System
Collect system logs and metrics from your servers with Elastic Agent.
Version | 1.60.5 (View all) |
Compatible Kibana version(s) | 8.13.0 or higher |
Supported Serverless project types | Security Observability |
Subscription level | Basic |
Level of support | Elastic |
The System integration allows you to monitor servers, personal computers, and more.
Use the System integration to collect metrics and logs from your machines. Then visualize that data in Kibana, create alerts to notify you if something goes wrong, and reference data when troubleshooting an issue.
For example, if you wanted to be notified when less than 10% of the disk space is still available, you could install the System integration to send file system metrics to Elastic. Then, you could view real-time updates to disk space used on your system in Kibana's [Metrics System] Overview dashboard. You could also set up a new rule in the Elastic Observability Metrics app to alert you when the percent free is less than 10% of the total disk space.
Data streams
The System integration collects two types of data: logs and metrics.
Logs help you keep a record of events that happen on your machine. Log data streams collected by the System integration include application, system, and security events on machines running Windows and auth and syslog events on machines running macOS or Linux. See more details in the Logs reference.
Metrics give you insight into the state of the machine. Metric data streams collected by the System integration include CPU usage, load statistics, memory usage, information on network behavior, and more. See more details in the Metrics reference.
You can enable and disable individual data streams. If all data streams are disabled and the System integration is still enabled, Fleet uses the default data streams.
Requirements
You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
Each data stream collects different kinds of metric data, which may require dedicated permissions to be fetched and which may vary across operating systems. Details on the permissions needed for each data stream are available in the Metrics reference.
Setup
For step-by-step instructions on how to set up an integration, see the Getting started guide.
Troubleshooting
Note that certain data streams may access /proc
to gather process information,
and the resulting ptrace_may_access()
call by the kernel to check for
permissions can be blocked by
AppArmor and other LSM software, even though the System module doesn't use ptrace
directly.
In addition, when running inside a container the proc filesystem directory of the host
should be set using system.hostfs
setting to /hostfs
.
Windows Event ID clause limit
If you specify more than 22 query conditions (event IDs or event ID ranges), some versions of Windows will prevent the integration from reading the event log due to limits in the query system. If this occurs, a similar warning as shown below:
The specified query is invalid.
In some cases, the limit may be lower than 22 conditions. For instance, using a
mixture of ranges and single event IDs, along with an additional parameter such
as ignore older
, results in a limit of 21 conditions.
If you have more than 22 conditions, you can work around this Windows limitation
by using a drop_event processor to do the filtering after filebeat has received
the events from Windows. The filter shown below is equivalent to
event_id: 903, 1024, 2000-2004, 4624
but can be expanded beyond 22 event IDs.
- drop_event.when.not.or:
- equals.winlog.event_id: "903"
- equals.winlog.event_id: "1024"
- equals.winlog.event_id: "4624"
- range:
winlog.event_id.gte: 2000
winlog.event_id.lte: 2004
Logs reference
Application
The Windows application
data stream provides events from the Windows
Application
event log.
Supported operating systems
- Windows
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
winlog.channel | The name of the channel from which this record was read. This value is one of the names from the event_logs collection in the configuration. | keyword |
winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from agent.hostname . | keyword |
winlog.event_data | The event-specific data. This field is mutually exclusive with user_data . If you are capturing event data on versions prior to Windows Vista, the parameters in event_data are named param1 , param2 , and so on, because event log parameters are unnamed in earlier versions of Windows. | object |
winlog.event_data.AuthenticationPackageName | keyword | |
winlog.event_data.Binary | keyword | |
winlog.event_data.BitlockerUserInputTime | keyword | |
winlog.event_data.BootMode | keyword | |
winlog.event_data.BootType | keyword | |
winlog.event_data.BuildVersion | keyword | |
winlog.event_data.Company | keyword | |
winlog.event_data.CorruptionActionState | keyword | |
winlog.event_data.CreationUtcTime | keyword | |
winlog.event_data.Description | keyword | |
winlog.event_data.Detail | keyword | |
winlog.event_data.DeviceName | keyword | |
winlog.event_data.DeviceNameLength | keyword | |
winlog.event_data.DeviceTime | keyword | |
winlog.event_data.DeviceVersionMajor | keyword | |
winlog.event_data.DeviceVersionMinor | keyword | |
winlog.event_data.DriveName | keyword | |
winlog.event_data.DriverName | keyword | |
winlog.event_data.DriverNameLength | keyword | |
winlog.event_data.DwordVal | keyword | |
winlog.event_data.EntryCount | keyword | |
winlog.event_data.ExtraInfo | keyword | |
winlog.event_data.FailureName | keyword | |
winlog.event_data.FailureNameLength | keyword | |
winlog.event_data.FileVersion | keyword | |
winlog.event_data.FinalStatus | keyword | |
winlog.event_data.Group | keyword | |
winlog.event_data.IdleImplementation | keyword | |
winlog.event_data.IdleStateCount | keyword | |
winlog.event_data.ImpersonationLevel | keyword | |
winlog.event_data.IntegrityLevel | keyword | |
winlog.event_data.IpAddress | keyword | |
winlog.event_data.IpPort | keyword | |
winlog.event_data.KeyLength | keyword | |
