////
This file is generated! See _meta/fields.yml and scripts/generate_field_docs.py
////

[[exported-fields]]
= Exported fields

[partintro]

--
This document describes the fields that are exported by Auditbeat. They are
grouped in the following categories:

* <<exported-fields-auditd>>
* <<exported-fields-beat>>
* <<exported-fields-cloud>>
* <<exported-fields-common>>
* <<exported-fields-docker-processor>>
* <<exported-fields-file_integrity>>
* <<exported-fields-host-processor>>
* <<exported-fields-kubernetes-processor>>

--

[[exported-fields-auditd]]
== Auditd fields

These are the fields generated by the auditd module.

*`event.category`*::
+
--
type: keyword

example: audit-rule

The event's category is a value derived from the `record_type`.
--

*`event.type`*::
+
--
type: keyword

The audit record's type.
--

*`user.auid`*::
+
--
type: keyword

login user ID
--

*`user.uid`*::
+
--
type: keyword

user ID
--

*`user.euid`*::
+
--
type: keyword

effective user ID
--

*`user.fsuid`*::
+
--
type: keyword

file system user ID
--

*`user.suid`*::
+
--
type: keyword

sent user ID
--

*`user.gid`*::
+
--
type: keyword

group ID
--

*`user.egid`*::
+
--
type: keyword

effective group ID
--

*`user.sgid`*::
+
--
type: keyword

set group ID
--

*`user.fsgid`*::
+
--
type: keyword

file system group ID
--

[float]
== name_map fields

If `resolve_ids` is set to true in the configuration then `name_map` will
contain a mapping of uid field names to the resolved name (e.g. auid -> root).

*`user.name_map.auid`*::
+
--
type: keyword

login user name
--

*`user.name_map.uid`*::
+
--
type: keyword

user name
--

*`user.name_map.euid`*::
+
--
type: keyword

effective user name
--

*`user.name_map.fsuid`*::
+
--
type: keyword

file system user name
--

*`user.name_map.suid`*::
+
--
type: keyword

sent user name
--

*`user.name_map.gid`*::
+
--
type: keyword

group name
--

*`user.name_map.egid`*::
+
--
type: keyword

effective group name
--

*`user.name_map.sgid`*::
+
--
type: keyword

set group name
--

*`user.name_map.fsgid`*::
+
--
type: keyword

file system group name
--

[float]
== selinux fields

The SELinux identity of the actor.

*`user.selinux.user`*::
+
--
type: keyword

account submitted for authentication
--

*`user.selinux.role`*::
+
--
type: keyword

user's SELinux role
--

*`user.selinux.domain`*::
+
--
type: keyword

The actor's SELinux domain or type.
--

*`user.selinux.level`*::
+
--
type: keyword

example: s0

The actor's SELinux level.
--

*`user.selinux.category`*::
+
--
type: keyword

The actor's SELinux category or compartments.
--

[float]
== process fields

Process attributes.

*`process.pid`*::
+
--
type: keyword

Process ID.
--

*`process.ppid`*::
+
--
type: keyword

Parent process ID.
--

*`process.name`*::
+
--
type: keyword

Process name (comm).
--

*`process.title`*::
+
--
type: keyword

Process title or command line parameters (proctitle).
--

*`process.exe`*::
+
--
type: keyword

Absolute path of the executable.
--

*`process.cwd`*::
+
--
type: keyword

The current working directory.
--

*`process.args`*::
+
--
type: keyword

The process arguments as a list.
--

[float]
== source fields

Source that triggered the event.

*`source.ip`*::
+
--
type: ip

The remote address.
--

*`source.port`*::
+
--
type: keyword

The port number.
--

*`source.hostname`*::
+
--
type: keyword

Hostname of the source.
--

*`source.path`*::
+
--
type: keyword

This is the path associated with a unix socket.
--

[float]
== destination fields

Destination address that triggered the event.

