//// This file is generated! See _meta/fields.yml and scripts/generate_field_docs.py //// [[exported-fields]] = Exported fields [partintro] -- This document describes the fields that are exported by Packetbeat. They are grouped in the following categories: * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> * <> -- [[exported-fields-amqp]] == AMQP fields AMQP specific event fields. *`amqp.reply-code`*:: + -- type: long example: 404 AMQP reply code to an error, similar to http reply-code -- *`amqp.reply-text`*:: + -- type: keyword Text explaining the error. -- *`amqp.class-id`*:: + -- type: long Failing method class. -- *`amqp.method-id`*:: + -- type: long Failing method ID. -- *`amqp.exchange`*:: + -- type: keyword Name of the exchange. -- *`amqp.exchange-type`*:: + -- type: keyword example: fanout Exchange type. -- *`amqp.passive`*:: + -- type: boolean If set, do not create exchange/queue. -- *`amqp.durable`*:: + -- type: boolean If set, request a durable exchange/queue. -- *`amqp.exclusive`*:: + -- type: boolean If set, request an exclusive queue. -- *`amqp.auto-delete`*:: + -- type: boolean If set, auto-delete queue when unused. -- *`amqp.no-wait`*:: + -- type: boolean If set, the server will not respond to the method. -- *`amqp.consumer-tag`*:: + -- Identifier for the consumer, valid within the current channel. -- *`amqp.delivery-tag`*:: + -- type: long The server-assigned and channel-specific delivery tag. -- *`amqp.message-count`*:: + -- type: long The number of messages in the queue, which will be zero for newly-declared queues. -- *`amqp.consumer-count`*:: + -- type: long The number of consumers of a queue. -- *`amqp.routing-key`*:: + -- type: keyword Message routing key. -- *`amqp.no-ack`*:: + -- type: boolean If set, the server does not expect acknowledgements for messages. 
-- *`amqp.no-local`*:: + -- type: boolean If set, the server will not send messages to the connection that published them. -- *`amqp.if-unused`*:: + -- type: boolean Delete only if unused. -- *`amqp.if-empty`*:: + -- type: boolean Delete only if empty. -- *`amqp.queue`*:: + -- type: keyword The queue name identifies the queue within the vhost. -- *`amqp.redelivered`*:: + -- type: boolean Indicates that the message has been previously delivered to this or another client. -- *`amqp.multiple`*:: + -- type: boolean Acknowledge multiple messages. -- *`amqp.arguments`*:: + -- type: object Optional additional arguments passed to some methods. Can be of various types. -- *`amqp.mandatory`*:: + -- type: boolean Indicates mandatory routing. -- *`amqp.immediate`*:: + -- type: boolean Request immediate delivery. -- *`amqp.content-type`*:: + -- type: keyword example: text/plain MIME content type. -- *`amqp.content-encoding`*:: + -- type: keyword MIME content encoding. -- *`amqp.headers`*:: + -- type: object Message header field table. -- *`amqp.delivery-mode`*:: + -- type: keyword Non-persistent (1) or persistent (2). -- *`amqp.priority`*:: + -- type: long Message priority, 0 to 9. -- *`amqp.correlation-id`*:: + -- type: keyword Application correlation identifier. -- *`amqp.reply-to`*:: + -- type: keyword Address to reply to. -- *`amqp.expiration`*:: + -- type: keyword Message expiration specification. -- *`amqp.message-id`*:: + -- type: keyword Application message identifier. -- *`amqp.timestamp`*:: + -- type: keyword Message timestamp. -- *`amqp.type`*:: + -- type: keyword Message type name. -- *`amqp.user-id`*:: + -- type: keyword Creating user id. -- *`amqp.app-id`*:: + -- type: keyword Creating application id. -- [[exported-fields-beat]] == Beat fields Contains common beat fields available in all event types. *`beat.name`*:: + -- The name of the Beat sending the log messages. If the Beat name is set in the configuration file, then that value is used. 
If it is not set, the hostname is used. To set the Beat name, use the `name` option in the configuration file. -- *`beat.hostname`*:: + -- The hostname as returned by the operating system on which the Beat is running. -- *`beat.timezone`*:: + -- The timezone as returned by the operating system on which the Beat is running. -- *`beat.version`*:: + -- The version of the beat that generated this event. -- *`@timestamp`*:: + -- type: date example: August 26th 2016, 12:35:53.332 format: date required: True The timestamp when the event log record was generated. -- *`tags`*:: + -- Arbitrary tags that can be set per Beat and per transaction type. -- *`fields`*:: + -- type: object Contains user configurable fields. -- [float] == error fields Error fields containing additional info in case of errors. *`error.message`*:: + -- type: text Error message. -- *`error.code`*:: + -- type: long Error code. -- *`error.type`*:: + -- type: keyword Error type. -- [[exported-fields-cassandra]] == Cassandra fields Cassandra v4/3 specific event fields. [float] == cassandra fields Information about the Cassandra request and response. [float] == request fields Cassandra request. [float] == headers fields Cassandra request headers. *`cassandra.request.headers.version`*:: + -- type: long The version of the protocol. -- *`cassandra.request.headers.flags`*:: + -- type: keyword Flags applying to this frame. -- *`cassandra.request.headers.stream`*:: + -- type: keyword A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. -- *`cassandra.request.headers.op`*:: + -- type: keyword An operation type that distinguishes the actual message. -- *`cassandra.request.headers.length`*:: + -- type: long A integer representing the length of the body of the frame (a frame is limited to 256MB in length). -- *`cassandra.request.query`*:: + -- type: keyword The CQL query which client send to cassandra. 
-- [float] == response fields Cassandra response. [float] == headers fields Cassandra response headers, the structure is as same as request's header. *`cassandra.response.headers.version`*:: + -- type: long The version of the protocol. -- *`cassandra.response.headers.flags`*:: + -- type: keyword Flags applying to this frame. -- *`cassandra.response.headers.stream`*:: + -- type: keyword A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. -- *`cassandra.response.headers.op`*:: + -- type: keyword An operation type that distinguishes the actual message. -- *`cassandra.response.headers.length`*:: + -- type: long A integer representing the length of the body of the frame (a frame is limited to 256MB in length). -- [float] == result fields Details about the returned result. *`cassandra.response.result.type`*:: + -- type: keyword Cassandra result type. -- [float] == rows fields Details about the rows. *`cassandra.response.result.rows.num_rows`*:: + -- type: long Representing the number of rows present in this result. -- [float] == meta fields Composed of result metadata. *`cassandra.response.result.rows.meta.keyspace`*:: + -- type: keyword Only present after set Global_tables_spec, the keyspace name. -- *`cassandra.response.result.rows.meta.table`*:: + -- type: keyword Only present after set Global_tables_spec, the table name. -- *`cassandra.response.result.rows.meta.flags`*:: + -- type: keyword Provides information on the formatting of the remaining information. -- *`cassandra.response.result.rows.meta.col_count`*:: + -- type: long Representing the number of columns selected by the query that produced this result. -- *`cassandra.response.result.rows.meta.pkey_columns`*:: + -- type: long Representing the PK columns index and counts. 
