youtubebeat/vendor/github.com/elastic/beats/winlogbeat/docs/fields.asciidoc

////
This file is generated! See _meta/fields.yml and scripts/generate_field_docs.py
////

[[exported-fields]]
= Exported fields

[partintro]

--
This document describes the fields that are exported by Winlogbeat. They are
grouped in the following categories:

* <<exported-fields-beat>>
* <<exported-fields-cloud>>
* <<exported-fields-common>>
* <<exported-fields-docker-processor>>
* <<exported-fields-eventlog>>
* <<exported-fields-host-processor>>
* <<exported-fields-kubernetes-processor>>

--
[[exported-fields-beat]]
== Beat fields

Contains common beat fields available in all event types.



*`beat.name`*::
+
--
The name of the Beat sending the log messages. If the Beat name is set in the configuration file, then that value is used. If it is not set, the hostname is used. To set the Beat name, use the `name` option in the configuration file.


--

*`beat.hostname`*::
+
--
The hostname as returned by the operating system on which the Beat is running.


--

*`beat.timezone`*::
+
--
The timezone as returned by the operating system on which the Beat is running.


--

*`beat.version`*::
+
--
The version of the beat that generated this event.


--

*`@timestamp`*::
+
--
type: date

example: August 26th 2016, 12:35:53.332

format: date

required: True

The timestamp when the event log record was generated.


--

*`tags`*::
+
--
Arbitrary tags that can be set per Beat and per transaction type.


--

*`fields`*::
+
--
type: object

Contains user configurable fields.


--

[float]
== error fields

Error fields containing additional info in case of errors.



*`error.message`*::
+
--
type: text

Error message.


--

*`error.code`*::
+
--
type: long

Error code.


--

*`error.type`*::
+
--
type: keyword

Error type.


--

[[exported-fields-cloud]]
== Cloud provider metadata fields

Metadata from cloud providers added by the add_cloud_metadata processor.



*`meta.cloud.provider`*::
+
--
example: ec2

Name of the cloud provider. Possible values are ec2, gce, or digitalocean.


--

*`meta.cloud.instance_id`*::
+
--
Instance ID of the host machine.


--

*`meta.cloud.instance_name`*::
+
--
Instance name of the host machine.


--

*`meta.cloud.machine_type`*::
+
--
example: t2.medium

Machine type of the host machine.


--

*`meta.cloud.availability_zone`*::
+
--
example: us-east-1c

Availability zone in which this host is running.


--

*`meta.cloud.project_id`*::
+
--
example: project-x

Name of the project in Google Cloud.


--

*`meta.cloud.region`*::
+
--
Region in which this host is running.


--

[[exported-fields-common]]
== Common Winlogbeat fields

Contains common fields available in all event types.



*`type`*::
+
--
required: True

The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API.
The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs.


--

[[exported-fields-docker-processor]]
== Docker fields

Docker stats collected from Docker.




*`docker.container.id`*::
+
--
type: keyword

Unique container id.


--

*`docker.container.image`*::
+
--
type: keyword

Name of the image the container was built on.


--

*`docker.container.name`*::
+
--
type: keyword

Container name.


--

*`docker.container.labels`*::
+
--
type: object

Image labels.


--

[[exported-fields-eventlog]]
== Event log record fields

Contains data from a Windows event log record.



*`activity_id`*::
+
--
type: keyword

required: False

A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.


--

*`computer_name`*::
+
--
type: keyword

required: True

The name of the computer that generated the record. When using Windows event forwarding, this name can differ from the `beat.hostname`.


--

*`event_data`*::
+
--
type: object

required: False

The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows.


--

*`event_id`*::
+
--
type: long

required: True

The event identifier. The value is specific to the source of the event.


--

*`keywords`*::
+
--
type: keyword

required: False

The keywords are used to classify an event.


--

*`log_name`*::
+
--
type: keyword

required: True

The name of the event log from which this record was read. This value is one of the names from the `event_logs` collection in the configuration.


