//// This file is generated! See _meta/fields.yml and scripts/generate_field_docs.py //// [[exported-fields]] = Exported fields [partintro] -- This document describes the fields that are exported by Filebeat. They are grouped in the following categories: * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> -- [[exported-fields-apache2]] == Apache2 fields Apache2 Module [float] == apache2 fields Apache2 fields. [float] == access fields Contains fields for the Apache2 HTTPD access logs. [float] === `apache2.access.remote_ip` type: keyword Client IP address. [float] === `apache2.access.user_name` type: keyword The user name used when basic authentication is used. [float] === `apache2.access.method` type: keyword example: GET The request HTTP method. [float] === `apache2.access.url` type: keyword The request HTTP URL. [float] === `apache2.access.http_version` type: keyword The HTTP version. [float] === `apache2.access.response_code` type: long The HTTP response code. [float] === `apache2.access.body_sent.bytes` type: long format: bytes The number of bytes of the server response body. [float] === `apache2.access.referrer` type: keyword The HTTP referrer. [float] === `apache2.access.agent` type: text Contains the un-parsed user agent string. Only present if the user agent Elasticsearch plugin is not available or not used. [float] == user_agent fields Contains the parsed User agent field. Only present if the user agent Elasticsearch plugin is available and used. [float] === `apache2.access.user_agent.device` type: keyword The name of the physical device. [float] === `apache2.access.user_agent.major` type: long The major version of the user agent. [float] === `apache2.access.user_agent.minor` type: long The minor version of the user agent. [float] === `apache2.access.user_agent.patch` type: keyword The patch version of the user agent. [float] === `apache2.access.user_agent.name` type: keyword example: Chrome The name of the user agent. [float] === `apache2.access.user_agent.os` type: keyword The name of the operating system. [float] === `apache2.access.user_agent.os_major` type: long The major version of the operating system. [float] === `apache2.access.user_agent.os_minor` type: long The minor version of the operating system. [float] === `apache2.access.user_agent.os_name` type: keyword The name of the operating system. [float] == geoip fields Contains GeoIP information gathered based on the remote_ip field. Only present if the GeoIP Elasticsearch plugin is available and used. [float] === `apache2.access.geoip.continent_name` type: keyword The name of the continent. [float] === `apache2.access.geoip.country_iso_code` type: keyword Country ISO code. [float] === `apache2.access.geoip.location` type: geo_point The longitude and latitude. [float] === `apache2.access.geoip.region_name` type: keyword The region name. [float] === `apache2.access.geoip.city_name` type: keyword The city name. [float] == error fields Fields from the Apache error logs. [float] === `apache2.error.level` type: keyword The severity level of the message. [float] === `apache2.error.client` type: keyword The IP address of the client that generated the error. [float] === `apache2.error.message` type: text The logged message. [float] === `apache2.error.pid` type: long The process ID. [float] === `apache2.error.tid` type: long The thread ID. [float] === `apache2.error.module` type: keyword The module producing the logged message. [[exported-fields-auditd]] == Auditd fields Module for parsing auditd logs. [float] == auditd fields Fields from the auditd logs. [float] == log fields Fields from the Linux audit log. Not all fields are documented here because they are dynamic and vary by audit event type. [float] === `auditd.log.record_type` The audit event type. [float] === `auditd.log.old_auid` For login events this is the old audit ID used for the user prior to this login. [float] === `auditd.log.new_auid` For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root). [float] === `auditd.log.old_ses` For login events this is the old session ID used for the user prior to this login. [float] === `auditd.log.new_ses` For login events this is the new session ID. It can be used to tie a user to future events by session ID. [float] === `auditd.log.sequence` type: long The audit event sequence number. [float] === `auditd.log.acct` The user account name associated with the event. [float] === `auditd.log.pid` The ID