920 lines
27 KiB
YAML
- key: auditd
  title: Auditd
  description: These are the fields generated by the auditd module.
  fields:
    - name: event
      type: group
      fields:
        - name: category
          type: keyword
          example: audit-rule
          description: >
            The event's category is a value derived from the `record_type`.
        - name: type
          type: keyword
          description: The audit record's type.

    - name: user
      type: group
      fields:
        - name: auid
          type: keyword
          description: >
            login user ID. Set by PAM at login and inherited by every descendant
            process, so it survives `su` and `sudo`.
        - name: uid
          type: keyword
          description: user ID
        - name: euid
          type: keyword
          description: effective user ID
        - name: fsuid
          type: keyword
          description: file system user ID
        - name: suid
          type: keyword
          description: saved user ID (the saved set-user-ID)
        - name: gid
          type: keyword
          description: group ID
        - name: egid
          type: keyword
          description: effective group ID
        - name: sgid
          type: keyword
          description: saved group ID (the saved set-group-ID)
        - name: fsgid
          type: keyword
          description: file system group ID
        - name: name_map
          type: group
          description: >
            If `resolve_ids` is set to true in the configuration then `name_map`
            will contain a mapping of uid field names to the resolved name
            (e.g. auid -> root).
          fields:
            - name: auid
              type: keyword
              description: login user name
            - name: uid
              type: keyword
              description: user name
            - name: euid
              type: keyword
              description: effective user name
            - name: fsuid
              type: keyword
              description: file system user name
            - name: suid
              type: keyword
              description: saved user name
            - name: gid
              type: keyword
              description: group name
            - name: egid
              type: keyword
              description: effective group name
            - name: sgid
              type: keyword
              description: saved group name
            - name: fsgid
              type: keyword
              description: file system group name
        - name: selinux
          type: group
          description: The SELinux identity of the actor.
          fields:
            - name: user
              type: keyword
              description: The actor's SELinux user (the user component of the subject context).
            - name: role
              type: keyword
              description: The actor's SELinux role.
            - name: domain
              type: keyword
              description: The actor's SELinux domain or type.
            - name: level
              type: keyword
              example: s0
              description: The actor's SELinux level.
            - name: category
              type: keyword
              description: The actor's SELinux category or compartments.

    - name: process
      type: group
      description: Process attributes.
      fields:
        - name: pid
          type: keyword
          description: Process ID.
        - name: ppid
          type: keyword
          description: Parent process ID.
        - name: name
          type: keyword
          description: Process name (comm).
        - name: title
          type: keyword
          description: Process title or command line parameters (proctitle).
        - name: exe
          type: keyword
          description: Absolute path of the executable.
        - name: cwd
          type: keyword
          description: The current working directory.
        - name: args
          type: keyword
          description: The process arguments as a list.

    - name: source
      type: group
      description: Source that triggered the event.
      fields:
        - name: ip
          type: ip
          description: The remote address.
        - name: port
          type: keyword
          description: The port number.
        - name: hostname
          type: keyword
          description: Hostname of the source.
        - name: path
          type: keyword
          description: This is the path associated with a unix socket.

    - name: destination
      type: group
      description: Destination address that triggered the event.
      fields:
        - name: ip
          type: ip
          description: The remote address.
        - name: port
          type: keyword
          description: The port number.
        - name: hostname
          type: keyword
          description: Hostname of the destination.
        - name: path
          type: keyword
          description: This is the path associated with a unix socket.

    - name: network.direction
      type: keyword
      description: Direction of the network traffic (`incoming` or `outgoing`).

    - name: auditd
      type: group
      fields:
        - name: sequence
          type: long
          description: >
            The sequence number of the event as assigned by the kernel. Sequence
            numbers are stored as a uint32 in the kernel and can roll over, so a
            lower value does not necessarily mean an older event.
        - name: session
          type: keyword
          description: >
            The session ID assigned to a login. All events related to a login
            session will have the same value.
        - name: result
          type: keyword
          example: success or fail
          description: The result of the audited operation (success/fail).

