⚠️ Outdated Version: You are viewing ECS version 8.17, which is outdated. View the latest version (9.0)

ECS Version:

Server

Fields about the server side of a network connection, used with client.

Fields

Field Summary

Field	Type	Level	Description
`server.address`	keyword	Extended	Server network address.
`server.as.number`	long	Extended	Unique number allocated to the autonomous system.
`server.as.organization.name`	keyword	Extended	Organization name.
`server.as.organization.name.text`	match_only_text	Extended	Organization name.
`server.bytes`	long	Core	Bytes sent from the server to the client.
`server.domain`	keyword	Core	The domain name of the server.
`server.geo.city_name`	keyword	Core	City name.
`server.geo.continent_code`	keyword	Core	Continent code.
`server.geo.continent_name`	keyword	Core	Name of the continent.
`server.geo.country_iso_code`	keyword	Core	Country ISO code.
`server.geo.country_name`	keyword	Core	Country name.
`server.geo.location`	geo_point	Core	Longitude and latitude.
`server.geo.name`	keyword	Extended	User-defined description of a location.
`server.geo.postal_code`	keyword	Core	Postal code.
`server.geo.region_iso_code`	keyword	Core	Region ISO code.
`server.geo.region_name`	keyword	Core	Region name.
`server.geo.timezone`	keyword	Core	Time zone.
`server.ip`	ip	Core	IP address of the server.
`server.mac`	keyword	Core	MAC address of the server.
`server.nat.ip`	ip	Extended	Server NAT ip
`server.nat.port`	long	Extended	Server NAT port
`server.packets`	long	Core	Packets sent from the server to the client.
`server.port`	long	Core	Port of the server.
`server.registered_domain`	keyword	Extended	The highest registered server domain, stripped of the subdomain.
`server.subdomain`	keyword	Extended	The subdomain of the domain.
`server.top_level_domain`	keyword	Extended	The effective top level domain (com, org, net, co.uk).
`server.user.domain`	keyword	Extended	Name of the directory the user is a member of.
`server.user.email`	keyword	Extended	User email address.
`server.user.full_name`	keyword	Extended	User's full name, if available.
`server.user.full_name.text`	match_only_text	Extended	User's full name, if available.
`server.user.group.domain`	keyword	Extended	Name of the directory the group is a member of.
`server.user.group.id`	keyword	Extended	Unique identifier for the group on the system/platform.
`server.user.group.name`	keyword	Extended	Name of the group.
`server.user.hash`	keyword	Extended	Unique user hash to correlate information for a user in anonymized form.
`server.user.id`	keyword	Core	Unique identifier of the user.
`server.user.name`	keyword	Core	Short name or login of the user.
`server.user.name.text`	match_only_text	Core	Short name or login of the user.
`server.user.roles`	keyword	Extended	Array of user roles at the time of the event.

Field Details

`server.address`

Type: keyword

Level: Extended

Description: Server network address.

Indexed: true

`server.as.number`

Type: long

Level: Extended

Description: Unique number allocated to the autonomous system.

Example: 15169

Indexed: true

`server.as.organization.name`

Type: keyword

Level: Extended

Description: Organization name.

Example: Google LLC

Indexed: true

`server.as.organization.name.text`

Type: match_only_text

Level: Extended

Description: Organization name.

Example: Google LLC

Indexed: true

`server.bytes`

Type: long

Level: Core

Description: Bytes sent from the server to the client.

Example: 184

Indexed: true

`server.domain`

Type: keyword

Level: Core

Description: The domain name of the server.

Example: foo.example.com

Indexed: true

`server.geo.city_name`

Type: keyword

Level: Core

Description: City name.

Example: Montreal

Indexed: true

`server.geo.continent_code`

Type: keyword

Level: Core

Description: Continent code.

Example: NA

Indexed: true

`server.geo.continent_name`

Type: keyword

Level: Core

Description: Name of the continent.

Example: North America

Indexed: true

`server.geo.country_iso_code`

Type: keyword

Level: Core

Description: Country ISO code.

Example: CA

Indexed: true

`server.geo.country_name`

Type: keyword

Level: Core

Description: Country name.

Example: Canada

Indexed: true

`server.geo.location`

Type: geo_point

Level: Core

Description: Longitude and latitude.

Example: { "lon": -73.614830, "lat": 45.505918 }

Indexed: true

`server.geo.name`

Type: keyword

Level: Extended

Description: User-defined description of a location.

Example: boston-dc

Indexed: true

`server.geo.postal_code`

Type: keyword

Level: Core

Description: Postal code.

Example: 94040

Indexed: true

`server.geo.region_iso_code`

Type: keyword

Level: Core

Description: Region ISO code.

Example: CA-QC

Indexed: true

`server.geo.region_name`

Type: keyword

Level: Core

Description: Region name.

Example: Quebec

Indexed: true

`server.geo.timezone`

Type: keyword

Level: Core

Description: Time zone.

Example: America/Argentina/Buenos_Aires

Indexed: true

`server.ip`

Type: ip

Level: Core

Description: IP address of the server.

Indexed: true

`server.mac`

Type: keyword

Level: Core

Description: MAC address of the server.

Example: 00-00-5E-00-53-23

Indexed: true

`server.nat.ip`

Type: ip

Level: Extended

Description: Server NAT ip

Indexed: true

`server.nat.port`

Type: long

Level: Extended

Description: Server NAT port

Indexed: true

`server.packets`

Type: long

Level: Core

Description: Packets sent from the server to the client.

Example: 12

Indexed: true

`server.port`

Type: long

Level: Core

Description: Port of the server.

Indexed: true

`server.registered_domain`

Type: keyword

Level: Extended

Description: The highest registered server domain, stripped of the subdomain.

Example: example.com

Indexed: true

`server.subdomain`

Type: keyword

Level: Extended

Description: The subdomain of the domain.

Example: east

Indexed: true

`server.top_level_domain`

Type: keyword

Level: Extended

Description: The effective top level domain (com, org, net, co.uk).

Example: co.uk

Indexed: true

`server.user.domain`

Type: keyword

Level: Extended

Description: Name of the directory the user is a member of.

Indexed: true

`server.user.email`

Type: keyword

Level: Extended

Description: User email address.

Indexed: true

`server.user.full_name`

Type: keyword

Level: Extended

Description: User's full name, if available.

Example: Albert Einstein

Indexed: true

`server.user.full_name.text`

Type: match_only_text

Level: Extended

Description: User's full name, if available.

Example: Albert Einstein

Indexed: true

`server.user.group.domain`

Type: keyword

Level: Extended

Description: Name of the directory the group is a member of.

Indexed: true

`server.user.group.id`

Type: keyword

Level: Extended

Description: Unique identifier for the group on the system/platform.

Indexed: true

`server.user.group.name`

Type: keyword

Level: Extended

Description: Name of the group.

Indexed: true

`server.user.hash`

Type: keyword

Level: Extended

Description: Unique user hash to correlate information for a user in anonymized form.

Indexed: true

`server.user.id`

Type: keyword

Level: Core

Description: Unique identifier of the user.

Example: S-1-5-21-202424912787-2692429404-2351956786-1000

Indexed: true

`server.user.name`

Type: keyword

Level: Core

Description: Short name or login of the user.

Example: a.einstein

Indexed: true

`server.user.name.text`

Type: match_only_text

Level: Core

Description: Short name or login of the user.

Example: a.einstein

Indexed: true

`server.user.roles`

Type: keyword

Level: Extended

Description: Array of user roles at the time of the event.

Example: ["kibana_admin", "reporting_user"]

Normalization: array

Indexed: true

Rule Service