322 lines
9.9 KiB
YAML
322 lines
9.9 KiB
YAML
|
- key: common
|
||
|
|
title: "Common Journalbeat"
|
||
|
|
description: >
|
||
|
|
Contains common fields available in all event types.
|
||
|
|
fields:
|
||
|
|
- name: read_timestamp
|
||
|
|
description: >
|
||
|
|
The time when Journalbeat read the journal entry.
|
||
|
|
- name: coredump
|
||
|
|
type: group
|
||
|
|
description: >
|
||
|
|
Fields used by systemd-coredump kernel helper.
|
||
|
|
fields:
|
||
|
|
- name: unit
|
||
|
|
type: keyword
|
||
|
|
description: >
|
||
|
|
Annotations of messages containing coredumps from system units.
|
||
|
|
- name: user_unit
|
||
|
|
type: keyword
|
||
|
|
description: >
|
||
|
|
Annotations of messages containing coredumps from user units.
|
||
|
|
- name: journald
|
||
|
|
type: group
|
||
|
|
description: >
|
||
|
|
Fields provided by journald.
|
||
|
|
fields:
|
||
|
|
- name: object
|
||
|
|
type: group
|
||
|
|
description: >
|
||
|
|
Fields to log on behalf of a different program.
|
||
|
|
fields:
|
||
|
|
- name: audit
|
||
|
|
type: group
|
||
|
|
description: >
|
||
|
|
Audit fields of event.
|
||
|
|
fields:
|
||
|
|
- name: login_uid
|
||
|
|
type: long
|
||
|
|
required: false
|
||
|
|
example: 1000
|
||
|
|
description: >
|
||
|
|
The login UID of the object process.
|
||
|
|
- name: session
|
||
|
|
type: long
|
||
|
|
required: false
|
||
|
|
example: 3
|
||
|
|
description: >
|
||
|
|
The audit session of the object process.
|
||
|
|
- name: cmd
|
||
|
|
type: keyword
|
||
|
|
required: false
|
||
|
|
example: "/lib/systemd/systemd --user"
|
||
|
|
description: >
|
||
|
|
The command line of the process.
|
||
|
|
- name: name
|
||
|
|
type: keyword
|
||
|
|
required: false
|
||
|
|
example: "/lib/systemd/systemd"
|
||
|
|
description: >
|
||
|
|
Name of the executable.
|
||
|
|
- name: executable
|
||
|
|
type: keyword
|
||
|
|
required: false
|
||
|
|
description: >
|
||
|
|
Path to the the executable.
|
||
|
|
example: "/lib/systemd/systemd"
|
||
|
|
- name: uid
|
||
|
|
type: long
|
||
|
|
required: false
|
||
|
|
description: >
|
||
|
|
UID of the object process.
|
||
|
|
- name: gid
|
||
|
|
type: long
|
||
|
|
required: false
|
||
|
|
description: >
|
||
|
|
GID of the object process.
|
||
|
|
- name: pid
|
||
|
|
type: long
|
||
|
|
required: false
|
||
|
|
description: >
|
||
|
|
PID of the object process.
|
||
|
|
- name: systemd
|
||
|
|
type: group
|
||
|
|
description: >
|
||
|
|
Systemd fields of event.
|
||
|
|
fields:
|
||
|
|
- name: owner_uid
|
||
|
|
type: long
|
||
|
|
required: false
|
||
|
|
description: >
|
||
|
|
The UID of the owner.
|
||
|
|
- name: session
|
||
|
|
type: keyword
|
||
|
|
required: false
|
||
|
|
description: >
|
||
|
|
The ID of the systemd session.
|
||
|
|
- name: unit
|
||
|
|
type: keyword
|
||
|
|
required: false
|
||
|
|
description: >
|
||
|
|
The name of the systemd unit.
|
||
|
|
- name: user_unit
|
||
|
|
type: keyword
|
||
|
|
required: false
|
||
|
|
description: >
|
||
|
|
The name of the systemd user unit.
