
////
This file is generated! See _meta/fields.yml and scripts/generate_fields_docs.py
////
[[exported-fields]]
= Exported fields
[partintro]
--
This document describes the fields that are exported by Filebeat. They are
grouped in the following categories:
* <<exported-fields-apache>>
* <<exported-fields-auditd>>
* <<exported-fields-aws>>
* <<exported-fields-beat-common>>
* <<exported-fields-cef>>
* <<exported-fields-cef-module>>
* <<exported-fields-cisco>>
* <<exported-fields-cloud>>
* <<exported-fields-coredns>>
* <<exported-fields-docker-processor>>
* <<exported-fields-ecs>>
* <<exported-fields-elasticsearch>>
* <<exported-fields-envoyproxy>>
* <<exported-fields-googlecloud>>
* <<exported-fields-haproxy>>
* <<exported-fields-host-processor>>
* <<exported-fields-ibmmq>>
* <<exported-fields-icinga>>
* <<exported-fields-iis>>
* <<exported-fields-iptables>>
* <<exported-fields-jolokia-autodiscover>>
* <<exported-fields-kafka>>
* <<exported-fields-kibana>>
* <<exported-fields-kubernetes-processor>>
* <<exported-fields-log>>
* <<exported-fields-logstash>>
* <<exported-fields-mongodb>>
* <<exported-fields-mssql>>
* <<exported-fields-mysql>>
* <<exported-fields-nats>>
* <<exported-fields-netflow>>
* <<exported-fields-netflow-module>>
* <<exported-fields-nginx>>
* <<exported-fields-osquery>>
* <<exported-fields-panw>>
* <<exported-fields-postgresql>>
* <<exported-fields-process>>
* <<exported-fields-rabbitmq>>
* <<exported-fields-redis>>
* <<exported-fields-s3>>
* <<exported-fields-santa>>
* <<exported-fields-suricata>>
* <<exported-fields-system>>
* <<exported-fields-traefik>>
* <<exported-fields-zeek>>
--
[[exported-fields-apache]]
== Apache fields
Apache Module
[float]
=== apache2
Aliases for backward compatibility with old apache2 fields
*`apache2.access.remote_ip`*::
+
--
type: alias
alias to: source.address
--
*`apache2.access.ssl.protocol`*::
+
--
type: alias
alias to: apache.access.ssl.protocol
--
*`apache2.access.ssl.cipher`*::
+
--
type: alias
alias to: apache.access.ssl.cipher
--
*`apache2.access.body_sent.bytes`*::
+
--
type: alias
alias to: http.response.body.bytes
--
*`apache2.access.user_name`*::
+
--
type: alias
alias to: user.name
--
*`apache2.access.method`*::
+
--
type: alias
alias to: http.request.method
--
*`apache2.access.url`*::
+
--
type: alias
alias to: url.original
--
*`apache2.access.http_version`*::
+
--
type: alias
alias to: http.version
--
*`apache2.access.response_code`*::
+
--
type: alias
alias to: http.response.status_code
--
*`apache2.access.referrer`*::
+
--
type: alias
alias to: http.request.referrer
--
*`apache2.access.agent`*::
+
--
type: alias
alias to: user_agent.original
--
*`apache2.access.user_agent.device`*::
+
--
type: alias
alias to: user_agent.device.name
--
*`apache2.access.user_agent.name`*::
+
--
type: alias
alias to: user_agent.name
--
*`apache2.access.user_agent.os`*::
+
--
type: alias
alias to: user_agent.os.full_name
--
*`apache2.access.user_agent.os_name`*::
+
--
type: alias
alias to: user_agent.os.name
--
*`apache2.access.user_agent.original`*::
+
--
type: alias
alias to: user_agent.original
--
*`apache2.access.geoip.continent_name`*::
+
--
type: alias
alias to: source.geo.continent_name
--
*`apache2.access.geoip.country_iso_code`*::
+
--
type: alias
alias to: source.geo.country_iso_code
--
*`apache2.access.geoip.location`*::
+
--
type: alias
alias to: source.geo.location
--
*`apache2.access.geoip.region_name`*::
+
--
type: alias
alias to: source.geo.region_name
--
*`apache2.access.geoip.city_name`*::
+
--
type: alias
alias to: source.geo.city_name
--
*`apache2.access.geoip.region_iso_code`*::
+
--
type: alias
alias to: source.geo.region_iso_code
--
*`apache2.error.level`*::
+
--
type: alias
alias to: log.level
--
*`apache2.error.message`*::
+
--
type: alias
alias to: message
--
*`apache2.error.pid`*::
+
--
type: alias
alias to: process.pid
--
*`apache2.error.tid`*::
+
--
type: alias
alias to: process.thread.id
--
*`apache2.error.module`*::
+
--
type: alias
alias to: apache.error.module
--
[float]
=== apache
Apache fields.
[float]
=== access
Contains fields for the Apache HTTP Server access logs.
*`apache.access.ssl.protocol`*::
+
--
SSL protocol version.
type: keyword
--
*`apache.access.ssl.cipher`*::
+
--
SSL cipher name.
type: keyword
--
[float]
=== error
Fields from the Apache error logs.
*`apache.error.module`*::
+
--
The module producing the logged message.
type: keyword
--
[[exported-fields-auditd]]
== Auditd fields
Module for parsing auditd logs.
*`user.terminal`*::
+
--
Terminal or tty device on which the user is performing the observed activity.
type: keyword
--
*`user.audit.id`*::
+
--
One or multiple unique identifiers of the user.
type: keyword
--
*`user.audit.name`*::
+
--
Short name or login of the user.
type: keyword
example: albert
--
*`user.audit.group.id`*::
+
--
Unique identifier for the group on the system/platform.
type: keyword
--
*`user.audit.group.name`*::
+
--
Name of the group.
type: keyword
--
*`user.effective.id`*::
+
--
One or multiple unique identifiers of the user.
type: keyword
--
*`user.effective.name`*::
+
--
Short name or login of the user.
type: keyword
example: albert
--
*`user.effective.group.id`*::
+
--
Unique identifier for the group on the system/platform.
type: keyword
--
*`user.effective.group.name`*::
+
--
Name of the group.
type: keyword
--
*`user.filesystem.id`*::
+
--
One or multiple unique identifiers of the user.
type: keyword
--
*`user.filesystem.name`*::
+
--
Short name or login of the user.
type: keyword
example: albert
--
*`user.filesystem.group.id`*::
+
--
Unique identifier for the group on the system/platform.
type: keyword
--
*`user.filesystem.group.name`*::
+
--
Name of the group.
type: keyword
--
*`user.owner.id`*::
+
--
One or multiple unique identifiers of the user.
type: keyword
--
*`user.owner.name`*::
+
--
Short name or login of the user.
type: keyword
example: albert
--
*`user.owner.group.id`*::
+
--
Unique identifier for the group on the system/platform.
type: keyword
--
*`user.owner.group.name`*::
+
--
Name of the group.
type: keyword
--
*`user.saved.id`*::
+
--
One or multiple unique identifiers of the user.
type: keyword
--
*`user.saved.name`*::
+
--
Short name or login of the user.
type: keyword
example: albert
--
*`user.saved.group.id`*::
+
--
Unique identifier for the group on the system/platform.
type: keyword
--
*`user.saved.group.name`*::
+
--
Name of the group.
type: keyword
--
[float]
=== auditd
Fields from the auditd logs.
[float]
=== log
Fields from the Linux audit log. Not all fields are documented here because they are dynamic and vary by audit event type.
*`auditd.log.old_auid`*::
+
--
For login events this is the old audit ID used for the user prior to this login.
--
*`auditd.log.new_auid`*::
+
--
For login events this is the new audit ID. The audit ID can be used to trace future events to the user even if their identity changes (like becoming root).
--
*`auditd.log.old_ses`*::
+
--
For login events this is the old session ID used for the user prior to this login.
--
*`auditd.log.new_ses`*::
+
--
For login events this is the new session ID. It can be used to tie a user to future events by session ID.
--
*`auditd.log.sequence`*::
+
--
The audit event sequence number.
type: long
--
*`auditd.log.items`*::
+
--
The number of items in an event.
--
*`auditd.log.item`*::
+
--
The item field indicates which item out of the total number of items. This number is zero-based; a value of 0 means it is the first item.
--
*`auditd.log.tty`*::
+
--
type: keyword
--
*`auditd.log.a0`*::
+
--
The first argument to the system call.
--
*`auditd.log.addr`*::
+
--
type: ip
--
*`auditd.log.rport`*::
+
--
type: long
--
*`auditd.log.laddr`*::
+
--
type: ip
--
*`auditd.log.lport`*::
+
--
type: long
--
*`auditd.log.acct`*::
+
--
type: alias
alias to: user.name
--
*`auditd.log.pid`*::
+
--
type: alias
alias to: process.pid
--
*`auditd.log.ppid`*::
+
--
type: alias
alias to: process.ppid
--
*`auditd.log.res`*::
+
--
type: alias
alias to: event.outcome
--
*`auditd.log.record_type`*::
+
--
type: alias
alias to: event.action
--
*`auditd.log.geoip.continent_name`*::
+
--
type: alias
alias to: source.geo.continent_name
--
*`auditd.log.geoip.country_iso_code`*::
+
--
type: alias
alias to: source.geo.country_iso_code
--
*`auditd.log.geoip.location`*::
+
--
type: alias
alias to: source.geo.location
--
*`auditd.log.geoip.region_name`*::
+
--
type: alias
alias to: source.geo.region_name
--
*`auditd.log.geoip.city_name`*::
+
--
type: alias
alias to: source.geo.city_name
--
*`auditd.log.geoip.region_iso_code`*::
+
--
type: alias
alias to: source.geo.region_iso_code
--
*`auditd.log.arch`*::
+
--
type: alias
alias to: host.architecture
--
*`auditd.log.gid`*::
+
--
type: alias
alias to: user.group.id
--
*`auditd.log.uid`*::
+
--
type: alias
alias to: user.id
--
*`auditd.log.agid`*::
+
--
type: alias
alias to: user.audit.group.id
--
*`auditd.log.auid`*::
+
--
type: alias
alias to: user.audit.id
--
*`auditd.log.fsgid`*::
+
--
type: alias
alias to: user.filesystem.group.id
--
*`auditd.log.fsuid`*::
+
--
type: alias
alias to: user.filesystem.id
--
*`auditd.log.egid`*::
+
--
type: alias
alias to: user.effective.group.id
--
*`auditd.log.euid`*::
+
--
type: alias
alias to: user.effective.id
--
*`auditd.log.sgid`*::
+
--
type: alias
alias to: user.saved.group.id
--
*`auditd.log.suid`*::
+
--
type: alias
alias to: user.saved.id
--
*`auditd.log.ogid`*::
+
--
type: alias
alias to: user.owner.group.id
--
*`auditd.log.ouid`*::
+
--
type: alias
alias to: user.owner.id
--
*`auditd.log.comm`*::
+
--
type: alias
alias to: process.name
--
*`auditd.log.exe`*::
+
--
type: alias
alias to: process.executable
--
*`auditd.log.terminal`*::
+
--
type: alias
alias to: user.terminal
--
*`auditd.log.msg`*::
+
--
type: alias
alias to: message
--
*`auditd.log.src`*::
+
--
type: alias
alias to: source.address
--
*`auditd.log.dst`*::
+
--
type: alias
alias to: destination.address
--
[[exported-fields-aws]]
== AWS fields
Module for handling logs from AWS.
[float]
=== aws
Fields from AWS logs.
[float]
=== s3access
Fields for AWS S3 server access logs.
*`aws.s3access.bucket_owner`*::
+
--
The canonical user ID of the owner of the source bucket.
type: keyword
--
*`aws.s3access.bucket`*::
+
--
The name of the bucket that the request was processed against.
type: keyword
--
*`aws.s3access.remote_ip`*::
+
--
The apparent internet address of the requester.
type: ip
--
*`aws.s3access.requester`*::
+
--
The canonical user ID of the requester, or a - for unauthenticated requests.
type: keyword
--
*`aws.s3access.request_id`*::
+
--
A string generated by Amazon S3 to uniquely identify each request.
type: keyword
--
*`aws.s3access.operation`*::
+
--
The operation listed here is declared as SOAP.operation, REST.HTTP_method.resource_type, WEBSITE.HTTP_method.resource_type, or BATCH.DELETE.OBJECT.
type: keyword
--
*`aws.s3access.key`*::
+
--
The "key" part of the request, URL encoded, or "-" if the operation does not take a key parameter.
type: keyword
--
*`aws.s3access.request_uri`*::
+
--
The Request-URI part of the HTTP request message.
type: keyword
--
*`aws.s3access.http_status`*::
+
--
The numeric HTTP status code of the response.
type: long
--
*`aws.s3access.error_code`*::
+
--
The Amazon S3 Error Code, or "-" if no error occurred.
type: keyword
--
*`aws.s3access.bytes_sent`*::
+
--
The number of response bytes sent, excluding HTTP protocol overhead, or "-" if zero.
type: long
--
*`aws.s3access.object_size`*::
+
--
The total size of the object in question.
type: long
--
*`aws.s3access.total_time`*::
+
--
The number of milliseconds the request was in flight from the server's perspective.
type: long
--
*`aws.s3access.turn_around_time`*::
+
--
The number of milliseconds that Amazon S3 spent processing your request.
type: long
--
*`aws.s3access.referrer`*::
+
--
The value of the HTTP Referrer header, if present.
type: keyword
--
*`aws.s3access.user_agent`*::
+
--
The value of the HTTP User-Agent header.
type: keyword
--
*`aws.s3access.version_id`*::
+
--
The version ID in the request, or "-" if the operation does not take a versionId parameter.
type: keyword
--
*`aws.s3access.host_id`*::
+
--
The x-amz-id-2 or Amazon S3 extended request ID.
type: keyword
--
*`aws.s3access.signature_version`*::
+
--
The signature version, SigV2 or SigV4, that was used to authenticate the request or a - for unauthenticated requests.
type: keyword
--
*`aws.s3access.cipher_suite`*::
+
--
The Secure Sockets Layer (SSL) cipher that was negotiated for HTTPS request or a - for HTTP.
type: keyword
--
*`aws.s3access.authentication_type`*::
+
--
The type of request authentication used, AuthHeader for authentication headers, QueryString for query string (pre-signed URL) or a - for unauthenticated requests.
type: keyword
--
*`aws.s3access.host_header`*::
+
--
The endpoint used to connect to Amazon S3.
type: keyword
--
*`aws.s3access.tls_version`*::
+
--
The Transport Layer Security (TLS) version negotiated by the client.
type: keyword
--
[[exported-fields-beat-common]]
== Beat fields
Contains common beat fields available in all event types.
*`agent.hostname`*::
+
--
Hostname of the agent.
type: keyword
--
*`beat.timezone`*::
+
--
type: alias
alias to: event.timezone
--
*`fields`*::
+
--
Contains user configurable fields.
type: object
--
[float]
=== error
Error fields containing additional info in case of errors.
*`error.type`*::
+
--
Error type.
type: keyword
--
*`beat.name`*::
+
--
type: alias
alias to: host.name
--
*`beat.hostname`*::
+
--
type: alias
alias to: agent.hostname
--
*`timeseries.instance`*::
+
--
Time series instance id
type: keyword
--
[[exported-fields-cef]]
== Decode CEF processor fields
Common Event Format (CEF) data.
[float]
=== cef
By default the `decode_cef` processor writes all data from the CEF message to this `cef` object. It contains the CEF header fields and the extension data.
*`cef.version`*::
+
--
Version of the CEF specification used by the message.
type: keyword
--
*`cef.device.vendor`*::
+
--
Vendor of the device that produced the message.
type: keyword
--
*`cef.device.product`*::
+
--
Product of the device that produced the message.
type: keyword
--
*`cef.device.version`*::
+
--
Version of the product that produced the message.
type: keyword
--
*`cef.device.event_class_id`*::
+
--
Unique identifier of the event type.
type: keyword
--
*`cef.severity`*::
+
--
Importance of the event. The valid string values are Unknown, Low, Medium, High, and Very-High. The valid integer values are 0-3=Low, 4-6=Medium, 7-8=High, and 9-10=Very-High.
type: keyword
example: Very-High
--
*`cef.name`*::
+
--
Short description of the event.
type: keyword
--
*`cef.extensions`*::
+
--
Collection of key-value pairs carried in the CEF extension field.
type: object
--
*`observer.product`*::
+
--
Product name.
type: keyword
--
*`source.service.name`*::
+
--
Service that is the source of the event.
type: keyword
--
*`destination.service.name`*::
+
--
Service that is the target of the event.
type: keyword
--
[[exported-fields-cef-module]]
== CEF fields
Module for receiving CEF logs over Syslog. The module does not add fields beyond what the decode_cef processor provides.
[[exported-fields-cisco]]
== Cisco fields
Module for handling Cisco network device logs.
[float]
=== cisco
Fields from Cisco logs.
[float]
=== asa
Fields for Cisco ASA Firewall.
*`cisco.asa.message_id`*::
+
--
The Cisco ASA message identifier.
type: keyword
--
*`cisco.asa.suffix`*::
+
--
Optional suffix after %ASA identifier.
type: keyword
example: session
--
*`cisco.asa.source_interface`*::
+
--
Source interface for the flow or event.
type: keyword
--
*`cisco.asa.destination_interface`*::
+
--
Destination interface for the flow or event.
type: keyword
--
*`cisco.asa.rule_name`*::
+
--
Name of the Access Control List rule that matched this event.
type: keyword
--
*`cisco.asa.source_username`*::
+
--
Name of the user that is the source for this event.
type: keyword
--
*`cisco.asa.destination_username`*::
+
--
Name of the user that is the destination for this event.
type: keyword
--
*`cisco.asa.mapped_source_ip`*::
+
--
The translated source IP address.
type: ip
--
*`cisco.asa.mapped_source_port`*::
+
--
The translated source port.
type: long
--
*`cisco.asa.mapped_destination_ip`*::
+
--
The translated destination IP address.
type: ip
--
*`cisco.asa.mapped_destination_port`*::
+
--
The translated destination port.
type: long
--
*`cisco.asa.threat_level`*::
+
--
Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.
type: keyword
--
*`cisco.asa.threat_category`*::
+
--
Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.
type: keyword
--
*`cisco.asa.connection_id`*::
+
--
Unique identifier for a flow.
type: keyword
--
*`cisco.asa.icmp_type`*::
+
--
ICMP type.
type: short
--
*`cisco.asa.icmp_code`*::
+
--
ICMP code.
type: short
--
[float]
=== ftd
Fields for Cisco Firepower Threat Defense Firewall.
*`cisco.ftd.message_id`*::
+
--
The Cisco FTD message identifier.
type: keyword
--
*`cisco.ftd.suffix`*::
+
--
Optional suffix after %FTD identifier.
type: keyword
example: session
--
*`cisco.ftd.source_interface`*::
+
--
Source interface for the flow or event.
type: keyword
--
*`cisco.ftd.destination_interface`*::
+
--
Destination interface for the flow or event.
type: keyword
--
*`cisco.ftd.rule_name`*::
+
--
Name of the Access Control List rule that matched this event.
type: keyword
--
*`cisco.ftd.source_username`*::
+
--
Name of the user that is the source for this event.
type: keyword
--
*`cisco.ftd.destination_username`*::
+
--
Name of the user that is the destination for this event.
type: keyword
--
*`cisco.ftd.mapped_source_ip`*::
+
--
The translated source IP address. Use ECS source.nat.ip.
type: ip
--
*`cisco.ftd.mapped_source_port`*::
+
--
The translated source port. Use ECS source.nat.port.
type: long
--
*`cisco.ftd.mapped_destination_ip`*::
+
--
The translated destination IP address. Use ECS destination.nat.ip.
type: ip
--
*`cisco.ftd.mapped_destination_port`*::
+
--
The translated destination port. Use ECS destination.nat.port.
type: long
--
*`cisco.ftd.threat_level`*::
+
--
Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.
type: keyword
--
*`cisco.ftd.threat_category`*::
+
--
Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.
type: keyword
--
*`cisco.ftd.connection_id`*::
+
--
Unique identifier for a flow.
type: keyword
--
*`cisco.ftd.icmp_type`*::
+
--
ICMP type.
type: short
--
*`cisco.ftd.icmp_code`*::
+
--
ICMP code.
type: short
--
*`cisco.ftd.security`*::
+
--
Raw fields for Security Events.
type: object
--
[float]
=== ios
Fields for Cisco IOS logs.
*`cisco.ios.access_list`*::
+
--
Name of the IP access list.
type: keyword
--
*`cisco.ios.facility`*::
+
--
The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message.
type: keyword
example: SEC
--
[[exported-fields-cloud]]
== Cloud provider metadata fields
Metadata from cloud providers added by the add_cloud_metadata processor.
*`cloud.project.id`*::
+
--
Name of the project in Google Cloud.
example: project-x
--
*`cloud.image.id`*::
+
--
Image ID for the cloud instance.
example: ami-abcd1234
--
*`meta.cloud.provider`*::
+
--
type: alias
alias to: cloud.provider
--
*`meta.cloud.instance_id`*::
+
--
type: alias
alias to: cloud.instance.id
--
*`meta.cloud.instance_name`*::
+
--
type: alias
alias to: cloud.instance.name
--
*`meta.cloud.machine_type`*::
+
--
type: alias
alias to: cloud.machine.type
--
*`meta.cloud.availability_zone`*::
+
--
type: alias
alias to: cloud.availability_zone
--
*`meta.cloud.project_id`*::
+
--
type: alias
alias to: cloud.project.id
--
*`meta.cloud.region`*::
+
--
type: alias
alias to: cloud.region
--
[[exported-fields-coredns]]
== Coredns fields
Module for handling logs produced by coredns
[float]
=== coredns
coredns fields after normalization
*`coredns.id`*::
+
--
id of the DNS transaction
type: keyword
--
*`coredns.query.size`*::
+
--
size of the DNS query
type: integer
format: bytes
--
*`coredns.query.class`*::
+
--
DNS query class
type: keyword
--
*`coredns.query.name`*::
+
--
DNS query name
type: keyword
--
*`coredns.query.type`*::
+
--
DNS query type
type: keyword
--
*`coredns.response.code`*::
+
--
DNS response code
type: keyword
--
*`coredns.response.flags`*::
+
--
DNS response flags
type: keyword
--
*`coredns.response.size`*::
+
--
size of the DNS response
type: integer
format: bytes
--
*`coredns.dnssec_ok`*::
+
--
dnssec flag
type: boolean
--
[[exported-fields-docker-processor]]
== Docker fields
Docker stats collected from Docker.
*`docker.container.id`*::
+
--
type: alias
alias to: container.id
--
*`docker.container.image`*::
+
--
type: alias
alias to: container.image.name
--
*`docker.container.name`*::
+
--
type: alias
alias to: container.name
--
*`docker.container.labels`*::
+
--
Image labels.
type: object
--
[[exported-fields-ecs]]
== ECS fields
ECS Fields.
*`@timestamp`*::
+
--
Date/time when the event originated.
This is the date/time extracted from the event, typically representing when the event was generated by the source.
If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline.
Required field for all events.
type: date
example: 2016-05-23T08:05:34.853Z
required: True
--
*`labels`*::
+
--
Custom key/value pairs.
Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword.
Example: `docker` and `k8s` labels.
type: object
example: {'application': 'foo-bar', 'env': 'production'}
--
*`message`*::
+
--
For log events the message field contains the log message, optimized for viewing in a log viewer.