of the process. [float] === `auditd.log.ppid` The ID of the process. [float] === `auditd.log.items` The number of items in an event. [float] === `auditd.log.item` The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item. [float] === `auditd.log.a0` The first argument to the system call. [float] === `auditd.log.res` The result of the system call (success or failure). [float] == geoip fields Contains GeoIP information gathered based on the `auditd.log.addr` field. Only present if the GeoIP Elasticsearch plugin is available and used. [float] === `auditd.log.geoip.continent_name` type: keyword The name of the continent. [float] === `auditd.log.geoip.city_name` type: keyword The name of the city. [float] === `auditd.log.geoip.region_name` type: keyword The name of the region. [float] === `auditd.log.geoip.country_iso_code` type: keyword Country ISO code. [float] === `auditd.log.geoip.location` type: geo_point The longitude and latitude. [[exported-fields-beat]] == Beat fields Contains common beat fields available in all event types. [float] === `beat.name` The name of the Beat sending the log messages. If the Beat name is set in the configuration file, then that value is used. If it is not set, the hostname is used. To set the Beat name, use the `name` option in the configuration file. [float] === `beat.hostname` The hostname as returned by the operating system on which the Beat is running. [float] === `beat.timezone` The timezone as returned by the operating system on which the Beat is running. [float] === `beat.version` The version of the beat that generated this event. [float] === `@timestamp` type: date example: August 26th 2016, 12:35:53.332 format: date required: True The timestamp when the event log record was generated. [float] === `tags` Arbitrary tags that can be set per Beat and per transaction type. [float] === `fields` type: object Contains user configurable fields. [float] == error fields Error fields containing additional info in case of errors. [float] === `error.message` type: text Error message. [float] === `error.code` type: long Error code. [float] === `error.type` type: keyword Error type. [[exported-fields-cloud]] == Cloud provider metadata fields Metadata from cloud providers added by the add_cloud_metadata processor. [float] === `meta.cloud.provider` example: ec2 Name of the cloud provider. Possible values are ec2, gce, or digitalocean. [float] === `meta.cloud.instance_id` Instance ID of the host machine. [float] === `meta.cloud.instance_name` Instance name of the host machine. [float] === `meta.cloud.machine_type` example: t2.medium Machine type of the host machine. [float] === `meta.cloud.availability_zone` example: us-east-1c Availability zone in which this host is running. [float] === `meta.cloud.project_id` example: project-x Name of the project in Google Cloud. [float] === `meta.cloud.region` Region in which this host is running. [[exported-fields-docker-processor]] == Docker fields beta[] Docker stats collected from Docker. [float] === `docker.container.id` type: keyword Unique container id. [float] === `docker.container.image` type: keyword Name of the image the container was built on. [float] === `docker.container.name` type: keyword Container name. [float] === `docker.container.labels` type: object Image labels. [[exported-fields-icinga]] == Icinga fields Icinga Module [float] == icinga fields [float] == debug fields Contains fields for the Icinga debug logs. [float] === `icinga.debug.facility` type: keyword Specifies what component of Icinga logged the message. [float] === `icinga.debug.severity` type: keyword Possible values are "debug", "notice", "information", "warning" or "critical". [float] === `icinga.debug.message` type: text The logged message. [float] == main fields Contains fields for the Icinga main logs. [float] === `icinga.main.facility` type: keyword Specifies what component of Icinga logged the message. [float] === `icinga.main.severity` type: keyword Possible values are "debug", "notice", "information", "warning" or "critical". [float] === `icinga.main.message` type: text The logged message. [float] == startup fields Contains fields for the Icinga startup logs. [float] === `icinga.startup.facility` type: keyword Specifies what component of Icinga logged the message. [float] === `icinga.startup.severity` type: keyword Possible values are "debug", "notice", "information", "warning" or "critical". [float] === `icinga.startup.message` type: text The logged message. [[exported-fields-kafka]] == Kafka fields Kafka module [float] == kafka fields [float] == log fields Kafka log lines. [float] === `kafka.log.timestamp` The timestamp from the log line. [float] === `kafka.log.level` example: WARN The log level. [float] === `kafka.log.message` type: text The logged message. [float] === `kafka.log.component` type: keyword Component the log is coming from. [float] === `kafka.log.class` type: text Java class the log is coming from. [float] == trace fields Trace in the log line. [float] === `kafka.log.trace.class` type: keyword Java class the trace is coming from. [float] === `kafka.log.trace.message` type: text Message part of the trace. [float] === `kafka.log.trace.full` type: text The full trace in the log line. [[exported-fields-kubernetes-processor]] == Kubernetes fields beta[] Kubernetes metadata added by the kubernetes processor [float] === `kubernetes.pod.name` type: keyword Kubernetes pod name [float] === `kubernetes.namespace` type: keyword Kubernetes namespace [float] === `kubernetes.labels` type: object Kubernetes labels map [float] === `kubernetes.annotations` type: object Kubernetes annotations map [float] === `kubernetes.container.name` type: keyword Kubernetes container name [float] === `kubernetes.container.image` type: keyword Kubernetes container image [[exported-fields-log]] == Log file content fields Contains log file lines. [float] === `source` type: keyword required: True The file from which the line was read. This field contains the absolute path to the file. For example: `/var/log/system.log`. [float] === `offset` type: long required: False The file offset the reported line starts at. [float] === `message` type: text required: True The content of the line read from the log file. [float] === `stream` type: keyword required: False Log stream when reading container logs, can be 'stdout' or 'stderr' [float] === `prospector.type` required: True The prospector type from which the event was generated. This field is set to the value specified for the `type` option in the prospector section of the Filebeat config file. [float] === `read_timestamp` In case the ingest pipeline parses the timestamp from the log contents, it stores the original `@timestamp` (representing the time when the log line was read) in this field. [float] === `fileset.module` The Filebeat module that generated this event. [float] === `fileset.name` The Filebeat fileset that generated this event. [[exported-fields-logstash]] == logstash fields logstash Module [float] == logstash fields [float] == log fields Fields from the Logstash logs. [float] === `logstash.log.message` type: text Contains the un-parsed log message [float] === `logstash.log.level` type: keyword The log level of the message, this correspond to Log4j levels. [float] === `logstash.log.module` type: keyword The module or class where the event originate. [float] === `logstash.log.thread` type: text Information about the running thread where the log originate. [float] === `logstash.log.log_event` type: object key and value debugging information. [float] == slowlog fields slowlog [float] === `logstash.slowlog.message` type: text Contains the un-parsed log message [float] === `logstash.slowlog.level` type: keyword The log level of the message, this correspond to Log4j levels. [float] === `logstash.slowlog.module` type: keyword The module or class where the event originate. [float] === `logstash.slowlog.thread` type: text Information about the running thread where the log originate. [float] === `logstash.slowlog.event` type: text Raw dump of the original event [float] === `logstash.slowlog.plugin_name` type: keyword Name of the plugin [float] === `logstash.slowlog.plugin_type` type: keyword Type of the plugin: Inputs, Filters, Outputs or Codecs. [float] === `logstash.slowlog.took_in_millis` type: long Execution time for the plugin in milliseconds. [float] === `logstash.slowlog.took_in_nanos` type: long Execution time for the plugin in nanoseconds. [float] === `logstash.slowlog.plugin_params` type: text String value of the plugin configuration [float] === `logstash.slowlog.plugin_params_object` type: object key -> value of the configuration used by the plugin. [[exported-fields-mysql]] == MySQL fields Module for parsing the MySQL log files. [float] == mysql fields Fields from the MySQL log files. [float] == error fields Contains fields from the MySQL