        - name: summary
          type: group
          fields:
            - name: actor
              type: group
              description: The actor is the user that triggered the audit event.
              fields:
                - name: primary
                  type: keyword
                  description: >
                    The primary identity of the actor. This is the actor's original login
                    ID. It will not change even if the user changes to another account.
                - name: secondary
                  type: keyword
                  description: >
                    The secondary identity of the actor. This is typically the same as
                    the primary, except for when the user has changed identity (e.g. with `su`).
            - name: object
              type: group
              description: >
                This is the thing or object being acted upon in the event.
              fields:
                - name: type
                  type: keyword
                  description: >
                    A description of what the "thing" is (e.g. file, socket,
                    user-session).
                - name: primary
                  type: keyword
                  description: ""
                - name: secondary
                  type: keyword
                  description: ""
            - name: how
              type: keyword
              description: >
                This describes how the action was performed. Usually this is the exe
                or command that was being executed that triggered the event.

        - name: paths
          type: group
          description: List of paths associated with the event.
          fields:
            - name: inode
              type: keyword
              description: inode number
            - name: dev
              type: keyword
              description: device name as found in /dev
            - name: obj_user
              type: keyword
              description: SELinux user component of the object's security context (`obj=`)
            - name: obj_role
              type: keyword
              description: SELinux role component of the object's security context
            - name: obj_domain
              type: keyword
              description: SELinux domain (type) component of the object's security context
            - name: obj_level
              type: keyword
              description: SELinux level component of the object's security context
            - name: objtype
              type: keyword
              description: ""
            - name: ouid
              type: keyword
              description: file owner user ID
            - name: rdev
              type: keyword
              description: the device identifier (special files only)
            - name: nametype
              type: keyword
              description: kind of file operation being referenced
            - name: ogid
              type: keyword
              description: file owner group ID
            - name: item
              type: keyword
              description: which item is being recorded
            - name: mode
              type: keyword
              description: mode flags on a file
            - name: name
              type: keyword
              description: file name (the `name=` of a PATH record)