*`destination.ip`*::
+
--
type: ip

The remote address.
--

*`destination.port`*::
+
--
type: keyword

The port number.
--

*`destination.hostname`*::
+
--
type: keyword

Hostname of the source.
--

*`destination.path`*::
+
--
type: keyword

This is the path associated with a unix socket.
--

*`network.direction`*::
+
--
type: keyword

Direction of the network traffic (`incoming` or `outgoing`).
--

*`auditd.sequence`*::
+
--
type: long

The sequence number of the event as assigned by the kernel. Sequence numbers
are stored as a uint32 in the kernel and can rollover.
--

*`auditd.session`*::
+
--
type: keyword

The session ID assigned to a login. All events related to a login session
will have the same value.
--

*`auditd.result`*::
+
--
type: keyword

example: success or fail

The result of the audited operation (success/fail).
--

[float]
== actor fields

The actor is the user that triggered the audit event.

*`auditd.summary.actor.primary`*::
+
--
type: keyword

The primary identity of the actor. This is the actor's original login ID. It
will not change even if the user changes to another account.
--

*`auditd.summary.actor.secondary`*::
+
--
type: keyword

The secondary identity of the actor. This is typically the same as the
primary, except for when the user has used `su`.
--

[float]
== object fields

This is the thing or object being acted upon in the event.

*`auditd.summary.object.type`*::
+
--
type: keyword

A description of what the "thing" is (e.g. file, socket, user-session).
--

*`auditd.summary.object.primary`*::
+
--
type: keyword
--

*`auditd.summary.object.secondary`*::
+
--
type: keyword
--

*`auditd.summary.how`*::
+
--
type: keyword

This describes how the action was performed. Usually this is the exe or
command that was being executed that triggered the event.
--

[float]
== paths fields

List of paths associated with the event.

*`auditd.paths.inode`*::
+
--
type: keyword

inode number
--

*`auditd.paths.dev`*::
+
--
type: keyword

device name as found in /dev
--

*`auditd.paths.obj_user`*::
+
--
type: keyword
--

*`auditd.paths.obj_role`*::
+
--
type: keyword
--

*`auditd.paths.obj_domain`*::
+
--
type: keyword
--

*`auditd.paths.obj_level`*::
+
--
type: keyword
--

*`auditd.paths.objtype`*::
+
--
type: keyword
--

*`auditd.paths.ouid`*::
+
--
type: keyword

file owner user ID
--

*`auditd.paths.rdev`*::
+
--
type: keyword

the device identifier (special files only)
--

*`auditd.paths.nametype`*::
+
--
type: keyword

kind of file operation being referenced
--

*`auditd.paths.ogid`*::
+
--
type: keyword

file owner group ID
--

*`auditd.paths.item`*::
+
--
type: keyword

which item is being recorded
--

*`auditd.paths.mode`*::
+
--
type: keyword

mode flags on a file
--

*`auditd.paths.name`*::
+
--
type: keyword

file name in avcs
--

[float]
== data fields

The data from the audit messages.

