youtubebeat/vendor/github.com/elastic/beats/auditbeat/docs/fields.asciidoc


////
This file is generated! See _meta/fields.yml and scripts/generate_field_docs.py
////
[[exported-fields]]
= Exported fields
[partintro]
--
This document describes the fields that are exported by Auditbeat. They are
grouped in the following categories:

* <<exported-fields-auditd>>
* <<exported-fields-beat>>
* <<exported-fields-cloud>>
* <<exported-fields-common>>
* <<exported-fields-docker-processor>>
* <<exported-fields-file_integrity>>
* <<exported-fields-host-processor>>
* <<exported-fields-kubernetes-processor>>
--
[[exported-fields-auditd]]
== Auditd fields
These are the fields generated by the auditd module.
*`event.category`*::
+
--
type: keyword
example: audit-rule
The event's category is a value derived from the `record_type`.
--
*`event.type`*::
+
--
type: keyword
The audit record's type.
--
*`user.auid`*::
+
--
type: keyword
login user ID
--
*`user.uid`*::
+
--
type: keyword
user ID
--
*`user.euid`*::
+
--
type: keyword
effective user ID
--
*`user.fsuid`*::
+
--
type: keyword
file system user ID
--
*`user.suid`*::
+
--
type: keyword
sent user ID
--
*`user.gid`*::
+
--
type: keyword
group ID
--
*`user.egid`*::
+
--
type: keyword
effective group ID
--
*`user.sgid`*::
+
--
type: keyword
set group ID
--
*`user.fsgid`*::
+
--
type: keyword
file system group ID
--
[float]
== name_map fields
If `resolve_ids` is set to true in the configuration then `name_map` will contain a mapping of uid field names to the resolved name (e.g. auid -> root).
*`user.name_map.auid`*::
+
--
type: keyword
login user name
--
*`user.name_map.uid`*::
+
--
type: keyword
user name
--
*`user.name_map.euid`*::
+
--
type: keyword
effective user name
--
*`user.name_map.fsuid`*::
+
--
type: keyword
file system user name
--
*`user.name_map.suid`*::
+
--
type: keyword
sent user name
--
*`user.name_map.gid`*::
+
--
type: keyword
group name
--
*`user.name_map.egid`*::
+
--
type: keyword
effective group name
--
*`user.name_map.sgid`*::
+
--
type: keyword
set group name
--
*`user.name_map.fsgid`*::
+
--
type: keyword
file system group name
--
[float]
== selinux fields
The SELinux identity of the actor.
*`user.selinux.user`*::
+
--
type: keyword
account submitted for authentication
--
*`user.selinux.role`*::
+
--
type: keyword
user's SELinux role
--
*`user.selinux.domain`*::
+
--
type: keyword
The actor's SELinux domain or type.
--
*`user.selinux.level`*::
+
--
type: keyword
example: s0
The actor's SELinux level.
--
*`user.selinux.category`*::
+
--
type: keyword
The actor's SELinux category or compartments.
--
[float]
== process fields
Process attributes.
*`process.pid`*::
+
--
type: keyword
Process ID.
--
*`process.ppid`*::
+
--
type: keyword
Parent process ID.
--
*`process.name`*::
+
--
type: keyword
Process name (comm).
--
*`process.title`*::
+
--
type: keyword
Process title or command line parameters (proctitle).
--
*`process.exe`*::
+
--
type: keyword
Absolute path of the executable.
--
*`process.cwd`*::
+
--
type: keyword
The current working directory.
--
*`process.args`*::
+
--
type: keyword
The process arguments as a list.
--
[float]
== source fields
Source that triggered the event.
*`source.ip`*::
+
--
type: ip
The remote address.
--
*`source.port`*::
+
--
type: keyword
The port number.
--
*`source.hostname`*::
+
--
type: keyword
Hostname of the source.
--
*`source.path`*::
+
--
type: keyword
This is the path associated with a unix socket.
--
[float]
== destination fields
Destination address that triggered the event.
*`destination.ip`*::
+
--
type: ip
The remote address.
--
*`destination.port`*::
+
--
type: keyword
The port number.
--
*`destination.hostname`*::
+
--
type: keyword
Hostname of the destination.
--
*`destination.path`*::
+
--
type: keyword
This is the path associated with a unix socket.
