Zeek fields

Module for handling logs produced by Zeek/Bro.

zeek

Fields from Zeek/Bro logs after normalization.
-
zeek.session_id
-
A unique identifier of the session
type: keyword
-
zeek.connection.local_orig
-
Indicates whether the session is originated locally
type: boolean
-
zeek.connection.local_resp
-
Indicates whether the session is responded to locally
type: boolean
-
zeek.connection.missed_bytes
-
Missed bytes for the session
type: long
-
zeek.connection.state
-
Flags indicating the state of the session
type: keyword
-
zeek.connection.history
-
Flags indicating the history of the session
type: keyword
-
zeek.connection.orig_l2_addr
-
Link-layer address of the originator, if available
type: keyword
-
zeek.connection.resp_l2_addr
-
Link-layer address of the responder, if available
type: keyword
-
zeek.connection.vlan
-
VLAN identifier
type: integer
-
zeek.connection.inner_vlan
-
VLAN identifier
type: integer
-
zeek.dns.trans_id
-
DNS transaction identifier
type: keyword
-
zeek.dns.rtt
-
Round trip time for the query and response
type: double
-
zeek.dns.query
-
The domain name that is the subject of the DNS query
type: keyword
-
zeek.dns.qclass
-
The QCLASS value specifying the class of the query
type: long
-
zeek.dns.qclass_name
-
A descriptive name for the class of the query
type: keyword
-
zeek.dns.qtype
-
A QTYPE value specifying the type of the query
type: long
-
zeek.dns.qtype_name
-
A descriptive name for the type of the query
type: keyword
-
zeek.dns.rcode
-
The response code value in DNS response messages
type: long
-
zeek.dns.rcode_name
-
A descriptive name for the response code value
type: keyword
-
zeek.dns.AA
-
The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section
type: boolean
-
zeek.dns.TC
-
The Truncation bit specifies that the message was truncated
type: boolean
-
zeek.dns.RD
-
The Recursion Desired bit in a request message indicates that the client wants recursive service for this query
type: boolean
-
zeek.dns.RA
-
The Recursion Available bit in a response message indicates that the name server supports recursive queries.
type: boolean
-
zeek.dns.answers
-
The set of resource descriptions in the query answer
type: keyword
-
zeek.dns.TTLs
-
The caching intervals of the associated RRs described by the answers field
type: double
-
zeek.dns.rejected
-
Indicates whether the DNS query was rejected by the server
type: boolean
-
zeek.dns.total_answers
-
The total number of resource records in the reply
type: integer
-
zeek.dns.total_replies
-
The total number of resource records in the reply message
type: integer
-
zeek.dns.saw_query
-
Whether the full DNS query has been seen
type: boolean
-
zeek.dns.saw_reply
-
Whether the full DNS reply has been seen
type: boolean
-
zeek.http.trans_depth
-
Represents the pipelined depth into the connection of this request/response transaction
type: integer
-
zeek.http.status_msg
-
Status message returned by the server
type: keyword
-
zeek.http.info_code
-
Last seen 1xx informational reply code returned by the server.
type: integer
-
zeek.http.info_msg
-
Last seen 1xx informational reply message returned by the server.
type: keyword
-
zeek.http.tags
-
A set of indicators of various attributes discovered and related to a particular request/response pair.
type: keyword
-
zeek.http.password
-
Password if basic-auth is performed for the request
type: keyword
-
zeek.http.captured_password
-
Determines if the password will be captured for this request
type: boolean
-
zeek.http.proxied
-
All of the headers that may indicate if the HTTP request was proxied
type: keyword
-
zeek.http.range_request
-
Indicates if this request can assume 206 partial content in response
type: boolean
-
zeek.http.client_header_names
-
The vector of HTTP header names sent by the client. No header values are included here, just the header names.
type: keyword
-
zeek.http.server_header_names
-
The vector of HTTP header names sent by the server. No header values are included here, just the header names
type: keyword
-
zeek.http.orig_fuids
-
An ordered vector of file unique IDs from the originator
type: keyword
-
zeek.http.orig_mime_types
-
An ordered vector of mime types from the originator
type: keyword
-
zeek.http.orig_filenames
-
An ordered vector of filenames from the originator
type: keyword
-
zeek.http.resp_fuids
-
An ordered vector of file unique IDs from the responder
type: keyword
-
zeek.http.resp_mime_types
-
An ordered vector of mime types from the responder
type: keyword
-
zeek.http.resp_filenames
-
An ordered vector of filenames from the responder
type: keyword
-
zeek.http.orig_mime_depth
-
Current number of MIME entities in the HTTP request message body
type: integer
-
zeek.http.resp_mime_depth
-
Current number of MIME entities in the HTTP response message body
type: integer
-
zeek.files.fuid
-
A file unique identifier
type: keyword
-
zeek.files.tx_host
-
The host that transferred the file
type: ip
-
zeek.files.rx_host
-
The host that received the file
type: ip
-
zeek.files.session_ids
-
The sessions that have this file
type: keyword
-
zeek.files.source
-
An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source
type: keyword
-
zeek.files.depth
-
A value to represent the depth of this file in relation to its source. In SMTP, it is the depth of the MIME attachment on the message. In HTTP, it is the depth of the request within the TCP connection
type: long
-
zeek.files.analyzers
-
A set of analysis types done during the file analysis
type: keyword
-
zeek.files.mime_type
-
Mime type of the file
type: keyword
-
zeek.files.filename
-
Name of the file if available
type: keyword
-
zeek.files.local_orig
-
If the source of this file is a network connection, this field indicates if the data originated from the local network or not
type: boolean
-
zeek.files.is_orig
-
If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder
type: boolean
-
zeek.files.duration
-
The duration the file was analyzed for. Not the duration of the session.
