Elastic Common Schema (ECS)

The Elastic Common Schema is an open-source specification for storing structured data in Elasticsearch. It specifies a common set of field names and data types, as well as descriptions and examples of how to use them. The aim of ECS is to provide a consistent data structure to facilitate analysis, correlation, and visualization of data from diverse sources. NXLog Agent can be configured to send logs to Elasticsearch in a format that complies with ECS. This guide provides examples of how to normalize log records collected from different sources before they are forwarded to Elasticsearch.

ECS requirements

ECS requires data to be ingested in JSON format and uses the JSON dot notation. While the schema includes hundreds of fields, it simply acts as a guideline and can be tailored according to the use case. It also permits the use of additional user-defined fields, as long as they do not conflict with ECS fields, and ideally follow the ECS guidelines. See the Elastic documentation for Guidelines and Best Practices. ECS fields are organized into three levels, namely:

Core fields

A set of fields that are common for all log sources. They are defined as ECS top-level objects.

Extended fields

Fields that apply to specific log sources, or can be interpreted differently depending on the source. They are defined as ECS top-level objects.

Custom fields

User-supplied fields that ECS does not cater for. They exist as non-ECS top-level objects.

For a complete list of defined fields and their description, refer to the ECS Field Reference.

Although ECS is flexible and it is expected that not every log record will include all fields, platforms like Elastic Security, which requires ECS-compliant data, make use of specific fields to process and display data. See the Elastic documentation for a complete Elastic Security ECS field reference. Depending on your use case, careful consideration should be given to the requirements of your platform when mapping fields to ECS.

Data enrichment

ECS core fields are common across all log sources and their aim is to facilitate searching for and identifying events. Core fields contain information on the environment where the event occurred, the log collection tool used to process it, and other metadata pertaining to the event. Such fields may be required by Elastic Security and other SIEM solutions that support ECS-compliant data, however, information to populate them is generally not part of the original log record, making data enrichment necessary. NXLog Agent can enrich log data by populating fields with user-defined values or information retrieved from the environment. For more information and examples, see the Normalizing data with NXLog Agent section in the NXLog Agent User Guide.

Below is a list of fields that are commonly required for ECS compliance.

Table 1. ECS version and agent fields
Field Type Description

ecs.version

keyword

The ECS version in use when the data was parsed.

agent.type

keyword

The type of agent that collected the event, e.g. NXLog Agent.

agent.version

keyword

The version of the agent that collected the event.

Refer to the Elastic documentation for a complete list of Agent Fields.

Table 2. Base fields
Field Type Description

@timestamp

date

The date/time when the event was generated. This is a required field.

labels

object

Key/value pairs containing event metadata.

message

text

Log message, optimized for viewing in a log viewer. This field is indexed and supports full-text search.

tags

keyword

List of keywords used to tag the event.

Refer to the Elastic documentation for more information on Base Fields.

Table 3. Host fields
Field Type Description

host.architecture

keyword

Operating system architecture.

host.os.family

keyword

Operating system family (e.g., Windows, Red Hat, Debian etc.)

host.os.kernel

keyword

Version of the operating system kernel as a raw string.

host.os.name

keyword

Operating system name, excluding the version.

host.os.platform

keyword

Operating system platform (e.g., Windows, Ubuntu, CentOS etc.)

host.os.type

keyword

Broad operating system type. Must be one of linux, macos, unix, or windows.

host.os.version

keyword

Operating system version as a raw string.

Refer to the Elastic documentation for a complete list of Host Fields.

Normalizing data with NXLog Agent

Data coming in different formats requires normalization to align events to ECS. NXLog Agent can easily assist in the normalization of data with its input and extension modules, built-in regular expressions support, or its various string manipulation functions.

To transform data, the Rewrite (xm_rewrite) module supports renaming and deleting fields, while the JSON (xm_json) module provides functionality to output data in JSON format.

Modules like the Syslog (xm_syslog) extension and the Event log for Windows 2008/Vista and later (im_msvistalog) input modules support parsing specific log formats into structured data. For data enrichment, NXLog Agent supports loading of dynamic configuration with the include_stdout general directive, as well as execution of external scripts with support for Perl, Python, Ruby, Go, and Java.

Additionally, the NXLog Agent Elasticsearch (om_elasticsearch) output module can forward logs in bulk to an Elasticsearch instance and supports dynamic indexing. The Elasticsearch and Kibana integration guide provides further details and examples.

The configuration examples below demonstrate how NXLog Agent can collect logs from different sources, as well as transform and enrich the data before it is forwarded to Elasticsearch.

Example 1. Processing events from Windows Event Log

This configuration collects events from Windows Event Log with the im_msvistalog input module. It uses the xm_rewrite extension to transform the data to comply with ECS, and the xm_json extension to convert the data to JSON format.

To enrich log records, it uses a PowerShell script that retrieves operating system information from the Windows host. The include_stdout directive is used to execute the script once on every startup of NXLog Agent and dynamically add its output to the configuration.

nxlog.conf
define NXLOGVERSION nxlog_version()
define NXLOGEDITION 'nxlog-ee'
define ECSV '1.10.0'

# Path to windows_env.cmd file for Windows enrichment.
# Modify it if required or comment the line below if not needed.
include_stdout    C:\Program Files\nxlog\conf\windows_env.cmd

<Extension json>
    Module        xm_json
    DateFormat    YYYY-MM-DDThh:mm:ss.sUTC
</Extension>

<Extension win_ecs>
    Module        xm_rewrite
    <Exec>
      $timestamp = $EventTime;
      rename_field("timestamp","@timestamp");
      if defined $UtcTime ${event.time.utc} = $UtcTime;