For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event.
If multiple messages exist, they can be combined into one message.
type: text
example: Hello World
--
*`tags`*::
+
--
List of keywords used to tag each event.
type: keyword
example: ["production", "env2"]
--
[float]
=== agent
The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host.
Examples include Beats. Agents may also run on observers. ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken.
*`agent.ephemeral_id`*::
+
--
Ephemeral identifier of this agent (if one exists).
This id normally changes across restarts, but `agent.id` does not.
type: keyword
example: 8a4f500f
--
*`agent.id`*::
+
--
Unique identifier of this agent (if one exists).
Example: For Beats this would be beat.id.
type: keyword
example: 8a4f500d
--
*`agent.name`*::
+
--
Custom name of the agent.
This is a name that can be given to an agent. This can be helpful if, for example, two Filebeat instances are running on the same host but a human-readable way to tell which Filebeat instance the data is coming from is needed.
If no name is given, the name is often left empty.
type: keyword
example: foo
--
*`agent.type`*::
+
--
Type of the agent.
The agent type always stays the same and should be given by the agent used. In the case of Filebeat, the agent type would always be Filebeat, even if two Filebeat instances are run on the same machine.
type: keyword
example: filebeat
--
*`agent.version`*::
+
--
Version of the agent.
type: keyword
example: 6.0.0-rc2
--
[float]
=== as
An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain that presents a common, clearly defined routing policy to the internet.
*`as.number`*::
+
--
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
type: long
example: 15169
--
*`as.organization.name`*::
+
--
Organization name.
type: keyword
example: Google LLC
--
[float]
=== client
A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records.
For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer to the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events.
Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
*`client.address`*::
+
--
Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
type: keyword
--
*`client.as.number`*::
+
--
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
type: long
example: 15169
--
*`client.as.organization.name`*::
+
--
Organization name.
type: keyword
example: Google LLC
--
*`client.bytes`*::
+
--
Bytes sent from the client to the server.
type: long
example: 184
format: bytes
--
*`client.domain`*::
+
--
Client domain.
type: keyword
--
*`client.geo.city_name`*::
+
--
City name.
type: keyword
example: Montreal
--
*`client.geo.continent_name`*::
+
--
Name of the continent.
type: keyword
example: North America
--
*`client.geo.country_iso_code`*::
+
--
Country ISO code.
type: keyword
example: CA
--
*`client.geo.country_name`*::
+
--
Country name.
type: keyword
example: Canada
--
*`client.geo.location`*::
+
--
Longitude and latitude.
type: geo_point
example: { "lon": -73.614830, "lat": 45.505918 }
--
*`client.geo.name`*::
+
--
User-defined description of a location, at the level of granularity they care about.
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
Not typically used in automated geolocation.
type: keyword
example: boston-dc
--
*`client.geo.region_iso_code`*::
+
--
Region ISO code.
type: keyword
example: CA-QC
--
*`client.geo.region_name`*::
+
--
Region name.
type: keyword
example: Quebec
--
*`client.ip`*::
+
--
IP address of the client.
Can be one or multiple IPv4 or IPv6 addresses.
type: ip
--
*`client.mac`*::
+
--
MAC address of the client.
type: keyword
--
*`client.nat.ip`*::
+
--
Translated IP of source based NAT sessions (e.g. internal client to internet).
Typically connections traversing load balancers, firewalls, or routers.
type: ip
--
*`client.nat.port`*::
+
--
Translated port of source based NAT sessions (e.g. internal client to internet).
Typically connections traversing load balancers, firewalls, or routers.
type: long
format: string
--
*`client.packets`*::
+
--
Packets sent from the client to the server.
type: long
example: 12
--
*`client.port`*::
+
--
Port of the client.
type: long
format: string
--
*`client.user.domain`*::
+
--
Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.
type: keyword
--
*`client.user.email`*::
+
--
User email address.
type: keyword
--
*`client.user.full_name`*::
+
--
User's full name, if available.
type: keyword
example: Albert Einstein
--
*`client.user.group.id`*::
+
--
Unique identifier for the group on the system/platform.
type: keyword
--
*`client.user.group.name`*::
+
--
Name of the group.
type: keyword
--
*`client.user.hash`*::
+
--
Unique user hash to correlate information for a user in anonymized form.
Useful if `user.id` or `user.name` contain confidential information and cannot be used.
type: keyword
--
*`client.user.id`*::
+
--
One or multiple unique identifiers of the user.
type: keyword
--
*`client.user.name`*::
+
--
Short name or login of the user.
type: keyword
example: albert
--
[float]
=== cloud
Fields related to the cloud or infrastructure the events are coming from.
*`cloud.account.id`*::
+
--
The cloud account or organization id used to identify different entities in a multi-tenant environment.
Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
type: keyword
example: 666777888999
--
*`cloud.availability_zone`*::
+
--
Availability zone in which this host is running.
type: keyword
example: us-east-1c
--
*`cloud.instance.id`*::
+
--
Instance ID of the host machine.
type: keyword
example: i-1234567890abcdef0
--
*`cloud.instance.name`*::
+
--
Instance name of the host machine.
type: keyword
--
*`cloud.machine.type`*::
+
--
Machine type of the host machine.
type: keyword
example: t2.medium
--
*`cloud.provider`*::
+
--
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
type: keyword
example: aws
--
*`cloud.region`*::
+
--
Region in which this host is running.
type: keyword
example: us-east-1
--
[float]
=== container
Container fields are used for meta information about the specific container that is the source of information.
These fields help correlate data based on containers from any runtime.
*`container.id`*::
+
--
Unique container id.
type: keyword
--
*`container.image.name`*::
+
--
Name of the image the container was built on.
type: keyword
--
*`container.image.tag`*::
+
--
Container image tag.
type: keyword
--
*`container.labels`*::
+
--
Image labels.
type: object
--
*`container.name`*::
+
--
Container name.
type: keyword
--
*`container.runtime`*::
+
--
Runtime managing this container.
type: keyword
example: docker
--
[float]
=== destination
Destination fields describe details about the destination of a packet/event.
Destination fields are usually populated in conjunction with source fields.
*`destination.address`*::
+
--
Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
type: keyword
--
*`destination.as.number`*::
+
--
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
type: long
example: 15169
--
*`destination.as.organization.name`*::
+
--
Organization name.
type: keyword
example: Google LLC
--
*`destination.bytes`*::
+
--
Bytes sent from the destination to the source.
type: long
example: 184
format: bytes
--
*`destination.domain`*::
+
--
Destination domain.
type: keyword
--
*`destination.geo.city_name`*::
+
--
City name.
type: keyword
example: Montreal
--
*`destination.geo.continent_name`*::
+
--
Name of the continent.
type: keyword
example: North America
--
*`destination.geo.country_iso_code`*::
+
--
Country ISO code.
type: keyword
example: CA
--
*`destination.geo.country_name`*::
+
--
Country name.
type: keyword
example: Canada
--
*`destination.geo.location`*::
+
--
Longitude and latitude.
type: geo_point
example: { "lon": -73.614830, "lat": 45.505918 }
--
*`destination.geo.name`*::
+
--
User-defined description of a location, at the level of granularity they care about.
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
Not typically used in automated geolocation.
type: keyword
example: boston-dc
--
*`destination.geo.region_iso_code`*::
+
--
Region ISO code.
type: keyword
example: CA-QC
--
*`destination.geo.region_name`*::
+
--
Region name.
type: keyword
example: Quebec
--
*`destination.ip`*::
+
--
IP address of the destination.
Can be one or multiple IPv4 or IPv6 addresses.
type: ip
--
*`destination.mac`*::
+
--
MAC address of the destination.
type: keyword
--
*`destination.nat.ip`*::
+
--
Translated IP of the destination, based on NAT sessions (e.g. internet to private DMZ).
Typically used with load balancers, firewalls, or routers.
type: ip
--
*`destination.nat.port`*::
+
--
Port the destination session is translated to by the NAT device.
Typically used with load balancers, firewalls, or routers.
type: long
format: string
--
*`destination.packets`*::
+
--
Packets sent from the destination to the source.
type: long
example: 12
--
*`destination.port`*::
+
--
Port of the destination.
type: long
format: string
--
*`destination.user.domain`*::
+
--
Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.
type: keyword
--
*`destination.user.email`*::
+
--
User email address.
type: keyword
--
*`destination.user.full_name`*::
+
--
User's full name, if available.
type: keyword
example: Albert Einstein
--
*`destination.user.group.id`*::
+
--
Unique identifier for the group on the system/platform.
type: keyword
--
*`destination.user.group.name`*::
+
--
Name of the group.
type: keyword
--
*`destination.user.hash`*::
+
--
Unique user hash to correlate information for a user in anonymized form.
Useful if `user.id` or `user.name` contain confidential information and cannot be used.
type: keyword
--
*`destination.user.id`*::
+
--
One or multiple unique identifiers of the user.
type: keyword
--
*`destination.user.name`*::
+
--
Short name or login of the user.
type: keyword
example: albert
--
[float]
=== dns
Fields describing DNS queries and answers.
DNS events should either represent a single DNS query prior to getting answers (`dns.type:query`) or they should represent a full exchange and contain the query details as well as all of the answers that were provided for this query (`dns.type:answer`).
*`dns.answers`*::
+
--
An array containing an object for each answer section returned by the server.
The main keys that should be present in these objects are defined by ECS. Records that have more information may contain more keys than what ECS defines.
Not all DNS data sources give all details about DNS answers. At minimum, answer objects must contain the `data` key. If more information is available, map as much of it to ECS as possible, and add any additional fields to the answer objects as custom fields.
type: object
--
*`dns.answers.class`*::
+
--
The class of DNS data contained in this resource record.
type: keyword
example: IN
--
*`dns.answers.data`*::
+
--
The data describing the resource.
The meaning of this data depends on the type and class of the resource record.
type: keyword
example: 10.10.10.10
--
*`dns.answers.name`*::
+
--
The domain name to which this resource record pertains.
If a chain of CNAME is being resolved, each answer's `name` should be the one that corresponds with the answer's `data`. It should not simply be the original `question.name` repeated.
type: keyword
example: www.google.com
--
*`dns.answers.ttl`*::
+
--
The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
type: long
example: 180
--
*`dns.answers.type`*::
+
--
The type of data contained in this resource record.
type: keyword
example: CNAME
--
*`dns.header_flags`*::
+
--
Array of 2 letter DNS header flags.
Expected values are: AA, TC, RD, RA, AD, CD, DO.
type: keyword
example: ['RD', 'RA']
--
*`dns.id`*::
+
--
The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
type: keyword
example: 62111
--
*`dns.op_code`*::
+
--
The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.
type: keyword
example: QUERY
--
*`dns.question.class`*::
+
--
The class of records being queried.
type: keyword
example: IN
--
*`dns.question.name`*::
+
--
The name being queried.
If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively.
type: keyword
example: www.google.com
--
*`dns.question.registered_domain`*::
+
--
The highest registered domain, stripped of the subdomain.
For example, the registered domain for "foo.google.com" is "google.com".
This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk".
type: keyword
example: google.com
--
*`dns.question.type`*::
+
--
The type of record being queried.
type: keyword
example: AAAA
--
*`dns.resolved_ip`*::
+
--
Array containing all IPs seen in `answers.data`.
The `answers` array can be difficult to use, because of the variety of data formats it can contain. Extracting all IP addresses seen in there to `dns.resolved_ip` makes it possible to index them as IP addresses, and makes them easier to visualize and query for.
type: ip
example: ['10.10.10.10', '10.10.10.11']
--
*`dns.response_code`*::
+
--
The DNS response code.
type: keyword
example: NOERROR
--
*`dns.type`*::
+
--
The type of DNS event captured, query or answer.
If your source of DNS events only gives you DNS queries, you should only create dns events of type `dns.type:query`.
If your source of DNS events gives you answers as well, you should create one event per query (optionally as soon as the query is seen). And a second event containing all query details as well as an array of answers.
type: keyword
example: answer
--
[float]
=== ecs
Meta-information specific to ECS.
*`ecs.version`*::
+
--
ECS version this event conforms to. `ecs.version` is a required field and must exist in all events.
When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
type: keyword
example: 1.0.0
required: True
--
[float]
=== error
These fields can represent errors of any kind.
Use them for errors that happen while fetching events or in cases where the event itself contains an error.
*`error.code`*::
+
--
Error code describing the error.
type: keyword
--
*`error.id`*::
+
--
Unique identifier for the error.
type: keyword
--
*`error.message`*::
+
--
Error message.
type: text
--
[float]
=== event
The event fields are used for context information about the log or metric event itself.
A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host.
*`event.action`*::
+
--
The action captured by the event.
This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.
type: keyword
example: user-password-change
--
*`event.category`*::
+
--
Event category.
This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.
type: keyword
example: user-management
--
*`event.code`*::
+
--
Identification code for this event, if one exists.
Some event sources use event codes to identify messages unambiguously, regardless of message language or wording adjustments over time. An example of this is the Windows Event ID.
type: keyword
example: 4648
--
*`event.created`*::
+
--
event.created contains the date/time when the event was first read by an agent, or by your pipeline.
This field is distinct from @timestamp in that @timestamp typically contains the time extracted from the original event.
In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source.
In case the two timestamps are identical, @timestamp should be used.
type: date
--
*`event.dataset`*::
+
--
Name of the dataset.
If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from.
It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
type: keyword
example: apache.access
--
*`event.duration`*::
+
--
Duration of the event in nanoseconds.
If event.start and event.end are known this value should be the difference between the end and start time.
type: long
format: duration
--
*`event.end`*::
+
--
event.end contains the date when the event ended or when the activity was last observed.
type: date
--
*`event.hash`*::
+
--
Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
type: keyword
example: 123456789012345678901234567890ABCD
--
*`event.id`*::
+
--
Unique ID to describe the event.
type: keyword
example: 8a4f500d
--
*`event.kind`*::
+
--
The kind of the event.
This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.
type: keyword
example: state
--
*`event.module`*::
+
--
Name of the module this data is coming from.
If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module.
type: keyword
example: apache
--
*`event.original`*::
+
--
Raw text message of entire event. Used to demonstrate log integrity.
This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`.
type: keyword
example: Sep 19 08:26:10 host CEF:0&#124;Security&#124; threatmanager&#124;1.0&#124;100&#124; worm successfully stopped&#124;10&#124;src=10.0.0.1 dst=2.1.2.2spt=1232
--
*`event.outcome`*::
+
--
The outcome of the event.
If the event describes an action, this field contains the outcome of that action. Example outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution.
type: keyword
example: success
--
*`event.provider`*::
+
--
Source of the event.
Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing).
type: keyword
example: kernel
--
*`event.risk_score`*::
+
--
Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
type: float
--
*`event.risk_score_norm`*::
+
--
Normalized risk score or priority of the event, on a scale of 0 to 100.
This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
type: float
--
*`event.sequence`*::
+
--
Sequence number of the event.
The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision.
type: long
format: string
--
*`event.severity`*::
+
--
Severity describes the original severity of the event. What the different severity values mean can be very different between use cases. It's up to the implementer to make sure severities are consistent across events.
type: long
example: 7
format: string
--
*`event.start`*::
+
--
event.start contains the date when the event started or when the activity was first observed.
type: date
--
*`event.timezone`*::
+
--
This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise.
Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00").
type: keyword
--
*`event.type`*::
+
--
Reserved for future usage.
Please avoid using this field for user data.
type: keyword
--
[float]
=== file
A file is defined as a set of information that has been created on, or has existed on a filesystem.
File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric.
*`file.accessed`*::
+
--
Last time the file was accessed.
Note that not all filesystems keep track of access time.
type: date
--
*`file.created`*::
+
--
File creation time.
Note that not all filesystems store the creation time.
type: date
--
*`file.ctime`*::
+
--
Last time the file attributes or metadata changed.
Note that changes to the file content will update `mtime`. This implies `ctime` will be adjusted at the same time, since `mtime` is an attribute of the file.
type: date
--
*`file.device`*::
+
--
Device that is the source of the file.
type: keyword
example: sda
--
*`file.directory`*::
+
--
Directory where the file is located.
type: keyword
example: /home/alice
--
*`file.extension`*::
+
--
File extension.
type: keyword
example: png
--
*`file.gid`*::
+
--
Primary group ID (GID) of the file.
type: keyword
example: 1001
--
*`file.group`*::
+
--
Primary group name of the file.
type: keyword
example: alice
--
*`file.hash.md5`*::
+
--
MD5 hash.
type: keyword
--
*`file.hash.sha1`*::
+
--
SHA1 hash.
type: keyword
--
*`file.hash.sha256`*::
+
--
SHA256 hash.
type: keyword
--
*`file.hash.sha512`*::
+
--
SHA512 hash.
type: keyword
--
*`file.inode`*::
+
--
Inode representing the file in the filesystem.
type: keyword
example: 256383
--
*`file.mode`*::
+
--
Mode of the file in octal representation.
type: keyword
example: 0640
--
*`file.mtime`*::
+
--
Last time the file content was modified.
type: date
--
*`file.name`*::
+
--
Name of the file including the extension, without the directory.
type: keyword
example: example.png
--
*`file.owner`*::
+
--
File owner's username.
type: keyword
example: alice
--
*`file.path`*::
+
--
Full path to the file.
type: keyword
example: /home/alice/example.png
--
*`file.size`*::
+
--
File size in bytes.
Only relevant when `file.type` is "file".
type: long
example: 16384
--
*`file.target_path`*::
+
--
Target path for symlinks.
type: keyword
--
*`file.type`*::
+
--
File type (file, dir, or symlink).
type: keyword
example: file
--
*`file.uid`*::
+
--
The user ID (UID) or security identifier (SID) of the file owner.
type: keyword
example: 1001
--
[float]
=== geo
Geo fields can carry data about a specific location related to an event.
This geolocation information can be derived from techniques such as Geo IP, or be user-supplied.
*`geo.city_name`*::
+
--
City name.
type: keyword
example: Montreal
--
*`geo.continent_name`*::
+
--
Name of the continent.
type: keyword
example: North America
--
*`geo.country_iso_code`*::
+
--
Country ISO code.
type: keyword
example: CA
--
*`geo.country_name`*::
+
--
Country name.
type: keyword
example: Canada
--
*`geo.location`*::
+
--
Longitude and latitude.
type: geo_point
example: { "lon": -73.614830, "lat": 45.505918 }
--
*`geo.name`*::
+
--
User-defined description of a location, at the level of granularity they care about.
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
Not typically used in automated geolocation.
type: keyword
example: boston-dc
--
*`geo.region_iso_code`*::
+
--
Region ISO code.
type: keyword
example: CA-QC
--
*`geo.region_name`*::
+
--
Region name.
type: keyword
example: Quebec
--
[float]
=== group
The group fields are meant to represent groups that are relevant to the event.
*`group.id`*::
+
--
Unique identifier for the group on the system/platform.
type: keyword
--
*`group.name`*::
+
--
Name of the group.
type: keyword
--
[float]
=== hash
The hash fields represent different hash algorithms and their values.
Field names for common hashes (e.g. MD5, SHA1) are predefined. Add fields for other hashes by lowercasing the hash algorithm name and using underscore separators as appropriate (snake case, e.g. sha3_512).
*`hash.md5`*::
+
--
MD5 hash.
type: keyword
--
*`hash.sha1`*::
+
--
SHA1 hash.
type: keyword
--
*`hash.sha256`*::
+
--
SHA256 hash.
type: keyword
--
*`hash.sha512`*::
+
--
SHA512 hash.
type: keyword
--
[float]
=== host
A host is defined as a general computing instance.
ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.
*`host.architecture`*::
+
--
Operating system architecture.
type: keyword
example: x86_64
--
*`host.geo.city_name`*::
+
--
City name.
type: keyword
example: Montreal
--
*`host.geo.continent_name`*::
+
--
Name of the continent.
type: keyword
example: North America
--
*`host.geo.country_iso_code`*::
+
--
Country ISO code.
type: keyword
example: CA
--
*`host.geo.country_name`*::
+
--
Country name.
type: keyword
example: Canada
--
*`host.geo.location`*::
+
--
Longitude and latitude.
type: geo_point
example: { "lon": -73.614830, "lat": 45.505918 }
--
*`host.geo.name`*::
+
--
User-defined description of a location, at the level of granularity they care about.
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
Not typically used in automated geolocation.
type: keyword
example: boston-dc
--
*`host.geo.region_iso_code`*::
+
--
Region ISO code.
type: keyword
example: CA-QC
--
*`host.geo.region_name`*::
+
--
Region name.
type: keyword
example: Quebec
--
*`host.hostname`*::
+
--
Hostname of the host.
It normally contains what the `hostname` command returns on the host machine.
type: keyword
--
*`host.id`*::
+
--
Unique host id.
As hostname is not always unique, use values that are meaningful in your environment.
Example: The current usage of `beat.name`.
type: keyword
--
*`host.ip`*::
+
--
Host ip address.
type: ip
--
*`host.mac`*::
+
--
Host mac address.
type: keyword
--
*`host.name`*::
+
--
Name of the host.
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
type: keyword
--
*`host.os.family`*::
+
--
OS family (such as redhat, debian, freebsd, windows).
type: keyword
example: debian
--
*`host.os.full`*::
+
--
Operating system name, including the version or code name.
type: keyword
example: Mac OS Mojave
--
*`host.os.kernel`*::
+
--
Operating system kernel version as a raw string.
type: keyword
example: 4.4.0-112-generic
--
*`host.os.name`*::
+
--
Operating system name, without the version.
type: keyword
example: Mac OS X
--
*`host.os.platform`*::
+
--
Operating system platform (such as centos, ubuntu, windows).
type: keyword
example: darwin
--
*`host.os.version`*::
+
--
Operating system version as a raw string.
type: keyword
example: 10.14.1
--
*`host.type`*::
+
--
Type of host.
For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.
type: keyword
--
*`host.uptime`*::
+
--
Seconds the host has been up.
type: long
example: 1325
--
*`host.user.domain`*::
+
--
Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.
type: keyword
--
*`host.user.email`*::
+
--
User email address.
type: keyword
--
*`host.user.full_name`*::
+
--
User's full name, if available.
type: keyword
example: Albert Einstein
--
*`host.user.group.id`*::
+
--
Unique identifier for the group on the system/platform.
type: keyword
--
*`host.user.group.name`*::
+
--
Name of the group.
type: keyword
--
*`host.user.hash`*::
+
--
Unique user hash to correlate information for a user in anonymized form.
Useful if `user.id` or `user.name` contain confidential information and cannot be used.
type: keyword
--
*`host.user.id`*::
+
--
One or multiple unique identifiers of the user.
type: keyword
--
*`host.user.name`*::
+
--
Short name or login of the user.
type: keyword
example: albert
--
[float]
=== http
Fields related to HTTP activity. Use the `url` field set to store the url of the request.
*`http.request.body.bytes`*::
+
--
Size in bytes of the request body.
type: long
example: 887
format: bytes
--
*`http.request.body.content`*::
+
--
The full HTTP request body.
type: keyword
example: Hello world
--
*`http.request.bytes`*::
+
--
Total size in bytes of the request (body and headers).
type: long
example: 1437
format: bytes
--
*`http.request.method`*::
+
--
HTTP request method.