*`auditd.data.action`*::
+
--
type: keyword

netfilter packet disposition
--

*`auditd.data.minor`*::
+
--
type: keyword

device minor number
--

*`auditd.data.acct`*::
+
--
type: keyword

a user's account name
--

*`auditd.data.addr`*::
+
--
type: keyword

the remote address that the user is connecting from
--

*`auditd.data.cipher`*::
+
--
type: keyword

name of crypto cipher selected
--

*`auditd.data.id`*::
+
--
type: keyword

during account changes
--

*`auditd.data.entries`*::
+
--
type: keyword

number of entries in the netfilter table
--

*`auditd.data.kind`*::
+
--
type: keyword

server or client in crypto operation
--

*`auditd.data.ksize`*::
+
--
type: keyword

key size for crypto operation
--

*`auditd.data.spid`*::
+
--
type: keyword

sent process ID
--

*`auditd.data.arch`*::
+
--
type: keyword

the ELF architecture flags
--

*`auditd.data.argc`*::
+
--
type: keyword

the number of arguments to an execve syscall
--

*`auditd.data.major`*::
+
--
type: keyword

device major number
--

*`auditd.data.unit`*::
+
--
type: keyword

systemd unit
--

*`auditd.data.table`*::
+
--
type: keyword

netfilter table name
--

*`auditd.data.terminal`*::
+
--
type: keyword

terminal name the user is running programs on
--

*`auditd.data.grantors`*::
+
--
type: keyword

PAM modules approving the action
--

*`auditd.data.direction`*::
+
--
type: keyword

direction of crypto operation
--

*`auditd.data.op`*::
+
--
type: keyword

the operation being performed that is audited
--

*`auditd.data.tty`*::
+
--
type: keyword

tty device the user is running programs on
--

*`auditd.data.syscall`*::
+
--
type: keyword

syscall number in effect when the event occurred
--

*`auditd.data.data`*::
+
--
type: keyword

TTY text
--

*`auditd.data.family`*::
+
--
type: keyword

netfilter protocol
--

*`auditd.data.mac`*::
+
--
type: keyword

crypto MAC algorithm selected
--

*`auditd.data.pfs`*::
+
--
type: keyword

perfect forward secrecy method
--

*`auditd.data.items`*::
+
--
type: keyword

the number of path records in the event
--

*`auditd.data.a0`*::
+
--
type: keyword
--

*`auditd.data.a1`*::
+
--
type: keyword
--

*`auditd.data.a2`*::
+
--
type: keyword
--

*`auditd.data.a3`*::
+
--
type: keyword
--

*`auditd.data.hostname`*::
+
--
type: keyword

the hostname that the user is connecting from
--

*`auditd.data.lport`*::
+
--
type: keyword

local network port
--

*`auditd.data.rport`*::
+
--
type: keyword

remote port number
--

*`auditd.data.exit`*::
+
--
type: keyword

syscall exit code
--

*`auditd.data.fp`*::
+
--
type: keyword

crypto key fingerprint
--

*`auditd.data.laddr`*::
+
--
type: keyword

local network address
--

*`auditd.data.sport`*::
+
--
type: keyword

local port number
--

*`auditd.data.capability`*::
+
--
type: keyword

POSIX capabilities
--

*`auditd.data.nargs`*::
+
--
type: keyword

the number of arguments to a socket call
--

*`auditd.data.new-enabled`*::
+
--
type: keyword

new TTY audit enabled setting
--

*`auditd.data.audit_backlog_limit`*::
+
--
type: keyword

audit system's backlog queue size
--

*`auditd.data.dir`*::
+
--
type: keyword

directory name
--

*`auditd.data.cap_pe`*::
+
--
type: keyword

process effective capability map
--

*`auditd.data.model`*::
+
--
type: keyword

security model being used for virt
--

*`auditd.data.new_pp`*::
+
--
type: keyword

new process permitted capability map
--

*`auditd.data.old-enabled`*::
+
--
type: keyword

present TTY audit enabled setting
--

*`auditd.data.oauid`*::
+
--
type: keyword

object's login user ID
--

*`auditd.data.old`*::
+
--
type: keyword

old value
--

*`auditd.data.banners`*::
+
--
type: keyword

banners used on printed page
--

*`auditd.data.feature`*::
+
--
type: keyword

kernel feature being changed
--

*`auditd.data.vm-ctx`*::
+
--
type: keyword

the vm's context string
--

*`auditd.data.opid`*::
+
--
type: keyword

object's process ID
--

*`auditd.data.seperms`*::
+
--
type: keyword

SELinux permissions being used
--

*`auditd.data.seresult`*::
+
--
type: keyword

SELinux AVC decision granted/denied
--

*`auditd.data.new-rng`*::
+
--
type: keyword

