youtubebeat/vendor/github.com/elastic/beats/auditbeat/docs/fields.asciidoc

3379 lines
30 KiB
Text

////
This file is generated! See _meta/fields.yml and scripts/generate_field_docs.py
////
[[exported-fields]]
= Exported fields
[partintro]
--
This document describes the fields that are exported by Auditbeat. They are
grouped in the following categories:
* <<exported-fields-auditd>>
* <<exported-fields-beat>>
* <<exported-fields-cloud>>
* <<exported-fields-common>>
* <<exported-fields-docker-processor>>
* <<exported-fields-file_integrity>>
* <<exported-fields-host-processor>>
* <<exported-fields-kubernetes-processor>>
--
[[exported-fields-auditd]]
== Auditd fields
These are the fields generated by the auditd module.
*`event.category`*::
+
--
type: keyword
example: audit-rule
The event's category is a value derived from the `record_type`.
--
*`event.type`*::
+
--
type: keyword
The audit record's type.
--
*`user.auid`*::
+
--
type: keyword
login user ID
--
*`user.uid`*::
+
--
type: keyword
user ID
--
*`user.euid`*::
+
--
type: keyword
effective user ID
--
*`user.fsuid`*::
+
--
type: keyword
file system user ID
--
*`user.suid`*::
+
--
type: keyword
sent user ID
--
*`user.gid`*::
+
--
type: keyword
group ID
--
*`user.egid`*::
+
--
type: keyword
effective group ID
--
*`user.sgid`*::
+
--
type: keyword
set group ID
--
*`user.fsgid`*::
+
--
type: keyword
file system group ID
--
[float]
== name_map fields
If `resolve_ids` is set to true in the configuration then `name_map` will contain a mapping of uid field names to the resolved name (e.g. auid -> root).
*`user.name_map.auid`*::
+
--
type: keyword
login user name
--
*`user.name_map.uid`*::
+
--
type: keyword
user name
--
*`user.name_map.euid`*::
+
--
type: keyword
effective user name
--
*`user.name_map.fsuid`*::
+
--
type: keyword
file system user name
--
*`user.name_map.suid`*::
+
--
type: keyword
sent user name
--
*`user.name_map.gid`*::
+
--
type: keyword
group name
--
*`user.name_map.egid`*::
+
--
type: keyword
effective group name
--
*`user.name_map.sgid`*::
+
--
type: keyword
set group name
--
*`user.name_map.fsgid`*::
+
--
type: keyword
file system group name
--
[float]
== selinux fields
The SELinux identity of the actor.
*`user.selinux.user`*::
+
--
type: keyword
account submitted for authentication
--
*`user.selinux.role`*::
+
--
type: keyword
user's SELinux role
--
*`user.selinux.domain`*::
+
--
type: keyword
The actor's SELinux domain or type.
--
*`user.selinux.level`*::
+
--
type: keyword
example: s0
The actor's SELinux level.
--
*`user.selinux.category`*::
+
--
type: keyword
The actor's SELinux category or compartments.
--
[float]
== process fields
Process attributes.
*`process.pid`*::
+
--
type: keyword
Process ID.
--
*`process.ppid`*::
+
--
type: keyword
Parent process ID.
--
*`process.name`*::
+
--
type: keyword
Process name (comm).
--
*`process.title`*::
+
--
type: keyword
Process title or command line parameters (proctitle).
--
*`process.exe`*::
+
--
type: keyword
Absolute path of the executable.
--
*`process.cwd`*::
+
--
type: keyword
The current working directory.
--
*`process.args`*::
+
--
type: keyword
The process arguments as a list.
--
[float]
== source fields
Source that triggered the event.
*`source.ip`*::
+
--
type: ip
The remote address.
--
*`source.port`*::
+
--
type: keyword
The port number.
--
*`source.hostname`*::
+
--
type: keyword
Hostname of the source.
--
*`source.path`*::
+
--
type: keyword
This is the path associated with a unix socket.
--
[float]
== destination fields
Destination address that triggered the event.
*`destination.ip`*::
+
--
type: ip
The remote address.
--
*`destination.port`*::
+
--
type: keyword
The port number.
--
*`destination.hostname`*::
+
--
type: keyword
Hostname of the source.