      ${ecs.version} = %ECSV%;
      ${tags} = '["testing","'+$Hostname+'"]';
      ${agent.hostname} = $Hostname;
      ${agent.name} = $Hostname;
      ${agent.type} = %NXLOGEDITION%;
      ${agent.version} = %NXLOGVERSION%;
      ${nxlog.version} = %NXLOGVERSION%;

      ${host.architecture} = '%ARCHITECTURE%';
      ${host.ip} = host_ip();
      ${host.name} = $Hostname;
      ${host.os.build} = '%HOSTVER%';
      ${host.os.family} = '%FAMILY%';
      ${host.os.name} = '%OSNAME%';
      ${host.os.kernel} = '%WINBUILD%';
      ${host.os.platform} = '%PLATFORM%';
      ${host.os.type} = lc('%HOSTTYPE%');

      ${event.action} = $Category;
      ${event.original} = $raw_event;
      ${event.time.original} = $EventTime;
      ${event.time.received} = $EventReceivedTime;
      ${winlog.api} = 'wineventlog';
      ${winlog.computer_name} = $Hostname;

      if defined $Description
      {
        ${process.pe.description} = $Description;
        ${winlog.event_data.Description} = $Description;
      }

      # Regular Expressions to capture data from events
      if $Image =~ /\\(.*)\\(.*)/ ${process.name} = $2;
      if $Data =~ /[0-9]{1,4}-[0-9]{1,2}-[0-9]{1,2}T[0-9]{1,2}:[0-9]{1,2}:[0-9]{1,2}Z/
      {
        rename_field("data","windows.application.timestamp");
      }

      if $User =~ /(.*)\\(.*)/
      {
        ${user.domain} = $1;
        ${user.name} = $2;
        ${related.user} = $2;
      }
      if $Hashes =~ /(SHA256)=(.*)/ ${hash.sha256} = $2;

      # For Windows PowerShell
      if $Channel == "Windows PowerShell"
      {
        if $Data_2 =~ /NewEngineState=(.*)/ ${powershell.engine.new_state} = $1;
        if $Data_2 =~ /PreviousEngineState=(.*)/ ${powershell.engine.previous_state} = $1;
        if $Data_2 =~ /SequenceNumber=(.*)/ ${event.sequence} = $1;
        if $Data_2 =~ /HostName=(.*)/ ${process.title} = $1;
        if $Data_2 =~ /HostVersion=(.*)/ ${powershell.executable.version} = $1;
        if $Data_2 =~ /HostId=(.*)/ ${process.entity_id} = $1;
        if $Data_2 =~ /HostApplication=(.*)/ ${process.args} = $1;
        if $Data_2 =~ /HostApplication=(.*)/ ${process.command_line} = $1;
        if $Data_2 =~ /EngineVersion=(.*)/ ${powershell.engine.version} = $1;
        if $Data_2 =~ /RunspaceId=(.*)/ ${powershell.runspace_id} = $1;
      }
    </Exec>

    # Renamed Fields
    Rename        Version, winlog.version
    Rename        SourceModuleType, nxlog.module.type
    Rename        SourceModuleName, nxlog.module.name
    Rename        Message, message
    Rename        Channel, event.provider
    Rename        OpCode, log.level
    Rename        Image, process.executable
    Rename        ProcessGuid, process.entity_id
    Rename        ProcessId, process.pid
    Rename        SourceName, winlog.provider_name
    Rename        EventType, winlog.opcode
    Rename        Domain, winlog.user.name
    Rename        UserID, winlog.user.identifier
    Rename        ExecutionProcessID, winlog.process.pid
    Rename        ExecutionThreadID, winlog.process.thread
    Rename        ProviderGuid, winlog.provider_guid
    Rename        RecordNumber, winlog.record_id
    Rename        AccountType, winlog.user.type
    Rename        AccountName, winlog.user.name
    Rename        Category, winlog.task
    Rename        VirtualAccount, winlog.event_data.VirtualAccount
    Rename        TransmittedServices, winlog.event_data.TransmittedServices
    Rename        TargetUserSid, winlog.event_data.TargetUserSid
    Rename        TargetUserName, winlog.event_data.TargetUserName
    Rename        TargetOutboundUserName, winlog.event_data.TargetOutboundUserName
    Rename        TargetOutboundDomainName, winlog.event_data.TargetOutboundDomainName
    Rename        TargetLogonId, winlog.event_data.TargetLogonId
    Rename        TargetLinkedLogonId, winlog.event_data.TargetLinkedLogonId
    Rename        TargetDomainName, winlog.event_data.TargetDomainName
    Rename        SubjectUserSid, winlog.event_data.SubjectUserSid
    Rename        SubjectUserName, winlog.event_data.SubjectUserName
    Rename        SubjectLogonId, winlog.event_data.SubjectLogonId
    Rename        SubjectDomainName, winlog.event_data.SubjectDomainName
    Rename        RestrictedAdminMode, winlog.event_data.RestrictedAdminMode
    Rename        ProcessName, process.name
    Rename        LogonType, winlog.event_data.LogonType
    Rename        LogonProcessName, winlog.event_data.LogonProcessName
    Rename        LogonGuid, winlog.event_data.LogonGuid
    Rename        LmPackageName, winlog.event_data.LmPackageName
    Rename        KeyLength, winlog.event_data.KeyLength
    Rename        IpPort, winlog.event_data.IpPort
    Rename        IpAddress, winlog.event_data.IpAddress
    Rename        ImpersonationLevel, winlog.event_data.ImpersonationLevel
    Rename        ElevatedToken, winlog.event_data.ElevatedToken
    Rename        AuthenticationPackageName, winlog.event_data.AuthenticationPackageName
    Rename        ActivityID, winlog.activity_id
    Rename        AlgorithmName, winlog.event_data.AlgorithmName
    Rename        ClientCreationTime, winlog.event_data.ClientCreationTime
    Rename        ClientProcessId, winlog.event_data.ClientProcessId
    Rename        KeyName, winlog.event_data.KeyName
    Rename        KeyType, winlog.event_data.KeyType
    Rename        Operation, winlog.event_data.Operation
    Rename        ProviderName, winlog.event_data.ProviderName
    Rename        ReturnCode, winlog.event_data.ReturnCode
    Rename        OriginalFileName, process.pe.original_file_name
    Rename        ParentCommandLine, process.parent.command_line
    Rename        ParentImage, process.parent.executable
    Rename        ParentProcessGuid, process.parent.entity_id
    Rename        ParentProcessId ,process.parent.pid
    Rename        Product, process.pe.product
    Rename        TerminalSessionId, winlog.event_data.TerminalSessionId
    Rename        RuleName, winlog.event_data.RuleName
    Rename        LogonId, winlog.event_data.LogonId
    Rename        IntegrityLevel, winlog.event_data.IntegrityLevel
    Rename        FileVersion, winlog.event_data.FileVersion
    Rename        CurrentDirectory, process.working_directory
    Rename        Company, winlog.event_data.Company
    Rename        CommandLine, process.command_line
    Rename        AccountExpires, winlog.event_data.AccountExpires
    Rename        AccountName, winlog.event_data.AccountName
    Rename        ActivityId, winlog.activity_id
    Rename        AddServiceID.AddServiceStatus, winlog.user_data.AddServiceStatus
    Rename        AdvancedOptions, winlog.user_data.AdvancedOptions
    # End renamed fields