        - name: data
          type: group
          description: The data from the audit messages.
          fields:
            - name: action
              type: keyword
              description: netfilter packet disposition
            - name: minor
              type: keyword
              description: device minor number
            - name: acct
              type: keyword
              description: a user's account name
            - name: addr
              type: keyword
              description: the remote address that the user is connecting from
            - name: cipher
              type: keyword
              description: name of crypto cipher selected
            - name: id
              type: keyword
              description: account ID during account changes
            - name: entries
              type: keyword
              description: number of entries in the netfilter table
            - name: kind
              type: keyword
              description: server or client in crypto operation
            - name: ksize
              type: keyword
              description: key size for crypto operation
            - name: spid
              type: keyword
              description: sent process ID
            - name: arch
              type: keyword
              description: the elf architecture flags
            - name: argc
              type: keyword
              description: the number of arguments to an execve syscall
            - name: major
              type: keyword
              description: device major number
            - name: unit
              type: keyword
              description: systemd unit
            - name: table
              type: keyword
              description: netfilter table name
            - name: terminal
              type: keyword
              description: terminal name the user is running programs on
            - name: grantors
              type: keyword
              description: pam modules approving the action
            - name: direction
              type: keyword
              description: direction of crypto operation
            - name: op
              type: keyword
              description: the operation being performed that is audited
            - name: tty
              type: keyword
              description: tty device the user is running programs on
            - name: syscall
              type: keyword
              description: syscall number in effect when the event occurred
            - name: data
              type: keyword
              description: TTY text
            - name: family
              type: keyword
              description: netfilter protocol
            - name: mac
              type: keyword
              description: crypto MAC algorithm selected
            - name: pfs
              type: keyword
              description: perfect forward secrecy method
            - name: items
              type: keyword
              description: the number of path records in the event
            - name: a0
              type: keyword
              description: the first argument to the syscall
            - name: a1
              type: keyword
              description: the second argument to the syscall
            - name: a2
              type: keyword
              description: the third argument to the syscall
            - name: a3
              type: keyword
              description: the fourth argument to the syscall
            - name: hostname
              type: keyword
              description: the hostname that the user is connecting from
            - name: lport
              type: keyword
              description: local network port
            - name: rport
              type: keyword
              description: remote port number
            - name: exit
              type: keyword
              description: syscall exit code
            - name: fp
              type: keyword
              description: crypto key fingerprint
            - name: laddr
              type: keyword
              description: local network address
            - name: sport
              type: keyword
              description: local port number
            - name: capability
              type: keyword
              description: posix capabilities
            - name: nargs
              type: keyword
              description: the number of arguments to a socket call
            - name: new-enabled
              type: keyword
              description: new TTY audit enabled setting
            - name: audit_backlog_limit
              type: keyword
              description: audit system's backlog queue size
            - name: dir
              type: keyword
              description: directory name
            - name: cap_pe
              type: keyword
              description: process effective capability map
            - name: model
              type: keyword
              description: security model being used for virt
            - name: new_pp
              type: keyword
              description: new process permitted capability map
            - name: old-enabled
              type: keyword
              description: present TTY audit enabled setting
            - name: oauid
              type: keyword
              description: object's login user ID
            - name: old
              type: keyword
              description: old value
            - name: banners
              type: keyword
              description: banners used on printed page
            - name: feature
              type: keyword
              description: kernel feature being changed
            - name: vm-ctx
              type: keyword
              description: the vm's context string
            - name: opid
              type: keyword
              description: object's process ID
            - name: seperms
              type: keyword
              description: SELinux permissions being used
            - name: seresult
              type: keyword
              description: SELinux AVC decision granted/denied
            - name: new-rng
              type: keyword
              description: device name of rng being added to a vm
            - name: old-net
              type: keyword
              description: present MAC address assigned to vm
            - name: sigev_signo
              type: keyword
              description: signal number
            - name: ino
              type: keyword
              description: inode number
            - name: old_enforcing
              type: keyword
              description: old MAC enforcement status
            - name: old-vcpu
              type: keyword
              description: present number of CPU cores
            - name: range
              type: keyword
              description: user's SELinux range
            - name: res
              type: keyword
              description: result of the audited operation (success/fail)
            - name: added
              type: keyword
              description: number of new files detected
            - name: fam
              type: keyword
              description: socket address family
            - name: nlnk-pid
              type: keyword
              description: pid of netlink packet sender
            - name: subj
              type: keyword
              description: LSPP subject's context string
            - name: a[0-3]
              type: keyword
              description: the arguments to a syscall
            - name: cgroup
              type: keyword
              description: path to cgroup in sysfs
            - name: kernel
              type: keyword
              description: kernel's version number
            - name: ocomm
              type: keyword
              description: object's command line name
            - name: new-net
              type: keyword
