S03E03: What is the Elastic Common Schema?

A presentation at Elastic Daily B(y|i)te - S03 in October 2021 by David Pilato

Slide 1

Daily Elastic Observability B(y|i)te What is the Elastic Common Schema? David Pilato (@dadoonet)

Slide 2

ECS: Elastic Common Schema
• ECS is an open source specification
‒ https://www.elastic.co/guide/en/ecs/current/index.html
‒ https://github.com/elastic/ecs

Slide 3

Why ECS?

Slide 4

Why ECS?

Slide 5

source.ip
Source fields capture details about the sender of a network exchange/packet. These fields are populated from a network event, packet, or other event containing details of a network transaction.
https://www.elastic.co/guide/en/ecs/current/ecs-source.html

Slide 6

host.ip
A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.
https://www.elastic.co/guide/en/ecs/current/ecs-host.html
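As an added example (not part of the deck or of the ECS project), the Python below normalises a constructed sshd log line into nested ECS fields, keeping the remote sender in source.* and the observing machine in host.* as the two slides above distinguish them, and validates source.ip before it would be indexed. The log lines, the host metadata and the regular expression are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample lines, in the shape a syslog forwarder might deliver (not real data).
ACCEPTED_LINE = ("2021-10-05T09:14:03Z bastion01 sshd[2345]: Accepted publickey "
                 "for alice from 203.0.113.42 port 51234 ssh2")
FAILED_LINE = ("2021-10-05T09:15:11Z bastion01 sshd[2351]: Failed password "
               "for invalid user bob from 198.51.100.7 port 40022 ssh2")

# Hypothetical metadata the shipper knows about the machine that produced the events.
HOST_META = {"name": "bastion01", "ip": ["10.0.0.5"]}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

def to_ecs(line, host_meta):
    """Return a nested ECS document; source.* is the peer, host.* is the observer."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unrecognised sshd line")
    # ECS types source.ip as "ip": validate here so a bad value is rejected before indexing.
    src_ip = str(ipaddress.ip_address(m["ip"]))
    return {
        "@timestamp": m["ts"],
        "message": line,
        "event": {
            "kind": "event",
            "category": ["authentication"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure",
        },
        "source": {"ip": src_ip, "port": int(m["port"])},  # the remote sender
        "host": {"name": host_meta["name"], "ip": list(host_meta["ip"])},  # where it happened
        "user": {"name": m["user"]},
        "process": {"name": "sshd", "pid": int(m["pid"])},
    }

def flatten(doc, prefix=""):
    """Render a nested ECS document in the dotted form the slides use (e.g. "source.ip")."""
    out = {}
    for key, value in doc.items():
        if isinstance(value, dict):
            out.update(flatten(value, f"{prefix}{key}."))
        else:
            out[f"{prefix}{key}"] = value
    return out
```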

Slide 7

Contributing
https://github.com/elastic/ecs/blob/master/schemas/host.yml

Slide 8

In action

Slide 9

Elastic Common Schema: security analytics, metrics, monitoring, infra, logging, apm