- key: common
  title: "Common Journalbeat"
  description: >
    Contains common fields available in all event types.
  fields:
    - name: read_timestamp
      description: >
        The time when Journalbeat read the journal entry.
    - name: coredump
      type: group
      description: >
        Fields used by systemd-coredump kernel helper.
      fields:
        - name: unit
          type: keyword
          description: >
            Annotations of messages containing coredumps from system units.
        - name: user_unit
          type: keyword
          description: >
            Annotations of messages containing coredumps from user units.
    - name: journald
      type: group
      description: >
        Fields provided by journald.
      fields:
        - name: object
          type: group
          description: >
            Fields to log on behalf of a different program.
          fields:
            - name: audit
              type: group
              description: >
                Audit fields of event.
              fields:
                - name: login_uid
                  type: long
                  required: false
                  example: 1000
                  description: >
                    The login UID of the object process.
                - name: session
                  type: long
                  required: false
                  example: 3
                  description: >
                    The audit session of the object process.
            - name: cmd
              type: keyword
              required: false
              example: "/lib/systemd/systemd --user"
              description: >
                The command line of the process.
            - name: name
              type: keyword
              required: false
              example: "/lib/systemd/systemd"
              description: >
                Name of the executable.
            - name: executable
              type: keyword
              required: false
              description: >
                Path to the executable.
              example: "/lib/systemd/systemd"
            - name: uid
              type: long
              required: false
              description: >
                UID of the object process.
            - name: gid
              type: long
              required: false
              description: >
                GID of the object process.
            - name: pid
              type: long
              required: false
              description: >
                PID of the object process.
            - name: systemd
              type: group
              description: >
                Systemd fields of event.
              fields:
                - name: owner_uid
                  type: long
                  required: false
                  description: >
                    The UID of the owner.
                - name: session
                  type: keyword
                  required: false
                  description: >
                    The ID of the systemd session.
                - name: unit
                  type: keyword
                  required: false
                  description: >
                    The name of the systemd unit.
                - name: user_unit
                  type: keyword
                  required: false
                  description: >
                    The name of the systemd user unit.
    - name: kernel
      type: group
      description: >
        Fields to log on behalf of a different program.
      fields:
        - name: device
          type: keyword
          required: false
          description: >
            The kernel device name.
        - name: subsystem
          type: keyword
          required: false
          description: >
            The kernel subsystem name.
        - name: device_symlinks
          type: text
          required: false
          description: >
            Additional symlink names pointing to the device node in /dev.
        - name: device_node_path
          type: text
          required: false
          description: >
            The device node path of this device in /dev.
        - name: device_name
          type: text
          required: false
          description: >
            The kernel device name as it shows up in the device tree below /sys.
    - name: code
      type: group
      description: >
        Fields of the code generating the event.
      fields:
        - name: file
          type: text
          required: false
          example: "../src/core/manager.c"
          description: >
            The name of the source file where the log is generated.
        - name: function
          type: text
          required: false
          example: "job_log_status_message"
          description: >
            The name of the function which generated the log message.
        - name: line
          type: long
          required: false
          example: 123
          description: >
            The line number of the code which generated the log message.
    - name: process
      type: group
      description: >
        Fields to log on behalf of a different program.
      fields:
        - name: audit
          type: group
          description: >
            Audit fields of event.
          fields:
            - name: loginuid
              type: long
              required: false
              example: 1000
              description: >
                The login UID of the source process.
            - name: session
              type: long
              required: false
              example: 3
              description: >
                The audit session of the source process.
        - name: cmd
          type: keyword
          required: false
          example: "/lib/systemd/systemd --user"
          description: >
            The command line of the process.
        - name: name
          type: keyword
          required: false
          example: "/lib/systemd/systemd"
          description: >
            Name of the executable.
        - name: executable
          type: keyword
          required: false
          description: >
            Path to the executable.
          example: "/lib/systemd/systemd"
        - name: pid
          type: long
          required: false
          example: 1
          description: >
            The ID of the process which logged the message.
        - name: gid
          type: long
          required: false
          example: 1
          description: >
            The ID of the group which runs the process.
        - name: uid
          type: long
          required: false
          example: 1
          description: >
            The ID of the user which runs the process.
        - name: capabilites
          required: false
          description: >
            The effective capabilities of the process.
    - name: systemd
      type: group
      description: >
        Fields of systemd.
      fields:
        - name: invocation_id
          type: keyword
          required: false
          example: "8450f1672de646c88cd133aadd4f2d70"
          description: >
            The invocation ID for the runtime cycle of the unit the message was generated in.
        - name: cgroup
          type: keyword
          required: false
          example: "/user.slice/user-1234.slice/session-2.scope"
          description: >
            The control group path in the systemd hierarchy.
        - name: owner_uid
          type: long
          required: false
          description: >
            The owner UID of the systemd user unit or systemd session.
        - name: session
          type: keyword
          required: false
          description: >
            The ID of the systemd session.
        - name: slice
          type: keyword
          required: false
          example: "user-1234.slice"
          description: >
            The systemd slice unit.
        - name: user_slice
          type: keyword
          required: false
          description: >
            The systemd user slice unit.
        - name: unit
          type: keyword
          required: false
          example: "nginx.service"
          description: >
            The name of the systemd unit.
        - name: user_unit
          type: keyword
          required: false
          example: "user-1234.slice"
          description: >
            The name of the systemd user unit.
        - name: transport
          type: keyword
          required: true
          example: "syslog"
          description: >
            How the log message was received by journald.
    - name: host
      type: group
      description: >
        Fields of the host.
      fields:
        - name: boot_id
          type: text
          required: false
          example: "dd8c974asdf01dbe2ef26d7fasdf264c9"
          description: >
            The boot ID for the boot the log was generated in.
    - name: syslog
      type: group
      description: >
        Fields of the code generating the event.
      fields:
        - name: priority
          type: long
          required: false
          example: 1
          description: >
            The priority of the message. A syslog compatibility field.
        - name: facility
          type: long
          required: false
          example: 1
          description: >
            The facility of the message. A syslog compatibility field.
        - name: identifier
          type: text
          required: false
          example: "su"
          description: >
            The identifier of the message. A syslog compatibility field.
    - name: message
      type: text
      required: true
      description: >
        The logged message.
    - name: custom
      type: nested
      required: false
      description: >
        Arbitrary fields coming from processes.