device name of rng being added to a vm
--

*`auditd.data.old-net`*::
+
--
type: keyword

present MAC address assigned to vm
--

*`auditd.data.sigev_signo`*::
+
--
type: keyword

signal number
--

*`auditd.data.ino`*::
+
--
type: keyword

inode number
--

*`auditd.data.old_enforcing`*::
+
--
type: keyword

old MAC enforcement status
--

*`auditd.data.old-vcpu`*::
+
--
type: keyword

present number of CPU cores
--

*`auditd.data.range`*::
+
--
type: keyword

user's SELinux range
--

*`auditd.data.res`*::
+
--
type: keyword

result of the audited operation (success/fail)
--

*`auditd.data.added`*::
+
--
type: keyword

number of new files detected
--

*`auditd.data.fam`*::
+
--
type: keyword

socket address family
--

*`auditd.data.nlnk-pid`*::
+
--
type: keyword

pid of netlink packet sender
--

*`auditd.data.subj`*::
+
--
type: keyword

lspp subject's context string
--

*`auditd.data.a[0-3]`*::
+
--
type: keyword

the arguments to a syscall
--

*`auditd.data.cgroup`*::
+
--
type: keyword

path to cgroup in sysfs
--

*`auditd.data.kernel`*::
+
--
type: keyword

kernel's version number
--

*`auditd.data.ocomm`*::
+
--
type: keyword

object's command line name
--

*`auditd.data.new-net`*::
+
--
type: keyword

MAC address being assigned to vm
--

*`auditd.data.permissive`*::
+
--
type: keyword

SELinux is in permissive mode
--

*`auditd.data.class`*::
+
--
type: keyword

resource class assigned to vm
--

*`auditd.data.compat`*::
+
--
type: keyword

is_compat_task result
--

*`auditd.data.fi`*::
+
--
type: keyword

file assigned inherited capability map
--

*`auditd.data.changed`*::
+
--
type: keyword

number of changed files
--

*`auditd.data.msg`*::
+
--
type: keyword

the payload of the audit record
--

*`auditd.data.dport`*::
+
--
type: keyword

remote port number
--

*`auditd.data.new-seuser`*::
+
--
type: keyword

new SELinux user
--

*`auditd.data.invalid_context`*::
+
--
type: keyword

SELinux context
--

*`auditd.data.dmac`*::
+
--
type: keyword

remote MAC address
--

*`auditd.data.ipx-net`*::
+
--
type: keyword

IPX network number
--

*`auditd.data.iuid`*::
+
--
type: keyword

ipc object's user ID
--

*`auditd.data.macproto`*::
+
--
type: keyword

ethernet packet type ID field
--

*`auditd.data.obj`*::
+
--
type: keyword

lspp object context string
--

*`auditd.data.ipid`*::
+
--
type: keyword

IP datagram fragment identifier
--

*`auditd.data.new-fs`*::
+
--
type: keyword

file system being added to vm
--

*`auditd.data.vm-pid`*::
+
--
type: keyword

vm's process ID
--

*`auditd.data.cap_pi`*::
+
--
type: keyword

process inherited capability map
--

*`auditd.data.old-auid`*::
+
--
type: keyword

previous auid value
--

*`auditd.data.oses`*::
+
--
type: keyword

object's session ID
--

*`auditd.data.fd`*::
+
--
type: keyword

file descriptor number
--

*`auditd.data.igid`*::
+
--
type: keyword

ipc object's group ID
--

*`auditd.data.new-disk`*::
+
--
type: keyword

disk being added to vm
--

*`auditd.data.parent`*::
+
--
type: keyword

the inode number of the parent file
--

*`auditd.data.len`*::
+
--
type: keyword

length
--

*`auditd.data.oflag`*::
+
--
type: keyword

open syscall flags
--

*`auditd.data.uuid`*::
+
--
type: keyword

a UUID
--

*`auditd.data.code`*::
+
--
type: keyword

seccomp action code
--

*`auditd.data.nlnk-grp`*::
+
--
type: keyword

netlink group number
--

*`auditd.data.cap_fp`*::
+
--
type: keyword

file permitted capability map
--

*`auditd.data.new-mem`*::
+
--
type: keyword

new amount of memory in KB
--

*`auditd.data.seperm`*::
+
--
type: keyword

SELinux permission being decided on
--

*`auditd.data.enforcing`*::
+
--
type: keyword

new MAC enforcement status
--

*`auditd.data.new-chardev`*::
+
--
type: keyword

new character device being assigned to vm
--

*`auditd.data.old-rng`*::
+
--
type: keyword

device name of rng being removed from a vm
--

*`auditd.data.outif`*::
+
--
type: keyword

out interface number
--

*`auditd.data.cmd`*::
+
--
type: keyword

command being executed
--

*`auditd.data.hook`*::
+
--
type: keyword

netfilter hook that packet came from
--

*`auditd.data.new-level`*::
+
--
type: keyword

new run level