    <Exec>
      ${winlog.event_id} = $EventID;
      ${event.code} = $EventID;

      delete("EventID");
      delete("Data_1");
      delete("Data_2");
      delete("Description");
      delete("Hostname");
      delete("User");
      delete("Image");
      delete("Data");
      delete("Hashes");
    </Exec>
</Extension>

<Input win_eventlog>
    Module        im_msvistalog
    <QueryXML>
        <QueryList>
            <Query Id='0'>
                <Select Path='Application'>*</Select>
                <Select Path='Security'>*[System/Level&lt;4]</Select>
                <Select Path='System'>*</Select>
                <Select Path='Microsoft-Windows-Sysmon/Operational'>*</Select>
                <Select Path='Microsoft-Windows-PowerShell/Operational'>*</Select>
                <Select Path='Windows PowerShell'>*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    Exec          win_ecs->process(); to_json();
</Input>
windows_env.cmd
@( Set "_= (
REM " ) <#
)
@Echo Off
SetLocal EnableExtensions DisableDelayedExpansion
set powershell=powershell.exe

REM Use this if you need 64-bit PowerShell (has no effect on 32-bit systems).
REM if defined PROCESSOR_ARCHITEW6432 (
REM set powershell=%SystemRoot%\SysNative\WindowsPowerShell\v1.0\powershell.exe
REM )

REM Use this if you need 32-bit PowerShell.
REM if NOT %PROCESSOR_ARCHITECTURE% == x86 (
REM set powershell=%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
REM )

%powershell% -ExecutionPolicy Bypass -NoProfile ^
-Command "iex ((gc '%~f0') -join [char]10)"
EndLocal & Exit /B %ErrorLevel%
#>

# PowerShell code starts here.

# To make NXLog return an error, write to standard error and exit 1
if ($false) {
    [Console]::Error.WriteLine("This is an error")
    exit 1
}
else {
# Anything written to standard output is used as configuration content
        $winbuild = (Get-CimInstance Win32_OperatingSystem).Version
        $architecture = (Get-WmiObject CIM_OperatingSystem).OSArchitecture
	$versionarray = (Get-CimInstance Win32_OperatingSystem).Version.Split(".")
	$majorversion = $versionarray[0]
	$minorversion = $versionarray[1]
        if ($architecture -like "64-bit"){
                $architecture = "x86_64"
        }else{
                $architecture = "x86"
        }
        $osname = (Get-WmiObject -Class Win32_OperatingSystem).caption
        Write-Output "define ARCHITECTURE $architecture"
        Write-Output "define FAMILY windows"
        Write-Output "define HOSTTYPE windows"
        Write-Output "define PLATFORM windows"
        Write-Output "define OSNAME $osname"
        Write-Output "define WINBUILD $winbuild"
        Write-Output "define HOSTVER $majorversion.$minorversion"
}
Output sample

The following JSON shows a Windows Event Log record after it was processed by NXLog Agent.