--
*`network.direction`*::
+
--
type: keyword
Direction of the network traffic (`incoming` or `outgoing`).
--
*`auditd.sequence`*::
+
--
type: long
The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can roll over.
--
*`auditd.session`*::
+
--
type: keyword
The session ID assigned to a login. All events related to a login session will have the same value.
--
*`auditd.result`*::
+
--
type: keyword
example: success or fail
The result of the audited operation (success/fail).
--
[float]
== actor fields
The actor is the user that triggered the audit event.
*`auditd.summary.actor.primary`*::
+
--
type: keyword
The primary identity of the actor. This is the actor's original login ID. It will not change even if the user changes to another account.
--
*`auditd.summary.actor.secondary`*::
+
--
type: keyword
The secondary identity of the actor. This is typically the same as the primary, except for when the user has used `su`.
--
[float]
== object fields
This is the thing or object being acted upon in the event.
*`auditd.summary.object.type`*::
+
--
type: keyword
A description of what the "thing" is (e.g. file, socket, user-session).
--
*`auditd.summary.object.primary`*::
+
--
type: keyword
--
*`auditd.summary.object.secondary`*::
+
--
type: keyword
--
*`auditd.summary.how`*::
+
--
type: keyword
This describes how the action was performed. Usually this is the exe or command whose execution triggered the event.
--
[float]
== paths fields
List of paths associated with the event.
*`auditd.paths.inode`*::
+
--
type: keyword
inode number
--
*`auditd.paths.dev`*::
+
--
type: keyword
device name as found in /dev
--
*`auditd.paths.obj_user`*::
+
--
type: keyword
--
*`auditd.paths.obj_role`*::
+
--
type: keyword
--
*`auditd.paths.obj_domain`*::
+
--
type: keyword
--
*`auditd.paths.obj_level`*::
+
--
type: keyword
--
*`auditd.paths.objtype`*::
+
--
type: keyword
--
*`auditd.paths.ouid`*::
+
--
type: keyword
file owner user ID
--
*`auditd.paths.rdev`*::
+
--
type: keyword
the device identifier (special files only)
--
*`auditd.paths.nametype`*::
+
--
type: keyword
kind of file operation being referenced
--
*`auditd.paths.ogid`*::
+
--
type: keyword
file owner group ID
--
*`auditd.paths.item`*::
+
--
type: keyword
which item is being recorded
--
*`auditd.paths.mode`*::
+
--
type: keyword
mode flags on a file
--
*`auditd.paths.name`*::
+
--
type: keyword
file name in avcs
--
[float]
== data fields
The data from the audit messages.
*`auditd.data.action`*::
+
--
type: keyword
netfilter packet disposition
--
*`auditd.data.minor`*::
+
--
type: keyword
device minor number
--
*`auditd.data.acct`*::
+
--
type: keyword
a user's account name
--
*`auditd.data.addr`*::
+
--
type: keyword
the remote address that the user is connecting from
--
*`auditd.data.cipher`*::
+
--
type: keyword
name of crypto cipher selected
--
*`auditd.data.id`*::
+
--
type: keyword
during account changes
--
*`auditd.data.entries`*::
+
--
type: keyword
number of entries in the netfilter table
--
*`auditd.data.kind`*::
+
--
type: keyword
server or client in crypto operation
--
*`auditd.data.ksize`*::
+
--
type: keyword
key size for crypto operation
--
*`auditd.data.spid`*::
+
--
type: keyword
sent process ID
--
*`auditd.data.arch`*::
+
--
type: keyword
the elf architecture flags
--
*`auditd.data.argc`*::
+
--
type: keyword
the number of arguments to an execve syscall
--
*`auditd.data.major`*::
+
--
type: keyword
device major number
--
*`auditd.data.unit`*::
+
--
type: keyword
systemd unit
--
*`auditd.data.table`*::
+
--
type: keyword
netfilter table name
--
*`auditd.data.terminal`*::
+
--
type: keyword
