: keyword

Level: Core

Description: Country ISO code.

Example: CA

Indexed: true

`host.geo.country_name`

Type: keyword

Level: Core

Description: Country name.

Example: Canada

Indexed: true

`host.geo.location`

Type: geo_point

Level: Core

Description: Longitude and latitude.

Example: { "lon": -73.614830, "lat": 45.505918 }

Indexed: true

`host.geo.name`

Type: keyword

Level: Extended

Description: User-defined description of a location.

Example: boston-dc

Indexed: true

`host.geo.postal_code`

Type: keyword

Level: Core

Description: Postal code.

Example: 94040

Indexed: true

`host.geo.region_iso_code`

Type: keyword

Level: Core

Description: Region ISO code.

Example: CA-QC

Indexed: true

`host.geo.region_name`

Type: keyword

Level: Core

Description: Region name.

Example: Quebec

Indexed: true

`host.geo.timezone`

Type: keyword

Level: Core

Description: Time zone.

Example: America/Argentina/Buenos_Aires

Indexed: true

`host.hostname`

Type: keyword

Level: Core

Description: Hostname of the host.

Indexed: true

`host.id`

Type: keyword

Level: Core

Description: Unique host id.

Indexed: true

`host.ip`

Type: ip

Level: Core

Description: Host ip addresses.

Normalization: array

Indexed: true

`host.mac`

Type: keyword

Level: Core

Description: Host MAC addresses.

Example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]

Normalization: array

Indexed: true

`host.name`

Type: keyword

Level: Core

Description: Name of the host.

Indexed: true

`host.network.egress.bytes`

Type: long

Level: Extended

Description: The number of bytes sent on all network interfaces.

Indexed: true

`host.network.egress.packets`

Type: long

Level: Extended

Description: The number of packets sent on all network interfaces.

Indexed: true

`host.network.ingress.bytes`

Type: long

Level: Extended

Description: The number of bytes received on all network interfaces.

Indexed: true

`host.network.ingress.packets`

Type: long

Level: Extended

Description: The number of packets received on all network interfaces.

Indexed: true

`host.os.family`

Type: keyword

Level: Extended

Description: OS family (such as redhat, debian, freebsd, windows).

Example: debian

Indexed: true

`host.os.full`

Type: keyword

Level: Extended

Description: Operating system name, including the version or code name.

Example: Mac OS Mojave

Indexed: true

`host.os.full.text`

Type: match_only_text

Level: Extended

Description: Operating system name, including the version or code name.

Example: Mac OS Mojave

Indexed: true

`host.os.kernel`

Type: keyword

Level: Extended

Description: Operating system kernel version as a raw string.

Example: 4.4.0-112-generic

Indexed: true

`host.os.name`

Type: keyword

Level: Extended

Description: Operating system name, without the version.

Example: Mac OS X

Indexed: true

`host.os.name.text`

Type: match_only_text

Level: Extended

Description: Operating system name, without the version.

Example: Mac OS X

Indexed: true

`host.os.platform`

Type: keyword

Level: Extended

Description: Operating system platform (such centos, ubuntu, windows).

Example: darwin

Indexed: true

`host.os.type`

Type: keyword

Level: Extended

Description: Which commercial OS family (one of: linux, macos, unix or windows).

Example: macos

Indexed: true

`host.os.version`

Type: keyword

Level: Extended

Description: Operating system version as a raw string.

Example: 10.14.1

Indexed: true

`host.type`

Type: keyword

Level: Core

Description: Type of host.

Indexed: true

`host.uptime`

Type: long

Level: Extended

Description: Seconds the host has been up.

Example: 1325

Indexed: true

`host.user.domain`

Type: keyword

Level: Extended

Description: Name of the directory the user is a member of.

Indexed: true

`host.user.email`

Type: keyword

Level: Extended

Description: User email address.

Indexed: true

`host.user.full_name`

Type: keyword

Level: Extended

Description: User's full name, if available.

Example: Albert Einstein

Indexed: true

`host.user.full_name.text`

Type: match_only_text

Level: Extended

Description: User's full name, if available.

Example: Albert Einstein

Indexed: true

`host.user.group.domain`

Type: keyword

Level: Extended

Description: Name of the directory the group is a member of.

Indexed: true

`host.user.group.id`

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

`host.user.group.name`

Type: keyword

Level: Extended

Description: Name of the group.

Indexed: true

`host.user.hash`

Type: keyword

Level: Extended

Description: Unique user hash to correlate information for a user in anonymized form.

Indexed: true

`host.user.id`

Type: keyword

Level: Core

Description: Unique identifier of the user.

Example: S-1-5-21-202424912787-2692429404-2351956786-1000

Indexed: true

`host.user.name`

Type: keyword

Level: Core

Description: Short name or login of the user.

Example: a.einstein

Indexed: true

`host.user.name.text`

Type: match_only_text

Level: Core

Description: Short name or login of the user.

Example: a.einstein

Indexed: true

`host.user.roles`

Type: keyword

Level: Extended

Description: Array of user roles at the time of the event.

Example: ["kibana_admin", "reporting_user"]

Normalization: array

Indexed: true

Group HTTP