The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
type: keyword
example: get, post, put
--
*`http.request.referrer`*::
+
--
Referrer for this HTTP request.
type: keyword
example: https://blog.example.com/
--
*`http.response.body.bytes`*::
+
--
Size in bytes of the response body.
type: long
example: 887
format: bytes
--
*`http.response.body.content`*::
+
--
The full HTTP response body.
type: keyword
example: Hello world
--
*`http.response.bytes`*::
+
--
Total size in bytes of the response (body and headers).
type: long
example: 1437
format: bytes
--
*`http.response.status_code`*::
+
--
HTTP response status code.
type: long
example: 404
format: string
--
*`http.version`*::
+
--
HTTP version.
type: keyword
example: 1.1
--
[float]
=== log
Fields which are specific to log events.
*`log.level`*::
+
--
Original log level of the log event.
Some examples are `warn`, `error`, `i`.
type: keyword
example: err
--
*`log.logger`*::
+
--
The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.
type: keyword
example: org.elasticsearch.bootstrap.Bootstrap
--
*`log.original`*::
+
--
This is the original log message and contains the full log message before splitting it up in multiple parts.
In contrast to the `message` field, which can contain an extracted part of the log message, this field contains the original, full log message. It may already have some modifications applied, such as encoding or newline removal, to clean up the log message.
This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`.
type: keyword
example: Sep 19 08:26:10 localhost My log
--
[float]
=== network
The network is defined as the communication path over which a host or network event happens.
The network.* fields should be populated with details about the network activity associated with an event.
*`network.application`*::
+
--
A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format.
The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
type: keyword
example: aim
--
*`network.bytes`*::
+
--
Total bytes transferred in both directions.
If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum.
type: long
example: 368
format: bytes
--
*`network.community_id`*::
+
--
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
Learn more at https://github.com/corelight/community-id-spec.
type: keyword
example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
--
*`network.direction`*::
+
--
Direction of the network traffic.
Recommended values are:
* inbound
* outbound
* internal
* external
* unknown
When mapping events from a host-based monitoring context, populate this field from the host's point of view.
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter.
type: keyword
example: inbound
--
*`network.forwarded_ip`*::
+
--
Host IP address when the source IP address is the proxy.
type: ip
example: 192.1.1.2
--
*`network.iana_number`*::
+
--
IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
type: keyword
example: 6
--
*`network.name`*::
+
--
Name given by operators to sections of their network.
type: keyword
example: Guest Wifi
--
*`network.packets`*::
+
--
Total packets transferred in both directions.
If `source.packets` and `destination.packets` are known, `network.packets` is their sum.
type: long
example: 24
--
*`network.protocol`*::
+
--
L7 Network protocol name. ex. http, lumberjack, transport protocol.
The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
type: keyword
example: http
--
*`network.transport`*::
+
--
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
type: keyword
example: tcp
--
*`network.type`*::
+
--
In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".
type: keyword
example: ipv4
--
[float]
=== observer
An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics.
This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS.
*`observer.geo.city_name`*::
+
--
City name.
type: keyword
example: Montreal
--
*`observer.geo.continent_name`*::
+
--
Name of the continent.
type: keyword
example: North America
--
*`observer.geo.country_iso_code`*::
+
--
Country ISO code.
type: keyword
example: CA
--
*`observer.geo.country_name`*::
+
--
Country name.
type: keyword
example: Canada
--
*`observer.geo.location`*::
+
--
Longitude and latitude.
type: geo_point
example: { "lon": -73.614830, "lat": 45.505918 }
--
*`observer.geo.name`*::
+
--
User-defined description of a location, at the level of granularity they care about.
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
Not typically used in automated geolocation.
type: keyword
example: boston-dc
--
*`observer.geo.region_iso_code`*::
+
--
Region ISO code.
type: keyword
example: CA-QC
--
*`observer.geo.region_name`*::
+
--
Region name.
type: keyword
example: Quebec
--
*`observer.hostname`*::
+
--
Hostname of the observer.
type: keyword
--
*`observer.ip`*::
+
--
IP address of the observer.
type: ip
--
*`observer.mac`*::
+
--
MAC address of the observer.
type: keyword
--
*`observer.os.family`*::
+
--
OS family (such as redhat, debian, freebsd, windows).
type: keyword
example: debian
--
*`observer.os.full`*::
+
--
Operating system name, including the version or code name.
type: keyword
example: Mac OS Mojave
--
*`observer.os.kernel`*::
+
--
Operating system kernel version as a raw string.
type: keyword
example: 4.4.0-112-generic
--
*`observer.os.name`*::
+
--
Operating system name, without the version.
type: keyword
example: Mac OS X
--
*`observer.os.platform`*::
+
--
Operating system platform (such as centos, ubuntu, windows).
type: keyword
example: darwin
--
*`observer.os.version`*::
+
--
Operating system version as a raw string.
type: keyword
example: 10.14.1
--
*`observer.serial_number`*::
+
--
Observer serial number.
type: keyword
--
*`observer.type`*::
+
--
The type of the observer the data is coming from.
There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`.
type: keyword
example: firewall
--
*`observer.vendor`*::
+
--
Observer vendor information.
type: keyword
--
*`observer.version`*::
+
--
Observer version.
type: keyword
--
[float]
=== organization
The organization fields enrich data with information about the company or entity the data is associated with.
These fields help you arrange or filter data stored in an index by one or multiple organizations.
*`organization.id`*::
+
--
Unique identifier for the organization.
type: keyword
--
*`organization.name`*::
+
--
Organization name.
type: keyword
--
[float]
=== os
The OS fields contain information about the operating system.
*`os.family`*::
+
--
OS family (such as redhat, debian, freebsd, windows).
type: keyword
example: debian
--
*`os.full`*::
+
--
Operating system name, including the version or code name.
type: keyword
example: Mac OS Mojave
--
*`os.kernel`*::
+
--
Operating system kernel version as a raw string.
type: keyword
example: 4.4.0-112-generic
--
*`os.name`*::
+
--
Operating system name, without the version.
type: keyword
example: Mac OS X
--
*`os.platform`*::
+
--
Operating system platform (such as centos, ubuntu, windows).
type: keyword
example: darwin
--
*`os.version`*::
+
--
Operating system version as a raw string.
type: keyword
example: 10.14.1
--
[float]
=== process
These fields contain information about a process.
These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation.
*`process.args`*::
+
--
Array of process arguments.
May be filtered to protect sensitive information.
type: keyword
example: ['ssh', '-l', 'user', '10.0.0.16']
--
*`process.executable`*::
+
--
Absolute path to the process executable.
type: keyword
example: /usr/bin/ssh
--
*`process.hash.md5`*::
+
--
MD5 hash.
type: keyword
--
*`process.hash.sha1`*::
+
--
SHA1 hash.
type: keyword
--
*`process.hash.sha256`*::
+
--
SHA256 hash.
type: keyword
--
*`process.hash.sha512`*::
+
--
SHA512 hash.
type: keyword
--
*`process.name`*::
+
--
Process name.
Sometimes called program name or similar.
type: keyword
example: ssh
--
*`process.pgid`*::
+
--
Identifier of the group of processes the process belongs to.
type: long
format: string
--
*`process.pid`*::
+
--
Process id.
type: long
example: 4242
format: string
--
*`process.ppid`*::
+
--
Parent process' pid.
type: long
example: 4241
format: string
--
*`process.start`*::
+
--
The time the process started.
type: date
example: 2016-05-23T08:05:34.853Z
--
*`process.thread.id`*::
+
--
Thread ID.
type: long
example: 4242
format: string
--
*`process.thread.name`*::
+
--
Thread name.
type: keyword
example: thread-0
--
*`process.title`*::
+
--
Process title.
The proctitle, sometimes the same as the process name. Can also be different: for example, a browser setting its title to the web page currently opened.
type: keyword
--
*`process.uptime`*::
+
--
Seconds the process has been up.
type: long
example: 1325
--
*`process.working_directory`*::
+
--
The working directory of the process.
type: keyword
example: /home/alice
--
[float]
=== related
This field set is meant to facilitate pivoting around a piece of data.
Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`.
A concrete example is IP addresses, which can be under host, observer, source, destination, client, server, and network.forwarded_ip. If you append all IPs to `related.ip`, you can then search for a given IP trivially, no matter where it appeared, by querying `related.ip:a.b.c.d`.
*`related.ip`*::
+
--
All of the IPs seen on your event.
type: ip
--
[float]
=== server
A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records.
For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer to the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events.
Client / server representations can add semantic context to an exchange, which is helpful to visualize the data in certain situations. If your context falls in that category, you should still ensure that source and destination are filled appropriately.
*`server.address`*::
+
--
Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
type: keyword
--
*`server.as.number`*::
+
--
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
type: long
example: 15169
--
*`server.as.organization.name`*::
+
--
Organization name.
type: keyword
example: Google LLC
--
*`server.bytes`*::
+
--
Bytes sent from the server to the client.
type: long
example: 184
format: bytes
--
*`server.domain`*::
+
--
Server domain.
type: keyword
--
*`server.geo.city_name`*::
+
--
City name.
type: keyword
example: Montreal
--
*`server.geo.continent_name`*::
+
--
Name of the continent.
type: keyword
example: North America
--
*`server.geo.country_iso_code`*::
+
--
Country ISO code.
type: keyword
example: CA
--
*`server.geo.country_name`*::
+
--
Country name.
type: keyword
example: Canada
--
*`server.geo.location`*::
+
--
Longitude and latitude.
type: geo_point
example: { "lon": -73.614830, "lat": 45.505918 }
--
*`server.geo.name`*::
+
--
User-defined description of a location, at the level of granularity they care about.
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
Not typically used in automated geolocation.
type: keyword
example: boston-dc
--
*`server.geo.region_iso_code`*::
+
--
Region ISO code.
type: keyword
example: CA-QC
--
*`server.geo.region_name`*::
+
--
Region name.
type: keyword
example: Quebec
--
*`server.ip`*::
+
--
IP address of the server.
Can be one or multiple IPv4 or IPv6 addresses.
type: ip
--
*`server.mac`*::
+
--
MAC address of the server.
type: keyword
--
*`server.nat.ip`*::
+
--
Translated IP of destination-based NAT sessions (e.g. internet to private DMZ).
Typically used with load balancers, firewalls, or routers.
type: ip
--
*`server.nat.port`*::
+
--
Translated port of destination-based NAT sessions (e.g. internet to private DMZ).
Typically used with load balancers, firewalls, or routers.
type: long
format: string
--
*`server.packets`*::
+
--
Packets sent from the server to the client.
type: long
example: 12
--
*`server.port`*::
+
--
Port of the server.
type: long
format: string
--
*`server.user.domain`*::
+
--
Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.
type: keyword
--
*`server.user.email`*::
+
--
User email address.
type: keyword
--
*`server.user.full_name`*::
+
--
User's full name, if available.
type: keyword
example: Albert Einstein
--
*`server.user.group.id`*::
+
--
Unique identifier for the group on the system/platform.
type: keyword
--
*`server.user.group.name`*::
+
--
Name of the group.
type: keyword
--
*`server.user.hash`*::
+
--
Unique user hash to correlate information for a user in anonymized form.
Useful if `user.id` or `user.name` contain confidential information and cannot be used.
type: keyword
--
*`server.user.id`*::
+
--
One or multiple unique identifiers of the user.
type: keyword
--
*`server.user.name`*::
+
--
Short name or login of the user.
type: keyword
example: albert
--
[float]
=== service
The service fields describe the service for or from which the data was collected.
These fields help you find and correlate logs for a specific service and version.
*`service.ephemeral_id`*::
+
--
Ephemeral identifier of this service (if one exists).
This id normally changes across restarts, but `service.id` does not.
type: keyword
example: 8a4f500f
--
*`service.id`*::
+
--
Unique identifier of the running service. If the service is comprised of many nodes, the `service.id` should be the same for all nodes.
This id should uniquely identify the service. This makes it possible to correlate logs and metrics for one specific service, no matter which particular node emitted the event.
Note that if you need to see the events from one specific host of the service, you should filter on that `host.name` or `host.id` instead.
type: keyword
example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
--
*`service.name`*::
+
--
Name of the service data is collected from.
The name of the service is normally user given. This allows two instances of the same service running on the same machine to be differentiated by the `service.name`.
Also it allows for distributed services that run on multiple hosts to correlate the related instances based on the name.
In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the `service.type` field if no name is specified.
type: keyword
example: elasticsearch-metrics
--
*`service.state`*::
+
--
Current state of the service.
type: keyword
--
*`service.type`*::
+
--
The type of the service data is collected from.
The type can be used to group and correlate logs and metrics from one service type.
Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`.
type: keyword
example: elasticsearch
--
*`service.version`*::
+
--
Version of the service the data was collected from.
This allows you to look at a data set only for a specific version of a service.
type: keyword
example: 3.2.4
--
[float]
=== source
Source fields describe details about the source of a packet/event.
Source fields are usually populated in conjunction with destination fields.
*`source.address`*::
+
--
Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field.
Then it should be duplicated to `.ip` or `.domain`, depending on which one it is.
type: keyword
--
*`source.as.number`*::
+
--
Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet.
type: long
example: 15169
--
*`source.as.organization.name`*::
+
--
Organization name.
type: keyword
example: Google LLC
--
*`source.bytes`*::
+
--
Bytes sent from the source to the destination.
type: long
example: 184
format: bytes
--
*`source.domain`*::
+
--
Source domain.
type: keyword
--
*`source.geo.city_name`*::
+
--
City name.
type: keyword
example: Montreal
--
*`source.geo.continent_name`*::
+
--
Name of the continent.
type: keyword
example: North America
--
*`source.geo.country_iso_code`*::
+
--
Country ISO code.
type: keyword
example: CA
--
*`source.geo.country_name`*::
+
--
Country name.
type: keyword
example: Canada
--
*`source.geo.location`*::
+
--
Longitude and latitude.
type: geo_point
example: { "lon": -73.614830, "lat": 45.505918 }
--
*`source.geo.name`*::
+
--
User-defined description of a location, at the level of granularity they care about.
Could be the name of their data centers, the floor number, if this describes a local physical entity, city names.
Not typically used in automated geolocation.
type: keyword
example: boston-dc
--
*`source.geo.region_iso_code`*::
+
--
Region ISO code.
type: keyword
example: CA-QC
--
*`source.geo.region_name`*::
+
--
Region name.
type: keyword
example: Quebec
--
*`source.ip`*::
+
--
IP address of the source.
Can be one or multiple IPv4 or IPv6 addresses.
type: ip
--
*`source.mac`*::
+
--
MAC address of the source.
type: keyword
--
*`source.nat.ip`*::
+
--
Translated IP of source-based NAT sessions (e.g. internal client to internet).
Typically used for connections traversing load balancers, firewalls, or routers.
type: ip
--
*`source.nat.port`*::
+
--
Translated port of source-based NAT sessions (e.g. internal client to internet).
Typically used with load balancers, firewalls, or routers.
type: long
format: string
--
*`source.packets`*::
+
--
Packets sent from the source to the destination.
type: long
example: 12
--
*`source.port`*::
+
--
Port of the source.
type: long
format: string
--
*`source.user.domain`*::
+
--
Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.
type: keyword
--
*`source.user.email`*::
+
--
User email address.
type: keyword
--
*`source.user.full_name`*::
+
--
User's full name, if available.
type: keyword
example: Albert Einstein
--
*`source.user.group.id`*::
+
--
Unique identifier for the group on the system/platform.
type: keyword
--
*`source.user.group.name`*::
+
--
Name of the group.
type: keyword
--
*`source.user.hash`*::
+
--
Unique user hash to correlate information for a user in anonymized form.
Useful if `user.id` or `user.name` contain confidential information and cannot be used.
type: keyword
--
*`source.user.id`*::
+
--
One or multiple unique identifiers of the user.
type: keyword
--
*`source.user.name`*::
+
--
Short name or login of the user.
type: keyword
example: albert
--
[float]
=== tracing
Distributed tracing makes it possible to analyze performance throughout a microservice architecture all in one view. This is accomplished by tracing all of the requests - from the initial web request in the front-end service - to queries made through multiple back-end services.
*`tracing.trace.id`*::
+
--
Unique identifier of the trace.
A trace groups multiple events like transactions that belong together. For example, a user request handled by multiple inter-connected services.
type: keyword
example: 4bf92f3577b34da6a3ce929d0e0e4736
--
*`tracing.transaction.id`*::
+
--
Unique identifier of the transaction.
A transaction is the highest level of work measured within a service, such as a request to a server.
type: keyword
example: 00f067aa0ba902b7
--
[float]
=== url
URL fields provide support for complete or partial URLs, and support breaking them down into scheme, domain, path, and so on.
*`url.domain`*::
+
--
Domain of the url, such as "www.elastic.co".
In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field.
type: keyword
example: www.elastic.co
--
*`url.fragment`*::
+
--
Portion of the url after the `#`, such as "top".
The `#` is not part of the fragment.
type: keyword
--
*`url.full`*::
+
--
If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source.
type: keyword
example: https://www.elastic.co:443/search?q=elasticsearch#top
--
*`url.original`*::
+
--
Unmodified original url as seen in the event source.
Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path.
This field is meant to represent the URL as it was observed, complete or not.
type: keyword
example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch
--
*`url.password`*::
+
--
Password of the request.
type: keyword
--
*`url.path`*::
+
--
Path of the request, such as "/search".
type: keyword
--
*`url.port`*::
+
--
Port of the request, such as 443.
type: long
example: 443
format: string
--
*`url.query`*::
+
--
The query field describes the query string of the request, such as "q=elasticsearch".
The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases.
type: keyword
--
*`url.scheme`*::
+
--
Scheme of the request, such as "https".
Note: The `:` is not part of the scheme.
type: keyword
example: https
--
*`url.username`*::
+
--
Username of the request.
type: keyword
--
[float]
=== user
The user fields describe information about the user that is relevant to the event.
Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.
*`user.domain`*::
+
--
Name of the directory the user is a member of.
For example, an LDAP or Active Directory domain name.
type: keyword
--
*`user.email`*::
+
--
User email address.
type: keyword
--
*`user.full_name`*::
+
--
User's full name, if available.
type: keyword
example: Albert Einstein
--
*`user.group.id`*::
+
--
Unique identifier for the group on the system/platform.
type: keyword
--
*`user.group.name`*::
+
--
Name of the group.
type: keyword
--
*`user.hash`*::
+
--
Unique user hash to correlate information for a user in anonymized form.
Useful if `user.id` or `user.name` contain confidential information and cannot be used.
type: keyword
--
*`user.id`*::
+
--
One or multiple unique identifiers of the user.
type: keyword
--
*`user.name`*::
+
--
Short name or login of the user.
type: keyword
example: albert
--
[float]
=== user_agent
The user_agent fields normally come from a browser request.
They often show up in web service logs coming from the parsed user agent string.
*`user_agent.device.name`*::
+
--
Name of the device.
type: keyword
example: iPhone
--
*`user_agent.name`*::
+
--
Name of the user agent.
type: keyword
example: Safari
--
*`user_agent.original`*::
+
--
Unparsed version of the user_agent.
type: keyword
example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1
--
*`user_agent.os.family`*::
+
--
OS family (such as redhat, debian, freebsd, windows).
type: keyword
example: debian
--
*`user_agent.os.full`*::
+
--
Operating system name, including the version or code name.
type: keyword
example: Mac OS Mojave
--
*`user_agent.os.kernel`*::
+
--
Operating system kernel version as a raw string.
type: keyword
example: 4.4.0-112-generic
--
*`user_agent.os.name`*::
+
--
Operating system name, without the version.
type: keyword
example: Mac OS X
--
*`user_agent.os.platform`*::
+
--
Operating system platform (such as centos, ubuntu, windows).
type: keyword
example: darwin
--
*`user_agent.os.version`*::
+
--
Operating system version as a raw string.
type: keyword
example: 10.14.1
--
*`user_agent.version`*::
+
--
Version of the user agent.
type: keyword
example: 12.0
--
[[exported-fields-elasticsearch]]
== elasticsearch fields
elasticsearch Module
[float]
=== elasticsearch
*`elasticsearch.component`*::
+
--
Elasticsearch component from where the log event originated
type: keyword
example: o.e.c.m.MetaDataCreateIndexService
--
*`elasticsearch.cluster.uuid`*::
+
--
UUID of the cluster
type: keyword
example: GmvrbHlNTiSVYiPf8kxg9g
--
*`elasticsearch.cluster.name`*::
+
--
Name of the cluster
type: keyword
example: docker-cluster
--
*`elasticsearch.node.id`*::
+
--
ID of the node
type: keyword
example: DSiWcTyeThWtUXLB9J0BMw
--
*`elasticsearch.node.name`*::
+
--
Name of the node
type: keyword
example: vWNJsZ3
--
*`elasticsearch.index.name`*::
+
--
Index name
type: keyword
example: filebeat-test-input
--
*`elasticsearch.index.id`*::
+
--
Index id
type: keyword
example: aOGgDwbURfCV57AScqbCgw
--
*`elasticsearch.shard.id`*::
+
--
Id of the shard
type: keyword
example: 0
--
[float]
=== audit
*`elasticsearch.audit.layer`*::
+
--
The layer from which this event originated: rest, transport or ip_filter
type: keyword
example: rest
--
*`elasticsearch.audit.event_type`*::
+
--
The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied
type: keyword
example: access_granted
--
*`elasticsearch.audit.origin.type`*::
+
--
Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request)
type: keyword
example: local_node
--
*`elasticsearch.audit.realm`*::
+
--
The authentication realm the authentication was validated against
type: keyword
--
*`elasticsearch.audit.user.realm`*::
+
--
The user's authentication realm, if authenticated
type: keyword
--
*`elasticsearch.audit.user.roles`*::
+
--
Roles to which the principal belongs
type: keyword
example: ['kibana_user', 'beats_admin']
--
*`elasticsearch.audit.action`*::
+
--
The name of the action that was executed
type: keyword
example: cluster:monitor/main
--
*`elasticsearch.audit.url.params`*::
+
--
REST URI parameters
example: {username=jacknich2}
--
*`elasticsearch.audit.indices`*::
+
--
Indices accessed by action
type: keyword
example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06']
--
*`elasticsearch.audit.request.id`*::
+
--
Unique ID of request
type: keyword
example: WzL_kb6VSvOhAq0twPvHOQ
--
*`elasticsearch.audit.request.name`*::
+
--
The type of request that was executed
type: keyword
example: ClearScrollRequest
--
*`elasticsearch.audit.request_body`*::
+
--
type: alias
alias to: http.request.body.content
--
*`elasticsearch.audit.origin_address`*::
+
--
type: alias
alias to: source.ip
--
*`elasticsearch.audit.uri`*::
+
--
type: alias
alias to: url.original
--
*`elasticsearch.audit.principal`*::
+
--
type: alias
alias to: user.name
--
*`elasticsearch.audit.message`*::
+
--
type: text
--
[float]
=== deprecation
[float]
=== gc
GC fileset fields.
[float]
=== phase
Fields specific to GC phase.
*`elasticsearch.gc.phase.name`*::
+
--
Name of the GC collection phase.
type: keyword
--
*`elasticsearch.gc.phase.duration_sec`*::
+
--
Collection phase duration according to the Java virtual machine.
type: float
--
*`elasticsearch.gc.phase.scrub_symbol_table_time_sec`*::
+
--
Pause time in seconds cleaning up symbol tables.
type: float
--
*`elasticsearch.gc.phase.scrub_string_table_time_sec`*::
+
--
Pause time in seconds cleaning up string tables.
type: float
--
*`elasticsearch.gc.phase.weak_refs_processing_time_sec`*::
+
--
Time spent processing weak references in seconds.
type: float
--
*`elasticsearch.gc.phase.parallel_rescan_time_sec`*::
+
--
Time spent in seconds marking live objects while application is stopped.
type: float
--
*`elasticsearch.gc.phase.class_unload_time_sec`*::
+
--
Time spent unloading unused classes in seconds.
type: float
--
[float]
=== cpu_time
Process CPU time spent performing collections.