--
*`destination.path`*::
+
--
type: keyword
This is the path associated with a unix socket.
--
*`network.direction`*::
+
--
type: keyword
Direction of the network traffic (`incoming` or `outgoing`).
--
*`auditd.sequence`*::
+
--
type: long
The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can rollover.
--
*`auditd.session`*::
+
--
type: keyword
The session ID assigned to a login. All events related to a login session will have the same value.
--
*`auditd.result`*::
+
--
type: keyword
example: success or fail
The result of the audited operation (success/fail).
--
[float]
== actor fields
The actor is the user that triggered the audit event.
*`auditd.summary.actor.primary`*::
+
--
type: keyword
The primary identity of the actor. This is the actor's original login ID. It will not change even if the user changes to another account.
--
*`auditd.summary.actor.secondary`*::
+
--
type: keyword
The secondary identity of the actor. This is typically the same as the primary, except for when the user has used `su`.
--
[float]
== object fields
This is the thing or object being acted upon in the event.
*`auditd.summary.object.type`*::
+
--
type: keyword
A description of the what the "thing" is (e.g. file, socket, user-session).
--
*`auditd.summary.object.primary`*::
+
--
type: keyword
--
*`auditd.summary.object.secondary`*::
+
--
type: keyword
--
*`auditd.summary.how`*::
+
--
type: keyword
This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event.
--
[float]
== paths fields
List of paths associated with the event.
*`auditd.paths.inode`*::
+
--
type: keyword
inode number
--
*`auditd.paths.dev`*::
+
--
type: keyword
device name as found in /dev
--
*`auditd.paths.obj_user`*::
+
--
type: keyword
--
*`auditd.paths.obj_role`*::
+
--
type: keyword
--
*`auditd.paths.obj_domain`*::
+
--
type: keyword
--
*`auditd.paths.obj_level`*::
+
--
type: keyword
--
*`auditd.paths.objtype`*::
+
--
type: keyword
--
*`auditd.paths.ouid`*::
+
--
type: keyword
file owner user ID
--
*`auditd.paths.rdev`*::
+
--
type: keyword
the device identifier (special files only)
--
*`auditd.paths.nametype`*::
+
--
type: keyword
kind of file operation being referenced
--
*`auditd.paths.ogid`*::
+
--
type: keyword
file owner group ID
--
*`auditd.paths.item`*::
+
--
type: keyword
which item is being recorded
--
*`auditd.paths.mode`*::
+
--
type: keyword
mode flags on a file
--
*`auditd.paths.name`*::
+
--
type: keyword
file name in avcs
--
[float]
== data fields
The data from the audit messages.
*`auditd.data.action`*::
+
--
type: keyword
netfilter packet disposition
--
*`auditd.data.minor`*::
+
--
type: keyword
device minor number
--
*`auditd.data.acct`*::
+
--
type: keyword
a user's account name
--
*`auditd.data.addr`*::
+
--
type: keyword
the remote address that the user is connecting from
--
*`auditd.data.cipher`*::
+
--
type: keyword
name of crypto cipher selected
--
*`auditd.data.id`*::
+
--
type: keyword
during account changes
--
*`auditd.data.entries`*::
+
--
type: keyword
number of entries in the netfilter table
--
*`auditd.data.kind`*::
+
--
type: keyword
server or client in crypto operation
--
*`auditd.data.ksize`*::
+
--
type: keyword
key size for crypto operation
--
*`auditd.data.spid`*::
+
--
type: keyword
sent process ID
--
*`auditd.data.arch`*::
+
--
type: keyword
the elf architecture flags
--
*`auditd.data.argc`*::
+
--
type: keyword
the number of arguments to an execve syscall
--
*`auditd.data.major`*::
+
--
type: keyword
device major number
--
*`auditd.data.unit`*::
+
--
type: keyword
systemd unit
--
*`auditd.data.table`*::
+
--
type: keyword
netfilter table name
--
*`auditd.data.terminal`*::
+