|
||
|
|
- name: kernel
|
||
|
|
type: group
|
||
|
|
description: >
|
||
|
|
Fields to log on behalf of a different program.
|
||
|
|
fields:
|
||
|
|
- name: device
|
||
|
|
type: keyword
|
||
|
|
required: false
|
||
|
|
description: >
|
||
|
|
The kernel device name.
|
||
|
|
- name: subsystem
|
||
|
|
type: keyword
|
||
|
|
required: false
|
||
|
|
description: >
|
||
|
|
The kernel subsystem name.
|
||
|
|
- name: device_symlinks
|
||
|
|
type: text
|
||
|
|
required: false
|
||
|
|
description: >
|
||
|
|
Additional symlink names pointing to the device node in /dev.
|
||
|
|
- name: device_node_path
|
||
|
|
type: text
|
||
|
|
required: false
|
||
|
|
description: >
|
||
|
|
The device node path of this device in /dev.
|
||
|
|
- name: device_name
|
||
|
|
type: text
|
||
|
|
required: false
|
||
|
|
description: >
|
||
|
|
The kernel device name as it shows up in the device tree below /sys.
|
||
|
|
- name: code
|
||
|
|
type: group
|
||
|
|
description: >
|
||
|
|
Fields of the code generating the event.
|
||
|
|
fields:
|
||
|
|
- name: file
|
||
|
|
type: text
|
||
|
|
required: false
|
||
|
|
example: "../src/core/manager.c"
|
||
|
|
description: >
|
||
|
|
The name of the source file where the log is generated.
|
||
|
|
- name: function
|
||
|
|
type: text
|
||
|
|
required: false
|
||
|
|
example: "job_log_status_message"
|
||
|
|
description: >
|
||
|
|
The name of the function which generated the log message.
|
||
|
|
- name: line
|
||
|
|
type: long
|
||
|
|
required: false
|
||
|
|
example: 123
|
||
|
|
description: >
|
||
|
|
The line number of the code which generated the log message.
|
||
|
|
- name: process
|
||
|
|
type: group
|
||
|
|
description: >
|
||
|
|
Fields to log on behalf of a different program.
|
||
|
|
fields:
|
||
|
|
- name: audit
|
||
|
|
type: group
|
||
|
|
description: >
|
||
|
|
Audit fields of event.
|
||
|
|
fields:
|
||
|
|
- name: loginuid
|
||
|
|
type: long
|
||
|
|
required: false
|
||
|
|
example: 1000
|
||
|
|
description: >
|
||
|
|
The login UID of the source process.
|
||
|
|
- name: session
|
||
|
|
type: long
|
||
|
|
required: false
|
||
|
|
example: 3
|
||
|
|
description: >
|
||
|
|
The audit session of the source process.
|
||
|
|
- name: cmd
|
||
|
|
type: keyword
|
||
|
|
required: false
|
||
|
|
example: "/lib/systemd/systemd --user"
|
||
|
|
description: >
|
||
|
|
The command line of the process.
|
||
|
|
- name: name
|
||
|
|
type: keyword
|
||
|
|
required: false
|
||
|
|
example: "/lib/systemd/systemd"
|
||
|
|
description: >
|
||
|
|
Name of the executable.
|
||
|
|
- name: executable
|
||
|
|
type: keyword
|
||
|
|
required: false
|
||
|
|
description: >
|
||
|
|
Path to the the executable.
|
||
|
|
example: "/lib/systemd/systemd"
|
||
|
|
- name: pid
|
||
|
|
type: long
|
||
|
|
required: false
|
||
|
|
example: 1
|
||
|
|
description: >
|
||
|
|
The ID of the process which logged the message.
|
||
|
|
- name: gid
|
||
|
|
type: long
|
||
|
|
required: false
|
||
|
|
example: 1
|
||
|
|
description: >
|
||
|
|
The ID of the group which runs the process.
|
||
|
|
- name: uid
|
||
|
|
type: long
|
||
|
|
required: false
|
||
|
|
example: 1
|
||
|
|
description: >
|
||
|
|
The ID of the user which runs the process.
