- Filebeat Reference: other versions:
- Overview
- Getting Started With Filebeat
- Step 1: Install Filebeat
- Step 2: Configure Filebeat
- Step 3: Configure Filebeat to use Logstash
- Step 4: Load the index template in Elasticsearch
- Step 5: Set up the Kibana dashboards
- Step 6: Start Filebeat
- Step 7: View the sample Kibana dashboards
- Quick start: modules for common log formats
- Repositories for APT and YUM
- Setting up and running Filebeat
- Upgrading Filebeat
- How Filebeat works
- Configuring Filebeat
- Specify which modules to run
- Configure inputs
- Manage multiline messages
- Specify general settings
- Load external configuration files
- Configure the internal queue
- Configure the output
- Set up index lifecycle management
- Load balance the output hosts
- Specify SSL settings
- Filter and enhance the exported data
- Parse data by using ingest node
- Enrich events with geoIP information
- Set up project paths
- Set up the Kibana endpoint
- Load the Kibana dashboards
- Load the Elasticsearch index template
- Configure logging
- Use environment variables in the configuration
- Autodiscover
- YAML tips and gotchas
- Regular expression support
- HTTP Endpoint
- filebeat.reference.yml
- Beats central management
- Modules
- Exported fields
- Alias fields
- Apache2 fields
- Auditd fields
- Beat fields
- Cloud provider metadata fields
- Docker fields
- elasticsearch fields
- haproxy fields
- Host fields
- Icinga fields
- IIS fields
- Kafka fields
- kibana fields
- Kubernetes fields
- Log file content fields
- logstash fields
- mongodb fields
- MySQL fields
- Nginx fields
- Osquery fields
- PostgreSQL fields
- Redis fields
- System fields
- Traefik fields
- Monitoring Filebeat
- Securing Filebeat
- Troubleshooting
- Migrating from Logstash Forwarder to Filebeat
- Contributing to Beats
Nginx fields
editNginx fields
editModule for parsing the Nginx log files.
nginx fields
editFields from the Nginx log files.
access fields
editContains fields for the Nginx access logs.
-
nginx.access.remote_ip_list -
type: array
An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like
X-Forwarded-For. See also theremote_ipfield. -
nginx.access.remote_ip -
type: keyword
Client IP address. The first public IP address from the
remote_ip_listarray. If no public IP addresses are present, this field contains the first private IP address from theremote_ip_listarray. -
nginx.access.user_name -
type: keyword
The user name used when basic authentication is used.
-
nginx.access.method -
type: keyword
example: GET
The request HTTP method.
-
nginx.access.url -
type: keyword
The request HTTP URL.
-
nginx.access.http_version -
type: keyword
The HTTP version.
-
nginx.access.response_code -
type: long
The HTTP response code.
-
nginx.access.body_sent.bytes -
type: long
format: bytes
The number of bytes of the server response body.
-
nginx.access.referrer -
type: keyword
The HTTP referrer.
-
nginx.access.agent -
type: text
Contains the un-parsed user agent string. Only present if the user agent Elasticsearch plugin is not available or not used.
user_agent fields
editContains the parsed User agent field. Only present if the user agent Elasticsearch plugin is available and used.
-
nginx.access.user_agent.device -
type: keyword
The name of the physical device.
-
nginx.access.user_agent.major -
type: long
The major version of the user agent.
-
nginx.access.user_agent.minor -
type: long
The minor version of the user agent.
-
nginx.access.user_agent.patch -
type: keyword
The patch version of the user agent.
-
nginx.access.user_agent.name -
type: keyword
example: Chrome
The name of the user agent.
-
nginx.access.user_agent.os -
type: keyword
The name of the operating system.
-
nginx.access.user_agent.os_major -
type: long
The major version of the operating system.
-
nginx.access.user_agent.os_minor -
type: long
The minor version of the operating system.
-
nginx.access.user_agent.os_name -
type: keyword
The name of the operating system.
-
nginx.access.user_agent.original -
type: text
Original user agent value before parsing by ingest-user-agent plugin.
Field is not indexed.
geoip fields
editContains GeoIP information gathered based on the remote_ip field. Only present if the GeoIP Elasticsearch plugin is available and used.
-
nginx.access.geoip.continent_name -
type: keyword
The name of the continent.
-
nginx.access.geoip.country_iso_code -
type: keyword
Country ISO code.
-
nginx.access.geoip.location -
type: geo_point
The longitude and latitude.
-
nginx.access.geoip.region_name -
type: keyword
The region name.
-
nginx.access.geoip.city_name -
type: keyword
The city name.
-
nginx.access.geoip.region_iso_code -
type: keyword
Region ISO code.
error fields
editContains fields for the Nginx error logs.
-
nginx.error.level -
type: keyword
Error level (e.g. error, critical).
-
nginx.error.pid -
type: long
Process identifier (PID).
-
nginx.error.tid -
type: long
Thread identifier.
-
nginx.error.connection_id -
type: long
Connection identifier.
-
nginx.error.message -
type: text
The error message