--
type: keyword
terminal name the user is running programs on
--
*`auditd.data.grantors`*::
+
--
type: keyword
pam modules approving the action
--
*`auditd.data.direction`*::
+
--
type: keyword
direction of crypto operation
--
*`auditd.data.op`*::
+
--
type: keyword
the operation being performed that is audited
--
*`auditd.data.tty`*::
+
--
type: keyword
tty udevice the user is running programs on
--
*`auditd.data.syscall`*::
+
--
type: keyword
syscall number in effect when the event occurred
--
*`auditd.data.data`*::
+
--
type: keyword
TTY text
--
*`auditd.data.family`*::
+
--
type: keyword
netfilter protocol
--
*`auditd.data.mac`*::
+
--
type: keyword
crypto MAC algorithm selected
--
*`auditd.data.pfs`*::
+
--
type: keyword
perfect forward secrecy method
--
*`auditd.data.items`*::
+
--
type: keyword
the number of path records in the event
--
*`auditd.data.a0`*::
+
--
type: keyword
--
*`auditd.data.a1`*::
+
--
type: keyword
--
*`auditd.data.a2`*::
+
--
type: keyword
--
*`auditd.data.a3`*::
+
--
type: keyword
--
*`auditd.data.hostname`*::
+
--
type: keyword
the hostname that the user is connecting from
--
*`auditd.data.lport`*::
+
--
type: keyword
local network port
--
*`auditd.data.rport`*::
+
--
type: keyword
remote port number
--
*`auditd.data.exit`*::
+
--
type: keyword
syscall exit code
--
*`auditd.data.fp`*::
+
--
type: keyword
crypto key finger print
--
*`auditd.data.laddr`*::
+
--
type: keyword
local network address
--
*`auditd.data.sport`*::
+
--
type: keyword
local port number
--
*`auditd.data.capability`*::
+
--
type: keyword
posix capabilities
--
*`auditd.data.nargs`*::
+
--
type: keyword
the number of arguments to a socket call
--
*`auditd.data.new-enabled`*::
+
--
type: keyword
new TTY audit enabled setting
--
*`auditd.data.audit_backlog_limit`*::
+
--
type: keyword
audit system's backlog queue size
--
*`auditd.data.dir`*::
+
--
type: keyword
directory name
--
*`auditd.data.cap_pe`*::
+
--
type: keyword
process effective capability map
--
*`auditd.data.model`*::
+
--
type: keyword
security model being used for virt
--
*`auditd.data.new_pp`*::
+
--
type: keyword
new process permitted capability map
--
*`auditd.data.old-enabled`*::
+
--
type: keyword
present TTY audit enabled setting
--
*`auditd.data.oauid`*::
+
--
type: keyword
object's login user ID
--
*`auditd.data.old`*::
+
--
type: keyword
old value
--
*`auditd.data.banners`*::
+
--
type: keyword
banners used on printed page
--
*`auditd.data.feature`*::
+
--
type: keyword
kernel feature being changed
--
*`auditd.data.vm-ctx`*::
+
--
type: keyword
the vm's context string
--
*`auditd.data.opid`*::
+
--
type: keyword
object's process ID
--
*`auditd.data.seperms`*::
+
--
type: keyword
SELinux permissions being used
--
*`auditd.data.seresult`*::
+
--
type: keyword
SELinux AVC decision granted/denied
--
*`auditd.data.new-rng`*::
+
--
type: keyword
device name of rng being added from a vm
--
*`auditd.data.old-net`*::
+
--
type: keyword
present MAC address assigned to vm
--
*`auditd.data.sigev_signo`*::
+
--
type: keyword
signal number
--
*`auditd.data.ino`*::
+
--
type: keyword
inode number
--
*`auditd.data.old_enforcing`*::
+
--
type: keyword
old MAC enforcement status
--
*`auditd.data.old-vcpu`*::
+
--
type: keyword
present number of CPU cores
--
*`auditd.data.range`*::
+
--
type: keyword
user's SE Linux range
--
*`auditd.data.res`*::
+
--
type: keyword
result of the audited operation(success/fail)
--
*`auditd.data.added`*::
+
--
type: keyword
number of new files detected
--
*`auditd.data.fam`*::
+
--
type: keyword
socket address family
--
*`auditd.data.nlnk-pid`*::
+
--
type: keyword
pid of netlink packet sender