-- *`cassandra.response.result.rows.meta.paging_state`*:: + -- type: keyword The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. -- *`cassandra.response.result.keyspace`*:: + -- type: keyword Indicating the name of the keyspace that has been set. -- [float] == schema_change fields The result to a schema_change message. *`cassandra.response.result.schema_change.change`*:: + -- type: keyword Representing the type of changed involved. -- *`cassandra.response.result.schema_change.keyspace`*:: + -- type: keyword This describes which keyspace has changed. -- *`cassandra.response.result.schema_change.table`*:: + -- type: keyword This describes which table has changed. -- *`cassandra.response.result.schema_change.object`*:: + -- type: keyword This describes the name of said affected object (either the table, user type, function, or aggregate name). -- *`cassandra.response.result.schema_change.target`*:: + -- type: keyword Target could be "FUNCTION" or "AGGREGATE", multiple arguments. -- *`cassandra.response.result.schema_change.name`*:: + -- type: keyword The function/aggregate name. -- *`cassandra.response.result.schema_change.args`*:: + -- type: keyword One string for each argument type (as CQL type). -- [float] == prepared fields The result to a PREPARE message. *`cassandra.response.result.prepared.prepared_id`*:: + -- type: keyword Representing the prepared query ID. -- [float] == req_meta fields This describes the request metadata. *`cassandra.response.result.prepared.req_meta.keyspace`*:: + -- type: keyword Only present after set Global_tables_spec, the keyspace name. -- *`cassandra.response.result.prepared.req_meta.table`*:: + -- type: keyword Only present after set Global_tables_spec, the table name. -- *`cassandra.response.result.prepared.req_meta.flags`*:: + -- type: keyword Provides information on the formatting of the remaining information. 
-- *`cassandra.response.result.prepared.req_meta.col_count`*:: + -- type: long Representing the number of columns selected by the query that produced this result. -- *`cassandra.response.result.prepared.req_meta.pkey_columns`*:: + -- type: long Representing the PK columns index and counts. -- *`cassandra.response.result.prepared.req_meta.paging_state`*:: + -- type: keyword The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. -- [float] == resp_meta fields This describes the metadata for the result set. *`cassandra.response.result.prepared.resp_meta.keyspace`*:: + -- type: keyword Only present after set Global_tables_spec, the keyspace name. -- *`cassandra.response.result.prepared.resp_meta.table`*:: + -- type: keyword Only present after set Global_tables_spec, the table name. -- *`cassandra.response.result.prepared.resp_meta.flags`*:: + -- type: keyword Provides information on the formatting of the remaining information. -- *`cassandra.response.result.prepared.resp_meta.col_count`*:: + -- type: long Representing the number of columns selected by the query that produced this result. -- *`cassandra.response.result.prepared.resp_meta.pkey_columns`*:: + -- type: long Representing the PK columns index and counts. -- *`cassandra.response.result.prepared.resp_meta.paging_state`*:: + -- type: keyword The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. -- *`cassandra.response.supported`*:: + -- type: object Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message. -- [float] == authentication fields Indicates that the server requires authentication, and which authentication mechanism to use. 
*`cassandra.response.authentication.class`*:: + -- type: keyword Indicates the full class name of the IAuthenticator in use -- *`cassandra.response.warnings`*:: + -- type: keyword The text of the warnings, only occur when Warning flag was set. -- [float] == event fields Event pushed by the server. A client will only receive events for the types it has REGISTERed to. *`cassandra.response.event.type`*:: + -- type: keyword Representing the event type. -- *`cassandra.response.event.change`*:: + -- type: keyword The message corresponding respectively to the type of change followed by the address of the new/removed node. -- *`cassandra.response.event.host`*:: + -- type: keyword Representing the node ip. -- *`cassandra.response.event.port`*:: + -- type: long Representing the node port. -- [float] == schema_change fields The events details related to schema change. *`cassandra.response.event.schema_change.change`*:: + -- type: keyword Representing the type of changed involved. -- *`cassandra.response.event.schema_change.keyspace`*:: + -- type: keyword This describes which keyspace has changed. -- *`cassandra.response.event.schema_change.table`*:: + -- type: keyword This describes which table has changed. -- *`cassandra.response.event.schema_change.object`*:: + -- type: keyword This describes the name of said affected object (either the table, user type, function, or aggregate name). -- *`cassandra.response.event.schema_change.target`*:: + -- type: keyword Target could be "FUNCTION" or "AGGREGATE", multiple arguments. -- *`cassandra.response.event.schema_change.name`*:: + -- type: keyword The function/aggregate name. -- *`cassandra.response.event.schema_change.args`*:: + -- type: keyword One string for each argument type (as CQL type). -- [float] == error fields Indicates an error processing a request. The body of the message will be an error code followed by a error message. Then, depending on the exception, more content may follow. 
*`cassandra.response.error.code`*:: + -- type: long The error code of the Cassandra response. -- *`cassandra.response.error.msg`*:: + -- type: keyword The error message of the Cassandra response. -- *`cassandra.response.error.type`*:: + -- type: keyword The error type of the Cassandra response. -- [float] == details fields The details of the error. *`cassandra.response.error.details.read_consistency`*:: + -- type: keyword Representing the consistency level of the query that triggered the exception. -- *`cassandra.response.error.details.required`*:: + -- type: long Representing the number of nodes that should be alive to respect consistency level. -- *`cassandra.response.error.details.alive`*:: + -- type: long Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). -- *`cassandra.response.error.details.received`*:: + -- type: long Representing the number of nodes having acknowledged the request. -- *`cassandra.response.error.details.blockfor`*:: + -- type: long Representing the number of replicas whose acknowledgement is required to achieve consistency level. -- *`cassandra.response.error.details.write_type`*:: + -- type: keyword Describe the type of the write that timed out. -- *`cassandra.response.error.details.data_present`*:: + -- type: boolean It means the replica that was asked for data had responded. -- *`cassandra.response.error.details.keyspace`*:: + -- type: keyword The keyspace of the failed function. -- *`cassandra.response.error.details.table`*:: + -- type: keyword The keyspace of the failed function. -- *`cassandra.response.error.details.stmt_id`*:: + -- type: keyword Representing the unknown ID. -- *`cassandra.response.error.details.num_failures`*:: + -- type: keyword Representing the number of nodes that experience a failure while executing the request. -- *`cassandra.response.error.details.function`*:: + -- type: keyword The name of the failed function. 