*`elasticsearch.gc.phase.cpu_time.user_sec`*::
+
--
CPU time spent outside the kernel.
type: float
--
*`elasticsearch.gc.phase.cpu_time.sys_sec`*::
+
--
CPU time spent inside the kernel.
type: float
--
*`elasticsearch.gc.phase.cpu_time.real_sec`*::
+
--
Total elapsed CPU time spent to complete the collection from start to finish.
type: float
--
*`elasticsearch.gc.jvm_runtime_sec`*::
+
--
The time from JVM start up in seconds, as a floating point number.
type: float
--
*`elasticsearch.gc.threads_total_stop_time_sec`*::
+
--
Garbage collection threads' total stop time, in seconds.
type: float
--
*`elasticsearch.gc.stopping_threads_time_sec`*::
+
--
Time taken to stop threads, in seconds.
type: float
--
*`elasticsearch.gc.tags`*::
+
--
GC logging tags.
type: keyword
--
[float]
=== heap
Heap allocation and total size.
*`elasticsearch.gc.heap.size_kb`*::
+
--
Total heap size in kilobytes.
type: integer
--
*`elasticsearch.gc.heap.used_kb`*::
+
--
Used heap in kilobytes.
type: integer
--
[float]
=== old_gen
Old generation occupancy and total size.
*`elasticsearch.gc.old_gen.size_kb`*::
+
--
Total size of old generation in kilobytes.
type: integer
--
*`elasticsearch.gc.old_gen.used_kb`*::
+
--
Old generation occupancy in kilobytes.
type: integer
--
[float]
=== young_gen
Young generation occupancy and total size.
*`elasticsearch.gc.young_gen.size_kb`*::
+
--
Total size of young generation in kilobytes.
type: integer
--
*`elasticsearch.gc.young_gen.used_kb`*::
+
--
Young generation occupancy in kilobytes.
type: integer
--
[float]
=== server
Server log file
*`elasticsearch.server.stacktrace`*::
+
--
Field is not indexed.
--
[float]
=== gc
GC log
[float]
=== young
Young GC
*`elasticsearch.server.gc.young.one`*::
+
--
type: long
example:
--
*`elasticsearch.server.gc.young.two`*::
+
--
type: long
example:
--
*`elasticsearch.server.gc.overhead_seq`*::
+
--
Sequence number
type: long
example: 3449992
--
*`elasticsearch.server.gc.collection_duration.ms`*::
+
--
Time spent in GC, in milliseconds
type: float
example: 1600
--
*`elasticsearch.server.gc.observation_duration.ms`*::
+
--
Total time over which collection was observed, in milliseconds
type: float
example: 1800
--
[float]
=== slowlog
Slowlog events from Elasticsearch
*`elasticsearch.slowlog.logger`*::
+
--
Logger name
type: keyword
example: index.search.slowlog.fetch
--
*`elasticsearch.slowlog.took`*::
+
--
Time it took to execute the query
type: keyword
example: 300ms
--
*`elasticsearch.slowlog.types`*::
+
--
Types
type: keyword
example:
--
*`elasticsearch.slowlog.stats`*::
+
--
Stats groups
type: keyword
example: group1
--
*`elasticsearch.slowlog.search_type`*::
+
--
Search type
type: keyword
example: QUERY_THEN_FETCH
--
*`elasticsearch.slowlog.source_query`*::
+
--
Slow query
type: keyword
example: {"query":{"match_all":{"boost":1.0}}}
--
*`elasticsearch.slowlog.extra_source`*::
+
--
Extra source information
type: keyword
example:
--
*`elasticsearch.slowlog.total_hits`*::
+
--
Total hits
type: keyword
example: 42
--
*`elasticsearch.slowlog.total_shards`*::
+
--
Total queried shards
type: keyword
example: 22
--
*`elasticsearch.slowlog.routing`*::
+
--
Routing
type: keyword
example: s01HZ2QBk9jw4gtgaFtn
--
*`elasticsearch.slowlog.id`*::
+
--
Id
type: keyword
example:
--
*`elasticsearch.slowlog.type`*::
+
--
Type
type: keyword
example: doc
--
*`elasticsearch.slowlog.source`*::
+
--
Source of document that was indexed
type: keyword
--
[[exported-fields-envoyproxy]]
== Envoyproxy fields
Module for handling logs produced by envoy
[float]
=== envoyproxy
Fields from envoy proxy logs after normalization
*`envoyproxy.log_type`*::
+
--
Envoy log type, normally ACCESS
type: keyword
--
*`envoyproxy.response_flags`*::
+
--
Response flags
type: keyword
--
*`envoyproxy.upstream_service_time`*::
+
--
Upstream service time in nanoseconds
type: long
format: duration
--
*`envoyproxy.request_id`*::
+
--
ID of the request
type: keyword
--
*`envoyproxy.authority`*::
+
--
Envoy proxy authority field
type: keyword
--
*`envoyproxy.proxy_type`*::
+
--
Envoy proxy type, tcp or http
type: keyword
--
[[exported-fields-googlecloud]]
== Google Cloud fields
Module for handling logs from Google Cloud.
[float]
=== googlecloud
Fields from Google Cloud logs.
[float]
=== vpcflow
Fields for Google Cloud VPC flow logs.
*`googlecloud.vpcflow.reporter`*::
+
--
The side which reported the flow. Can be either 'SRC' or 'DEST'.
type: keyword
--
*`googlecloud.vpcflow.rtt.ms`*::
+
--
Latency as measured (for TCP flows only) during the time interval. This is the time elapsed between sending a SEQ and receiving a corresponding ACK and it contains the network RTT as well as the application related delay.
type: long
--
[float]
=== destination.instance
If the destination of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project.
*`googlecloud.vpcflow.destination.instance.project_id`*::
+
--
ID of the project containing the VM.
type: keyword
--
*`googlecloud.vpcflow.destination.instance.region`*::
+
--
Region of the VM.
type: keyword
--
*`googlecloud.vpcflow.destination.instance.zone`*::
+
--
Zone of the VM.
type: keyword
--
[float]
=== destination.vpc
If the destination of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project.
*`googlecloud.vpcflow.destination.vpc.project_id`*::
+
--
ID of the project containing the VM.
type: keyword
--
*`googlecloud.vpcflow.destination.vpc.vpc_name`*::
+
--
VPC on which the VM is operating.
type: keyword
--
*`googlecloud.vpcflow.destination.vpc.subnetwork_name`*::
+
--
Subnetwork on which the VM is operating.
type: keyword
--
[float]
=== source.instance
If the source of the connection was a VM located on the same VPC, this field is populated with VM instance details. In a Shared VPC configuration, project_id corresponds to the project that owns the instance, usually the service project.
*`googlecloud.vpcflow.source.instance.project_id`*::
+
--
ID of the project containing the VM.
type: keyword
--
*`googlecloud.vpcflow.source.instance.region`*::
+
--
Region of the VM.
type: keyword
--
*`googlecloud.vpcflow.source.instance.zone`*::
+
--
Zone of the VM.
type: keyword
--
[float]
=== source.vpc
If the source of the connection was a VM located on the same VPC, this field is populated with VPC network details. In a Shared VPC configuration, project_id corresponds to that of the host project.
*`googlecloud.vpcflow.source.vpc.project_id`*::
+
--
ID of the project containing the VM.
type: keyword
--
*`googlecloud.vpcflow.source.vpc.vpc_name`*::
+
--
VPC on which the VM is operating.
type: keyword
--
*`googlecloud.vpcflow.source.vpc.subnetwork_name`*::
+
--
Subnetwork on which the VM is operating.
type: keyword
--
[[exported-fields-haproxy]]
== haproxy fields
haproxy Module
[float]
=== haproxy
*`haproxy.frontend_name`*::
+
--
Name of the frontend (or listener) which received and processed the connection.
--
*`haproxy.backend_name`*::
+
--
Name of the backend (or listener) which was selected to manage the connection to the server.
--
*`haproxy.server_name`*::
+
--
Name of the last server to which the connection was sent.
--
*`haproxy.total_waiting_time_ms`*::
+
--
Total time in milliseconds spent waiting in the various queues
type: long
--
*`haproxy.connection_wait_time_ms`*::
+
--
Total time in milliseconds spent waiting for the connection to establish to the final server
type: long
--
*`haproxy.bytes_read`*::
+
--
Total number of bytes transmitted to the client when the log is emitted.
type: long
--
*`haproxy.time_queue`*::
+
--
Total time in milliseconds spent waiting in the various queues.
type: long
--
*`haproxy.time_backend_connect`*::
+
--
Total time in milliseconds spent waiting for the connection to establish to the final server, including retries.
type: long
--
*`haproxy.server_queue`*::
+
--
Total number of requests which were processed before this one in the server queue.
type: long
--
*`haproxy.backend_queue`*::
+
--
Total number of requests which were processed before this one in the backend's global queue.
type: long
--
*`haproxy.bind_name`*::
+
--
Name of the listening address which received the connection.
--
*`haproxy.error_message`*::
+
--
Error message logged by HAProxy in case of error.
type: text
--
*`haproxy.source`*::
+
--
The HAProxy source of the log
type: keyword
--
*`haproxy.termination_state`*::
+
--
Condition the session was in when the session ended.
--
*`haproxy.mode`*::
+
--
Mode in which the frontend is operating (TCP or HTTP).
type: keyword
--
[float]
=== connections
Contains various counts of connections active in the process.
*`haproxy.connections.active`*::
+
--
Total number of concurrent connections on the process when the session was logged.
type: long
--
*`haproxy.connections.frontend`*::
+
--
Total number of concurrent connections on the frontend when the session was logged.
type: long
--
*`haproxy.connections.backend`*::
+
--
Total number of concurrent connections handled by the backend when the session was logged.
type: long
--
*`haproxy.connections.server`*::
+
--
Total number of concurrent connections still active on the server when the session was logged.
type: long
--
*`haproxy.connections.retries`*::
+
--
Number of connection retries experienced by this session when trying to connect to the server.
type: long
--
[float]
=== client
Information about the client doing the request
*`haproxy.client.ip`*::
+
--
type: alias
alias to: source.address
--
*`haproxy.client.port`*::
+
--
type: alias
alias to: source.port
--
*`haproxy.process_name`*::
+
--
type: alias
alias to: process.name
--
*`haproxy.pid`*::
+
--
type: alias
alias to: process.pid
--
[float]
=== destination
Destination information
*`haproxy.destination.port`*::
+
--
type: alias
alias to: destination.port
--
*`haproxy.destination.ip`*::
+
--
type: alias
alias to: destination.ip
--
[float]
=== geoip
Contains GeoIP information gathered based on the client.ip field. Only present if the GeoIP Elasticsearch plugin is available and used.
*`haproxy.geoip.continent_name`*::
+
--
type: alias
alias to: source.geo.continent_name
--
*`haproxy.geoip.country_iso_code`*::
+
--
type: alias
alias to: source.geo.country_iso_code
--
*`haproxy.geoip.location`*::
+
--
type: alias
alias to: source.geo.location
--
*`haproxy.geoip.region_name`*::
+
--
type: alias
alias to: source.geo.region_name
--
*`haproxy.geoip.city_name`*::
+
--
type: alias
alias to: source.geo.city_name
--
*`haproxy.geoip.region_iso_code`*::
+
--
type: alias
alias to: source.geo.region_iso_code
--
[float]
=== http
Fields related to the HTTP request and response.
[float]
=== response
Fields related to the HTTP response
*`haproxy.http.response.captured_cookie`*::
+
--
Optional "name=value" entry indicating that the client had this cookie in the response.
--
*`haproxy.http.response.captured_headers`*::
+
--
List of headers captured in the response due to the presence of the "capture response header" statement in the frontend.
type: keyword
--
*`haproxy.http.response.status_code`*::
+
--
type: alias
alias to: http.response.status_code
--
[float]
=== request
Fields related to the HTTP request
*`haproxy.http.request.captured_cookie`*::
+
--
Optional "name=value" entry indicating that the server has returned a cookie with its request.
--
*`haproxy.http.request.captured_headers`*::
+
--
List of headers captured in the request due to the presence of the "capture request header" statement in the frontend.
type: keyword
--
*`haproxy.http.request.raw_request_line`*::
+
--
Complete HTTP request line, including the method, request and HTTP version string.
type: keyword
--
*`haproxy.http.request.time_wait_without_data_ms`*::
+
--
Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data.
type: long
--
*`haproxy.http.request.time_wait_ms`*::
+
--
Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received.
type: long
--
[float]
=== tcp
TCP log format
*`haproxy.tcp.connection_waiting_time_ms`*::
+
--
Total time in milliseconds elapsed between the accept and the last close.
type: long
--
[[exported-fields-host-processor]]
== Host fields
Info collected for the host machine.
*`host.containerized`*::
+
--
If the host is a container.
type: boolean
--
*`host.os.build`*::
+
--
OS build information.
type: keyword
example: 18D109
--
*`host.os.codename`*::
+
--
OS codename, if any.
type: keyword
example: stretch
--
[[exported-fields-ibmmq]]
== ibmmq fields
ibmmq Module
[float]
=== ibmmq
[float]
=== errorlog
IBM MQ error logs
*`ibmmq.errorlog.installation`*::
+
--
This is the installation name which can be given at installation time.
Each installation of IBM MQ on UNIX, Linux, and Windows has a unique identifier known as an installation name. The installation name is used to associate things such as queue managers and configuration files with an installation.
type: keyword
--
*`ibmmq.errorlog.qmgr`*::
+
--
Name of the queue manager. Queue managers provide queuing services to applications and manage the queues that belong to them.
type: keyword
--
*`ibmmq.errorlog.arithinsert`*::
+
--
Arithmetic insert whose content varies with the error identifier (error.id).
type: keyword
--
*`ibmmq.errorlog.commentinsert`*::
+
--
Comment insert whose content varies with the error identifier (error.id).
type: keyword
--
*`ibmmq.errorlog.errordescription`*::
+
--
Description of the error as written in the IBM MQ error log.
type: text
--
*`ibmmq.errorlog.explanation`*::
+
--
Explains the error in more detail.
type: keyword
--
*`ibmmq.errorlog.action`*::
+
--
Defines what to do when the error occurs
type: keyword
--
*`ibmmq.errorlog.code`*::
+
--
Error code.
type: keyword
--
[[exported-fields-icinga]]
== Icinga fields
Icinga Module
[float]
=== icinga
[float]
=== debug
Contains fields for the Icinga debug logs.
*`icinga.debug.facility`*::
+
--
Specifies what component of Icinga logged the message.
type: keyword
--
*`icinga.debug.severity`*::
+
--
type: alias
alias to: log.level
--
*`icinga.debug.message`*::
+
--
type: alias
alias to: message
--
[float]
=== main
Contains fields for the Icinga main logs.
*`icinga.main.facility`*::
+
--
Specifies what component of Icinga logged the message.
type: keyword
--
*`icinga.main.severity`*::
+
--
type: alias
alias to: log.level
--
*`icinga.main.message`*::
+
--
type: alias
alias to: message
--
[float]
=== startup
Contains fields for the Icinga startup logs.
*`icinga.startup.facility`*::
+
--
Specifies what component of Icinga logged the message.
type: keyword
--
*`icinga.startup.severity`*::
+
--
type: alias
alias to: log.level
--
*`icinga.startup.message`*::
+
--
type: alias
alias to: message
--
[[exported-fields-iis]]
== IIS fields
Module for parsing IIS log files.
[float]
=== iis
Fields from IIS log files.
[float]
=== access
Contains fields for IIS access logs.
*`iis.access.sub_status`*::
+
--
The HTTP substatus code.
type: long
--
*`iis.access.win32_status`*::
+
--
The Windows status code.
type: long
--
*`iis.access.site_name`*::
+
--
The site name and instance number.
type: keyword
--
*`iis.access.server_name`*::
+
--
The name of the server on which the log file entry was generated.
type: keyword
--
*`iis.access.cookie`*::
+
--
The content of the cookie sent or received, if any. The value is stored verbatim, so it may contain a session identifier; restrict access to this field accordingly.
type: keyword
--
*`iis.access.body_received.bytes`*::
+
--
type: alias
alias to: http.request.body.bytes
--
*`iis.access.body_sent.bytes`*::
+
--
type: alias
alias to: http.response.body.bytes
--
*`iis.access.server_ip`*::
+
--
type: alias
alias to: destination.address
--
*`iis.access.method`*::
+
--
type: alias
alias to: http.request.method
--
*`iis.access.url`*::
+
--
type: alias
alias to: url.path
--
*`iis.access.query_string`*::
+
--
type: alias
alias to: url.query
--
*`iis.access.port`*::
+
--
type: alias
alias to: destination.port
--
*`iis.access.user_name`*::
+
--
type: alias
alias to: user.name
--
*`iis.access.remote_ip`*::
+
--
type: alias
alias to: source.address
--
*`iis.access.referrer`*::
+
--
type: alias
alias to: http.request.referrer
--
*`iis.access.response_code`*::
+
--
type: alias
alias to: http.response.status_code
--
*`iis.access.http_version`*::
+
--
type: alias
alias to: http.version
--
*`iis.access.hostname`*::
+
--
type: alias
alias to: host.hostname
--
*`iis.access.user_agent.device`*::
+
--
type: alias
alias to: user_agent.device.name
--
*`iis.access.user_agent.name`*::
+
--
type: alias
alias to: user_agent.name
--
*`iis.access.user_agent.os`*::
+
--
type: alias
alias to: user_agent.os.full_name
--
*`iis.access.user_agent.os_name`*::
+
--
type: alias
alias to: user_agent.os.name
--
*`iis.access.user_agent.original`*::
+
--
type: alias
alias to: user_agent.original
--
*`iis.access.geoip.continent_name`*::
+
--
type: alias
alias to: source.geo.continent_name
--
*`iis.access.geoip.country_iso_code`*::
+
--
type: alias
alias to: source.geo.country_iso_code
--
*`iis.access.geoip.location`*::
+
--
type: alias
alias to: source.geo.location
--
*`iis.access.geoip.region_name`*::
+
--
type: alias
alias to: source.geo.region_name
--
*`iis.access.geoip.city_name`*::
+
--
type: alias
alias to: source.geo.city_name
--
*`iis.access.geoip.region_iso_code`*::
+
--
type: alias
alias to: source.geo.region_iso_code
--
[float]
=== error
Contains fields for IIS error logs.
*`iis.error.reason_phrase`*::
+
--
The HTTP reason phrase.
type: keyword
--
*`iis.error.queue_name`*::
+
--
The IIS application pool name.
type: keyword
--
*`iis.error.remote_ip`*::
+
--
type: alias
alias to: source.address
--
*`iis.error.remote_port`*::
+
--
type: alias
alias to: source.port
--
*`iis.error.server_ip`*::
+
--
type: alias
alias to: destination.address
--
*`iis.error.server_port`*::
+
--
type: alias
alias to: destination.port
--
*`iis.error.http_version`*::
+
--
type: alias
alias to: http.version
--
*`iis.error.method`*::
+
--
type: alias
alias to: http.request.method
--
*`iis.error.url`*::
+
--
type: alias
alias to: url.original
--
*`iis.error.response_code`*::
+
--
type: alias
alias to: http.response.status_code
--
*`iis.error.geoip.continent_name`*::
+
--
type: alias
alias to: source.geo.continent_name
--
*`iis.error.geoip.country_iso_code`*::
+
--
type: alias
alias to: source.geo.country_iso_code
--
*`iis.error.geoip.location`*::
+
--
type: alias
alias to: source.geo.location
--
*`iis.error.geoip.region_name`*::
+
--
type: alias
alias to: source.geo.region_name
--
*`iis.error.geoip.city_name`*::
+
--
type: alias
alias to: source.geo.city_name
--
*`iis.error.geoip.region_iso_code`*::
+
--
type: alias
alias to: source.geo.region_iso_code
--
[[exported-fields-iptables]]
== iptables fields
Module for handling the iptables logs.
[float]
=== iptables
Fields from the iptables logs.
*`iptables.ether_type`*::
+
--
Value of the ethernet type field identifying the network layer protocol.
type: long
--
*`iptables.flow_label`*::
+
--
IPv6 flow label.
type: integer
--
*`iptables.fragment_flags`*::
+
--
IP fragment flags. A combination of CE, DF and MF.
type: keyword
--
*`iptables.fragment_offset`*::
+
--
Offset of the current IP fragment.
type: long
--
[float]
=== icmp
ICMP fields.
*`iptables.icmp.code`*::
+
--
ICMP code.
type: long
--
*`iptables.icmp.id`*::
+
--
ICMP ID.
type: long
--
*`iptables.icmp.parameter`*::
+
--
ICMP parameter.
type: long
--
*`iptables.icmp.redirect`*::
+
--
ICMP redirect address.
type: ip
--
*`iptables.icmp.seq`*::
+
--
ICMP sequence number.
type: long
--
*`iptables.icmp.type`*::
+
--
ICMP type.
type: long
--
*`iptables.id`*::
+
--
Packet identifier.
type: long
--
*`iptables.incomplete_bytes`*::
+
--
Number of incomplete bytes.
type: long
--
*`iptables.input_device`*::
+
--
Device that received the packet.
type: keyword
--
*`iptables.precedence_bits`*::
+
--
IP precedence bits.
type: short
--
*`iptables.tos`*::
+
--
IP Type of Service field.
type: long
--
*`iptables.length`*::
+
--
Packet length.
type: long
--
*`iptables.output_device`*::
+
--
Device that output the packet.
type: keyword
--
[float]
=== tcp
TCP fields.
*`iptables.tcp.flags`*::
+
--
TCP flags.
type: keyword
--
*`iptables.tcp.reserved_bits`*::
+
--
TCP reserved bits.
type: short
--
*`iptables.tcp.seq`*::
+
--
TCP sequence number.
type: long
--
*`iptables.tcp.ack`*::
+
--
TCP Acknowledgment number.
type: long
--
*`iptables.tcp.window`*::
+
--
Advertised TCP window size.
type: long
--
*`iptables.ttl`*::
+
--
Time To Live field.
type: integer
--
[float]
=== udp
UDP fields.
*`iptables.udp.length`*::
+
--
Length of the UDP header and payload.
type: long
--
[float]
=== ubiquiti
Fields for Ubiquiti network devices.
*`iptables.ubiquiti.input_zone`*::
+
--
Input zone.
type: keyword
--
*`iptables.ubiquiti.output_zone`*::
+
--
Output zone.
type: keyword
--
*`iptables.ubiquiti.rule_number`*::
+
--
The rule number within the rule set.
type: keyword
--
*`iptables.ubiquiti.rule_set`*::
+
--
The rule set name.
type: keyword
--
[[exported-fields-jolokia-autodiscover]]
== Jolokia Discovery autodiscover provider fields
Metadata from Jolokia Discovery added by the jolokia provider.
