This functionality is experimental and may be changed or removed completely in a future release. Elastic will take a best effort approach to fix any issues, but experimental features are not subject to the support SLA of official GA features.
NOTE: You are looking at documentation for an older release. For the latest information, see the current release documentation.
Common Journalbeat fields
Contains common fields available in all event types.
-
read_timestamp
-
The time when Journalbeat read the journal entry.
coredump fields
Fields used by systemd-coredump kernel helper.
-
coredump.unit
-
type: keyword
Annotations of messages containing coredumps from system units.
-
coredump.user_unit
-
type: keyword
Annotations of messages containing coredumps from user units.
journald fields
Fields provided by journald.
object fields
Fields to log on behalf of a different program.
audit fields
Audit fields of event.
-
journald.object.audit.login_uid
-
type: long
example: 1000
required: False
The login UID of the object process.
-
journald.object.audit.session
-
type: long
example: 3
required: False
The audit session of the object process.
-
journald.object.cmd
-
type: keyword
example: /lib/systemd/systemd --user
required: False
The command line of the process.
-
journald.object.name
-
type: keyword
example: /lib/systemd/systemd
required: False
Name of the executable.
-
journald.object.executable
-
type: keyword
example: /lib/systemd/systemd
required: False
Path to the executable.
-
journald.object.uid
-
type: long
required: False
UID of the object process.
-
journald.object.gid
-
type: long
required: False
GID of the object process.
-
journald.object.pid
-
type: long
required: False
PID of the object process.
systemd fields
Systemd fields of event.
-
journald.object.systemd.owner_uid
-
type: long
required: False
The UID of the owner.
-
journald.object.systemd.session
-
type: keyword
required: False
The ID of the systemd session.
-
journald.object.systemd.unit
-
type: keyword
required: False
The name of the systemd unit.
-
journald.object.systemd.user_unit
-
type: keyword
required: False
The name of the systemd user unit.
kernel fields
Fields to log on behalf of a different program.
-
journald.kernel.device
-
type: keyword
required: False
The kernel device name.
-
journald.kernel.subsystem
-
type: keyword
required: False
The kernel subsystem name.
-
journald.kernel.device_symlinks
-
type: text
required: False
Additional symlink names pointing to the device node in /dev.
-
journald.kernel.device_node_path
-
type: text
required: False
The device node path of this device in /dev.
-
journald.kernel.device_name
-
type: text
required: False
The kernel device name as it shows up in the device tree below /sys.
code fields
Fields of the code generating the event.
-
journald.code.file
-
type: text
example: ../src/core/manager.c
required: False
The name of the source file where the log is generated.
-
journald.code.function
-
type: text
example: job_log_status_message
required: False
The name of the function which generated the log message.
-
journald.code.line
-
type: long
example: 123
required: False
The line number of the code which generated the log message.
process fields
Fields to log on behalf of a different program.
audit fields
Audit fields of event.
-
journald.process.audit.loginuid
-
type: long
example: 1000
required: False
The login UID of the source process.
-
journald.process.audit.session
-
type: long
example: 3
required: False
The audit session of the source process.
-
journald.process.cmd
-
type: keyword
example: /lib/systemd/systemd --user
required: False
The command line of the process.
-
journald.process.name
-
type: keyword
example: /lib/systemd/systemd
required: False
Name of the executable.
-
journald.process.executable
-
type: keyword
example: /lib/systemd/systemd
required: False
Path to the executable.
-
journald.process.pid
-
type: long
example: 1
required: False
The ID of the process which logged the message.
-
journald.process.gid
-
type: long
example: 1
required: False
The ID of the group which runs the process.
-
journald.process.uid
-
type: long
example: 1
required: False
The ID of the user which runs the process.
-
journald.process.capabilites
-
required: False
The effective capabilities of the process.
systemd fields
Fields of systemd.
-
systemd.invocation_id
-
type: keyword
example: 8450f1672de646c88cd133aadd4f2d70
required: False
The invocation ID for the runtime cycle of the unit the message was generated in.
-
systemd.cgroup
-
type: keyword
example: /user.slice/user-1234.slice/session-2.scope
required: False
The control group path in the systemd hierarchy.
-
systemd.owner_uid
-
type: long
required: False
The owner UID of the systemd user unit or systemd session.
-
systemd.session
-
type: keyword
required: False
The ID of the systemd session.
-
systemd.slice
-
type: keyword
example: user-1234.slice
required: False
The systemd slice unit.
-
systemd.user_slice
-
type: keyword
required: False
The systemd user slice unit.
-
systemd.unit
-
type: keyword
example: nginx.service
required: False
The name of the systemd unit.
-
systemd.user_unit
-
type: keyword
example: user-1234.slice
required: False
The name of the systemd user unit.
-
systemd.transport
-
type: keyword
example: syslog
required: True
How the log message was received by journald.
host fields
Fields of the host.
-
host.boot_id
-
type: text
example: dd8c974asdf01dbe2ef26d7fasdf264c9
required: False
The boot ID for the boot the log was generated in.
syslog fields
Fields of the code generating the event.
-
syslog.priority
-
type: long
example: 1
required: False
The priority of the message. A syslog compatibility field.
-
syslog.facility
-
type: long
example: 1
required: False
The facility of the message. A syslog compatibility field.
-
syslog.identifier
-
type: text
example: su
required: False
The identifier of the message. A syslog compatibility field.
-
message
-
type: text
required: True
The logged message.
-
custom
-
type: nested
required: False
Arbitrary fields coming from processes.