tyler.durden/icingabeat
1
0
Fork 0
mirror of https://github.com/Icinga/icingabeat.git synced 2025-07-27 07:44:02 +02:00
Code Issues Packages Projects Releases Wiki Activity

Update generated files

Browse Source
This commit is contained in:
Blerim Sheqa 2019-11-07 09:46:03 +01:00
parent ced805d846
commit 81be451ba5
6 changed files with 1782 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

452
_meta/kibana.generated/6/dashboard/Icingabeat-CheckResults.json Normal file
View File

@ -0,0 +1,452 @@
{
"objects": [
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
"query": {
"language": "lucene",
"query": ""
}
}
},
"savedSearchId": "eb7896b0-e4bd-11e7-b4d1-8383451ae5a4",
"title": "CheckResults by State",
"uiStateJSON": {
"vis": {
"colors": {
"Critical": "#BF1B00",
"Ok": "#629E51",
"Unknown": "#962D82",
"Warning": "#E5AC0E"
}
}
},
"version": 1,
"visState": {
"aggs": [
{
"enabled": true,
"id": "1",
"params": {},
"schema": "metric",
"type": "count"
},
{
"enabled": true,
"id": "2",
"params": {
"customInterval": "2h",
"extended_bounds": {},
"field": "@timestamp",
"interval": "auto",
"min_doc_count": 1
},
"schema": "segment",
"type": "date_histogram"
},
{
"enabled": true,
"id": "3",
"params": {
"filters": [
{
"input": {
"query": "icinga.check_result.state:0"
},
"label": "Ok"
},
{
"input": {
"query": "icinga.check_result.state:1"
},
"label": "Warning"
},
{
"input": {
"query": "icinga.check_result.state:3"
},
"label": "Critical"
},
{
"input": {
"query": "icinga.check_result.state:4"
},
"label": "Unknown"
}
]
},
"schema": "group",
"type": "filters"
}
],
"params": {
"addLegend": true,
"addTimeMarker": false,
"addTooltip": true,
"categoryAxes": [
{
"id": "CategoryAxis-1",
"labels": {
"show": true,
"truncate": 100
},
"position": "bottom",
"scale": {
"type": "linear"
},
"show": true,
"style": {},
"title": {},
"type": "category"
}
],
"grid": {
"categoryLines": false,
"style": {
"color": "#eee"
}
},
"legendPosition": "right",
"seriesParams": [
{
"data": {
"id": "1",
"label": "Count"
},
"drawLinesBetweenPoints": true,
"mode": "stacked",
"show": "true",
"showCircles": true,
"type": "histogram",
"valueAxis": "ValueAxis-1"
}
],
"times": [],
"type": "histogram",
"valueAxes": [
{
"id": "ValueAxis-1",
"labels": {
"filter": false,
"rotate": 0,
"show": true,
"truncate": 100
},
"name": "LeftAxis-1",
"position": "left",
"scale": {
"mode": "normal",
"type": "linear"
},
"show": true,
"style": {},
"title": {
"text": "Count"
},
"type": "value"
}
]
},
"title": "CheckResults by State",
"type": "histogram"
}
},
"id": "a32bdf10-e4be-11e7-b4d1-8383451ae5a4",
"type": "visualization",
"updated_at": "2018-12-20T14:56:10.746Z",
"version": 1
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
"query": {
"language": "lucene",
"query": ""
}
}
},
"savedSearchId": "eb7896b0-e4bd-11e7-b4d1-8383451ae5a4",
"title": "CheckResult Count",
"uiStateJSON": {},
"version": 1,
"visState": {
"aggs": [
{
"enabled": true,
"id": "1",
"params": {
"customLabel": "CheckResults received"
},
"schema": "metric",
"type": "count"
}
],
"params": {
"addLegend": false,
"addTooltip": true,
"metric": {
"colorSchema": "Green to Red",
"colorsRange": [
{
"from": 0,
"to": 10000
}
],
"invertColors": false,
"labels": {
"show": true
},
"metricColorMode": "None",
"percentageMode": false,
"style": {
"bgColor": false,
"bgFill": "#000",
"fontSize": 60,
"labelColor": false,
"subText": ""
},
"useRanges": false
},
"type": "metric"
},
"title": "CheckResult Count",
"type": "metric"
}
},
"id": "3bf26530-e4be-11e7-b4d1-8383451ae5a4",
"type": "visualization",
"updated_at": "2018-12-20T14:56:10.746Z",
"version": 1
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
"query": {
"language": "lucene",