-- *`cassandra.response.error.details.arg_types`*:: + -- type: keyword One string for each argument type (as CQL type) of the failed function. -- [[exported-fields-cloud]] == Cloud provider metadata fields Metadata from cloud providers added by the add_cloud_metadata processor. *`meta.cloud.provider`*:: + -- example: ec2 Name of the cloud provider. Possible values are ec2, gce, or digitalocean. -- *`meta.cloud.instance_id`*:: + -- Instance ID of the host machine. -- *`meta.cloud.instance_name`*:: + -- Instance name of the host machine. -- *`meta.cloud.machine_type`*:: + -- example: t2.medium Machine type of the host machine. -- *`meta.cloud.availability_zone`*:: + -- example: us-east-1c Availability zone in which this host is running. -- *`meta.cloud.project_id`*:: + -- example: project-x Name of the project in Google Cloud. -- *`meta.cloud.region`*:: + -- Region in which this host is running. -- [[exported-fields-common]] == Common fields These fields contain data about the environment in which the transaction or flow was captured. *`server`*:: + -- The name of the server that served the transaction. -- *`client_server`*:: + -- The name of the server that initiated the transaction. -- *`service`*:: + -- The name of the logical service that served the transaction. -- *`client_service`*:: + -- The name of the logical service that initiated the transaction. -- *`ip`*:: + -- format: dotted notation. The IP address of the server that served the transaction. -- *`client_ip`*:: + -- format: dotted notation. The IP address of the server that initiated the transaction. -- *`real_ip`*:: + -- format: Dotted notation. If the server initiating the transaction is a proxy, this field contains the original client IP address. For HTTP, for example, the IP address extracted from a configurable HTTP header, by default `X-Forwarded-For`. Unless this field is disabled, it always has a value, and it matches the `client_ip` for non proxy clients. 
-- [float] == client_geoip fields The GeoIP information of the client. *`client_geoip.location`*:: + -- type: geo_point example: {'lat': 51, 'lon': 9} The GeoIP location of the `client_ip` address. This field is available only if you define a https://www.elastic.co/guide/en/elasticsearch/plugins/master/using-ingest-geoip.html[GeoIP Processor] as a pipeline in the https://www.elastic.co/guide/en/elasticsearch/plugins/master/ingest-geoip.html[Ingest GeoIP processor plugin] or using Logstash. -- *`client_port`*:: + -- format: dotted notation. The layer 4 port of the process that initiated the transaction. -- *`transport`*:: + -- example: udp The transport protocol used for the transaction. If not specified, then tcp is assumed. -- *`type`*:: + -- required: True The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. -- *`port`*:: + -- format: dotted notation. The layer 4 port of the process that served the transaction. -- *`proc`*:: + -- The name of the process that served the transaction. -- *`cmdline`*:: + -- The command-line of the process that served the transaction. -- *`client_proc`*:: + -- The name of the process that initiated the transaction. -- *`client_cmdline`*:: + -- The command-line of the process that initiated the transaction. -- *`release`*:: + -- The software release of the service serving the transaction. This can be the commit id or a semantic version. -- [[exported-fields-dhcpv4]] == DHCPv4 fields DHCPv4 event fields *`dhcpv4.transaction_id`*:: + -- type: keyword Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server. -- *`dhcpv4.seconds`*:: + -- type: long Number of seconds elapsed since client began address acquisition or renewal process. -- *`dhcpv4.flags`*:: + -- type: keyword Flags are set by the client to indicate how the DHCP server should its reply -- either unicast or broadcast. 
-- *`dhcpv4.client_ip`*:: + -- type: ip The current IP address of the client. -- *`dhcpv4.assigned_ip`*:: + -- type: ip The IP address that the DHCP server is assigning to the client. This field is also known as "your" IP address. -- *`dhcpv4.server_ip`*:: + -- type: ip The IP address of the DHCP server that the client should use for the next step in the bootstrap process. -- *`dhcpv4.relay_ip`*:: + -- type: ip The relay IP address used by the client to contact the server (i.e. a DHCP relay server). -- *`dhcpv4.client_mac`*:: + -- type: keyword The client's MAC address (layer two). -- *`dhcpv4.server_name`*:: + -- type: keyword The name of the server sending the message. Optional. Used in DHCPOFFER or DHCPACK messages. -- *`dhcpv4.op_code`*:: + -- type: keyword example: bootreply The message op code (bootrequest or bootreply). -- *`dhcpv4.hops`*:: + -- type: long The number of hops the DHCP message went through. -- *`dhcpv4.hardware_type`*:: + -- type: keyword The type of hardware used for the local network (Ethernet, LocalTalk, etc). -- *`dhcpv4.option.message_type`*:: + -- type: keyword example: ack The specific type of DHCP message being sent (e.g. discover, offer, request, decline, ack, nak, release, inform). -- *`dhcpv4.option.parameter_request_list`*:: + -- type: keyword This option is used by a DHCP client to request values for specified configuration parameters. -- *`dhcpv4.option.requested_ip_address`*:: + -- type: ip This option is used in a client request (DHCPDISCOVER) to allow the client to request that a particular IP address be assigned. -- *`dhcpv4.option.server_identifier`*:: + -- type: ip IP address of the individual DHCP server which handled this message. -- *`dhcpv4.option.broadcast_address`*:: + -- type: ip This option specifies the broadcast address in use on the client's subnet. -- *`dhcpv4.option.max_dhcp_message_size`*:: + -- type: long This option specifies the maximum length DHCP message that the client is willing to accept. 
-- *`dhcpv4.option.class_identifier`*:: + -- type: keyword This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. Vendors may choose to define specific vendor class identifiers to convey particular configuration or other identification information about a client. For example, the identifier may encode the client's hardware configuration. -- *`dhcpv4.option.domain_name`*:: + -- type: keyword This option specifies the domain name that client should use when resolving hostnames via the Domain Name System. -- *`dhcpv4.option.dns_servers`*:: + -- type: ip The domain name server option specifies a list of Domain Name System servers available to the client. -- *`dhcpv4.option.vendor_identifying_options`*:: + -- type: object A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs. This field is described in RFC 3925. -- *`dhcpv4.option.subnet_mask`*:: + -- type: ip The subnet mask that the client should use on the currnet network. -- *`dhcpv4.option.utc_time_offset_sec`*:: + -- type: long The time offset field specifies the offset of the client's subnet in seconds from Coordinated Universal Time (UTC). -- *`dhcpv4.option.router`*:: + -- type: ip The router option specifies a list of IP addresses for routers on the client's subnet. -- *`dhcpv4.option.time_servers`*:: + -- type: ip The time server option specifies a list of RFC 868 time servers available to the client. -- *`dhcpv4.option.ntp_servers`*:: + -- type: ip This option specifies a list of IP addresses indicating NTP servers available to the client. -- *`dhcpv4.option.hostname`*:: + -- type: keyword This option specifies the name of the client. 
-- *`dhcpv4.option.ip_address_lease_time_sec`*:: + -- type: long This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer. -- *`dhcpv4.option.message`*:: + -- type: text This option is used by a DHCP server to provide an error message to a DHCP client in a DHCPNAK message in the event of a failure. A client may use this option in a DHCPDECLINE message to indicate the why the client declined the offered parameters. -- *`dhcpv4.option.renewal_time_sec`*:: + -- type: long This option specifies the time interval from address assignment until the client transitions to the RENEWING state. -- *`dhcpv4.option.rebinding_time_sec`*:: + -- type: long This option specifies the time interval from address assignment until the client transitions to the REBINDING state. -- *`dhcpv4.option.boot_file_name`*:: + -- type: keyword This option is used to identify a bootfile when the 'file' field in the DHCP header has been used for DHCP options. -- [[exported-fields-dns]] == DNS fields DNS-specific event fields. *`dns.id`*:: + -- type: long The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. -- *`dns.op_code`*:: + -- example: QUERY The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. -- *`dns.flags.authoritative`*:: + -- type: boolean A DNS flag specifying that the responding server is an authority for the domain name used in the question. -- *`dns.flags.recursion_available`*:: + -- type: boolean A DNS flag specifying whether recursive query support is available in the name server. -- *`dns.flags.recursion_desired`*:: + -- type: boolean A DNS flag specifying that the client directs the server to pursue a query recursively. 