--

*`auditd.data.sauid`*::
+
--
type: keyword

sent login user ID
--

*`auditd.data.sig`*::
+
--
type: keyword

signal number
--

*`auditd.data.audit_backlog_wait_time`*::
+
--
type: keyword

audit system's backlog wait time
--

*`auditd.data.printer`*::
+
--
type: keyword

printer name
--

*`auditd.data.old-mem`*::
+
--
type: keyword

present amount of memory in KB
--

*`auditd.data.perm`*::
+
--
type: keyword

the file permission being used
--

*`auditd.data.old_pi`*::
+
--
type: keyword

old process inherited capability map
--

*`auditd.data.state`*::
+
--
type: keyword

audit daemon configuration resulting state
--

*`auditd.data.format`*::
+
--
type: keyword

audit log's format
--

*`auditd.data.new_gid`*::
+
--
type: keyword

new group ID being assigned
--

*`auditd.data.tcontext`*::
+
--
type: keyword

the target's or object's context string
--

*`auditd.data.maj`*::
+
--
type: keyword

device major number
--

*`auditd.data.watch`*::
+
--
type: keyword

file name in a watch record
--

*`auditd.data.device`*::
+
--
type: keyword

device name
--

*`auditd.data.grp`*::
+
--
type: keyword

group name
--

*`auditd.data.bool`*::
+
--
type: keyword

name of SELinux boolean
--

*`auditd.data.icmp_type`*::
+
--
type: keyword

type of icmp message
--

*`auditd.data.new_lock`*::
+
--
type: keyword

new value of feature lock
--

*`auditd.data.old_prom`*::
+
--
type: keyword

network promiscuity flag
--

*`auditd.data.acl`*::
+
--
type: keyword

access mode of resource assigned to vm
--

*`auditd.data.ip`*::
+
--
type: keyword

network address of a printer
--

*`auditd.data.new_pi`*::
+
--
type: keyword

new process inherited capability map
--

*`auditd.data.default-context`*::
+
--
type: keyword

default MAC context
--

*`auditd.data.inode_gid`*::
+
--
type: keyword

group ID of the inode's owner
--

*`auditd.data.new-log_passwd`*::
+
--
type: keyword

new value for TTY password logging
--

*`auditd.data.new_pe`*::
+
--
type: keyword

new process effective capability map
--

*`auditd.data.selected-context`*::
+
--
type: keyword

new MAC context assigned to session
--

*`auditd.data.cap_fver`*::
+
--
type: keyword

file system capabilities version number
--

*`auditd.data.file`*::
+
--
type: keyword

file name
--

*`auditd.data.net`*::
+
--
type: keyword

network MAC address
--

*`auditd.data.virt`*::
+
--
type: keyword

kind of virtualization being referenced
--

*`auditd.data.cap_pp`*::
+
--
type: keyword

process permitted capability map
--

*`auditd.data.old-range`*::
+
--
type: keyword

present SELinux range
--

*`auditd.data.resrc`*::
+
--
type: keyword

resource being assigned
--

*`auditd.data.new-range`*::
+
--
type: keyword

new SELinux range
--

*`auditd.data.obj_gid`*::
+
--
type: keyword

group ID of object
--

*`auditd.data.proto`*::
+
--
type: keyword

network protocol
--

*`auditd.data.old-disk`*::
+
--
type: keyword

disk being removed from vm
--

*`auditd.data.audit_failure`*::
+
--
type: keyword

audit system's failure mode
--

*`auditd.data.inif`*::
+
--
type: keyword

in interface number
--

*`auditd.data.vm`*::
+
--
type: keyword

virtual machine name
--

*`auditd.data.flags`*::
+
--
type: keyword

mmap syscall flags
--

*`auditd.data.nlnk-fam`*::
+
--
type: keyword

netlink protocol number
--

*`auditd.data.old-fs`*::
+
--
type: keyword

file system being removed from vm
--

*`auditd.data.old-ses`*::
+
--
type: keyword

previous ses value
--

*`auditd.data.seqno`*::
+
--
type: keyword

sequence number
--

*`auditd.data.fver`*::
+
--
type: keyword

file system capabilities version number
--

*`auditd.data.qbytes`*::
+
--
type: keyword

ipc object's quantity of bytes
--

*`auditd.data.seuser`*::
+
--
type: keyword

user's SELinux user account
--

*`auditd.data.cap_fe`*::
+
--
type: keyword

file assigned effective capability map
--

*`auditd.data.new-vcpu`*::
+
--
type: keyword

new number of CPU cores
--

*`auditd.data.old-level`*::
+
--
type: keyword

old run level
--

*`auditd.data.old_pp`*::
+
--
type: keyword

old process permitted capability map
--

*`auditd.data.daddr`*::
+
--
type: keyword

remote IP address
--

