- Filebeat Reference: other versions:
- Filebeat overview
- Quick start: installation and configuration
- Set up and run
- Upgrade
- How Filebeat works
- Configure
- Inputs
- Modules
- General settings
- Project paths
- Config file loading
- Output
- Kerberos
- SSL
- Index lifecycle management (ILM)
- Elasticsearch index template
- Kibana endpoint
- Kibana dashboards
- Processors
- Define processors
- add_cloud_metadata
- add_cloudfoundry_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_network_direction
- add_observer_metadata
- add_process_metadata
- add_tags
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_cef
- decode_csv_fields
- decode_json_fields
- decompress_gzip_field
- detect_mime_type
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- rate_limit
- registered_domain
- rename
- script
- timestamp
- translate_sid
- truncate_fields
- urldecode
- Autodiscover
- Internal queue
- Load balancing
- Logging
- HTTP endpoint
- Regular expression support
- Instrumentation
- filebeat.reference.yml
- How to guides
- Override configuration settings
- Load the Elasticsearch index template
- Change the index name
- Load Kibana dashboards
- Load ingest pipelines
- Enrich events with geoIP information
- Deduplicate data
- Parse data by using ingest node
- Use environment variables in the configuration
- Avoid YAML formatting problems
- Beats central management
- Modules
- Modules overview
- ActiveMQ module
- Apache module
- Auditd module
- AWS module
- Azure module
- Barracuda module
- Bluecoat module
- CEF module
- Check Point module
- Cisco module
- CoreDNS module
- Crowdstrike module
- Cyberark module
- Cylance module
- Elasticsearch module
- Envoyproxy Module
- F5 module
- Fortinet module
- Google Cloud module
- Google Workspace module
- GSuite module
- haproxy module
- IBM MQ module
- Icinga module
- IIS module
- Imperva module
- Infoblox module
- Iptables module
- Juniper module
- Kafka module
- Kibana module
- Logstash module
- Microsoft module
- MISP module
- MongoDB module
- MSSQL module
- MySQL module
- MySQL Enterprise module
- nats module
- NetFlow module
- Netscout module
- Nginx module
- Office 365 module
- Okta module
- Oracle module
- Osquery module
- Palo Alto Networks module
- PostgreSQL module
- Proofpoint module
- RabbitMQ module
- Radware module
- Redis module
- Santa module
- Snort module
- Snyk module
- Sonicwall module
- Sophos module
- Squid module
- Suricata module
- System module
- Tomcat module
- Traefik module
- Zeek (Bro) Module
- Zoom module
- Zscaler module
- Exported fields
- ActiveMQ fields
- Apache fields
- Auditd fields
- AWS fields
- aws-cloudwatch fields
- Azure fields
- Barracuda Web Application Firewall fields
- Beat fields
- Blue Coat Director fields
- Decode CEF processor fields fields
- CEF fields
- Checkpoint fields
- Cisco fields
- Cloud provider metadata fields
- Coredns fields
- Crowdstrike fields
- Cyber-Ark fields
- CylanceProtect fields
- Docker fields
- ECS fields
- Elasticsearch fields
- Envoyproxy fields
- Big-IP Access Policy Manager fields
- Fortinet fields
- Google Cloud Platform (GCP) fields
- google_workspace fields
- gsuite fields
- HAProxy fields
- Host fields
- ibmmq fields
- Icinga fields
- IIS fields
- Imperva SecureSphere fields
- Infoblox NIOS fields
- iptables fields
- Jolokia Discovery autodiscover provider fields
- Juniper JUNOS fields
- Kafka fields
- kibana fields
- Kubernetes fields
- Log file content fields
- logstash fields
- Microsoft fields
- MISP fields
- mongodb fields
- mssql fields
- MySQL fields
- MySQL Enterprise fields
- NATS fields
- NetFlow fields
- Arbor Peakflow SP fields
- Nginx fields
- Office 365 fields
- Okta fields
- Oracle fields
- Osquery fields
- panw fields
- PostgreSQL fields
- Process fields
- Proofpoint Email Security fields
- RabbitMQ fields
- Radware DefensePro fields
- Redis fields
- s3 fields
- Google Santa fields
- Snort/Sourcefire fields
- Snyk fields
- Sonicwall-FW fields
- sophos fields
- Squid fields
- Suricata fields
- System fields
- Apache Tomcat fields
- Traefik fields
- Zeek fields
- Zoom fields
- Zscaler NSS fields
- Monitor
- Secure
- Troubleshoot
- Get help
- Debug
- Common problems
- Can’t read log files from network volumes
- Filebeat isn’t collecting lines from a file
- Too many open file handlers
- Registry file is too large
- Inode reuse causes Filebeat to skip lines
- Log rotation results in lost or duplicate events
- Open file handlers cause issues with Windows file rotation
- Filebeat is using too much CPU
- Dashboard in Kibana is breaking up data fields incorrectly
- Fields are not indexed or usable in Kibana visualizations
- Filebeat isn’t shipping the last line of a file
- Filebeat keeps open file handlers of deleted files for a long time
- Filebeat uses too much bandwidth
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- Publishing to Logstash fails with "connection reset by peer" message
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
- Dashboard could not locate the index-pattern
- Contribute to Beats
MySQL Enterprise fields
editMySQL Enterprise fields
editMySQL Enterprise Audit module
mysqlenterprise
editFields from MySQL Enterprise Logs
audit
editModule for parsing MySQL Enterprise Audit Logs
-
mysqlenterprise.audit.class
-
A string representing the event class. The class defines the type of event, when taken together with the event item that specifies the event subclass.