--
*`auditd.data.subj`*::
+
--
type: keyword
lspp subject's context string
--
*`auditd.data.a[0-3]`*::
+
--
type: keyword
the arguments to a syscall
--
*`auditd.data.cgroup`*::
+
--
type: keyword
path to cgroup in sysfs
--
*`auditd.data.kernel`*::
+
--
type: keyword
kernel's version number
--
*`auditd.data.ocomm`*::
+
--
type: keyword
object's command line name
--
*`auditd.data.new-net`*::
+
--
type: keyword
MAC address being assigned to vm
--
*`auditd.data.permissive`*::
+
--
type: keyword
SELinux is in permissive mode
--
*`auditd.data.class`*::
+
--
type: keyword
resource class assigned to vm
--
*`auditd.data.compat`*::
+
--
type: keyword
is_compat_task result
--
*`auditd.data.fi`*::
+
--
type: keyword
file assigned inherited capability map
--
*`auditd.data.changed`*::
+
--
type: keyword
number of changed files
--
*`auditd.data.msg`*::
+
--
type: keyword
the payload of the audit record
--
*`auditd.data.dport`*::
+
--
type: keyword
remote port number
--
*`auditd.data.new-seuser`*::
+
--
type: keyword
new SELinux user
--
*`auditd.data.invalid_context`*::
+
--
type: keyword
SELinux context
--
*`auditd.data.dmac`*::
+
--
type: keyword
remote MAC address
--
*`auditd.data.ipx-net`*::
+
--
type: keyword
IPX network number
--
*`auditd.data.iuid`*::
+
--
type: keyword
ipc object's user ID
--
*`auditd.data.macproto`*::
+
--
type: keyword
ethernet packet type ID field
--
*`auditd.data.obj`*::
+
--
type: keyword
lspp object context string
--
*`auditd.data.ipid`*::
+
--
type: keyword
IP datagram fragment identifier
--
*`auditd.data.new-fs`*::
+
--
type: keyword
file system being added to vm
--
*`auditd.data.vm-pid`*::
+
--
type: keyword
vm's process ID
--
*`auditd.data.cap_pi`*::
+
--
type: keyword
process inherited capability map
--
*`auditd.data.old-auid`*::
+
--
type: keyword
previous auid value
--
*`auditd.data.oses`*::
+
--
type: keyword
object's session ID
--
*`auditd.data.fd`*::
+
--
type: keyword
file descriptor number
--
*`auditd.data.igid`*::
+
--
type: keyword
ipc object's group ID
--
*`auditd.data.new-disk`*::
+
--
type: keyword
disk being added to vm
--
*`auditd.data.parent`*::
+
--
type: keyword
the inode number of the parent file
--
*`auditd.data.len`*::
+
--
type: keyword
length
--
*`auditd.data.oflag`*::
+
--
type: keyword
open syscall flags
--
*`auditd.data.uuid`*::
+
--
type: keyword
a UUID
--
*`auditd.data.code`*::
+
--
type: keyword
seccomp action code
--
*`auditd.data.nlnk-grp`*::
+
--
type: keyword
netlink group number
--
*`auditd.data.cap_fp`*::
+
--
type: keyword
file permitted capability map
--
*`auditd.data.new-mem`*::
+
--
type: keyword
new amount of memory in KB
--
*`auditd.data.seperm`*::
+
--
type: keyword
SELinux permission being decided on
--
*`auditd.data.enforcing`*::
+
--
type: keyword
new MAC enforcement status
--
*`auditd.data.new-chardev`*::
+
--
type: keyword
new character device being assigned to vm
--
*`auditd.data.old-rng`*::
+
--
type: keyword
device name of rng being removed from a vm
--
*`auditd.data.outif`*::
+
--
type: keyword
out interface number
--
*`auditd.data.cmd`*::
+
--
type: keyword
command being executed
--
*`auditd.data.hook`*::
+
--
type: keyword
netfilter hook that packet came from
--
*`auditd.data.new-level`*::
+
--
type: keyword
new run level
--
*`auditd.data.sauid`*::
+
--
type: keyword
sent login user ID
--
*`auditd.data.sig`*::
+
--
type: keyword
signal number
--
*`auditd.data.audit_backlog_wait_time`*::
+
--
type: keyword
audit system's backlog wait time
--
*`auditd.data.printer`*::
+
--
type: keyword
printer name
--
*`auditd.data.old-mem`*::
+
--
type: keyword
present amount of memory in KB
--
*`auditd.data.perm`*::