{
  "EventTime": "2021-07-12T09:13:37.347673Z",
  "Keywords": "9259400833873739776",
  "winlog.opcode": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "winlog.provider_name": "Service Control Manager",
  "winlog.provider_guid": "{555908D1-A6D7-4695-8E1E-26931D2012F4}",
  "winlog.version": 0,
  "TaskValue": 0,
  "OpcodeValue": 0,
  "winlog.record_id": 14052,
  "winlog.process.pid": 544,
  "winlog.process.thread": 1672,
  "event.provider": "System",
  "message": "The nxlog service entered the running state.",
  "param1": "nxlog",
  "param2": "running",
  "EventData.Binary": "6E0078006C006F0067002F0034000000",
  "EventReceivedTime": "2021-07-12T09:13:38.613296Z",
  "nxlog.module.name": "win_eventlog",
  "nxlog.module.type": "im_msvistalog",
  "@timestamp": "021-07-12T09:13:38.613296Z",
  "ecs.version": "1.10.0",
  "tags": [
    "testing",
    "server02"
  ],
  "agent.hostname": "server02",
  "agent.name": "server02",
  "agent.type": "nxlog-ee",
  "agent.version": "5.3.7022",
  "nxlog.version": "5.3.7022",
  "host.architecture": "x86_64",
  "host.ip": "10.0.2.15",
  "host.name": "server02",
  "host.os.build": "10.0",
  "host.os.family": "windows",
  "host.os.name": "Microsoft Windows Server 2016 Standard",
  "host.os.kernel": "10.0.14393.693",
  "host.os.platform": "windows",
  "host.os.type": "windows",
  "event.action": null,
  "event.original": "2021-07-12 10:13:37 server02 INFO Keywords=\"9259400833873739776\" EventType=\"INFO\" SeverityValue=\"2\" EventID=\"7036\" SourceName=\"Service Control Manager\" ProviderGuid=\"{555908D1-A6D7-4695-8E1E-26931D2012F4}\" Version=\"0\" TaskValue=\"0\" OpcodeValue=\"0\" RecordNumber=\"14052\" ExecutionProcessID=\"544\" ExecutionThreadID=\"1672\" Channel=\"System\" Message=\"The nxlog service entered the running state.\" param1=\"nxlog\" param2=\"running\" EventData.Binary=\"6E0078006C006F0067002F0034000000\"",
  "event.time.original": "22021-07-12T09:13:38.613296Z",
  "event.time.received": "2021-07-12T09:13:38.613296Z",
  "winlog.api": "wineventlog",
  "winlog.computer_name": "server02",
  "winlog.event_id": 7036,
  "event.code": 7036
}
Example 2. Processing syslog messages on Linux

This configuration listens for syslog messages on UDP port 514 with the im_udp input module. It makes use of three extension modules; xm_syslog to parse log records into structured data, xm_rewrite to transform the data to comply with ECS, and xm_json to convert the data to JSON format.

To enrich log records, it uses a bash script that retrieves operating system information from the Linux host. The include_stdout directive is used to execute the script once on every startup of NXLog Agent and dynamically add its output to the configuration.

nxlog.conf
define NXLOGVERSION nxlog_version()
define NXLOGEDITION 'nxlog-ee'
define ECSV '1.10.0'

# Path to linux_env.sh file for Linux enrichment.
# Modify it if required or comment the line below if not needed.
include_stdout    /opt/nxlog/etc/linux_env.sh

<Extension json>
    Module        xm_json
    DateFormat    YYYY-MM-DDThh:mm:ss.sUTC
</Extension>

<Extension syslog>
    Module        xm_syslog
</Extension>

<Extension linux_ecs>
    Module        xm_rewrite
    Rename        SourceModuleType, nxlog.module.type
    Rename        SourceModuleName, nxlog.module.name
    Rename        Message, message
    Rename        MessageSourceAddress, host.ip
    <Exec>
      if defined $pid
      {
        ${process.pid} = $pid;
        delete($pid);
      }

      if defined $uid
      {
        ${user.id} = $uid;
        delete($uid);
      }
    </Exec>
</Extension>

<Input syslog_systems>
    Module        im_udp
    ListenAddr    0.0.0.0:514
    <Exec>
      parse_syslog();

      $timestamp = $EventReceivedTime;
      rename_field("timestamp","@timestamp");

      ${ecs.version} = %ECSV%;
      ${tags} = '["testing","'+$Hostname+'"]';

      ${agent.hostname} = $Hostname;
      ${agent.name} = $Hostname;
      ${agent.type} = %NXLOGEDITION%;
      ${agent.version} = %NXLOGVERSION%;
      ${nxlog.version} = %NXLOGVERSION%;

      ${host.architecture} = '%ARCHITECTURE%';
      ${host.name} = $Hostname;
      ${host.os.codename} = '%CODENAME%';
      ${host.os.family} = '%FAMILY%';
      ${host.os.kernel} = '%KERNEL%';
      ${host.os.name} = '%OSNAME%';
      ${host.os.platform} = '%PLATFORM%';
      ${host.os.type} = lc('%TYPE%');
      ${host.os.version} = '%OSVERSION%';

      ${event.original} = $raw_event;

      linux_ecs->process(); to_json();
    </Exec>
</Input>
linux_env.sh
#!/bin/bash

# The following list of variables are for the following
# ECS fields in order to comply with ECS enrichment
# host.architecture 	| $ARCHITECTURE
# host.os.codename 	| $CODENAME
# host.os.family 	| $FAMILY
# host.os.kernel 	| $KERNEL
# host.os.name 		| $OSNAME
# host.os.platform 	| $PLATFORM
# host.os.type 		| $TYPE
# host.os.version	| $OSVERSION

ARCHITECTURE=$(uname -m)
FAMILY=$(cat /etc/os-release | grep -oP "^ID=\K\w+")
KERNEL=$(uname -r)
PLATFORM=$(cat /etc/os-release | grep -oP "^ID=\K\w+")
TYPE=$(uname -s)
OSNAME=$(cat /etc/os-release | grep -oP '^NAME=.*' | grep -oP '"(.*)"' | sed s/\"//g)
CODENAME=$(cat /etc/os-release | grep -oP "VERSION_CODENAME=\K\w+")
OSVERSION=$(cat /etc/os-release | grep VERSION= | grep -oP '"(.*)"' | sed s/\"//g)

echo "define ARCHITECTURE $ARCHITECTURE"
echo "define FAMILY $FAMILY"
echo "define KERNEL $KERNEL"
echo "define PLATFORM $PLATFORM"
echo "define TYPE $TYPE"
echo "define OSNAME $OSNAME"
echo "define CODENAME $CODENAME"
echo "define OSVERSION $OSVERSION"
Output sample

The following JSON shows a syslog message after it was processed by NXLog Agent.