*`jolokia.agent.version`*::
+
--
Version number of jolokia agent.
type: keyword
--
*`jolokia.agent.id`*::
+
--
Each agent has a unique id which can be either provided during startup of the agent in the form of a configuration parameter or autodetected. If autodetected, the id has several parts: the IP, the process id, the hashcode of the agent and its type.
type: keyword
--
*`jolokia.server.product`*::
+
--
The container product if detected.
type: keyword
--
*`jolokia.server.version`*::
+
--
The container's version (if detected).
type: keyword
--
*`jolokia.server.vendor`*::
+
--
The vendor of the container the agent is running in.
type: keyword
--
*`jolokia.url`*::
+
--
The URL at which this agent can be contacted.
type: keyword
--
*`jolokia.secured`*::
+
--
Whether the agent was configured for authentication or not.
type: boolean
--
[[exported-fields-kafka]]
== Kafka fields
Kafka module
[float]
=== kafka
[float]
=== log
Kafka log lines.
*`kafka.log.level`*::
+
--
type: alias
alias to: log.level
--
*`kafka.log.message`*::
+
--
type: alias
alias to: message
--
*`kafka.log.component`*::
+
--
Component the log is coming from.
type: keyword
--
*`kafka.log.class`*::
+
--
Java class the log is coming from.
type: keyword
--
[float]
=== trace
Trace in the log line.
*`kafka.log.trace.class`*::
+
--
Java class the trace is coming from.
type: keyword
--
*`kafka.log.trace.message`*::
+
--
Message part of the trace.
type: text
--
[[exported-fields-kibana]]
== kibana fields
kibana Module
[float]
=== kibana
[float]
=== log
Kibana log lines.
*`kibana.log.tags`*::
+
--
Kibana logging tags.
type: keyword
--
*`kibana.log.state`*::
+
--
Current state of Kibana.
type: keyword
--
*`kibana.log.meta`*::
+
--
type: object
--
*`kibana.log.kibana.log.meta.req.headers.referer`*::
+
--
type: alias
alias to: http.request.referrer
--
*`kibana.log.kibana.log.meta.req.referer`*::
+
--
type: alias
alias to: http.request.referrer
--
*`kibana.log.kibana.log.meta.req.headers.user-agent`*::
+
--
type: alias
alias to: user_agent.original
--
*`kibana.log.kibana.log.meta.req.remoteAddress`*::
+
--
type: alias
alias to: source.address
--
*`kibana.log.kibana.log.meta.req.url`*::
+
--
type: alias
alias to: url.original
--
*`kibana.log.kibana.log.meta.statusCode`*::
+
--
type: alias
alias to: http.response.status_code
--
*`kibana.log.kibana.log.meta.method`*::
+
--
type: alias
alias to: http.request.method
--
[[exported-fields-kubernetes-processor]]
== Kubernetes fields
Kubernetes metadata added by the kubernetes processor
*`kubernetes.pod.name`*::
+
--
Kubernetes pod name
type: keyword
--
*`kubernetes.pod.uid`*::
+
--
Kubernetes Pod UID
type: keyword
--
*`kubernetes.namespace`*::
+
--
Kubernetes namespace
type: keyword
--
*`kubernetes.node.name`*::
+
--
Kubernetes node name
type: keyword
--
*`kubernetes.labels.*`*::
+
--
Kubernetes labels map
type: object
--
*`kubernetes.annotations.*`*::
+
--
Kubernetes annotations map
type: object
--
*`kubernetes.replicaset.name`*::
+
--
Kubernetes replicaset name
type: keyword
--
*`kubernetes.deployment.name`*::
+
--
Kubernetes deployment name
type: keyword
--
*`kubernetes.statefulset.name`*::
+
--
Kubernetes statefulset name
type: keyword
--
*`kubernetes.container.name`*::
+
--
Kubernetes container name
type: keyword
--
*`kubernetes.container.image`*::
+
--
Kubernetes container image
type: keyword
--
[[exported-fields-log]]
== Log file content fields
Contains log file lines.
*`log.file.path`*::
+
--
The file from which the line was read. This field contains the absolute path to the file. For example: `/var/log/system.log`.
type: keyword
required: False
--
*`log.source.address`*::
+
--
Source address from which the log event was read or sent.
type: keyword
required: False
--
*`log.offset`*::
+
--
The file offset the reported line starts at.
type: long
required: False
--
*`stream`*::
+
--
Log stream when reading container logs, can be 'stdout' or 'stderr'
type: keyword
required: False
--
*`input.type`*::
+
--
The input type from which the event was generated. This field is set to the value specified for the `type` option in the input section of the Filebeat config file.
required: True
--
*`syslog.facility`*::
+
--
The facility extracted from the priority.
type: long
required: False
--
*`syslog.priority`*::
+
--
The priority of the syslog event.
type: long
required: False
--
*`syslog.severity_label`*::
+
--
The human readable severity.
type: keyword
required: False
--
*`syslog.facility_label`*::
+
--
The human readable facility.
type: keyword
required: False
--
*`process.program`*::
+
--
The name of the program.
type: keyword
required: False
--
*`log.flags`*::
+
--
This field contains the flags of the event.
--
*`http.response.content_length`*::
+
--
type: alias
alias to: http.response.body.bytes
--
*`user_agent.os.full_name`*::
+
--
type: keyword
--
*`fileset.name`*::
+
--
The Filebeat fileset that generated this event.
type: keyword
--
*`fileset.module`*::
+
--
type: alias
alias to: event.module
--
*`read_timestamp`*::
+
--
type: alias
alias to: event.created
--
*`docker.attrs`*::
+
--
docker.attrs contains labels and environment variables written by docker's JSON File logging driver. These fields are only available when they are configured in the logging driver options.
type: object
--
*`icmp.code`*::
+
--
ICMP code.
type: keyword
--
*`icmp.type`*::
+
--
ICMP type.
type: keyword
--
*`igmp.type`*::
+
--
IGMP type.
type: keyword
--
*`kafka.topic`*::
+
--
Kafka topic
type: keyword
--
*`kafka.partition`*::
+
--
Kafka partition number
type: long
--
*`kafka.offset`*::
+
--
Kafka offset of this message
type: long
--
*`kafka.key`*::
+
--
Kafka key, corresponding to the Kafka value stored in the message
type: keyword
--
*`kafka.block_timestamp`*::
+
--
Kafka outer (compressed) block timestamp
type: date
--
*`kafka.headers`*::
+
--
An array of Kafka header strings for this message, in the form "<key>: <value>".
type: array
--
[[exported-fields-logstash]]
== logstash fields
logstash Module
[float]
=== logstash
[float]
=== log
Fields from the Logstash logs.
*`logstash.log.module`*::
+
--
The module or class where the event originates.
type: keyword
--
*`logstash.log.thread`*::
+
--
Information about the running thread where the log originates.
type: keyword
--
*`logstash.log.thread.text`*::
+
--
type: text
--
*`logstash.log.log_event`*::
+
--
key and value debugging information.
type: object
--
*`logstash.log.message`*::
+
--
type: alias
alias to: message
--
*`logstash.log.level`*::
+
--
type: alias
alias to: log.level
--
[float]
=== slowlog
slowlog
*`logstash.slowlog.module`*::
+
--
The module or class where the event originates.
type: keyword
--
*`logstash.slowlog.thread`*::
+
--
Information about the running thread where the log originates.
type: keyword
--
*`logstash.slowlog.thread.text`*::
+
--
type: text
--
*`logstash.slowlog.event`*::
+
--
Raw dump of the original event
type: keyword
--
*`logstash.slowlog.event.text`*::
+
--
type: text
--
*`logstash.slowlog.plugin_name`*::
+
--
Name of the plugin
type: keyword
--
*`logstash.slowlog.plugin_type`*::
+
--
Type of the plugin: Inputs, Filters, Outputs or Codecs.
type: keyword
--
*`logstash.slowlog.took_in_millis`*::
+
--
Execution time for the plugin in milliseconds.
type: long
--
*`logstash.slowlog.plugin_params`*::
+
--
String value of the plugin configuration
type: keyword
--
*`logstash.slowlog.plugin_params.text`*::
+
--
type: text
--
*`logstash.slowlog.plugin_params_object`*::
+
--
key -> value of the configuration used by the plugin.
type: object
--
*`logstash.slowlog.level`*::
+
--
type: alias
alias to: log.level
--
*`logstash.slowlog.took_in_nanos`*::
+
--
type: alias
alias to: event.duration
--
[[exported-fields-mongodb]]
== mongodb fields
Module for parsing MongoDB log files.
[float]
=== mongodb
Fields from MongoDB logs.
[float]
=== log
Contains fields from MongoDB logs.
*`mongodb.log.component`*::
+
--
Functional categorization of message
type: keyword
example: COMMAND
--
*`mongodb.log.context`*::
+
--
Context of message
type: keyword
example: initandlisten
--
*`mongodb.log.severity`*::
+
--
type: alias
alias to: log.level
--
*`mongodb.log.message`*::
+
--
type: alias
alias to: message
--
[[exported-fields-mssql]]
== mssql fields
MS SQL Filebeat Module
[float]
=== mssql
Fields from the MSSQL log files
[float]
=== log
Common log fields
*`mssql.log.origin`*::
+
--
Origin of the message, usually the server but it can also be a recovery process
type: keyword
--
[[exported-fields-mysql]]
== MySQL fields
Module for parsing the MySQL log files.
[float]
=== mysql
Fields from the MySQL log files.
*`mysql.thread_id`*::
+
--
The connection or thread ID for the query.
type: long
--
[float]
=== error
Contains fields from the MySQL error logs.
*`mysql.error.thread_id`*::
+
--
type: alias
alias to: mysql.thread_id
--
*`mysql.error.level`*::
+
--
type: alias
alias to: log.level
--
*`mysql.error.message`*::
+
--
type: alias
alias to: message
--
[float]
=== slowlog
Contains fields from the MySQL slow logs.
*`mysql.slowlog.lock_time.sec`*::
+
--
The amount of time the query waited for the lock to be available. The value is in seconds, as a floating point number.
type: float
--
*`mysql.slowlog.rows_sent`*::
+
--
The number of rows returned by the query.
type: long
--
*`mysql.slowlog.rows_examined`*::
+
--
The number of rows scanned by the query.
type: long
--
*`mysql.slowlog.rows_affected`*::
+
--
The number of rows modified by the query.
type: long
--
*`mysql.slowlog.bytes_sent`*::
+
--
The number of bytes sent to client.
type: long
format: bytes
--
*`mysql.slowlog.bytes_received`*::
+
--
The number of bytes received from client.
type: long
format: bytes
--
*`mysql.slowlog.query`*::
+
--
The slow query.
--
*`mysql.slowlog.id`*::
+
--
type: alias
alias to: mysql.thread_id
--
*`mysql.slowlog.schema`*::
+
--
The schema where the slow query was executed.
type: keyword
--
*`mysql.slowlog.current_user`*::
+
--
Current authenticated user, used to determine access privileges. Can differ from the value of `mysql.slowlog.user`.
type: keyword
--
*`mysql.slowlog.last_errno`*::
+
--
Last SQL error seen.
type: keyword
--
*`mysql.slowlog.killed`*::
+
--
Code of the reason if the query was killed.
type: keyword
--
*`mysql.slowlog.query_cache_hit`*::
+
--
Whether the query cache was hit.
type: boolean
--
*`mysql.slowlog.tmp_table`*::
+
--
Whether a temporary table was used to resolve the query.
type: boolean
--
*`mysql.slowlog.tmp_table_on_disk`*::
+
--
Whether the query needed temporary tables on disk.
type: boolean
--
*`mysql.slowlog.tmp_tables`*::
+
--
Number of temporary tables created for this query
type: long
--
*`mysql.slowlog.tmp_disk_tables`*::
+
--
Number of temporary tables created on disk for this query.
type: long
--
*`mysql.slowlog.tmp_table_sizes`*::
+
--
Size of temporary tables created for this query.
type: long
format: bytes
--
*`mysql.slowlog.filesort`*::
+
--
Whether filesort optimization was used.
type: boolean
--
*`mysql.slowlog.filesort_on_disk`*::
+
--
Whether filesort optimization was used and it needed temporary tables on disk.
type: boolean
--
*`mysql.slowlog.priority_queue`*::
+
--
Whether a priority queue was used for filesort.
type: boolean
--
*`mysql.slowlog.full_scan`*::
+
--
Whether a full table scan was needed for the slow query.
type: boolean
--
*`mysql.slowlog.full_join`*::
+
--
Whether a full join was needed for the slow query (no indexes were used for joins).
type: boolean
--
*`mysql.slowlog.merge_passes`*::
+
--
Number of merge passes executed for the query.
type: long
--
*`mysql.slowlog.sort_merge_passes`*::
+
--
Number of merge passes that the sort algorithm has had to do.
type: long
--
*`mysql.slowlog.sort_range_count`*::
+
--
Number of sorts that were done using ranges.
type: long
--
*`mysql.slowlog.sort_rows`*::
+
--
Number of sorted rows.
type: long
--
*`mysql.slowlog.sort_scan_count`*::
+
--
Number of sorts that were done by scanning the table.
type: long
--
*`mysql.slowlog.log_slow_rate_type`*::
+
--
Type of slow log rate limit, it can be `session` if the rate limit is applied per session, or `query` if it applies per query.
type: keyword
--
*`mysql.slowlog.log_slow_rate_limit`*::
+
--
Slow log rate limit, a value of 100 means that one in a hundred queries or sessions are being logged.
type: keyword
--
*`mysql.slowlog.read_first`*::
+
--
The number of times the first entry in an index was read.
type: long
--
*`mysql.slowlog.read_last`*::
+
--
The number of times the last key in an index was read.
type: long
--
*`mysql.slowlog.read_key`*::
+
--
The number of requests to read a row based on a key.
type: long
--
*`mysql.slowlog.read_next`*::
+
--
The number of requests to read the next row in key order.
type: long
--
*`mysql.slowlog.read_prev`*::
+
--
The number of requests to read the previous row in key order.
type: long
--
*`mysql.slowlog.read_rnd`*::
+
--
The number of requests to read a row based on a fixed position.
type: long
--
*`mysql.slowlog.read_rnd_next`*::
+
--
The number of requests to read the next row in the data file.
type: long
--
[float]
=== innodb
Contains fields relative to InnoDB engine
*`mysql.slowlog.innodb.trx_id`*::
+
--
Transaction ID
type: keyword
--
*`mysql.slowlog.innodb.io_r_ops`*::
+
--
Number of page read operations.
type: long
--
*`mysql.slowlog.innodb.io_r_bytes`*::
+
--
Bytes read during page read operations.
type: long
format: bytes
--
*`mysql.slowlog.innodb.io_r_wait.sec`*::
+
--
How long it took to read all needed data from storage.
type: long
--
*`mysql.slowlog.innodb.rec_lock_wait.sec`*::
+
--
How long the query waited for locks.
type: long
--
*`mysql.slowlog.innodb.queue_wait.sec`*::
+
--
How long the query waited to enter the InnoDB queue and to be executed once in the queue.
type: long
--
*`mysql.slowlog.innodb.pages_distinct`*::
+
--
Approximated count of pages accessed to execute the query.
type: long
--
*`mysql.slowlog.user`*::
+
--
type: alias
alias to: user.name
--
*`mysql.slowlog.host`*::
+
--
type: alias
alias to: source.domain
--
*`mysql.slowlog.ip`*::
+
--
type: alias
alias to: source.ip
--
[[exported-fields-nats]]
== nats fields
Module for parsing NATS log files.
[float]
=== nats
Fields from NATS logs.
[float]
=== log
Nats log files
[float]
=== client
Fields from NATS logs client.
*`nats.log.client.id`*::
+
--
The id of the client
type: integer
--
[float]
=== msg
Fields from NATS logs message.
*`nats.log.msg.bytes`*::
+
--
Size of the payload in bytes
type: long
format: bytes
--
*`nats.log.msg.type`*::
+
--
The protocol message type
type: keyword
--
*`nats.log.msg.subject`*::
+
--
Subject name this message was received on
type: keyword
--
*`nats.log.msg.sid`*::
+
--
The unique alphanumeric subscription ID of the subject
type: integer
--
*`nats.log.msg.reply_to`*::
+
--
The inbox subject on which the publisher is listening for responses
type: keyword
--
*`nats.log.msg.max_messages`*::
+
--
An optional number of messages to wait for before automatically unsubscribing
type: integer
--
*`nats.log.msg.error.message`*::
+
--
Details about the error that occurred.
type: text
--
*`nats.log.msg.queue_group`*::
+
--
The queue group that the subscriber will join.
type: text
--
[[exported-fields-netflow]]
== NetFlow fields
Fields from NetFlow and IPFIX flows.
[float]
=== netflow
Fields from NetFlow and IPFIX.
*`netflow.type`*::
+
--
The type of NetFlow record described by this event.
type: keyword
--
[float]
=== exporter
Metadata related to the exporter device that generated this record.
*`netflow.exporter.address`*::
+
--
Exporter's network address in IP:port format.
type: keyword
--
*`netflow.exporter.source_id`*::
+
--
Observation domain ID to which this record belongs.
type: long
--
*`netflow.exporter.timestamp`*::
+
--
Time and date of export.
type: date
--
*`netflow.exporter.uptime_millis`*::
+
--
How long the exporter process has been running, in milliseconds.
type: long
--
*`netflow.exporter.version`*::
+
--
NetFlow version used.