+
--
type: keyword
the file permission being used
--
*`auditd.data.old_pi`*::
+
--
type: keyword
old process inherited capability map
--
*`auditd.data.state`*::
+
--
type: keyword
audit daemon configuration resulting state
--
*`auditd.data.format`*::
+
--
type: keyword
audit log's format
--
*`auditd.data.new_gid`*::
+
--
type: keyword
new group ID being assigned
--
*`auditd.data.tcontext`*::
+
--
type: keyword
the target's or object's context string
--
*`auditd.data.maj`*::
+
--
type: keyword
device major number
--
*`auditd.data.watch`*::
+
--
type: keyword
file name in a watch record
--
*`auditd.data.device`*::
+
--
type: keyword
device name
--
*`auditd.data.grp`*::
+
--
type: keyword
group name
--
*`auditd.data.bool`*::
+
--
type: keyword
name of SELinux boolean
--
*`auditd.data.icmp_type`*::
+
--
type: keyword
type of icmp message
--
*`auditd.data.new_lock`*::
+
--
type: keyword
new value of feature lock
--
*`auditd.data.old_prom`*::
+
--
type: keyword
network promiscuity flag
--
*`auditd.data.acl`*::
+
--
type: keyword
access mode of resource assigned to vm
--
*`auditd.data.ip`*::
+
--
type: keyword
network address of a printer
--
*`auditd.data.new_pi`*::
+
--
type: keyword
new process inherited capability map
--
*`auditd.data.default-context`*::
+
--
type: keyword
default MAC context
--
*`auditd.data.inode_gid`*::
+
--
type: keyword
group ID of the inode's owner
--
*`auditd.data.new-log_passwd`*::
+
--
type: keyword
new value for TTY password logging
--
*`auditd.data.new_pe`*::
+
--
type: keyword
new process effective capability map
--
*`auditd.data.selected-context`*::
+
--
type: keyword
new MAC context assigned to session
--
*`auditd.data.cap_fver`*::
+
--
type: keyword
file system capabilities version number
--
*`auditd.data.file`*::
+
--
type: keyword
file name
--
*`auditd.data.net`*::
+
--
type: keyword
network MAC address
--
*`auditd.data.virt`*::
+
--
type: keyword
kind of virtualization being referenced
--
*`auditd.data.cap_pp`*::
+
--
type: keyword
process permitted capability map
--
*`auditd.data.old-range`*::
+
--
type: keyword
present SELinux range
--
*`auditd.data.resrc`*::
+
--
type: keyword
resource being assigned
--
*`auditd.data.new-range`*::
+
--
type: keyword
new SELinux range
--
*`auditd.data.obj_gid`*::
+
--
type: keyword
group ID of object
--
*`auditd.data.proto`*::
+
--
type: keyword
network protocol
--
*`auditd.data.old-disk`*::
+
--
type: keyword
disk being removed from vm
--
*`auditd.data.audit_failure`*::
+
--
type: keyword
audit system's failure mode
--
*`auditd.data.inif`*::
+
--
type: keyword
in interface number
--
*`auditd.data.vm`*::
+
--
type: keyword
virtual machine name
--
*`auditd.data.flags`*::
+
--
type: keyword
mmap syscall flags
--
*`auditd.data.nlnk-fam`*::
+
--
type: keyword
netlink protocol number
--
*`auditd.data.old-fs`*::
+
--
type: keyword
file system being removed from vm
--
*`auditd.data.old-ses`*::
+
--
type: keyword
previous ses value
--
*`auditd.data.seqno`*::
+
--
type: keyword
sequence number
--
*`auditd.data.fver`*::
+
--
type: keyword
file system capabilities version number
--
*`auditd.data.qbytes`*::
+
--
type: keyword
ipc objects quantity of bytes
--
*`auditd.data.seuser`*::
+
--
type: keyword
user's SE Linux user acct
--
*`auditd.data.cap_fe`*::
+
--
type: keyword
file assigned effective capability map
--
*`auditd.data.new-vcpu`*::
+
--
type: keyword
new number of CPU cores
--
*`auditd.data.old-level`*::
+
--
type: keyword
old run level
--
*`auditd.data.old_pp`*::
+
--
type: keyword
old process permitted capability map
--
*`auditd.data.daddr`*::
+
--
type: keyword
remote IP address
--
*`auditd.data.old-role`*::