"query": ""
}
}
},
"savedSearchId": "eb7896b0-e4bd-11e7-b4d1-8383451ae5a4",
"title": "Hosts Tag Cloud",
"uiStateJSON": {},
"version": 1,
"visState": {
"aggs": [
{
"enabled": true,
"id": "1",
"params": {},
"schema": "metric",
"type": "count"
},
{
"enabled": true,
"id": "2",
"params": {
"customLabel": "Hosts",
"field": "icinga.host",
"order": "desc",
"orderBy": "1",
"size": 50
},
"schema": "segment",
"type": "terms"
}
],
"params": {
"maxFontSize": 72,
"minFontSize": 18,
"orientation": "single",
"scale": "linear"
},
"title": "Hosts Tag Cloud",
"type": "tagcloud"
}
},
"id": "4a9d5c50-e4c0-11e7-b4d1-8383451ae5a4",
"type": "visualization",
"updated_at": "2018-12-20T14:56:10.746Z",
"version": 1
},
{
"attributes": {
"description": "",
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
"query": {
"language": "lucene",
"query": ""
}
}
},
"savedSearchId": "eb7896b0-e4bd-11e7-b4d1-8383451ae5a4",
"title": "Services Tag Cloud",
"uiStateJSON": {},
"version": 1,
"visState": {
"aggs": [
{
"enabled": true,
"id": "1",
"params": {},
"schema": "metric",
"type": "count"
},
{
"enabled": true,
"id": "2",
"params": {
"customLabel": "Services",
"field": "icinga.service",
"order": "desc",
"orderBy": "1",
"size": 500
},
"schema": "segment",
"type": "terms"
}
],
"params": {
"maxFontSize": 72,
"minFontSize": 18,
"orientation": "single",
"scale": "linear"
},
"title": "Services Tag Cloud",
"type": "tagcloud"
}
},
"id": "6a23e300-e4c0-11e7-b4d1-8383451ae5a4",
"type": "visualization",
"updated_at": "2018-12-20T14:56:10.746Z",
"version": 1
},
{
"attributes": {
"columns": [
"_source"
],
"description": "",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
"highlightAll": true,
"index": "icingabeat-*",
"query": {
"language": "lucene",
"query": "type:icingabeat.event.checkresult"
},
"version": true
}
},
"sort": [
"@timestamp",
"desc"
],
"title": "CheckResults",
"version": 1
},
"id": "eb7896b0-e4bd-11e7-b4d1-8383451ae5a4",
"type": "search",
"updated_at": "2018-12-20T14:56:10.746Z",
"version": 1
},
{
"attributes": {
"description": "Summary of check results received by Icinga",
"hits": 0,
"kibanaSavedObjectMeta": {
"searchSourceJSON": {
"filter": [],
"highlightAll": true,
"query": {
"language": "lucene",
"query": ""
},
"version": true
}
},
"optionsJSON": {
"darkTheme": false,
"hidePanelTitles": false,
"useMargins": true
},
"panelsJSON": [
{
"gridData": {
"h": 2,
"i": "1",
"w": 12,
"x": 0,
"y": 0
},
"id": "a32bdf10-e4be-11e7-b4d1-8383451ae5a4",
"panelIndex": "1",
"type": "visualization",
"version": "6.1.0"
},
{
"gridData": {
"h": 5,
"i": "2",
"w": 3,
"x": 0,
"y": 2
},
"id": "3bf26530-e4be-11e7-b4d1-8383451ae5a4",
"panelIndex": "2",
"type": "visualization",
"version": "6.1.0"
},
{
"gridData": {
"h": 5,
"i": "3",
"w": 4,
"x": 3,
"y": 2
},
"id": "4a9d5c50-e4c0-11e7-b4d1-8383451ae5a4",
"panelIndex": "3",
"type": "visualization",
"version": "6.1.0"
},
{
"gridData": {
"h": 5,
"i": "4",
"w": 5,
"x": 7,
"y": 2
},
"id": "6a23e300-e4c0-11e7-b4d1-8383451ae5a4",
"panelIndex": "4",
"type": "visualization",
"version": "6.1.0"
}
],
"timeRestore": false,
"title": "Icingabeat-CheckResults",
"uiStateJSON": {},
"version": 1
},
"id": "34e97340-e4ce-11e7-b4d1-8383451ae5a4",
"type": "dashboard",
"updated_at": "2018-12-20T14:56:10.746Z",
"version": 1
}
],
"version": "6.5.3"
}

786
docs/fields.asciidoc
View File

File diff suppressed because it is too large Load Diff

568
fields.yml
View File

@ -1,5 +1,5 @@
# WARNING! Do not edit this file directly, it was generated by the ECS project, # WARNING! Do not edit this file directly, it was generated by the ECS project,
# based on ECS version 1.0.1. # based on ECS version 1.1.0.
# Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields.
