System fields

Module for parsing system log files.

system fields

Fields from the system log files.

auth fields

Fields from the Linux authorization logs.

system.auth.timestamp

The timestamp as read from the auth message.

system.auth.hostname

The hostname as read from the auth message.

system.auth.program

The process name as read from the auth message.

system.auth.pid

type: long

The PID of the process that sent the auth message.

system.auth.message

The message in the log line.

system.auth.user

The Unix user that this event refers to.

ssh fields

Fields specific to SSH login events.

system.auth.ssh.event

The SSH login event. Can be one of "Accepted", "Failed", or "Invalid". "Accepted" means a successful login. "Invalid" means that the user is not configured on the system. "Failed" means that the SSH login attempt has failed.

system.auth.ssh.method

The SSH authentication method. Can be one of "password" or "publickey".

system.auth.ssh.ip

type: ip

The client IP from where the login attempt was made.

system.auth.ssh.dropped_ip

type: ip

The client IP of an SSH connection that was opened and then immediately dropped, so no login attempt was made.

system.auth.ssh.port

type: long

The client port from where the login attempt was made.

system.auth.ssh.signature

The client public key as identified by sshd on public-key logins: the key type and fingerprint that sshd logs after the authentication method.
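
As an added example (not part of the Filebeat module or of this page), the following Python maps constructed sshd lines of the three kinds described above onto the system.auth.ssh.* field names, including the dropped_ip case, and then performs the check a practitioner usually wants first from these fields: counting "Failed" and "Invalid" events per client IP. The regular expressions, the sample lines (documentation IP ranges, made-up fingerprint) and the threshold in failed_logins_by_ip are this example's own assumptions, not the module's ingest pipeline.

```python
import re
from collections import Counter

# Syslog-style header that every auth.log line carries:
#   "<timestamp> <hostname> <program>[<pid>]: <message>"   (the [pid] part is optional)
HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)
# Login outcome: "Accepted publickey for alice from 203.0.113.7 port 51234 ssh2: RSA SHA256:..."
#                "Failed password for invalid user admin from 198.51.100.23 port 40130 ssh2"
LOGIN_RE = re.compile(
    r"^(?P<event>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2(?:: (?P<signature>.+))?$"
)
# Unknown account, logged before any credential is checked (port is absent on older sshd):
#   "Invalid user oracle from 198.51.100.23 port 40140"
INVALID_RE = re.compile(r"^Invalid user (?P<user>.*?) ?from (?P<ip>\S+)(?: port (?P<port>\d+))?$")
# Connection opened and dropped without a client banner, i.e. no login attempt:
#   "Did not receive identification string from 192.0.2.99 port 55012"
DROPPED_RE = re.compile(r"^Did not receive identification string from (?P<ip>\S+)(?: port (?P<port>\d+))?$")

# Constructed sample lines (assumption of this example, not real traffic).
SAMPLE_AUTH_LOG = [
    "Feb  3 10:01:22 bastion sshd[2031]: Accepted publickey for alice from 203.0.113.7 port 51234 ssh2: RSA SHA256:Q2x0c3RydWN0ZWRGaW5nZXJwcmludEV4YW1wbGUwMDA",
    "Feb  3 10:02:05 bastion sshd[2040]: Failed password for bob from 198.51.100.23 port 40122 ssh2",
    "Feb  3 10:02:07 bastion sshd[2041]: Failed password for invalid user admin from 198.51.100.23 port 40130 ssh2",
    "Feb  3 10:02:09 bastion sshd[2042]: Invalid user oracle from 198.51.100.23 port 40140",
    "Feb  3 10:02:11 bastion sshd[2043]: Did not receive identification string from 192.0.2.99 port 55012",
]


def parse_sshd_line(line):
    """Map one auth.log line onto the system.auth.* field names; None if the header does not parse."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {
        "system.auth.timestamp": m["timestamp"],
        "system.auth.hostname": m["hostname"],
        "system.auth.program": m["program"],
        "system.auth.pid": int(m["pid"]) if m["pid"] else None,
        "system.auth.message": m["message"],
    }
    if m["program"] != "sshd":
        return fields  # sudo, useradd and friends carry their own sub-fields
    msg = m["message"]
    lm, im, dm = LOGIN_RE.match(msg), INVALID_RE.match(msg), DROPPED_RE.match(msg)
    if lm:
        # "Failed ... for invalid user X" keeps event="Failed": sshd reports a failed attempt
        # against an unknown account, as opposed to the bare "Invalid user" notice below.
        fields["system.auth.ssh.event"] = lm["event"]
        fields["system.auth.ssh.method"] = lm["method"]
        fields["system.auth.user"] = lm["user"]
        fields["system.auth.ssh.ip"] = lm["ip"]
        fields["system.auth.ssh.port"] = int(lm["port"])
        if lm["signature"]:
            fields["system.auth.ssh.signature"] = lm["signature"]
    elif im:
        fields["system.auth.ssh.event"] = "Invalid"
        fields["system.auth.user"] = im["user"]
        fields["system.auth.ssh.ip"] = im["ip"]
        if im["port"]:
            fields["system.auth.ssh.port"] = int(im["port"])
    elif dm:
        fields["system.auth.ssh.dropped_ip"] = dm["ip"]
    return fields


def failed_logins_by_ip(lines, threshold=3):
    """Count Failed and Invalid sshd events per client IP; return the IPs at or above the threshold."""
    counts = Counter()
    for line in lines:
        f = parse_sshd_line(line)
        if f and f.get("system.auth.ssh.event") in ("Failed", "Invalid"):
            counts[f["system.auth.ssh.ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for sample in SAMPLE_AUTH_LOG:
        print(parse_sshd_line(sample))
    print("brute-force candidates:", failed_logins_by_ip(SAMPLE_AUTH_LOG))
```

Dropped connections never get an event value, so they do not count toward the threshold; if you want to alert on scanners that connect without a banner, aggregate on system.auth.ssh.dropped_ip separately.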

geoip fields

Contains GeoIP information looked up from the system.auth.ssh.ip field. Only present if the GeoIP Elasticsearch plugin is available and used.

system.auth.ssh.geoip.continent_name

type: keyword

The name of the continent.

system.auth.ssh.geoip.city_name

type: keyword

The name of the city.

system.auth.ssh.geoip.region_name

type: keyword

The name of the region.

system.auth.ssh.geoip.country_iso_code

type: keyword

Country ISO code.

system.auth.ssh.geoip.location

type: geo_point

The longitude and latitude.

sudo fields

Fields specific to events created by the sudo command.

system.auth.sudo.error

example: user NOT in sudoers

The error message in case the sudo command failed.

system.auth.sudo.tty

The TTY where the sudo command is executed.

system.auth.sudo.pwd

The current directory where the sudo command is executed.

system.auth.sudo.user

example: root

The target user to which the sudo command is switching.

system.auth.sudo.command

The command executed via sudo.

useradd fields

Fields specific to events created by the useradd command.

system.auth.useradd.name

The user name being added.

system.auth.useradd.uid

type: long

The user ID.

system.auth.useradd.gid

type: long

The group ID.

system.auth.useradd.home

The home folder for the new user.

system.auth.useradd.shell

The default shell for the new user.

groupadd fields

Fields specific to events created by the groupadd command.

system.auth.groupadd.name

The name of the new group.

system.auth.groupadd.gid

type: long

The ID of the new group.
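
The sudo, useradd and groupadd sections above describe three more message shapes found in the same auth log. As an added example (not the module's pipeline and not code from this page), the following Python extracts the system.auth.sudo.*, system.auth.useradd.* and system.auth.groupadd.* fields from constructed sample lines and then builds the short review a responder wants from them: denied sudo attempts, commands run as root, and newly created accounts and groups. The regular expressions, the sample lines and the review_account_activity report layout are assumptions of this example.

```python
import re

# Syslog-style header: "<timestamp> <hostname> <program>[<pid>]: <message>"; sudo logs without a [pid].
HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)
# sudo, allowed: "    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd"
# sudo, denied:  "      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash"
SUDO_RE = re.compile(
    r"^\s*(?P<user>\S+) : (?:(?P<error>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>.+?) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$"
)
# useradd: "new user: name=svc-backup, UID=1003, GID=1003, home=/var/lib/backup, shell=/usr/sbin/nologin"
# (a trailing ", from=..." on newer useradd versions is tolerated and ignored)
USERADD_RE = re.compile(
    r"^new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+), GID=(?P<gid>\d+), "
    r"home=(?P<home>[^,]+), shell=(?P<shell>[^,]+)(?:,.*)?$"
)
# groupadd: "new group: name=svc-backup, GID=1003"
GROUPADD_RE = re.compile(r"^new group: name=(?P<name>[^,]+), GID=(?P<gid>\d+)$")

# Constructed sample lines (assumption of this example). The last one is the classic
# "new account with UID 0" that account-creation monitoring exists to catch.
SAMPLE_AUTH_LOG = [
    "Feb  3 10:05:01 bastion sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd",
    "Feb  3 10:05:30 bastion sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Feb  3 10:05:45 bastion sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=postgres ; COMMAND=/usr/bin/psql",
    "Feb  3 10:06:12 bastion groupadd[2098]: new group: name=svc-backup, GID=1003",
    "Feb  3 10:06:12 bastion useradd[2100]: new user: name=svc-backup, UID=1003, GID=1003, home=/var/lib/backup, shell=/usr/sbin/nologin",
    "Feb  3 10:09:40 bastion useradd[2133]: new user: name=support, UID=0, GID=0, home=/root, shell=/bin/bash",
]


def parse_account_line(line):
    """Map one auth.log line onto the system.auth.* field names; None if the header does not parse."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {
        "system.auth.timestamp": m["timestamp"],
        "system.auth.hostname": m["hostname"],
        "system.auth.program": m["program"],
        "system.auth.pid": int(m["pid"]) if m["pid"] else None,
        "system.auth.message": m["message"],
    }
    msg, prog = m["message"], m["program"]
    if prog == "sudo":
        sm = SUDO_RE.match(msg)
        if sm:
            fields["system.auth.user"] = sm["user"]          # who invoked sudo
            if sm["error"]:
                fields["system.auth.sudo.error"] = sm["error"]
            fields["system.auth.sudo.tty"] = sm["tty"]
            fields["system.auth.sudo.pwd"] = sm["pwd"]
            fields["system.auth.sudo.user"] = sm["target"]   # who they became
            fields["system.auth.sudo.command"] = sm["command"]
    elif prog == "useradd":
        um = USERADD_RE.match(msg)
        if um:
            fields["system.auth.useradd.name"] = um["name"]
            fields["system.auth.useradd.uid"] = int(um["uid"])
            fields["system.auth.useradd.gid"] = int(um["gid"])
            fields["system.auth.useradd.home"] = um["home"]
            fields["system.auth.useradd.shell"] = um["shell"]
    elif prog == "groupadd":
        gm = GROUPADD_RE.match(msg)
        if gm:
            fields["system.auth.groupadd.name"] = gm["name"]
            fields["system.auth.groupadd.gid"] = int(gm["gid"])
    return fields


def review_account_activity(lines):
    """Summarise denied sudo, commands run as root, and account/group creation from parsed lines."""
    report = {"sudo_denied": [], "root_commands": [], "new_users": [], "new_groups": []}
    for line in lines:
        f = parse_account_line(line)
        if not f:
            continue
        if "system.auth.sudo.command" in f:
            if "system.auth.sudo.error" in f:
                report["sudo_denied"].append((f["system.auth.user"], f["system.auth.sudo.error"]))
            elif f["system.auth.sudo.user"] == "root":
                report["root_commands"].append((f["system.auth.user"], f["system.auth.sudo.command"]))
        elif "system.auth.useradd.name" in f:
            report["new_users"].append(
                (f["system.auth.useradd.name"], f["system.auth.useradd.uid"], f["system.auth.useradd.shell"])
            )
        elif "system.auth.groupadd.name" in f:
            report["new_groups"].append((f["system.auth.groupadd.name"], f["system.auth.groupadd.gid"]))
    return report


if __name__ == "__main__":
    for key, entries in review_account_activity(SAMPLE_AUTH_LOG).items():
        print(key, entries)
```

Note that system.auth.user and system.auth.sudo.user answer different questions on a sudo line (who ran it versus who they became); a rule on "sudo to root" has to look at the second, and a denied attempt still carries the target and command, which is what makes the error line worth keeping.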

syslog fields

Contains fields from the syslog system logs.

system.syslog.timestamp

The timestamp as read from the syslog message.

system.syslog.hostname

The hostname as read from the syslog message.

system.syslog.program

The process name as read from the syslog message.

system.syslog.pid

The PID of the process that sent the syslog message.

system.syslog.message

The message in the log line.