|
||
|
|
- name: capabilites
|
||
|
|
required: false
|
||
|
|
description: >
|
||
|
|
The effective capabilites of the process.
|
||
|
|
- name: systemd
|
||
|
|
type: group
|
||
|
|
description: >
|
||
|
|
Fields of systemd.
|
||
|
|
fields:
|
||
|
|
- name: invocation_id
|
||
|
|
type: keyword
|
||
|
|
required: false
|
||
|
|
example: "8450f1672de646c88cd133aadd4f2d70"
|
||
|
|
description: >
|
||
|
|
The invocation ID for the runtime cycle of the unit the message was generated in.
|
||
|
|
- name: cgroup
|
||
|
|
type: keyword
|
||
|
|
required: false
|
||
|
|
example: "/user.slice/user-1234.slice/session-2.scope"
|
||
|
|
description: >
|
||
|
|
The control group path in the systemd hierarchy.
|
||
|
|
- name: owner_uid
|
||
|
|
type: long
|
||
|
|
required: false
|
||
|
|
description: >
|
||
|
|
The owner UID of the systemd user unit or systemd session.
|
||
|
|
- name: session
|
||
|
|
type: keyword
|
||
|
|
required: false
|
||
|
|
description: >
|
||
|
|
The ID of the systemd session.
|
||
|
|
- name: slice
|
||
|
|
type: keyword
|
||
|
|
required: false
|
||
|
|
example: "user-1234.slice"
|
||
|
|
description: >
|
||
|
|
The systemd slice unit.
|
||
|
|
- name: user_slice
|
||
|
|
type: keyword
|
||
|
|
required: false
|
||
|
|
description: >
|
||
|
|
The systemd user slice unit.
|
||
|
|
- name: unit
|
||
|
|
type: keyword
|
||
|
|
required: false
|
||
|
|
example: "nginx.service"
|
||
|
|
description: >
|
||
|
|
The name of the systemd unit.
|
||
|
|
- name: user_unit
|
||
|
|
type: keyword
|
||
|
|
required: false
|
||
|
|
example: "user-1234.slice"
|
||
|
|
description: >
|
||
|
|
The name of the systemd user unit.
|
||
|
|
- name: transport
|
||
|
|
type: keyword
|
||
|
|
required: true
|
||
|
|
example: "syslog"
|
||
|
|
description: >
|
||
|
|
How the log message was received by journald.
|
||
|
|
- name: host
|
||
|
|
type: group
|
||
|
|
description: >
|
||
|
|
Fields of the host.
|
||
|
|
fields:
|
||
|
|
- name: boot_id
|
||
|
|
type: text
|
||
|
|
required: false
|
||
|
|
example: "dd8c974asdf01dbe2ef26d7fasdf264c9"
|
||
|
|
description: >
|
||
|
|
The boot ID for the boot the log was generated in.
|
||
|
|
- name: syslog
|
||
|
|
type: group
|
||
|
|
description: >
|
||
|
|
Fields of the code generating the event.
|
||
|
|
fields:
|
||
|
|
- name: priority
|
||
|
|
type: long
|
||
|
|
required: false
|
||
|
|
example: 1
|
||
|
|
description: >
|
||
|
|
The priority of the message. A syslog compatibility field.
|
||
|
|
- name: facility
|
||
|
|
type: long
|
||
|
|
required: false
|
||
|
|
example: 1
|
||
|
|
description: >
|
||
|
|
The facility of the message. A syslog compatibility field.
|
||
|
|
- name: identifier
|
||
|
|
type: text
|
||
|
|
required: false
|
||
|
|
example: "su"
|
||
|
|
description: >
|
||
|
|
The identifier of the message. A syslog compatibility field.
|
||
|
|
- name: message
|
||
|
|
type: text
|
||
|
|
required: true
|
||
|
|
description: >
|
||
|
|
The logged message.
|
||
|
|
- name: custom
|
||
|
|
type: nested
|
||
|
|
required: false
|
||
|
|
description: >
|
||
|
|
Arbitrary fields coming from processes.
|