*`auditd.data.old-role`*::
+
--
type: keyword

present SELinux role
--

*`auditd.data.ioctlcmd`*::
+
--
type: keyword

The request argument to the ioctl syscall
--

*`auditd.data.smac`*::
+
--
type: keyword

local MAC address
--

*`auditd.data.apparmor`*::
+
--
type: keyword

apparmor event information
--

*`auditd.data.fe`*::
+
--
type: keyword

file assigned effective capability map
--

*`auditd.data.perm_mask`*::
+
--
type: keyword

file permission mask that triggered a watch event
--

*`auditd.data.ses`*::
+
--
type: keyword

login session ID
--

*`auditd.data.cap_fi`*::
+
--
type: keyword

file inherited capability map
--

*`auditd.data.obj_uid`*::
+
--
type: keyword

user ID of object
--

*`auditd.data.reason`*::
+
--
type: keyword

text string denoting a reason for the action
--

*`auditd.data.list`*::
+
--
type: keyword

the audit system's filter list number
--

*`auditd.data.old_lock`*::
+
--
type: keyword

present value of feature lock
--

*`auditd.data.bus`*::
+
--
type: keyword

name of subsystem bus a vm resource belongs to
--

*`auditd.data.old_pe`*::
+
--
type: keyword

old process effective capability map
--

*`auditd.data.new-role`*::
+
--
type: keyword

new SELinux role
--

*`auditd.data.prom`*::
+
--
type: keyword

network promiscuity flag
--

*`auditd.data.uri`*::
+
--
type: keyword

URI pointing to a printer
--

*`auditd.data.audit_enabled`*::
+
--
type: keyword

audit system's enable/disable status
--

*`auditd.data.old-log_passwd`*::
+
--
type: keyword

present value for TTY password logging
--

*`auditd.data.old-seuser`*::
+
--
type: keyword

present SELinux user
--

*`auditd.data.per`*::
+
--
type: keyword

linux personality
--

*`auditd.data.scontext`*::
+
--
type: keyword

the subject's context string
--

*`auditd.data.tclass`*::
+
--
type: keyword

target's object classification
--

*`auditd.data.ver`*::
+
--
type: keyword

audit daemon's version number
--

*`auditd.data.new`*::
+
--
type: keyword

value being set in feature
--

*`auditd.data.val`*::
+
--
type: keyword

generic value associated with the operation
--

*`auditd.data.img-ctx`*::
+
--
type: keyword

the vm's disk image context string
--

*`auditd.data.old-chardev`*::
+
--
type: keyword

present character device assigned to vm
--

*`auditd.data.old_val`*::
+
--
type: keyword

current value of SELinux boolean
--

*`auditd.data.success`*::
+
--
type: keyword

whether the syscall was successful or not
--

*`auditd.data.inode_uid`*::
+
--
type: keyword

user ID of the inode's owner
--

*`auditd.data.removed`*::
+
--
type: keyword

number of deleted files
--

*`auditd.data.socket.port`*::
+
--
type: keyword

The port number.
--

*`auditd.data.socket.saddr`*::
+
--
type: keyword

The raw socket address structure.
--

*`auditd.data.socket.addr`*::
+
--
type: keyword

The remote address.
--

*`auditd.data.socket.family`*::
+
--
type: keyword

example: unix

The socket family (unix, ipv4, ipv6, netlink).
--

*`auditd.data.socket.path`*::
+
--
type: keyword

This is the path associated with a unix socket.
--

*`auditd.messages`*::
+
--
type: text

An ordered list of the raw messages received from the kernel that were used
to construct this document. This field is present if an error occurred
processing the data or if `include_raw_message` is set in the config.
--

*`auditd.warnings`*::
+
--
type: keyword

The warnings generated by the Beat during the construction of the event.
These are disabled by default and are used for development and debug
purposes only.
--

[float]
== geoip fields

The geoip fields are defined as a convenience in case you decide to enrich
the data using a geoip filter in Logstash or Ingest Node.

*`geoip.continent_name`*::
+
--
type: keyword

The name of the continent.
--

*`geoip.city_name`*::
+
--
type: keyword

The name of the city.
--

*`geoip.region_name`*::
+
--
type: keyword

The name of the region.
--

*`geoip.country_iso_code`*::
+
--
type: keyword

Country ISO code.
--

*`geoip.location`*::
+
--
type: geo_point

The longitude and latitude.
--

[[exported-fields-beat]]
== Beat fields

Contains common beat fields available in all event types.

