- Filebeat Reference: other versions:
- Filebeat overview
- Quick start: installation and configuration
- Set up and run
- Upgrade
- How Filebeat works
- Configure
- Inputs
- Modules
- General settings
- Project paths
- Config file loading
- Output
- Kerberos
- SSL
- Index lifecycle management (ILM)
- Elasticsearch index template
- Kibana endpoint
- Kibana dashboards
- Processors
- Define processors
- add_cloud_metadata
- add_cloudfoundry_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_network_direction
- add_nomad_metadata
- add_observer_metadata
- add_process_metadata
- add_tags
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_cef
- decode_csv_fields
- decode_json_fields
- decode_xml
- decode_xml_wineventlog
- decompress_gzip_field
- detect_mime_type
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- rate_limit
- registered_domain
- rename
- script
- timestamp
- translate_sid
- truncate_fields
- urldecode
- Autodiscover
- Internal queue
- Load balancing
- Logging
- HTTP endpoint
- Regular expression support
- Instrumentation
- filebeat.reference.yml
- How to guides
- Override configuration settings
- Load the Elasticsearch index template
- Change the index name
- Load Kibana dashboards
- Load ingest pipelines
- Enrich events with geoIP information
- Deduplicate data
- Parse data using an ingest pipeline
- Use environment variables in the configuration
- Avoid YAML formatting problems
- Modules
- Modules overview
- ActiveMQ module
- Apache module
- Auditd module
- AWS module
- AWS Fargate module
- Azure module
- Barracuda module
- Bluecoat module
- CEF module
- Check Point module
- Cisco module
- CoreDNS module
- Crowdstrike module
- Cyberark module
- Cyberark PAS module
- Cylance module
- Elasticsearch module
- Envoyproxy Module
- F5 module
- Fortinet module
- Google Cloud module
- Google Workspace module
- GSuite module
- HAproxy module
- IBM MQ module
- Icinga module
- IIS module
- Imperva module
- Infoblox module
- Iptables module
- Juniper module
- Kafka module
- Kibana module
- Logstash module
- Microsoft module
- MISP module
- MongoDB module
- MSSQL module
- MySQL module
- MySQL Enterprise module
- NATS module
- NetFlow module
- Netscout module
- Nginx module
- Office 365 module
- Okta module
- Oracle module
- Osquery module
- Palo Alto Networks module
- pensando module
- PostgreSQL module
- Proofpoint module
- RabbitMQ module
- Radware module
- Redis module
- Santa module
- Snort module
- Snyk module
- Sonicwall module
- Sophos module
- Squid module
- Suricata module
- System module
- Threat Intel module
- Tomcat module
- Traefik module
- Zeek (Bro) Module
- ZooKeeper module
- Zoom module
- Zscaler module
- Exported fields
- ActiveMQ fields
- Apache fields
- Auditd fields
- AWS fields
- aws-cloudwatch fields
- AWS Fargate fields
- Azure fields
- Barracuda Web Application Firewall fields
- Beat fields
- Blue Coat Director fields
- Decode CEF processor fields fields
- CEF fields
- Checkpoint fields
- Cisco fields
- Cloud provider metadata fields
- Coredns fields
- Crowdstrike fields
- Cyber-Ark fields
- CyberArk PAS fields
- CylanceProtect fields
- Docker fields
- ECS fields
- Elasticsearch fields
- Envoyproxy fields
- Big-IP Access Policy Manager fields
- Fortinet fields
- Google Cloud Platform (GCP) fields
- google_workspace fields
- gsuite fields
- HAProxy fields
- Host fields
- ibmmq fields
- Icinga fields
- IIS fields
- Imperva SecureSphere fields
- Infoblox NIOS fields
- iptables fields
- Jolokia Discovery autodiscover provider fields
- Juniper JUNOS fields
- Kafka fields
- kibana fields
- Kubernetes fields
- Log file content fields
- logstash fields
- Microsoft fields
- MISP fields
- mongodb fields
- mssql fields
- MySQL fields
- MySQL Enterprise fields
- NATS fields
- NetFlow fields
- Arbor Peakflow SP fields
- Nginx fields
- Office 365 fields
- Okta fields
- Oracle fields
- Osquery fields