{
  "EventReceivedTime": "2021-07-12T11:26:33.192630Z",
  "nxlog.module.name": "syslog_udp",
  "nxlog.module.type": "im_file",
  "SyslogFacilityValue": 1,
  "SyslogFacility": "USER",
  "SyslogSeverityValue": 5,
  "SyslogSeverity": "NOTICE",
  "SeverityValue": 2,
  "Severity": "INFO",
  "Hostname": "server01",
  "EventTime": "2021-07-12T10:24:05.000000Z",
  "SourceName": "systemd",
  "ProcessID": 1,
  "message": "Starting NXLog daemon...",
  "@timestamp": "2021-07-12T11:26:33.192630Z",
  "ecs.version": "1.10.0",
  "tags": [
    "testing",
    "server01"
  ],
  "agent.hostname": "server01",
  "agent.name": "server01",
  "agent.type": "nxlog-ee",
  "agent.version": "5.3.7022",
  "nxlog.version": "5.3.7022",
  "host.architecture": "x86_64",
  "host.name": "server01",
  "host.os.codename": "focal",
  "host.os.family": "ubuntu",
  "host.os.kernel": "5.8.0-59-generic",
  "host.os.name": "Ubuntu",
  "host.os.platform": "ubuntu",
  "host.os.type": "linux",
  "host.os.version": "20.04.2 LTS (Focal Fossa)",
  "event.original": "Jul 12 12:24:05 server01 systemd[1]: Starting NXLog daemon..."
}
The scripts in this guide are provided "AS IS" without warranty of any kind, either expressed or implied. Use at your own risk.

Elasticsearch mapping

The following is an example mapping file for proper visualization of Windows events inside Elasticsearch. This is part of the template component portion of Elasticsearch.

