IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« HTTP Fields Network Fields »
Elastic Docs Elastic Common Schema (ECS) Reference [1.4] ECS Field Reference

Log Fields

edit

Log Fields

edit

Details about the event’s logging mechanism or logging transport.

The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under log.syslog.*.

The details specific to your event source are typically not logged under log.*, but rather in event.* or in other ECS fields.

Log Field Details

edit
Field Description Level

log.level

Original log level of the log event.

If the source of the event provides a log level or textual severity, this is the one that goes in log.level. If your source doesn’t specify one, you may put your event transport’s severity here (e.g. Syslog severity).

Some examples are warn, err, i, informational.

type: keyword

example: error

core

log.logger

The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.

type: keyword

example: org.elasticsearch.bootstrap.Bootstrap

core

log.origin.file.line

The line number of the file containing the source code which originated the log event.

type: integer

example: 42

extended

log.origin.file.name

The name of the file containing the source code which originated the log event. Note that this is not the name of the log file.

type: keyword

example: Bootstrap.java

extended

log.origin.function

The name of the function or method which originated the log event.

type: keyword

example: init

extended

log.original

This is the original log message and contains the full log message before splitting it up in multiple parts.

In contrast to the message field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message.

This field is not indexed and doc_values are disabled so it can’t be queried but the value can be retrieved from _source.

type: keyword

example: Sep 19 08:26:10 localhost My log

core

log.syslog

The Syslog metadata of the event, if the event was transmitted via Syslog. Please see RFCs 5424 or 3164.

type: object

extended

log.syslog.facility.code

The Syslog numeric facility of the log event, if available.

According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.

type: long

example: 23

extended

log.syslog.facility.name

The Syslog text-based facility of the log event, if available.

type: keyword

example: local7

extended

log.syslog.priority

Syslog numeric priority of the event, if available.

According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.

type: long

example: 135

extended

log.syslog.severity.code

The Syslog numeric severity of the log event, if available.

If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source’s numeric severity should go to event.severity. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to event.severity.

type: long

example: 3

extended

log.syslog.severity.name

The Syslog numeric severity of the log event, if available.

If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source’s text severity should go to log.level. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to log.level.

type: keyword

example: Error

extended
« HTTP Fields Network Fields »