- panw fields
- Pensando fields
- PostgreSQL fields
- Process fields
- Proofpoint Email Security fields
- RabbitMQ fields
- Radware DefensePro fields
- Redis fields
- s3 fields
- Google Santa fields
- Snort/Sourcefire fields
- Snyk fields
- Sonicwall-FW fields
- sophos fields
- Squid fields
- Suricata fields
- System fields
- threatintel fields
- Apache Tomcat fields
- Traefik fields
- Zeek fields
- ZooKeeper fields
- Zoom fields
- Zscaler NSS fields
- Monitor
- Secure
- Troubleshoot
- Get help
- Debug
- Common problems
- Error extracting container id while using Kubernetes metadata
- Can’t read log files from network volumes
- Filebeat isn’t collecting lines from a file
- Too many open file handlers
- Registry file is too large
- Inode reuse causes Filebeat to skip lines
- Log rotation results in lost or duplicate events
- Open file handlers cause issues with Windows file rotation
- Filebeat is using too much CPU
- Dashboard in Kibana is breaking up data fields incorrectly
- Fields are not indexed or usable in Kibana visualizations
- Filebeat isn’t shipping the last line of a file
- Filebeat keeps open file handlers of deleted files for a long time
- Filebeat uses too much bandwidth
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- Publishing to Logstash fails with "connection reset by peer" message
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
- Dashboard could not locate the index-pattern
- Contribute to Beats
Azure fields
editAzure fields
editAzure Module
azure
edit-
azure.subscription_id
-
Azure subscription ID
type: keyword
-
azure.correlation_id
-
Correlation ID
type: keyword
-
azure.tenant_id
-
tenant ID
type: keyword
resource
editResource
-
azure.resource.id
-
Resource ID
type: keyword
-
azure.resource.group
-
Resource group
type: keyword
-
azure.resource.provider
-
Resource type/namespace
type: keyword
-
azure.resource.namespace
-
Resource type/namespace
type: keyword
-
azure.resource.name
-
Name
type: keyword
-
azure.resource.authorization_rule
-
Authorization rule
type: keyword
activitylogs
editFields for Azure activity logs.
identity
editIdentity
claims_initiated_by_user
editClaims initiated by user
-
azure.activitylogs.identity.claims_initiated_by_user.name
-
Name
type: keyword
-
azure.activitylogs.identity.claims_initiated_by_user.givenname
-
Givenname
type: keyword
-
azure.activitylogs.identity.claims_initiated_by_user.surname
-
Surname
type: keyword
-
azure.activitylogs.identity.claims_initiated_by_user.fullname
-
Fullname
type: keyword
-
azure.activitylogs.identity.claims_initiated_by_user.schema
-
Schema
type: keyword
-
azure.activitylogs.identity.claims.*
-
Claims
type: object
authorization
editAuthorization
-
azure.activitylogs.identity.authorization.scope
-
Scope
type: keyword
-
azure.activitylogs.identity.authorization.action
-
Action
type: keyword
evidence
editEvidence
-
azure.activitylogs.identity.authorization.evidence.role_assignment_scope
-
Role assignment scope
type: keyword
-
azure.activitylogs.identity.authorization.evidence.role_definition_id
-
Role definition ID
type: keyword
-
azure.activitylogs.identity.authorization.evidence.role
-
Role
type: keyword
-
azure.activitylogs.identity.authorization.evidence.role_assignment_id
-
Role assignment ID
type: keyword
-
azure.activitylogs.identity.authorization.evidence.principal_id
-
Principal ID
type: keyword
-
azure.activitylogs.identity.authorization.evidence.principal_type
-
Principal type
type: keyword
-
azure.activitylogs.operation_name
-
Operation name
type: keyword
-
azure.activitylogs.result_type
-
Result type
type: keyword
-
azure.activitylogs.result_signature
-
Result signature
type: keyword
-
azure.activitylogs.category
-
Category
type: keyword
-
azure.activitylogs.event_category
-
Event Category
type: keyword
-
azure.activitylogs.properties
-
Properties
type: flattened
auditlogs
editFields for Azure audit logs.