*`beat.name`*::
+
--
The name of the Beat sending the log messages. If the Beat name is set in
the configuration file, then that value is used. If it is not set, the
hostname is used. To set the Beat name, use the `name` option in the
configuration file.
--

*`beat.hostname`*::
+
--
The hostname as returned by the operating system on which the Beat is
running.
--

*`beat.timezone`*::
+
--
The timezone as returned by the operating system on which the Beat is
running.
--

*`beat.version`*::
+
--
The version of the beat that generated this event.
--

*`@timestamp`*::
+
--
type: date

example: August 26th 2016, 12:35:53.332

format: date

required: True

The timestamp when the event log record was generated.
--

*`tags`*::
+
--
Arbitrary tags that can be set per Beat and per transaction type.
--

*`fields`*::
+
--
type: object

Contains user configurable fields.
--

[float]
== error fields

Error fields containing additional info in case of errors.

*`error.message`*::
+
--
type: text

Error message.
--

*`error.code`*::
+
--
type: long

Error code.
--

*`error.type`*::
+
--
type: keyword

Error type.
--

[[exported-fields-cloud]]
== Cloud provider metadata fields

Metadata from cloud providers added by the add_cloud_metadata processor.

*`meta.cloud.provider`*::
+
--
example: ec2

Name of the cloud provider. Possible values are ec2, gce, or digitalocean.
--

*`meta.cloud.instance_id`*::
+
--
Instance ID of the host machine.
--

*`meta.cloud.instance_name`*::
+
--
Instance name of the host machine.
--

*`meta.cloud.machine_type`*::
+
--
example: t2.medium

Machine type of the host machine.
--

*`meta.cloud.availability_zone`*::
+
--
example: us-east-1c

Availability zone in which this host is running.
--

*`meta.cloud.project_id`*::
+
--
example: project-x

Name of the project in Google Cloud.
--

*`meta.cloud.region`*::
+
--
Region in which this host is running.
--

[[exported-fields-common]]
== Common fields

Contains common fields available in all event types.

*`event.module`*::
+
--
The name of the module that generated the event.
--

*`event.action`*::
+
--
type: keyword

example: logged-in

Action describes the change that triggered the event. For the file integrity
module the possible values are: attributes_modified, created, deleted,
updated, moved, and config_change.
--

[float]
== file fields

File attributes.

*`file.path`*::
+
--
type: text

The path to the file.

*`file.path.raw`*::
+
--
type: keyword

The path to the file. This is a non-analyzed field that is useful for
aggregations.
--

--

*`file.target_path`*::
+
--
type: keyword

The target path for symlinks.
--

*`file.type`*::
+
--
type: keyword

The file type (file, dir, or symlink).
--

*`file.device`*::
+
--
type: keyword

The device.
--

*`file.inode`*::
+
--
type: keyword

The inode representing the file in the filesystem.
--

*`file.uid`*::
+
--
type: keyword

The user ID (UID) or security identifier (SID) of the file owner.
--

*`file.owner`*::
+
--
type: keyword

The file owner's username.
--

*`file.gid`*::
+
--
type: keyword

The primary group ID (GID) of the file.
--

*`file.group`*::
+
--
type: keyword

The primary group name of the file.
--

*`file.mode`*::
+
--
type: keyword

example: 416

The mode of the file in octal representation.
--

*`file.setuid`*::
+
--
type: boolean

example: True

Set if the file has the `setuid` bit set. Omitted otherwise.
--

*`file.setgid`*::
+
--
type: boolean

example: True

Set if the file has the `setgid` bit set. Omitted otherwise.
--

*`file.size`*::
+
--
type: long

The file size in bytes (field is only added when `type` is `file`).
--

*`file.mtime`*::
+
--
type: date

The last modified time of the file (time when content was modified).
--

*`file.ctime`*::
+
--
type: date

The last change time of the file (time when metadata was changed).
--

*`file.origin`*::
+
--
type: text

An array of strings describing a possible external origin for this file. For
example, the URL it was downloaded from. Only supported in macOS, via the
kMDItemWhereFroms attribute. Omitted if origin information is not available.

*`file.origin.raw`*::
+
--
type: keyword

This is a non-analyzed field that is useful for aggregations on the origin
data.
--

--

[float]
== selinux fields

The SELinux identity of the file.