terminal name the user is running programs on
--
*`auditd.data.grantors`*::
+
--
type: keyword
PAM modules approving the action
--
*`auditd.data.direction`*::
+
--
type: keyword
direction of crypto operation
--
*`auditd.data.op`*::
+
--
type: keyword
the operation being performed that is audited
--
*`auditd.data.tty`*::
+
--
type: keyword
tty device the user is running programs on
--
*`auditd.data.syscall`*::
+
--
type: keyword
syscall number in effect when the event occurred
--
*`auditd.data.data`*::
+
--
type: keyword
TTY text
--
*`auditd.data.family`*::
+
--
type: keyword
netfilter protocol
--
*`auditd.data.mac`*::
+
--
type: keyword
crypto MAC algorithm selected
--
*`auditd.data.pfs`*::
+
--
type: keyword
perfect forward secrecy method
--
*`auditd.data.items`*::
+
--
type: keyword
the number of path records in the event
--
*`auditd.data.a0`*::
+
--
type: keyword
--
*`auditd.data.a1`*::
+
--
type: keyword
--
*`auditd.data.a2`*::
+
--
type: keyword
--
*`auditd.data.a3`*::
+
--
type: keyword
--
*`auditd.data.hostname`*::
+
--
type: keyword
the hostname that the user is connecting from
--
*`auditd.data.lport`*::
+
--
type: keyword
local network port
--
*`auditd.data.rport`*::
+
--
type: keyword
remote port number
--
*`auditd.data.exit`*::
+
--
type: keyword
syscall exit code
--
*`auditd.data.fp`*::
+
--
type: keyword
crypto key fingerprint
--
*`auditd.data.laddr`*::
+
--
type: keyword
local network address
--
*`auditd.data.sport`*::
+
--
type: keyword
local port number
--
*`auditd.data.capability`*::
+
--
type: keyword
posix capabilities
--
*`auditd.data.nargs`*::
+
--
type: keyword
the number of arguments to a socket call
--
*`auditd.data.new-enabled`*::
+
--
type: keyword
new TTY audit enabled setting
--
*`auditd.data.audit_backlog_limit`*::
+
--
type: keyword
audit system's backlog queue size
--
*`auditd.data.dir`*::
+
--
type: keyword
directory name
--
*`auditd.data.cap_pe`*::
+
--
type: keyword
process effective capability map
--
*`auditd.data.model`*::
+
--
type: keyword
security model being used for virt
--
*`auditd.data.new_pp`*::
+
--
type: keyword
new process permitted capability map
--
*`auditd.data.old-enabled`*::
+
--
type: keyword
present TTY audit enabled setting
--
*`auditd.data.oauid`*::
+
--
type: keyword
object's login user ID
--
*`auditd.data.old`*::
+
--
type: keyword
old value
--
*`auditd.data.banners`*::
+
--
type: keyword
banners used on printed page
--
*`auditd.data.feature`*::
+
--
type: keyword
kernel feature being changed
--
*`auditd.data.vm-ctx`*::
+
--
type: keyword
the vm's context string
--
*`auditd.data.opid`*::
+
--
type: keyword
object's process ID
--
*`auditd.data.seperms`*::
+
--
type: keyword
SELinux permissions being used
--
*`auditd.data.seresult`*::
+
--
type: keyword
SELinux AVC decision granted/denied
--
*`auditd.data.new-rng`*::
+
--
type: keyword
device name of rng being added from a vm
--
*`auditd.data.old-net`*::
+
--
type: keyword
present MAC address assigned to vm
--
*`auditd.data.sigev_signo`*::
+
--
type: keyword
signal number
--
*`auditd.data.ino`*::
+
--
type: keyword
inode number
--
*`auditd.data.old_enforcing`*::
+
--
type: keyword
old MAC enforcement status
--
*`auditd.data.old-vcpu`*::
+
--
type: keyword
present number of CPU cores
--
*`auditd.data.range`*::
+
--
type: keyword
user's SELinux range
--
*`auditd.data.res`*::
+
--
type: keyword
result of the audited operation (success/fail)
--
*`auditd.data.added`*::
+
--
type: keyword
number of new files detected
--
*`auditd.data.fam`*::
+
--
type: keyword
socket address family
--
*`auditd.data.nlnk-pid`*::
+
--
type: keyword
pid of netlink packet sender
--
*`auditd.data.subj`*::