Recursive query support is optional. -- *`dns.flags.authentic_data`*:: + -- type: boolean A DNS flag specifying that the recursive server considers the response authentic. -- *`dns.flags.checking_disabled`*:: + -- type: boolean A DNS flag specifying that the client disables the server signature validation of the query. -- *`dns.flags.truncated_response`*:: + -- type: boolean A DNS flag specifying that only the first 512 bytes of the reply were returned. -- *`dns.response_code`*:: + -- example: NOERROR The DNS status code. -- *`dns.question.name`*:: + -- example: www.google.com. The domain name being queried. If the name field contains non-printable characters (below 32 or above 126), then those characters are represented as escaped base 10 integers (\DDD). Back slashes and quotes are escaped. Tabs, carriage returns, and line feeds are converted to \t, \r, and \n respectively. -- *`dns.question.type`*:: + -- example: AAAA The type of records being queried. -- *`dns.question.class`*:: + -- example: IN The class of of records being queried. -- *`dns.question.etld_plus_one`*:: + -- example: amazon.co.uk. The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. -- *`dns.answers`*:: + -- type: object An array containing a dictionary about each answer section returned by the server. -- *`dns.answers_count`*:: + -- type: long The number of resource records contained in the `dns.answers` field. -- *`dns.answers.name`*:: + -- example: example.com. The domain name to which this resource record pertains. -- *`dns.answers.type`*:: + -- example: MX The type of data contained in this resource record. -- *`dns.answers.class`*:: + -- example: IN The class of DNS data contained in this resource record. 
-- *`dns.answers.ttl`*:: + -- type: long The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. -- *`dns.answers.data`*:: + -- The data describing the resource. The meaning of this data depends on the type and class of the resource record. -- *`dns.authorities`*:: + -- type: object An array containing a dictionary for each authority section from the answer. -- *`dns.authorities_count`*:: + -- type: long The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat. -- *`dns.authorities.name`*:: + -- example: example.com. The domain name to which this resource record pertains. -- *`dns.authorities.type`*:: + -- example: NS The type of data contained in this resource record. -- *`dns.authorities.class`*:: + -- example: IN The class of DNS data contained in this resource record. -- *`dns.additionals`*:: + -- type: object An array containing a dictionary for each additional section from the answer. -- *`dns.additionals_count`*:: + -- type: long The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. -- *`dns.additionals.name`*:: + -- example: example.com. The domain name to which this resource record pertains. -- *`dns.additionals.type`*:: + -- example: NS The type of data contained in this resource record. -- *`dns.additionals.class`*:: + -- example: IN The class of DNS data contained in this resource record. -- *`dns.additionals.ttl`*:: + -- type: long The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. -- *`dns.additionals.data`*:: + -- The data describing the resource. 
The meaning of this data depends on the type and class of the resource record. -- *`dns.opt.version`*:: + -- example: 0 The EDNS version. -- *`dns.opt.do`*:: + -- type: boolean If set, the transaction uses DNSSEC. -- *`dns.opt.ext_rcode`*:: + -- example: BADVERS Extended response code field. -- *`dns.opt.udp_size`*:: + -- type: long Requestor's UDP payload size (in bytes). -- [[exported-fields-docker-processor]] == Docker fields Docker stats collected from Docker. *`docker.container.id`*:: + -- type: keyword Unique container id. -- *`docker.container.image`*:: + -- type: keyword Name of the image the container was built on. -- *`docker.container.name`*:: + -- type: keyword Container name. -- *`docker.container.labels`*:: + -- type: object Image labels. -- [[exported-fields-flows_event]] == Flow Event fields These fields contain data about the flow itself. *`start_time`*:: + -- type: date example: 2015-01-24 14:06:05.071000 format: YYYY-MM-DDTHH:MM:SS.milliZ required: True The time, the first packet for the flow has been seen. -- *`last_time`*:: + -- type: date example: 2015-01-24 14:06:05.071000 format: YYYY-MM-DDTHH:MM:SS.milliZ required: True The time, the most recent processed packet for the flow has been seen. -- *`final`*:: + -- Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. -- *`flow_id`*:: + -- Internal flow id based on connection meta data and address. -- *`vlan`*:: + -- Innermost VLAN address used in network packets. -- *`outer_vlan`*:: + -- Second innermost VLAN address used in network packets. -- [float] == source fields Properties of the source host *`source.mac`*:: + -- Source MAC address as indicated by first packet seen for the current flow. -- *`source.ip`*:: + -- Innermost IPv4 source address as indicated by first packet seen for the current flow. -- *`source.ip_location`*:: + -- type: geo_point example: 40.715, -74.011 The GeoIP location of the `ip_source` IP address. 
The field is a string containing the latitude and longitude separated by a comma. -- *`source.outer_ip`*:: + -- Second innermost IPv4 source address as indicated by first packet seen for the current flow. -- *`source.outer_ip_location`*:: + -- type: geo_point example: 40.715, -74.011 The GeoIP location of the `outer_ip_source` IP address. The field is a string containing the latitude and longitude separated by a comma. -- *`source.ipv6`*:: + -- Innermost IPv6 source address as indicated by first packet seen for the current flow. -- *`source.ipv6_location`*:: + -- type: geo_point example: 60.715, -76.011 The GeoIP location of the `ipv6_source` IP address. The field is a string containing the latitude and longitude separated by a comma. -- *`source.outer_ipv6`*:: + -- Second innermost IPv6 source address as indicated by first packet seen for the current flow. -- *`source.outer_ipv6_location`*:: + -- type: geo_point example: 60.715, -76.011 The GeoIP location of the `outer_ipv6_source` IP address. The field is a string containing the latitude and longitude separated by a comma. -- *`source.port`*:: + -- Source port number as indicated by first packet seen for the current flow. -- [float] == stats fields Object with source to destination flow measurements. *`source.stats.net_packets_total`*:: + -- type: long Total number of packets -- *`source.stats.net_bytes_total`*:: + -- type: long Total number of bytes -- [float] == dest fields Properties of the destination host *`dest.mac`*:: + -- Destination MAC address as indicated by first packet seen for the current flow. -- *`dest.ip`*:: + -- Innermost IPv4 destination address as indicated by first packet seen for the current flow. -- *`dest.ip_location`*:: + -- type: geo_point example: 40.715, -74.011 The GeoIP location of the `ip_dest` IP address. The field is a string containing the latitude and longitude separated by a comma. 
--

