NOTE: You are looking at documentation for an older release. For the latest information, see the current release documentation.
Log file content fields
editLog file content fields
editContains log file lines.
-
source
-
type: keyword
required: True
The file from which the line was read. This field contains the absolute path to the file. For example:
/var/log/system.log
. -
offset
-
type: long
required: False
The file offset the reported line starts at.
-
message
-
type: text
required: True
The content of the line read from the log file.
-
stream
-
type: keyword
required: False
Log stream when reading container logs, can be stdout or stderr
-
prospector.type
-
[6.3] Deprecated in 6.3.
required: True
The input type from which the event was generated. This field is set to the value specified for the
type
option in the input section of the Filebeat config file. (DEPRECATED: seeinput.type
) -
input.type
-
required: True
The input type from which the event was generated. This field is set to the value specified for the
type
option in the input section of the Filebeat config file. -
read_timestamp
-
In case the ingest pipeline parses the timestamp from the log contents, it stores the original
@timestamp
(representing the time when the log line was read) in this field. -
fileset.module
-
The Filebeat module that generated this event.
-
fileset.name
-
The Filebeat fileset that generated this event.
-
event.dataset
-
The Filebeat dataset that generated this event.
-
event.sequence
-
type: long
required: False
The sequence number of this event.
-
syslog.facility
-
type: long
required: False
The facility extracted from the priority.
-
syslog.priority
-
type: long
required: False
The priority of the syslog event.
-
syslog.severity_label
-
type: keyword
required: False
The human readable severity.
-
syslog.facility_label
-
type: keyword
required: False
The human readable facility.
-
process.program
-
type: keyword
required: False
The name of the program.
-
process.pid
-
type: long
required: False
The pid of the process.
-
event.outcome
-
type: keyword
The outcome of the event. If the event describes an action, this fields contains the outcome of that action. Examples outcomes are
success
andfailure
. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. -
event.severity
-
type: long
required: False
The severity of the event.
-
service.name
-
type: keyword
Service name.
-
log.level
-
type: keyword
Logging level.
-
log.flags
-
This field contains the flags of the event.
-
log.source.address
-
type: keyword
Log source address.
-
log.file.path
-
type: keyword
Log source path.
-
log.original
-
type: keyword
Field is not indexed.
-
event.created
-
type: date
event.created contains the date on which the event was created. In case of log events this is when the log line was read by Filebeat. In comparison @timestamp is the processed timestamp from the log line. If both are identical only @timestamp should be used.
-
event.duration
-
type: long
format: duration
Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time.
-
event.end
-
type: date
event.end contains the date when the event ended or when the activity was last observed.
-
event.type
-
type: keyword
A type given to this kind of event which can be used for grouping.
-
event.start
-
type: date
event.start contains the date when the event started or when the activity was first observed.
-
http.response.status_code
-
type: long
example: 404
HTTP response status_code.
-
http.response.elapsed_time
-
type: long
Elapsed time between request and response in milli seconds.
-
http.response.body.bytes
-
type: long
format: bytes
Size in bytes of the response body.
-
http.response.content_length
-
type: long
Content length of the HTTP response body.
-
http.request.method
-
type: keyword
Request method.
-
source_ecs.bytes
-
type: long
format: bytes
Bytes sent from the source to the destination.
-
source_ecs.ip
-
type: ip
IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.
-
source_ecs.mac
-
type: keyword
MAC address of the source.
-
source_ecs.packets
-
type: long
Packets sent from the client to the server.
-
source_ecs.port
-
type: long
Port of the source.
geo fields
editGeolocation for source.
-
source_ecs.geo.continent_name
-
type: keyword
Name of the continent.
-
source_ecs.geo.country_iso_code
-
type: keyword
Country ISO code.
-
source_ecs.geo.location
-
type: geo_point
Longitude and latitude.
-
source_ecs.geo.region_name
-
type: keyword
Region name.
-
source_ecs.geo.city_name
-
type: keyword
City name.
-
source_ecs.geo.region_iso_code
-
type: keyword
Region ISO code.
-
destination.bytes
-
type: long
format: bytes
Bytes sent from the destination to the source.
-
destination.domain
-
type: keyword
Destination domain.
-
destination.ip
-
type: ip
IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.
-
destination.mac
-
type: keyword
MAC address of the destination.
-
destination.packets
-
type: long
Packets sent from the destination to the source.
-
destination.port
-
type: long
Port of the destination.
geo fields
editGeolocation for destination.
-
destination.geo.continent_name
-
type: keyword
Name of the continent.
-
destination.geo.country_iso_code
-
type: keyword
Country ISO code.
-
destination.geo.location
-
type: geo_point
Longitude and latitude.
-
destination.geo.region_name
-
type: keyword
Region name.
-
destination.geo.city_name
-
type: keyword
City name.
-
destination.geo.region_iso_code
-
type: keyword
Region ISO code.
user_agent fields
editThe user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.
-
user_agent.original
-
type: keyword
Unparsed version of the user_agent.
-
user_agent.device
-
type: keyword
Name of the physical device.
-
user_agent.version
-
type: keyword
Version of the physical device.
-
user_agent.major
-
type: long
Major version of the user agent.
-
user_agent.minor
-
type: long
Minor version of the user agent.
-
user_agent.patch
-
type: keyword
Patch version of the user agent.
-
user_agent.name
-
type: keyword
example: Chrome
Name of the user agent.
-
user_agent.os.name
-
type: keyword
Name of the operating system.
-
user_agent.os.full_name
-
type: keyword
Full name of the operating system (includes version).
-
user_agent.os.version
-
type: keyword
Version of the operating system.
-
user_agent.os.major
-
type: long
Major version of the operating system.
-
user_agent.os.minor
-
type: long
Minor version of the operating system.
url fields
editURL fields provide a complete URL, with scheme, host, and path. The URL object can be reused in other prefixes, such as host.url.*
for example. Keep the structure consistent whenever you use URL fields.
-
url.domain
-
type: keyword
Domain of the request, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the
domain
field. -
url.hostname
-
type: keyword
Hostname of the request, such as "elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the
hostname
field. -
url.path
-
type: keyword
Path of the request, such as "/search".
file fields
editFile fields provide details about each file.
-
file.path
-
type: keyword
Path to the file.
-
file.size
-
type: long
File size in bytes (field is only added when
type
isfile
).
network fields
editThe network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event.
-
network.bytes
-
type: long
format: bytes
Total bytes transferred in both directions. If
source.bytes
anddestination.bytes
are known,network.bytes
is their sum. -
network.packets
-
type: long
Total packets transferred in both directions. If
source.packets
anddestination.packets
are known,network.packets
is their sum. -
network.protocol
-
type: keyword
L7 Network protocol name. ex. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.
-
network.transport
-
type: keyword
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.
-
network.type
-
type: keyword
In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.
-
event.module
-
type: alias
alias to: fileset.module