type: integer
--
*`netflow.octet_delta_count`*::
+
--
type: long
--
*`netflow.packet_delta_count`*::
+
--
type: long
--
*`netflow.delta_flow_count`*::
+
--
type: long
--
*`netflow.protocol_identifier`*::
+
--
type: short
--
*`netflow.ip_class_of_service`*::
+
--
type: short
--
*`netflow.tcp_control_bits`*::
+
--
type: integer
--
*`netflow.source_transport_port`*::
+
--
type: integer
--
*`netflow.source_ipv4_address`*::
+
--
type: ip
--
*`netflow.source_ipv4_prefix_length`*::
+
--
type: short
--
*`netflow.ingress_interface`*::
+
--
type: long
--
*`netflow.destination_transport_port`*::
+
--
type: integer
--
*`netflow.destination_ipv4_address`*::
+
--
type: ip
--
*`netflow.destination_ipv4_prefix_length`*::
+
--
type: short
--
*`netflow.egress_interface`*::
+
--
type: long
--
*`netflow.ip_next_hop_ipv4_address`*::
+
--
type: ip
--
*`netflow.bgp_source_as_number`*::
+
--
type: long
--
*`netflow.bgp_destination_as_number`*::
+
--
type: long
--
*`netflow.bgp_next_hop_ipv4_address`*::
+
--
type: ip
--
*`netflow.post_mcast_packet_delta_count`*::
+
--
type: long
--
*`netflow.post_mcast_octet_delta_count`*::
+
--
type: long
--
*`netflow.flow_end_sys_up_time`*::
+
--
type: long
--
*`netflow.flow_start_sys_up_time`*::
+
--
type: long
--
*`netflow.post_octet_delta_count`*::
+
--
type: long
--
*`netflow.post_packet_delta_count`*::
+
--
type: long
--
*`netflow.minimum_ip_total_length`*::
+
--
type: long
--
*`netflow.maximum_ip_total_length`*::
+
--
type: long
--
*`netflow.source_ipv6_address`*::
+
--
type: ip
--
*`netflow.destination_ipv6_address`*::
+
--
type: ip
--
*`netflow.source_ipv6_prefix_length`*::
+
--
type: short
--
*`netflow.destination_ipv6_prefix_length`*::
+
--
type: short
--
*`netflow.flow_label_ipv6`*::
+
--
type: long
--
*`netflow.icmp_type_code_ipv4`*::
+
--
type: integer
--
*`netflow.igmp_type`*::
+
--
type: short
--
*`netflow.sampling_interval`*::
+
--
type: long
--
*`netflow.sampling_algorithm`*::
+
--
type: short
--
*`netflow.flow_active_timeout`*::
+
--
type: integer
--
*`netflow.flow_idle_timeout`*::
+
--
type: integer
--
*`netflow.engine_type`*::
+
--
type: short
--
*`netflow.engine_id`*::
+
--
type: short
--
*`netflow.exported_octet_total_count`*::
+
--
type: long
--
*`netflow.exported_message_total_count`*::
+
--
type: long
--
*`netflow.exported_flow_record_total_count`*::
+
--
type: long
--
*`netflow.ipv4_router_sc`*::
+
--
type: ip
--
*`netflow.source_ipv4_prefix`*::
+
--
type: ip
--
*`netflow.destination_ipv4_prefix`*::
+
--
type: ip
--
*`netflow.mpls_top_label_type`*::
+
--
type: short
--
*`netflow.mpls_top_label_ipv4_address`*::
+
--
type: ip
--
*`netflow.sampler_id`*::
+
--
type: short
--
*`netflow.sampler_mode`*::
+
--
type: short
--
*`netflow.sampler_random_interval`*::
+
--
type: long
--
*`netflow.class_id`*::
+
--
type: short
--
*`netflow.minimum_ttl`*::
+
--
type: short
--
*`netflow.maximum_ttl`*::
+
--
type: short
--
*`netflow.fragment_identification`*::
+
--
type: long
--
*`netflow.post_ip_class_of_service`*::
+
--
type: short
--
*`netflow.source_mac_address`*::
+
--
type: keyword
--
*`netflow.post_destination_mac_address`*::
+
--
type: keyword
--
*`netflow.vlan_id`*::
+
--
type: integer
--
*`netflow.post_vlan_id`*::
+
--
type: integer
--
*`netflow.ip_version`*::
+
--
type: short
--
*`netflow.flow_direction`*::
+
--
type: short
--
*`netflow.ip_next_hop_ipv6_address`*::
+
--
type: ip
--
*`netflow.bgp_next_hop_ipv6_address`*::
+
--
type: ip
--
*`netflow.ipv6_extension_headers`*::
+
--
type: long
--
*`netflow.mpls_top_label_stack_section`*::
+
--
type: short
--
*`netflow.mpls_label_stack_section2`*::
+
--
type: short
--
*`netflow.mpls_label_stack_section3`*::
+
--
type: short
--
*`netflow.mpls_label_stack_section4`*::
+
--
type: short
--
*`netflow.mpls_label_stack_section5`*::
+
--
type: short
--
*`netflow.mpls_label_stack_section6`*::
+
--
type: short
--
*`netflow.mpls_label_stack_section7`*::
+
--
type: short
--
*`netflow.mpls_label_stack_section8`*::
+
--
type: short
--
*`netflow.mpls_label_stack_section9`*::
+
--
type: short
--
*`netflow.mpls_label_stack_section10`*::
+
--
type: short
--
*`netflow.destination_mac_address`*::
+
--
type: keyword
--
*`netflow.post_source_mac_address`*::
+
--
type: keyword
--
*`netflow.interface_name`*::
+
--
type: keyword
--
*`netflow.interface_description`*::
+
--
type: keyword
--
*`netflow.sampler_name`*::
+
--
type: keyword
--
*`netflow.octet_total_count`*::
+
--
type: long
--
*`netflow.packet_total_count`*::
+
--
type: long
--
*`netflow.flags_and_sampler_id`*::
+
--
type: long
--
*`netflow.fragment_offset`*::
+
--
type: integer
--
*`netflow.forwarding_status`*::
+
--
type: short
--
*`netflow.mpls_vpn_route_distinguisher`*::
+
--
type: short
--
*`netflow.mpls_top_label_prefix_length`*::
+
--
type: short
--
*`netflow.src_traffic_index`*::
+
--
type: long
--
*`netflow.dst_traffic_index`*::
+
--
type: long
--
*`netflow.application_description`*::
+
--
type: keyword
--
*`netflow.application_id`*::
+
--
type: short
--
*`netflow.application_name`*::
+
--
type: keyword
--
*`netflow.post_ip_diff_serv_code_point`*::
+
--
type: short
--
*`netflow.multicast_replication_factor`*::
+
--
type: long
--
*`netflow.class_name`*::
+
--
type: keyword
--
*`netflow.classification_engine_id`*::
+
--
type: short
--
*`netflow.layer2packet_section_offset`*::
+
--
type: integer
--
*`netflow.layer2packet_section_size`*::
+
--
type: integer
--
*`netflow.layer2packet_section_data`*::
+
--
type: short
--
*`netflow.bgp_next_adjacent_as_number`*::
+
--
type: long
--
*`netflow.bgp_prev_adjacent_as_number`*::
+
--
type: long
--
*`netflow.exporter_ipv4_address`*::
+
--
type: ip
--
*`netflow.exporter_ipv6_address`*::
+
--
type: ip
--
*`netflow.dropped_octet_delta_count`*::
+
--
type: long
--
*`netflow.dropped_packet_delta_count`*::
+
--
type: long
--
*`netflow.dropped_octet_total_count`*::
+
--
type: long
--
*`netflow.dropped_packet_total_count`*::
+
--
type: long
--
*`netflow.flow_end_reason`*::
+
--
type: short
--
*`netflow.common_properties_id`*::
+
--
type: long
--
*`netflow.observation_point_id`*::
+
--
type: long
--
*`netflow.icmp_type_code_ipv6`*::
+
--
type: integer
--
*`netflow.mpls_top_label_ipv6_address`*::
+
--
type: ip
--
*`netflow.line_card_id`*::
+
--
type: long
--
*`netflow.port_id`*::
+
--
type: long
--
*`netflow.metering_process_id`*::
+
--
type: long
--
*`netflow.exporting_process_id`*::
+
--
type: long
--
*`netflow.template_id`*::
+
--
type: integer
--
*`netflow.wlan_channel_id`*::
+
--
type: short
--
*`netflow.wlan_ssid`*::
+
--
type: keyword
--
*`netflow.flow_id`*::
+
--
type: long
--
*`netflow.observation_domain_id`*::
+
--
type: long
--
*`netflow.flow_start_seconds`*::
+
--
type: date
--
*`netflow.flow_end_seconds`*::
+
--
type: date
--
*`netflow.flow_start_milliseconds`*::
+
--
type: date
--
*`netflow.flow_end_milliseconds`*::
+
--
type: date
--
*`netflow.flow_start_microseconds`*::
+
--
type: date
--
*`netflow.flow_end_microseconds`*::
+
--
type: date
--
*`netflow.flow_start_nanoseconds`*::
+
--
type: date
--
*`netflow.flow_end_nanoseconds`*::
+
--
type: date
--
*`netflow.flow_start_delta_microseconds`*::
+
--
type: long
--
*`netflow.flow_end_delta_microseconds`*::
+
--
type: long
--
*`netflow.system_init_time_milliseconds`*::
+
--
type: date
--
*`netflow.flow_duration_milliseconds`*::
+
--
type: long
--
*`netflow.flow_duration_microseconds`*::
+
--
type: long
--
*`netflow.observed_flow_total_count`*::
+
--
type: long
--
*`netflow.ignored_packet_total_count`*::
+
--
type: long
--
*`netflow.ignored_octet_total_count`*::
+
--
type: long
--
*`netflow.not_sent_flow_total_count`*::
+
--
type: long
--
*`netflow.not_sent_packet_total_count`*::
+
--
type: long
--
*`netflow.not_sent_octet_total_count`*::
+
--
type: long
--
*`netflow.destination_ipv6_prefix`*::
+
--
type: ip
--
*`netflow.source_ipv6_prefix`*::
+
--
type: ip
--
*`netflow.post_octet_total_count`*::
+
--
type: long
--
*`netflow.post_packet_total_count`*::
+
--
type: long
--
*`netflow.flow_key_indicator`*::
+
--
type: long
--
*`netflow.post_mcast_packet_total_count`*::
+
--
type: long
--
*`netflow.post_mcast_octet_total_count`*::
+
--
type: long
--
*`netflow.icmp_type_ipv4`*::
+
--
type: short
--
*`netflow.icmp_code_ipv4`*::
+
--
type: short
--
*`netflow.icmp_type_ipv6`*::
+
--
type: short
--
*`netflow.icmp_code_ipv6`*::
+
--
type: short
--
*`netflow.udp_source_port`*::
+
--
type: integer
--
*`netflow.udp_destination_port`*::
+
--
type: integer
--
*`netflow.tcp_source_port`*::
+
--
type: integer
--
*`netflow.tcp_destination_port`*::
+
--
type: integer
--
*`netflow.tcp_sequence_number`*::
+
--
type: long
--
*`netflow.tcp_acknowledgement_number`*::
+
--
type: long
--
*`netflow.tcp_window_size`*::
+
--
type: integer
--
*`netflow.tcp_urgent_pointer`*::
+
--
type: integer
--
*`netflow.tcp_header_length`*::
+
--
type: short
--
*`netflow.ip_header_length`*::
+
--
type: short
--
*`netflow.total_length_ipv4`*::
+
--
type: integer
--
*`netflow.payload_length_ipv6`*::
+
--
type: integer
--
*`netflow.ip_ttl`*::
+
--
type: short
--
*`netflow.next_header_ipv6`*::
+
--
type: short
--
*`netflow.mpls_payload_length`*::
+
--
type: long
--
*`netflow.ip_diff_serv_code_point`*::
+
--
type: short
--
*`netflow.ip_precedence`*::
+
--
type: short
--
*`netflow.fragment_flags`*::
+
--
type: short
--
*`netflow.octet_delta_sum_of_squares`*::
+
--
type: long
--
*`netflow.octet_total_sum_of_squares`*::
+
--
type: long
--
*`netflow.mpls_top_label_ttl`*::
+
--
type: short
--
*`netflow.mpls_label_stack_length`*::
+
--
type: long
--
*`netflow.mpls_label_stack_depth`*::
+
--
type: long
--
*`netflow.mpls_top_label_exp`*::
+
--
type: short
--
*`netflow.ip_payload_length`*::
+
--
type: long
--
*`netflow.udp_message_length`*::
+
--
type: integer
--
*`netflow.is_multicast`*::
+
--
type: short
--
*`netflow.ipv4_ihl`*::
+
--
type: short
--
*`netflow.ipv4_options`*::
+
--
type: long
--
*`netflow.tcp_options`*::
+
--
type: long
--
*`netflow.padding_octets`*::
+
--
type: short
--
*`netflow.collector_ipv4_address`*::
+
--
type: ip
--
*`netflow.collector_ipv6_address`*::
+
--
type: ip
--
*`netflow.export_interface`*::
+
--
type: long
--
*`netflow.export_protocol_version`*::
+
--
type: short
--
*`netflow.export_transport_protocol`*::
+
--
type: short
--
*`netflow.collector_transport_port`*::
+
--
type: integer
--
*`netflow.exporter_transport_port`*::
+
--
type: integer
--
*`netflow.tcp_syn_total_count`*::
+
--
type: long
--
*`netflow.tcp_fin_total_count`*::
+
--
type: long
--
*`netflow.tcp_rst_total_count`*::
+
--
type: long
--
*`netflow.tcp_psh_total_count`*::
+
--
type: long
--
*`netflow.tcp_ack_total_count`*::
+
--
type: long
--
*`netflow.tcp_urg_total_count`*::
+
--
type: long
--
*`netflow.ip_total_length`*::
+
--
type: long
--
*`netflow.post_nat_source_ipv4_address`*::
+
--
type: ip
--
*`netflow.post_nat_destination_ipv4_address`*::
+
--
type: ip
--
*`netflow.post_napt_source_transport_port`*::
+
--
type: integer
--
*`netflow.post_napt_destination_transport_port`*::
+
--
type: integer
--
*`netflow.nat_originating_address_realm`*::
+
--
type: short
--
*`netflow.nat_event`*::
+
--
type: short
--
*`netflow.initiator_octets`*::
+
--
type: long
--
*`netflow.responder_octets`*::
+
--
type: long
--
*`netflow.firewall_event`*::
+
--
type: short
--
*`netflow.ingress_vrfid`*::
+
--
type: long
--
*`netflow.egress_vrfid`*::
+
--
type: long
--
*`netflow.vr_fname`*::
+
--
type: keyword
--
*`netflow.post_mpls_top_label_exp`*::
+
--
type: short
--
*`netflow.tcp_window_scale`*::
+
--
type: integer
--
*`netflow.biflow_direction`*::
+
--
type: short
--
*`netflow.ethernet_header_length`*::
+
--
type: short
--
*`netflow.ethernet_payload_length`*::
+
--
type: integer
--
*`netflow.ethernet_total_length`*::
+
--
type: integer
--
*`netflow.dot1q_vlan_id`*::
+
--
type: integer
--
*`netflow.dot1q_priority`*::
+
--
type: short
--
*`netflow.dot1q_customer_vlan_id`*::
+
--
type: integer
--
*`netflow.dot1q_customer_priority`*::
+
--
type: short
--
*`netflow.metro_evc_id`*::
+
--
type: keyword
--
*`netflow.metro_evc_type`*::
+
--
type: short
--
*`netflow.pseudo_wire_id`*::
+
--
type: long
--
*`netflow.pseudo_wire_type`*::
+
--
type: integer
--
*`netflow.pseudo_wire_control_word`*::
+
--
type: long
--
*`netflow.ingress_physical_interface`*::
+
--
type: long
--
*`netflow.egress_physical_interface`*::
+
--
type: long
--
*`netflow.post_dot1q_vlan_id`*::
+
--
type: integer
--
*`netflow.post_dot1q_customer_vlan_id`*::
+
--
type: integer
--
*`netflow.ethernet_type`*::
+
--
type: integer
--
*`netflow.post_ip_precedence`*::
+
--
type: short
--
*`netflow.collection_time_milliseconds`*::
+
--
type: date
--
*`netflow.export_sctp_stream_id`*::
+
--
type: integer
--
*`netflow.max_export_seconds`*::
+
--
type: date
--
*`netflow.max_flow_end_seconds`*::
+
--
type: date
--
*`netflow.message_md5_checksum`*::
+
--
type: short
--
*`netflow.message_scope`*::
+
--
type: short
--
*`netflow.min_export_seconds`*::
+
--
type: date
--
*`netflow.min_flow_start_seconds`*::
+
--
type: date
--
*`netflow.opaque_octets`*::
+
--
type: short
--
*`netflow.session_scope`*::
+
--
type: short
--
*`netflow.max_flow_end_microseconds`*::
+
--
type: date
--
*`netflow.max_flow_end_milliseconds`*::
+
--
type: date
--
*`netflow.max_flow_end_nanoseconds`*::
+
--
type: date
--
*`netflow.min_flow_start_microseconds`*::
+
--
type: date
--
*`netflow.min_flow_start_milliseconds`*::
+
--
type: date
--
*`netflow.min_flow_start_nanoseconds`*::
+
--
type: date
--
*`netflow.collector_certificate`*::
+
--
type: short
--
*`netflow.exporter_certificate`*::
+
--
type: short
--
*`netflow.data_records_reliability`*::
+
--
type: boolean
--
*`netflow.observation_point_type`*::
+
--
type: short
--
*`netflow.new_connection_delta_count`*::
+
--
type: long
--
*`netflow.connection_sum_duration_seconds`*::
+
--
type: long
--
*`netflow.connection_transaction_id`*::
+
--
type: long
--
*`netflow.post_nat_source_ipv6_address`*::
+
--
type: ip
--
*`netflow.post_nat_destination_ipv6_address`*::
+
--
type: ip
--
*`netflow.nat_pool_id`*::
+
--
type: long
--
*`netflow.nat_pool_name`*::
+
--
type: keyword
--
*`netflow.anonymization_flags`*::
+
--
type: integer
--
*`netflow.anonymization_technique`*::
+
--
type: integer
--
*`netflow.information_element_index`*::
+
--
type: integer
--
*`netflow.p2p_technology`*::
+
--
type: keyword
--
*`netflow.tunnel_technology`*::
+
--
type: keyword
--
*`netflow.encrypted_technology`*::
+
--
type: keyword
--
*`netflow.bgp_validity_state`*::
+
--
type: short
--
*`netflow.ip_sec_spi`*::
+
--
type: long
--
*`netflow.gre_key`*::
+
--
type: long
--
*`netflow.nat_type`*::
+
--
type: short
--
*`netflow.initiator_packets`*::
+
--
type: long
--
*`netflow.responder_packets`*::
+
--
type: long
--
*`netflow.observation_domain_name`*::
+
--
type: keyword
--
*`netflow.selection_sequence_id`*::
+
--
type: long
--
*`netflow.selector_id`*::
+
--
type: long
--
*`netflow.information_element_id`*::
+
--
type: integer
--
*`netflow.selector_algorithm`*::
+
--
type: integer
--
*`netflow.sampling_packet_interval`*::
+
--
type: long
--
*`netflow.sampling_packet_space`*::
+
--
type: long
--
*`netflow.sampling_time_interval`*::
+
--
type: long
--
*`netflow.sampling_time_space`*::
+
--
type: long
--
*`netflow.sampling_size`*::
+
--
type: long
--
*`netflow.sampling_population`*::
+
--
type: long
--
*`netflow.sampling_probability`*::
+
--
type: double
--
*`netflow.data_link_frame_size`*::
+
--
type: integer
--
*`netflow.ip_header_packet_section`*::
+
--
type: short
--
*`netflow.ip_payload_packet_section`*::
+
--
type: short
--
*`netflow.data_link_frame_section`*::
+
--
type: short
--
*`netflow.mpls_label_stack_section`*::
+
--
type: short
--
*`netflow.mpls_payload_packet_section`*::
+
--
type: short
--
*`netflow.selector_id_total_pkts_observed`*::
+
--
type: long
--
*`netflow.selector_id_total_pkts_selected`*::
+
--
type: long
--
*`netflow.absolute_error`*::
+
--
type: double
--
*`netflow.relative_error`*::
+
--
type: double
--
*`netflow.observation_time_seconds`*::
+
--
type: date
--
*`netflow.observation_time_milliseconds`*::
+
--
type: date
--
*`netflow.observation_time_microseconds`*::
+
--
type: date
--
*`netflow.observation_time_nanoseconds`*::
+
--
type: date
--
*`netflow.digest_hash_value`*::
+
--
type: long
--
*`netflow.hash_ip_payload_offset`*::
+
--
type: long
--
*`netflow.hash_ip_payload_size`*::
+
--
type: long
--
*`netflow.hash_output_range_min`*::
+
--
type: long
--
*`netflow.hash_output_range_max`*::
+
--
type: long
--
*`netflow.hash_selected_range_min`*::
+
--
type: long
--
*`netflow.hash_selected_range_max`*::
+
--
type: long
--
*`netflow.hash_digest_output`*::
+
--
type: boolean
--
*`netflow.hash_initialiser_value`*::
+
--
type: long
--
*`netflow.selector_name`*::
+
--
type: keyword
--
*`netflow.upper_ci_limit`*::
+
--
type: double
--
*`netflow.lower_ci_limit`*::
+
--
type: double
--
*`netflow.confidence_level`*::
+
--
type: double
--
*`netflow.information_element_data_type`*::
+
--
type: short
--
*`netflow.information_element_description`*::
+
--
type: keyword
--
*`netflow.information_element_name`*::
+
--
type: keyword
--
*`netflow.information_element_range_begin`*::
+
--
type: long
--
*`netflow.information_element_range_end`*::
+
--
type: long
--
*`netflow.information_element_semantics`*::
+
--
type: short
--
*`netflow.information_element_units`*::
+
--
type: integer
--
*`netflow.private_enterprise_number`*::
+
--
type: long
--
*`netflow.virtual_station_interface_id`*::
+
--
type: short
--
*`netflow.virtual_station_interface_name`*::
+
--
type: keyword
--
*`netflow.virtual_station_uuid`*::
+
--
type: short
--
*`netflow.virtual_station_name`*::
+
--
type: keyword
--
*`netflow.layer2_segment_id`*::
+
--
type: long
--
*`netflow.layer2_octet_delta_count`*::
+
--
type: long
--
*`netflow.layer2_octet_total_count`*::
+
--
type: long
--
*`netflow.ingress_unicast_packet_total_count`*::
+
--
type: long
--
*`netflow.ingress_multicast_packet_total_count`*::
+
--
type: long
--
*`netflow.ingress_broadcast_packet_total_count`*::
+
--
type: long
--
*`netflow.egress_unicast_packet_total_count`*::
+
--
type: long
--
*`netflow.egress_broadcast_packet_total_count`*::
+
--
type: long
--
*`netflow.monitoring_interval_start_milli_seconds`*::
+
--
type: date
--
*`netflow.monitoring_interval_end_milli_seconds`*::
+
--
type: date
--
*`netflow.port_range_start`*::
+
--
type: integer
--
*`netflow.port_range_end`*::
+
--
type: integer
--
*`netflow.port_range_step_size`*::
+
--
type: integer
--
*`netflow.port_range_num_ports`*::
+
--
type: integer
--
*`netflow.sta_mac_address`*::
+
--
type: keyword
--
*`netflow.sta_ipv4_address`*::
+
--
type: ip
--
*`netflow.wtp_mac_address`*::
+
--
type: keyword
--
*`netflow.ingress_interface_type`*::
+
--
type: long
--
*`netflow.egress_interface_type`*::
+
--
type: long
--
*`netflow.rtp_sequence_number`*::
+
--
type: integer
--
*`netflow.user_name`*::
+
--
type: keyword
--
*`netflow.application_category_name`*::
+
--
type: keyword
--
*`netflow.application_sub_category_name`*::
+
--
type: keyword
--
*`netflow.application_group_name`*::
+
--
type: keyword
--
*`netflow.original_flows_present`*::
+
--
type: long
--
*`netflow.original_flows_initiated`*::
+
--
type: long
--
*`netflow.original_flows_completed`*::
+
--
type: long
--
*`netflow.distinct_count_of_source_ip_address`*::
+
--
type: long
--
*`netflow.distinct_count_of_destination_ip_address`*::
+
--
type: long
--
*`netflow.distinct_count_of_source_ipv4_address`*::
+
--
type: long
--
*`netflow.distinct_count_of_destination_ipv4_address`*::
+
--
type: long
--
*`netflow.distinct_count_of_source_ipv6_address`*::
+
--
type: long
--
*`netflow.distinct_count_of_destination_ipv6_address`*::
+
--
type: long
--
*`netflow.value_distribution_method`*::
+
--
type: short
--
*`netflow.rfc3550_jitter_milliseconds`*::
+
--
type: long
--
*`netflow.rfc3550_jitter_microseconds`*::
+
--
type: long
--
*`netflow.rfc3550_jitter_nanoseconds`*::
+
--
type: long
--
*`netflow.dot1q_dei`*::
+
--
type: boolean
--
*`netflow.dot1q_customer_dei`*::
+
--
type: boolean
--
*`netflow.flow_selector_algorithm`*::
+
--
type: integer
--
*`netflow.flow_selected_octet_delta_count`*::
+
--
type: long
--
*`netflow.flow_selected_packet_delta_count`*::
+
--
type: long
--
*`netflow.flow_selected_flow_delta_count`*::
+
--
type: long
--
*`netflow.selector_id_total_flows_observed`*::
+
--
type: long
--
*`netflow.selector_id_total_flows_selected`*::
+
--
type: long
--
*`netflow.sampling_flow_interval`*::
+
--
type: long
--
*`netflow.sampling_flow_spacing`*::
+
--
type: long
--
*`netflow.flow_sampling_time_interval`*::
+
--
type: long
--
*`netflow.flow_sampling_time_spacing`*::
+
--
type: long
--
*`netflow.hash_flow_domain`*::
+
--
type: integer
--
*`netflow.transport_octet_delta_count`*::
+
--
type: long
--
*`netflow.transport_packet_delta_count`*::
+
--
type: long
--
*`netflow.original_exporter_ipv4_address`*::
+
--
type: ip
--
*`netflow.original_exporter_ipv6_address`*::
+
--
type: ip
--
*`netflow.original_observation_domain_id`*::
+
--
type: long
--
*`netflow.intermediate_process_id`*::
+
--
type: long
--
*`netflow.ignored_data_record_total_count`*::
+
--
type: long
--
*`netflow.data_link_frame_type`*::
+
--
type: integer
--
*`netflow.section_offset`*::
+
--
type: integer
--
*`netflow.section_exported_octets`*::
+
--
type: integer
--
*`netflow.dot1q_service_instance_tag`*::
+
--
type: short
--
*`netflow.dot1q_service_instance_id`*::
+
--
type: long
--
*`netflow.dot1q_service_instance_priority`*::
+
--
type: short
--
*`netflow.dot1q_customer_source_mac_address`*::
+
--
type: keyword
--
*`netflow.dot1q_customer_destination_mac_address`*::
+
--
type: keyword
--
*`netflow.post_layer2_octet_delta_count`*::
+
--
type: long
--
*`netflow.post_mcast_layer2_octet_delta_count`*::
+
--
type: long
--
*`netflow.post_layer2_octet_total_count`*::
+
--
type: long
--
*`netflow.post_mcast_layer2_octet_total_count`*::
+
--
type: long
--
*`netflow.minimum_layer2_total_length`*::
+
--
type: long
--
*`netflow.maximum_layer2_total_length`*::
+
--
type: long
--
*`netflow.dropped_layer2_octet_delta_count`*::
+
--
type: long
--
*`netflow.dropped_layer2_octet_total_count`*::
+
--
type: long
--
*`netflow.ignored_layer2_octet_total_count`*::
+
--
type: long
--
*`netflow.not_sent_layer2_octet_total_count`*::
+
--
type: long
--
*`netflow.layer2_octet_delta_sum_of_squares`*::
+
--
type: long
--
*`netflow.layer2_octet_total_sum_of_squares`*::
+
--
type: long
--
*`netflow.layer2_frame_delta_count`*::
+
--
type: long
--
*`netflow.layer2_frame_total_count`*::
+
--
type: long
--
*`netflow.pseudo_wire_destination_ipv4_address`*::
+
--
type: ip
--
*`netflow.ignored_layer2_frame_total_count`*::
+
--
type: long
--
*`netflow.mib_object_value_integer`*::
+
--
type: integer
--
*`netflow.mib_object_value_octet_string`*::
+
--
type: short
--
*`netflow.mib_object_value_oid`*::
+
--
type: short
--
*`netflow.mib_object_value_bits`*::
+
--
type: short
--
*`netflow.mib_object_value_ip_address`*::
+
--
type: ip
--
*`netflow.mib_object_value_counter`*::
+
--
type: long
--
*`netflow.mib_object_value_gauge`*::
+
--
type: long
--
*`netflow.mib_object_value_time_ticks`*::
+
--
type: long
--
*`netflow.mib_object_value_unsigned`*::
+
--
type: long
--
*`netflow.mib_object_identifier`*::
+
--
type: short
--
*`netflow.mib_sub_identifier`*::
+
--
type: long
--
*`netflow.mib_index_indicator`*::
+
--
type: long
--
*`netflow.mib_capture_time_semantics`*::
+
--
type: short
--
*`netflow.mib_context_engine_id`*::
+
--
type: short
--
*`netflow.mib_context_name`*::
+
--
type: keyword
--
*`netflow.mib_object_name`*::
+
--
type: keyword
--
*`netflow.mib_object_description`*::
+
--
type: keyword
--
*`netflow.mib_object_syntax`*::
+
--
type: keyword
--
*`netflow.mib_module_name`*::
+
--
type: keyword
--
*`netflow.mobile_imsi`*::
+
--
type: keyword
--
*`netflow.mobile_msisdn`*::
+
--
type: keyword
--
*`netflow.http_status_code`*::
+
--
type: integer
--
*`netflow.source_transport_ports_limit`*::
+
--
type: integer
--
*`netflow.http_request_method`*::
+
--
type: keyword
--
*`netflow.http_request_host`*::
+
--
type: keyword
--
*`netflow.http_request_target`*::
+
--
type: keyword
--
*`netflow.http_message_version`*::
+
--
type: keyword
--
*`netflow.nat_instance_id`*::
+
--
type: long
--
*`netflow.internal_address_realm`*::
+
--
type: short
--
*`netflow.external_address_realm`*::
+
--
type: short
--
*`netflow.nat_quota_exceeded_event`*::
+
--
type: long
--
*`netflow.nat_threshold_event`*::
+
--
type: long
--
*`netflow.http_user_agent`*::
+
--
type: keyword
--
*`netflow.http_content_type`*::
+
--
type: keyword
--
*`netflow.http_reason_phrase`*::
+
--
type: keyword
--
*`netflow.max_session_entries`*::
+
--
type: long
--
*`netflow.max_bib_entries`*::
+
--
type: long
--
*`netflow.max_entries_per_user`*::
+
--
type: long
--
*`netflow.max_subscribers`*::
+
--
type: long
--
*`netflow.max_fragments_pending_reassembly`*::
+
--
type: long
--
*`netflow.address_pool_high_threshold`*::
+
--
type: long
--
*`netflow.address_pool_low_threshold`*::
+
--
type: long
--
*`netflow.address_port_mapping_high_threshold`*::
+
--
type: long
--
*`netflow.address_port_mapping_low_threshold`*::
+
--
type: long
--
*`netflow.address_port_mapping_per_user_high_threshold`*::
+
--
type: long
--
*`netflow.global_address_mapping_high_threshold`*::
+
--
type: long
--
*`netflow.vpn_identifier`*::
+
--
type: short
--
[[exported-fields-netflow-module]]
== NetFlow fields
Module for receiving NetFlow and IPFIX flow records over UDP. The module does not add fields beyond what the netflow input provides.