- key: ecs - key: ecs
@ -110,6 +110,27 @@
ignore_above: 1024 ignore_above: 1024
description: Version of the agent. description: Version of the agent.
example: 6.0.0-rc2 example: 6.0.0-rc2
- name: as
title: Autonomous System
group: 2
description: An autonomous system (AS) is a collection of connected Internet Protocol
(IP) routing prefixes under the control of one or more network operators on
behalf of a single administrative entity or domain that presents a common, clearly
defined routing policy to the internet.
type: group
fields:
- name: number
level: extended
type: long
description: Unique number allocated to the autonomous system. The autonomous
system number (ASN) uniquely identifies each network on the Internet.
example: 15169
- name: organization.name
level: extended
type: keyword
ignore_above: 1024
description: Organization name.
example: Google LLC
- name: client - name: client
title: Client title: Client
group: 2 group: 2
@ -140,6 +161,18 @@
Then it should be duplicated to `.ip` or `.domain`, depending on which one Then it should be duplicated to `.ip` or `.domain`, depending on which one
it is.' it is.'
- name: as.number
level: extended
type: long
description: Unique number allocated to the autonomous system. The autonomous
system number (ASN) uniquely identifies each network on the Internet.
example: 15169
- name: as.organization.name
level: extended
type: keyword
ignore_above: 1024
description: Organization name.
example: Google LLC
- name: bytes - name: bytes
level: core level: core
type: long type: long
@ -215,6 +248,21 @@
type: keyword type: keyword
ignore_above: 1024 ignore_above: 1024
description: MAC address of the client. description: MAC address of the client.
- name: nat.ip
level: extended
type: ip
description: 'Translated IP of source based NAT sessions (e.g. internal client
to internet).
Typically connections traversing load balancers, firewalls, or routers.'
- name: nat.port
level: extended
type: long
format: string
description: 'Translated port of source based NAT sessions (e.g. internal client
to internet).
Typically connections traversing load balancers, firewalls, or routers.'
- name: packets - name: packets
level: core level: core
type: long type: long
@ -225,6 +273,13 @@
type: long type: long
format: string format: string
description: Port of the client. description: Port of the client.
- name: user.domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
- name: user.email - name: user.email
level: extended level: extended
type: keyword type: keyword
@ -381,6 +436,18 @@
Then it should be duplicated to `.ip` or `.domain`, depending on which one Then it should be duplicated to `.ip` or `.domain`, depending on which one
it is.' it is.'
- name: as.number
level: extended
type: long
description: Unique number allocated to the autonomous system. The autonomous
system number (ASN) uniquely identifies each network on the Internet.
example: 15169
- name: as.organization.name
level: extended
type: keyword
ignore_above: 1024
description: Organization name.
example: Google LLC
- name: bytes - name: bytes
level: core level: core
type: long type: long
@ -456,6 +523,20 @@
type: keyword type: keyword
ignore_above: 1024 ignore_above: 1024
description: MAC address of the destination. description: MAC address of the destination.
- name: nat.ip
level: extended
type: ip
description: 'Translated ip of destination based NAT sessions (e.g. internet
to private DMZ)
Typically used with load balancers, firewalls, or routers.'
- name: nat.port
level: extended
type: long
format: string
description: 'Port the source session is translated to by NAT Device.
Typically used with load balancers, firewalls, or routers.'
- name: packets - name: packets
level: core level: core
type: long type: long
@ -466,6 +547,13 @@
type: long type: long
format: string format: string
description: Port of the destination. description: Port of the destination.
- name: user.domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
- name: user.email - name: user.email
level: extended level: extended
type: keyword type: keyword
@ -507,6 +595,159 @@
ignore_above: 1024 ignore_above: 1024
description: Short name or login of the user. description: Short name or login of the user.
example: albert example: albert
- name: dns
title: DNS
group: 2
description: 'Fields describing DNS queries and answers.
