An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, web proxies, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.
Constants
- OBSERVER_EGRESS - Observer.egress holds information like interface number and name, vlan, and zone information to classify egress traffic. Single-armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
- OBSERVER_EGRESS_INTERFACE_ALIAS - Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
- OBSERVER_EGRESS_INTERFACE_ID - Interface ID as reported by an observer (typically SNMP interface ID).
- OBSERVER_EGRESS_INTERFACE_NAME - Interface name as reported by the system.
- OBSERVER_EGRESS_VLAN_ID - VLAN ID as reported by the observer.
- OBSERVER_EGRESS_VLAN_NAME - Optional VLAN name as reported by the observer.
- OBSERVER_EGRESS_ZONE - Network zone of outbound traffic as reported by the observer to categorize the destination area of egress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
- OBSERVER_GEO_CITY_NAME - City name.
- OBSERVER_GEO_CONTINENT_CODE - Two-letter code representing the continent’s name.
- OBSERVER_GEO_CONTINENT_NAME - Name of the continent.
- OBSERVER_GEO_COUNTRY_ISO_CODE - Country ISO code.
- OBSERVER_GEO_COUNTRY_NAME - Country name.
- OBSERVER_GEO_LOCATION - Longitude and latitude.
- OBSERVER_GEO_NAME - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, or city names. Not typically used in automated geolocation.
- OBSERVER_GEO_POSTAL_CODE - Postal code associated with the location. Values appropriate for this field may also be known as a postcode or ZIP code and will vary widely from country to country.
- OBSERVER_GEO_REGION_ISO_CODE - Region ISO code.
- OBSERVER_GEO_REGION_NAME - Region name.
- OBSERVER_GEO_TIMEZONE - The time zone of the location, such as an IANA time zone name.
- OBSERVER_HOSTNAME - Hostname of the observer.
- OBSERVER_INGRESS - Observer.ingress holds information like interface number and name, vlan, and zone information to classify ingress traffic. Single-armed monitoring such as a network sensor on a span port should only use observer.ingress to categorize traffic.
- OBSERVER_INGRESS_INTERFACE_ALIAS - Interface alias as reported by the system, typically used in firewall implementations for e.g. inside, outside, or dmz logical interface naming.
- OBSERVER_INGRESS_INTERFACE_ID - Interface ID as reported by an observer (typically SNMP interface ID).
- OBSERVER_INGRESS_INTERFACE_NAME - Interface name as reported by the system.
- OBSERVER_INGRESS_VLAN_ID - VLAN ID as reported by the observer.
- OBSERVER_INGRESS_VLAN_NAME - Optional VLAN name as reported by the observer.
- OBSERVER_INGRESS_ZONE - Network zone of incoming traffic as reported by the observer to categorize the source area of ingress traffic, e.g. Internal, External, DMZ, HR, Legal, etc.
- OBSERVER_IP - IP addresses of the observer.
- OBSERVER_MAC - MAC addresses of the observer. The notation format from RFC 7042 is suggested: each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen.
- OBSERVER_NAME - Custom name of the observer. This is a name that can be given to an observer. This can be helpful for example if multiple firewalls of the same model are used in an organization. If no custom name is needed, the field can be left empty.
- OBSERVER_OS_FAMILY - OS family (such as redhat, debian, freebsd, windows).
- OBSERVER_OS_FULL - Operating system name, including the version or code name.
- OBSERVER_OS_KERNEL - Operating system kernel version as a raw string.
- OBSERVER_OS_NAME - Operating system name, without the version.
- OBSERVER_OS_PLATFORM - Operating system platform (such as centos, ubuntu, windows).
- OBSERVER_OS_TYPE - Use the os.type field to categorize the operating system into one of the broad commercial families. If the OS you’re dealing with is not listed as an expected value, the field should not be populated. Please let us know by opening an issue with ECS to propose its addition.
- OBSERVER_OS_VERSION - Operating system version as a raw string.
- OBSERVER_PRODUCT - The product name of the observer.
- OBSERVER_SERIAL_NUMBER - Observer serial number.
- OBSERVER_TYPE - The type of the observer the data is coming from. There is no predefined list of observer types. Some examples are forwarder, firewall, ids, ips, proxy, poller, sensor, APM server.
- OBSERVER_VENDOR - Vendor name of the observer.
- OBSERVER_VERSION - Observer version.
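As an added example that is not part of this crate or of ECS itself, the following Rust program builds the observer.* portion of an event using only the standard library. The OBSERVER_* constants are assumed here to resolve to the ECS dotted field names and are written out as plain string constants; the hostnames, interfaces and MAC addresses are constructed sample data. The program normalizes MAC addresses to the RFC 7042 notation suggested for OBSERVER_MAC (uppercase hex pairs joined by hyphens) and enforces the rule stated under OBSERVER_EGRESS and OBSERVER_INGRESS that a single-armed sensor on a span port populates observer.ingress only.

```rust
use std::collections::BTreeMap;

// Assumed: ECS dotted field names as plain constants so this runs with std only.
const OBSERVER_TYPE: &str = "observer.type";
const OBSERVER_HOSTNAME: &str = "observer.hostname";
const OBSERVER_MAC: &str = "observer.mac";
const OBSERVER_INGRESS_INTERFACE_NAME: &str = "observer.ingress.interface.name";
const OBSERVER_INGRESS_ZONE: &str = "observer.ingress.zone";
const OBSERVER_EGRESS_INTERFACE_NAME: &str = "observer.egress.interface.name";
const OBSERVER_EGRESS_ZONE: &str = "observer.egress.zone";

/// Keyword fields hold one string; observer.mac (like observer.ip) is an array.
#[derive(Debug, Clone, PartialEq)]
enum Value {
    Str(String),
    List(Vec<String>),
}

/// Inline devices (firewall, proxy) see both sides of a flow. A single-armed
/// sensor on a SPAN/mirror port has no egress side, so only ingress applies.
#[derive(Debug, Clone, Copy, PartialEq)]
enum Deployment {
    Inline,
    SingleArmed,
}

/// Interface name and zone as reported by the device.
struct Interface<'a> {
    name: &'a str,
    zone: &'a str,
}

/// Normalise a MAC to the RFC 7042 form ECS suggests: two uppercase hex digits
/// per octet, hyphen separated. Accepts ':' or '-' separators, Cisco dotted
/// groups, or bare hex; rejects anything that is not a 48-bit address.
fn normalize_mac(raw: &str) -> Option<String> {
    if raw.chars().any(|c| !(c.is_ascii_hexdigit() || matches!(c, ':' | '-' | '.'))) {
        return None;
    }
    let hex: Vec<u8> = raw.bytes().filter(|b| b.is_ascii_hexdigit()).collect();
    if hex.len() != 12 {
        return None;
    }
    let octets: Vec<String> = hex
        .chunks(2)
        .map(|pair| String::from_utf8_lossy(pair).to_ascii_uppercase())
        .collect();
    Some(octets.join("-"))
}

/// Build the observer.* fields of an event. Fails on a malformed MAC and
/// refuses egress fields for a single-armed sensor.
fn observer_fields(
    observer_type: &str,
    hostname: &str,
    macs: &[&str],
    deployment: Deployment,
    ingress: &Interface,
    egress: Option<&Interface>,
) -> Result<BTreeMap<&'static str, Value>, String> {
    let mut doc = BTreeMap::new();
    doc.insert(OBSERVER_TYPE, Value::Str(observer_type.to_string()));
    doc.insert(OBSERVER_HOSTNAME, Value::Str(hostname.to_string()));

    let mut normalized = Vec::with_capacity(macs.len());
    for raw in macs {
        normalized.push(normalize_mac(raw).ok_or_else(|| format!("invalid MAC address: {raw}"))?);
    }
    if !normalized.is_empty() {
        doc.insert(OBSERVER_MAC, Value::List(normalized));
    }

    doc.insert(OBSERVER_INGRESS_INTERFACE_NAME, Value::Str(ingress.name.to_string()));
    doc.insert(OBSERVER_INGRESS_ZONE, Value::Str(ingress.zone.to_string()));

    match (deployment, egress) {
        (Deployment::SingleArmed, Some(_)) => {
            return Err("single-armed sensor: classify traffic with observer.ingress only".to_string());
        }
        (Deployment::Inline, Some(e)) => {
            doc.insert(OBSERVER_EGRESS_INTERFACE_NAME, Value::Str(e.name.to_string()));
            doc.insert(OBSERVER_EGRESS_ZONE, Value::Str(e.zone.to_string()));
        }
        (_, None) => {}
    }
    Ok(doc)
}

fn main() {
    // Constructed sample: an inline firewall passing traffic from the DMZ outward.
    let fw = observer_fields(
        "firewall", "fw-edge-01", &["00:1a:2b:3c:4d:5e"], Deployment::Inline,
        &Interface { name: "eth1", zone: "DMZ" },
        Some(&Interface { name: "eth0", zone: "External" }),
    )
    .expect("valid firewall observer");
    for (field, value) in &fw {
        println!("{field} = {value:?}");
    }
    // Constructed sample: a SPAN-port sensor given an egress side is rejected.
    let sensor = observer_fields(
        "sensor", "ids-span-01", &["001a.2b3c.4d5e"], Deployment::SingleArmed,
        &Interface { name: "eth2", zone: "Internal" },
        Some(&Interface { name: "eth3", zone: "External" }),
    );
    println!("{sensor:?}");
}
```

Keeping the field names as constants rather than string literals at every call site is what makes a typo in a dotted path a compile error instead of a field that silently never matches a detection rule.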