WARNING: Version 6.1 of Filebeat has passed its EOL date.

This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.

« Redis fields Traefik fields »

› ›

System fields

System fields

Module for parsing system log files.

system fields

Fields from the system log files.

auth fields

Fields from the Linux authorization logs.

`system.auth.timestamp`

The timestamp as read from the auth message.

`system.auth.hostname`

The hostname as read from the auth message.

`system.auth.program`

The process name as read from the auth message.

`system.auth.pid`

type: long

The PID of the process that sent the auth message.

`system.auth.message`

The message in the log line.

`system.auth.user`

The Unix user that this event refers to.

ssh fields

Fields specific to SSH login events.

`system.auth.ssh.event`

The SSH login event. Can be one of "Accepted", "Failed", or "Invalid". "Accepted" means a successful login. "Invalid" means that the user is not configured on the system. "Failed" means that the SSH login attempt has failed.

`system.auth.ssh.method`

The SSH authentication method. Can be one of "password" or "publickey".

`system.auth.ssh.ip`

type: ip

The client IP from where the login attempt was made.

`system.auth.ssh.dropped_ip`

type: ip

The client IP from SSH connections that are open and immediately dropped.

`system.auth.ssh.port`

type: long

The client port from where the login attempt was made.

`system.auth.ssh.signature`

The signature of the client public key.

geoip fields

Contains GeoIP information gathered based on the system.auth.ip field. Only present if the GeoIP Elasticsearch plugin is available and used.

`system.auth.ssh.geoip.continent_name`

type: keyword

The name of the continent.

`system.auth.ssh.geoip.city_name`

type: keyword

The name of the city.

`system.auth.ssh.geoip.region_name`

type: keyword

The name of the region.

`system.auth.ssh.geoip.country_iso_code`

type: keyword

Country ISO code.

`system.auth.ssh.geoip.location`

type: geo_point

The longitude and latitude.

sudo fields

Fields specific to events created by the sudo command.

`system.auth.sudo.error`

example: user NOT in sudoers

The error message in case the sudo command failed.

`system.auth.sudo.tty`

The TTY where the sudo command is executed.

`system.auth.sudo.pwd`

The current directory where the sudo command is executed.

`system.auth.sudo.user`

example: root

The target user to which the sudo command is switching.

`system.auth.sudo.command`

The command executed via sudo.

useradd fields

Fields specific to events created by the useradd command.

`system.auth.useradd.name`

The user name being added.

`system.auth.useradd.uid`

type: long

The user ID.

`system.auth.useradd.gid`

type: long

The group ID.

`system.auth.useradd.home`

The home folder for the new user.

`system.auth.useradd.shell`

The default shell for the new user.

groupadd fields

Fields specific to events created by the groupadd command.

`system.auth.groupadd.name`

The name of the new group.

`system.auth.groupadd.gid`

type: long

The ID of the new group.

syslog fields

Contains fields from the syslog system logs.

`system.syslog.timestamp`

The timestamp as read from the syslog message.

`system.syslog.hostname`

The hostname as read from the syslog message.

`system.syslog.program`

The process name as read from the syslog message.

`system.syslog.pid`

The PID of the process that sent the syslog message.

`system.syslog.message`

The message in the log line.

« Redis fields Traefik fields »