elasticsearch-windows-template.json
{
  "version": 0,
  "template": {
    "settings": {
      "codec": "best_compression"
    },
    "mappings": {
      "properties": {
        "@timestamp": {
          "type": "date"
        },
        "winlog": {
          "properties": {
            "event_id": {
              "type": "keyword"
            },
            "provider_name": {
              "type": "keyword"
            },
            "opcode": {
              "type": "keyword"
            },
            "user": {
              "properties": {
                "name": {
                  "type": "keyword"
                },
                "identifier": {
                  "type": "keyword"
                },
                "type": {
                  "type": "keyword"
                },
                "domain": {
                  "type": "keyword"
                }
              }
            },
            "process": {
              "properties": {
                "pid": {
                  "type": "long"
                },
                "thread": {
                  "type": "long"
                },
                "id": {
                  "type": "keyword"
                }
              }
            },
            "provider_guid": {
              "type": "keyword"
            },
            "record_id": {
              "type": "keyword"
            },
            "task": {
              "type": "keyword"
            },
            "event_data": {
              "type": "object"
            },
            "activity_id": {
              "type": "keyword"
            },
            "computer_name": {
              "type": "keyword"
            },
            "api": {
              "type": "keyword"
            },
            "logon": {
              "properties": {
                "type": {
                  "type": "keyword"
                },
                "id": {
                  "type": "keyword"
                },
                "failure": {
                  "properties": {
                    "reason": {
                      "type": "keyword"
                    },
                    "status": {
                      "type": "keyword"
                    },
                    "sub_status": {
                      "type": "keyword"
                    }
                  }
                }
              }
            },
            "keywords": {
              "type": "keyword"
            },
            "channel": {
              "type": "keyword"
            },
            "related_activity_id": {
              "type": "keyword"
            },
            "time_created": {
              "type": "keyword"
            },
            "user_data": {
              "type": "keyword"
            },
            "version": {
              "type": "long"
            },
            "VirtualAccount": {
              "type": "keyword"
            }
          }
        },
        "powershell": {
          "properties": {
            "engine": {
              "properties": {
                "new_state": {
                  "type": "keyword"
                },
                "previous_state": {
                  "type": "keyword"
                },
                "version": {
                  "type": "keyword"
                }
              }
            },
            "executable": {
              "properties": {
                "version": {
                  "type": "keyword"
                }
              }
            },
            "runspace_id": {
              "type": "keyword"
            },
            "id": {
              "type": "keyword"
            },
            "pipeline_id": {
              "type": "keyword"
            },
            "sequence": {
              "type": "long"
            },
            "total": {
              "type": "long"
            },
            "command": {
              "properties": {
                "path": {
                  "type": "keyword"
                },
                "name": {
                  "type": "keyword"
                },
                "value": {
                  "type": "keyword"
                },
                "invocation_details": {
                  "properties": {
                    "type": {
                      "type": "keyword"
                    },
                    "related_command": {
                      "type": "keyword"
                    },
                    "name": {
                      "type": "keyword"
                    },
                    "value": {
                      "type": "text"
                    }
                  }
                }
              }
            },
            "connected_user": {
              "properties": {
                "domain": {
                  "type": "keyword"
                },
                "name": {
                  "type": "keyword"
                }
              }
            },
            "file": {
              "properties": {
                "script_block_id": {
                  "type": "keyword"
                },
                "script_block_text": {
                  "type": "text"
                }
              }
            },
            "process": {
              "properties": {
                "executable_version": {
                  "type": "keyword"
                }
              }
            },
            "provider": {
              "properties": {
                "new_state": {
                  "type": "keyword"
                },
                "name": {
                  "type": "keyword"
                }
              }
            }
          }
        },
        "event": {
          "properties": {
            "sequence": {
              "type": "long"
            },
            "time": {
              "properties": {
                "original": {
                  "type": "date"
                },
                "received": {
                  "type": "date"
                }
              }
            },
            "original": {
              "type": "keyword"
            },
            "action": {
              "type": "keyword"
            },
            "code": {
              "type": "keyword"
            }
          }
        },
        "process": {
          "properties": {
            "title": {
              "type": "keyword"
            },
            "entity_id": {
              "type": "keyword"
            },
            "args": {
              "type": "keyword"
            },
            "command_line": {
              "type": "keyword"
            },
            "name": {
              "type": "keyword"
            },
            "pe": {
              "properties": {
                "description": {
                  "type": "keyword"
                }
              }
            },
            "exe": {
              "type": "alias",
              "path": "process.executable"
            },
            "executable": {
              "type": "keyword"
            }
          }
        },
        "windows": {
          "properties": {
            "application": {
              "properties": {
                "timestamp": {
                  "type": "date"
                }
              }
            }
          }
        },
        "user": {
          "type": "keyword"
        },
        "related": {
          "properties": {
            "user": {
              "type": "keyword"
            }
          }
        },
        "hash": {
          "properties": {
            "sha256": {
              "type": "keyword"
            }
          }
        },
        "agent": {
          "properties": {
            "name": {
              "type": "keyword"
            },
            "hostname": {
              "type": "keyword"
            },
            "type": {
              "type": "keyword"
            },
            "version": {
              "type": "keyword"
            },
            "build": {
              "properties": {
                "original": {
                  "type": "keyword"
                }
              }
            },
            "ephimeral_id": {
              "type": "keyword"
            },
            "id": {
              "type": "keyword"
            }
          }
        },
        "host": {
          "properties": {
            "name": {
              "type": "keyword"
            },
            "ip": {
              "type": "ip"
            },
            "containerized": {
              "type": "boolean"
            },
            "os": {
              "properties": {
                "build": {
                  "type": "keyword"
                },
                "codename": {
                  "type": "keyword"
                }
              }
            }
          }
        },
        "nxlog": {
          "properties": {
            "version": {
              "type": "keyword"
            },
            "module": {
              "properties": {
                "name": {
                  "type": "keyword"
                },
                "type": {
                  "type": "keyword"
                }
              }
            }
          }
        },
        "ecs": {
          "properties": {
            "version": {
