System fields

Module for parsing system log files.
system fields

Fields from the system log files.
auth fields

Fields from the Linux authorization logs.

system.auth.timestamp
  The timestamp as read from the auth message.

system.auth.hostname
  The hostname as read from the auth message.

system.auth.program
  The process name as read from the auth message.

system.auth.pid
  type: long
  The PID of the process that sent the auth message.

system.auth.message
  type: text
  The message in the log line.

system.auth.user
  The Unix user that this event refers to.
ssh fields

Fields specific to SSH login events.

system.auth.ssh.event
  The SSH login event. Can be one of "Accepted", "Failed", or "Invalid". "Accepted" means a successful login. "Invalid" means that the user is not configured on the system. "Failed" means that the SSH login attempt has failed.

system.auth.ssh.method
  The SSH authentication method. Can be one of "password" or "publickey".

system.auth.ssh.ip
  type: ip
  The client IP from where the login attempt was made.

system.auth.ssh.dropped_ip
  type: ip
  The client IP from SSH connections that are open and immediately dropped.

system.auth.ssh.port
  type: long
  The client port from where the login attempt was made.

system.auth.ssh.signature
  The signature of the client public key.
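The following Python is an added example, not code from the Filebeat module or the Elastic documentation. It shows how the ssh fields above are carved out of raw sshd auth-log lines: a parser that fills system.auth.* and system.auth.ssh.* for the "Accepted", "Failed", "Invalid user" and "Did not receive identification string" message shapes the field descriptions refer to, and a roll-up of Failed plus Invalid events per client IP, which is the brute-force view most people build on these fields. The regexes are this example's own approximation of what the module extracts, and the sample log lines are constructed.

```python
"""Parse sshd lines from a Linux auth log into the system.auth.ssh.* fields.

Added example (not Filebeat's own code): a hand-rolled equivalent of what the
module extracts from sshd messages, plus a per-source-IP failed/invalid roll-up.
The sample lines at the bottom are constructed for this example.
"""
import re
from collections import Counter

# syslog prefix shared by every auth.log line: timestamp host program[pid]: message
PREFIX = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)

# "Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:..."
# "Failed password for invalid user admin from 203.0.113.7 port 40011 ssh2"
LOGIN = re.compile(
    r"^(?P<event>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2(?:: (?P<signature>.*))?$"
)
# "Invalid user admin from 203.0.113.7 port 40011" (older sshd omits the port)
INVALID = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)(?: port (?P<port>\d+))?$")
# "Did not receive identification string from 198.51.100.9 port 55555"
DROPPED = re.compile(r"^Did not receive identification string from (?P<dropped_ip>\S+)")


def parse_ssh_line(line):
    """Return a flat dict of system.auth.* fields for one sshd line, or None."""
    m = PREFIX.match(line)
    if not m or m["program"] != "sshd":
        return None
    fields = {
        "system.auth.timestamp": m["timestamp"],
        "system.auth.hostname": m["hostname"],
        "system.auth.program": m["program"],
        "system.auth.pid": int(m["pid"]) if m["pid"] else None,
        "system.auth.message": m["message"],
    }
    msg = m["message"]
    if (lm := LOGIN.match(msg)):
        fields.update({
            "system.auth.user": lm["user"],
            "system.auth.ssh.event": lm["event"],
            "system.auth.ssh.method": lm["method"],
            "system.auth.ssh.ip": lm["ip"],
            "system.auth.ssh.port": int(lm["port"]),
        })
        if lm["signature"]:  # only present on public-key logins
            fields["system.auth.ssh.signature"] = lm["signature"]
    elif (im := INVALID.match(msg)):
        fields.update({
            "system.auth.user": im["user"],
            "system.auth.ssh.event": "Invalid",
            "system.auth.ssh.ip": im["ip"],
        })
        if im["port"]:
            fields["system.auth.ssh.port"] = int(im["port"])
    elif (dm := DROPPED.match(msg)):
        # connection opened and dropped before authentication: no event, no user
        fields["system.auth.ssh.dropped_ip"] = dm["dropped_ip"]
    else:
        return None  # other sshd messages (session opened, disconnects, ...)
    return fields


def failed_logins_by_ip(lines):
    """Count Failed + Invalid events per client IP (dropped connections excluded)."""
    counts = Counter()
    for line in lines:
        f = parse_ssh_line(line)
        if f and f.get("system.auth.ssh.event") in ("Failed", "Invalid"):
            counts[f["system.auth.ssh.ip"]] += 1
    return counts


# constructed sample lines for this example
SAMPLE = [
    "Jan 12 10:11:12 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:Q7kHq3Jx8f2sXbW1ZcQ2gNn6PbyR9T0yV4eA5sL3uMo",
    "Jan 12 10:11:13 web01 sshd[1235]: Failed password for bob from 203.0.113.7 port 40010 ssh2",
    "Jan 12 10:11:14 web01 sshd[1236]: Invalid user admin from 203.0.113.7 port 40011",
    "Jan 12 10:11:14 web01 sshd[1236]: Failed password for invalid user admin from 203.0.113.7 port 40011 ssh2",
    "Jan 12 10:11:15 web01 sshd[1237]: Did not receive identification string from 198.51.100.9 port 55555",
    "Jan 12 10:11:16 web01 sshd[1238]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_ssh_line(line))
    print(failed_logins_by_ip(SAMPLE))
```

Note that one unknown-user attempt produces two lines ("Invalid user ..." and "Failed password for invalid user ..."), so a naive count like the one above sees two events per attempt; deduplicate on timestamp plus port if you need attempt counts rather than event counts.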
geoip fields

Contains GeoIP information looked up from the system.auth.ssh.ip field. Only present if the GeoIP plugin for Elasticsearch (ingest-geoip) is installed and used by the module's ingest pipeline.

system.auth.ssh.geoip.continent_name
  type: keyword
  The name of the continent.

system.auth.ssh.geoip.city_name
  type: keyword
  The name of the city.

system.auth.ssh.geoip.region_name
  type: keyword
  The name of the region.

system.auth.ssh.geoip.country_iso_code
  type: keyword
  Country ISO code.

system.auth.ssh.geoip.location
  type: geo_point
  The longitude and latitude.
sudo fields

Fields specific to events created by the sudo command.

system.auth.sudo.error
  example: user NOT in sudoers
  The error message in case the sudo command failed.

system.auth.sudo.tty
  The TTY where the sudo command is executed.

system.auth.sudo.pwd
  The current directory where the sudo command is executed.

system.auth.sudo.user
  example: root
  The target user to which the sudo command is switching.

system.auth.sudo.command
  The command executed via sudo.
useradd fields

Fields specific to events created by the useradd command.

system.auth.useradd.name
  The user name being added.

system.auth.useradd.uid
  type: long
  The user ID.

system.auth.useradd.gid
  type: long
  The group ID.

system.auth.useradd.home
  The home folder for the new user.

system.auth.useradd.shell
  The default shell for the new user.
groupadd fields

Fields specific to events created by the groupadd command.

system.auth.groupadd.name
  The name of the new group.

system.auth.groupadd.gid
  type: long
  The ID of the new group.
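The Python below is an added example, not code from the Filebeat module or the Elastic documentation, covering the sudo, useradd and groupadd field sets above in one place. It parses the three message shapes those fields describe (a successful sudo line, a "user NOT in sudoers" denial, and the "new user:" / "new group:" lines written by the shadow-utils tools) into the documented field names, and then applies the two checks a reviewer of this log runs first: sudo denials (system.auth.sudo.error set) and accounts created with UID 0. The regexes are this example's own approximation of the module's extraction, and the sample lines are constructed.

```python
"""Parse sudo, useradd and groupadd lines from a Linux auth log into the
system.auth.sudo.*, system.auth.useradd.* and system.auth.groupadd.* fields.

Added example, not Filebeat's own code; the sample lines are constructed.
"""
import re

# syslog prefix: timestamp host program[pid]: message ("sudo:" carries no pid,
# and pads the message with several spaces, hence the \s+ after the colon)
PREFIX = re.compile(
    r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<message>.*)$"
)

# "alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow"
# "bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls"
SUDO = re.compile(
    r"^(?P<user>\S+) :(?: (?P<error>(?!TTY=)[^;]+?) ;)? TTY=(?P<tty>[^;]+) ; "
    r"PWD=(?P<pwd>[^;]+) ; USER=(?P<target>[^;]+) ; COMMAND=(?P<command>.*)$"
)
# "new user: name=svc_backup, UID=1001, GID=1001, home=/home/svc_backup, shell=/bin/bash"
USERADD = re.compile(
    r"^new user: name=(?P<name>[^,]+), UID=(?P<uid>\d+), GID=(?P<gid>\d+), "
    r"home=(?P<home>[^,]+), shell=(?P<shell>[^,\s]+)"
)
# "new group: name=svc_backup, GID=1001"
GROUPADD = re.compile(r"^new group: name=(?P<name>[^,]+), GID=(?P<gid>\d+)")


def parse_auth_line(line):
    """Return the documented fields for a sudo/useradd/groupadd line, else None."""
    m = PREFIX.match(line)
    if not m:
        return None
    fields = {
        "system.auth.timestamp": m["timestamp"],
        "system.auth.hostname": m["hostname"],
        "system.auth.program": m["program"],
        "system.auth.pid": int(m["pid"]) if m["pid"] else None,
        "system.auth.message": m["message"],
    }
    msg = m["message"]
    if m["program"] == "sudo" and (s := SUDO.match(msg)):
        fields["system.auth.user"] = s["user"]          # who invoked sudo
        if s["error"]:                                    # only on failure
            fields["system.auth.sudo.error"] = s["error"]
        fields.update({
            "system.auth.sudo.tty": s["tty"],
            "system.auth.sudo.pwd": s["pwd"],
            "system.auth.sudo.user": s["target"],         # who they became
            "system.auth.sudo.command": s["command"],
        })
    elif m["program"] == "useradd" and (u := USERADD.match(msg)):
        fields.update({
            "system.auth.useradd.name": u["name"],
            "system.auth.useradd.uid": int(u["uid"]),
            "system.auth.useradd.gid": int(u["gid"]),
            "system.auth.useradd.home": u["home"],
            "system.auth.useradd.shell": u["shell"],
        })
    elif m["program"] == "groupadd" and (g := GROUPADD.match(msg)):
        fields.update({
            "system.auth.groupadd.name": g["name"],
            "system.auth.groupadd.gid": int(g["gid"]),
        })
    else:
        return None
    return fields


def flag_privilege_events(lines):
    """Flag sudo denials and new accounts created with UID 0 (a second root)."""
    flagged = []
    for line in lines:
        f = parse_auth_line(line)
        if not f:
            continue
        if "system.auth.sudo.error" in f:
            flagged.append(("sudo-denied", f["system.auth.user"], f["system.auth.sudo.command"]))
        if f.get("system.auth.useradd.uid") == 0:
            flagged.append(("uid0-account", f["system.auth.useradd.name"], f["system.auth.useradd.shell"]))
    return flagged


SAMPLE = [  # constructed for this example
    "Jan 12 10:12:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Jan 12 10:12:05 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/ls /root",
    "Jan 12 10:13:00 web01 groupadd[1999]: new group: name=svc_backup, GID=1001",
    "Jan 12 10:13:00 web01 useradd[2000]: new user: name=svc_backup, UID=1001, GID=1001, home=/home/svc_backup, shell=/bin/bash",
    "Jan 12 10:14:00 web01 useradd[2010]: new user: name=sysadm, UID=0, GID=0, home=/, shell=/bin/bash",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_auth_line(line))
    print(flag_privilege_events(SAMPLE))
```

Keep system.auth.user (the invoking account) and system.auth.sudo.user (the target account) apart when writing detections: "who ran sudo" and "who they became" are different questions, and a denial line still records both.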
syslog fields

Contains fields from the syslog system logs.

system.syslog.timestamp
  The timestamp as read from the syslog message.

system.syslog.hostname
  The hostname as read from the syslog message.

system.syslog.program
  The process name as read from the syslog message.

system.syslog.pid
  The PID of the process that sent the syslog message.

system.syslog.message
  type: text
  The message in the log line.