Log file content fields

Contains log file lines.

source

type: keyword

required: True

The file from which the line was read. This field contains the absolute path to the file. For example: /var/log/system.log.

offset

type: long

required: False

The file offset the reported line starts at.

message

type: text

required: True

The content of the line read from the log file.

stream

type: keyword

required: False

Log stream when reading container logs; can be stdout or stderr.

prospector.type

[6.3] Deprecated in 6.3.

required: True

The input type from which the event was generated. This field is set to the value specified for the type option in the input section of the Filebeat config file. (DEPRECATED: see input.type)

input.type

required: True

The input type from which the event was generated. This field is set to the value specified for the type option in the input section of the Filebeat config file.

read_timestamp

In case the ingest pipeline parses the timestamp from the log contents, it stores the original @timestamp (representing the time when the log line was read) in this field.
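An illustrative Elasticsearch ingest pipeline (added here; not the pipeline Filebeat ships) showing how read_timestamp comes to hold the original read time: the ingest-time @timestamp is renamed away first, the timestamp is pulled out of the line with the built-in SYSLOGTIMESTAMP grok pattern, and the date processor writes the parsed value back into @timestamp. The scratch field syslog_ts is an assumption of this example.

```json
{
  "description": "Preserve read time in read_timestamp, then set @timestamp from the log line (illustrative only)",
  "processors": [
    {
      "rename": {
        "field": "@timestamp",
        "target_field": "read_timestamp"
      }
    },
    {
      "grok": {
        "field": "message",
        "patterns": ["^%{SYSLOGTIMESTAMP:syslog_ts} %{GREEDYDATA}$"]
      }
    },
    {
      "date": {
        "field": "syslog_ts",
        "target_field": "@timestamp",
        "formats": ["MMM  d HH:mm:ss", "MMM d HH:mm:ss"]
      }
    },
    {
      "remove": {
        "field": "syslog_ts"
      }
    }
  ]
}
```

If grok fails the pipeline errors and @timestamp stays renamed, so a real pipeline should add an on_failure handler that restores it from read_timestamp; the two fields differ whenever ingestion lags behind the event, which is the gap an analyst should check before trusting a timeline.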

fileset.module

The Filebeat module that generated this event.

fileset.name

The Filebeat fileset that generated this event.

event.dataset

The Filebeat dataset that generated this event.

event.sequence

type: long

required: False

The sequence number of this event.

syslog.facility

type: long

required: False

The facility extracted from the priority.

syslog.priority

type: long

required: False

The priority of the syslog event.

syslog.severity_label

type: keyword

required: False

The human readable severity.

syslog.facility_label

type: keyword

required: False

The human readable facility.

process.program

type: keyword

required: False

The name of the program.

process.pid

type: long

required: False

The pid of the process.
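A worked decoding of the syslog fields above, added here as an example rather than Filebeat's own code: the PRI value at the start of a BSD-style syslog line is facility * 8 + severity, and the block splits it into syslog.facility, syslog.priority and the two labels, plus process.program and process.pid from the tag. The label strings follow RFC 5424 names and the regex and sample line are assumptions of this example.

```python
import re
from typing import Optional

# RFC 5424 facility/severity names (assumption: Filebeat's pipeline may spell labels differently).
FACILITY_LABELS = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron", "local0", "local1", "local2", "local3", "local4",
    "local5", "local6", "local7",
]
SEVERITY_LABELS = [
    "emergency", "alert", "critical", "error", "warning", "notice",
    "informational", "debug",
]

# BSD-style line: <PRI>TIMESTAMP HOST PROGRAM[PID]: MESSAGE
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

def decode_pri(pri: int) -> dict:
    """Split a syslog PRI into facility and severity; PRI = facility * 8 + severity, max 191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {
        "syslog.priority": pri,
        "syslog.facility": facility,
        "syslog.facility_label": FACILITY_LABELS[facility],
        "event.severity": severity,
        "syslog.severity_label": SEVERITY_LABELS[severity],
    }

def parse_syslog_line(line: str) -> Optional[dict]:
    """Return the fields described on this page for one line, or None if it does not parse."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    fields = decode_pri(int(m.group("pri")))
    fields["process.program"] = m.group("program")
    if m.group("pid") is not None:
        fields["process.pid"] = int(m.group("pid"))
    fields["message"] = m.group("msg")
    return fields

# Constructed sample, modelled on the RFC 3164 example line (not a real log).
SAMPLE = "<34>Oct 11 22:14:15 mymachine su[1234]: 'su root' failed for lonvick on /dev/pts/8"
```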

event.outcome

type: keyword

The outcome of the event. If the event describes an action, this field contains the outcome of that action. Example outcomes are success and failure. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, so please use it with caution.

event.severity

type: long

required: False

The severity of the event.

service.name

type: keyword

Service name.

log.level

type: keyword

Logging level.

log.flags

This field contains the flags of the event.

log.source.address

type: keyword

Log source address.

log.file.path

type: keyword

Log source path.

log.original

type: keyword

Field is not indexed.

event.created

type: date

event.created contains the date on which the event was created. In case of log events this is when the log line was read by Filebeat. In comparison @timestamp is the processed timestamp from the log line. If both are identical only @timestamp should be used.

event.duration

type: long

format: duration

Duration of the event in nanoseconds. If event.start and event.end are known this value should be the difference between the end and start time.

event.end

type: date

event.end contains the date when the event ended or when the activity was last observed.

event.type

type: keyword

A type given to this kind of event which can be used for grouping.

event.start

type: date

event.start contains the date when the event started or when the activity was first observed.

http.response.status_code

type: long

example: 404

HTTP response status_code.

http.response.elapsed_time

type: long

Elapsed time between request and response in milliseconds.

http.response.body.bytes

type: long

format: bytes

Size in bytes of the response body.

http.response.content_length

type: long

Content length of the HTTP response body.

http.request.method

type: keyword

Request method.

source_ecs.bytes

type: long

format: bytes

Bytes sent from the source to the destination.

source_ecs.ip

type: ip

IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.

source_ecs.mac

type: keyword

MAC address of the source.

source_ecs.packets

type: long

Packets sent from the client to the server.

source_ecs.port

type: long

Port of the source.

geo fields

Geolocation for source.

source_ecs.geo.continent_name

type: keyword

Name of the continent.

source_ecs.geo.country_iso_code

type: keyword

Country ISO code.

source_ecs.geo.location

type: geo_point

Longitude and latitude.

source_ecs.geo.region_name

type: keyword

Region name.

source_ecs.geo.city_name

type: keyword

City name.

source_ecs.geo.region_iso_code

type: keyword

Region ISO code.

destination.bytes

type: long

format: bytes

Bytes sent from the destination to the source.

destination.domain

type: keyword

Destination domain.

destination.ip

type: ip

IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.

destination.mac

type: keyword

MAC address of the destination.

destination.packets

type: long

Packets sent from the destination to the source.

destination.port

type: long

Port of the destination.

geo fields

Geolocation for destination.

destination.geo.continent_name

type: keyword

Name of the continent.

destination.geo.country_iso_code

type: keyword

Country ISO code.

destination.geo.location

type: geo_point

Longitude and latitude.

destination.geo.region_name

type: keyword

Region name.

destination.geo.city_name

type: keyword

City name.

destination.geo.region_iso_code

type: keyword

Region ISO code.

user_agent fields

The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.

user_agent.original

type: keyword

Unparsed version of the user_agent.

user_agent.device

type: keyword

Name of the physical device.

user_agent.version

type: keyword

Version of the physical device.

user_agent.major

type: long

Major version of the user agent.

user_agent.minor

type: long

Minor version of the user agent.

user_agent.patch

type: keyword

Patch version of the user agent.

user_agent.name

type: keyword

example: Chrome

Name of the user agent.

user_agent.os.name

type: keyword

Name of the operating system.

user_agent.os.full_name

type: keyword

Full name of the operating system (includes version).

user_agent.os.version

type: keyword

Version of the operating system.

user_agent.os.major

type: long

Major version of the operating system.

user_agent.os.minor

type: long

Minor version of the operating system.

url fields

URL fields provide a complete URL, with scheme, host, and path. The URL object can be reused in other prefixes, such as host.url.* for example. Keep the structure consistent whenever you use URL fields.

url.domain

type: keyword

Domain of the request, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the domain field.

url.hostname

type: keyword

Hostname of the request, such as "elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the hostname field.

url.path

type: keyword

Path of the request, such as "/search".

file fields

File fields provide details about each file.

file.path

type: keyword

Path to the file.

file.size

type: long

File size in bytes (field is only added when type is file).

network fields

The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event.

network.bytes

type: long

format: bytes

Total bytes transferred in both directions. If source.bytes and destination.bytes are known, network.bytes is their sum.

network.packets

type: long

Total packets transferred in both directions. If source.packets and destination.packets are known, network.packets is their sum.

network.protocol

type: keyword

L7 (application-layer) network protocol name, e.g. http, lumberjack, transport protocol. The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.

network.transport

type: keyword

Same as network.iana_number, but using the keyword name of the transport-layer protocol instead (udp, tcp, ipv6-icmp, etc.). The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.

network.type

type: keyword

In the OSI model this would be the network layer: ipv4, ipv6, ipsec, pim, etc. The field value must be normalized to lowercase for querying. See "Lowercase Capitalization" in the "Implementing ECS" section.

event.module

type: alias

alias to: fileset.module