*`dest.outer_ip`*::
+
--
Second innermost IPv4 destination address as indicated by the first packet seen for the current flow.

--

*`dest.outer_ip_location`*::
+
--
type: geo_point

example: 40.715, -74.011

The GeoIP location of the `outer_ip_dest` IP address. The field is a string containing the latitude and longitude separated by a comma.

--

*`dest.ipv6`*::
+
--
Innermost IPv6 destination address as indicated by the first packet seen for the current flow.

--

*`dest.ipv6_location`*::
+
--
type: geo_point

example: 60.715, -76.011

The GeoIP location of the `ipv6_dest` IP address. The field is a string containing the latitude and longitude separated by a comma.

--

*`dest.outer_ipv6`*::
+
--
Second innermost IPv6 destination address as indicated by the first packet seen for the current flow.

--

*`dest.outer_ipv6_location`*::
+
--
type: geo_point

example: 60.715, -76.011

The GeoIP location of the `outer_ipv6_dest` IP address. The field is a string containing the latitude and longitude separated by a comma.

--

*`dest.port`*::
+
--
Destination port number as indicated by the first packet seen for the current flow.

--

[float]
== stats fields

Object with destination to source flow measurements.

*`dest.stats.net_packets_total`*::
+
--
type: long

Total number of packets

--

*`dest.stats.net_bytes_total`*::
+
--
type: long

Total number of bytes

--

*`icmp_id`*::
+
--
ICMP id used in an ICMP-based flow.

--

*`connection_id`*::
+
--
Optional TCP connection id.

--

[[exported-fields-host-processor]]
== Host fields

Info collected for the host machine.

*`host.name`*::
+
--
type: keyword

Hostname.

--

*`host.id`*::
+
--
type: keyword

Unique host id.

--

*`host.architecture`*::
+
--
type: keyword

Host architecture (e.g. x86_64, arm, ppc, mips).

--

*`host.os.platform`*::
+
--
type: keyword

OS platform (e.g. centos, ubuntu, windows).

--

*`host.os.version`*::
+
--
type: keyword

OS version.

--

*`host.os.family`*::
+
--
type: keyword

OS family (e.g. redhat, debian, freebsd, windows).
--

*`host.ip`*::
+
--
type: ip

List of IP addresses.

--

*`host.mac`*::
+
--
type: keyword

List of hardware addresses, usually MAC addresses.

--

[[exported-fields-http]]
== HTTP fields

HTTP-specific event fields.

[float]
== http fields

Information about the HTTP request and response.

[float]
== request fields

HTTP request

*`http.request.params`*::
+
--
The query parameters or form values. The query parameters are available in the Request-URI and the form values are set in the HTTP body when the content-type is set to `x-www-form-urlencoded`.

--

*`http.request.headers`*::
+
--
type: object

A map containing the captured header fields from the request. Which headers to capture is configurable. If several headers with the same name are present in the message, their values are joined with commas.

--

*`http.request.body`*::
+
--
type: text

The body of the HTTP request.

--

[float]
== response fields

HTTP response

*`http.response.code`*::
+
--
example: 404

The HTTP status code.

--

*`http.response.phrase`*::
+
--
example: Not found.

The HTTP status phrase.

--

*`http.response.headers`*::
+
--
type: object

A map containing the captured header fields from the response. Which headers to capture is configurable. If several headers with the same name are present in the message, their values are joined with commas.

--

*`http.response.body`*::
+
--
type: text

The body of the HTTP response.

--

[[exported-fields-icmp]]
== ICMP fields

ICMP specific event fields.

*`icmp.version`*::
+
--
The version of the ICMP protocol.

--

*`icmp.request.message`*::
+
--
type: keyword

A human readable form of the request.

--

*`icmp.request.type`*::
+
--
type: long

The request type.

--

*`icmp.request.code`*::
+
--
type: long

The request code.

--

*`icmp.response.message`*::
+
--
type: keyword

A human readable form of the response.

--

*`icmp.response.type`*::
+
--
type: long

The response type.

--

*`icmp.response.code`*::
+
--
type: long

The response code.
--

[[exported-fields-kubernetes-processor]]
== Kubernetes fields

Kubernetes metadata added by the kubernetes processor

*`kubernetes.pod.name`*::
+
--
type: keyword

Kubernetes pod name

--

*`kubernetes.pod.uid`*::
+
--
type: keyword

Kubernetes Pod UID

--

*`kubernetes.namespace`*::
+
--
type: keyword

Kubernetes namespace

--

*`kubernetes.node.name`*::
+
--
type: keyword

Kubernetes node name

--

*`kubernetes.labels`*::
+
--
type: object

Kubernetes labels map

--

*`kubernetes.annotations`*::
+
--
type: object

Kubernetes annotations map

--

*`kubernetes.container.name`*::
+
--
type: keyword

Kubernetes container name

--

*`kubernetes.container.image`*::
+
--
type: keyword

Kubernetes container image

--

[[exported-fields-memcache]]
== Memcache fields

Memcached-specific event fields

*`memcache.protocol_type`*::
+
--
type: keyword

The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type.

