NOTE: You are looking at documentation for an older release. For the latest information, see the current release documentation.
System fields

Module for parsing system log files.
system fields

Fields from the system log files.

auth fields

Fields from the Linux authorization logs.

system.auth.timestamp
    The timestamp as read from the auth message.

system.auth.hostname
    The hostname as read from the auth message.

system.auth.program
    The process name as read from the auth message.

system.auth.pid
    type: long
    The PID of the process that sent the auth message.

system.auth.message
    type: text
    The message in the log line.

system.auth.user
    The Unix user that this event refers to.
ssh fields

Fields specific to SSH login events.

system.auth.ssh.event
    The SSH login event. Can be one of "Accepted", "Failed", or "Invalid". "Accepted" means a successful login. "Invalid" means that the user is not configured on the system. "Failed" means that the SSH login attempt has failed.

system.auth.ssh.method
    The SSH authentication method. Can be one of "password" or "publickey".

system.auth.ssh.ip
    type: ip
    The client IP from where the login attempt was made.

system.auth.ssh.dropped_ip
    type: ip
    The client IP from SSH connections that are open and immediately dropped.

system.auth.ssh.port
    type: long
    The client port from where the login attempt was made.

system.auth.ssh.signature
    The signature of the client public key.
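As an added example (not code from the page or from the Filebeat module itself), the following Python maps sshd lines onto the field names above and tallies Failed and Invalid events per client IP, the usual input for a brute-force detection. The sample lines and the regular expressions are constructed for this illustration and are not the module's own grok patterns.

```python
import re

# Constructed sample auth.log lines for this example (not from the page or the module).
SAMPLE_LINES = [
    "Feb  3 12:34:56 host1 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: RSA SHA256:EXAMPLEKEYFP",
    "Feb  3 12:35:01 host1 sshd[1235]: Failed password for bob from 198.51.100.7 port 4455 ssh2",
    "Feb  3 12:35:03 host1 sshd[1236]: Failed password for invalid user admin from 198.51.100.7 port 4460 ssh2",
    "Feb  3 12:35:05 host1 sshd[1237]: Invalid user admin from 203.0.113.9 port 5555",
    "Feb  3 12:35:10 host1 sshd[1238]: Did not receive identification string from 203.0.113.50",
]
# Hypothetical regexes written for this example; they are not the module's own grok patterns.
HEADER = re.compile(r"^(?P<timestamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<hostname>\S+) "
                    r"(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$")
SSH_PATTERNS = [
    # Accepted/Failed login; "invalid user" marks an attempt against a non-existent account.
    re.compile(r"^(?P<event>Accepted|Failed) (?P<method>password|publickey) for (?:invalid user )?"
               r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2(?:: (?P<signature>.+))?$"),
    # Rejected user name, logged before any authentication method is tried.
    re.compile(r"^(?P<event>Invalid) user (?P<user>\S+) from (?P<ip>\S+)(?: port (?P<port>\d+))?$"),
    # Connection opened and dropped without a client banner: the dropped_ip case.
    re.compile(r"^Did not receive identification string from (?P<dropped_ip>\S+)"),
]

def parse_auth_line(line):
    """Return a flat dict keyed by the documented system.auth.* names, or None if unparsable."""
    head = HEADER.match(line)
    if head is None:
        return None
    fields = {"system.auth." + k: head[k] for k in ("timestamp", "hostname", "program", "message")}
    if head["pid"] is not None:
        fields["system.auth.pid"] = int(head["pid"])
    match = next(filter(None, (p.match(head["message"]) for p in SSH_PATTERNS)), None)
    if head["program"] != "sshd" or match is None:
        return fields  # not an sshd line, or an sshd message this example does not model
    for key, value in match.groupdict().items():
        if value is None:
            continue
        if key == "user":
            fields["system.auth.user"] = value
        else:  # event, method, ip, port, signature, dropped_ip
            fields["system.auth.ssh." + key] = int(value) if key == "port" else value
    return fields

def failed_logins_by_ip(lines):
    """Count Failed and Invalid SSH events per client IP, a common brute-force detection input."""
    counts = {}
    for fields in filter(None, map(parse_auth_line, lines)):
        if fields.get("system.auth.ssh.event") in ("Failed", "Invalid"):
            counts[fields["system.auth.ssh.ip"]] = counts.get(fields["system.auth.ssh.ip"], 0) + 1
    return counts
```

Dropped connections carry only system.auth.ssh.dropped_ip and no event value, so they are parsed but not counted as login failures.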
geoip fields

Contains GeoIP information gathered based on the system.auth.ip field. Only present if the GeoIP Elasticsearch plugin is available and used.

system.auth.ssh.geoip.continent_name
    type: keyword
    The name of the continent.

system.auth.ssh.geoip.city_name
    type: keyword
    The name of the city.

system.auth.ssh.geoip.region_name
    type: keyword
    The name of the region.

system.auth.ssh.geoip.country_iso_code
    type: keyword
    Country ISO code.

system.auth.ssh.geoip.location
    type: geo_point
    The longitude and latitude.

system.auth.ssh.geoip.region_iso_code
    type: keyword
    Region ISO code.
sudo fields

Fields specific to events created by the sudo command.

system.auth.sudo.error
    example: user NOT in sudoers
    The error message in case the sudo command failed.

system.auth.sudo.tty
    The TTY where the sudo command is executed.

system.auth.sudo.pwd
    The current directory where the sudo command is executed.

system.auth.sudo.user
    example: root
    The target user to which the sudo command is switching.

system.auth.sudo.command
    The command executed via sudo.
useradd fields

Fields specific to events created by the useradd command.

system.auth.useradd.name
    The user name being added.

system.auth.useradd.uid
    type: long
    The user ID.

system.auth.useradd.gid
    type: long
    The group ID.

system.auth.useradd.home
    The home folder for the new user.

system.auth.useradd.shell
    The default shell for the new user.
groupadd fields

Fields specific to events created by the groupadd command.

system.auth.groupadd.name
    The name of the new group.

system.auth.groupadd.gid
    type: long
    The ID of the new group.
syslog fields

Contains fields from the syslog system logs.

system.syslog.timestamp
    The timestamp as read from the syslog message.

system.syslog.hostname
    The hostname as read from the syslog message.

system.syslog.program
    The process name as read from the syslog message.

system.syslog.pid
    The PID of the process that sent the syslog message.

system.syslog.message
    type: text
    The message in the log line.