error logs. [float] === `mysql.error.timestamp` The timestamp from the log line. [float] === `mysql.error.thread_id` type: long As of MySQL 5.7.2, this is the thread id. For MySQL versions prior to 5.7.2, this field contains the process id. [float] === `mysql.error.level` example: Warning The log level. [float] === `mysql.error.message` type: text The logged message. [float] == slowlog fields Contains fields from the MySQL slow logs. [float] === `mysql.slowlog.user` The MySQL user that created the query. [float] === `mysql.slowlog.host` The host from where the user that created the query logged in. [float] === `mysql.slowlog.ip` The IP address from where the user that created the query logged in. [float] === `mysql.slowlog.query_time.sec` type: float The total time the query took, in seconds, as a floating point number. [float] === `mysql.slowlog.lock_time.sec` type: float The amount of time the query waited for the lock to be available. The value is in seconds, as a floating point number. [float] === `mysql.slowlog.rows_sent` type: long The number of rows returned by the query. [float] === `mysql.slowlog.rows_examined` type: long The number of rows scanned by the query. [float] === `mysql.slowlog.timestamp` type: long The unix timestamp taken from the `SET timestamp` query. [float] === `mysql.slowlog.query` The slow query. [float] === `mysql.slowlog.id` type: long The connection ID for the query. [[exported-fields-nginx]] == Nginx fields Module for parsing the Nginx log files. [float] == nginx fields Fields from the Nginx log files. [float] == access fields Contains fields for the Nginx access logs. [float] === `nginx.access.remote_ip_list` type: array An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. See also the `remote_ip` field. [float] === `nginx.access.remote_ip` type: keyword Client IP address. The first public IP address from the `remote_ip_list` array. If no public IP addresses are present, this field contains the first private IP address from the `remote_ip_list` array. [float] === `nginx.access.user_name` type: keyword The user name used when basic authentication is used. [float] === `nginx.access.method` type: keyword example: GET The request HTTP method. [float] === `nginx.access.url` type: keyword The request HTTP URL. [float] === `nginx.access.http_version` type: keyword The HTTP version. [float] === `nginx.access.response_code` type: long The HTTP response code. [float] === `nginx.access.body_sent.bytes` type: long format: bytes The number of bytes of the server response body. [float] === `nginx.access.referrer` type: keyword The HTTP referrer. [float] === `nginx.access.agent` type: text Contains the un-parsed user agent string. Only present if the user agent Elasticsearch plugin is not available or not used. [float] == user_agent fields Contains the parsed User agent field. Only present if the user agent Elasticsearch plugin is available and used. [float] === `nginx.access.user_agent.device` type: keyword The name of the physical device. [float] === `nginx.access.user_agent.major` type: long The major version of the user agent. [float] === `nginx.access.user_agent.minor` type: long The minor version of the user agent. [float] === `nginx.access.user_agent.patch` type: keyword The patch version of the user agent. [float] === `nginx.access.user_agent.name` type: keyword example: Chrome The name of the user agent. [float] === `nginx.access.user_agent.os` type: keyword The name of the operating system. [float] === `nginx.access.user_agent.os_major` type: long The major version of the operating system. [float] === `nginx.access.user_agent.os_minor` type: long The minor version of the operating system. [float] === `nginx.access.user_agent.os_name` type: keyword The name of the operating system. [float] == geoip fields Contains GeoIP information gathered based on the remote_ip field. Only present if the GeoIP Elasticsearch plugin is available and used. [float] === `nginx.access.geoip.continent_name` type: keyword The name of the continent. [float] === `nginx.access.geoip.country_iso_code` type: keyword Country ISO code. [float] === `nginx.access.geoip.location` type: geo_point The longitude and latitude. [float] === `nginx.access.geoip.region_name` type: keyword The region name. [float] === `nginx.access.geoip.city_name` type: keyword The city name. [float] == error fields Contains fields for the Nginx error logs. [float] === `nginx.error.level` type: keyword Error level (e.g. error, critical). [float] === `nginx.error.pid` type: long Process identifier (PID). [float] === `nginx.error.tid` type: long Thread identifier. [float] === `nginx.error.connection_id` type: long Connection identifier. [float] === `nginx.error.message` type: text The error message [[exported-fields-postgresql]] == PostgreSQL fields Module for parsing the PostgreSQL log files. [float] == postgresql fields Fields from PostgreSQL logs. [float] == log fields Fields from the PostgreSQL log files. [float] === `postgresql.log.timestamp` The timestamp from the log line. [float] === `postgresql.log.timezone` The timezone of timestamp. [float] === `postgresql.log.thread_id` type: long Process id [float] === `postgresql.log.user` example: admin Name of user [float] === `postgresql.log.database` example: mydb Name of database [float] === `postgresql.log.level` example: FATAL The log level. [float] === `postgresql.log.duration` type: float example: 30.0 Duration of a query. [float] === `postgresql.log.query` example: SELECT * FROM users; Query statement. [float] === `postgresql.log.message` type: text The logged message. [[exported-fields-redis]] == Redis fields Redis Module [float] == redis fields [float] == log fields Redis log files [float] === `redis.log.pid` type: long The process ID of the Redis server. [float] === `redis.log.role` type: keyword The role of the Redis instance. Can be one of `master`, `slave`, `child` (for RDF/AOF writing child), or `sentinel`. [float] === `redis.log.level` type: keyword The log level. Can be one of `debug`, `verbose`, `notice`, or `warning`. [float] === `redis.log.message` type: text The log message [float] == slowlog fields Slow logs are retrieved from Redis via a network connection. [float] === `redis.slowlog.cmd` type: keyword The command executed. [float] === `redis.slowlog.duration.us` type: long How long it took to execute the command in microseconds. [float] === `redis.slowlog.id` type: long The ID of the query. [float] === `redis.slowlog.key` type: keyword The key on which the command was executed. [float] === `redis.slowlog.args` type: keyword The arguments with which the command was called. [[exported-fields-system]] == System fields Module for parsing system log files. [float] == system fields Fields from the system log files. [float] == auth fields Fields from the Linux authorization logs. [float] === `system.auth.timestamp` The timestamp as read from the auth message. [float] === `system.auth.hostname` The hostname as read from the auth message. [float] === `system.auth.program` The process name as read from the auth message. [float] === `system.auth.pid` type: long The PID of the process that sent the auth message. [float] === `system.auth.message` The message in the log line. [float] === `system.auth.user` The Unix user that this event refers to. [float] == ssh fields Fields specific to SSH login events. [float] === `system.auth.ssh.event` The SSH login event. Can be one of "Accepted", "Failed", or "Invalid". "Accepted" means a successful login. "Invalid" means that the user is not configured on the system. "Failed" means that the SSH login attempt has failed. [float] === `system.auth.ssh.method` The SSH authentication method. Can be one of "password" or "publickey". [float] === `system.auth.ssh.ip` type: ip The client IP from where the login attempt was made. [float] === `system.auth.ssh.dropped_ip` type: ip The client IP from SSH connections that are open and immediately dropped. [float] === `system.auth.ssh.port` type: long The client port from where the login attempt was made. [float] === `system.auth.ssh.signature` The signature of the client public key. [float] == geoip fields Contains GeoIP information gathered based on the `system.auth.ip` field. Only present if the GeoIP Elasticsearch plugin is available and used. [float] === `system.auth.ssh.geoip.continent_name` type: keyword The name of the continent. [float] === `system.auth.ssh.geoip.city_name` type: keyword The name of the city. [float] === `system.auth.ssh.geoip.region_name` type: keyword The name of the region. [float] === `system.auth.ssh.geoip.country_iso_code` type: keyword Country ISO code. [float] === `system.auth.ssh.geoip.location` type: geo_point The longitude and latitude. [float] == sudo fields Fields specific to events created by the `sudo` command. [float] === `system.auth.sudo.error` example: user NOT in sudoers The