-
azure.auditlogs.category
-
The category of the operation. Currently, Audit is the only supported value.
type: keyword
-
azure.auditlogs.operation_name
-
The operation name
type: keyword
-
azure.auditlogs.operation_version
-
The operation version
type: keyword
-
azure.auditlogs.identity
-
Identity
type: keyword
-
azure.auditlogs.tenant_id
-
Tenant ID
type: keyword
-
azure.auditlogs.result_signature
-
Result signature
type: keyword
properties
editThe audit log properties
-
azure.auditlogs.properties.result
-
Log result
type: keyword
-
azure.auditlogs.properties.activity_display_name
-
Activity display name
type: keyword
-
azure.auditlogs.properties.result_reason
-
Reason for the log result
type: keyword
-
azure.auditlogs.properties.correlation_id
-
Correlation ID
type: keyword
-
azure.auditlogs.properties.logged_by_service
-
Logged by service
type: keyword
-
azure.auditlogs.properties.operation_type
-
Operation type
type: keyword
-
azure.auditlogs.properties.id
-
ID
type: keyword
-
azure.auditlogs.properties.activity_datetime
-
Activity timestamp
type: date
-
azure.auditlogs.properties.category
-
category
type: keyword
target_resources.*
editTarget resources
-
azure.auditlogs.properties.target_resources.*.display_name
-
Display name
type: keyword
-
azure.auditlogs.properties.target_resources.*.id
-
ID
type: keyword
-
azure.auditlogs.properties.target_resources.*.type
-
Type
type: keyword
-
azure.auditlogs.properties.target_resources.*.ip_address
-
ip Address
type: keyword
-
azure.auditlogs.properties.target_resources.*.user_principal_name
-
User principal name
type: keyword
modified_properties.*
editModified properties
-
azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value
-
New value
type: keyword
-
azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name
-
Display value
type: keyword
-
azure.auditlogs.properties.target_resources.*.modified_properties.*.old_value
-
Old value
type: keyword
initiated_by
editInformation regarding the initiator
app
editApp
-
azure.auditlogs.properties.initiated_by.app.servicePrincipalName
-
Service principal name
type: keyword
-
azure.auditlogs.properties.initiated_by.app.displayName
-
Display name
type: keyword
-
azure.auditlogs.properties.initiated_by.app.appId
-
App ID
type: keyword
-
azure.auditlogs.properties.initiated_by.app.servicePrincipalId
-
Service principal ID
type: keyword
user
editUser
-
azure.auditlogs.properties.initiated_by.user.userPrincipalName
-
User principal name
type: keyword
-
azure.auditlogs.properties.initiated_by.user.displayName
-
Display name
type: keyword
-
azure.auditlogs.properties.initiated_by.user.id
-
ID
type: keyword
-
azure.auditlogs.properties.initiated_by.user.ipAddress
-
ip Address
type: keyword
platformlogs
editFields for Azure platform logs.
-
azure.platformlogs.operation_name
-
Operation name
type: keyword
-
azure.platformlogs.result_type
-
Result type
type: keyword
-
azure.platformlogs.result_signature
-
Result signature
type: keyword
-
azure.platformlogs.category
-
Category
type: keyword
-
azure.platformlogs.event_category
-
Event Category
type: keyword
-
azure.platformlogs.status
-
Status
type: keyword
-
azure.platformlogs.ccpNamespace
-
ccpNamespace
type: keyword
-
azure.platformlogs.Cloud
-
Cloud
type: keyword
-
azure.platformlogs.Environment
-
Environment
type: keyword
-
azure.platformlogs.EventTimeString
-
EventTimeString
type: keyword
-
azure.platformlogs.Caller
-
Caller
type: keyword
-
azure.platformlogs.ScaleUnit
-
ScaleUnit
type: keyword
-
azure.platformlogs.ActivityId
-
ActivityId
type: keyword
-
azure.platformlogs.properties
-
Event inner properties
type: flattened
signinlogs
editFields for Azure sign-in logs.
-
azure.signinlogs.operation_name
-
The operation name
type: keyword
-
azure.signinlogs.operation_version
-
The operation version
type: keyword
-
azure.signinlogs.tenant_id
-
Tenant ID
type: keyword
-
azure.signinlogs.result_signature
-
Result signature
type: keyword
-
azure.signinlogs.result_description
-
Result description
type: keyword
-
azure.signinlogs.result_type
-
Result type
type: keyword
-
azure.signinlogs.identity
-
Identity
type: keyword
-
azure.signinlogs.category
-
Category
type: keyword
-
azure.signinlogs.properties.id
-
Unique ID representing the sign-in activity.
type: keyword
-
azure.signinlogs.properties.created_at
-
Date and time (UTC) the sign-in was initiated.