*`file.selinux.user`*::
+
--
type: keyword

The owner of the object.
--

*`file.selinux.role`*::
+
--
type: keyword

The object's SELinux role.
--

*`file.selinux.domain`*::
+
--
type: keyword

The object's SELinux domain or type.
--

*`file.selinux.level`*::
+
--
type: keyword

example: s0

The object's SELinux level.
--

[[exported-fields-docker-processor]]
== Docker fields

Docker stats collected from Docker.

*`docker.container.id`*::
+
--
type: keyword

Unique container id.
--

*`docker.container.image`*::
+
--
type: keyword

Name of the image the container was built on.
--

*`docker.container.name`*::
+
--
type: keyword

Container name.
--

*`docker.container.labels`*::
+
--
type: object

Image labels.
--

[[exported-fields-file_integrity]]
== File Integrity fields

These are the fields generated by the file_integrity module.

[float]
== hash fields

Hashes of the file. The keys are algorithm names and the values are the hex
encoded digest values.

*`hash.blake2b_256`*::
+
--
type: keyword

BLAKE2b-256 hash of the file.
--

*`hash.blake2b_384`*::
+
--
type: keyword

BLAKE2b-384 hash of the file.
--

*`hash.blake2b_512`*::
+
--
type: keyword

BLAKE2b-512 hash of the file.
--

*`hash.md5`*::
+
--
type: keyword

MD5 hash of the file.
--

*`hash.sha1`*::
+
--
type: keyword

SHA1 hash of the file.
--

*`hash.sha224`*::
+
--
type: keyword

SHA224 hash of the file.
--

*`hash.sha256`*::
+
--
type: keyword

SHA256 hash of the file.
--

*`hash.sha384`*::
+
--
type: keyword

SHA384 hash of the file.
--

*`hash.sha3_224`*::
+
--
type: keyword

SHA3_224 hash of the file.
--

*`hash.sha3_256`*::
+
--
type: keyword

SHA3_256 hash of the file.
--

*`hash.sha3_384`*::
+
--
type: keyword

SHA3_384 hash of the file.
--

*`hash.sha3_512`*::
+
--
type: keyword

SHA3_512 hash of the file.
--

*`hash.sha512`*::
+
--
type: keyword

SHA512 hash of the file.
--

*`hash.sha512_224`*::
+
--
type: keyword

SHA512/224 hash of the file.
--

*`hash.sha512_256`*::
+
--
type: keyword

SHA512/256 hash of the file.
--

*`hash.xxh64`*::
+
--
type: keyword

XXH64 hash of the file.
--

[[exported-fields-host-processor]]
== Host fields

Info collected for the host machine.

*`host.name`*::
+
--
type: keyword

Hostname.
--

*`host.id`*::
+
--
type: keyword

Unique host id.
--

*`host.architecture`*::
+
--
type: keyword

Host architecture (e.g. x86_64, arm, ppc, mips).
--

*`host.os.platform`*::
+
--
type: keyword

OS platform (e.g. centos, ubuntu, windows).
--

*`host.os.version`*::
+
--
type: keyword

OS version.
--

*`host.os.family`*::
+
--
type: keyword

OS family (e.g. redhat, debian, freebsd, windows).
--

*`host.ip`*::
+
--
type: ip

List of IP addresses.
--

*`host.mac`*::
+
--
type: keyword

List of hardware addresses, usually MAC addresses.
--

[[exported-fields-kubernetes-processor]]
== Kubernetes fields

Kubernetes metadata added by the kubernetes processor.

*`kubernetes.pod.name`*::
+
--
type: keyword

Kubernetes pod name
--

*`kubernetes.pod.uid`*::
+
--
type: keyword

Kubernetes Pod UID
--

*`kubernetes.namespace`*::
+
--
type: keyword

Kubernetes namespace
--

*`kubernetes.node.name`*::
+
--
type: keyword

Kubernetes node name
--

*`kubernetes.labels`*::
+
--
type: object

Kubernetes labels map
--

*`kubernetes.annotations`*::
+
--
type: object

Kubernetes annotations map
--

*`kubernetes.container.name`*::
+
--
type: keyword

Kubernetes container name
--

*`kubernetes.container.image`*::
+
--
type: keyword

Kubernetes container image
--