Representing web server access logs in ECS.
This use case uses the previous definitions of the `http` and `user_agent` field sets, which were taken out of ECS temporarily for Beta1. Their official definition in ECS is expected to change slightly. Using the fields as represented here is not expected to conflict with ECS, but may require a transition when they are re-introduced officially.
Field | Description | Level | Type | Example |
---|---|---|---|---|
@timestamp | Time at which the response was sent, and the web server log created. | core | date | 2016-05-23T08:05:34.853Z |
http.* | Fields related to HTTP requests and responses. | | | |
http.request.method | HTTP request method. | extended | keyword | GET, POST, PUT |
http.request.referrer | Referrer for this HTTP request. | extended | keyword | https://blog.example.com/ |
http.response.status_code | HTTP response status code. | extended | long | 404 |
http.response.body.content | The full HTTP response body. | extended | keyword | Hello world |
http.version | HTTP version. | extended | keyword | 1.1 |
user_agent.* | The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string. | | | |
user_agent.original | Unparsed version of the user_agent. | extended | keyword | Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 |
user_agent.device | Name of the physical device. | (use case) | keyword | |
user_agent.version | Version of the physical device. | extended | keyword | 12.0 |
user_agent.major | Major version of the user agent. | (use case) | long | |
user_agent.minor | Minor version of the user agent. | (use case) | long | |
user_agent.patch | Patch version of the user agent. | (use case) | keyword | |
user_agent.name | Name of the user agent. | extended | keyword | Chrome |
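As an added example (not part of the ECS documentation or any Beats module), the following Python turns one constructed Apache combined-format access log line into a document keyed by the fields above. The user-agent parsing is a deliberately small heuristic that covers the Safari "Version/x.y" convention and "Name/x.y.z" tokens; a real pipeline would use a proper UA parser, and `http.response.body.content` is omitted because access logs do not carry the body.

```python
import re
from datetime import datetime, timezone

# Constructed Apache "combined" log line, reusing the user agent string from the table above.
SAMPLE_LINE = (
    '203.0.113.5 - - [23/May/2016:08:05:34 +0000] "GET /index.html HTTP/1.1" 404 512 '
    '"https://blog.example.com/" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) '
    'AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1"'
)

COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_user_agent(ua):
    """Minimal heuristic (assumption, not a full UA parser) filling the user_agent.* fields."""
    fields = {"original": ua}
    m = re.search(r"Version/([\d.]+).*Safari/", ua)  # Safari puts its version in "Version/x.y"
    if m:
        name, version = "Safari", m.group(1)
    else:
        m = re.search(r"(Chrome|Firefox)/([\d.]+)", ua)
        if not m:
            return fields  # unknown agent: keep only the raw string
        name, version = m.group(1), m.group(2)
    parts = version.split(".")
    fields.update({"name": name, "version": version, "major": int(parts[0])})
    if len(parts) > 1:
        fields["minor"] = int(parts[1])
    if len(parts) > 2:
        fields["patch"] = parts[2]  # keyword in the table, so kept as a string
    return fields


def to_ecs(line):
    """Map one combined-format line onto the @timestamp, http.* and user_agent.* fields."""
    m = COMBINED_RE.match(line)
    if not m:
        raise ValueError("line does not match the combined log format")
    # Apache timestamps have second precision, so the millisecond part is always .000.
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    doc = {
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "http": {
            "request": {"method": m.group("method")},
            "response": {"status_code": int(m.group("status"))},  # long, hence int
            "version": m.group("version"),
        },
        "user_agent": parse_user_agent(m.group("ua")),
    }
    if m.group("referrer") not in ("", "-"):  # "-" means no Referer header was sent
        doc["http"]["request"]["referrer"] = m.group("referrer")
    return doc
```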