type: date
-
azure.signinlogs.properties.user_display_name
-
User display name
type: keyword
-
azure.signinlogs.properties.correlation_id
-
Correlation ID
type: keyword
-
azure.signinlogs.properties.user_principal_name
-
User principal name
type: keyword
-
azure.signinlogs.properties.user_id
-
User ID
type: keyword
-
azure.signinlogs.properties.app_id
-
App ID
type: keyword
-
azure.signinlogs.properties.app_display_name
-
App display name
type: keyword
-
azure.signinlogs.properties.autonomous_system_number
-
Autonomous system number.
type: long
-
azure.signinlogs.properties.client_app_used
-
Client app used
type: keyword
-
azure.signinlogs.properties.conditional_access_status
-
Conditional access status
type: keyword
-
azure.signinlogs.properties.original_request_id
-
Original request ID
type: keyword
-
azure.signinlogs.properties.is_interactive
-
Is interactive
type: boolean
-
azure.signinlogs.properties.token_issuer_name
-
Token issuer name
type: keyword
-
azure.signinlogs.properties.token_issuer_type
-
Token issuer type
type: keyword
-
azure.signinlogs.properties.processing_time_ms
-
Processing time in milliseconds
type: float
-
azure.signinlogs.properties.risk_detail
-
Risk detail
type: keyword
-
azure.signinlogs.properties.risk_level_aggregated
-
Risk level aggregated
type: keyword
-
azure.signinlogs.properties.risk_level_during_signin
-
Risk level during signIn
type: keyword
-
azure.signinlogs.properties.risk_state
-
Risk state
type: keyword
-
azure.signinlogs.properties.resource_display_name
-
Resource display name
type: keyword
-
azure.signinlogs.properties.status.error_code
-
Error code
type: long
-
azure.signinlogs.properties.device_detail.device_id
-
Device ID
type: keyword
-
azure.signinlogs.properties.device_detail.operating_system
-
Operating system
type: keyword
-
azure.signinlogs.properties.device_detail.browser
-
Browser
type: keyword
-
azure.signinlogs.properties.device_detail.display_name
-
Display name
type: keyword
-
azure.signinlogs.properties.device_detail.trust_type
-
Trust type
type: keyword
-
azure.signinlogs.properties.applied_conditional_access_policies
-
A list of conditional access policies that are triggered by the corresponding sign-in activity.
type: array
-
azure.signinlogs.properties.authentication_details
-
The result of the authentication attempt and additional details on the authentication method.
type: array
-
azure.signinlogs.properties.authentication_processing_details
-
Additional authentication processing details, such as the agent name in case of PTA/PHS or Server/farm name in case of federated authentication.
type: flattened
-
azure.signinlogs.properties.authentication_requirement
-
This holds the highest level of authentication needed through all the sign-in steps, for sign-in to succeed.
type: keyword
-
azure.signinlogs.properties.authentication_requirement_policies
-
Set of CA policies that apply to this sign-in, each as CA: policy name, and/or MFA: Per-user
type: keyword
-
azure.signinlogs.properties.flagged_for_review
-
type: boolean
-
azure.signinlogs.properties.home_tenant_id
-
type: keyword
-
azure.signinlogs.properties.network_location_details
-
The network location details including the type of network used and its names.
type: array
-
azure.signinlogs.properties.resource_id
-
The identifier of the resource that the user signed in to.
type: keyword
-
azure.signinlogs.properties.resource_tenant_id
-
type: keyword
-
azure.signinlogs.properties.risk_event_types
-
The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue.
type: keyword
-
azure.signinlogs.properties.risk_event_types_v2
-
The list of risk event types associated with the sign-in. Possible values: unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, or unknownFutureValue.
type: keyword
-
azure.signinlogs.properties.service_principal_name
-
The application name used for sign-in. This field is populated when you are signing in using an application.
type: keyword
-
azure.signinlogs.properties.user_type
-
type: keyword
-
azure.signinlogs.properties.service_principal_id
-
The application identifier used for sign-in. This field is populated when you are signing in using an application.
type: keyword
-
azure.signinlogs.properties.cross_tenant_access_type
-
type: keyword
-
azure.signinlogs.properties.is_tenant_restricted
-
type: boolean
-
azure.signinlogs.properties.sso_extension_version
-
type: keyword
On this page