[[exported-fields-nginx]]
== Nginx fields
Module for parsing the Nginx log files.
[float]
=== nginx
Fields from the Nginx log files.
[float]
=== access
Contains fields for the Nginx access logs.
*`nginx.access.remote_ip_list`*::
+
--
An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. The address treated as the original client is restored to `source.ip`. Note that addresses taken from `X-Forwarded-For` are supplied by the client and can be spoofed unless the header is set by a trusted proxy, so `source.ip` should only be trusted when nginx sits behind such a proxy.
type: array
--
*`nginx.access.body_sent.bytes`*::
+
--
type: alias
alias to: http.response.body.bytes
--
*`nginx.access.user_name`*::
+
--
type: alias
alias to: user.name
--
*`nginx.access.method`*::
+
--
type: alias
alias to: http.request.method
--
*`nginx.access.url`*::
+
--
type: alias
alias to: url.original
--
*`nginx.access.http_version`*::
+
--
type: alias
alias to: http.version
--
*`nginx.access.response_code`*::
+
--
type: alias
alias to: http.response.status_code
--
*`nginx.access.referrer`*::
+
--
type: alias
alias to: http.request.referrer
--
*`nginx.access.agent`*::
+
--
type: alias
alias to: user_agent.original
--
*`nginx.access.user_agent.device`*::
+
--
type: alias
alias to: user_agent.device.name
--
*`nginx.access.user_agent.name`*::
+
--
type: alias
alias to: user_agent.name
--
*`nginx.access.user_agent.os`*::
+
--
type: alias
alias to: user_agent.os.full_name
--
*`nginx.access.user_agent.os_name`*::
+
--
type: alias
alias to: user_agent.os.name
--
*`nginx.access.user_agent.original`*::
+
--
type: alias
alias to: user_agent.original
--
*`nginx.access.geoip.continent_name`*::
+
--
type: alias
alias to: source.geo.continent_name
--
*`nginx.access.geoip.country_iso_code`*::
+
--
type: alias
alias to: source.geo.country_iso_code
--
*`nginx.access.geoip.location`*::
+
--
type: alias
alias to: source.geo.location
--
*`nginx.access.geoip.region_name`*::
+
--
type: alias
alias to: source.geo.region_name
--
*`nginx.access.geoip.city_name`*::
+
--
type: alias
alias to: source.geo.city_name
--
*`nginx.access.geoip.region_iso_code`*::
+
--
type: alias
alias to: source.geo.region_iso_code
--
[float]
=== error
Contains fields for the Nginx error logs.
*`nginx.error.connection_id`*::
+
--
Connection identifier.
type: long
--
*`nginx.error.level`*::
+
--
type: alias
alias to: log.level
--
*`nginx.error.pid`*::
+
--
type: alias
alias to: process.pid
--
*`nginx.error.tid`*::
+
--
type: alias
alias to: process.thread.id
--
*`nginx.error.message`*::
+
--
type: alias
alias to: message
--
[[exported-fields-osquery]]
== Osquery fields
Fields exported by the `osquery` module
[float]
=== osquery
[float]
=== result
Common fields exported by the result metricset.
*`osquery.result.name`*::
+
--
The name of the query that generated this event.
type: keyword
--
*`osquery.result.action`*::
+
--
For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot".
type: keyword
--
*`osquery.result.host_identifier`*::
+
--
The identifier for the host on which the osquery agent is running. Normally the hostname.
type: keyword
--
*`osquery.result.unix_time`*::
+
--
Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column.
type: long
--
*`osquery.result.calendar_time`*::
+
--
String representation of the collection time, as formatted by osquery.
type: keyword
--
[[exported-fields-panw]]
== panw fields
Module for Palo Alto Networks (PAN-OS)
[float]
=== panw
Fields from the panw module.
[float]
=== panos
Fields for the Palo Alto Networks PAN-OS logs.
*`panw.panos.ruleset`*::
+
--
Name of the rule that matched this session.
type: keyword
--
[float]
=== source
Fields to extend the top-level source object.
*`panw.panos.source.zone`*::
+
--
Source zone for this session.
type: keyword
--
*`panw.panos.source.interface`*::
+
--
Source interface for this session.
type: keyword
--
[float]
=== nat
Post-NAT source address, if source NAT is performed.
*`panw.panos.source.nat.ip`*::
+
--
Post-NAT source IP.
type: ip
--
*`panw.panos.source.nat.port`*::
+
--
Post-NAT source port.
type: long
--
[float]
=== destination
Fields to extend the top-level destination object.
*`panw.panos.destination.zone`*::
+
--
Destination zone for this session.
type: keyword
--
*`panw.panos.destination.interface`*::
+
--
Destination interface for this session.
type: keyword
--
[float]
=== nat
Post-NAT destination address, if destination NAT is performed.
*`panw.panos.destination.nat.ip`*::
+
--
Post-NAT destination IP.
type: ip
--
*`panw.panos.destination.nat.port`*::
+
--
Post-NAT destination port.
type: long
--
[float]
=== network
Fields to extend the top-level network object.
*`panw.panos.network.pcap_id`*::
+
--
Packet capture ID for a threat.
type: keyword
--
*`panw.panos.network.nat.community_id`*::
+
--
Community ID flow-hash for the NAT 5-tuple.
type: keyword
--
[float]
=== file
Fields to extend the top-level file object.
*`panw.panos.file.hash`*::
+
--
Binary hash for a threat file sent to be analyzed by the WildFire service.
type: keyword
--
[float]
=== url
Fields to extend the top-level url object.
*`panw.panos.url.category`*::
+
--
For threat URLs, this is the URL category. For WildFire, it is the verdict on the file, which is one of 'malicious', 'grayware', or 'benign'.
type: keyword
--
*`panw.panos.flow_id`*::
+
--
Internal numeric identifier for each session.
type: keyword
--
*`panw.panos.sequence_number`*::
+
--
Log entry identifier that is incremented sequentially. Unique for each log type.
type: long
--
*`panw.panos.threat.resource`*::
+
--
URL or file name for a threat.
type: keyword
--
*`panw.panos.threat.id`*::
+
--
Palo Alto Networks identifier for the threat.
type: keyword
--
*`panw.panos.threat.name`*::
+
--
Palo Alto Networks name for the threat.
type: keyword
--
[[exported-fields-postgresql]]
== PostgreSQL fields
Module for parsing the PostgreSQL log files.
[float]
=== postgresql
Fields from PostgreSQL logs.
[float]
=== log
Fields from the PostgreSQL log files.
*`postgresql.log.timestamp`*::
+
--
deprecated:[7.3.0]
The timestamp from the log line.
--
*`postgresql.log.core_id`*::
+
--
Core ID.
type: long
--
*`postgresql.log.database`*::
+
--
Name of the database.
example: mydb
--
*`postgresql.log.query`*::
+
--
Query statement.
example: SELECT * FROM users;
--
*`postgresql.log.error.code`*::
+
--
Error code returned by Postgres (if any)
type: long
--
*`postgresql.log.timezone`*::
+
--
type: alias
alias to: event.timezone
--
*`postgresql.log.thread_id`*::
+
--
type: alias
alias to: process.pid
--
*`postgresql.log.user`*::
+
--
type: alias
alias to: user.name
--
*`postgresql.log.level`*::
+
--
type: alias
alias to: log.level
--
*`postgresql.log.message`*::
+
--
type: alias
alias to: message
--
[[exported-fields-process]]
== Process fields
Process metadata fields
*`process.exe`*::
+
--
type: alias
alias to: process.executable
--
[[exported-fields-rabbitmq]]
== RabbitMQ fields
RabbitMQ Module
[float]
=== rabbitmq
[float]
=== log
RabbitMQ log files
*`rabbitmq.log.pid`*::
+
--
The Erlang process id
type: keyword
example: <0.222.0>
--
[[exported-fields-redis]]
== Redis fields
Redis Module
[float]
=== redis
[float]
=== log
Redis log files
*`redis.log.role`*::
+
--
The role of the Redis instance. Can be one of `master`, `slave`, `child` (for the RDB/AOF writing child), or `sentinel`.
type: keyword
--
*`redis.log.pid`*::
+
--
type: alias
alias to: process.pid
--
*`redis.log.level`*::
+
--
type: alias
alias to: log.level
--
*`redis.log.message`*::
+
--
type: alias
alias to: message
--
[float]
=== slowlog
Slow logs are retrieved from Redis via a network connection.
*`redis.slowlog.cmd`*::
+
--
The command executed.
type: keyword
--
*`redis.slowlog.duration.us`*::
+
--
How long it took to execute the command in microseconds.
type: long
--
*`redis.slowlog.id`*::
+
--
The ID of the query.
type: long
--
*`redis.slowlog.key`*::
+
--
The key on which the command was executed.
type: keyword
--
*`redis.slowlog.args`*::
+
--
The arguments with which the command was called.
type: keyword
--
[[exported-fields-s3]]
== s3 fields
S3 fields from s3 input.
*`bucket_name`*::
+
--
Name of the S3 bucket that this log was retrieved from.
type: keyword
--
*`object_key`*::
+
--
Name (key) of the S3 object that this log was retrieved from.
type: keyword
--
[[exported-fields-santa]]
== Google Santa fields
Santa Module
[float]
=== santa
*`santa.action`*::
+
--
Action
type: keyword
example: EXEC
--
*`santa.decision`*::
+
--
Decision that santad took.
type: keyword
example: ALLOW
--
*`santa.reason`*::
+
--
Reason for the decision.
type: keyword
example: CERT
--
*`santa.mode`*::
+
--
Operating mode of Santa.
type: keyword
example: M
--
[float]
=== disk
Fields for DISKAPPEAR actions.
*`santa.disk.volume`*::
+
--
The volume name.
--
*`santa.disk.bus`*::
+
--
The disk bus protocol.
--
*`santa.disk.serial`*::
+
--
The disk serial number.
--
*`santa.disk.bsdname`*::
+
--
The disk BSD name.
example: disk1s3
--
*`santa.disk.model`*::
+
--
The disk model.
example: APPLE SSD SM0512L
--
*`santa.disk.fs`*::
+
--
The disk volume kind (filesystem type).
example: apfs
--
*`santa.disk.mount`*::
+
--
The disk volume path.
--
*`certificate.common_name`*::
+
--
Common name from code signing certificate.
type: keyword
--
*`certificate.sha256`*::
+
--
SHA256 hash of code signing certificate.
type: keyword
--
[[exported-fields-suricata]]
== Suricata fields
Module for handling the EVE JSON logs produced by Suricata.
[float]
=== suricata
Fields from the Suricata EVE log file.
[float]
=== eve
Fields exported by the EVE JSON logs
*`suricata.eve.event_type`*::
+
--
type: keyword
--
*`suricata.eve.app_proto_orig`*::
+
--
type: keyword
--
*`suricata.eve.tcp.tcp_flags`*::
+
--
type: keyword
--
*`suricata.eve.tcp.psh`*::
+
--
type: boolean
--
*`suricata.eve.tcp.tcp_flags_tc`*::
+
--
type: keyword
--
*`suricata.eve.tcp.ack`*::
+
--
type: boolean
--
*`suricata.eve.tcp.syn`*::
+
--
type: boolean
--
*`suricata.eve.tcp.state`*::
+
--
type: keyword
--
*`suricata.eve.tcp.tcp_flags_ts`*::
+
--
type: keyword
--
*`suricata.eve.tcp.rst`*::
+
--
type: boolean
--
*`suricata.eve.tcp.fin`*::
+
--
type: boolean
--
*`suricata.eve.fileinfo.sha1`*::
+
--
type: keyword
--
*`suricata.eve.fileinfo.filename`*::
+
--
type: alias
alias to: file.path
--
*`suricata.eve.fileinfo.tx_id`*::
+
--
type: long
--
*`suricata.eve.fileinfo.state`*::
+
--
type: keyword
--
*`suricata.eve.fileinfo.stored`*::
+
--
type: boolean
--
*`suricata.eve.fileinfo.gaps`*::
+
--
type: boolean
--
*`suricata.eve.fileinfo.sha256`*::
+
--
type: keyword
--
*`suricata.eve.fileinfo.md5`*::
+
--
type: keyword
--
*`suricata.eve.fileinfo.size`*::
+
--
type: alias
alias to: file.size
--
*`suricata.eve.icmp_type`*::
+
--
type: long
--
*`suricata.eve.dest_port`*::
+
--
type: alias
alias to: destination.port
--
*`suricata.eve.src_port`*::
+
--
type: alias
alias to: source.port
--
*`suricata.eve.proto`*::
+
--
type: alias
alias to: network.transport
--
*`suricata.eve.pcap_cnt`*::
+
--
type: long
--
*`suricata.eve.src_ip`*::
+
--
type: alias
alias to: source.ip
--
*`suricata.eve.dns.type`*::
+
--
type: keyword
--
*`suricata.eve.dns.rrtype`*::
+
--
type: keyword
--
*`suricata.eve.dns.rrname`*::
+
--
type: keyword
--
*`suricata.eve.dns.rdata`*::
+
--
type: keyword
--
*`suricata.eve.dns.tx_id`*::
+
--
type: long
--
*`suricata.eve.dns.ttl`*::
+
--
type: long
--
*`suricata.eve.dns.rcode`*::
+
--
type: keyword
--
*`suricata.eve.dns.id`*::
+
--
type: long
--
*`suricata.eve.flow_id`*::
+
--
type: keyword
--
*`suricata.eve.email.status`*::
+
--
type: keyword
--
*`suricata.eve.dest_ip`*::
+
--
type: alias
alias to: destination.ip
--
*`suricata.eve.icmp_code`*::
+
--
type: long
--
*`suricata.eve.http.status`*::
+
--
type: alias
alias to: http.response.status_code
--
*`suricata.eve.http.redirect`*::
+
--
type: keyword
--
*`suricata.eve.http.http_user_agent`*::
+
--
type: alias
alias to: user_agent.original
--
*`suricata.eve.http.protocol`*::
+
--
type: keyword
--
*`suricata.eve.http.http_refer`*::
+
--
type: alias
alias to: http.request.referrer
--
*`suricata.eve.http.url`*::
+
--
type: alias
alias to: url.original
--
*`suricata.eve.http.hostname`*::
+
--
type: alias
alias to: url.domain
--
*`suricata.eve.http.length`*::
+
--
type: alias
alias to: http.response.body.bytes
--
*`suricata.eve.http.http_method`*::
+
--
type: alias
alias to: http.request.method
--
*`suricata.eve.http.http_content_type`*::
+
--
type: keyword
--
*`suricata.eve.timestamp`*::
+
--
type: alias
alias to: @timestamp
--
*`suricata.eve.in_iface`*::
+
--
type: keyword
--
*`suricata.eve.alert.category`*::
+
--
type: keyword
--
*`suricata.eve.alert.severity`*::
+
--
type: alias
alias to: event.severity
--
*`suricata.eve.alert.rev`*::
+
--
type: long
--
*`suricata.eve.alert.gid`*::
+
--
type: long
--
*`suricata.eve.alert.signature`*::
+
--
type: keyword
--
*`suricata.eve.alert.action`*::
+
--
type: alias
alias to: event.outcome
--
*`suricata.eve.alert.signature_id`*::
+
--
type: long
--
*`suricata.eve.ssh.client.proto_version`*::
+
--
type: keyword
--
*`suricata.eve.ssh.client.software_version`*::
+
--
type: keyword
--
*`suricata.eve.ssh.server.proto_version`*::
+
--
type: keyword
--
*`suricata.eve.ssh.server.software_version`*::
+
--
type: keyword
--
*`suricata.eve.stats.capture.kernel_packets`*::
+
--
type: long
--
*`suricata.eve.stats.capture.kernel_drops`*::
+
--
type: long
--
*`suricata.eve.stats.capture.kernel_ifdrops`*::
+
--
type: long
--
*`suricata.eve.stats.uptime`*::
+
--
type: long
--
*`suricata.eve.stats.detect.alert`*::
+
--
type: long
--
*`suricata.eve.stats.http.memcap`*::
+
--
type: long
--
*`suricata.eve.stats.http.memuse`*::
+
--
type: long
--
*`suricata.eve.stats.file_store.open_files`*::
+
--
type: long
--
*`suricata.eve.stats.defrag.max_frag_hits`*::
+
--
type: long
--
*`suricata.eve.stats.defrag.ipv4.timeouts`*::
+
--
type: long
--
*`suricata.eve.stats.defrag.ipv4.fragments`*::
+
--
type: long
--
*`suricata.eve.stats.defrag.ipv4.reassembled`*::
+
--
type: long
--
*`suricata.eve.stats.defrag.ipv6.timeouts`*::
+
--
type: long
--
*`suricata.eve.stats.defrag.ipv6.fragments`*::
+
--
type: long
--
*`suricata.eve.stats.defrag.ipv6.reassembled`*::
+
--
type: long
--
*`suricata.eve.stats.flow.tcp_reuse`*::
+
--
type: long
--
*`suricata.eve.stats.flow.udp`*::
+
--
type: long
--
*`suricata.eve.stats.flow.memcap`*::
+
--
type: long
--
*`suricata.eve.stats.flow.emerg_mode_entered`*::
+
--
type: long
--
*`suricata.eve.stats.flow.emerg_mode_over`*::
+
--
type: long
--
*`suricata.eve.stats.flow.tcp`*::
+
--
type: long
--
*`suricata.eve.stats.flow.icmpv6`*::
+
--
type: long
--
*`suricata.eve.stats.flow.icmpv4`*::
+
--
type: long
--
*`suricata.eve.stats.flow.spare`*::
+
--
type: long
--
*`suricata.eve.stats.flow.memuse`*::
+
--
type: long
--
*`suricata.eve.stats.tcp.pseudo_failed`*::
+
--
type: long
--
*`suricata.eve.stats.tcp.ssn_memcap_drop`*::
+
--
type: long
--
*`suricata.eve.stats.tcp.insert_data_overlap_fail`*::
+
--
type: long
--
*`suricata.eve.stats.tcp.sessions`*::
+
--
type: long
--
*`suricata.eve.stats.tcp.pseudo`*::
+
--
type: long
--
*`suricata.eve.stats.tcp.synack`*::
+
--
type: long
--
*`suricata.eve.stats.tcp.insert_data_normal_fail`*::
+
--
type: long
--
*`suricata.eve.stats.tcp.syn`*::
+
--
type: long
--
*`suricata.eve.stats.tcp.memuse`*::
+
--
type: long
--
*`suricata.eve.stats.tcp.invalid_checksum`*::
+
--
type: long
--
*`suricata.eve.stats.tcp.segment_memcap_drop`*::
+
--
type: long
--
*`suricata.eve.stats.tcp.overlap`*::
+
--
type: long
--
*`suricata.eve.stats.tcp.insert_list_fail`*::
+
--
type: long
--
*`suricata.eve.stats.tcp.rst`*::
+
--
type: long
--
*`suricata.eve.stats.tcp.stream_depth_reached`*::
+
--
type: long
--
*`suricata.eve.stats.tcp.reassembly_memuse`*::
+
--
type: long
--
*`suricata.eve.stats.tcp.reassembly_gap`*::
+
--
type: long
--
*`suricata.eve.stats.tcp.overlap_diff_data`*::
+
--
type: long
--
*`suricata.eve.stats.tcp.no_flow`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.avg_pkt_size`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.bytes`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.tcp`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.raw`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.ppp`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.vlan_qinq`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.null`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.ltnull.unsupported_type`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.ltnull.pkt_too_small`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.invalid`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.gre`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.ipv4`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.ipv6`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.pkts`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.ipv6_in_ipv6`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.ipraw.invalid_ip_version`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.pppoe`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.udp`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.dce.pkt_too_small`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.vlan`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.sctp`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.max_pkt_size`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.teredo`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.mpls`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.sll`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.icmpv6`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.icmpv4`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.erspan`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.ethernet`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.ipv4_in_ipv6`*::
+
--
type: long
--
*`suricata.eve.stats.decoder.ieee8021ah`*::
+
--
type: long
--
*`suricata.eve.stats.dns.memcap_global`*::
+
--
type: long
--
*`suricata.eve.stats.dns.memcap_state`*::
+
--
type: long
--
*`suricata.eve.stats.dns.memuse`*::
+
--
type: long
--
*`suricata.eve.stats.flow_mgr.rows_busy`*::
+
--
type: long
--
*`suricata.eve.stats.flow_mgr.flows_timeout`*::
+
--
type: long
--
*`suricata.eve.stats.flow_mgr.flows_notimeout`*::
+
--
type: long
--
*`suricata.eve.stats.flow_mgr.rows_skipped`*::
+
--
type: long
--
*`suricata.eve.stats.flow_mgr.closed_pruned`*::
+
--
type: long
--
*`suricata.eve.stats.flow_mgr.new_pruned`*::
+
--
type: long
--
*`suricata.eve.stats.flow_mgr.flows_removed`*::
+
--
type: long
--
*`suricata.eve.stats.flow_mgr.bypassed_pruned`*::
+
--
type: long
--
*`suricata.eve.stats.flow_mgr.est_pruned`*::
+
--
type: long
--
*`suricata.eve.stats.flow_mgr.flows_timeout_inuse`*::
+
--
type: long
--
*`suricata.eve.stats.flow_mgr.flows_checked`*::
+
--
type: long
--
*`suricata.eve.stats.flow_mgr.rows_maxlen`*::
+
--
type: long
--
*`suricata.eve.stats.flow_mgr.rows_checked`*::
+
--
type: long
--
*`suricata.eve.stats.flow_mgr.rows_empty`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.flow.tls`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.flow.ftp`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.flow.http`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.flow.failed_udp`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.flow.dns_udp`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.flow.dns_tcp`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.flow.smtp`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.flow.failed_tcp`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.flow.msn`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.flow.ssh`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.flow.imap`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.flow.dcerpc_udp`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.flow.dcerpc_tcp`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.flow.smb`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.tx.tls`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.tx.ftp`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.tx.http`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.tx.dns_udp`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.tx.dns_tcp`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.tx.smtp`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.tx.ssh`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.tx.dcerpc_udp`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.tx.dcerpc_tcp`*::
+
--
type: long
--
*`suricata.eve.stats.app_layer.tx.smb`*::
+
--
type: long
--
*`suricata.eve.tls.notbefore`*::
+
--
type: date
--
*`suricata.eve.tls.issuerdn`*::
+
--
type: keyword
--
*`suricata.eve.tls.sni`*::
+
--
type: keyword
--
*`suricata.eve.tls.version`*::
+
--
type: keyword
--
*`suricata.eve.tls.session_resumed`*::
+
--
type: boolean
--
*`suricata.eve.tls.fingerprint`*::
+
--
type: keyword
--
*`suricata.eve.tls.serial`*::
+
--
type: keyword
--
*`suricata.eve.tls.notafter`*::
+
--
type: date
--
*`suricata.eve.tls.subject`*::
+
--
type: keyword
--
*`suricata.eve.app_proto_ts`*::
+
--
type: keyword
--
*`suricata.eve.flow.bytes_toclient`*::
+
--
type: alias
alias to: destination.bytes
--
*`suricata.eve.flow.start`*::
+
--
type: alias
alias to: event.start
--
*`suricata.eve.flow.pkts_toclient`*::
+
--
type: alias
alias to: destination.packets
--
*`suricata.eve.flow.age`*::
+
--
type: long
--
*`suricata.eve.flow.state`*::
+
--
type: keyword
--
*`suricata.eve.flow.bytes_toserver`*::
+
--
type: alias
alias to: source.bytes
--
*`suricata.eve.flow.reason`*::
+
--
type: keyword
--
*`suricata.eve.flow.pkts_toserver`*::
+
--
type: alias
alias to: source.packets
--
*`suricata.eve.flow.end`*::
+
--
type: date
--
*`suricata.eve.flow.alerted`*::
+
--
type: boolean
--
*`suricata.eve.app_proto`*::
+
--
type: alias
alias to: network.protocol
--
*`suricata.eve.tx_id`*::
+
--
type: long
--
*`suricata.eve.app_proto_tc`*::
+
--
type: keyword
--
*`suricata.eve.smtp.rcpt_to`*::
+
--
type: keyword
--
*`suricata.eve.smtp.mail_from`*::
+
--
type: keyword
--
*`suricata.eve.smtp.helo`*::
+
--
type: keyword
--
*`suricata.eve.app_proto_expected`*::
+
--
type: keyword
--
[[exported-fields-system]]
== System fields
Module for parsing system log files.