              "type": "keyword"
            }
          }
        },
        "tags": {
          "type": "keyword"
        },
        "labels": {
          "type": "object"
        },
        "message": {
          "type": "keyword"
        },
        "kubernetes": {
          "properties": {
            "pod": {
              "properties": {
                "name": {
                  "type": "keyword"
                },
                "uid": {
                  "type": "keyword"
                },
                "ip": {
                  "type": "ip"
                }
              }
            },
            "namespace": {
              "type": "keyword"
            },
            "node": {
              "properties": {
                "name": {
                  "type": "keyword"
                },
                "hostname": {
                  "type": "keyword"
                }
              }
            },
            "labels": {
              "properties": {
                "*": {
                  "type": "object"
                }
              }
            },
            "annotations": {
              "properties": {
                "*": {
                  "type": "object"
                }
              }
            },
            "selectors": {
              "properties": {
                "*": {
                  "type": "object"
                }
              }
            },
            "replicaset": {
              "properties": {
                "name": {
                  "type": "keyword"
                }
              }
            },
            "deployment": {
              "properties": {
                "name": {
                  "type": "keyword"
                }
              }
            },
            "statefulset": {
              "properties": {
                "name": {
                  "type": "keyword"
                }
              }
            },
            "container": {
              "properties": {
                "name": {
                  "type": "keyword"
                },
                "image": {
                  "type": "alias",
                  "path": "container.image.name"
                }
              }
            }
          }
        },
        "sysmon": {
          "properties": {
            "dns": {
              "properties": {
                "status": {
                  "type": "keyword"
                }
              }
            },
            "file": {
              "properties": {
                "archived": {
                  "type": "boolean"
                },
                "is_executable": {
                  "type": "boolean"
                }
              }
            }
          }
        },
        "container": {
          "properties": {
            "image": {
              "properties": {
                "name": {
                  "type": "keyword"
                }
              }
            }
          }
        },
        "event_id": {
          "type": "keyword"
        },
        "provider_name": {
          "type": "keyword"
        },
        "opcode": {
          "type": "keyword"
        },
        "name": {
          "type": "keyword"
        },
        "identifier": {
          "type": "keyword"
        },
        "pid": {
          "type": "long"
        },
        "thread": {
          "type": "long"
        },
        "provider_guid": {
          "type": "keyword"
        },
        "record_id": {
          "type": "keyword"
        },
        "type": {
          "type": "keyword"
        },
        "task": {
          "type": "keyword"
        },
        "event_data": {
          "type": "object"
        },
        "TransmittedServices": {
          "type": "keyword"
        },
        "TargetUserSid": {
          "type": "keyword"
        },
        "TargetUserName": {
          "type": "keyword"
        },
        "TargetOutboundUserName": {
          "type": "keyword"
        },
        "TargetOutboundDomainName": {
          "type": "keyword"
        },
        "TargetLogonId": {
          "type": "keyword"
        },
        "TargetLinkedLogonId": {
          "type": "keyword"
        },
        "TargetDomainName": {
          "type": "keyword"
        },
        "SubjectUserSid": {
          "type": "keyword"
        },
        "SubjectUserName": {
          "type": "keyword"
        },
        "SubjectLogonId": {
          "type": "keyword"
        },
        "SubjectDomainName": {
          "type": "keyword"
        },
        "RestrictedAdminMode": {
          "type": "keyword"
        },
        "LogonType": {
          "type": "keyword"
        },
        "LogonProcessName": {
          "type": "keyword"
        },
        "LogonGuid": {
          "type": "keyword"
        },
        "LmPackageName": {
          "type": "keyword"
        },
        "KeyLength": {
          "type": "keyword"
        },
        "IpPort": {
          "type": "keyword"
        },
        "IpAddress": {
          "type": "ip"
        },
        "ImpersonationLevel": {
          "type": "keyword"
        },
        "ElevatedToken": {
          "type": "keyword"
        },
        "AuthenticationPackageName": {
          "type": "keyword"
        },
        "activity_id": {
          "type": "keyword"
        },
        "AlgorithmName": {
          "type": "keyword"
        },
        "ClientCreationTime": {
          "type": "keyword"
        },
        "ClientProcessId": {
          "type": "keyword"
        },
        "KeyName": {
          "type": "keyword"
        },
        "KeyType": {
          "type": "keyword"
        },
        "Operation": {
          "type": "keyword"
        },
        "ProviderName": {
          "type": "keyword"
        },
        "ReturnCode": {
          "type": "keyword"
        },
        "TerminalSessionId": {
          "type": "keyword"
        },
        "RuleName": {
          "type": "keyword"
        },
        "LogonId": {
          "type": "keyword"
        },
        "IntegrityLevel": {
          "type": "keyword"
        },
        "FileVersion": {
          "type": "keyword"
        },
        "Company": {
          "type": "keyword"
        },
        "engine": {
          "properties": {
            "new_state": {
              "type": "keyword"
            }
          }
        },
        "previous_state": {
          "type": "keyword"
        },
        "sequence": {
          "type": "long"
        },
        "title": {
          "type": "keyword"
        },
        "executable": {
          "type": "keyword"
        },
        "entity_id": {
          "type": "keyword"
        },
        "args": {
          "type": "keyword"
        },
        "command_line": {
          "type": "keyword"
        },
        "version": {
          "type": "keyword"
        },
        "runspace_id": {
          "type": "keyword"
        },
        "application": {
          "properties": {
            "timestamp": {
              "type": "date"
            }
          }
        },
        "domain": {
          "type": "keyword"
        },
        "sha256": {
          "type": "keyword"
        },
        "time": {
          "properties": {
            "original": {
              "type": "date"
            }
          }
        },
        "received": {
          "type": "date"
        },
        "hostname": {
          "type": "keyword"
        },
        "computer_name": {
          "type": "keyword"
        },
        "api": {
          "type": "keyword"
        },
        "original": {
          "type": "keyword"
        },
        "ip": {
          "type": "ip"
        },
        "action": {
          "type": "keyword"
        },
        "pe": {
          "properties": {
            "description": {
              "type": "keyword"
            }
          }
        },
        "Description": {
          "type": "keyword"
        },
        "module": {
          "properties": {
            "name": {
              "type": "keyword"
            }
          }
        },
        "build": {
          "type": "keyword"
        },
        "ephimeral_id": {
          "type": "keyword"
        },
        "id": {
          "type": "keyword"
        },
        "containerized": {
          "type": "boolean"
        },
        "os": {
          "properties": {
            "build": {
              "type": "keyword"
            }
          }
        },
        "codename": {
          "type": "keyword"
        },
        "pod": {
          "properties": {
            "name": {
              "type": "keyword"
            }
          }
        },
        "uid": {
          "type": "keyword"
        },
        "namespace": {
          "type": "keyword"
        },
        "node": {
          "properties": {
            "name": {
              "type": "keyword"
            }
          }
        },
        "*": {
          "type": "object"
        },
        "annotations": {
          "properties": {
            "*": {
              "type": "object"
            }
          }
        },
        "selectors": {
          "properties": {
            "*": {
              "type": "object"
            }
          }
        },