DNS events should either represent a single DNS query prior to getting answers
(`dns.type:query`) or they should represent a full exchange and contain the
query details as well as all of the answers that were provided for this query
(`dns.type:answer`).'
type: group
fields:
- name: answers
level: extended
type: object
object_type: keyword
description: 'An array containing an object for each answer section returned
by the server.
The main keys that should be present in these objects are defined by ECS.
Records that have more information may contain more keys than what ECS defines.
Not all DNS data sources give all details about DNS answers. At minimum, answer
objects must contain the `data` key. If more information is available, map
as much of it to ECS as possible, and add any additional fields to the answer
objects as custom fields.'
- name: answers.class
level: extended
type: keyword
ignore_above: 1024
description: The class of DNS data contained in this resource record.
example: IN
- name: answers.data
level: extended
type: keyword
ignore_above: 1024
description: 'The data describing the resource.
The meaning of this data depends on the type and class of the resource record.'
example: 10.10.10.10
- name: answers.name
level: extended
type: keyword
ignore_above: 1024
description: 'The domain name to which this resource record pertains.
If a chain of CNAME is being resolved, each answer''s `name` should be the
one that corresponds with the answer''s `data`. It should not simply be the
original `question.name` repeated.'
example: www.google.com
- name: answers.ttl
level: extended
type: long
description: The time interval in seconds that this resource record may be cached
before it should be discarded. Zero values mean that the data should not be
cached.
example: 180
- name: answers.type
level: extended
type: keyword
ignore_above: 1024
description: The type of data contained in this resource record.
example: CNAME
- name: header_flags
level: extended
type: keyword
ignore_above: 1024
description: 'Array of 2 letter DNS header flags.
Expected values are: AA, TC, RD, RA, AD, CD, DO.'
example:
- RD
- RA
- name: id
level: extended
type: keyword
ignore_above: 1024
description: The DNS packet identifier assigned by the program that generated
the query. The identifier is copied to the response.
example: 62111
- name: op_code
level: extended
type: keyword
ignore_above: 1024
description: The DNS operation code that specifies the kind of query in the
message. This value is set by the originator of a query and copied into the
response.
example: QUERY
- name: question.class
level: extended
type: keyword
ignore_above: 1024
description: The class of of records being queried.
example: IN
- name: question.name
level: extended
type: keyword
ignore_above: 1024
description: 'The name being queried.
If the name field contains non-printable characters (below 32 or above 126),
those characters should be represented as escaped base 10 integers (\DDD).
Back slashes and quotes should be escaped. Tabs, carriage returns, and line
feeds should be converted to \t, \r, and \n respectively.'
example: www.google.com
- name: question.registered_domain
level: extended
type: keyword
ignore_above: 1024
description: 'The highest registered domain, stripped of the subdomain.
For example, the registered domain for "foo.google.com" is "google.com".
This value can be determined precisely with a list like the public suffix
list (http://publicsuffix.org). Trying to approximate this by simply taking
the last two labels will not work well for TLDs such as "co.uk".'
example: google.com
- name: question.type
level: extended
type: keyword
ignore_above: 1024
description: The type of record being queried.
example: AAAA
- name: resolved_ip
level: extended
type: ip
description: 'Array containing all IPs seen in `answers.data`.
The `answers` array can be difficult to use, because of the variety of data
formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip`
makes it possible to index them as IP addresses, and makes them easier to
visualize and query for.'
example:
- 10.10.10.10
- 10.10.10.11
- name: response_code
level: extended
type: keyword
ignore_above: 1024
description: The DNS response code.
example: NOERROR
- name: type
level: extended
type: keyword
ignore_above: 1024
description: 'The type of DNS event captured, query or answer.
If your source of DNS events only gives you DNS queries, you should only create
dns events of type `dns.type:query`.
If your source of DNS events gives you answers as well, you should create
one event per query (optionally as soon as the query is seen). And a second
event containing all query details as well as an array of answers.'
example: answer
- name: ecs - name: ecs
title: ECS title: ECS
group: 2 group: 2
@ -585,6 +826,16 @@
multiple actions. Warning: In future versions of ECS, we plan to provide a multiple actions. Warning: In future versions of ECS, we plan to provide a
list of acceptable values for this field, please use with caution.' list of acceptable values for this field, please use with caution.'
example: user-management example: user-management
- name: code
level: extended
type: keyword
ignore_above: 1024
description: 'Identification code for this event, if one exists.
