System fields

Module for parsing system log files.

system fields

Fields from the system log files.
auth fields

Fields from the Linux authorization logs.

- system.auth.timestamp: The timestamp as read from the auth message.
- system.auth.hostname: The hostname as read from the auth message.
- system.auth.program: The process name as read from the auth message.
- system.auth.pid (type: long): The PID of the process that sent the auth message.
- system.auth.message (type: text): The message in the log line.
- system.auth.user: The Unix user that this event refers to.
ssh fields

Fields specific to SSH login events.

- system.auth.ssh.event: The SSH login event. Can be one of "Accepted", "Failed", or "Invalid". "Accepted" means a successful login. "Invalid" means that the user is not configured on the system. "Failed" means that the SSH login attempt has failed.
- system.auth.ssh.method: The SSH authentication method. Can be one of "password" or "publickey".
- system.auth.ssh.ip (type: ip): The client IP from where the login attempt was made.
- system.auth.ssh.dropped_ip (type: ip): The client IP from SSH connections that are opened and immediately dropped, before any authentication attempt.
- system.auth.ssh.port (type: long): The client port from where the login attempt was made.
- system.auth.ssh.signature: The signature of the client public key.
geoip fields

Contains GeoIP information gathered based on the system.auth.ssh.ip field. Only present if the GeoIP Elasticsearch plugin is available and used.

- system.auth.ssh.geoip.continent_name (type: keyword): The name of the continent.
- system.auth.ssh.geoip.city_name (type: keyword): The name of the city.
- system.auth.ssh.geoip.region_name (type: keyword): The name of the region.
- system.auth.ssh.geoip.country_iso_code (type: keyword): Country ISO code.
- system.auth.ssh.geoip.location (type: geo_point): The longitude and latitude.
sudo fields

Fields specific to events created by the sudo command. The user who invoked sudo is recorded in system.auth.user; the user sudo switched to is recorded in system.auth.sudo.user.

- system.auth.sudo.error (example: user NOT in sudoers): The error message in case the sudo command failed.
- system.auth.sudo.tty: The TTY where the sudo command is executed.
- system.auth.sudo.pwd: The current directory where the sudo command is executed.
- system.auth.sudo.user (example: root): The target user to which the sudo command is switching.
- system.auth.sudo.command: The command executed via sudo.
useradd fields

Fields specific to events created by the useradd command.

- system.auth.useradd.name: The user name being added.
- system.auth.useradd.uid (type: long): The user ID.
- system.auth.useradd.gid (type: long): The group ID.
- system.auth.useradd.home: The home folder for the new user.
- system.auth.useradd.shell: The default shell for the new user.

groupadd fields

Fields specific to events created by the groupadd command.

- system.auth.groupadd.name: The name of the new group.
- system.auth.groupadd.gid (type: long): The ID of the new group.
syslog fields

Contains fields from the syslog system logs.

- system.syslog.timestamp: The timestamp as read from the syslog message.
- system.syslog.hostname: The hostname as read from the syslog message.
- system.syslog.program: The process name as read from the syslog message.
- system.syslog.pid: The PID of the process that sent the syslog message.
- system.syslog.message (type: text): The message in the log line.
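The auth and syslog field lists above say what the module's ingest pipeline extracts but not how a raw log line maps onto those names. The following Python script is an added example and is not code from Filebeat or the Elastic documentation: it parses constructed auth.log and syslog lines into the documented system.auth.* and system.syslog.* field names using plain regular expressions (an approximation of the module's grok patterns, not the patterns themselves), and then runs a simple brute-force check over system.auth.ssh.event and system.auth.ssh.ip. The sample lines, the threshold and the function names are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample lines (not real log data) in the rsyslog format that the
# Filebeat system module reads from /var/log/auth.log and /var/log/syslog.
AUTH_LINES = [
    "Feb 21 21:54:44 localhost sshd[3402]: Accepted publickey for vagrant from 10.0.2.2 port 63673 ssh2: RSA SHA256:constructedFingerprintForExample",
    "Feb 21 21:56:12 localhost sshd[3430]: Failed password for root from 203.0.113.5 port 48230 ssh2",
    "Feb 21 21:56:15 localhost sshd[3432]: Failed password for root from 203.0.113.5 port 48231 ssh2",
    "Feb 21 21:56:20 localhost sshd[3434]: Invalid user admin from 203.0.113.5",
    "Feb 21 22:01:03 localhost sshd[3440]: Did not receive identification string from 198.51.100.9",
    "Feb 21 22:03:10 localhost sudo:  vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Feb 21 22:03:15 localhost sudo:   bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "Feb 21 22:05:00 localhost groupadd[3500]: new group: name=deploy, GID=1002",
    "Feb 21 22:05:00 localhost useradd[3501]: new user: name=deploy, UID=1002, GID=1002, home=/home/deploy, shell=/bin/bash",
]
SYSLOG_LINES = [
    "Feb 21 22:10:01 localhost CRON[3601]: (root) CMD (run-parts /etc/cron.hourly)",
    "Feb 21 22:10:05 localhost systemd[1]: Started Daily apt download activities.",
]

# "timestamp host program[pid]: message" prefix shared by auth.log and syslog.
PREFIX_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                       r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<event>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
                    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2(?:: (?P<signature>.*))?$")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)(?: port (?P<port>\d+))?$")
DROPPED_RE = re.compile(r"^Did not receive identification string from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) :(?: (?P<error>[^;]+?) ;)? TTY=(?P<tty>\S+) ; "
                     r"PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$")
USERADD_RE = re.compile(r"^new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+), GID=(?P<gid>\d+), "
                        r"home=(?P<home>[^,]+), shell=(?P<shell>\S+)$")
GROUPADD_RE = re.compile(r"^new group: name=(?P<name>[^,]+), GID=(?P<gid>\d+)$")


def _prefix_fields(line, ns, pid_type):
    """Prefix fields under namespace ns; returns (fields, match) or (None, None)."""
    m = PREFIX_RE.match(line)
    if not m:
        return None, None
    ev = {ns + ".timestamp": m["ts"], ns + ".hostname": m["host"],
          ns + ".program": m["prog"], ns + ".message": m["msg"]}
    if m["pid"]:
        ev[ns + ".pid"] = pid_type(m["pid"])
    return ev, m


def parse_auth_line(line):
    """system.auth.* fields for one auth.log line (None if the prefix does not parse).
    Messages that no sub-pattern recognises keep only the prefix fields."""
    ev, m = _prefix_fields(line, "system.auth", int)  # system.auth.pid is type: long
    if ev is None:
        return None
    prog, msg = m["prog"], m["msg"]
    if prog == "sshd":
        if s := SSH_RE.match(msg):
            ev.update({"system.auth.user": s["user"], "system.auth.ssh.event": s["event"],
                       "system.auth.ssh.method": s["method"], "system.auth.ssh.ip": s["ip"],
                       "system.auth.ssh.port": int(s["port"])})
            if s["signature"]:
                ev["system.auth.ssh.signature"] = s["signature"]
        elif s := INVALID_RE.match(msg):
            ev.update({"system.auth.user": s["user"], "system.auth.ssh.event": "Invalid",
                       "system.auth.ssh.ip": s["ip"]})
            if s["port"]:
                ev["system.auth.ssh.port"] = int(s["port"])
        elif s := DROPPED_RE.match(msg):
            # Connection opened and dropped before authentication: no user or
            # event, only dropped_ip (typically scanners and banner grabs).
            ev["system.auth.ssh.dropped_ip"] = s["ip"]
    elif prog == "sudo" and (s := SUDO_RE.match(msg)):
        ev.update({"system.auth.user": s["user"],          # invoking user
                   "system.auth.sudo.user": s["target"],   # target user
                   "system.auth.sudo.tty": s["tty"], "system.auth.sudo.pwd": s["pwd"],
                   "system.auth.sudo.command": s["command"]})
        if s["error"]:
            ev["system.auth.sudo.error"] = s["error"]
    elif prog == "useradd" and (s := USERADD_RE.match(msg)):
        ev.update({"system.auth.useradd.name": s["name"], "system.auth.useradd.uid": int(s["uid"]),
                   "system.auth.useradd.gid": int(s["gid"]), "system.auth.useradd.home": s["home"],
                   "system.auth.useradd.shell": s["shell"]})
    elif prog == "groupadd" and (s := GROUPADD_RE.match(msg)):
        ev.update({"system.auth.groupadd.name": s["name"], "system.auth.groupadd.gid": int(s["gid"])})
    return ev


def parse_syslog_line(line):
    """system.syslog.* fields for one syslog line; pid has no documented type and is kept as text."""
    return _prefix_fields(line, "system.syslog", str)[0]


def ssh_failures_by_ip(events, threshold=3):
    """Client IPs with at least `threshold` Failed or Invalid SSH events: the
    aggregation a brute-force detection runs over system.auth.ssh.*."""
    counts = Counter(e["system.auth.ssh.ip"] for e in events
                     if e and e.get("system.auth.ssh.event") in ("Failed", "Invalid"))
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    auth_events = [parse_auth_line(l) for l in AUTH_LINES]
    for ev in auth_events + [parse_syslog_line(l) for l in SYSLOG_LINES]:
        print(ev)
    print("suspicious:", ssh_failures_by_ip(auth_events))
```

Two points worth noting when reading the output: a dropped connection yields only system.auth.ssh.dropped_ip and no system.auth.ssh.event, so a detection keyed on event alone never sees pre-authentication probes, and a sudo line carries both the invoking user (system.auth.user) and the target user (system.auth.sudo.user), which a rule on privilege escalation to root needs to distinguish.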