              description: MAC address being assigned to vm
            - name: permissive
              type: keyword
              description: SELinux is in permissive mode
            - name: class
              type: keyword
              description: resource class assigned to vm
            - name: compat
              type: keyword
              description: is_compat_task result
            - name: fi
              type: keyword
              description: file assigned inherited capability map
            - name: changed
              type: keyword
              description: number of changed files
            - name: msg
              type: keyword
              description: the payload of the audit record
            - name: dport
              type: keyword
              description: remote port number
            - name: new-seuser
              type: keyword
              description: new SELinux user
            - name: invalid_context
              type: keyword
              description: the invalid SELinux context
            - name: dmac
              type: keyword
              description: remote MAC address
            - name: ipx-net
              type: keyword
              description: IPX network number
            - name: iuid
              type: keyword
              description: ipc object's user ID
            - name: macproto
              type: keyword
              description: ethernet packet type ID field
            - name: obj
              type: keyword
              description: LSPP object context string
            - name: ipid
              type: keyword
              description: IP datagram fragment identifier
            - name: new-fs
              type: keyword
              description: file system being added to vm
            - name: vm-pid
              type: keyword
              description: vm's process ID
            - name: cap_pi
              type: keyword
              description: process inherited capability map
            - name: old-auid
              type: keyword
              description: previous auid value
            - name: oses
              type: keyword
              description: object's session ID
            - name: fd
              type: keyword
              description: file descriptor number
            - name: igid
              type: keyword
              description: ipc object's group ID
            - name: new-disk
              type: keyword
              description: disk being added to vm
            - name: parent
              type: keyword
              description: the inode number of the parent file
            - name: len
              type: keyword
              description: length
            - name: oflag
              type: keyword
              description: open syscall flags
            - name: uuid
              type: keyword
              description: a UUID
            - name: code
              type: keyword
              description: seccomp action code
            - name: nlnk-grp
              type: keyword
              description: netlink group number
            - name: cap_fp
              type: keyword
              description: file permitted capability map
            - name: new-mem
              type: keyword
              description: new amount of memory in KB
            - name: seperm
              type: keyword
              description: SELinux permission being decided on
            - name: enforcing
              type: keyword
              description: new MAC enforcement status
            - name: new-chardev
              type: keyword
              description: new character device being assigned to vm
            - name: old-rng
              type: keyword
              description: device name of rng being removed from a vm
            - name: outif
              type: keyword
              description: out interface number
            - name: cmd
              type: keyword
              description: command being executed
            - name: hook
              type: keyword
              description: netfilter hook that packet came from
            - name: new-level
              type: keyword
              description: new run level
            - name: sauid
              type: keyword
              description: sent login user ID
            - name: sig
              type: keyword
              description: signal number
            - name: audit_backlog_wait_time
              type: keyword
              description: audit system's backlog wait time
            - name: printer
              type: keyword
              description: printer name
            - name: old-mem
              type: keyword
              description: present amount of memory in KB
            - name: perm
              type: keyword
              description: the file permission being used
            - name: old_pi
              type: keyword
              description: old process inherited capability map
            - name: state
              type: keyword
              description: audit daemon configuration resulting state
            - name: format
              type: keyword
              description: audit log's format
            - name: new_gid
              type: keyword
              description: new group ID being assigned
            - name: tcontext
              type: keyword
              description: the target's or object's context string
            - name: maj
              type: keyword
              description: device major number
            - name: watch
              type: keyword
              description: file name in a watch record
            - name: device
              type: keyword
              description: device name
            - name: grp
              type: keyword
              description: group name
            - name: bool
              type: keyword
              description: name of SELinux boolean
            - name: icmp_type
              type: keyword
              description: type of icmp message
            - name: new_lock
              type: keyword
              description: new value of feature lock
            - name: old_prom
              type: keyword
              description: previous network promiscuity flag
            - name: acl
              type: keyword
              description: access mode of resource assigned to vm
            - name: ip
              type: keyword
              description: network address of a printer
            - name: new_pi
              type: keyword
              description: new process inherited capability map
            - name: default-context
              type: keyword
              description: default MAC context
            - name: inode_gid
              type: keyword
              description: group ID of the inode's owner
            - name: new-log_passwd
              type: keyword
              description: new value for TTY password logging
            - name: new_pe
              type: keyword
              description: new process effective capability map
            - name: selected-context
              type: keyword
              description: new MAC context assigned to session
            - name: cap_fver
              type: keyword
              description: file system capabilities version number
            - name: file
              type: keyword
              description: file name
            - name: net
              type: keyword
              description: network MAC address
            - name: virt
              type: keyword
              description: kind of virtualization being referenced
            - name: cap_pp
              type: keyword
              description: process permitted capability map
            - name: old-range
              type: keyword
              description: present SELinux range
            - name: resrc
              type: keyword