Some event sources use event codes to identify messages unambiguously, regardless
of message language or wording adjustments over time. An example of this is
the Windows Event ID.'
example: 4648
- name: created - name: created
level: core level: core
type: date type: date
@ -606,10 +857,13 @@
ignore_above: 1024 ignore_above: 1024
description: 'Name of the dataset. description: 'Name of the dataset.
The concept of a `dataset` (fileset / metricset) is used in Beats as a subset If an event source publishes more than one type of log or events (e.g. access
of modules. It contains the information which is currently stored in metricset.name log, error log), the dataset is used to specify which one the event comes
and metricset.module or fileset.name.' from.
example: stats
It''s recommended but not required to start the dataset name with the module
name, followed by a dot, then the dataset name.'
example: apache.access
- name: duration - name: duration
level: core level: core
type: long type: long
@ -656,8 +910,10 @@
ignore_above: 1024 ignore_above: 1024
description: 'Name of the module this data is coming from. description: 'Name of the module this data is coming from.
This information is coming from the modules used in Beats or Logstash.' If your monitoring agent supports the concept of modules or plugins to process
example: mysql events of a given source (e.g. Apache logs), `event.module` should contain
the name of this module.'
example: apache
- name: original - name: original
level: core level: core
type: keyword type: keyword
@ -679,6 +935,17 @@
versions of ECS, we plan to provide a list of acceptable values for this field, versions of ECS, we plan to provide a list of acceptable values for this field,
please use with caution.' please use with caution.'
example: success example: success
- name: provider
level: extended
type: keyword
ignore_above: 1024
description: 'Source of the event.
Event transports such as Syslog or the Windows Event Log typically mention
the source of an event. It can be the name of the software that generated
the event (e.g. Sysmon, httpd), or of a subsystem of the operating system
(kernel, Microsoft-Windows-Security-Auditing).'
example: kernel
- name: risk_score - name: risk_score
level: core level: core
type: float type: float
@ -692,6 +959,14 @@
This is mainly useful if you use more than one system that assigns risk scores, This is mainly useful if you use more than one system that assigns risk scores,
and you want to see a normalized value across all systems.' and you want to see a normalized value across all systems.'
- name: sequence
level: extended
type: long
format: string
description: 'Sequence number of the event.
The sequence number is a value published by some event sources, to make the
exact ordering of events unambiguous, regarless of the timestamp precision.'
- name: severity - name: severity
level: core level: core
type: long type: long
@ -734,62 +1009,116 @@
the event or metric.' the event or metric.'
type: group type: group
fields: fields:
- name: accessed
level: extended
type: date
description: 'Last time the file was accessed.
Note that not all filesystems keep track of access time.'
- name: created
level: extended
type: date
description: 'File creation time.
Note that not all filesystems store the creation time.'
- name: ctime - name: ctime
level: extended level: extended
type: date type: date
description: Last time file metadata changed. description: 'Last time the file attributes or metadata changed.
Note that changes to the file content will update `mtime`. This implies `ctime`
will be adjusted at the same time, since `mtime` is an attribute of the file.'
- name: device - name: device
level: extended level: extended
type: keyword type: keyword
ignore_above: 1024 ignore_above: 1024
description: Device that is the source of the file. description: Device that is the source of the file.
example: sda
- name: directory
level: extended
type: keyword
ignore_above: 1024
description: Directory where the file is located.
example: /home/alice
- name: extension - name: extension
level: extended level: extended
type: keyword type: keyword
ignore_above: 1024 ignore_above: 1024
description: 'File extension. description: File extension.
This should allow easy filtering by file extensions.'
example: png example: png
- name: gid - name: gid
level: extended level: extended
type: keyword type: keyword
ignore_above: 1024 ignore_above: 1024
description: Primary group ID (GID) of the file. description: Primary group ID (GID) of the file.
example: '1001'
- name: group - name: group
level: extended level: extended
type: keyword type: keyword
ignore_above: 1024 ignore_above: 1024
description: Primary group name of the file. description: Primary group name of the file.
example: alice
- name: hash.md5
level: extended
type: keyword
ignore_above: 1024
description: MD5 hash.
- name: hash.sha1
level: extended
type: keyword
ignore_above: 1024
description: SHA1 hash.
- name: hash.sha256
level: extended
type: keyword
ignore_above: 1024
description: SHA256 hash.
