93 lines
2.3 KiB
YAML
- name: socket
  type: group
  description: >
    TCP sockets that are active.
  release: ga
  fields:
    - name: direction
      type: keyword
      example: incoming
      description: >
        How the socket was initiated. Possible values are incoming, outgoing,
        or listening.

    - name: family
      type: keyword
      example: ipv4
      description: >
        Address family.

    - name: local.ip
      type: ip
      example: 192.0.2.1 or 2001:0DB8:ABED:8536::1
      description: >
        Local IP address. This can be an IPv4 or IPv6 address.

    - name: local.port
      type: long
      example: 22
      description: >
        Local port.

    - name: remote.ip
      type: ip
      example: 192.0.2.1 or 2001:0DB8:ABED:8536::1
      description: >
        Remote IP address. This can be an IPv4 or IPv6 address.

    - name: remote.port
      type: long
      example: 22
      description: >
        Remote port.

    - name: remote.host
      type: keyword
      example: 76-211-117-36.nw.example.com.
      description: >
        PTR record associated with the remote IP. It is obtained via reverse
        IP lookup.

    - name: remote.etld_plus_one
      type: keyword
      example: example.com.
      description: >
        The effective top-level domain (eTLD) of the remote host plus one more
        label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.".
        The data for determining the eTLD comes from an embedded copy of the data
        from http://publicsuffix.org.

    - name: remote.host_error
      type: keyword
      description: >
        Error describing the cause of the reverse lookup failure.

    - name: process.pid
      type: long
      description: >
        ID of the process that opened the socket.

    - name: process.command
      type: keyword
      description: >
        Name of the command (limited to 20 chars by the OS).

    - name: process.cmdline
      type: keyword
      description: >

    - name: process.exe
      type: keyword
      description: >
        Absolute path to the executable.

    - name: user.id
      type: long
      description: >
        UID of the user running the process.

    - name: user.name
      type: keyword
      description: >
        Name of the user running the process.
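Added example (not code from the Beats project): a small validator that checks a socket document against the field group defined above before it is shipped or indexed. The field names and Elasticsearch types are transcribed from the YAML; the `direction` vocabulary comes from that field's description. The port-range rule, the sample documents and the `flatten`/`validate_socket_event` helper names are this example's own assumptions.

```python
"""Validate socket documents against the `socket` field group above.

Added example, not part of the Beats project. Field names and types are
transcribed from the fields.yml on this page; the sample documents and the
port-range rule are constructed for illustration.
"""
import ipaddress

# Field name -> Elasticsearch type, transcribed from the YAML field group.
SOCKET_FIELDS = {
    "direction": "keyword",
    "family": "keyword",
    "local.ip": "ip",
    "local.port": "long",
    "remote.ip": "ip",
    "remote.port": "long",
    "remote.host": "keyword",
    "remote.etld_plus_one": "keyword",
    "remote.host_error": "keyword",
    "process.pid": "long",
    "process.command": "keyword",
    "process.cmdline": "keyword",
    "process.exe": "keyword",
    "user.id": "long",
    "user.name": "keyword",
}

# Allowed values stated in the `direction` field description.
DIRECTIONS = {"incoming", "outgoing", "listening"}


def flatten(doc, prefix=""):
    """Turn nested dicts into dotted keys: {'local': {'ip': x}} -> {'local.ip': x}."""
    out = {}
    for key, value in doc.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            out[name] = value
    return out


def check_value(ftype, value):
    """Return None if `value` fits the Elasticsearch type, else an error string."""
    if ftype == "keyword":
        return None if isinstance(value, str) else "expected string"
    if ftype == "long":
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            return "expected integer"
        return None
    if ftype == "ip":
        try:
            ipaddress.ip_address(value)  # accepts IPv4 and IPv6 text forms
        except ValueError:
            return "not an IPv4/IPv6 address"
        return None
    return f"unknown type {ftype}"


def validate_socket_event(doc):
    """Return a list of problems found in a socket document (empty list = valid)."""
    problems = []
    flat = flatten(doc)
    for name, value in flat.items():
        ftype = SOCKET_FIELDS.get(name)
        if ftype is None:
            problems.append(f"{name}: not a declared field")
            continue
        err = check_value(ftype, value)
        if err:
            problems.append(f"{name}: {err}")
    # Semantic rules: direction vocabulary from the description, port range assumed.
    if flat.get("direction") not in DIRECTIONS:
        problems.append("direction: must be incoming, outgoing or listening")
    for port_field in ("local.port", "remote.port"):
        port = flat.get(port_field)
        if isinstance(port, int) and not 0 <= port <= 65535:
            problems.append(f"{port_field}: out of range")
    return problems


# Constructed sample documents (not real telemetry).
GOOD_EVENT = {
    "direction": "listening",
    "family": "ipv4",
    "local": {"ip": "192.0.2.1", "port": 22},
    "process": {"pid": 4242, "command": "sshd", "exe": "/usr/sbin/sshd"},
    "user": {"id": 0, "name": "root"},
}

BAD_EVENT = {
    "direction": "inbound",                         # not in the documented vocabulary
    "local": {"ip": "192.0.2.300", "port": 70000},  # bad address, port out of range
    "process": {"pid": "4242"},                     # long field given as a string
}

if __name__ == "__main__":
    for label, event in (("good", GOOD_EVENT), ("bad", BAD_EVENT)):
        print(label, validate_socket_event(event) or "ok")
```

Running it reports no problems for the first document and four for the second (bad address, bad pid type, unknown direction, port out of range). A check like this is cheap to run in a pipeline test and catches schema drift, such as a `long` field shipped as text, before it breaks a detection query.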