+
--
type: keyword
lspp subject's context string
--
*`auditd.data.a[0-3]`*::
+
--
type: keyword
the arguments to a syscall
--
*`auditd.data.cgroup`*::
+
--
type: keyword
path to cgroup in sysfs
--
*`auditd.data.kernel`*::
+
--
type: keyword
kernel's version number
--
*`auditd.data.ocomm`*::
+
--
type: keyword
object's command line name
--
*`auditd.data.new-net`*::
+
--
type: keyword
MAC address being assigned to vm
--
*`auditd.data.permissive`*::
+
--
type: keyword
SELinux is in permissive mode
--
*`auditd.data.class`*::
+
--
type: keyword
resource class assigned to vm
--
*`auditd.data.compat`*::
+
--
type: keyword
is_compat_task result
--
*`auditd.data.fi`*::
+
--
type: keyword
file assigned inherited capability map
--
*`auditd.data.changed`*::
+
--
type: keyword
number of changed files
--
*`auditd.data.msg`*::
+
--
type: keyword
the payload of the audit record
--
*`auditd.data.dport`*::
+
--
type: keyword
remote port number
--
*`auditd.data.new-seuser`*::
+
--
type: keyword
new SELinux user
--
*`auditd.data.invalid_context`*::
+
--
type: keyword
SELinux context
--
*`auditd.data.dmac`*::
+
--
type: keyword
remote MAC address
--
*`auditd.data.ipx-net`*::
+
--
type: keyword
IPX network number
--
*`auditd.data.iuid`*::
+
--
type: keyword
ipc object's user ID
--
*`auditd.data.macproto`*::
+
--
type: keyword
Ethernet packet type ID field
--
*`auditd.data.obj`*::
+
--
type: keyword
lspp object context string
--
*`auditd.data.ipid`*::
+
--
type: keyword
IP datagram fragment identifier
--
*`auditd.data.new-fs`*::
+
--
type: keyword
file system being added to vm
--
*`auditd.data.vm-pid`*::
+
--
type: keyword
vm's process ID
--
*`auditd.data.cap_pi`*::
+
--
type: keyword
process inherited capability map
--
*`auditd.data.old-auid`*::
+
--
type: keyword
previous auid value
--
*`auditd.data.oses`*::
+
--
type: keyword
object's session ID
--
*`auditd.data.fd`*::
+
--
type: keyword
file descriptor number
--
*`auditd.data.igid`*::
+
--
type: keyword
ipc object's group ID
--
*`auditd.data.new-disk`*::
+
--
type: keyword
disk being added to vm
--
*`auditd.data.parent`*::
+
--
type: keyword
the inode number of the parent file
--
*`auditd.data.len`*::
+
--
type: keyword
length
--
*`auditd.data.oflag`*::
+
--
type: keyword
open syscall flags
--
*`auditd.data.uuid`*::
+
--
type: keyword
a UUID
--
*`auditd.data.code`*::
+
--
type: keyword
seccomp action code
--
*`auditd.data.nlnk-grp`*::
+
--
type: keyword
netlink group number
--
*`auditd.data.cap_fp`*::
+
--
type: keyword
file permitted capability map
--
*`auditd.data.new-mem`*::
+
--
type: keyword
new amount of memory in KB
--
*`auditd.data.seperm`*::
+
--
type: keyword
SELinux permission being decided on
--
*`auditd.data.enforcing`*::
+
--
type: keyword
new MAC enforcement status
--
*`auditd.data.new-chardev`*::
+
--
type: keyword
new character device being assigned to vm
--
*`auditd.data.old-rng`*::
+
--
type: keyword
device name of rng being removed from a vm
--
*`auditd.data.outif`*::
+
--
type: keyword
out interface number
--
*`auditd.data.cmd`*::
+
--
type: keyword
command being executed
--
*`auditd.data.hook`*::
+
--
type: keyword
netfilter hook that packet came from
--
*`auditd.data.new-level`*::
+
--
type: keyword
new run level
--
*`auditd.data.sauid`*::
+
--
type: keyword
sent login user ID
--
*`auditd.data.sig`*::
+
--
type: keyword
signal number
--
*`auditd.data.audit_backlog_wait_time`*::
+
--
type: keyword
audit system's backlog wait time
--
*`auditd.data.printer`*::
+
--
type: keyword
printer name
--
*`auditd.data.old-mem`*::
+
--
type: keyword
present amount of memory in KB
--
*`auditd.data.perm`*::
+
--