--

*`level`*::
+
--
type: keyword

required: False

The level of the event. There are five levels of events that can be logged: Success, Information, Warning, Error, Audit Success, and Audit Failure.


--

*`message`*::
+
--
type: text

required: False

The message from the event log record.


--

*`message_error`*::
+
--
type: keyword

required: False

The error that occurred while reading and formatting the message from the log.


--

*`record_number`*::
+
--
type: keyword

required: True

The record number of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0.


--

*`related_activity_id`*::
+
--
type: keyword

required: False

A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier.


--

*`opcode`*::
+
--
type: keyword

required: False

The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.


--

*`provider_guid`*::
+
--
type: keyword

required: False

A globally unique identifier that identifies the provider that logged the event.


--

*`process_id`*::
+
--
type: long

required: False

The process_id identifies the process that generated the event.


--

*`source_name`*::
+
--
type: keyword

required: True

The source of the event log record (the application or service that logged the record).


--

*`task`*::
+
--
type: keyword

required: False

The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.


--

*`thread_id`*::
+
--
type: long

required: False

The thread_id identifies the thread that generated the event.


--

*`user_data`*::
+
--
type: object

required: False

The event specific data. This field is mutually exclusive with `event_data`.


--

*`user.identifier`*::
+
--
type: keyword

example: S-1-5-21-3541430928-2051711210-1391384369-1001

required: False

The Windows security identifier (SID) of the account associated with this event.

If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.


--

*`user.name`*::
+
--
type: keyword

required: False

The name of the account associated with this event.


--

*`user.domain`*::
+
--
type: keyword

required: False

The domain that the account associated with this event is a member of.


--

*`user.type`*::
+
--
type: keyword

required: False

The type of account associated with this event.


--

*`version`*::
+
--
type: long

required: False

The version number of the event's definition.

--

*`xml`*::
+
--
type: text

required: False

The raw XML representation of the event obtained from Windows. This field is only available on operating systems supporting the Windows Event Log API (Microsoft Windows Vista and newer). This field is not included by default and must be enabled by setting `include_xml: true` as a configuration option for an individual event log.

The XML representation of the event is useful for troubleshooting purposes. The data in the fields reported by Winlogbeat can be compared to the data in the XML to diagnose problems.


--

[[exported-fields-host-processor]]
== Host fields

Info collected for the host machine.




*`host.name`*::
+
--
type: keyword

Hostname.


--

*`host.id`*::
+
--
type: keyword

Unique host id.


--

*`host.architecture`*::
+
--
type: keyword

Host architecture (e.g. x86_64, arm, ppc, mips).


--

*`host.os.platform`*::
+
--
type: keyword

OS platform (e.g. centos, ubuntu, windows).


--

*`host.os.version`*::
+
--
type: keyword

OS version.


--

*`host.os.family`*::
+
--
type: keyword

OS family (e.g. redhat, debian, freebsd, windows).


--

*`host.ip`*::
+
--
type: ip

List of IP-addresses.


--

*`host.mac`*::
+
--
type: keyword

List of hardware-addresses, usually MAC-addresses.


--

[[exported-fields-kubernetes-processor]]
== Kubernetes fields

Kubernetes metadata added by the kubernetes processor




*`kubernetes.pod.name`*::
+
--
type: keyword

Kubernetes pod name


--

*`kubernetes.pod.uid`*::
+
--
type: keyword

Kubernetes Pod UID


--

*`kubernetes.namespace`*::
+
--
type: keyword

Kubernetes namespace


--

*`kubernetes.node.name`*::
+
--
type: keyword

Kubernetes node name


--

*`kubernetes.labels`*::
+
--
type: object

Kubernetes labels map


--

*`kubernetes.annotations`*::
+
--
type: object

Kubernetes annotations map


--

*`kubernetes.container.name`*::
+
--
type: keyword

Kubernetes container name


--

*`kubernetes.container.image`*::
+
--
type: keyword

Kubernetes container image


--