- Filebeat Reference: other versions:
- Overview
- Get started
- Set up and run
- Upgrade
- How Filebeat works
- Configure
- Inputs
- General settings
- Project paths
- Config file loading
- Output
- SSL
- Index lifecycle management (ILM)
- Elasticsearch index template
- Kibana endpoint
- Kibana dashboards
- Processors
- Define processors
- add_cloud_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_observer_metadata
- add_process_metadata
- add_tags
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_cef
- decode_csv_fields
- decode_json_fields
- decompress_gzip_field
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- registered_domain
- rename
- script
- timestamp
- truncate_fields
- Autodiscover
- Internal queue
- Load balancing
- Logging
- HTTP endpoint
- Regular expression support
- filebeat.reference.yml
- How to guides
- Beats central management
- Modules
- Modules overview
- ActiveMQ module
- Apache module
- Auditd module
- AWS module
- Azure module
- CEF module
- Cisco module
- CoreDNS module
- Elasticsearch module
- Envoyproxy Module
- Google Cloud module
- haproxy module
- IBM MQ module
- Icinga module
- IIS module
- Iptables module
- Kafka module
- Kibana module
- Logstash module
- MISP module
- MongoDB module
- MSSQL module
- MySQL module
- nats module
- NetFlow module
- Nginx module
- Osquery module
- Palo Alto Networks module
- PostgreSQL module
- RabbitMQ module
- Redis module
- Santa module
- Suricata module
- System module
- Traefik module
- Zeek (Bro) Module
- Exported fields
- activemq fields
- Apache fields
- Auditd fields
- AWS fields
- Azure fields
- Beat fields
- Decode CEF processor fields fields
- CEF fields
- Cisco fields
- Cloud provider metadata fields
- Coredns fields
- Docker fields
- ECS fields
- elasticsearch fields
- Envoyproxy fields
- Google Cloud fields
- haproxy fields
- Host fields
- ibmmq fields
- Icinga fields
- IIS fields
- iptables fields
- Jolokia Discovery autodiscover provider fields
- Kafka fields
- kibana fields
- Kubernetes fields
- Log file content fields
- logstash fields
- MISP fields
- mongodb fields
- mssql fields
- MySQL fields
- nats fields
- NetFlow fields
- NetFlow fields
- Nginx fields
- Osquery fields
- panw fields
- PostgreSQL fields
- Process fields
- RabbitMQ fields
- Redis fields
- s3 fields
- Google Santa fields
- Suricata fields
- System fields
- Traefik fields
- Zeek fields
- Monitor
- Secure
- Troubleshoot
- Get help
- Debug
- Common problems
- Can’t read log files from network volumes
- Filebeat isn’t collecting lines from a file
- Too many open file handlers
- Registry file is too large
- Inode reuse causes Filebeat to skip lines
- Log rotation results in lost or duplicate events
- Open file handlers cause issues with Windows file rotation
- Filebeat is using too much CPU
- Dashboard in Kibana is breaking up data fields incorrectly
- Fields are not indexed or usable in Kibana visualizations
- Filebeat isn’t shipping the last line of a file
- Filebeat keeps open file handlers of deleted files for a long time
- Filebeat uses too much bandwidth
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
- Contribute to Beats
Cisco fields
editCisco fields
editModule for handling Cisco network device logs.
cisco
editFields from Cisco logs.
asa
editFields for Cisco ASA Firewall.
-
cisco.asa.message_id -
The Cisco ASA message identifier.
type: keyword
-
cisco.asa.suffix -
Optional suffix after %ASA identifier.
type: keyword
example: session
-
cisco.asa.source_interface -
Source interface for the flow or event.
type: keyword
-
cisco.asa.destination_interface -
Destination interface for the flow or event.
type: keyword
-
cisco.asa.rule_name -
Name of the Access Control List rule that matched this event.
type: keyword
-
cisco.asa.source_username -
Name of the user that is the source for this event.
type: keyword
-
cisco.asa.destination_username -
Name of the user that is the destination for this event.
type: keyword
-
cisco.asa.mapped_source_ip -
The translated source IP address.
type: ip
-
cisco.asa.mapped_source_port -
The translated source port.
type: long
-
cisco.asa.mapped_destination_ip -
The translated destination IP address.
type: ip
-
cisco.asa.mapped_destination_port -
The translated destination port.
type: long
-
cisco.asa.threat_level -
Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.
type: keyword
-
cisco.asa.threat_category -
Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.
type: keyword
-
cisco.asa.connection_id -
Unique identifier for a flow.
type: keyword
-
cisco.asa.icmp_type -
ICMP type.
type: short
-
cisco.asa.icmp_code -
ICMP code.
type: short
ftd
editFields for Cisco Firepower Threat Defense Firewall.
-
cisco.ftd.message_id -
The Cisco FTD message identifier.
type: keyword
-
cisco.ftd.suffix -
Optional suffix after %FTD identifier.
type: keyword
example: session
-
cisco.ftd.source_interface -
Source interface for the flow or event.
type: keyword
-
cisco.ftd.destination_interface -
Destination interface for the flow or event.
type: keyword
-
cisco.ftd.rule_name -
Name of the Access Control List rule that matched this event.
type: keyword
-
cisco.ftd.source_username -
Name of the user that is the source for this event.
type: keyword
-
cisco.ftd.destination_username -
Name of the user that is the destination for this event.
type: keyword
-
cisco.ftd.mapped_source_ip -
The translated source IP address. Use ECS source.nat.ip.
type: ip
-
cisco.ftd.mapped_source_port -
The translated source port. Use ECS source.nat.port.
type: long
-
cisco.ftd.mapped_destination_ip -
The translated destination IP address. Use ECS destination.nat.ip.
type: ip
-
cisco.ftd.mapped_destination_port -
The translated destination port. Use ECS destination.nat.port.
type: long
-
cisco.ftd.threat_level -
Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high.
type: keyword
-
cisco.ftd.threat_category -
Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc.
type: keyword
-
cisco.ftd.connection_id -
Unique identifier for a flow.
type: keyword
-
cisco.ftd.icmp_type -
ICMP type.
type: short
-
cisco.ftd.icmp_code -
ICMP code.
type: short
-
cisco.ftd.security -
Raw fields for Security Events.
type: object
ios
editFields for Cisco IOS logs.
-
cisco.ios.access_list -
Name of the IP access list.
type: keyword
-
cisco.ios.facility -
The facility to which the message refers (for example, SNMP, SYS, and so forth). A facility can be a hardware device, a protocol, or a module of the system software. It denotes the source or the cause of the system message.
type: keyword
example: SEC