358 lines
9 KiB
YAML
- key: log
  title: Log file content
  description: >
    Contains log file lines.
  fields:
    - name: source
      type: keyword
      required: true
      description: >
        The file from which the line was read. This field contains the absolute path to the file.
        For example: `/var/log/system.log`.

    - name: offset
      type: long
      required: false
      description: >
        The file offset the reported line starts at.

    - name: message
      type: text
      ignore_above: 0
      required: true
      description: >
        The content of the line read from the log file.

    - name: stream
      type: keyword
      required: false
      description: >
        Log stream when reading container logs; can be 'stdout' or 'stderr'.

    - name: prospector.type
      required: true
      deprecated: 6.3
      description: >
        The input type from which the event was generated. This field is set to the value specified
        for the `type` option in the input section of the Filebeat config file. (DEPRECATED: see `input.type`)

    - name: input.type
      required: true
      description: >
        The input type from which the event was generated. This field is set to the value specified
        for the `type` option in the input section of the Filebeat config file.

    - name: read_timestamp
      description: >
        In case the ingest pipeline parses the timestamp from the log contents, it stores
        the original `@timestamp` (representing the time when the log line was read) in this
        field.

    - name: fileset.module
      description: >
        The Filebeat module that generated this event.

    - name: fileset.name
      description: >
        The Filebeat fileset that generated this event.

    - name: syslog.facility
      type: long
      required: false
      description: >
        The facility extracted from the priority.

    - name: syslog.priority
      type: long
      required: false
      description: >
        The priority of the syslog event.

    - name: syslog.severity_label
      type: keyword
      required: false
      description: >
        The human-readable severity.

    - name: syslog.facility_label
      type: keyword
      required: false
      description: >
        The human-readable facility.

    - name: process.program
      type: keyword
      required: false
      description: >
        The name of the program.

    - name: process.pid
      type: long
      required: false
      description: >
        The pid of the process.

    - name: event.severity
      type: long
      required: false
      description: >
        The severity of the event.

    - name: service.name
      type: keyword
      description: >
        Service name.

    - name: log.level
      type: keyword
      description: >
        Logging level.

    - name: log.flags
      description: >
        This field contains the flags of the event.

    - name: event.created
      type: date
      description: >
        event.created contains the date on which the event was created. In case of
        log events this is when the log line was read by Filebeat. In comparison,
        @timestamp is the processed timestamp from the log line. If both are identical,
        only @timestamp should be used.

    - name: event.type
      type: keyword
      description: >
        A type given to this kind of event which can be used for grouping.

    - name: http.response.status_code
      type: long
      description: >
        HTTP response status_code.
      example: 404

    - name: http.response.elapsed_time
      type: long
      description: >
        Elapsed time between request and response in milliseconds.

    - name: http.response.content_length
      type: long
      description: >
        Content length of the HTTP response body.

    - name: http.request.method
      type: keyword
      description: >
        Request method.

    - name: source_ecs
      type: group
      fields:
        - name: ip
          type: ip
          description: >
            IP address of the source.

            Can be one or multiple IPv4 or IPv6 addresses.

        - name: port
          type: long
          description: >
            Port of the source.

        - name: geo
          type: group
          description: >
            Geolocation for source.
          fields:
            - name: continent_name
              type: keyword
              description: >
                Name of the continent.

            - name: country_iso_code
              type: keyword
              description: >
                Country ISO code.

            - name: location
              type: geo_point
              description: >
                Longitude and latitude.

            - name: region_name
              type: keyword
              description: >
                Region name.

            - name: city_name
              type: keyword
              description: >
                City name.

            - name: region_iso_code
              type: keyword
              description: >
                Region ISO code.

    - name: destination
      type: group
      fields:
        - name: ip
          type: ip
          description: >
            IP address of the destination.

            Can be one or multiple IPv4 or IPv6 addresses.

        - name: port
          type: long
          description: >
            Port of the destination.

        - name: geo
          type: group
          description: >
            Geolocation for destination.
          fields:
            - name: continent_name
              type: keyword
              description: >
                Name of the continent.

            - name: country_iso_code
              type: keyword
              description: >
                Country ISO code.

            - name: location
              type: geo_point
              description: >
                Longitude and latitude.

            - name: region_name
              type: keyword
              description: >
                Region name.

            - name: city_name
              type: keyword
              description: >
                City name.

            - name: region_iso_code
              type: keyword
              description: >
                Region ISO code.

    - name: user_agent
      title: User agent
      description: >
        The user_agent fields normally come from a browser request. They often
        show up in web service logs coming from the parsed user agent string.
      type: group
      fields:
        - name: original
          level: extended
          type: keyword
          description: >
            Unparsed version of the user_agent.

        - name: device
          level: extended
          type: keyword
          description: >
            Name of the physical device.

        - name: version
          level: extended
          type: keyword
          description: >
            Version of the physical device.

        - name: major
          level: extended
          type: long
          description: >
            Major version of the user agent.

        - name: minor
          level: extended
          type: long
          description: >
            Minor version of the user agent.

        - name: patch
          level: extended
          type: keyword
          description: >
            Patch version of the user agent.

        - name: name
          level: extended
          type: keyword
          example: Chrome
          description: >
            Name of the user agent.

        - name: os.name
          level: extended
          type: keyword
          description: >
            Name of the operating system.

        - name: os.full_name
          level: extended
          type: keyword
          description: >
            Full name of the operating system (includes version).

        - name: os.version
          level: extended
          type: keyword
          description: >
            Version of the operating system.

        - name: os.major
          level: extended
          type: long
          description: >
            Major version of the operating system.

        - name: os.minor
          level: extended
          type: long
          description: >
            Minor version of the operating system.

    - name: url
      description: >
        URL fields provide a complete URL, with scheme, host, and path. The URL
        object can be reused in other prefixes, such as `host.url.*` for
        example. Keep the structure consistent whenever you use URL fields.
      type: group
      fields:
        - name: hostname
          type: keyword
          description: >
            Hostname of the request, such as "elastic.co".
            In some cases a URL may refer to an IP and/or port directly, without a
            domain name. In this case, the IP address would go to the `hostname` field.

    - name: file
      description: >
        File fields provide details about each file.
      type: group
      fields:
        - name: path
          level: extended
          type: keyword
          description: Path to the file.

        - name: size
          type: long
          description: >
            File size in bytes (field is only added when `type` is `file`).
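As an added example that is not part of the fields.yml above nor Filebeat's own code, the following Python shows how a pipeline would populate the `syslog.*` fields this fieldset declares from a raw syslog PRI value, and how it would apply the `event.created` versus `@timestamp` rule from the `event.created` description. The label strings are the RFC 5424 facility and severity names and the sample line is constructed; the page supplies neither.

```python
from datetime import datetime, timezone
from typing import Optional

# RFC 5424 names (assumption: the fieldset does not list its own label strings).
SEVERITY_LABELS = ["Emergency", "Alert", "Critical", "Error",
                   "Warning", "Notice", "Informational", "Debug"]
FACILITY_LABELS = ["kernel", "user-level", "mail", "system", "security/authorization",
                   "syslogd", "line printer", "network news", "UUCP", "clock",
                   "security/authorization", "FTP", "NTP", "log audit", "log alert",
                   "clock", "local0", "local1", "local2", "local3", "local4",
                   "local5", "local6", "local7"]

# Constructed sample input: one RFC 5424-style line and the time Filebeat read it.
SAMPLE_LINE = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick"
READ_TIME = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def syslog_fields(pri: int) -> dict:
    """Split a syslog PRI (0..191) into the syslog.* fields of the log fieldset."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = pri >> 3, pri & 0b111   # PRI = facility * 8 + severity
    return {
        "syslog.priority": pri,
        "syslog.facility": facility,
        "syslog.facility_label": FACILITY_LABELS[facility],
        "syslog.severity_label": SEVERITY_LABELS[severity],
    }


def timestamp_fields(read_time: datetime, parsed_time: Optional[datetime]) -> dict:
    """@timestamp is the time parsed from the line when available, else the read time.
    event.created (the read time) is emitted only when it differs from @timestamp."""
    ts = parsed_time or read_time
    fields = {"@timestamp": ts.isoformat()}
    if ts != read_time:
        fields["event.created"] = read_time.isoformat()
    return fields


def build_event(line: str, read_time: datetime, parsed_time: Optional[datetime] = None) -> dict:
    """Build a flat log event for a line of the form '<PRI>message'."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("line has no PRI prefix")
    pri_text, message = line[1:].split(">", 1)
    event = {"message": message, "input.type": "log"}
    event.update(syslog_fields(int(pri_text)))   # int() rejects a non-numeric PRI
    event.update(timestamp_fields(read_time, parsed_time))
    return event


def example_event() -> dict:
    """Run the sample line through build_event without a parsed timestamp."""
    return build_event(SAMPLE_LINE, READ_TIME)
```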