type: double
-
zeek.files.seen_bytes
-
Number of bytes provided to the file analysis engine for the file
type: long
-
zeek.files.total_bytes
-
Total number of bytes that are supposed to comprise the full file
type: long
-
zeek.files.missing_bytes
-
The number of bytes in the file stream that were completely missed during the process of analysis
type: long
-
zeek.files.overflow_bytes
-
The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled
type: long
-
zeek.files.timedout
-
Whether the file analysis timed out at least once for the file
type: boolean
-
zeek.files.parent_fuid
-
Identifier associated with a container file from which this one was extracted as part of the file analysis
type: keyword
-
zeek.files.md5
-
An MD5 digest of the file contents
type: keyword
-
zeek.files.sha1
-
A SHA1 digest of the file contents
type: keyword
-
zeek.files.sha256
-
A SHA256 digest of the file contents.
type: keyword
-
zeek.files.extracted
-
Local filename of extracted file
type: keyword
-
zeek.files.extracted_cutoff
-
Indicates whether the file being extracted was cut off and hence not extracted completely
type: boolean
-
zeek.files.extracted_size
-
The number of bytes extracted to disk
type: long
-
zeek.files.entropy
-
The information density of the contents of the file
type: double
-
zeek.ssl.version
-
SSL/TLS version that was logged
type: keyword
-
zeek.ssl.cipher
-
SSL/TLS cipher suite that was logged
type: keyword
-
zeek.ssl.curve
-
Elliptic curve that was logged when using ECDH/ECDHE
type: keyword
-
zeek.ssl.server_name
-
Value of the Server Name Indicator SSL/TLS extension. It indicates the server name that the client was requesting
type: keyword
-
zeek.ssl.resumed
-
Flag to indicate if the session was resumed reusing the key material exchanged in an earlier connection
type: boolean
-
zeek.ssl.next_protocol
-
Next protocol the server chose using the application layer next protocol extension
type: keyword
-
zeek.ssl.established
-
Flag to indicate if this ssl session has been established successfully
type: boolean
-
zeek.ssl.cert_chain
-
Chain of certificates offered by the server to validate its complete signing chain
type: keyword
-
zeek.ssl.cert_chain_fuids
-
An ordered vector of certificate file identifiers for the certificates offered by the server
type: keyword
-
zeek.ssl.client_cert_chain
-
Chain of certificates offered by the client to validate its complete signing chain
type: keyword
-
zeek.ssl.client_cert_chain_fuids
-
An ordered vector of certificate file identifiers for the certificates offered by the client
type: keyword
-
zeek.ssl.issuer
-
Subject of the signer of the X.509 certificate offered by the server
type: keyword
-
zeek.ssl.client_issuer
-
Subject of the X.509 certificate offered by the client
type: keyword
-
zeek.ssl.validation_status
-
Result of certificate validation for this connection
type: keyword
-
zeek.ssl.validation_code
-
Result of certificate validation for this connection, given as OpenSSL validation code
type: keyword
-
zeek.ssl.subject
-
Subject of the X.509 certificate offered by the server
type: keyword
-
zeek.ssl.client_subject
-
Subject of the X.509 certificate offered by the client
type: keyword
-
zeek.ssl.last_alert
-
Last alert that was seen during the connection
type: keyword
-
zeek.notice.connection_id
-
Identifier of the related connection session
type: keyword
-
zeek.notice.icmp_id
-
Identifier of the related ICMP session
type: keyword
-
zeek.notice.file.id
-
An identifier associated with a single file that is related to this notice
type: keyword
-
zeek.notice.file.parent_id
-
Identifier associated with a container file from which this one was extracted
type: keyword
-
zeek.notice.file.source
-
An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source
type: keyword
-
zeek.notice.file.mime_type
-
A mime type if the notice is related to a file
type: keyword
-
zeek.notice.file.is_orig
-
If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder
type: boolean
-
zeek.notice.file.seen_bytes
-
Number of bytes provided to the file analysis engine for the file
type: long
-
zeek.fnotice.file.total_bytes
-
Total number of bytes that are supposed to comprise the full file
type: long
-
zeek.notice.file.missing_bytes
-
The number of bytes in the file stream that were completely missed during the process of analysis
type: long
-
zeek.notice.file.overflow_bytes
-
The number of bytes in the file stream that were not delivered to stream file analyzers. This could be overlapping bytes or bytes that couldn’t be reassembled
type: long
-
zeek.notice.fuid
-
A file unique ID if this notice is related to a file
type: keyword
-
zeek.notice.note
-
The type of the notice
type: keyword
-
zeek.notice.msg
-
The human readable message for the notice.
type: keyword
-
zeek.notice.sub
-
The human readable sub-message
type: keyword
-
zeek.notice.n
-
Associated count, or a status code
type: long
-
zeek.notice.peer_name
-
Name of remote peer that raised this notice
type: keyword
-
zeek.notice.peer_descr
-
Textual description for the peer that raised this notice
type: text
-
zeek.notice.actions
-
The actions which have been applied to this notice
type: keyword
-
zeek.notice.email_body_sections
-
By adding chunks of text into this element, other scripts can expand on notices that are being emailed
type: text
-
zeek.notice.email_delay_tokens
-
Adding a string token to this set will cause the built-in emailing functionality to delay sending the email until either the token has been removed or the email has been delayed for the specified time duration
type: keyword
-
zeek.notice.identifier
-
This field is provided when a notice is generated for the purpose of deduplicating notices
type: keyword
-
zeek.notice.suppress_for
-
This field indicates the length of time that this unique notice should be suppressed
type: double
-
zeek.notice.dropped
-
Indicates whether the source IP address was dropped and denied network access
type: boolean