Common Journalbeat fields

Contains common fields available in all event types.

read_timestamp

The time when Journalbeat read the journal entry.

coredump fields

Fields used by the systemd-coredump kernel helper.

coredump.unit

type: keyword

Annotations of messages containing coredumps from system units.

coredump.user_unit

type: keyword

Annotations of messages containing coredumps from user units.

journald fields

Fields to log on behalf of a different program.

audit fields

Audit fields of the event.

journald.audit.loginuid

type: long

example: 1000

required: False

The login UID of the source process.

journald.audit.session

type: long

example: 3

required: False

The audit session of the source process.

journald.cmd

type: keyword

example: /lib/systemd/systemd --user

required: False

The command line of the process.

journald.name

type: keyword

example: /lib/systemd/systemd

required: False

Name of the executable.

journald.executable

type: keyword

example: /lib/systemd/systemd

required: False

Path to the executable.

journald.pid

type: long

example: 1

required: False

The ID of the process which logged the message.

journald.gid

type: long

example: 1

required: False

The ID of the group which runs the process.

journald.uid

type: long

example: 1

required: False

The ID of the user which runs the process.

journald.capabilites

required: False

The effective capabilities of the process.

systemd fields

Fields of systemd.

systemd.invocation_id

type: keyword

example: 8450f1672de646c88cd133aadd4f2d70

required: False

The invocation ID for the runtime cycle of the unit the message was generated in.

systemd.cgroup

type: keyword

example: /user.slice/user-1234.slice/session-2.scope

required: False

The control group path in the systemd hierarchy.

systemd.owner_uid

type: long

required: False

The owner UID of the systemd user unit or systemd session.

systemd.session

type: keyword

required: False

The ID of the systemd session.

systemd.slice

type: keyword

example: user-1234.slice

required: False

The systemd slice unit.

systemd.user_slice

type: keyword

required: False

The systemd user slice unit.

systemd.unit

type: keyword

example: nginx.service

required: False

The name of the systemd unit.

systemd.user_unit

type: keyword

example: user-1234.slice

required: False

The name of the systemd user unit.

systemd.transport

type: keyword

example: syslog

required: True

How the log message was received by journald.

host fields

Fields of the host.

host.boot_id

type: text

example: dd8c974asdf01dbe2ef26d7fasdf264c9

required: False

The boot ID for the boot the log was generated in.

syslog fields

Fields of the code generating the event.

syslog.priority

type: long

example: 1

required: False

The priority of the message. A syslog compatibility field.

syslog.facility

type: long

example: 1

required: False

The facility of the message. A syslog compatibility field.

syslog.identifier

type: text

example: su

required: False

The identifier of the message. A syslog compatibility field.

message

type: text

required: True

The logged message.

custom

type: nested

required: False

Arbitrary fields coming from processes.