WARNING: Version 6.1 of Filebeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
System fields
Module for parsing system log files.
system fields
Fields from the system log files.
auth fields
Fields from the Linux authorization logs.
system.auth.timestamp
The timestamp as read from the auth message.
system.auth.hostname
The hostname as read from the auth message.
system.auth.program
The process name as read from the auth message.
system.auth.pid
type: long
The PID of the process that sent the auth message.
system.auth.message
The message in the log line.
system.auth.user
The Unix user that this event refers to.
ssh fields
Fields specific to SSH login events.
system.auth.ssh.event
The SSH login event. Can be one of "Accepted", "Failed", or "Invalid". "Accepted" means a successful login. "Invalid" means that the user is not configured on the system. "Failed" means that the SSH login attempt has failed.
system.auth.ssh.method
The SSH authentication method. Can be one of "password" or "publickey".
system.auth.ssh.ip
type: ip
The client IP from where the login attempt was made.
system.auth.ssh.dropped_ip
type: ip
The client IP from SSH connections that are opened and immediately dropped.
system.auth.ssh.port
type: long
The client port from where the login attempt was made.
system.auth.ssh.signature
The signature of the client public key.
geoip fields
Contains GeoIP information gathered based on the system.auth.ip field. Only present if the GeoIP Elasticsearch plugin is available and used.
system.auth.ssh.geoip.continent_name
type: keyword
The name of the continent.
system.auth.ssh.geoip.city_name
type: keyword
The name of the city.
system.auth.ssh.geoip.region_name
type: keyword
The name of the region.
system.auth.ssh.geoip.country_iso_code
type: keyword
Country ISO code.
system.auth.ssh.geoip.location
type: geo_point
The longitude and latitude.
sudo fields
Fields specific to events created by the sudo command.
system.auth.sudo.error
example: user NOT in sudoers
The error message in case the sudo command failed.
system.auth.sudo.tty
The TTY where the sudo command is executed.
system.auth.sudo.pwd
The current directory where the sudo command is executed.
system.auth.sudo.user
example: root
The target user to which the sudo command is switching.
system.auth.sudo.command
The command executed via sudo.
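The ssh and sudo field groups above describe a fixed mapping from auth log lines to dotted field names. The following is an added example, not part of the Filebeat module or the original page, that performs that mapping in plain Python over constructed sample lines (the line shapes follow common sshd and sudo log formats; the regular expressions, sample values and the helper names parse_auth_line and failed_ssh_by_ip are this example's own assumptions) and then counts Failed/Invalid SSH events per client IP, the first query a defender usually runs over these fields.

```python
import re
from collections import Counter
SAMPLE_LINES = [  # constructed sample auth log lines (not from the page); RFC 5737 documentation addresses
    "Mar  3 10:01:02 host1 sshd[1234]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: RSA SHA256:abcd1234",
    "Mar  3 10:01:09 host1 sshd[1240]: Failed password for bob from 198.51.100.7 port 40001 ssh2",
    "Mar  3 10:01:15 host1 sshd[1251]: Invalid user admin from 198.51.100.9",
    "Mar  3 10:01:20 host1 sshd[1260]: Did not receive identification string from 192.0.2.10",
    "Mar  3 10:02:00 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "Mar  3 10:02:30 host1 sudo: bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls",
]
# Syslog envelope shared by every auth line: "<timestamp> <host> <program>[<pid>]: <message>"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# sshd message shapes behind the system.auth.ssh.* fields (event, method, ip, port, signature, dropped_ip)
SSH_LOGIN_RE = re.compile(r"^(?P<event>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)(?: ssh2: (?P<sig>.+))?")
SSH_INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")
SSH_DROPPED_RE = re.compile(r"^Did not receive identification string from (?P<ip>\S+)")
# sudo message: "<user> : [<error> ;] TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : (?:(?P<error>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

def parse_auth_line(line):
    """Map one auth log line onto the module's system.auth.* field names (flat dict with dotted keys)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = {"system.auth.timestamp": m["ts"], "system.auth.hostname": m["host"],
          "system.auth.program": m["prog"], "system.auth.message": m["msg"]}
    if m["pid"]:
        ev["system.auth.pid"] = int(m["pid"])
    if m["prog"] == "sshd":
        if s := SSH_LOGIN_RE.match(m["msg"]):  # "Accepted"/"Failed" lines carry method, ip and port
            ev.update({"system.auth.user": s["user"], "system.auth.ssh.event": s["event"], "system.auth.ssh.method": s["method"],
                       "system.auth.ssh.ip": s["ip"], "system.auth.ssh.port": int(s["port"])})
            if s["sig"]:
                ev["system.auth.ssh.signature"] = s["sig"]
        elif s := SSH_INVALID_RE.match(m["msg"]):  # user is not configured on the system
            ev.update({"system.auth.user": s["user"], "system.auth.ssh.event": "Invalid", "system.auth.ssh.ip": s["ip"]})
        elif s := SSH_DROPPED_RE.match(m["msg"]):  # connection opened and dropped before any login attempt
            ev["system.auth.ssh.dropped_ip"] = s["ip"]
    elif m["prog"] == "sudo" and (s := SUDO_RE.match(m["msg"])):
        ev.update({"system.auth.user": s["user"], "system.auth.sudo.tty": s["tty"], "system.auth.sudo.pwd": s["pwd"],
                   "system.auth.sudo.user": s["target"], "system.auth.sudo.command": s["cmd"]})
        if s["error"]:
            ev["system.auth.sudo.error"] = s["error"]
    return ev

def failed_ssh_by_ip(lines):
    """Count Failed/Invalid SSH events per client IP, the usual first cut when hunting password guessing."""
    events = filter(None, map(parse_auth_line, lines))
    return Counter(ev["system.auth.ssh.ip"] for ev in events if ev.get("system.auth.ssh.event") in ("Failed", "Invalid"))
```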
useradd fields
Fields specific to events created by the useradd command.
system.auth.useradd.name
The user name being added.
system.auth.useradd.uid
type: long
The user ID.
system.auth.useradd.gid
type: long
The group ID.
system.auth.useradd.home
The home folder for the new user.
system.auth.useradd.shell
The default shell for the new user.
groupadd fields
Fields specific to events created by the groupadd command.
system.auth.groupadd.name
The name of the new group.
system.auth.groupadd.gid
type: long
The ID of the new group.
syslog fields
Contains fields from the syslog system logs.
system.syslog.timestamp
The timestamp as read from the syslog message.
system.syslog.hostname
The hostname as read from the syslog message.
system.syslog.program
The process name as read from the syslog message.
system.syslog.pid
The PID of the process that sent the syslog message.
system.syslog.message
The message in the log line.