- Filebeat Reference: other versions:
- Overview
- Getting Started With Filebeat
- Step 1: Install Filebeat
- Step 2: Configure Filebeat
- Step 3: Configure Filebeat to use Logstash
- Step 4: Load the index template in Elasticsearch
- Step 5: Set up the Kibana dashboards
- Step 6: Start Filebeat
- Step 7: View the sample Kibana dashboards
- Quick start: modules for common log formats
- Repositories for APT and YUM
- Setting up and running Filebeat
- Upgrading Filebeat
- How Filebeat works
- Configuring Filebeat
- Specify which modules to run
- Configure inputs
- Manage multiline messages
- Specify general settings
- Load external configuration files
- Configure the internal queue
- Configure the output
- Load balance the output hosts
- Specify SSL settings
- Filter and enhance the exported data
- Parse data by using ingest node
- Set up project paths
- Set up the Kibana endpoint
- Load the Kibana dashboards
- Load the Elasticsearch index template
- Configure logging
- Use environment variables in the configuration
- Autodiscover
- YAML tips and gotchas
- Regular expression support
- HTTP Endpoint
- filebeat.reference.yml
- Modules
- Exported fields
- Apache2 fields
- Auditd fields
- Beat fields
- Cloud provider metadata fields
- Docker fields
- elasticsearch fields
- Host fields
- Icinga fields
- IIS fields
- Kafka fields
- kibana fields
- Kubernetes fields
- Log file content fields
- logstash fields
- mongodb fields
- MySQL fields
- Nginx fields
- Osquery fields
- PostgreSQL fields
- Redis fields
- System fields
- Traefik fields
- Monitoring Filebeat
- Securing Filebeat
- Troubleshooting
- Migrating from Logstash Forwarder to Filebeat
- Contributing to Beats
Log file content fields
editLog file content fields
editContains log file lines.
-
source -
type: keyword
required: True
The file from which the line was read. This field contains the absolute path to the file. For example:
/var/log/system.log. -
offset -
type: long
required: False
The file offset the reported line starts at.
-
message -
type: text
required: True
The content of the line read from the log file.
-
stream -
type: keyword
required: False
Log stream when reading container logs, can be stdout or stderr
-
prospector.type -
required: True
The input type from which the event was generated. This field is set to the value specified for the
typeoption in the input section of the Filebeat config file. (DEPRECATED: seeinput.type) -
input.type -
required: True
The input type from which the event was generated. This field is set to the value specified for the
typeoption in the input section of the Filebeat config file. -
read_timestamp -
In case the ingest pipeline parses the timestamp from the log contents, it stores the original
@timestamp(representing the time when the log line was read) in this field. -
fileset.module -
The Filebeat module that generated this event.
-
fileset.name -
The Filebeat fileset that generated this event.
-
syslog.facility -
type: long
required: False
The facility extracted from the priority.
-
syslog.priority -
type: long
required: False
The priority of the syslog event.
-
syslog.severity_label -
type: keyword
required: False
The human readable severity.
-
syslog.facility_label -
type: keyword
required: False
The human readable facility.
-
process.program -
type: keyword
required: False
The name of the program.
-
process.pid -
type: long
required: False
The pid of the process.
-
event.severity -
type: long
required: False
The severity of the event.
-
service.name -
type: keyword
Service name.
-
log.level -
type: keyword
Logging level.
-
event.created -
type: date
event.created contains the date on which the event was created. In case of log events this is when the log line was read by Filebeat. In comparison @timestamp is the processed timestamp from the log line. If both are identical only @timestamp should be used.
-
http.response.status_code -
type: long
example: 404
HTTP response status_code.
-
http.response.elapsed_time -
type: long
Elapsed time between request and response in milli seconds.
-
http.response.content_length -
type: long
Content length of the HTTP response body.
-
http.request.method -
type: keyword
Request method.