              description: resource being assigned
            - name: new-range
              type: keyword
              description: new SELinux range
            - name: obj_gid
              type: keyword
              description: group ID of object
            - name: proto
              type: keyword
              description: network protocol
            - name: old-disk
              type: keyword
              description: disk being removed from vm
            - name: audit_failure
              type: keyword
              description: audit system's failure mode
            - name: inif
              type: keyword
              description: in interface number
            - name: vm
              type: keyword
              description: virtual machine name
            - name: flags
              type: keyword
              description: mmap syscall flags
            - name: nlnk-fam
              type: keyword
              description: netlink protocol number
            - name: old-fs
              type: keyword
              description: file system being removed from vm
            - name: old-ses
              type: keyword
              description: previous ses value
            - name: seqno
              type: keyword
              description: sequence number
            - name: fver
              type: keyword
              description: file system capabilities version number
            - name: qbytes
              type: keyword
              description: ipc object's quantity of bytes
            - name: seuser
              type: keyword
              description: user's SELinux user account
            - name: cap_fe
              type: keyword
              description: file assigned effective capability map
            - name: new-vcpu
              type: keyword
              description: new number of CPU cores
            - name: old-level
              type: keyword
              description: old run level
            - name: old_pp
              type: keyword
              description: old process permitted capability map
            - name: daddr
              type: keyword
              description: remote IP address
            - name: old-role
              type: keyword
              description: present SELinux role
            - name: ioctlcmd
              type: keyword
              description: The request argument to the ioctl syscall
            - name: smac
              type: keyword
              description: local MAC address
            - name: apparmor
              type: keyword
              description: apparmor event information
            - name: fe
              type: keyword
              description: file assigned effective capability map
            - name: perm_mask
              type: keyword
              description: file permission mask that triggered a watch event
            - name: ses
              type: keyword
              description: login session ID
            - name: cap_fi
              type: keyword
              description: file inherited capability map
            - name: obj_uid
              type: keyword
              description: user ID of object
            - name: reason
              type: keyword
              description: text string denoting a reason for the action
            - name: list
              type: keyword
              description: the audit system's filter list number
            - name: old_lock
              type: keyword
              description: present value of feature lock
            - name: bus
              type: keyword
              description: name of subsystem bus a vm resource belongs to
            - name: old_pe
              type: keyword
              description: old process effective capability map
            - name: new-role
              type: keyword
              description: new SELinux role
            - name: prom
              type: keyword
              description: network promiscuity flag
            - name: uri
              type: keyword
              description: URI pointing to a printer
            - name: audit_enabled
              type: keyword
              description: audit system's enable/disable status
            - name: old-log_passwd
              type: keyword
              description: present value for TTY password logging
            - name: old-seuser
              type: keyword
              description: present SELinux user
            - name: per
              type: keyword
              description: linux personality
            - name: scontext
              type: keyword
              description: the subject's context string
            - name: tclass
              type: keyword
              description: target's object classification
            - name: ver
              type: keyword
              description: audit daemon's version number
            - name: new
              type: keyword
              description: value being set in feature
            - name: val
              type: keyword
              description: generic value associated with the operation
            - name: img-ctx
              type: keyword
              description: the vm's disk image context string
            - name: old-chardev
              type: keyword
              description: present character device assigned to vm
            - name: old_val
              type: keyword
              description: current value of SELinux boolean
            - name: success
              type: keyword
              description: whether the syscall was successful or not
            - name: inode_uid
              type: keyword
              description: user ID of the inode's owner
            - name: removed
              type: keyword
              description: number of deleted files
            - name: socket
              type: group
              fields:
                - name: port
                  type: keyword
                  description: The port number.
                - name: saddr
                  type: keyword
                  description: The raw socket address structure.
                - name: addr
                  type: keyword
                  description: The remote address.
                - name: family
                  type: keyword
                  example: unix
                  description: The socket family (unix, ipv4, ipv6, netlink).
                - name: path
                  type: keyword
                  description: This is the path associated with a unix socket.
        - name: messages
          type: text
          description: >
            An ordered list of the raw messages received from the kernel that
            were used to construct this document. This field is present if an error
            occurred processing the data or if `include_raw_message` is set
            in the config.
        - name: warnings
          type: keyword
          description: >
            The warnings generated by the Beat during the construction of the event.
            These are disabled by default and are used for development and debug
            purposes only.

    - name: geoip
      type: group
      description: >
        The geoip fields are defined as a convenience in case you decide to
        enrich the data using a geoip filter in Logstash or Ingest Node.
      fields:
        - name: continent_name
          type: keyword
          description: >
            The name of the continent.
        - name: city_name
          type: keyword
          description: >
            The name of the city.
        - name: region_name
          type: keyword
          description: >
            The name of the region.
        - name: country_iso_code
          type: keyword
          description: >
            Country ISO code.
        - name: location
          type: geo_point
          description: >
            The longitude and latitude.