- name: hash.sha512
level: extended
type: keyword
ignore_above: 1024
description: SHA512 hash.
- name: inode - name: inode
level: extended level: extended
type: keyword type: keyword
ignore_above: 1024 ignore_above: 1024
description: Inode representing the file in the filesystem. description: Inode representing the file in the filesystem.
example: '256383'
- name: mode - name: mode
level: extended level: extended
type: keyword type: keyword
ignore_above: 1024 ignore_above: 1024
description: Mode of the file in octal representation. description: Mode of the file in octal representation.
example: 416 example: '0640'
- name: mtime - name: mtime
level: extended level: extended
type: date type: date
description: Last time file content was modified. description: Last time the file content was modified.
- name: name
level: extended
type: keyword
ignore_above: 1024
description: Name of the file including the extension, without the directory.
example: example.png
- name: owner - name: owner
level: extended level: extended
type: keyword type: keyword
ignore_above: 1024 ignore_above: 1024
description: File owner's username. description: File owner's username.
example: alice
- name: path - name: path
level: extended level: extended
type: keyword type: keyword
ignore_above: 1024 ignore_above: 1024
description: Path to the file. description: Full path to the file.
example: /home/alice/example.png
- name: size - name: size
level: extended level: extended
type: long type: long
description: File size in bytes (field is only added when `type` is `file`). description: 'File size in bytes.
Only relevant when `file.type` is "file".'
example: 16384
- name: target_path - name: target_path
level: extended level: extended
type: keyword type: keyword
@ -800,11 +1129,13 @@
type: keyword type: keyword
ignore_above: 1024 ignore_above: 1024
description: File type (file, dir, or symlink). description: File type (file, dir, or symlink).
example: file
- name: uid - name: uid
level: extended level: extended
type: keyword type: keyword
ignore_above: 1024 ignore_above: 1024
description: The user ID (UID) or security identifier (SID) of the file owner. description: The user ID (UID) or security identifier (SID) of the file owner.
example: '1001'
- name: geo - name: geo
title: Geo title: Geo
group: 2 group: 2
@ -885,6 +1216,36 @@
type: keyword type: keyword
ignore_above: 1024 ignore_above: 1024
description: Name of the group. description: Name of the group.
- name: hash
title: Hash
group: 2
description: 'The hash fields represent different hash algorithms and their values.
Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for
other hashes by lowercasing the hash algorithm name and using underscore separators
as appropriate (snake case, e.g. sha3_512).'
type: group
fields:
- name: md5
level: extended
type: keyword
ignore_above: 1024
description: MD5 hash.
- name: sha1
level: extended
type: keyword
ignore_above: 1024
description: SHA1 hash.
- name: sha256
level: extended
type: keyword
ignore_above: 1024
description: SHA256 hash.
- name: sha512
level: extended
type: keyword
ignore_above: 1024
description: SHA512 hash.
- name: host - name: host
title: Host title: Host
group: 2 group: 2
@ -1033,6 +1394,18 @@
For Cloud providers this can be the machine type like `t2.medium`. If vm, For Cloud providers this can be the machine type like `t2.medium`. If vm,
this could be the container, for example, or other information meaningful this could be the container, for example, or other information meaningful
in your environment.' in your environment.'
- name: uptime
level: extended
type: long
description: Seconds the host has been up.
example: 1325
- name: user.domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
- name: user.email - name: user.email
level: extended level: extended
type: keyword type: keyword
@ -1158,6 +1531,13 @@
Some examples are `warn`, `error`, `i`.' Some examples are `warn`, `error`, `i`.'
example: err example: err
- name: logger
level: core
type: keyword
ignore_above: 1024
description: The name of the logger inside an application. This is usually the
name of the class which initialized the logger, or can be a custom name.
example: org.elasticsearch.bootstrap.Bootstrap
- name: original - name: original
level: core level: core
type: keyword type: keyword
@ -1516,6 +1896,26 @@
ignore_above: 1024 ignore_above: 1024
description: Absolute path to the process executable. description: Absolute path to the process executable.
example: /usr/bin/ssh example: /usr/bin/ssh
- name: hash.md5
level: extended
type: keyword
ignore_above: 1024
description: MD5 hash.
- name: hash.sha1
level: extended
type: keyword
ignore_above: 1024
description: SHA1 hash.
- name: hash.sha256
level: extended
type: keyword
ignore_above: 1024
description: SHA256 hash.