--

*`memcache.request.line`*::
+
--
type: keyword

The raw command line for unknown commands ONLY.

--

*`memcache.request.command`*::
+
--
type: keyword

The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands.

--

*`memcache.response.command`*::
+
--
type: keyword

Either the text based protocol response message type or the name of the originating request if binary protocol is used.

--

*`memcache.request.type`*::
+
--
type: keyword

The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth".

--

*`memcache.response.type`*::
+
--
type: keyword

The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth".
The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol).

--

*`memcache.response.error_msg`*::
+
--
type: keyword

The optional error message in the memcache response (text based protocol only).

--

*`memcache.request.opcode`*::
+
--
type: keyword

The binary protocol message opcode name.

--

*`memcache.response.opcode`*::
+
--
type: keyword

The binary protocol message opcode name.

--

*`memcache.request.opcode_value`*::
+
--
type: long

The binary protocol message opcode value.

--

*`memcache.response.opcode_value`*::
+
--
type: long

The binary protocol message opcode value.

--

*`memcache.request.opaque`*::
+
--
type: long

The binary protocol opaque header value used for correlating request with response messages.

--

*`memcache.response.opaque`*::
+
--
type: long

The binary protocol opaque header value used for correlating request with response messages.

--

*`memcache.request.vbucket`*::
+
--
type: long

The vbucket index sent in the binary message.

--

*`memcache.response.status`*::
+
--
type: keyword

The textual representation of the response error code (binary protocol only).

--

*`memcache.response.status_code`*::
+
--
type: long

The status code value returned in the response (binary protocol only).

--

*`memcache.request.keys`*::
+
--
type: array

The list of keys sent in the store or load commands.

--

*`memcache.response.keys`*::
+
--
type: array

The list of keys returned for the load command (if present).

--

*`memcache.request.count_values`*::
+
--
type: long

The number of values found in the memcache request message. If the command does not send any data, this field is missing.

--

*`memcache.response.count_values`*::
+
--
type: long

The number of values found in the memcache response message. If the command does not send any data, this field is missing.
--

*`memcache.request.values`*::
+
--
type: array

The list of base64 encoded values sent with the request (if present).

--

*`memcache.response.values`*::
+
--
type: array

The list of base64 encoded values sent with the response (if present).

--

*`memcache.request.bytes`*::
+
--
type: long

format: bytes

The byte count of the values being transferred.

--

*`memcache.response.bytes`*::
+
--
type: long

format: bytes

The byte count of the values being transferred.

--

*`memcache.request.delta`*::
+
--
type: long

The counter increment/decrement delta value.

--

*`memcache.request.initial`*::
+
--
type: long

The counter increment/decrement initial value parameter (binary protocol only).

--

*`memcache.request.verbosity`*::
+
--
type: long

The value of the memcache "verbosity" command.

--

*`memcache.request.raw_args`*::
+
--
type: keyword

The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands.

--

*`memcache.request.source_class`*::
+
--
type: long

The source class id in the 'slab reassign' command.

--

*`memcache.request.dest_class`*::
+
--
type: long

The destination class id in the 'slab reassign' command.

--

*`memcache.request.automove`*::
+
--
type: keyword

The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown.

--

*`memcache.request.flags`*::
+
--
type: long

The memcache command flags sent in the request (if present).

--

*`memcache.response.flags`*::
+
--
type: long

The memcache message flags sent in the response (if present).

--

*`memcache.request.exptime`*::
+
--
type: long

The data expiry time in seconds sent with the memcache command (if present). If the value is <30 days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit).

--

*`memcache.request.sleep_us`*::
+
--
type: long

The sleep setting in microseconds for the 'lru_crawler sleep' command.
--

*`memcache.response.value`*::
+
--
type: long

The counter value returned by a counter operation.

--

*`memcache.request.noreply`*::
+
--
type: boolean

Set to true if noreply was set in the request. The `memcache.response` field will be missing.

--

*`memcache.request.quiet`*::
+
--
type: boolean

Set to true if the binary protocol message is to be treated as a quiet message.

--

*`memcache.request.cas_unique`*::
+
--
type: long

The CAS (compare-and-swap) identifier if present.

--

*`memcache.response.cas_unique`*::
+
--
type: long

The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present).

--

*`memcache.response.stats`*::
+
--
type: array

The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value".

--

*`memcache.response.version`*::
+
--
type: keyword

The returned memcache version string.

--

[[exported-fields-mongodb]]
== MongoDb fields

MongoDB-specific event fields. These fields mirror closely the fields for the MongoDB wire protocol. The higher level fields (for example, `query` and `resource`) apply to MongoDB events as well.

*`mongodb.error`*::
+
--
If the MongoDB request has resulted in an error, this field contains the error message returned by the server.

--

*`mongodb.fullCollectionName`*::
+
--
The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar.

--

*`mongodb.numberToSkip`*::
+
--
type: long

Sets the number of documents to omit, starting from the first document in the resulting dataset, when returning the result of the query.

--

*`mongodb.numberToReturn`*::
+
--
type: long

The requested maximum number of documents to be returned.

--

*`mongodb.numberReturned`*::
+
--
type: long

The number of documents in the reply.

--

*`mongodb.startingFrom`*::
+
--
Where in the cursor this reply is starting.
--

*`mongodb.query`*::
+
--
A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot.

--

*`mongodb.returnFieldsSelector`*::
+
--
A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1.

--

*`mongodb.selector`*::
+
--
A BSON document that specifies the query for selecting the document to update or delete.

--

*`mongodb.update`*::
+
--
A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual.

--

*`mongodb.cursorId`*::
+
--
The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database.

--

[float]
== rpc fields

OncRPC specific event fields.

*`rpc.xid`*::
+
--
RPC message transaction identifier.

--

*`rpc.call_size`*::
+
--
type: long

RPC call size with argument.

--

*`rpc.reply_size`*::
+
--
type: long

RPC reply size with argument.

--

*`rpc.status`*::
+
--
RPC message reply status.

--

*`rpc.time`*::
+
--
type: long

RPC message processing time.

--

*`rpc.time_str`*::
+
--
RPC message processing time in human readable form.

--

*`rpc.auth_flavor`*::
+
--
RPC authentication flavor.