type: keyword
the file permission being used
--
*`auditd.data.old_pi`*::
+
--
type: keyword
old process inherited capability map
--
*`auditd.data.state`*::
+
--
type: keyword
audit daemon configuration resulting state
--
*`auditd.data.format`*::
+
--
type: keyword
audit log's format
--
*`auditd.data.new_gid`*::
+
--
type: keyword
new group ID being assigned
--
*`auditd.data.tcontext`*::
+
--
type: keyword
the target's or object's context string
--
*`auditd.data.maj`*::
+
--
type: keyword
device major number
--
*`auditd.data.watch`*::
+
--
type: keyword
file name in a watch record
--
*`auditd.data.device`*::
+
--
type: keyword
device name
--
*`auditd.data.grp`*::
+
--
type: keyword
group name
--
*`auditd.data.bool`*::
+
--
type: keyword
name of SELinux boolean
--
*`auditd.data.icmp_type`*::
+
--
type: keyword
type of icmp message
--
*`auditd.data.new_lock`*::
+
--
type: keyword
new value of feature lock
--
*`auditd.data.old_prom`*::
+
--
type: keyword
network promiscuity flag
--
*`auditd.data.acl`*::
+
--
type: keyword
access mode of resource assigned to vm
--
*`auditd.data.ip`*::
+
--
type: keyword
network address of a printer
--
*`auditd.data.new_pi`*::
+
--
type: keyword
new process inherited capability map
--
*`auditd.data.default-context`*::
+
--
type: keyword
default MAC context
--
*`auditd.data.inode_gid`*::
+
--
type: keyword
group ID of the inode's owner
--
*`auditd.data.new-log_passwd`*::
+
--
type: keyword
new value for TTY password logging
--
*`auditd.data.new_pe`*::
+
--
type: keyword
new process effective capability map
--
*`auditd.data.selected-context`*::
+
--
type: keyword
new MAC context assigned to session
--
*`auditd.data.cap_fver`*::
+
--
type: keyword
file system capabilities version number
--
*`auditd.data.file`*::
+
--
type: keyword
file name
--
*`auditd.data.net`*::
+
--
type: keyword
network MAC address
--
*`auditd.data.virt`*::
+
--
type: keyword
kind of virtualization being referenced
--
*`auditd.data.cap_pp`*::
+
--
type: keyword
process permitted capability map
--
*`auditd.data.old-range`*::
+
--
type: keyword
present SELinux range
--
*`auditd.data.resrc`*::
+
--
type: keyword
resource being assigned
--
*`auditd.data.new-range`*::
+
--
type: keyword
new SELinux range
--
*`auditd.data.obj_gid`*::
+
--
type: keyword
group ID of object
--
*`auditd.data.proto`*::
+
--
type: keyword
network protocol
--
*`auditd.data.old-disk`*::
+
--
type: keyword
disk being removed from vm
--
*`auditd.data.audit_failure`*::
+
--
type: keyword
audit system's failure mode
--
*`auditd.data.inif`*::
+
--
type: keyword
in interface number
--
*`auditd.data.vm`*::
+
--
type: keyword
virtual machine name
--
*`auditd.data.flags`*::
+
--
type: keyword
mmap syscall flags
--
*`auditd.data.nlnk-fam`*::
+
--
type: keyword
netlink protocol number
--
*`auditd.data.old-fs`*::
+
--
type: keyword
file system being removed from vm
--
*`auditd.data.old-ses`*::
+
--
type: keyword
previous ses value
--
*`auditd.data.seqno`*::
+
--
type: keyword
sequence number
--
*`auditd.data.fver`*::
+
--
type: keyword
file system capabilities version number
--
*`auditd.data.qbytes`*::
+
--
type: keyword
ipc object's quantity of bytes
--
*`auditd.data.seuser`*::
+
--
type: keyword
user's SELinux user account
--
*`auditd.data.cap_fe`*::
+
--
type: keyword
file assigned effective capability map
--
*`auditd.data.new-vcpu`*::
+
--
type: keyword
new number of CPU cores
--
*`auditd.data.old-level`*::
+
--
type: keyword
old run level
--
*`auditd.data.old_pp`*::
+
--
type: keyword
old process permitted capability map
--
*`auditd.data.daddr`*::
+
--
type: keyword
remote IP address
--
*`auditd.data.old-role`*::