+
--
type: keyword
present SELinux role
--
*`auditd.data.ioctlcmd`*::
+
--
type: keyword
The request argument to the ioctl syscall
--
*`auditd.data.smac`*::
+
--
type: keyword
local MAC address
--
*`auditd.data.apparmor`*::
+
--
type: keyword
apparmor event information
--
*`auditd.data.fe`*::
+
--
type: keyword
file assigned effective capability map
--
*`auditd.data.perm_mask`*::
+
--
type: keyword
file permission mask that triggered a watch event
--
*`auditd.data.ses`*::
+
--
type: keyword
login session ID
--
*`auditd.data.cap_fi`*::
+
--
type: keyword
file inherited capability map
--
*`auditd.data.obj_uid`*::
+
--
type: keyword
user ID of object
--
*`auditd.data.reason`*::
+
--
type: keyword
text string denoting a reason for the action
--
*`auditd.data.list`*::
+
--
type: keyword
the audit system's filter list number
--
*`auditd.data.old_lock`*::
+
--
type: keyword
present value of feature lock
--
*`auditd.data.bus`*::
+
--
type: keyword
name of subsystem bus a vm resource belongs to
--
*`auditd.data.old_pe`*::
+
--
type: keyword
old process effective capability map
--
*`auditd.data.new-role`*::
+
--
type: keyword
new SELinux role
--
*`auditd.data.prom`*::
+
--
type: keyword
network promiscuity flag
--
*`auditd.data.uri`*::
+
--
type: keyword
URI pointing to a printer
--
*`auditd.data.audit_enabled`*::
+
--
type: keyword
audit systems's enable/disable status
--
*`auditd.data.old-log_passwd`*::
+
--
type: keyword
present value for TTY password logging
--
*`auditd.data.old-seuser`*::
+
--
type: keyword
present SELinux user
--
*`auditd.data.per`*::
+
--
type: keyword
linux personality
--
*`auditd.data.scontext`*::
+
--
type: keyword
the subject's context string
--
*`auditd.data.tclass`*::
+
--
type: keyword
target's object classification
--
*`auditd.data.ver`*::
+
--
type: keyword
audit daemon's version number
--
*`auditd.data.new`*::
+
--
type: keyword
value being set in feature
--
*`auditd.data.val`*::
+
--
type: keyword
generic value associated with the operation
--
*`auditd.data.img-ctx`*::
+
--
type: keyword
the vm's disk image context string
--
*`auditd.data.old-chardev`*::
+
--
type: keyword
present character device assigned to vm
--
*`auditd.data.old_val`*::
+
--
type: keyword
current value of SELinux boolean
--
*`auditd.data.success`*::
+
--
type: keyword
whether the syscall was successful or not
--
*`auditd.data.inode_uid`*::
+
--
type: keyword
user ID of the inode's owner
--
*`auditd.data.removed`*::
+
--
type: keyword
number of deleted files
--
*`auditd.data.socket.port`*::
+
--
type: keyword
The port number.
--
*`auditd.data.socket.saddr`*::
+
--
type: keyword
The raw socket address structure.
--
*`auditd.data.socket.addr`*::
+
--
type: keyword
The remote address.
--
*`auditd.data.socket.family`*::
+
--
type: keyword
example: unix
The socket family (unix, ipv4, ipv6, netlink).
--
*`auditd.data.socket.path`*::
+
--
type: keyword
This is the path associated with a unix socket.
--
*`auditd.messages`*::
+
--
type: text
An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if `include_raw_message` is set in the config.
--
*`auditd.warnings`*::
+
--
type: keyword
The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only.
--
[float]
== geoip fields
The geoip fields are defined as a convenience in case you decide to enrich the data using a geoip filter in Logstash or Ingest Node.
*`geoip.continent_name`*::
+
--
type: keyword
The name of the continent.
--
*`geoip.city_name`*::
+
--
type: keyword
The name of the city.
--
*`geoip.region_name`*::
+
--
type: keyword
The name of the region.
--
*`geoip.country_iso_code`*::
+
--
type: keyword
Country ISO code.
