Filebeat Reference
sophos Module
Module for parsing Sophos XG syslog.
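The field list on this page is produced by parsing the key=value payload of a Sophos XG syslog message and coercing each value to the declared type (ip, integer, long, float, or keyword). The following is an added example, not code from the Filebeat module, showing that step in Python: a small key=value parser that emits `sophos.xg.*` fields with the types listed here, keeps untyped values as keyword strings (so `log_id` retains its leading zero instead of being turned into a number), records values that fail coercion instead of silently dropping them, and then runs a simple detection over the parsed events (sources that were denied on several distinct destination ports). The sample lines are constructed for the example and are not captured from a real device; they assume the keys already carry the field names listed on this page, and the type sets and the sweep threshold are the example's own choices.

```python
"""Added example (not the Filebeat module's own code): parse Sophos XG-style
key=value syslog payloads into sophos.xg.* fields with the types this page
declares, then run a denied-traffic sweep check over the parsed events.
Assumption: keys already carry the field names listed on this page."""
import ipaddress
import re
from typing import Any, Dict, List

# A value is either double-quoted (may contain spaces and backslash-escaped
# quotes) or a bare run of non-whitespace characters, possibly empty.
_KV_RE = re.compile(
    r'(?P<key>[A-Za-z0-9_]+)=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>\S*))'
)

# Type hints taken from this page's field reference (a subset). Everything
# else stays a keyword string, which is what keeps log_id's leading zero.
IP_FIELDS = {"src_ip", "dst_ip", "trans_src_ip", "trans_dst_ip", "sourceip",
             "destinationip", "remote_ip", "updatedip"}
INT_FIELDS = {"fw_rule_id", "src_port", "dst_port", "trans_src_port",
              "trans_dst_port", "con_id", "conn_id", "vconn_id", "ips_policy_id",
              "idp_policy_id", "appfilter_policy_id", "file_size", "filesize",
              "mailsize", "total_memory", "duration", "sent_bytes", "recv_bytes",
              "sent_pkts", "received_pkts", "httpresponsecode", "users"}
FLOAT_FIELDS = {"idle_cpu", "system_cpu", "user_cpu", "temp"}

# Constructed sample lines (not captured from a real device).
SAMPLE_LINES = [
    r'device="SFW" date=2021-03-01 time=10:15:32 timezone="UTC" device_name="SFVUNL" device_id=C01001AAAAAAAAA log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allowed" priority=Information duration=12 fw_rule_id=2 in_interface="Port1" out_interface="Port2" src_ip=10.0.0.5 dst_ip=203.0.113.10 protocol="TCP" src_port=51234 dst_port=443 sent_bytes=1540 recv_bytes=9821 src_zone_type="LAN" dst_zone_type="WAN" con_id=1234567 hb_health="No Heartbeat" message=""',
    r'device="SFW" date=2021-03-01 time=10:16:01 timezone="UTC" log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Denied" priority=Information fw_rule_id=0 in_interface="Port2" src_ip=198.51.100.7 dst_ip=203.0.113.10 protocol="TCP" src_port=40001 dst_port=22 src_zone_type="WAN" dst_zone_type="LAN" message="Denied by rule \"block-wan-in\""',
    r'device="SFW" date=2021-03-01 time=10:16:02 timezone="UTC" log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Denied" priority=Information fw_rule_id=0 in_interface="Port2" src_ip=198.51.100.7 dst_ip=203.0.113.10 protocol="TCP" src_port=40002 dst_port=3389 src_zone_type="WAN" dst_zone_type="LAN" message=""',
    r'device="SFW" date=2021-03-01 time=10:16:03 timezone="UTC" log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Denied" priority=Information fw_rule_id=0 in_interface="Port2" src_ip=198.51.100.7 dst_ip=203.0.113.10 protocol="TCP" src_port=40003 dst_port=445 src_zone_type="WAN" dst_zone_type="LAN" message=""',
    r'device="SFW" date=2021-03-01 time=10:16:30 timezone="UTC" log_id=010102600002 log_type="Firewall" log_component="Firewall Rule" log_subtype="Denied" status="Denied" priority=Information fw_rule_id=0 in_interface="Port2" src_ip=198.51.100.9 dst_ip=203.0.113.10 protocol="TCP" src_port=50001 dst_port=80 src_zone_type="WAN" dst_zone_type="LAN" message=""',
    # Malformed values for typed fields: recorded, not silently coerced.
    r'device="SFW" date=2021-03-01 time=10:17:00 timezone="UTC" log_id=010102600006 log_type="Firewall" status="Denied" src_ip=not-an-ip fw_rule_id=abc dst_port=23',
]


def parse_sophos_xg(line: str) -> Dict[str, Any]:
    """Return a dict keyed 'sophos.xg.<field>'. Empty values are dropped;
    values that fail type coercion go into '_parse_errors' so a malformed
    line stays visible to the analyst instead of producing a wrong field."""
    event: Dict[str, Any] = {}
    errors: List[str] = []
    for m in _KV_RE.finditer(line):
        key = m.group("key")
        raw = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        if not raw:
            continue
        try:
            if key in IP_FIELDS:
                value: Any = str(ipaddress.ip_address(raw))   # validates v4/v6
            elif key in INT_FIELDS:
                value = int(raw)
            elif key in FLOAT_FIELDS:
                value = float(raw)
            else:
                value = raw.replace('\\"', '"')               # keyword, unescaped
        except ValueError:
            errors.append(f"{key}={raw!r}")
            continue
        event[f"sophos.xg.{key}"] = value
    if errors:
        event["_parse_errors"] = errors
    return event


def denied_port_sweeps(events: List[Dict[str, Any]], min_ports: int = 3) -> Dict[str, List[int]]:
    """Group Denied firewall events by source IP and return the sources that
    were blocked on at least `min_ports` distinct destination ports."""
    ports_by_src: Dict[str, set] = {}
    for ev in events:
        if ev.get("sophos.xg.log_type") != "Firewall" or ev.get("sophos.xg.status") != "Denied":
            continue
        src, port = ev.get("sophos.xg.src_ip"), ev.get("sophos.xg.dst_port")
        if src is None or port is None:
            continue
        ports_by_src.setdefault(src, set()).add(port)
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


if __name__ == "__main__":
    parsed = [parse_sophos_xg(line) for line in SAMPLE_LINES]
    for ev in parsed:
        print(ev)
    print(denied_port_sweeps(parsed))
```

Two points worth noting when building detections on these fields: `log_id` is a keyword, so keep it as a string in any mapping you write yourself, and the page lists several near-duplicate names (`src_ip`/`sourceip`, `con_id`/`conn_id`/`connid`, `app_name`/`application_name`), so a query that keys on only one spelling can miss events of another log type.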
-
sophos.xg.action
-
Event Action
type: keyword
-
sophos.xg.activityname
-
Web policy activity that matched and caused the policy result.
type: keyword
-
sophos.xg.ap
-
Access Point Serial ID or LocalWifi0 or LocalWifi1.
type: keyword
-
sophos.xg.app_category
-
Name of the category under which application falls
type: keyword
-
sophos.xg.app_filter_policy_id
-
Application filter policy ID applied on the traffic
type: keyword
-
sophos.xg.app_is_cloud
-
Whether the application is a cloud application
type: keyword
-
sophos.xg.app_name
-
Application name
type: keyword
-
sophos.xg.app_resolved_by
-
Application is resolved by signature or synchronized application
type: keyword
-
sophos.xg.app_risk
-
Risk level assigned to the application
type: keyword
-
sophos.xg.app_technology
-
Technology of the application
type: keyword
-
sophos.xg.appfilter_policy_id
-
Application Filter policy applied on the traffic
type: integer
-
sophos.xg.application
-
Application name
type: keyword
-
sophos.xg.application_category
-
Name of the category under which application falls
type: keyword
-
sophos.xg.application_filter_policy
-
Application Filter policy applied on the traffic
type: integer
-
sophos.xg.application_name
-
Application name
type: keyword
-
sophos.xg.application_risk
-
Risk level assigned to the application
type: keyword
-
sophos.xg.application_technology
-
Technology of the application
type: keyword
-
sophos.xg.appresolvedby
-
Application is resolved by signature or synchronized application
type: keyword
-
sophos.xg.auth_client
-
Auth Client
type: keyword
-
sophos.xg.auth_mechanism
-
Auth mechanism
type: keyword
-
sophos.xg.av_policy_name
-
Malware scanning policy name which is applied on the traffic
type: keyword
-
sophos.xg.backup_mode
-
Backup mode
type: keyword
-
sophos.xg.branch_name
-
Branch Name
type: keyword
-
sophos.xg.category
-
IPS signature category.
type: keyword
-
sophos.xg.category_type
-
Type of category under which website falls
type: keyword
-
sophos.xg.classification
-
Signature classification
type: keyword
-
sophos.xg.client_host_name
-
Client host name
type: keyword
-
sophos.xg.client_physical_address
-
Client physical address
type: keyword
-
sophos.xg.clients_conn_ssid
-
Number of clients connected to the SSID.
type: long
-
sophos.xg.collisions
-
collisions
type: long
-
sophos.xg.con_event
-
Event Start/Stop
type: keyword
-
sophos.xg.con_id
-
Unique identifier of connection
type: integer
-
sophos.xg.configuration
-
Configuration
type: float
-
sophos.xg.conn_id
-
Unique identifier of connection
type: integer
-
sophos.xg.connectionname
-
Connection name
type: keyword
-
sophos.xg.connectiontype
-
Connection type
type: keyword
-
sophos.xg.connevent
-
Event on which this log is generated
type: keyword
-
sophos.xg.connid
-
Connection ID
type: keyword
-
sophos.xg.content_type
-
Type of the content
type: keyword
-
sophos.xg.contenttype
-
Type of the content
type: keyword
-
sophos.xg.context_match
-
Context Match
type: keyword
-
sophos.xg.context_prefix
-
Context Prefix
type: keyword
-
sophos.xg.context_suffix
-
Context Suffix
type: keyword
-
sophos.xg.cookie
-
cookie
type: keyword
-
sophos.xg.date
-
Date (yyyy-mm-dd) when the event occurred
type: date
-
sophos.xg.destinationip
-
Original destination IP address of traffic
type: ip
-
sophos.xg.device
-
device
type: keyword
-
sophos.xg.device_id
-
Serial number of the device
type: keyword
-
sophos.xg.device_model
-
Model number of the device
type: keyword
-
sophos.xg.device_name
-
Name of the device
type: keyword
-
sophos.xg.dictionary_name
-
Dictionary Name
type: keyword
-
sophos.xg.dir_disp
-
Packet direction. Possible values: "org", "reply", "" (empty)
type: keyword
-
sophos.xg.direction
-
Direction
type: keyword
-
sophos.xg.domainname
-
Domain from which virus was downloaded
type: keyword
-
sophos.xg.download_file_name
-
Download file name
type: keyword
-
sophos.xg.download_file_type
-
Download file type
type: keyword
-
sophos.xg.dst_country_code
-
Code of the country to which the destination IP belongs
type: keyword
-
sophos.xg.dst_domainname
-
Receiver domain name
type: keyword
-
sophos.xg.dst_ip
-
Original destination IP address of traffic
type: ip
-
sophos.xg.dst_port
-
Original destination port of TCP and UDP traffic
type: integer
-
sophos.xg.dst_zone_type
-
Type of destination zone
type: keyword
-
sophos.xg.dstdomain
-
Destination Domain
type: keyword
-
sophos.xg.duration
-
Duration of traffic (seconds)
type: long
-
sophos.xg.email_subject
-
Email Subject
type: keyword
-
sophos.xg.ep_uuid
-
Endpoint UUID
type: keyword
-
sophos.xg.ether_type
-
ethernet frame type
type: keyword
-
sophos.xg.eventid
-
ATP Event ID
type: keyword
-
sophos.xg.eventtime
-
Event time
type: date
-
sophos.xg.eventtype
-
ATP event type
type: keyword
-
sophos.xg.exceptions
-
List of the checks excluded by web exceptions.
type: keyword
-
sophos.xg.execution_path
-
ATP execution path
type: keyword
-
sophos.xg.extra
-
extra
type: keyword
-
sophos.xg.file_name
-
Filename
type: keyword
-
sophos.xg.file_path
-
File path
type: keyword
-
sophos.xg.file_size
-
File Size
type: integer
-
sophos.xg.filename
-
File name associated with the event
type: keyword
-
sophos.xg.filepath
-
Path of the file containing virus
type: keyword
-
sophos.xg.filesize
-
Size of the file that contained virus
type: integer
-
sophos.xg.free
-
free
type: integer
-
sophos.xg.from_email_address
-
Sender email address
type: keyword
-
sophos.xg.ftp_direction
-
Direction of FTP transfer: Upload or Download
type: keyword
-
sophos.xg.ftp_url
-
FTP URL from which virus was downloaded
type: keyword
-
sophos.xg.ftpcommand
-
FTP command used when virus was found
type: keyword
-
sophos.xg.fw_rule_id
-
Firewall Rule ID which is applied on the traffic
type: integer
-
sophos.xg.fw_rule_type
-
Firewall rule type which is applied on the traffic
type: keyword
-
sophos.xg.hb_health
-
Heartbeat status
type: keyword
-
sophos.xg.hb_status
-
Heartbeat status
type: keyword
-
sophos.xg.host
-
Host
type: keyword
-
sophos.xg.http_category
-
HTTP Category
type: keyword
-
sophos.xg.http_category_type
-
HTTP Category Type
type: keyword
-
sophos.xg.httpresponsecode
-
HTTP response code
type: long
-
sophos.xg.iap
-
Internet Access policy ID applied on the traffic
type: keyword
-
sophos.xg.icmp_code
-
ICMP code of ICMP traffic
type: keyword
-
sophos.xg.icmp_type
-
ICMP type of ICMP traffic
type: keyword
-
sophos.xg.idle_cpu
-
Idle CPU percentage
type: float
-
sophos.xg.idp_policy_id
-
IPS policy ID which is applied on the traffic
type: integer
-
sophos.xg.idp_policy_name
-
IPS policy name which is applied on the traffic
type: keyword
-
sophos.xg.in_interface
-
Interface for incoming traffic, e.g., Port A
type: keyword
-
sophos.xg.interface
-
interface
type: keyword
-
sophos.xg.ipaddress
-
IP address
type: keyword
-
sophos.xg.ips_policy_id
-
IPS policy ID applied on the traffic
type: integer
-
sophos.xg.lease_time
-
Lease Time
type: keyword
-
sophos.xg.localgateway
-
Local gateway
type: keyword
-
sophos.xg.localnetwork
-
Local network
type: keyword
-
sophos.xg.log_component
-
Component responsible for logging e.g. Firewall rule
type: keyword
-
sophos.xg.log_id
-
Unique 12-character log ID code
type: keyword
-
sophos.xg.log_subtype
-
Sub type of event
type: keyword
-
sophos.xg.log_type
-
Type of event e.g. firewall event
type: keyword
-
sophos.xg.log_version
-
Log Version
type: keyword
-
sophos.xg.login_user
-
ATP login user
type: keyword
-
sophos.xg.mailid
-
Mail ID
type: keyword
-
sophos.xg.mailsize
-
Mail size
type: integer
-
sophos.xg.message
-
Message
type: keyword
-
sophos.xg.mode
-
Mode
type: keyword
-
sophos.xg.nat_rule_id
-
NAT Rule ID
type: keyword
-
sophos.xg.newversion
-
New version
type: keyword
-
sophos.xg.oldversion
-
Old version
type: keyword
-
sophos.xg.out_interface
-
Interface for outgoing traffic, e.g., Port B
type: keyword
-
sophos.xg.override_authorizer
-
Override authorizer
type: keyword
-
sophos.xg.override_name
-
Override name
type: keyword
-
sophos.xg.override_token
-
Override token
type: keyword
-
sophos.xg.phpsessid
-
PHP session ID
type: keyword
-
sophos.xg.platform
-
Platform of the traffic.
type: keyword
-
sophos.xg.policy_type
-
Policy type applied to the traffic
type: keyword
-
sophos.xg.priority
-
Severity level of traffic
type: keyword
-
sophos.xg.protocol
-
Protocol number of traffic
type: keyword
-
sophos.xg.qualifier
-
Qualifier
type: keyword
-
sophos.xg.quarantine
-
Path and filename of the file quarantined
type: keyword
-
sophos.xg.quarantine_reason
-
Quarantine reason
type: keyword
-
sophos.xg.querystring
-
Query string
type: keyword
-
sophos.xg.raw_data
-
Raw data
type: keyword
-
sophos.xg.received_pkts
-
Total number of packets received
type: long
-
sophos.xg.receiveddrops
-
received drops
type: long
-
sophos.xg.receivederrors
-
received errors
type: keyword
-
sophos.xg.receivedkbits
-
received kbits
type: long
-
sophos.xg.recv_bytes
-
Total number of bytes received
type: long
-
sophos.xg.red_id
-
RED ID
type: keyword
-
sophos.xg.referer
-
Referer
type: keyword
-
sophos.xg.remote_ip
-
Remote IP
type: ip
-
sophos.xg.remotenetwork
-
Remote network
type: keyword
-
sophos.xg.reported_host
-
Reported Host
type: keyword
-
sophos.xg.reported_ip
-
Reported IP
type: keyword
-
sophos.xg.reports
-
Reports
type: float
-
sophos.xg.rule_priority
-
Priority of IPS policy
type: keyword
-
sophos.xg.sent_bytes
-
Total number of bytes sent
type: long
-
sophos.xg.sent_pkts
-
Total number of packets sent
type: long
-
sophos.xg.server
-
Server
type: keyword
-
sophos.xg.sessionid
-
Session ID
type: keyword
-
sophos.xg.sha1sum
-
SHA1 checksum of the item being analyzed
type: keyword
-
sophos.xg.signature
-
Signature
type: float
-
sophos.xg.signature_id
-
Signature ID
type: keyword
-
sophos.xg.signature_msg
-
Signature message
type: keyword
-
sophos.xg.site_category
-
Site Category
type: keyword
-
sophos.xg.source
-
Source
type: keyword
-
sophos.xg.sourceip
-
Original source IP address of traffic
type: ip
-
sophos.xg.spamaction
-
Spam Action
type: keyword
-
sophos.xg.sqli
-
SQL injection attempt caught by the WAF
type: keyword
-
sophos.xg.src_country_code
-
Code of the country to which the source IP belongs
type: keyword
-
sophos.xg.src_domainname
-
Sender domain name
type: keyword
-
sophos.xg.src_ip
-
Original source IP address of traffic
type: ip
-
sophos.xg.src_mac
-
Original source MAC address of traffic
type: keyword
-
sophos.xg.src_port
-
Original source port of TCP and UDP traffic
type: integer
-
sophos.xg.src_zone_type
-
Type of source zone
type: keyword
-
sophos.xg.ssid
-
Configured SSID name.
type: keyword
-
sophos.xg.start_time
-
Start time
type: date
-
sophos.xg.starttime
-
Start time
type: date
-
sophos.xg.status
-
Final status of traffic: Allowed or Denied
type: keyword
-
sophos.xg.status_code
-
Status code
type: keyword
-
sophos.xg.subject
-
Email subject
type: keyword
-
sophos.xg.syslog_server_name
-
Syslog server name.
type: keyword
-
sophos.xg.system_cpu
-
System CPU percentage
type: float
-
sophos.xg.target
-
Platform of the traffic.
type: keyword
-
sophos.xg.temp
-
Temp
type: float
-
sophos.xg.threatname
-
ATP threatname
type: keyword
-
sophos.xg.timestamp
-
timestamp
type: date
-
sophos.xg.timezone
-
Time zone of the event timestamp
type: keyword
-
sophos.xg.to_email_address
-
Recipient email address
type: keyword
-
sophos.xg.total_memory
-
Total Memory
type: integer
-
sophos.xg.trans_dst_ip
-
Translated destination IP address for outgoing traffic
type: ip
-
sophos.xg.trans_dst_port
-
Translated destination port for outgoing traffic
type: integer
-
sophos.xg.trans_src_ip
-
Translated source IP address for outgoing traffic
type: ip
-
sophos.xg.trans_src_port
-
Translated source port for outgoing traffic
type: integer
-
sophos.xg.transaction_id
-
Transaction ID
type: keyword
-
sophos.xg.transactionid
-
Transaction ID of the AV scan.
type: keyword
-
sophos.xg.transmitteddrops
-
transmitted drops
type: long
-
sophos.xg.transmittederrors
-
transmitted errors
type: keyword
-
sophos.xg.transmittedkbits
-
transmitted kbits
type: long
-
sophos.xg.unit
-
unit
type: keyword
-
sophos.xg.updatedip
-
Updated IP address
type: ip
-
sophos.xg.upload_file_name
-
Upload file name
type: keyword
-
sophos.xg.upload_file_type
-
Upload file type
type: keyword
-
sophos.xg.url
-
URL from which virus was downloaded
type: keyword
-
sophos.xg.used
-
used
type: integer
-
sophos.xg.used_quota
-
Used Quota
type: keyword
-
sophos.xg.user
-
User
type: keyword
-
sophos.xg.user_cpu
-
User CPU percentage
type: float
-
sophos.xg.user_gp
-
Group name to which the user belongs.
type: keyword
-
sophos.xg.user_group
-
Group name to which the user belongs
type: keyword
-
sophos.xg.user_name
-
User name
type: keyword
-
sophos.xg.users
-
Number of users from System Health / Live User events.
type: long
-
sophos.xg.vconn_id
-
Connection ID of the master connection
type: integer
-
sophos.xg.virus
-
virus name
type: keyword
-
sophos.xg.web_policy_id
-
Web policy ID
type: keyword
-
sophos.xg.website
-
Website
type: keyword
-
sophos.xg.xss
-
XSS attempt caught by the WAF
type: keyword