+
--
type: keyword
present SELinux role
--
*`auditd.data.ioctlcmd`*::
+
--
type: keyword
The request argument to the ioctl syscall
--
*`auditd.data.smac`*::
+
--
type: keyword
local MAC address
--
*`auditd.data.apparmor`*::
+
--
type: keyword
AppArmor event information
--
*`auditd.data.fe`*::
+
--
type: keyword
file assigned effective capability map
--
*`auditd.data.perm_mask`*::
+
--
type: keyword
file permission mask that triggered a watch event
--
*`auditd.data.ses`*::
+
--
type: keyword
login session ID
--
*`auditd.data.cap_fi`*::
+
--
type: keyword
file inherited capability map
--
*`auditd.data.obj_uid`*::
+
--
type: keyword
user ID of object
--
*`auditd.data.reason`*::
+
--
type: keyword
text string denoting a reason for the action
--
*`auditd.data.list`*::
+
--
type: keyword
the audit system's filter list number
--
*`auditd.data.old_lock`*::
+
--
type: keyword
present value of feature lock
--
*`auditd.data.bus`*::
+
--
type: keyword
name of subsystem bus a vm resource belongs to
--
*`auditd.data.old_pe`*::
+
--
type: keyword
old process effective capability map
--
*`auditd.data.new-role`*::
+
--
type: keyword
new SELinux role
--
*`auditd.data.prom`*::
+
--
type: keyword
network promiscuity flag
--
*`auditd.data.uri`*::
+
--
type: keyword
URI pointing to a printer
--
*`auditd.data.audit_enabled`*::
+
--
type: keyword
audit system's enable/disable status
--
*`auditd.data.old-log_passwd`*::
+
--
type: keyword
present value for TTY password logging
--
*`auditd.data.old-seuser`*::
+
--
type: keyword
present SELinux user
--
*`auditd.data.per`*::
+
--
type: keyword
Linux personality
--
*`auditd.data.scontext`*::
+
--
type: keyword
the subject's context string
--
*`auditd.data.tclass`*::
+
--
type: keyword
target's object classification
--
*`auditd.data.ver`*::
+
--
type: keyword
audit daemon's version number
--
*`auditd.data.new`*::
+
--
type: keyword
value being set in feature
--
*`auditd.data.val`*::
+
--
type: keyword
generic value associated with the operation
--
*`auditd.data.img-ctx`*::
+
--
type: keyword
the vm's disk image context string
--
*`auditd.data.old-chardev`*::
+
--
type: keyword
present character device assigned to vm
--
*`auditd.data.old_val`*::
+
--
type: keyword
current value of SELinux boolean
--
*`auditd.data.success`*::
+
--
type: keyword
whether the syscall was successful or not
--
*`auditd.data.inode_uid`*::
+
--
type: keyword
user ID of the inode's owner
--
*`auditd.data.removed`*::
+
--
type: keyword
number of deleted files
--
*`auditd.data.socket.port`*::
+
--
type: keyword
The port number.
--
*`auditd.data.socket.saddr`*::
+
--
type: keyword
The raw socket address structure.
--
*`auditd.data.socket.addr`*::
+
--
type: keyword
The remote address.
--
*`auditd.data.socket.family`*::
+
--
type: keyword
example: unix
The socket family (unix, ipv4, ipv6, netlink).
--
*`auditd.data.socket.path`*::
+
--
type: keyword
This is the path associated with a unix socket.
--
*`auditd.messages`*::
+
--
type: text
An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if `include_raw_message` is set in the config.
--
*`auditd.warnings`*::
+
--
type: keyword
The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.
--
[float]
== geoip fields
The geoip fields are defined as a convenience in case you decide to enrich the data using a geoip filter in Logstash or Ingest Node.
*`geoip.continent_name`*::
+
--
type: keyword
The name of the continent.
--
*`geoip.city_name`*::
+
--
type: keyword
The name of the city.
--
*`geoip.region_name`*::
+
--
type: keyword
The name of the region.
--
*`geoip.country_iso_code`*::
+
--
type: keyword
Country ISO code.