--
*`geoip.location`*::
+
--
type: geo_point
The longitude and latitude.
--
[[exported-fields-beat]]
== Beat fields
Contains common beat fields available in all event types.
*`beat.name`*::
+
--
The name of the Beat sending the log messages. If the Beat name is set in the configuration file, then that value is used. If it is not set, the hostname is used. To set the Beat name, use the `name` option in the configuration file.
--
*`beat.hostname`*::
+
--
The hostname as returned by the operating system on which the Beat is running.
--
*`beat.timezone`*::
+
--
The timezone as returned by the operating system on which the Beat is running.
--
*`beat.version`*::
+
--
The version of the beat that generated this event.
--
*`@timestamp`*::
+
--
type: date
example: August 26th 2016, 12:35:53.332
format: date
required: True
The timestamp when the event log record was generated.
--
*`tags`*::
+
--
Arbitrary tags that can be set per Beat and per transaction type.
--
*`fields`*::
+
--
type: object
Contains user configurable fields.
--
[float]
== error fields
Error fields containing additional info in case of errors.
*`error.message`*::
+
--
type: text
Error message.
--
*`error.code`*::
+
--
type: long
Error code.
--
*`error.type`*::
+
--
type: keyword
Error type.
--
[[exported-fields-cloud]]
== Cloud provider metadata fields
Metadata from cloud providers added by the add_cloud_metadata processor.
*`meta.cloud.provider`*::
+
--
example: ec2
Name of the cloud provider. Possible values are ec2, gce, or digitalocean.
--
*`meta.cloud.instance_id`*::
+
--
Instance ID of the host machine.
--
*`meta.cloud.instance_name`*::
+
--
Instance name of the host machine.
--
*`meta.cloud.machine_type`*::
+
--
example: t2.medium
Machine type of the host machine.
--
*`meta.cloud.availability_zone`*::
+
--
example: us-east-1c
Availability zone in which this host is running.
--
*`meta.cloud.project_id`*::
+
--
example: project-x
Name of the project in Google Cloud.
--
*`meta.cloud.region`*::
+
--
Region in which this host is running.
--
[[exported-fields-common]]
== Common fields
Contains common fields available in all event types.
*`event.module`*::
+
--
The name of the module that generated the event.
--
*`event.action`*::
+
--
type: keyword
example: logged-in
Action describes the change that triggered the event.
For the file integrity module the possible values are: attributes_modified, created, deleted, updated, moved, and config_change.
--
[float]
== file fields
File attributes.
*`file.path`*::
+
--
type: text
The path to the file.
*`file.path.raw`*::
+
--
type: keyword
The path to the file. This is a non-analyzed field that is useful for aggregations.
--
--
*`file.target_path`*::
+
--
type: keyword
The target path for symlinks.
--
*`file.type`*::
+
--
type: keyword
The file type (file, dir, or symlink).
--
*`file.device`*::
+
--
type: keyword
The device.
--
*`file.inode`*::
+
--
type: keyword
The inode representing the file in the filesystem.
--
*`file.uid`*::
+
--
type: keyword
The user ID (UID) or security identifier (SID) of the file owner.
--
*`file.owner`*::
+
--
type: keyword
The file owner's username.
--
*`file.gid`*::
+
--
type: keyword
The primary group ID (GID) of the file.
--
*`file.group`*::
+
--
type: keyword
The primary group name of the file.
--
*`file.mode`*::
+
--
type: keyword
example: 416
The mode of the file in octal representation.
--
*`file.setuid`*::
+
--
type: boolean
example: True
Set if the file has the `setuid` bit set. Omitted otherwise.
--
*`file.setgid`*::
+
--
type: boolean
example: True
Set if the file has the `setgid` bit set. Omitted otherwise.
--
*`file.size`*::
+
--
type: long
The file size in bytes (field is only added when `type` is `file`).
--
*`file.mtime`*::
+
--
type: date
The last modified time of the file (time when content was modified).
--
*`file.ctime`*::
+
--
type: date
The last change time of the file (time when metadata was changed).
--
*`file.origin`*::
+
--
type: text
An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available.
*`file.origin.raw`*::
+
--
type: keyword
This is a non-analyzed field that is useful for aggregations on the origin data.
--
--
[float]
== selinux fields
The SELinux identity of the file.
