Observer
Fields describing an entity observing the event from outside the host.
Fields
Field Summary
| Field | Type | Level | Description |
|---|---|---|---|
| observer.egress | object | Extended | Object field for egress information |
| observer.egress.interface.alias | keyword | Extended | Interface alias |
| observer.egress.interface.id | keyword | Extended | Interface ID |
| observer.egress.interface.name | keyword | Extended | Interface name |
| observer.egress.vlan.id | keyword | Extended | VLAN ID as reported by the observer. |
| observer.egress.vlan.name | keyword | Extended | Optional VLAN name as reported by the observer. |
| observer.egress.zone | keyword | Extended | Observer egress zone |
| observer.geo.city_name | keyword | Core | City name. |
| observer.geo.continent_code | keyword | Core | Continent code. |
| observer.geo.continent_name | keyword | Core | Name of the continent. |
| observer.geo.country_iso_code | keyword | Core | Country ISO code. |
| observer.geo.country_name | keyword | Core | Country name. |
| observer.geo.location | geo_point | Core | Longitude and latitude. |
| observer.geo.name | keyword | Extended | User-defined description of a location. |
| observer.geo.postal_code | keyword | Core | Postal code. |
| observer.geo.region_iso_code | keyword | Core | Region ISO code. |
| observer.geo.region_name | keyword | Core | Region name. |
| observer.geo.timezone | keyword | Core | Time zone. |
| observer.hostname | keyword | Core | Hostname of the observer. |
| observer.ingress | object | Extended | Object field for ingress information |
| observer.ingress.interface.alias | keyword | Extended | Interface alias |
| observer.ingress.interface.id | keyword | Extended | Interface ID |
| observer.ingress.interface.name | keyword | Extended | Interface name |
| observer.ingress.vlan.id | keyword | Extended | VLAN ID as reported by the observer. |
| observer.ingress.vlan.name | keyword | Extended | Optional VLAN name as reported by the observer. |
| observer.ingress.zone | keyword | Extended | Observer ingress zone |
| observer.ip | ip | Core | IP addresses of the observer. |
| observer.mac | keyword | Core | MAC addresses of the observer. |
| observer.name | keyword | Extended | Custom name of the observer. |
| observer.os.family | keyword | Extended | OS family (such as redhat, debian, freebsd, windows). |
| observer.os.full | keyword | Extended | Operating system name, including the version or code name. |
| observer.os.full.text | match_only_text | Extended | Operating system name, including the version or code name. |
| observer.os.kernel | keyword | Extended | Operating system kernel version as a raw string. |
| observer.os.name | keyword | Extended | Operating system name, without the version. |
| observer.os.name.text | match_only_text | Extended | Operating system name, without the version. |
| observer.os.platform | keyword | Extended | Operating system platform (such as centos, ubuntu, windows). |
| observer.os.type | keyword | Extended | Which commercial OS family (one of: linux, macos, unix, windows, ios or android). |
| observer.os.version | keyword | Extended | Operating system version as a raw string. |
| observer.product | keyword | Extended | The product name of the observer. |
| observer.serial_number | keyword | Extended | Observer serial number. |
| observer.type | keyword | Core | The type of the observer the data is coming from. |
| observer.vendor | keyword | Core | Vendor name of the observer. |
| observer.version | keyword | Core | Observer version. |
Field Details
observer.egress
Type: object
Level: Extended
Description: Object field for egress information
Indexed: true
observer.egress.interface.alias
Type: keyword
Level: Extended
Description: Interface alias
Example: outside
Indexed: true
observer.egress.interface.id
Type: keyword
Level: Extended
Description: Interface ID
Example: 10
Indexed: true
observer.egress.interface.name
Type: keyword
Level: Extended
Description: Interface name
Example: eth0
Indexed: true
observer.egress.vlan.id
Type: keyword
Level: Extended
Description: VLAN ID as reported by the observer.
Example: 10
Indexed: true
observer.egress.vlan.name
Type: keyword
Level: Extended
Description: Optional VLAN name as reported by the observer.
Example: outside
Indexed: true
observer.egress.zone
Type: keyword
Level: Extended
Description: Observer egress zone
Example: Public_Internet
Indexed: true
observer.geo.city_name
Type: keyword
Level: Core
Description: City name.
Example: Montreal
Indexed: true
observer.geo.continent_code
Type: keyword
Level: Core
Description: Continent code.
Example: NA
Indexed: true
observer.geo.continent_name
Type: keyword
Level: Core
Description: Name of the continent.