--
*`geoip.location`*::
+
--
type: geo_point
The longitude and latitude.
--
[[exported-fields-beat]]
== Beat fields
Contains common beat fields available in all event types.
*`beat.name`*::
+
--
The name of the Beat sending the log messages. If the Beat name is set in the configuration file, then that value is used. If it is not set, the hostname is used. To set the Beat name, use the `name` option in the configuration file.
--
*`beat.hostname`*::
+
--
The hostname as returned by the operating system on which the Beat is running.
--
*`beat.timezone`*::
+
--
The timezone as returned by the operating system on which the Beat is running.
--
*`beat.version`*::
+
--
The version of the beat that generated this event.
--
*`@timestamp`*::
+
--
type: date
example: August 26th 2016, 12:35:53.332
format: date
required: True
The timestamp when the event log record was generated.
--
*`tags`*::
+
--
Arbitrary tags that can be set per Beat and per transaction type.
--
*`fields`*::
+
--
type: object
Contains user configurable fields.
--
[float]
== error fields
Error fields containing additional info in case of errors.
*`error.message`*::
+
--
type: text
Error message.
--
*`error.code`*::
+
--
type: long
Error code.
--
*`error.type`*::
+
--
type: keyword
Error type.
--
[[exported-fields-cloud]]
== Cloud provider metadata fields
Metadata from cloud providers added by the add_cloud_metadata processor.
*`meta.cloud.provider`*::
+
--
example: ec2
Name of the cloud provider. Possible values are ec2, gce, or digitalocean.
--
*`meta.cloud.instance_id`*::
+
--
Instance ID of the host machine.
--
*`meta.cloud.instance_name`*::
+
--
Instance name of the host machine.
--
*`meta.cloud.machine_type`*::
+
--
example: t2.medium
Machine type of the host machine.
--
*`meta.cloud.availability_zone`*::
+
--
example: us-east-1c
Availability zone in which this host is running.
--
*`meta.cloud.project_id`*::
+
--
example: project-x
Name of the project in Google Cloud.
--
*`meta.cloud.region`*::
+
--
Region in which this host is running.
--
[[exported-fields-common]]
== Common fields
Contains common fields available in all event types.
*`event.module`*::
+
--
The name of the module that generated the event.
--
*`event.action`*::
+
--
type: keyword
example: logged-in
Action describes the change that triggered the event.
For the file integrity module the possible values are: attributes_modified, created, deleted, updated, moved, and config_change.
--
[float]
== file fields
File attributes.
*`file.path`*::
+
--
type: text
The path to the file.
*`file.path.raw`*::
+
--
type: keyword
The path to the file. This is a non-analyzed field that is useful for aggregations.
--
--
*`file.target_path`*::
+
--
type: keyword
The target path for symlinks.
--
*`file.type`*::
+
--
type: keyword
The file type (file, dir, or symlink).
--
*`file.device`*::
+
--
type: keyword
The device.
--
*`file.inode`*::
+
--
type: keyword
The inode representing the file in the filesystem.
--
*`file.uid`*::
+
--
type: keyword
The user ID (UID) or security identifier (SID) of the file owner.
--
*`file.owner`*::
+
--
type: keyword
The file owner's username.
--
*`file.gid`*::
+
--
type: keyword
The primary group ID (GID) of the file.
--
*`file.group`*::
+
--
type: keyword
The primary group name of the file.
--
*`file.mode`*::
+
--
type: keyword
example: 416
The mode of the file in octal representation.
--
*`file.setuid`*::
+
--
type: boolean
example: True
Set if the file has the `setuid` bit set. Omitted otherwise.
--
*`file.setgid`*::
+
--
type: boolean
example: True
Set if the file has the `setgid` bit set. Omitted otherwise.
--
*`file.size`*::
+
--
type: long
The file size in bytes (field is only added when `type` is `file`).
--
*`file.mtime`*::
+
--
type: date
The last modified time of the file (time when content was modified).
--
*`file.ctime`*::
+
--
type: date
The last change time of the file (time when metadata was changed).
--
*`file.origin`*::
+
--
type: text
An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.
*`file.origin.raw`*::
+
--
type: keyword
This is a non-analyzed field that is useful for aggregations on the origin data.
--
--
[float]
== selinux fields
The SELinux identity of the file.