- name: hash.sha512
level: extended
type: keyword
ignore_above: 1024
description: SHA512 hash.
- name: name - name: name
level: extended level: extended
type: keyword type: keyword
@ -1524,6 +1924,11 @@
Sometimes called program name or similar.' Sometimes called program name or similar.'
example: ssh example: ssh
- name: pgid
level: extended
type: long
format: string
description: Identifier of the group of processes the process belongs to.
- name: pid - name: pid
level: core level: core
type: long type: long
@ -1547,6 +1952,12 @@
format: string format: string
description: Thread ID. description: Thread ID.
example: 4242 example: 4242
- name: thread.name
level: extended
type: keyword
ignore_above: 1024
description: Thread name.
example: thread-0
- name: title - name: title
level: extended level: extended
type: keyword type: keyword
@ -1555,6 +1966,11 @@
The proctitle, some times the same as process name. Can also be different: The proctitle, some times the same as process name. Can also be different:
for example a browser setting its title to the web page currently opened.' for example a browser setting its title to the web page currently opened.'
- name: uptime
level: extended
type: long
description: Seconds the process has been up.
example: 1325
- name: working_directory - name: working_directory
level: extended level: extended
type: keyword type: keyword
@ -1611,6 +2027,18 @@
Then it should be duplicated to `.ip` or `.domain`, depending on which one Then it should be duplicated to `.ip` or `.domain`, depending on which one
it is.' it is.'
- name: as.number
level: extended
type: long
description: Unique number allocated to the autonomous system. The autonomous
system number (ASN) uniquely identifies each network on the Internet.
example: 15169
- name: as.organization.name
level: extended
type: keyword
ignore_above: 1024
description: Organization name.
example: Google LLC
- name: bytes - name: bytes
level: core level: core
type: long type: long
@ -1686,6 +2114,21 @@
type: keyword type: keyword
ignore_above: 1024 ignore_above: 1024
description: MAC address of the server. description: MAC address of the server.
- name: nat.ip
level: extended
type: ip
description: 'Translated ip of destination based NAT sessions (e.g. internet
to private DMZ)
Typically used with load balancers, firewalls, or routers.'
- name: nat.port
level: extended
type: long
format: string
description: 'Translated port of destination based NAT sessions (e.g. internet
to private DMZ)
Typically used with load balancers, firewalls, or routers.'
- name: packets - name: packets
level: core level: core
type: long type: long
@ -1696,6 +2139,13 @@
type: long type: long
format: string format: string
description: Port of the server. description: Port of the server.
- name: user.domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
- name: user.email - name: user.email
level: extended level: extended
type: keyword type: keyword
@ -1758,13 +2208,15 @@
level: core level: core
type: keyword type: keyword
ignore_above: 1024 ignore_above: 1024
description: 'Unique identifier of the running service. description: 'Unique identifier of the running service. If the service is comprised
of many nodes, the `service.id` should be the same for all nodes.
This id should uniquely identify this service. This makes it possible to correlate This id should uniquely identify the service. This makes it possible to correlate
logs and metrics for one specific service. logs and metrics for one specific service, no matter which particular node
emitted the event.
Example: If you are experiencing issues with one redis instance, you can filter Note that if you need to see the events from one specific host of the service,
on that id to see metrics and logs for that single instance.' you should filter on that `host.name` or `host.id` instead.'
example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
- name: name - name: name
level: core level: core
@ -1826,6 +2278,18 @@
Then it should be duplicated to `.ip` or `.domain`, depending on which one Then it should be duplicated to `.ip` or `.domain`, depending on which one
it is.' it is.'
- name: as.number
level: extended
type: long
description: Unique number allocated to the autonomous system. The autonomous
system number (ASN) uniquely identifies each network on the Internet.
example: 15169
- name: as.organization.name
level: extended
type: keyword
ignore_above: 1024
description: Organization name.
example: Google LLC
- name: bytes - name: bytes
level: core level: core
type: long type: long
@ -1901,6 +2365,21 @@
type: keyword type: keyword
ignore_above: 1024 ignore_above: 1024
description: MAC address of the source. description: MAC address of the source.
- name: nat.ip
level: extended
type: ip
description: 'Translated ip of source based NAT sessions (e.g. internal client
to internet)
Typically connections traversing load balancers, firewalls, or routers.'