--

*`rpc.cred.uid`*::
+
--
type: long

RPC caller's user id, in case of auth-unix.

--

*`rpc.cred.gid`*::
+
--
type: long

RPC caller's group id, in case of auth-unix.

--

*`rpc.cred.gids`*::
+
--
RPC caller's secondary group ids, in case of auth-unix.

--

*`rpc.cred.stamp`*::
+
--
type: long

Arbitrary ID which the caller machine may generate.

--

*`rpc.cred.machinename`*::
+
--
The name of the caller's machine.

--

[[exported-fields-mysql]]
== MySQL fields

MySQL-specific event fields.
*`mysql.iserror`*::
+
--
type: boolean

If the MySQL query returns an error, this field is set to true.

--

*`mysql.affected_rows`*::
+
--
type: long

If the MySQL command is successful, this field contains the number of rows affected by the last statement.

--

*`mysql.insert_id`*::
+
--
If the INSERT query is successful, this field contains the id of the newly inserted row.

--

*`mysql.num_fields`*::
+
--
If the SELECT query is successful, this field is set to the number of fields returned.

--

*`mysql.num_rows`*::
+
--
If the SELECT query is successful, this field is set to the number of rows returned.

--

*`mysql.query`*::
+
--
The raw MySQL query as read from the transaction's request.

--

*`mysql.error_code`*::
+
--
type: long

The error code returned by MySQL.

--

*`mysql.error_message`*::
+
--
The error info message returned by MySQL.

--

[[exported-fields-nfs]]
== NFS fields

NFS v4/3 specific event fields.

*`nfs.version`*::
+
--
type: long

NFS protocol version number.

--

*`nfs.minor_version`*::
+
--
type: long

NFS protocol minor version number.

--

*`nfs.tag`*::
+
--
NFS v4 COMPOUND operation tag.

--

*`nfs.opcode`*::
+
--
NFS operation name, or main operation name, in case of COMPOUND calls.

--

*`nfs.status`*::
+
--
NFS operation reply status.

--

[[exported-fields-pgsql]]
== PostgreSQL fields

PostgreSQL-specific event fields.

*`pgsql.query`*::
+
--
The raw PostgreSQL query as read from the transaction's request.

--

*`pgsql.iserror`*::
+
--
type: boolean

If the PgSQL query returns an error, this field is set to true.

--

*`pgsql.error_code`*::
+
--
type: long

The PostgreSQL error code.

--

*`pgsql.error_message`*::
+
--
The PostgreSQL error message.

--

*`pgsql.error_severity`*::
+
--
The PostgreSQL error severity.

--

*`pgsql.num_fields`*::
+
--
If the SELECT query is successful, this field is set to the number of fields returned.

--

*`pgsql.num_rows`*::
+
--
If the SELECT query is successful, this field is set to the number of rows returned.
--

[[exported-fields-raw]]
== Raw fields

These fields contain the raw transaction data.

*`request`*::
+
--
type: text

For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.

--

*`response`*::
+
--
type: text

For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the response.

--

[[exported-fields-redis]]
== Redis fields

Redis-specific event fields.

*`redis.return_value`*::
+
--
The return value of the Redis command in a human readable format.

--

*`redis.error`*::
+
--
If the Redis command has resulted in an error, this field contains the error message returned by the Redis server.

--

[[exported-fields-thrift]]
== Thrift-RPC fields

Thrift-RPC specific event fields.

*`thrift.params`*::
+
--
The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used.

--

*`thrift.service`*::
+
--
The name of the Thrift-RPC service as defined in the IDL files.

--

*`thrift.return_value`*::
+
--
The value returned by the Thrift-RPC call. This is encoded in a human readable format.

--

*`thrift.exceptions`*::
+
--
If the call resulted in exceptions, this field contains the exceptions in a human readable format.

--

[[exported-fields-tls]]
== TLS fields

TLS-specific event fields.

*`tls.handshake_completed`*::
+
--
type: boolean

Whether the TLS negotiation has been successful and the session has transitioned to encrypted mode.

--

*`tls.resumed`*::
+
--
type: boolean

Whether the TLS session has been resumed from a previous session.

--

*`tls.resumption_method`*::
+
--
type: keyword

If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension.
--

*`tls.client_certificate_requested`*::
+
--
type: boolean

Whether the server has requested the client to authenticate itself using a client certificate.

--

*`tls.client_hello.version`*::
+
--
type: keyword

The version of the TLS protocol by which the client wishes to communicate during this session.

--

*`tls.client_hello.supported_ciphers`*::
+
--
type: array

List of ciphers the client is willing to use for this session. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

--

*`tls.client_hello.supported_compression_methods`*::
+
--
type: array

The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml

--

[float]
== extensions fields

The hello extensions provided by the client.

*`tls.client_hello.extensions.server_name_indication`*::
+
--
type: keyword

List of hostnames

--

*`tls.client_hello.extensions.application_layer_protocol_negotiation`*::
+
--
type: keyword

List of application-layer protocols the client is willing to use.

--

*`tls.client_hello.extensions.session_ticket`*::
+
--
type: keyword

Length of the session ticket, if provided, or an empty string to advertise support for tickets.

--

*`tls.server_hello.version`*::
+
--
type: keyword

The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello.

--

*`tls.server_hello.selected_cipher`*::
+
--
type: keyword

The cipher suite selected by the server from the list provided in the client hello.

--

*`tls.server_hello.selected_compression_method`*::
+
--
type: keyword

The compression method selected by the server from the list provided in the client hello.

--

[float]
== extensions fields

The hello extensions provided by the server.
*`tls.server_hello.extensions.application_layer_protocol_negotiation`*::
+
--
type: array

Negotiated application layer protocol

--

*`tls.server_hello.extensions.session_ticket`*::
+
--
type: keyword

Used to announce that a session ticket will be provided by the server. Always an empty string.

--

[float]
== client_certificate fields

Certificate provided by the client for authentication.

*`tls.client_certificate.version`*::
+
--
type: long

X509 format version.

--

*`tls.client_certificate.serial_number`*::
+
--
type: keyword

The certificate's serial number.

--

*`tls.client_certificate.not_before`*::
+
--
type: date

Date before which the certificate is not valid.

--

*`tls.client_certificate.not_after`*::
+
--
type: date

Date after which the certificate expires.

--

*`tls.client_certificate.public_key_algorithm`*::
+
--
type: keyword

The algorithm used for this certificate's public key. One of RSA, DSA or ECDSA.

--

*`tls.client_certificate.public_key_size`*::
+
--
type: long

Size of the public key.

--

*`tls.client_certificate.signature_algorithm`*::
+
--
type: keyword

The algorithm used for the certificate's signature.