*`file.selinux.user`*::
+
--
type: keyword
The owner of the object.
--
*`file.selinux.role`*::
+
--
type: keyword
The object's SELinux role.
--
*`file.selinux.domain`*::
+
--
type: keyword
The object's SELinux domain or type.
--
*`file.selinux.level`*::
+
--
type: keyword
example: s0
The object's SELinux level.
--
[[exported-fields-docker-processor]]
== Docker fields
Docker stats collected from Docker.
*`docker.container.id`*::
+
--
type: keyword
Unique container id.
--
*`docker.container.image`*::
+
--
type: keyword
Name of the image the container was built on.
--
*`docker.container.name`*::
+
--
type: keyword
Container name.
--
*`docker.container.labels`*::
+
--
type: object
Image labels.
--
[[exported-fields-file_integrity]]
== File Integrity fields
These are the fields generated by the file_integrity module.
[float]
== hash fields
Hashes of the file. The keys are algorithm names and the values are the hex encoded digest values.
*`hash.blake2b_256`*::
+
--
type: keyword
BLAKE2b-256 hash of the file.
--
*`hash.blake2b_384`*::
+
--
type: keyword
BLAKE2b-384 hash of the file.
--
*`hash.blake2b_512`*::
+
--
type: keyword
BLAKE2b-512 hash of the file.
--
*`hash.md5`*::
+
--
type: keyword
MD5 hash of the file.
--
*`hash.sha1`*::
+
--
type: keyword
SHA1 hash of the file.
--
*`hash.sha224`*::
+
--
type: keyword
SHA224 hash of the file.
--
*`hash.sha256`*::
+
--
type: keyword
SHA256 hash of the file.
--
*`hash.sha384`*::
+
--
type: keyword
SHA384 hash of the file.
--
*`hash.sha3_224`*::
+
--
type: keyword
SHA3_224 hash of the file.
--
*`hash.sha3_256`*::
+
--
type: keyword
SHA3_256 hash of the file.
--
*`hash.sha3_384`*::
+
--
type: keyword
SHA3_384 hash of the file.
--
*`hash.sha3_512`*::
+
--
type: keyword
SHA3_512 hash of the file.
--
*`hash.sha512`*::
+
--
type: keyword
SHA512 hash of the file.
--
*`hash.sha512_224`*::
+
--
type: keyword
SHA512/224 hash of the file.
--
*`hash.sha512_256`*::
+
--
type: keyword
SHA512/256 hash of the file.
--
*`hash.xxh64`*::
+
--
type: keyword
XXH64 hash of the file.
--
[[exported-fields-host-processor]]
== Host fields
Info collected for the host machine.
*`host.name`*::
+
--
type: keyword
Hostname.
--
*`host.id`*::
+
--
type: keyword
Unique host id.
--
*`host.architecture`*::
+
--
type: keyword
Host architecture (e.g. x86_64, arm, ppc, mips).
--
*`host.os.platform`*::
+
--
type: keyword
OS platform (e.g. centos, ubuntu, windows).
--
*`host.os.version`*::
+
--
type: keyword
OS version.
--
*`host.os.family`*::
+
--
type: keyword
OS family (e.g. redhat, debian, freebsd, windows).
--
*`host.ip`*::
+
--
type: ip
List of IP addresses.
--
*`host.mac`*::
+
--
type: keyword
List of hardware addresses, usually MAC addresses.
--
[[exported-fields-kubernetes-processor]]
== Kubernetes fields
Kubernetes metadata added by the kubernetes processor.
*`kubernetes.pod.name`*::
+
--
type: keyword
Kubernetes pod name
--
*`kubernetes.pod.uid`*::
+
--
type: keyword
Kubernetes Pod UID
--
*`kubernetes.namespace`*::
+
--
type: keyword
Kubernetes namespace
--
*`kubernetes.node.name`*::
+
--
type: keyword
Kubernetes node name
--
*`kubernetes.labels`*::
+
--
type: object
Kubernetes labels map
--
*`kubernetes.annotations`*::
+
--
type: object
Kubernetes annotations map
--
*`kubernetes.container.name`*::
+
--
type: keyword
Kubernetes container name
--
*`kubernetes.container.image`*::
+
--
type: keyword
Kubernetes container image
--