diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md index c05fd1c2f7..07872e22dd 100644 --- a/CHANGELOG.next.md +++ b/CHANGELOG.next.md @@ -18,6 +18,7 @@ Thanks, you're awesome :-) --> * Added `event.category` "registry". #1040 * Added `event.category` "session". #1049 +* Added `os.type`. #1111 #### Improvements diff --git a/code/go/ecs/os.go b/code/go/ecs/os.go index a118950bbf..3284a5357c 100644 --- a/code/go/ecs/os.go +++ b/code/go/ecs/os.go @@ -21,6 +21,15 @@ package ecs // The OS fields contain information about the operating system. type Os struct { + // Use the `os.type` field to categorize the operating system into one of + // the broad commercial families. + // One of these following values should be used (lowercase): linux, macos, + // unix, windows. + // If the OS you're dealing with is not in the list, the field should not + // be populated. Please let us know by opening an issue with ECS, to + // propose its addition. + Type string `ecs:"type"` + // Operating system platform (such centos, ubuntu, windows). Platform string `ecs:"platform"` diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc index 25f01313b3..ae14752657 100644 --- a/docs/field-details.asciidoc +++ b/docs/field-details.asciidoc @@ -3930,6 +3930,23 @@ example: `darwin` // =============================================================== +| os.type +| Use the `os.type` field to categorize the operating system into one of the broad commercial families. + +One of these following values should be used (lowercase): linux, macos, unix, windows. + +If the OS you're dealing with is not in the list, the field should not be populated. Please let us know by opening an issue with ECS, to propose its addition. + +type: keyword + + + +example: `macos` + +| extended + +// =============================================================== + | os.version | Operating system version as a raw string. diff --git a/experimental/generated/beats/fields.ecs.yml b/experimental/generated/beats/fields.ecs.yml index 185a64addd..3ee89c2a22 100644 --- a/experimental/generated/beats/fields.ecs.yml +++ b/experimental/generated/beats/fields.ecs.yml @@ -2181,6 +2181,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: os.version level: extended type: keyword @@ -2929,6 +2944,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: os.version level: extended type: keyword @@ -3034,6 +3064,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: version level: extended type: keyword @@ -5716,6 +5761,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: os.version level: extended type: keyword diff --git a/experimental/generated/csv/fields.csv b/experimental/generated/csv/fields.csv index d92245dcaa..afea0e16c6 100644 --- a/experimental/generated/csv/fields.csv +++ b/experimental/generated/csv/fields.csv @@ -251,6 +251,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,host,host.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev+exp,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev+exp,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev+exp,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev+exp,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 2.0.0-dev+exp,true,host,host.type,keyword,core,,,Type of host. 2.0.0-dev+exp,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. @@ -342,6 +343,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,observer,observer.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev+exp,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev+exp,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev+exp,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev+exp,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 2.0.0-dev+exp,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. 2.0.0-dev+exp,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. @@ -703,6 +705,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev+exp,true,user_agent,user_agent.os.name,wildcard,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev+exp,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev+exp,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev+exp,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev+exp,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 2.0.0-dev+exp,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. 2.0.0-dev+exp,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. diff --git a/experimental/generated/ecs/ecs_flat.yml b/experimental/generated/ecs/ecs_flat.yml index e67d668343..5aefba80d3 100644 --- a/experimental/generated/ecs/ecs_flat.yml +++ b/experimental/generated/ecs/ecs_flat.yml @@ -3423,6 +3423,25 @@ host.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +host.os.type: + dashed_name: host-os-type + description: 'Use the `os.type` field to categorize the operating system into one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition.' + example: macos + flat_name: host.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword host.os.version: dashed_name: host-os-version description: Operating system version as a raw string. @@ -4559,6 +4578,25 @@ observer.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +observer.os.type: + dashed_name: observer-os-type + description: 'Use the `os.type` field to categorize the operating system into one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition.' + example: macos + flat_name: observer.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword observer.os.version: dashed_name: observer-os-version description: Operating system version as a raw string. @@ -8796,6 +8834,25 @@ user_agent.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +user_agent.os.type: + dashed_name: user-agent-os-type + description: 'Use the `os.type` field to categorize the operating system into one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition.' + example: macos + flat_name: user_agent.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.version: dashed_name: user-agent-os-version description: Operating system version as a raw string. diff --git a/experimental/generated/ecs/ecs_nested.yml b/experimental/generated/ecs/ecs_nested.yml index 57b2385bee..977a5c2232 100644 --- a/experimental/generated/ecs/ecs_nested.yml +++ b/experimental/generated/ecs/ecs_nested.yml @@ -4086,6 +4086,26 @@ host: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + host.os.type: + dashed_name: host-os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + flat_name: host.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword host.os.version: dashed_name: host-os-version description: Operating system version as a raw string. @@ -5339,6 +5359,26 @@ observer: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + observer.os.type: + dashed_name: observer-os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + flat_name: observer.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword observer.os.version: dashed_name: observer-os-version description: Operating system version as a raw string. @@ -5542,6 +5582,25 @@ os: normalize: [] short: Operating system platform (such centos, ubuntu, windows). type: keyword + os.type: + dashed_name: os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + flat_name: os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword os.version: dashed_name: os-version description: Operating system version as a raw string. @@ -10110,6 +10169,26 @@ user_agent: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + user_agent.os.type: + dashed_name: user-agent-os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + flat_name: user_agent.