Example: North America
Indexed: true
observer.geo.country_iso_code
Type: keyword
Level: Core
Description: Country ISO code.
Example: CA
Indexed: true
observer.geo.country_name
Type: keyword
Level: Core
Description: Country name.
Example: Canada
Indexed: true
observer.geo.location
Type: geo_point
Level: Core
Description: Longitude and latitude.
Example: { "lon": -73.614830, "lat": 45.505918 }
Indexed: true
observer.geo.name
Type: keyword
Level: Extended
Description: User-defined description of a location.
Example: boston-dc
Indexed: true
observer.geo.postal_code
Type: keyword
Level: Core
Description: Postal code.
Example: 94040
Indexed: true
observer.geo.region_iso_code
Type: keyword
Level: Core
Description: Region ISO code.
Example: CA-QC
Indexed: true
observer.geo.region_name
Type: keyword
Level: Core
Description: Region name.
Example: Quebec
Indexed: true
observer.geo.timezone
Type: keyword
Level: Core
Description: Time zone.
Example: America/Argentina/Buenos_Aires
Indexed: true
observer.hostname
Type: keyword
Level: Core
Description: Hostname of the observer.
Indexed: true
observer.ingress
Type: object
Level: Extended
Description: Object field for ingress information
Indexed: true
observer.ingress.interface.alias
Type: keyword
Level: Extended
Description: Interface alias
Example: outside
Indexed: true
observer.ingress.interface.id
Type: keyword
Level: Extended
Description: Interface ID
Example: 10
Indexed: true
observer.ingress.interface.name
Type: keyword
Level: Extended
Description: Interface name
Example: eth0
Indexed: true
observer.ingress.vlan.id
Type: keyword
Level: Extended
Description: VLAN ID as reported by the observer.
Example: 10
Indexed: true
observer.ingress.vlan.name
Type: keyword
Level: Extended
Description: Optional VLAN name as reported by the observer.
Example: outside
Indexed: true
observer.ingress.zone
Type: keyword
Level: Extended
Description: Observer ingress zone
Example: DMZ
Indexed: true
observer.ip
Type: ip
Level: Core
Description: IP addresses of the observer.
Normalization: array
Indexed: true
observer.mac
Type: keyword
Level: Core
Description: MAC addresses of the observer.
Example: ["00-00-5E-00-53-23", "00-00-5E-00-53-24"]
Normalization: array
Indexed: true
observer.name
Type: keyword
Level: Extended
Description: Custom name of the observer.
Example: 1_proxySG
Indexed: true
observer.os.family
Type: keyword
Level: Extended
Description: OS family (such as redhat, debian, freebsd, windows).
Example: debian
Indexed: true
observer.os.full
Type: keyword
Level: Extended
Description: Operating system name, including the version or code name.
Example: Mac OS Mojave
Indexed: true
observer.os.full.text
Type: match_only_text
Level: Extended
Description: Operating system name, including the version or code name.
Example: Mac OS Mojave
Indexed: true
observer.os.kernel
Type: keyword
Level: Extended
Description: Operating system kernel version as a raw string.
Example: 4.4.0-112-generic
Indexed: true
observer.os.name
Type: keyword
Level: Extended
Description: Operating system name, without the version.
Example: Mac OS X
Indexed: true
observer.os.name.text
Type: match_only_text
Level: Extended
Description: Operating system name, without the version.
Example: Mac OS X
Indexed: true
observer.os.platform
Type: keyword
Level: Extended
Description: Operating system platform (such as centos, ubuntu, windows).
Example: darwin
Indexed: true
observer.os.type
Type: keyword
Level: Extended
Description: Which commercial OS family (one of: linux, macos, unix, windows, ios or android).
Example: macos
Indexed: true
observer.os.version
Type: keyword
Level: Extended
Description: Operating system version as a raw string.
Example: 10.14.1
Indexed: true
observer.product
Type: keyword
Level: Extended
Description: The product name of the observer.
Example: s200
Indexed: true
observer.serial_number
Type: keyword
Level: Extended
Description: Observer serial number.
Indexed: true
observer.type
Type: keyword
Level: Core
Description: The type of the observer the data is coming from.
Example: firewall
Indexed: true
observer.vendor
Type: keyword
Level: Core
Description: Vendor name of the observer.
Example: Symantec
Indexed: true
observer.version
Type: keyword
Level: Core
Description: Observer version.
Indexed: true