--

*`tls.client_certificate.alternative_names`*::
+
--
type: array

Subject Alternative Names for this certificate.

--

*`tls.client_certificate.raw`*::
+
--
type: keyword

The raw certificate in PEM format.

--

[float]
== subject fields

Subject represented by this certificate.

*`tls.client_certificate.subject.country`*::
+
--
type: keyword

Country code.

--

*`tls.client_certificate.subject.organization`*::
+
--
type: keyword

Organization name.

--

*`tls.client_certificate.subject.organizational_unit`*::
+
--
type: keyword

Unit within organization.

--

*`tls.client_certificate.subject.province`*::
+
--
type: keyword

Province or region within country.

--

*`tls.client_certificate.subject.common_name`*::
+
--
type: keyword

Name or host name identified by the certificate.

--

[float]
== issuer fields

Entity that issued and signed this certificate.
*`tls.client_certificate.issuer.country`*::
+
--
type: keyword

Country code.

--

*`tls.client_certificate.issuer.organization`*::
+
--
type: keyword

Organization name.

--

*`tls.client_certificate.issuer.organizational_unit`*::
+
--
type: keyword

Unit within organization.

--

*`tls.client_certificate.issuer.province`*::
+
--
type: keyword

Province or region within country.

--

*`tls.client_certificate.issuer.common_name`*::
+
--
type: keyword

Name or host name identified by the certificate.

--

[float]
== server_certificate fields

Certificate provided by the server for authentication.

*`tls.server_certificate.version`*::
+
--
type: long

X509 format version.

--

*`tls.server_certificate.serial_number`*::
+
--
type: keyword

The certificate's serial number.

--

*`tls.server_certificate.not_before`*::
+
--
type: date

Date before which the certificate is not valid.

--

*`tls.server_certificate.not_after`*::
+
--
type: date

Date after which the certificate expires.

--

*`tls.server_certificate.public_key_algorithm`*::
+
--
type: keyword

The algorithm used for this certificate's public key. One of RSA, DSA or ECDSA.

--

*`tls.server_certificate.public_key_size`*::
+
--
type: long

Size of the public key.

--

*`tls.server_certificate.signature_algorithm`*::
+
--
type: keyword

The algorithm used for the certificate's signature.

--

*`tls.server_certificate.alternative_names`*::
+
--
type: array

Subject Alternative Names for this certificate.

--

*`tls.server_certificate.raw`*::
+
--
type: keyword

The raw certificate in PEM format.

--

[float]
== subject fields

Subject represented by this certificate.

*`tls.server_certificate.subject.country`*::
+
--
type: keyword

Country code.

--

*`tls.server_certificate.subject.organization`*::
+
--
type: keyword

Organization name.

--

*`tls.server_certificate.subject.organizational_unit`*::
+
--
type: keyword

Unit within organization.

--

*`tls.server_certificate.subject.province`*::
+
--
type: keyword

Province or region within country.
--

*`tls.server_certificate.subject.common_name`*::
+
--
type: keyword

Name or host name identified by the certificate.

--

[float]
== issuer fields

Entity that issued and signed this certificate.

*`tls.server_certificate.issuer.country`*::
+
--
type: keyword

Country code.

--

*`tls.server_certificate.issuer.organization`*::
+
--
type: keyword

Organization name.

--

*`tls.server_certificate.issuer.organizational_unit`*::
+
--
type: keyword

Unit within organization.

--

*`tls.server_certificate.issuer.province`*::
+
--
type: keyword

Province or region within country.

--

*`tls.server_certificate.issuer.common_name`*::
+
--
type: keyword

Name or host name identified by the certificate.

--

*`tls.server_certificate_chain`*::
+
--
type: array

Chain of trust for the server certificate.

--

*`tls.client_certificate_chain`*::
+
--
type: array

Chain of trust for the client certificate.

--

*`tls.alert_types`*::
+
--
type: keyword

An array containing the TLS alert type for every alert received.

--

[float]
== fingerprints fields

Fingerprints for this TLS session.

[float]
== ja3 fields

JA3 TLS client fingerprint

*`tls.fingerprints.ja3.hash`*::
+
--
type: keyword

The JA3 fingerprint hash for the client side.

--

*`tls.fingerprints.ja3.str`*::
+
--
type: keyword

The JA3 string used to calculate the hash.

--

[[exported-fields-trans_event]]
== Transaction Event fields

These fields contain data about the transaction itself.

*`direction`*::
+
--
required: True

Indicates whether the transaction is inbound (emitted by server) or outbound (emitted by the client). Values can be in or out. No defaults.

--

*`status`*::
+
--
required: True

The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.

--

*`method`*::
+
--
The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
--

*`resource`*::
+
--
The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is `/users/1`, the resource is `/users`. For databases, the resource is typically the table name. The field is not filled for all transaction types.

--

*`path`*::
+
--
required: True

The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.

--

*`query`*::
+
--
type: keyword

The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`.

--

*`params`*::
+
--
type: text

The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.

--

*`notes`*::
+
--
Messages from Packetbeat itself. This field usually contains error messages for interpreting the raw data. This information can be helpful for troubleshooting.

--

[[exported-fields-trans_measurements]]
== Measurements (Transactions) fields

These fields contain measurements related to the transaction.

*`responsetime`*::
+
--
type: long

The wall clock time it took to complete the transaction. The precision is in milliseconds.

--

*`cpu_time`*::
+
--
type: long

The CPU time it took to complete the transaction.

--

*`bytes_in`*::
+
--
type: long

format: bytes

The number of bytes of the request. Note that this size is the application layer message length, without the length of the IP or TCP headers.

--

*`bytes_out`*::
+
--
type: long

format: bytes

The number of bytes of the response. Note that this size is the application layer message length, without the length of the IP or TCP headers.

--

*`dnstime`*::
+
--
type: long

The time it takes to query the name server for a given request.
This is typically used for RUM (real-user-monitoring) but can also have values for server-to-server communication when DNS is used for service discovery. The precision is in microseconds.

--

*`connecttime`*::
+
--
type: long

The time it takes for the TCP connection to be established for the given transaction. The precision is in microseconds.

--

*`loadtime`*::
+
--
type: long

The time it takes for the content to be loaded. This is typically used for RUM (real-user-monitoring) but it can make sense in other cases as well. The precision is in microseconds.

--

*`domloadtime`*::
+
--
type: long

In RUM (real-user-monitoring), the total time it takes for the DOM to be loaded. In terms of the W3 Navigation Timing API, this is the difference between `domContentLoadedEnd` and `domContentLoadedStart`.

--