System fields

edit

Module for parsing system log files.

system fields

edit

Fields from the system log files.

auth fields

edit

Fields from the Linux authorization logs.

system.auth.timestamp

The timestamp as read from the auth message.

system.auth.hostname

The hostname as read from the auth message.

system.auth.program

The process name as read from the auth message.

system.auth.pid

type: long

The PID of the process that sent the auth message.

system.auth.message

type: text

The message in the log line.

system.auth.user

The Unix user that this event refers to.

ssh fields

edit

Fields specific to SSH login events.

system.auth.ssh.event

The SSH login event. Can be one of "Accepted", "Failed", or "Invalid". "Accepted" means a successful login. "Invalid" means that the user is not configured on the system. "Failed" means that the SSH login attempt has failed.

system.auth.ssh.method

The SSH authentication method. Can be one of "password" or "publickey".

system.auth.ssh.ip

type: ip

The client IP from where the login attempt was made.

system.auth.ssh.dropped_ip

type: ip

The client IP from SSH connections that are open and immediately dropped.

system.auth.ssh.port

type: long

The client port from where the login attempt was made.

system.auth.ssh.signature

The signature of the client public key.

geoip fields

edit

Contains GeoIP information gathered based on the system.auth.ip field. Only present if the GeoIP Elasticsearch plugin is available and used.

system.auth.ssh.geoip.continent_name

type: keyword

The name of the continent.

system.auth.ssh.geoip.city_name

type: keyword

The name of the city.

system.auth.ssh.geoip.region_name

type: keyword

The name of the region.

system.auth.ssh.geoip.country_iso_code

type: keyword

Country ISO code.

system.auth.ssh.geoip.location

type: geo_point

The longitude and latitude.

sudo fields

edit

Fields specific to events created by the sudo command.

system.auth.sudo.error

example: user NOT in sudoers

The error message in case the sudo command failed.

system.auth.sudo.tty

The TTY where the sudo command is executed.

system.auth.sudo.pwd

The current directory where the sudo command is executed.

system.auth.sudo.user

example: root

The target user to which the sudo command is switching.

system.auth.sudo.command

The command executed via sudo.

useradd fields

edit

Fields specific to events created by the useradd command.

system.auth.useradd.name

The user name being added.

system.auth.useradd.uid

type: long

The user ID.

system.auth.useradd.gid

type: long

The group ID.

system.auth.useradd.home

The home folder for the new user.

system.auth.useradd.shell

The default shell for the new user.

groupadd fields

edit

Fields specific to events created by the groupadd command.

system.auth.groupadd.name

The name of the new group.

system.auth.groupadd.gid

type: long

The ID of the new group.

syslog fields

edit

Contains fields from the syslog system logs.

system.syslog.timestamp

The timestamp as read from the syslog message.

system.syslog.hostname

The hostname as read from the syslog message.

system.syslog.program

The process name as read from the syslog message.

system.syslog.pid

The PID of the process that sent the syslog message.

system.syslog.message

type: text

The message in the log line.