If I have events coming from a Virtual Machine and want to enrich the events with information about the host it is running on, in ECS, where would I put that information?
For example, the add_host_metadata processor for Beats adds the following information for the VM under host.*, but I'd want to add similar information about the physical machine it's running on.
{
  "host": {
    "architecture": "x86_64",
    "name": "example-host",
    "id": "",
    "os": {
      "family": "darwin",
      "build": "16G1212",
      "platform": "darwin",
      "version": "10.12.6",
      "kernel": "16.7.0",
      "name": "Mac OS X"
    },
    "ip": ["192.168.0.1", "10.0.0.1"],
    "mac": ["00:25:96:12:34:56", "72:00:06:ff:79:f1"],
    "geo": {
      "continent_name": "North America",
      "country_iso_code": "US",
      "region_name": "New York",
      "region_iso_code": "NY",
      "city_name": "New York",
      "name": "nyc-dc1-rack1",
      "location": "40.7128, -74.0060"
    }
  }
}