        "replicaset": {
          "properties": {
            "name": {
              "type": "keyword"
            }
          }
        },
        "deployment": {
          "properties": {
            "name": {
              "type": "keyword"
            }
          }
        },
        "statefulset": {
          "properties": {
            "name": {
              "type": "keyword"
            }
          }
        },
        "image": {
          "type": "alias",
          "path": "container.image.name"
        },
        "pipeline_id": {
          "type": "keyword"
        },
        "total": {
          "type": "long"
        },
        "command": {
          "properties": {
            "path": {
              "type": "keyword"
            }
          }
        },
        "value": {
          "type": "text"
        },
        "invocation_details": {
          "properties": {
            "type": {
              "type": "keyword"
            }
          }
        },
        "related_command": {
          "type": "keyword"
        },
        "connected_user": {
          "properties": {
            "domain": {
              "type": "keyword"
            }
          }
        },
        "file": {
          "properties": {
            "script_block_id": {
              "type": "keyword"
            }
          }
        },
        "script_block_text": {
          "type": "text"
        },
        "executable_version": {
          "type": "keyword"
        },
        "provider": {
          "type": "keyword"
        },
        "exe": {
          "type": "alias",
          "path": "process.executable"
        },
        "logon": {
          "properties": {
            "type": {
              "type": "keyword"
            }
          }
        },
        "failure": {
          "properties": {
            "reason": {
              "type": "keyword"
            }
          }
        },
        "status": {
          "type": "keyword"
        },
        "sub_status": {
          "type": "keyword"
        },
        "dns": {
          "properties": {
            "status": {
              "type": "keyword"
            }
          }
        },
        "archived": {
          "type": "boolean"
        },
        "is_executable": {
          "type": "boolean"
        },
        "BitlockerUserInputTime": {
          "type": "keyword"
        },
        "BootMode": {
          "type": "keyword"
        },
        "BootType": {
          "type": "keyword"
        },
        "BuildVersion": {
          "type": "keyword"
        },
        "CorruptionActionState": {
          "type": "keyword"
        },
        "CreationUtcTime": {
          "type": "keyword"
        },
        "Detail": {
          "type": "keyword"
        },
        "DeviceName": {
          "type": "keyword"
        },
        "DeviceNameLength": {
          "type": "keyword"
        },
        "DeviceTime": {
          "type": "keyword"
        },
        "DeviceVersionMajor": {
          "type": "keyword"
        },
        "DeviceVersionMinor": {
          "type": "keyword"
        },
        "DriveName": {
          "type": "keyword"
        },
        "DriverName": {
          "type": "keyword"
        },
        "DriverNameLength": {
          "type": "keyword"
        },
        "DwordVal": {
          "type": "keyword"
        },
        "EntryCount": {
          "type": "keyword"
        },
        "ExtraInfo": {
          "type": "keyword"
        },
        "FailureName": {
          "type": "keyword"
        },
        "FailureNameLength": {
          "type": "keyword"
        },
        "FinalStatus": {
          "type": "keyword"
        },
        "Group": {
          "type": "keyword"
        },
        "IdleImplementation": {
          "type": "keyword"
        },
        "IdleStateCount": {
          "type": "keyword"
        },
        "LastBootGood": {
          "type": "keyword"
        },
        "LastShutdownGood": {
          "type": "keyword"
        },
        "MajorVersion": {
          "type": "keyword"
        },
        "MaximumPerformancePercent": {
          "type": "keyword"
        },
        "MemberName": {
          "type": "keyword"
        },
        "MemberSid": {
          "type": "keyword"
        },
        "MinimumPerformancePercent": {
          "type": "keyword"
        },
        "MinimumThrottlePercent": {
          "type": "keyword"
        },
        "MinorVersion": {
          "type": "keyword"
        },
        "NewProcessId": {
          "type": "keyword"
        },
        "NewProcessName": {
          "type": "keyword"
        },
        "NewSchemeGuid": {
          "type": "keyword"
        },
        "NewTime": {
          "type": "keyword"
        },
        "NormalFrequency": {
          "type": "keyword"
        },
        "Number": {
          "type": "keyword"
        },
        "OldSchemeGuid": {
          "type": "keyword"
        },
        "OldTime": {
          "type": "keyword"
        },
        "OriginalFileName": {
          "type": "keyword"
        },
        "Path": {
          "type": "keyword"
        },
        "PerformanceImplementation": {
          "type": "keyword"
        },
        "PreviousCreationUtcTime": {
          "type": "keyword"
        },
        "PreviousTime": {
          "type": "keyword"
        },
        "PrivilegeList": {
          "type": "keyword"
        },
        "ProcessId": {
          "type": "keyword"
        },
        "ProcessName": {
          "type": "keyword"
        },
        "ProcessPath": {
          "type": "keyword"
        },
        "ProcessPid": {
          "type": "keyword"
        },
        "Product": {
          "type": "keyword"
        },
        "PuaCount": {
          "type": "keyword"
        },
        "PuaPolicyId": {
          "type": "keyword"
        },
        "QfeVersion": {
          "type": "keyword"
        },
        "Reason": {
          "type": "keyword"
        },
        "SchemaVersion": {
          "type": "keyword"
        },
        "ScriptBlockText": {
          "type": "keyword"
        },
        "ServiceName": {
          "type": "keyword"
        },
        "ServiceVersion": {
          "type": "keyword"
        },
        "ShutdownActionType": {
          "type": "keyword"
        },
        "ShutdownEventCode": {
          "type": "keyword"
        },
        "ShutdownReason": {
          "type": "keyword"
        },
        "Signature": {
          "type": "keyword"
        },
        "SignatureStatus": {
          "type": "keyword"
        },
        "Signed": {
          "type": "keyword"
        },
        "StartTime": {
          "type": "keyword"
        },
        "State": {
          "type": "keyword"
        },
        "Status": {
          "type": "keyword"
        },
        "StopTime": {
          "type": "keyword"
        },
        "Tsid": {
          "type": "keyword"
        },
        "TargetInfo": {
          "type": "keyword"
        },
        "TargetLogonGuid": {
          "type": "keyword"
        },
        "TargetServerName": {
          "type": "keyword"
        },
        "TokenElevationType": {
          "type": "keyword"
        },
        "UserSid": {
          "type": "keyword"
        },
        "Version": {
          "type": "keyword"
        },
        "Workstation": {
          "type": "keyword"
        },
        "param1": {
          "type": "keyword"
        },
        "param2": {
          "type": "keyword"
        },
        "param3": {
          "type": "keyword"
        },
        "param4": {
          "type": "keyword"
        },
        "param5": {
          "type": "keyword"
        },
        "param6": {
          "type": "keyword"
        },
        "param7": {
          "type": "keyword"
        },
        "param8": {
          "type": "keyword"
        },
        "keywords": {
          "type": "keyword"
        },
        "channel": {
          "type": "keyword"
        },
        "related_activity_id": {
          "type": "keyword"
        },
        "time_created": {
          "type": "keyword"
        },
        "user_data": {
          "type": "keyword"
        },
        "VirtualAccount": {
          "type": "keyword"
        },
        "new_state": {
          "type": "keyword"
        },
        "timestamp": {
          "type": "date"
        },
        "description": {
          "type": "keyword"
        },
        "path": {
          "type": "keyword"
        },
        "script_block_id": {
          "type": "keyword"
        },
        "reason": {
          "type": "keyword"
        },
        "code": {
          "type": "keyword"
        }
      }
    }
  },
  "_meta": {
    "description": "Component Template for ECS Base Fields"
  }
}
Disclaimer

While we endeavor to keep the information in our guides up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here. We update our screenshots and instructions on a best-effort basis.

The accurateness of the content was tested and proved to be working in our lab environment at the time of the last revision with the following software versions:

ECS version 1.10.0
NXLog Agent version 5.3.7022
Ubuntu 20.04
Windows Server 2016

Last revision: 13 July 2021