WARNING: Version 6.1 of Packetbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
TLS fields
editTLS fields
editTLS-specific event fields.
tls.handshake_completed
edittype: boolean
Whether the TLS negotiation has been successful and the session has transitioned to encrypted mode.
tls.resumed
edittype: boolean
If the TLS session has been resumed from a previous session.
tls.resumption_method
edittype: keyword
If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension.
tls.client_certificate_requested
edittype: boolean
Whether the server has requested the client to authenticate itself using a client certificate.
tls.client_hello.version
edittype: keyword
The version of the TLS protocol by which the client wishes to communicate during this session.
tls.client_hello.supported_ciphers
edittype: array
List of ciphers the client is willing to use for this session. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
tls.client_hello.supported_compression_methods
edittype: array
The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml
extensions fields
editThe hello extensions provided by the client.
tls.client_hello.extensions.server_name_indication
edittype: keyword
List of hostnames
tls.client_hello.extensions.application_layer_protocol_negotiation
edittype: keyword
List of application-layer protocols the client is willing to use.
tls.client_hello.extensions.session_ticket
edittype: keyword
Length of the session ticket, if provided, or an empty string to advertise support for tickets.
tls.server_hello.version
edittype: keyword
The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello.
tls.server_hello.selected_cipher
edittype: keyword
The cipher suite selected by the server from the list provided by in the client hello.
tls.server_hello.selected_compression_method
edittype: keyword
The compression method selected by the server from the list provided in the client hello.
extensions fields
editThe hello extensions provided by the server.
tls.server_hello.extensions.application_layer_protocol_negotiation
edittype: array
Negotiated application layer protocol
tls.server_hello.extensions.session_ticket
edittype: keyword
Used to announce that a session ticket will be provided by the server. Always an empty string.
client_certificate fields
editCertificate provided by the client for authentication.
tls.client_certificate.version
edittype: long
X509 format version.
tls.client_certificate.serial_number
edittype: keyword
The certificate’s serial number.
tls.client_certificate.not_before
edittype: date
Date before which the certificate is not valid.
tls.client_certificate.not_after
edittype: date
Date after which the certificate expires.
tls.client_certificate.public_key_algorithm
edittype: keyword
The algorithm used for this certificate’s public key. One of RSA, DSA or ECDSA.
tls.client_certificate.signature_algorithm
edittype: keyword
The algorithm used for the certificate’s signature.
tls.client_certificate.alternative_names
edittype: array
Subject Alternative Names for this certificate.
tls.client_certificate.raw
edittype: keyword
The raw certificate in PEM format.
subject fields
editSubject represented by this certificate.
tls.client_certificate.subject.country
edittype: keyword
Country code.
tls.client_certificate.subject.organization
edittype: keyword
Organization name.
tls.client_certificate.subject.organizational_unit
edittype: keyword
Unit within organization.
tls.client_certificate.subject.province
edittype: keyword
Province or region within country.
tls.client_certificate.subject.common_name
edittype: keyword
Name or host name identified by the certificate.
issuer fields
editEntity that issued and signed this certificate.
tls.client_certificate.issuer.country
edittype: keyword
Country code.
tls.client_certificate.issuer.organization
edittype: keyword
Organization name.
tls.client_certificate.issuer.organizational_unit
edittype: keyword
Unit within organization.
tls.client_certificate.issuer.province
edittype: keyword
Province or region within country.
tls.client_certificate.issuer.common_name
edittype: keyword
Name or host name identified by the certificate.
server_certificate fields
editCertificate provided by the server for authentication.
tls.server_certificate.version
edittype: long
X509 format version.
tls.server_certificate.serial_number
edittype: keyword
The certificate’s serial number.
tls.server_certificate.not_before
edittype: date
Date before which the certificate is not valid.
tls.server_certificate.not_after
edittype: date
Date after which the certificate expires.
tls.server_certificate.public_key_algorithm
edittype: keyword
The algorithm used for this certificate’s public key. One of RSA, DSA or ECDSA.
tls.server_certificate.signature_algorithm
edittype: keyword
The algorithm used for the certificate’s signature.
tls.server_certificate.alternative_names
edittype: array
Subject Alternative Names for this certificate.
tls.server_certificate.raw
edittype: keyword
The raw certificate in PEM format.
subject fields
editSubject represented by this certificate.
tls.server_certificate.subject.country
edittype: keyword
Country code.
tls.server_certificate.subject.organization
edittype: keyword
Organization name.
tls.server_certificate.subject.organizational_unit
edittype: keyword
Unit within organization.
tls.server_certificate.subject.province
edittype: keyword
Province or region within country.
tls.server_certificate.subject.common_name
edittype: keyword
Name or host name identified by the certificate.
issuer fields
editEntity that issued and signed this certificate.
tls.server_certificate.issuer.country
edittype: keyword
Country code.
tls.server_certificate.issuer.organization
edittype: keyword
Organization name.
tls.server_certificate.issuer.organizational_unit
edittype: keyword
Unit within organization.
tls.server_certificate.issuer.province
edittype: keyword
Province or region within country.
tls.server_certificate.issuer.common_name
edittype: keyword
Name or host name identified by the certificate.
tls.server_certificate_chain
edittype: array
Chain of trust for the server certificate.
tls.client_certificate_chain
edittype: array
Chain of trust for the client certificate.
tls.alert_types
edittype: keyword
An array containing the TLS alert type for every alert received.