type: keyword
-
mysqlenterprise.audit.connection_id
-
An integer representing the client connection identifier. This is the same as the value returned by the CONNECTION_ID() function within the session.
type: keyword
-
mysqlenterprise.audit.id
-
An unsigned integer representing an event ID.
type: keyword
-
mysqlenterprise.audit.connection_data.connection_type
-
The security state of the connection to the server. Permitted values are tcp/ip (TCP/IP connection established without encryption), ssl (TCP/IP connection established with encryption), socket (Unix socket file connection), named_pipe (Windows named pipe connection), and shared_memory (Windows shared memory connection).
type: keyword
-
mysqlenterprise.audit.connection_data.status
-
An integer representing the command status: 0 for success, nonzero if an error occurred.
type: long
-
mysqlenterprise.audit.connection_data.db
-
A string representing a database name. For connection_data, it is the default database. For table_access_data, it is the table database.
type: keyword
-
mysqlenterprise.audit.connection_data.connection_attributes
-
Connection attributes that might be passed by different MySQL Clients.
type: flattened
-
mysqlenterprise.audit.general_data.command
-
A string representing the type of instruction that generated the audit event, such as a command that the server received from a client.
type: keyword
-
mysqlenterprise.audit.general_data.sql_command
-
A string that indicates the SQL statement type.
type: keyword
-
mysqlenterprise.audit.general_data.query
-
A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion.
type: keyword
-
mysqlenterprise.audit.general_data.status
-
An integer representing the command status: 0 for success, nonzero if an error occurred. This is the same as the value of the mysql_errno() C API function.
type: long
-
mysqlenterprise.audit.login.user
-
A string representing the information indicating how a client connected to the server.
type: keyword
-
mysqlenterprise.audit.login.proxy
-
A string representing the proxy user. The value is empty if user proxying is not in effect.
type: keyword
-
mysqlenterprise.audit.shutdown_data.server_id
-
An integer representing the server ID. This is the same as the value of the server_id system variable.
type: keyword
-
mysqlenterprise.audit.startup_data.server_id
-
An integer representing the server ID. This is the same as the value of the server_id system variable.
type: keyword
-
mysqlenterprise.audit.startup_data.mysql_version
-
An integer representing the server ID. This is the same as the value of the server_id system variable.
type: keyword
-
mysqlenterprise.audit.table_access_data.db
-
A string representing a database name. For connection_data, it is the default database. For table_access_data, it is the table database.
type: keyword
-
mysqlenterprise.audit.table_access_data.table
-
A string representing a table name.
type: keyword
-
mysqlenterprise.audit.table_access_data.query
-
A string representing the text of an SQL statement. The value can be empty. Long values may be truncated. The string, like the audit log file itself, is written using UTF-8 (up to 4 bytes per character), so the value may be the result of conversion.
type: keyword
-
mysqlenterprise.audit.table_access_data.sql_command
-
A string that indicates the SQL statement type.
type: keyword
-
mysqlenterprise.audit.account.user
-
A string representing the user that the server authenticated the client as. This is the user name that the server uses for privilege checking.
type: keyword
-
mysqlenterprise.audit.account.host
-
A string representing the client host name.
type: keyword
-
mysqlenterprise.audit.login.os
-
A string representing the external user name used during the authentication process, as set by the plugin used to authenticate the client.
type: keyword
On this page