[float]
=== system
Fields from the system log files.
[float]
=== auth
Fields from the Linux authorization logs.
*`system.auth.timestamp`*::
+
--
type: alias
alias to: @timestamp
--
*`system.auth.hostname`*::
+
--
type: alias
alias to: host.hostname
--
*`system.auth.program`*::
+
--
type: alias
alias to: process.name
--
*`system.auth.pid`*::
+
--
type: alias
alias to: process.pid
--
*`system.auth.message`*::
+
--
type: alias
alias to: message
--
*`system.auth.user`*::
+
--
type: alias
alias to: user.name
--
*`system.auth.ssh.method`*::
+
--
The SSH authentication method. Can be one of "password" or "publickey".
--
*`system.auth.ssh.signature`*::
+
--
The signature of the client public key.
--
*`system.auth.ssh.dropped_ip`*::
+
--
The client IP from SSH connections that are open and immediately dropped.
type: ip
--
*`system.auth.ssh.event`*::
+
--
The SSH event as found in the logs (Accepted, Invalid, Failed, etc.)
example: Accepted
--
*`system.auth.ssh.ip`*::
+
--
type: alias
alias to: source.ip
--
*`system.auth.ssh.port`*::
+
--
type: alias
alias to: source.port
--
*`system.auth.ssh.geoip.continent_name`*::
+
--
type: alias
alias to: source.geo.continent_name
--
*`system.auth.ssh.geoip.country_iso_code`*::
+
--
type: alias
alias to: source.geo.country_iso_code
--
*`system.auth.ssh.geoip.location`*::
+
--
type: alias
alias to: source.geo.location
--
*`system.auth.ssh.geoip.region_name`*::
+
--
type: alias
alias to: source.geo.region_name
--
*`system.auth.ssh.geoip.city_name`*::
+
--
type: alias
alias to: source.geo.city_name
--
*`system.auth.ssh.geoip.region_iso_code`*::
+
--
type: alias
alias to: source.geo.region_iso_code
--
[float]
=== sudo
Fields specific to events created by the `sudo` command.
*`system.auth.sudo.error`*::
+
--
The error message in case the sudo command failed.
example: user NOT in sudoers
--
*`system.auth.sudo.tty`*::
+
--
The TTY where the sudo command is executed.
--
*`system.auth.sudo.pwd`*::
+
--
The current directory where the sudo command is executed.
--
*`system.auth.sudo.user`*::
+
--
The target user to which the sudo command is switching.
example: root
--
*`system.auth.sudo.command`*::
+
--
The command executed via sudo.
--
[float]
=== useradd
Fields specific to events created by the `useradd` command.
*`system.auth.useradd.home`*::
+
--
The home folder for the new user.
--
*`system.auth.useradd.shell`*::
+
--
The default shell for the new user.
--
*`system.auth.useradd.name`*::
+
--
type: alias
alias to: user.name
--
*`system.auth.useradd.uid`*::
+
--
type: alias
alias to: user.id
--
*`system.auth.useradd.gid`*::
+
--
type: alias
alias to: group.id
--
[float]
=== groupadd
Fields specific to events created by the `groupadd` command.
*`system.auth.groupadd.name`*::
+
--
type: alias
alias to: group.name
--
*`system.auth.groupadd.gid`*::
+
--
type: alias
alias to: group.id
--
[float]
=== syslog
Contains fields from the syslog system logs.
*`system.syslog.timestamp`*::
+
--
type: alias
alias to: @timestamp
--
*`system.syslog.hostname`*::
+
--
type: alias
alias to: host.hostname
--
*`system.syslog.program`*::
+
--
type: alias
alias to: process.name
--
*`system.syslog.pid`*::
+
--
type: alias
alias to: process.pid
--
*`system.syslog.message`*::
+
--
type: alias
alias to: message
--
[[exported-fields-traefik]]
== Traefik fields
Module for parsing the Traefik log files.
[float]
=== traefik
Fields from the Traefik log files.
[float]
=== access
Contains fields for the Traefik access logs.
*`traefik.access.user_identifier`*::
+
--
The RFC 1413 identity of the client
type: keyword
--
*`traefik.access.request_count`*::
+
--
The number of requests
type: long
--
*`traefik.access.frontend_name`*::
+
--
The name of the frontend used
type: keyword
--
*`traefik.access.backend_url`*::
+
--
The URL of the backend to which the request is forwarded
type: keyword
--
*`traefik.access.body_sent.bytes`*::
+
--
type: alias
alias to: http.response.body.bytes
--
*`traefik.access.remote_ip`*::
+
--
type: alias
alias to: source.address
--
*`traefik.access.user_name`*::
+
--
type: alias
alias to: user.name
--
*`traefik.access.method`*::
+
--
type: alias
alias to: http.request.method
--
*`traefik.access.url`*::
+
--
type: alias
alias to: url.original
--
*`traefik.access.http_version`*::
+
--
type: alias
alias to: http.version
--
*`traefik.access.response_code`*::
+
--
type: alias
alias to: http.response.status_code
--
*`traefik.access.referrer`*::
+
--
type: alias
alias to: http.request.referrer
--
*`traefik.access.agent`*::
+
--
type: alias
alias to: user_agent.original
--
*`traefik.access.user_agent.device`*::
+
--
type: alias
alias to: user_agent.device.name
--
*`traefik.access.user_agent.name`*::
+
--
type: alias
alias to: user_agent.name
--
*`traefik.access.user_agent.os`*::
+
--
type: alias
alias to: user_agent.os.full_name
--
*`traefik.access.user_agent.os_name`*::
+
--
type: alias
alias to: user_agent.os.name
--
*`traefik.access.user_agent.original`*::
+
--
type: alias
alias to: user_agent.original
--
*`traefik.access.geoip.continent_name`*::
+
--
type: alias
alias to: source.geo.continent_name
--
*`traefik.access.geoip.country_iso_code`*::
+
--
type: alias
alias to: source.geo.country_iso_code
--
*`traefik.access.geoip.location`*::
+
--
type: alias
alias to: source.geo.location
--
*`traefik.access.geoip.region_name`*::
+
--
type: alias
alias to: source.geo.region_name
--
*`traefik.access.geoip.city_name`*::
+
--
type: alias
alias to: source.geo.city_name
--
*`traefik.access.geoip.region_iso_code`*::
+
--
type: alias
alias to: source.geo.region_iso_code
--
[[exported-fields-zeek]]
== Zeek fields
Module for handling logs produced by Zeek/Bro
[float]
=== zeek
Fields from Zeek/Bro logs after normalization
*`zeek.session_id`*::
+
--
A unique identifier of the session
type: keyword
--
*`zeek.connection.local_orig`*::
+
--
Indicates whether the session was originated locally
type: boolean
--
*`zeek.connection.local_resp`*::
+
--
Indicates whether the session was responded to locally
type: boolean
--
*`zeek.connection.missed_bytes`*::
+
--
Missed bytes for the session
type: long
--
*`zeek.connection.state`*::
+
--
Flags indicating the state of the session
type: keyword
--
*`zeek.connection.history`*::
+
--
Flags indicating the history of the session
type: keyword
--
*`zeek.connection.orig_l2_addr`*::
+
--
Link-layer address of the originator, if available
type: keyword
--
*`zeek.connection.resp_l2_addr`*::
+
--
Link-layer address of the responder, if available
type: keyword
--
*`zeek.connection.vlan`*::
+
--
VLAN identifier
type: integer
--
*`zeek.connection.inner_vlan`*::
+
--
VLAN identifier
type: integer
--
*`zeek.dns.trans_id`*::
+
--
DNS transaction identifier
type: keyword
--
*`zeek.dns.rtt`*::
+
--
Round trip time for the query and response
type: double
--
*`zeek.dns.query`*::
+
--
The domain name that is the subject of the DNS query
type: keyword
--
*`zeek.dns.qclass`*::
+
--
The QCLASS value specifying the class of the query
type: long
--
*`zeek.dns.qclass_name`*::
+
--
A descriptive name for the class of the query
type: keyword
--
*`zeek.dns.qtype`*::
+
--
A QTYPE value specifying the type of the query
type: long
--
*`zeek.dns.qtype_name`*::
+
--
A descriptive name for the type of the query
type: keyword
--
*`zeek.dns.rcode`*::
+
--
The response code value in DNS response messages
type: long
--
*`zeek.dns.rcode_name`*::
+
--
A descriptive name for the response code value
type: keyword
--
*`zeek.dns.AA`*::
+
--
The Authoritative Answer bit for response messages specifies that the responding
name server is an authority for the domain name in the question section
type: boolean
--
*`zeek.dns.TC`*::
+
--
The Truncation bit specifies that the message was truncated
type: boolean
--
*`zeek.dns.RD`*::
+
--
The Recursion Desired bit in a request message indicates that the client
wants recursive service for this query
type: boolean
--
*`zeek.dns.RA`*::
+
--
The Recursion Available bit in a response message indicates that the name
server supports recursive queries.
type: boolean
--
*`zeek.dns.answers`*::
+
--
The set of resource descriptions in the query answer
type: keyword
--
*`zeek.dns.TTLs`*::
+
--
The caching intervals of the associated RRs described by the answers field
type: double
--
*`zeek.dns.rejected`*::
+
--
Indicates whether the DNS query was rejected by the server
type: boolean
--
*`zeek.dns.total_answers`*::
+
--
The total number of resource records in the reply
type: integer
--
*`zeek.dns.total_replies`*::
+
--
The total number of resource records in the reply message
type: integer
--
*`zeek.dns.saw_query`*::
+
--
Whether the full DNS query has been seen
type: boolean
--
*`zeek.dns.saw_reply`*::
+
--
Whether the full DNS reply has been seen
type: boolean
--
*`zeek.http.trans_depth`*::
+
--
Represents the pipelined depth into the connection of this request/response transaction
type: integer
--
*`zeek.http.status_msg`*::
+
--
Status message returned by the server
type: keyword
--
*`zeek.http.info_code`*::
+
--
Last seen 1xx informational reply code returned by the server.
type: integer
--
*`zeek.http.info_msg`*::
+
--
Last seen 1xx informational reply message returned by the server.
type: keyword
--
*`zeek.http.tags`*::
+
--
A set of indicators of various attributes discovered and related to a particular
request/response pair.
type: keyword
--
*`zeek.http.password`*::
+
--
Password if basic-auth is performed for the request
type: keyword
--
*`zeek.http.captured_password`*::
+
--
Determines if the password will be captured for this request
type: boolean
--
*`zeek.http.proxied`*::
+
--
All of the headers that may indicate if the HTTP request was proxied
type: keyword
--
*`zeek.http.range_request`*::
+
--
Indicates if this request can assume 206 partial content in response
type: boolean
--
*`zeek.http.client_header_names`*::
+
--
The vector of HTTP header names sent by the client. No header values
are included here, just the header names.
type: keyword
--
*`zeek.http.server_header_names`*::
+
--
The vector of HTTP header names sent by the server. No header values
are included here, just the header names
type: keyword
--
*`zeek.http.orig_fuids`*::
+
--
An ordered vector of file unique IDs from the originator
type: keyword
--
*`zeek.http.orig_mime_types`*::
+
--
An ordered vector of mime types from the originator
type: keyword
--
*`zeek.http.orig_filenames`*::
+
--
An ordered vector of filenames from the originator
type: keyword
--
*`zeek.http.resp_fuids`*::
+
--
An ordered vector of file unique IDs from the responder
type: keyword
--
*`zeek.http.resp_mime_types`*::
+
--
An ordered vector of mime types from the responder
type: keyword
--
*`zeek.http.resp_filenames`*::
+
--
An ordered vector of filenames from the responder
type: keyword
--
*`zeek.http.orig_mime_depth`*::
+
--
Current number of MIME entities in the HTTP request message body
type: integer
--
*`zeek.http.resp_mime_depth`*::
+
--
Current number of MIME entities in the HTTP response message body
type: integer
--
*`zeek.files.fuid`*::
+
--
A file unique identifier
type: keyword
--
*`zeek.files.tx_host`*::
+
--
The host that transferred the file
type: ip
--
*`zeek.files.rx_host`*::
+
--
The host that received the file
type: ip
--
*`zeek.files.session_ids`*::
+
--
The sessions that have this file
type: keyword
--
*`zeek.files.source`*::
+
--
An identification of the source of the file data. E.g. it may be a network protocol
over which it was transferred, or a local file path which was read, or some other
input source
type: keyword
--
*`zeek.files.depth`*::
+
--
A value to represent the depth of this file in relation to its source. In SMTP, it
is the depth of the MIME attachment on the message. In HTTP, it is the depth of the
request within the TCP connection
type: long
--
*`zeek.files.analyzers`*::
+
--
A set of analysis types done during the file analysis
type: keyword
--
*`zeek.files.mime_type`*::
+
--
Mime type of the file
type: keyword
--
*`zeek.files.filename`*::
+
--
Name of the file if available
type: keyword
--
*`zeek.files.local_orig`*::
+
--
If the source of this file is a network connection, this field indicates if the data
originated from the local network or not
type: boolean
--
*`zeek.files.is_orig`*::
+
--
If the source of this file is a network connection, this field indicates if the file is
being sent by the originator of the connection or the responder
type: boolean
--
*`zeek.files.duration`*::
+
--
The duration the file was analyzed for. Not the duration of the session.
type: double
--
*`zeek.files.seen_bytes`*::
+
--
Number of bytes provided to the file analysis engine for the file
type: long
--
*`zeek.files.total_bytes`*::
+
--
Total number of bytes that are supposed to comprise the full file
type: long
--
*`zeek.files.missing_bytes`*::
+
--
The number of bytes in the file stream that were completely missed during the process
of analysis
type: long
--
*`zeek.files.overflow_bytes`*::
+
--
The number of bytes in the file stream that were not delivered to stream file analyzers.
This could be overlapping bytes or bytes that couldn't be reassembled
type: long
--
*`zeek.files.timedout`*::
+
--
Whether the file analysis timed out at least once for the file
type: boolean
--
*`zeek.files.parent_fuid`*::
+
--
Identifier associated with a container file from which this one was extracted as part of
the file analysis
type: keyword
--
*`zeek.files.md5`*::
+
--
An MD5 digest of the file contents
type: keyword
--
*`zeek.files.sha1`*::
+
--
A SHA1 digest of the file contents
type: keyword
--
*`zeek.files.sha256`*::
+
--
A SHA256 digest of the file contents.
type: keyword
--
*`zeek.files.extracted`*::
+
--
Local filename of extracted file
type: keyword
--
*`zeek.files.extracted_cutoff`*::
+
--
Indicates whether the file being extracted was cut off and hence not extracted completely
type: boolean
--
*`zeek.files.extracted_size`*::
+
--
The number of bytes extracted to disk
type: long
--
*`zeek.files.entropy`*::
+
--
The information density of the contents of the file
type: double
--
*`zeek.ssl.version`*::
+
--
SSL/TLS version that was logged
type: keyword
--
*`zeek.ssl.cipher`*::
+
--
SSL/TLS cipher suite that was logged
type: keyword
--
*`zeek.ssl.curve`*::
+
--
Elliptic curve that was logged when using ECDH/ECDHE
type: keyword
--
*`zeek.ssl.server_name`*::
+
--
Value of the Server Name Indication (SNI) SSL/TLS extension. It indicates the server name
that the client was requesting
type: keyword
--
*`zeek.ssl.resumed`*::
+
--
Flag to indicate if the session was resumed reusing the key material exchanged in an
earlier connection
type: boolean
--
*`zeek.ssl.next_protocol`*::
+
--
Next protocol the server chose using the application layer next protocol extension
type: keyword
--
*`zeek.ssl.established`*::
+
--
Flag to indicate if this ssl session has been established successfully
type: boolean
--
*`zeek.ssl.cert_chain`*::
+
--
Chain of certificates offered by the server to validate its complete signing chain
type: keyword
--
*`zeek.ssl.cert_chain_fuids`*::
+
--
An ordered vector of certificate file identifiers for the certificates offered by the server
type: keyword
--
*`zeek.ssl.client_cert_chain`*::
+
--
Chain of certificates offered by the client to validate its complete signing chain
type: keyword
--
*`zeek.ssl.client_cert_chain_fuids`*::
+
--
An ordered vector of certificate file identifiers for the certificates offered by the client
type: keyword
--
*`zeek.ssl.issuer`*::
+
--
Subject of the signer of the X.509 certificate offered by the server
type: keyword
--
*`zeek.ssl.client_issuer`*::
+
--
Subject of the signer of the X.509 certificate offered by the client
type: keyword
--
*`zeek.ssl.validation_status`*::
+
--
Result of certificate validation for this connection
type: keyword
--
*`zeek.ssl.validation_code`*::
+
--
Result of certificate validation for this connection, given as OpenSSL validation code
type: keyword
--
*`zeek.ssl.subject`*::
+
--
Subject of the X.509 certificate offered by the server
type: keyword
--
*`zeek.ssl.client_subject`*::
+
--
Subject of the X.509 certificate offered by the client
type: keyword
--
*`zeek.ssl.last_alert`*::
+
--
Last alert that was seen during the connection
type: keyword
--
*`zeek.notice.connection_id`*::
+
--
Identifier of the related connection session
type: keyword
--
*`zeek.notice.icmp_id`*::
+
--
Identifier of the related ICMP session
type: keyword
--
*`zeek.notice.file.id`*::
+
--
An identifier associated with a single file that is related to this notice
type: keyword
--
*`zeek.notice.file.parent_id`*::
+
--
Identifier associated with a container file from which this one was extracted
type: keyword
--
*`zeek.notice.file.source`*::
+
--
An identification of the source of the file data. E.g. it may be a network protocol
over which it was transferred, or a local file path which was read, or some other
input source
type: keyword
--
*`zeek.notice.file.mime_type`*::
+
--
A mime type if the notice is related to a file
type: keyword
--
*`zeek.notice.file.is_orig`*::
+
--
If the source of this file is a network connection, this field indicates if the file is
being sent by the originator of the connection or the responder
type: boolean
--
*`zeek.notice.file.seen_bytes`*::
+
--
Number of bytes provided to the file analysis engine for the file
type: long
--
*`zeek.fnotice.file.total_bytes`*::
+
--
Total number of bytes that are supposed to comprise the full file
type: long
--
*`zeek.notice.file.missing_bytes`*::
+
--
The number of bytes in the file stream that were completely missed during the process
of analysis
type: long
--
*`zeek.notice.file.overflow_bytes`*::
+
--
The number of bytes in the file stream that were not delivered to stream file analyzers.
This could be overlapping bytes or bytes that couldn't be reassembled
type: long
--
*`zeek.notice.fuid`*::
+
--
A file unique ID if this notice is related to a file
type: keyword
--
*`zeek.notice.note`*::
+
--
The type of the notice
type: keyword
--
*`zeek.notice.msg`*::
+
--
The human readable message for the notice.
type: keyword
--
*`zeek.notice.sub`*::
+
--
The human readable sub-message
type: keyword
--
*`zeek.notice.n`*::
+
--
Associated count, or a status code
type: long
--
*`zeek.notice.peer_name`*::
+
--
Name of remote peer that raised this notice
type: keyword
--
*`zeek.notice.peer_descr`*::
+
--
Textual description for the peer that raised this notice
type: text
--
*`zeek.notice.actions`*::
+
--
The actions which have been applied to this notice
type: keyword
--
*`zeek.notice.email_body_sections`*::
+
--
By adding chunks of text into this element, other scripts can expand on notices
that are being emailed
type: text
--
*`zeek.notice.email_delay_tokens`*::
+
--
Adding a string token to this set will cause the built-in emailing functionality
to delay sending the email until either the token has been removed or the email
has been delayed for the specified time duration
type: keyword
--
*`zeek.notice.identifier`*::
+
--
This field is provided when a notice is generated for the purpose of deduplicating notices
type: keyword
--
*`zeek.notice.suppress_for`*::
+
--
This field indicates the length of time that this unique notice should be suppressed
type: double
--
*`zeek.notice.dropped`*::
+
--
Indicates whether the source IP address was dropped and denied network access
type: boolean
--