*`file.selinux.user`*::
+
--
type: keyword
The owner of the object.
--
*`file.selinux.role`*::
+
--
type: keyword
The object's SELinux role.
--
*`file.selinux.domain`*::
+
--
type: keyword
The object's SELinux domain or type.
--
*`file.selinux.level`*::
+
--
type: keyword
example: s0
The object's SELinux level.
--
[[exported-fields-docker-processor]]
== Docker fields
Docker stats collected from Docker.
*`docker.container.id`*::
+
--
type: keyword
Unique container id.
--
*`docker.container.image`*::
+
--
type: keyword
Name of the image the container was built on.
--
*`docker.container.name`*::
+
--
type: keyword
Container name.
--
*`docker.container.labels`*::
+
--
type: object
Image labels.
--
[[exported-fields-file_integrity]]
== File Integrity fields
These are the fields generated by the file_integrity module.
[float]
== hash fields
Hashes of the file. The keys are algorithm names and the values are the hex encoded digest values.
*`hash.blake2b_256`*::
+
--
type: keyword
BLAKE2b-256 hash of the file.
--
*`hash.blake2b_384`*::
+
--
type: keyword
BLAKE2b-384 hash of the file.
--
*`hash.blake2b_512`*::
+
--
type: keyword
BLAKE2b-512 hash of the file.
--
*`hash.md5`*::
+
--
type: keyword
MD5 hash of the file.
--
*`hash.sha1`*::
+
--
type: keyword
SHA1 hash of the file.
--
*`hash.sha224`*::
+
--
type: keyword
SHA224 hash of the file.
--
*`hash.sha256`*::
+
--
type: keyword
SHA256 hash of the file.
--
*`hash.sha384`*::
+
--
type: keyword
SHA384 hash of the file.
--
*`hash.sha3_224`*::
+
--
type: keyword
SHA3_224 hash of the file.
--
*`hash.sha3_256`*::
+
--
type: keyword
SHA3_256 hash of the file.
--
*`hash.sha3_384`*::
+
--
type: keyword
SHA3_384 hash of the file.
--
*`hash.sha3_512`*::
+
--
type: keyword
SHA3_512 hash of the file.
--
*`hash.sha512`*::
+
--
type: keyword
SHA512 hash of the file.
--
*`hash.sha512_224`*::
+
--
type: keyword
SHA512/224 hash of the file.
--
*`hash.sha512_256`*::
+
--
type: keyword
SHA512/256 hash of the file.
--
*`hash.xxh64`*::
+
--
type: keyword
XX64 hash of the file.
--
[[exported-fields-host-processor]]
== Host fields
Info collected for the host machine.
*`host.name`*::
+
--
type: keyword
Hostname.
--
*`host.id`*::
+
--
type: keyword
Unique host id.
--
*`host.architecture`*::
+
--
type: keyword
Host architecture (e.g. x86_64, arm, ppc, mips).
--
*`host.os.platform`*::
+
--
type: keyword
OS platform (e.g. centos, ubuntu, windows).
--
*`host.os.version`*::
+
--
type: keyword
OS version.
--
*`host.os.family`*::
+
--
type: keyword
OS family (e.g. redhat, debian, freebsd, windows).
--
*`host.ip`*::
+
--
type: ip
List of IP-addresses.
--
*`host.mac`*::
+
--
type: keyword
List of hardware-addresses, usually MAC-addresses.
--
[[exported-fields-kubernetes-processor]]
== Kubernetes fields
Kubernetes metadata added by the kubernetes processor
*`kubernetes.pod.name`*::
+
--
type: keyword
Kubernetes pod name
--
*`kubernetes.pod.uid`*::
+
--
type: keyword
Kubernetes Pod UID
--
*`kubernetes.namespace`*::
+
--
type: keyword
Kubernetes namespace
--
*`kubernetes.node.name`*::
+
--
type: keyword
Kubernetes node name
--
*`kubernetes.labels`*::
+
--
type: object
Kubernetes labels map
--
*`kubernetes.annotations`*::
+
--
type: object
Kubernetes annotations map
--
*`kubernetes.container.name`*::
+
--
type: keyword
Kubernetes container name
--
*`kubernetes.container.image`*::
+
--
type: keyword
Kubernetes container image
--