Filebeat Reference
panw fields
Module for Palo Alto Networks (PAN-OS)
panw
Fields from the panw module.
panos
Fields for the Palo Alto Networks PAN-OS logs.
-
panw.panos.ruleset
-
Name of the rule that matched this session.
type: keyword
source
Fields to extend the top-level source object.
-
panw.panos.source.zone
-
Source zone for this session.
type: keyword
-
panw.panos.source.interface
-
Source interface for this session.
type: keyword
nat
Post-NAT source address, if source NAT is performed.
-
panw.panos.source.nat.ip
-
Post-NAT source IP.
type: ip
-
panw.panos.source.nat.port
-
Post-NAT source port.
type: long
destination
Fields to extend the top-level destination object.
-
panw.panos.destination.zone
-
Destination zone for this session.
type: keyword
-
panw.panos.destination.interface
-
Destination interface for this session.
type: keyword
nat
Post-NAT destination address, if destination NAT is performed.
-
panw.panos.destination.nat.ip
-
Post-NAT destination IP.
type: ip
-
panw.panos.destination.nat.port
-
Post-NAT destination port.
type: long
-
panw.panos.endreason
-
The reason a session terminated.
type: keyword
network
Fields to extend the top-level network object.
-
panw.panos.network.pcap_id
-
Packet capture ID for a threat.
type: keyword
-
panw.panos.network.nat.community_id
-
Community ID flow-hash for the NAT 5-tuple.
type: keyword
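The NAT fields above and panw.panos.network.nat.community_id are easiest to understand with a worked computation. The following Python is an added example, not code from the Filebeat panw module or from Palo Alto Networks: it implements Community ID v1 (the same flow hash the Beats community_id processor produces, default seed 0) for TCP, UDP and SCTP, and computes it once for the pre-NAT 5-tuple (source.* and destination.*, the basis of ECS network.community_id) and once for the post-NAT 5-tuple taken from the panw.panos.source.nat.* and panw.panos.destination.nat.* fields. The sample event is constructed; the flat dotted keys and the helper names community_id and nat_community_ids are this example's own, not part of the module.

```python
"""Community ID for the pre-NAT and post-NAT 5-tuples of a PAN-OS session.

Added example for this page; not Filebeat or Palo Alto Networks code.
Implements Community ID v1 (https://github.com/corelight/community-id-spec)
for TCP, UDP and SCTP only; ICMP and port-less protocols are out of scope.
The sample event below is constructed, not taken from a real firewall.
"""
import base64
import hashlib
import ipaddress
import struct

# IANA protocol numbers for the transports that carry ports.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "sctp": 132}


def community_id(src_ip, src_port, dst_ip, dst_port, proto, seed=0):
    """Return the Community ID v1 string ("1:<base64 sha1>") for a flow.

    The tuple is ordered so that both directions of a flow hash identically:
    the endpoint with the numerically smaller address (or, for equal
    addresses, the smaller port) is hashed first.
    """
    saddr = ipaddress.ip_address(src_ip).packed
    daddr = ipaddress.ip_address(dst_ip).packed
    if (saddr, src_port) > (daddr, dst_port):
        saddr, daddr = daddr, saddr
        src_port, dst_port = dst_port, src_port
    proto_num = PROTO_NUMBERS[proto.lower()]
    # seed (2 bytes) | saddr | daddr | proto (1) | pad 0 (1) | sport (2) | dport (2)
    data = (
        struct.pack("!H", seed)
        + saddr
        + daddr
        + struct.pack("!BBHH", proto_num, 0, src_port, dst_port)
    )
    digest = hashlib.sha1(data).digest()
    return "1:" + base64.b64encode(digest).decode("ascii")


def nat_community_ids(event, seed=0):
    """Fill network.community_id (pre-NAT) and
    panw.panos.network.nat.community_id (post-NAT) on a copy of the event.

    Field names follow this page; representing the event as a flat dict with
    dotted keys is an assumption of this example.
    """
    proto = event["network.transport"]
    pre = community_id(event["source.ip"], event["source.port"],
                       event["destination.ip"], event["destination.port"],
                       proto, seed)
    post = community_id(event["panw.panos.source.nat.ip"],
                        event["panw.panos.source.nat.port"],
                        event["panw.panos.destination.nat.ip"],
                        event["panw.panos.destination.nat.port"],
                        proto, seed)
    out = dict(event)
    out["network.community_id"] = pre
    out["panw.panos.network.nat.community_id"] = post
    return out


# Constructed PAN-OS traffic event: an internal client behind source NAT
# reaching an external web server. Source NAT rewrites the client address
# and port; the destination is left unchanged in this sample.
SAMPLE_EVENT = {
    "network.transport": "tcp",
    "source.ip": "10.20.30.40",
    "source.port": 51234,
    "destination.ip": "203.0.113.10",
    "destination.port": 443,
    "panw.panos.source.nat.ip": "198.51.100.7",
    "panw.panos.source.nat.port": 40111,
    "panw.panos.destination.nat.ip": "203.0.113.10",
    "panw.panos.destination.nat.port": 443,
}

if __name__ == "__main__":
    enriched = nat_community_ids(SAMPLE_EVENT)
    print("pre-NAT  :", enriched["network.community_id"])
    print("post-NAT :", enriched["panw.panos.network.nat.community_id"])
    # A sensor outside the firewall only sees the translated tuple, so its
    # Community ID equals the post-NAT value, not network.community_id.
    outside = community_id("198.51.100.7", 40111, "203.0.113.10", 443, "tcp")
    print("matches outside sensor:",
          outside == enriched["panw.panos.network.nat.community_id"])
```

Because the outside of the firewall only ever observes the translated tuple, a Zeek or Suricata sensor there computes an ID equal to panw.panos.network.nat.community_id, while a sensor on the inside segment matches network.community_id. Querying both fields is what lets one session be followed across the NAT boundary.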
file
Fields to extend the top-level file object.
-
panw.panos.file.hash
-
Binary hash for a threat file sent to be analyzed by the WildFire service.
type: keyword
url
Fields to extend the top-level url object.
-
panw.panos.url.category
-
For threat URLs, the URL category. For WildFire, the verdict on the file: malicious, grayware, or benign.
type: keyword
-
panw.panos.flow_id
-
Internal numeric identifier for each session.
type: keyword
-
panw.panos.sequence_number
-
Log entry identifier that is incremented sequentially. Unique for each log type.
type: long
-
panw.panos.threat.resource
-
URL or file name for a threat.
type: keyword
-
panw.panos.threat.id
-
Palo Alto Networks identifier for the threat.
type: keyword
-
panw.panos.threat.name
-
Palo Alto Networks name for the threat.
type: keyword
-
panw.panos.action
-
Action taken for the session.
type: keyword
-
panw.panos.type
-
Specifies the type of the log.
-
panw.panos.sub_type
-
Specifies the sub type of the log.
-
panw.panos.virtual_sys
-
Virtual system instance.
type: keyword
-
panw.panos.client_os_ver
-
The client device’s OS version.
type: keyword
-
panw.panos.client_os
-
The client device’s operating system.
type: keyword
-
panw.panos.client_ver
-
The client’s GlobalProtect app version.
type: keyword
-
panw.panos.stage
-
A string showing the stage of the connection.
type: keyword
example: before-login
-
panw.panos.actionflags
-
A bit field indicating if the log was forwarded to Panorama.
type: keyword
-
panw.panos.error
-
A string showing the error that has occurred in any event.
type: keyword
-
panw.panos.error_code
-
An integer associated with any errors that occurred.
type: integer
-
panw.panos.repeatcnt
-
The number of sessions with the same source IP address, destination IP address, application, and subtype that GlobalProtect has detected within the last five seconds.
type: integer
-
panw.panos.serial_number
-
The serial number of the user’s machine or device.
type: keyword
-
panw.panos.auth_method
-
A string showing the authentication type.
type: keyword
example: LDAP
-
panw.panos.datasource
-
Source from which mapping information is collected.
type: keyword
-
panw.panos.datasourcetype
-
Mechanism used to identify the IP/User mappings within a data source.
type: keyword
-
panw.panos.datasourcename
-
User-ID source that sends the IP (Port)-User Mapping.
type: keyword
-
panw.panos.factorno
-
Indicates the use of primary authentication (1) or additional factors (2, 3).
type: integer
-
panw.panos.factortype
-
Vendor used to authenticate a user when multi-factor authentication is present.
type: keyword
-
panw.panos.factorcompletiontime
-
Time the authentication was completed.
type: date
-
panw.panos.ugflags
-
Flags describing the user group found during user group mapping. Supported values are: User Group Found (the user could be mapped to a group), Duplicate User (duplicate users were found in a user group), or N/A if no user group is found.
type: keyword
device_group_hierarchy
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12.
-
panw.panos.device_group_hierarchy.level_1
-
Identification number of the device group at level 1 of the hierarchy, the outermost ancestor below the shared group. In the example above this is 12.
type: keyword
-
panw.panos.device_group_hierarchy.level_2
-
Identification number of the device group at level 2 of the hierarchy. In the example above this is 34.
type: keyword
-
panw.panos.device_group_hierarchy.level_3
-
Identification number of the device group at level 3 of the hierarchy. In the example above this is 45.
type: keyword
-
panw.panos.device_group_hierarchy.level_4
-
Identification number of the device group at level 4 of the hierarchy. In the example above this is 0, meaning there is no device group at this level.
type: keyword
-
panw.panos.timeout
-
Timeout after which the IP/User Mappings are cleared.
type: integer
-
panw.panos.vsys_id
-
A unique identifier for a virtual system on a Palo Alto Networks firewall.
type: keyword
-
panw.panos.vsys_name
-
The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
type: keyword
-
panw.panos.description
-
Additional information for any event that has occurred.
type: keyword
-
panw.panos.tunnel_type
-
The type of tunnel (either SSLVPN or IPSec).
type: keyword
-
panw.panos.connect_method
-
A string showing how the GlobalProtect app connects to the gateway.
type: keyword
-
panw.panos.matchname
-
Name of the HIP object or profile.
type: keyword
-
panw.panos.matchtype
-
Whether the value in matchname refers to a HIP object or a HIP profile.
type: keyword
-
panw.panos.priority
-
The priority of the gateway to which the GlobalProtect app can connect: highest (1), high (2), medium (3), low (4), or lowest (5).
type: keyword
-
panw.panos.response_time
-
The SSL response time of the selected gateway, measured in milliseconds on the endpoint during tunnel setup.
type: keyword
-
panw.panos.attempted_gateways
-
The fields collected for each gateway connection attempt: the gateway name, SSL response time, and priority.
type: keyword
-
panw.panos.gateway
-
The name of the gateway that is specified on the portal configuration.
type: keyword
-
panw.panos.selection_type
-
The connection method that is selected to connect to the gateway.
type: keyword