Description
Summary
The current OS fields in ECS were inherited from Beats, and didn't come with very strong guidance on how to populate them. This has led to a few of the fields being used inconsistently across data sources (mainly os.platform, os.family and to a lesser extent os.name, os.full).
This in turn means it's difficult to reliably filter for "Linux" events, for example. Currently some sources put "Linux" in one of the fields, some other sources put distro details in some of these fields (e.g. rhel / redhat) with no trace of the word Linux in sight 🙂
Motivation:
We want to make it easy to filter for Windows, Linux, Unix and MacOS events. They're broadly speaking the main commercial platforms out there.
Detailed Design:
The proposal is to add a single new field that will have allowed values that need to be used.
Field name: os.type
Field type: keyword
Allowed values (lowercase):
- windows
- linux
- unix
- macos
Note: This issue is not about revamping the guidance on the OS field set; although this would be worth doing, in preparation for the next major release.