Problems using ecs

Ruslan_Hafizov · August 26, 2025, 9:02am

I try to use ecs to standardize various logs from different applications. I don't always manage to find a field that suits the situation, especially when it comes to user authorization/authentication. I would like to provide an example of some logs and discuss whether it is possible to store some of the information in the standard ECS schema. Examples:

User s3 logged in via SSH with MFA enabled (true), using a web terminal named ko-ko.

user.name: s3

event.action: login

user.authentication.mfa: true (e)

user.authentication.count: 1 (e)

user.login.type: web-terminal (e)

user.login.terminal: ko-ko (e)

User s3 uploaded data to preferences-api with security settings.

user.name: s3

event.action: upload

label.resource.name: preferences-api (e)

label.resource.params: security (e)

User gen-ai used 5 commands to generate images. Output: "images1.png, images2.png will be generated."

user.name: gen-ai

user.session.command_count: 5 (e)

event.action: generate images

label.output: "images1.png, images2.png will be generated" (e)

Fields marked with (e) indicate that I did not find a suitable field in the standard ecs schema. Please share your experience if you have encountered storing this type of data or know a suitable field from the standard schema. Additionally, explain why you chose this particular field. I would appreciate your feedback.

Quan.Nguyen · August 29, 2025, 6:35pm

Thank you Ruslan_Hafizov for raising the issue, as you said there are no suitable definitions for the items that you’ve flagged. I’ve logged an issue with the ECS repository - ticket - to track your suggestion. We’ll go through a triaging process with the team.

Regarding the gen_ai fields, we recently added beta fields for gen_ai - (start here) link - which I think you should review to see if there are any suitable fields for the items you’ve mentioned

Doing a quick scan possibly these fields might be applicable for some of the fields. There are still some values that might not have a direct mapping to your example

gen_ai.output.type
gen_ai.operation.name
gen_ai.response.finish_reasons (possible error scenarios)

Topic		Replies	Views
How Elastic common schema names are define for the log fields Elasticsearch ecs-elastic-common-schema	2	587	July 18, 2019
ECS Logger Mapping Logs to ECS Fields Logs ecs-elastic-common-schema	8	1442	July 14, 2021
Authentication fields used by SIEM vs ECS SIEM ecs-elastic-common-schema	4	1174	January 3, 2020
ECS field for application data and payloads Elasticsearch ecs-elastic-common-schema	4	1142	December 2, 2020
Firewall log in ECS Elasticsearch ecs-elastic-common-schema	5	2613	October 14, 2019

Problems using ecs

Related topics