- name: nat.port
level: extended
type: long
format: string
description: 'Translated port of source based NAT sessions. (e.g. internal client
to internet)
Typically used with load balancers, firewalls, or routers.'
- name: packets - name: packets
level: core level: core
type: long type: long
@ -1911,6 +2390,13 @@
type: long type: long
format: string format: string
description: Port of the source. description: Port of the source.
- name: user.domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
- name: user.email - name: user.email
level: extended level: extended
type: keyword type: keyword
@ -1952,6 +2438,33 @@
ignore_above: 1024 ignore_above: 1024
description: Short name or login of the user. description: Short name or login of the user.
example: albert example: albert
- name: tracing
title: Tracing
group: 2
description: Distributed tracing makes it possible to analyze performance throughout
a microservice architecture all in one view. This is accomplished by tracing
all of the requests - from the initial web request in the front-end service
- to queries made through multiple back-end services.
type: group
fields:
- name: trace.id
level: extended
type: keyword
ignore_above: 1024
description: 'Unique identifier of the trace.
A trace groups multiple events like transactions that belong together. For
example, a user request handled by multiple inter-connected services.'
example: 4bf92f3577b34da6a3ce929d0e0e4736
- name: transaction.id
level: extended
type: keyword
ignore_above: 1024
description: 'Unique identifier of the transaction.
A transaction is the highest level of work measured within a service, such
as a request to a server.'
example: 00f067aa0ba902b7
- name: url - name: url
title: URL title: URL
group: 2 group: 2
@ -2044,6 +2557,13 @@
provide an array that includes all of them.' provide an array that includes all of them.'
type: group type: group
fields: fields:
- name: domain
level: extended
type: keyword
ignore_above: 1024
description: 'Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.'
- name: email - name: email
level: extended level: extended
type: keyword type: keyword
@ -2340,13 +2860,17 @@
description: > description: >
Kubernetes node name Kubernetes node name
- name: labels - name: labels.*
type: object type: object
object_type: keyword
object_type_mapping_type: "*"
description: > description: >
Kubernetes labels map Kubernetes labels map
- name: annotations - name: annotations.*
type: object type: object
object_type: keyword
object_type_mapping_type: "*"
description: > description: >
Kubernetes annotations map Kubernetes annotations map

9
icingabeat.reference.yml
View File

@ -40,7 +40,7 @@
#flush.min_events: 2048 #flush.min_events: 2048
# Maximum duration after which events are available to the outputs, # Maximum duration after which events are available to the outputs,
# if the number of events stored in the queue is < min_flush_events. # if the number of events stored in the queue is < `flush.min_events`.
#flush.timeout: 1s #flush.timeout: 1s
# The spool queue will store events in a local spool file, before # The spool queue will store events in a local spool file, before
@ -1102,7 +1102,7 @@ logging.files:
#logging.json: false #logging.json: false
#============================== Xpack Monitoring =============================== #============================== X-Pack Monitoring ===============================
# Icingabeat can export internal metrics to a central Elasticsearch monitoring # Icingabeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default. # reporting is disabled by default.
@ -1110,6 +1110,11 @@ logging.files:
# Set to true to enable the monitoring reporter. # Set to true to enable the monitoring reporter.
#monitoring.enabled: false #monitoring.enabled: false
# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Icingabeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:
# Uncomment to send the metrics to Elasticsearch. Most settings from the # Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. # Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster. # Note that the settings should point to your Elasticsearch *monitoring* cluster.

7
icingabeat.yml
View File

@ -178,7 +178,7 @@ processors:
# "publish", "service". # "publish", "service".
#logging.selectors: ["*"] #logging.selectors: ["*"]
#============================== Xpack Monitoring =============================== #============================== X-Pack Monitoring ===============================
# icingabeat can export internal metrics to a central Elasticsearch monitoring # icingabeat can export internal metrics to a central Elasticsearch monitoring
# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The # cluster. This requires xpack monitoring to be enabled in Elasticsearch. The
# reporting is disabled by default. # reporting is disabled by default.
@ -186,6 +186,11 @@ processors:
# Set to true to enable the monitoring reporter. # Set to true to enable the monitoring reporter.
#monitoring.enabled: false #monitoring.enabled: false
# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Icingabeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:
# Uncomment to send the metrics to Elasticsearch. Most settings from the # Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well. # Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster. # Note that the settings should point to your Elasticsearch *monitoring* cluster.

2
include/fields.go
View File

File diff suppressed because one or more lines are too long