error message in case the sudo command failed. [float] === `system.auth.sudo.tty` The TTY where the sudo command is executed. [float] === `system.auth.sudo.pwd` The current directory where the sudo command is executed. [float] === `system.auth.sudo.user` example: root The target user to which the sudo command is switching. [float] === `system.auth.sudo.command` The command executed via sudo. [float] == useradd fields Fields specific to events created by the `useradd` command. [float] === `system.auth.useradd.name` The user name being added. [float] === `system.auth.useradd.uid` type: long The user ID. [float] === `system.auth.useradd.gid` type: long The group ID. [float] === `system.auth.useradd.home` The home folder for the new user. [float] === `system.auth.useradd.shell` The default shell for the new user. [float] == groupadd fields Fields specific to events created by the `groupadd` command. [float] === `system.auth.groupadd.name` The name of the new group. [float] === `system.auth.groupadd.gid` type: long The ID of the new group. [float] == syslog fields Contains fields from the syslog system logs. [float] === `system.syslog.timestamp` The timestamp as read from the syslog message. [float] === `system.syslog.hostname` The hostname as read from the syslog message. [float] === `system.syslog.program` The process name as read from the syslog message. [float] === `system.syslog.pid` The PID of the process that sent the syslog message. [float] === `system.syslog.message` The message in the log line. [[exported-fields-traefik]] == Traefik fields Module for parsing the Traefik log files. [float] == traefik fields Fields from the Traefik log files. [float] == access fields Contains fields for the Traefik access logs. [float] === `traefik.access.remote_ip` type: keyword Client IP address. [float] === `traefik.access.user_name` type: keyword The user name used when basic authentication is used. [float] === `traefik.access.method` type: keyword example: GET The request HTTP method. [float] === `traefik.access.url` type: keyword The request HTTP URL. [float] === `traefik.access.http_version` type: keyword The HTTP version. [float] === `traefik.access.response_code` type: long The HTTP response code. [float] === `traefik.access.body_sent.bytes` type: long format: bytes The number of bytes of the server response body. [float] === `traefik.access.referrer` type: keyword The HTTP referrer. [float] === `traefik.access.agent` type: text Contains the un-parsed user agent string. Only present if the user agent Elasticsearch plugin is not available or not used. [float] == user_agent fields Contains the parsed User agent field. Only present if the user agent Elasticsearch plugin is available and used. [float] === `traefik.access.user_agent.device` type: keyword The name of the physical device. [float] === `traefik.access.user_agent.major` type: long The major version of the user agent. [float] === `traefik.access.user_agent.minor` type: long The minor version of the user agent. [float] === `traefik.access.user_agent.patch` type: keyword The patch version of the user agent. [float] === `traefik.access.user_agent.name` type: keyword example: Chrome The name of the user agent. [float] === `traefik.access.user_agent.os` type: keyword The name of the operating system. [float] === `traefik.access.user_agent.os_major` type: long The major version of the operating system. [float] === `traefik.access.user_agent.os_minor` type: long The minor version of the operating system. [float] === `traefik.access.user_agent.os_name` type: keyword The name of the operating system. [float] == geoip fields Contains GeoIP information gathered based on the remote_ip field. Only present if the GeoIP Elasticsearch plugin is available and used. [float] === `traefik.access.geoip.continent_name` type: keyword The name of the continent. [float] === `traefik.access.geoip.country_iso_code` type: keyword Country ISO code. [float] === `traefik.access.geoip.location` type: geo_point The longitude and latitude. [float] === `traefik.access.geoip.region_name` type: keyword The region name. [float] === `traefik.access.geoip.city_name` type: keyword The city name. [float] === `traefik.access.request_count` type: long The number of requests [float] === `traefik.access.frontend_name` type: text The name of the frontend used [float] === `traefik.access.backend_url` type: text The url of the backend where request is forwarded