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.version: dashed_name: user-agent-os-version description: Operating system version as a raw string. diff --git a/experimental/generated/elasticsearch/7/template.json b/experimental/generated/elasticsearch/7/template.json index fcfc663168..0bfd44d084 100644 --- a/experimental/generated/elasticsearch/7/template.json +++ b/experimental/generated/elasticsearch/7/template.json @@ -1134,6 +1134,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -1589,6 +1593,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -3237,6 +3245,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml index 12a6db1f75..0361f97cdf 100644 --- a/generated/beats/fields.ecs.yml +++ b/generated/beats/fields.ecs.yml @@ -2214,6 +2214,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: os.version level: extended type: keyword @@ -2973,6 +2988,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: os.version level: extended type: keyword @@ -3081,6 +3111,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: version level: extended type: keyword @@ -5586,6 +5631,21 @@ ignore_above: 1024 description: Operating system platform (such centos, ubuntu, windows). example: darwin + - name: os.type + level: extended + type: keyword + ignore_above: 1024 + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + default_field: false - name: os.version level: extended type: keyword diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv index 2a8688c22b..784459a3cc 100644 --- a/generated/csv/fields.csv +++ b/generated/csv/fields.csv @@ -251,6 +251,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,host,host.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 2.0.0-dev,true,host,host.type,keyword,core,,,Type of host. 2.0.0-dev,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. @@ -342,6 +343,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,observer,observer.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 2.0.0-dev,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. 2.0.0-dev,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. @@ -667,6 +669,7 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description 2.0.0-dev,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,user_agent,user_agent.os.name.text,text,extended,,Mac OS X,"Operating system name, without the version." 2.0.0-dev,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +2.0.0-dev,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix or windows)." 2.0.0-dev,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 2.0.0-dev,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. 2.0.0-dev,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml index 9447fa982b..78ef1eaec8 100644 --- a/generated/ecs/ecs_flat.yml +++ b/generated/ecs/ecs_flat.yml @@ -3455,6 +3455,25 @@ host.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +host.os.type: + dashed_name: host-os-type + description: 'Use the `os.type` field to categorize the operating system into one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition.' + example: macos + flat_name: host.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword host.os.version: dashed_name: host-os-version description: Operating system version as a raw string. @@ -4602,6 +4621,25 @@ observer.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +observer.os.type: + dashed_name: observer-os-type + description: 'Use the `os.type` field to categorize the operating system into one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition.' + example: macos + flat_name: observer.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword observer.os.version: dashed_name: observer-os-version description: Operating system version as a raw string. @@ -8503,6 +8541,25 @@ user_agent.os.platform: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword +user_agent.os.type: + dashed_name: user-agent-os-type + description: 'Use the `os.type` field to categorize the operating system into one + of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition.' + example: macos + flat_name: user_agent.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.version: dashed_name: user-agent-os-version description: Operating system version as a raw string. diff --git a/generated/ecs/ecs_nested.yml b/generated/ecs/ecs_nested.yml index f8b86c0ee0..1352e844e5 100644 --- a/generated/ecs/ecs_nested.yml +++ b/generated/ecs/ecs_nested.yml @@ -4120,6 +4120,26 @@ host: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + host.os.type: + dashed_name: host-os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + flat_name: host.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword host.os.version: dashed_name: host-os-version description: Operating system version as a raw string. @@ -5384,6 +5404,26 @@ observer: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + observer.os.type: + dashed_name: observer-os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + flat_name: observer.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword observer.os.version: dashed_name: observer-os-version description: Operating system version as a raw string. @@ -5590,6 +5630,25 @@ os: normalize: [] short: Operating system platform (such centos, ubuntu, windows). type: keyword + os.type: + dashed_name: os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + flat_name: os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword os.version: dashed_name: os-version description: Operating system version as a raw string. @@ -9801,6 +9860,26 @@ user_agent: original_fieldset: os short: Operating system platform (such centos, ubuntu, windows). type: keyword + user_agent.os.type: + dashed_name: user-agent-os-type + description: 'Use the `os.type` field to categorize the operating system into + one of the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, + windows. + + If the OS you''re dealing with is not in the list, the field should not be + populated. Please let us know by opening an issue with ECS, to propose its + addition.' + example: macos + flat_name: user_agent.os.type + ignore_above: 1024 + level: extended + name: type + normalize: [] + original_fieldset: os + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + type: keyword user_agent.os.version: dashed_name: user-agent-os-version description: Operating system version as a raw string. diff --git a/generated/elasticsearch/6/template.json b/generated/elasticsearch/6/template.json index 0f6e8dfb83..c80ed9eab5 100644 --- a/generated/elasticsearch/6/template.json +++ b/generated/elasticsearch/6/template.json @@ -1167,6 +1167,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -1633,6 +1637,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -3161,6 +3169,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" diff --git a/generated/elasticsearch/7/template.json b/generated/elasticsearch/7/template.json index 8583630fb1..2065369a1c 100644 --- a/generated/elasticsearch/7/template.json +++ b/generated/elasticsearch/7/template.json @@ -1166,6 +1166,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -1632,6 +1636,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -3160,6 +3168,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" diff --git a/schemas/os.yml b/schemas/os.yml index 71bf1dd36e..8b8cfcdad7 100644 --- a/schemas/os.yml +++ b/schemas/os.yml @@ -13,6 +13,20 @@ type: group fields: + - name: type + level: extended + type: keyword + short: 'Which commercial OS family (one of: linux, macos, unix or windows).' + description: > + Use the `os.type` field to categorize the operating system into one of + the broad commercial families. + + One of these following values should be used (lowercase): linux, macos, unix, windows. + + If the OS you're dealing with is not in the list, the field should not be populated. + Please let us know by opening an issue with ECS, to propose its addition. + example: macos + - name: platform level: extended type: keyword