The taxonomy of structured events is based on the ECS specification. This taxonomy defines the set of fields available to hold the values produced by parsers.

- When a raw event contains a datetime, parse it with a `date` stage and store the result in the field `@timestamp`.
- Define `event.category`, `event.type` and `event.kind` according to the ECS event categorization fields.
- Define `event.category` and `event.type` as arrays.
- Where possible, define `event.dataset`.
- Where possible, define observer information in `observer.*`.
- For events collected from cloud services, provide cloud information in `cloud.*` (the cloud account id must land in `cloud.account.id`).
- The name of an action must be hosted in `event.action`.
- The reason for the event must be hosted in `event.reason`.
- Error codes and error messages must land in `error.code` and `error.message`.
- `email.to.address`, `email.from.address` and `email.cc.address` are arrays.
- As documented in the ECS specification, `host.hostname` must contain the hostname as returned by the `hostname` command on the host; `host.name` is more permissive.
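The following Python snippet is an added example, not code from the parser framework or from any existing format: it maps a constructed raw record (the field names `eventTime`, `eventName`, `errorCode`, `errorMessage`, `recipientAccountId` and `reason` are made up) onto the ECS fields listed above, parsing the datetime into `@timestamp`, and then lints the result for the conventions that are easy to get wrong, such as scalar values where an array is required. The dataset name `example.dataset` is an assumption.

```python
"""Normalise a constructed raw event into ECS-shaped fields and lint it
against the conventions listed above. Added example, not framework code."""
from datetime import datetime, timezone

# Constructed raw event; the key names are invented for this example.
RAW_EVENT = {
    "eventTime": "2023-04-12T09:15:42Z",
    "eventName": "ConsoleLogin",
    "errorCode": "AccessDenied",
    "errorMessage": "User is not authorized to perform this action",
    "recipientAccountId": "123456789012",
    "reason": "MFA challenge failed",
}

# Fields that the taxonomy requires to be arrays even when holding one value.
ARRAY_FIELDS = (
    "event.category",
    "event.type",
    "email.to.address",
    "email.from.address",
    "email.cc.address",
)


def parse_timestamp(value: str) -> str:
    """Parse the raw UTC datetime and return it as an RFC 3339 string for @timestamp."""
    dt = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.isoformat().replace("+00:00", "Z")


def normalise(raw: dict) -> dict:
    """Map the raw record onto ECS fields following the rules of this page."""
    return {
        "@timestamp": parse_timestamp(raw["eventTime"]),
        "event.kind": "event",
        "event.category": ["authentication"],  # array, not a scalar
        "event.type": ["start"],               # array, not a scalar
        "event.dataset": "example.dataset",    # assumed dataset name
        "event.action": raw["eventName"],      # name of the action
        "event.reason": raw["reason"],         # reason of the event
        "error.code": raw["errorCode"],
        "error.message": raw["errorMessage"],
        "cloud.account.id": raw["recipientAccountId"],  # not cloud.account_id
    }


def lint(event: dict) -> list:
    """Return the convention violations found in an ECS-shaped (dot-notation) event."""
    problems = []
    ts = event.get("@timestamp")
    if ts is None:
        problems.append("@timestamp missing")
    else:
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            problems.append("@timestamp is not a parsed datetime")
    for name in ARRAY_FIELDS:
        if name in event and not isinstance(event[name], list):
            problems.append(f"{name} must be an array")
    for name in ("event.kind", "event.category", "event.type"):
        if name not in event:
            problems.append(f"{name} missing")
    if "cloud.account_id" in event:
        problems.append("cloud account id must land in cloud.account.id")
    if any(k.startswith("cloud.") for k in event) and "cloud.account.id" not in event:
        problems.append("cloud.* present but cloud.account.id missing")
    return problems


if __name__ == "__main__":
    ecs_event = normalise(RAW_EVENT)
    print(ecs_event)
    print("violations:", lint(ecs_event))
```

Running the module prints the normalised event and an empty violation list; replacing `["authentication"]` by the bare string `"authentication"` makes `lint` report that `event.category` must be an array, which is the most common mistake when porting a scalar-valued source field.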
When a valuable piece of information is present in the raw event and no ECS field is suitable to host it, a custom field may be defined.

The custom taxonomy is defined in the file `_meta/fields.yml`. The document is written in the YAML format (YAML is a superset of JSON, so JSON syntax is also accepted).

A custom field consists of three elements:

- `name`: the name of the field. It corresponds to the path (dot notation) of the field in the structured event. We recommend prefixing the field with the vendor and the name of the product (e.g. for AWS CloudTrail, the custom taxonomy is prefixed with `aws.cloudtrail`).
- `type`: the type of the field. Available types are:
  - `keyword` for textual values
  - `boolean` for boolean values
  - `long` for integer and long values
  - `float` for floating-point values
  - `array` for lists
  - `dict` for dictionaries
- `description`: a short description to help understand the value of the field.
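As an added example (not part of the parser framework, and not an existing format's taxonomy), the snippet below loads a constructed custom taxonomy for a hypothetical `acme.widget` product, checks every definition for the three required elements, the vendor/product prefix and an allowed type, and then type-checks a structured event against the declared types. The file content is written in the JSON subset of YAML so that the standard library can read it without an extra dependency.

```python
"""Validate a custom-field taxonomy and type-check an event against it.
Added example; the 'acme.widget' fields are invented for illustration."""
import json

ALLOWED_TYPES = {"keyword", "boolean", "long", "float", "array", "dict"}

# Python classes accepted for each taxonomy type. bool is handled separately
# below because bool is a subclass of int in Python.
PY_TYPES = {
    "keyword": (str,),
    "boolean": (bool,),
    "long": (int,),
    "float": (float, int),
    "array": (list,),
    "dict": (dict,),
}

# Constructed content of _meta/fields.yml, written in JSON (valid YAML).
FIELDS_YML = """
[
  {"name": "acme.widget.request_id", "type": "keyword",
   "description": "Identifier of the request as logged by the widget service"},
  {"name": "acme.widget.retries", "type": "long",
   "description": "Number of delivery attempts"},
  {"name": "acme.widget.tags", "type": "array",
   "description": "Labels attached by the operator"},
  {"name": "acme.widget.encrypted", "type": "boolean",
   "description": "Whether the payload was encrypted in transit"}
]
"""


def load_fields(text: str) -> list:
    """Parse the taxonomy document (JSON subset of YAML) into a list of definitions."""
    return json.loads(text)


def validate_definitions(fields: list, prefix: str) -> list:
    """Return errors for definitions missing an element, the prefix or a valid type."""
    errors = []
    for field in fields:
        name = field.get("name")
        if not name:
            errors.append("definition without a name")
            continue
        if not name.startswith(prefix + "."):
            errors.append(f"{name}: not prefixed with {prefix}")
        if field.get("type") not in ALLOWED_TYPES:
            errors.append(f"{name}: unknown type {field.get('type')!r}")
        if not field.get("description"):
            errors.append(f"{name}: missing description")
    return errors


def check_event(event: dict, fields: list) -> list:
    """Flag custom values whose Python type does not match the declared type."""
    declared = {f["name"]: f["type"] for f in fields}
    errors = []
    for key, value in event.items():
        if key not in declared:
            continue  # ECS fields are outside the custom taxonomy
        declared_type = declared[key]
        # A bool must not pass as a long/float even though bool subclasses int.
        bool_as_number = isinstance(value, bool) and declared_type in ("long", "float")
        if bool_as_number or not isinstance(value, PY_TYPES[declared_type]):
            errors.append(f"{key}: expected {declared_type}, got {type(value).__name__}")
    return errors


if __name__ == "__main__":
    definitions = load_fields(FIELDS_YML)
    print("definition errors:", validate_definitions(definitions, "acme.widget"))
    sample = {
        "event.action": "deliver",
        "acme.widget.request_id": "r-42",
        "acme.widget.retries": 2,
        "acme.widget.tags": ["batch"],
        "acme.widget.encrypted": True,
    }
    print("event errors:", check_event(sample, definitions))
```

The same two checks are worth wiring into a format's test suite: a definition that drifts from the `vendor.product` prefix or uses a type outside the six allowed ones is caught before the taxonomy is published, and a parser that starts emitting `"2"` where `long` was declared is caught before it reaches indexing.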
For a complete example of a custom taxonomy, see AWS CloudTrail.