WARNING: Version 6.1 of Filebeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
System fields
Module for parsing system log files.

system fields
Fields from the system log files.

auth fields
Fields from the Linux authorization logs.

system.auth.timestamp
The timestamp as read from the auth message.

system.auth.hostname
The hostname as read from the auth message.

system.auth.program
The process name as read from the auth message.

system.auth.pid
type: long
The PID of the process that sent the auth message.

system.auth.message
The message in the log line.

system.auth.user
The Unix user that this event refers to.

ssh fields
Fields specific to SSH login events.

system.auth.ssh.event
The SSH login event. Can be one of "Accepted", "Failed", or "Invalid". "Accepted" means a successful login. "Invalid" means that the user is not configured on the system. "Failed" means that the SSH login attempt has failed.

system.auth.ssh.method
The SSH authentication method. Can be one of "password" or "publickey".

system.auth.ssh.ip
type: ip
The client IP from where the login attempt was made.

system.auth.ssh.dropped_ip
type: ip
The client IP from SSH connections that are open and immediately dropped.

system.auth.ssh.port
type: long
The client port from where the login attempt was made.

system.auth.ssh.signature
The signature of the client public key.
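Added example (not part of the Filebeat documentation or its code): a small Python check that reads events carrying the system.auth.ssh.* fields above and flags client IPs whose "Failed"/"Invalid" logins cluster inside a short window, reporting whether the same client also produced an "Accepted" login. The sample events, the threshold and the window length are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_EVENTS = {"Failed", "Invalid"}  # values of system.auth.ssh.event

# Constructed sample events in the flattened shape the auth fileset
# produces; only the fields this check reads are included.
SAMPLE_EVENTS = [
    {"system.auth.timestamp": "Feb 20 10:00:01", "system.auth.user": "root",
     "system.auth.ssh.event": "Failed", "system.auth.ssh.ip": "198.51.100.7"},
    {"system.auth.timestamp": "Feb 20 10:00:09", "system.auth.user": "admin",
     "system.auth.ssh.event": "Invalid", "system.auth.ssh.ip": "198.51.100.7"},
    {"system.auth.timestamp": "Feb 20 10:01:30", "system.auth.user": "root",
     "system.auth.ssh.event": "Failed", "system.auth.ssh.ip": "198.51.100.7"},
    {"system.auth.timestamp": "Feb 20 10:02:00", "system.auth.user": "deploy",
     "system.auth.ssh.event": "Accepted", "system.auth.ssh.ip": "198.51.100.7"},
    {"system.auth.timestamp": "Feb 20 09:00:00", "system.auth.user": "alice",
     "system.auth.ssh.event": "Failed", "system.auth.ssh.ip": "203.0.113.5"},
    {"system.auth.timestamp": "Feb 20 09:20:00", "system.auth.user": "alice",
     "system.auth.ssh.event": "Failed", "system.auth.ssh.ip": "203.0.113.5"},
    {"system.auth.timestamp": "Feb 20 09:40:00", "system.auth.user": "alice",
     "system.auth.ssh.event": "Failed", "system.auth.ssh.ip": "203.0.113.5"},
]

def parse_ts(ts, year=2000):
    # Auth-log timestamps carry no year; a fixed (leap) year keeps them comparable.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def suspicious_ips(events, threshold=3, window=timedelta(minutes=5)):
    """Flag each system.auth.ssh.ip whose Failed/Invalid logins reach
    `threshold` inside any `window`-long span; returns {ip: summary}."""
    by_ip = defaultdict(list)
    for ev in events:
        if "system.auth.ssh.event" in ev:
            by_ip[ev["system.auth.ssh.ip"]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["system.auth.ssh.event"] in FAILURE_EVENTS]
        times = sorted(parse_ts(e["system.auth.timestamp"]) for e in fails)
        # Sliding window over the sorted failure timestamps.
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            report[ip] = {
                "failures": len(fails),
                "users": sorted({e["system.auth.user"] for e in fails}),
                # A successful login from a client that also produced a burst
                # is the finding to escalate first.
                "accepted": any(e["system.auth.ssh.event"] == "Accepted" for e in evs),
            }
    return report
```

With the sample data only 198.51.100.7 is reported: its three failures fall within 90 seconds, while the three failures from 203.0.113.5 are spread over 40 minutes and never fit the window.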
geoip fields
Contains GeoIP information gathered based on the system.auth.ip field. Only present if the GeoIP Elasticsearch plugin is available and used.

system.auth.ssh.geoip.continent_name
type: keyword
The name of the continent.

system.auth.ssh.geoip.city_name
type: keyword
The name of the city.

system.auth.ssh.geoip.region_name
type: keyword
The name of the region.

system.auth.ssh.geoip.country_iso_code
type: keyword
Country ISO code.

system.auth.ssh.geoip.location
type: geo_point
The longitude and latitude.

sudo fields
Fields specific to events created by the sudo command.

system.auth.sudo.error
example: user NOT in sudoers
The error message in case the sudo command failed.

system.auth.sudo.tty
The TTY where the sudo command is executed.

system.auth.sudo.pwd
The current directory where the sudo command is executed.

system.auth.sudo.user
example: root
The target user to which the sudo command is switching.

system.auth.sudo.command
The command executed via sudo.

useradd fields
Fields specific to events created by the useradd command.

system.auth.useradd.name
The user name being added.

system.auth.useradd.uid
type: long
The user ID.

system.auth.useradd.gid
type: long
The group ID.

system.auth.useradd.home
The home folder for the new user.

system.auth.useradd.shell
The default shell for the new user.

groupadd fields
Fields specific to events created by the groupadd command.

system.auth.groupadd.name
The name of the new group.

system.auth.groupadd.gid
type: long
The ID of the new group.

syslog fields
Contains fields from the syslog system logs.

system.syslog.timestamp
The timestamp as read from the syslog message.

system.syslog.hostname
The hostname as read from the syslog message.

system.syslog.program
The process name as read from the syslog message.

system.syslog.pid
The PID of the process that sent the syslog message.

system.syslog.message
The message in the log line.