winlog.event_data.LastBootGood | keyword | |
winlog.event_data.LastShutdownGood | keyword | |
winlog.event_data.LmPackageName | keyword | |
winlog.event_data.LogonGuid | keyword | |
winlog.event_data.LogonId | keyword | |
winlog.event_data.LogonProcessName | keyword | |
winlog.event_data.LogonType | keyword | |
winlog.event_data.MajorVersion | keyword | |
winlog.event_data.MaximumPerformancePercent | keyword | |
winlog.event_data.MemberName | keyword | |
winlog.event_data.MemberSid | keyword | |
winlog.event_data.MinimumPerformancePercent | keyword | |
winlog.event_data.MinimumThrottlePercent | keyword | |
winlog.event_data.MinorVersion | keyword | |
winlog.event_data.NewProcessId | keyword | |
winlog.event_data.NewProcessName | keyword | |
winlog.event_data.NewSchemeGuid | keyword | |
winlog.event_data.NewTime | keyword | |
winlog.event_data.NominalFrequency | keyword | |
winlog.event_data.Number | keyword | |
winlog.event_data.OldSchemeGuid | keyword | |
winlog.event_data.OldTime | keyword | |
winlog.event_data.OriginalFileName | keyword | |
winlog.event_data.Path | keyword | |
winlog.event_data.PerformanceImplementation | keyword | |
winlog.event_data.PreviousCreationUtcTime | keyword | |
winlog.event_data.PreviousTime | keyword | |
winlog.event_data.PrivilegeList | keyword | |
winlog.event_data.ProcessId | keyword | |
winlog.event_data.ProcessName | keyword | |
winlog.event_data.ProcessPath | keyword | |
winlog.event_data.ProcessPid | keyword | |
winlog.event_data.Product | keyword | |
winlog.event_data.PuaCount | keyword | |
winlog.event_data.PuaPolicyId | keyword | |
winlog.event_data.QfeVersion | keyword | |
winlog.event_data.Reason | keyword | |
winlog.event_data.SchemaVersion | keyword | |
winlog.event_data.ScriptBlockText | keyword | |
winlog.event_data.ServiceName | keyword | |
winlog.event_data.ServiceVersion | keyword | |
winlog.event_data.ShutdownActionType | keyword | |
winlog.event_data.ShutdownEventCode | keyword | |
winlog.event_data.ShutdownReason | keyword | |
winlog.event_data.Signature | keyword | |
winlog.event_data.SignatureStatus | keyword | |
winlog.event_data.Signed | keyword | |
winlog.event_data.StartTime | keyword | |
winlog.event_data.State | keyword | |
winlog.event_data.Status | keyword | |
winlog.event_data.StopTime | keyword | |
winlog.event_data.SubjectDomainName | keyword | |
winlog.event_data.SubjectLogonId | keyword | |
winlog.event_data.SubjectUserName | keyword | |
winlog.event_data.SubjectUserSid | keyword | |
winlog.event_data.TSId | keyword | |
winlog.event_data.TargetDomainName | keyword | |
winlog.event_data.TargetInfo | keyword | |
winlog.event_data.TargetLogonGuid | keyword | |
winlog.event_data.TargetLogonId | keyword | |
winlog.event_data.TargetServerName | keyword | |
winlog.event_data.TargetUserName | keyword | |
winlog.event_data.TargetUserSid | keyword | |
winlog.event_data.TerminalSessionId | keyword | |
winlog.event_data.TokenElevationType | keyword | |
winlog.event_data.TransmittedServices | keyword | |
winlog.event_data.UserSid | keyword | |
winlog.event_data.Version | keyword | |
winlog.event_data.Workstation | keyword | |
winlog.event_data.param1 | keyword | |
winlog.event_data.param2 | keyword | |
winlog.event_data.param3 | keyword | |
winlog.event_data.param4 | keyword | |
winlog.event_data.param5 | keyword | |
winlog.event_data.param6 | keyword | |
winlog.event_data.param7 | keyword | |
winlog.event_data.param8 | keyword | |
winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword |
winlog.keywords | The keywords are used to classify an event. | keyword |
winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword |
winlog.process.pid | The process_id of the Client Server Runtime Process. | long |
winlog.process.thread.id | long | |
winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword |
winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword |
winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword |
winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their activity_id identifier. | keyword |
winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword |
winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the user.name , user.domain , and user.type fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword |
winlog.user.name | Name of the user associated with this event. | keyword |
winlog.user.type | The type of account associated with this event. | keyword |
winlog.user_data | The event specific data. This field is mutually exclusive with event_data . | object |
winlog.version | The version number of the event's definition. | long |
System
The Windows system
data stream provides events from the Windows System
event log.
Supported operating systems
- Windows
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
winlog.channel | The name of the channel from which this record was read. This value is one of the names from the event_logs collection in the configuration. | keyword |
winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from agent.hostname . | keyword |
winlog.event_data | The event-specific data. This field is mutually exclusive with user_data . If you are capturing event data on versions prior to Windows Vista, the parameters in event_data are named param1 , param2 , and so on, because event log parameters are unnamed in earlier versions of Windows. | object |
winlog.event_data.AuthenticationPackageName | keyword | |
winlog.event_data.Binary | keyword | |
winlog.event_data.BitlockerUserInputTime | keyword | |
winlog.event_data.BootMode | keyword | |
winlog.event_data.BootType | keyword | |
winlog.event_data.BuildVersion | keyword | |
winlog.event_data.Company | keyword | |
winlog.event_data.CorruptionActionState | keyword | |
winlog.event_data.CreationUtcTime | keyword | |
winlog.event_data.Description | keyword | |
winlog.event_data.Detail | keyword | |
winlog.event_data.DeviceName | keyword | |
winlog.event_data.DeviceNameLength | keyword | |
winlog.event_data.DeviceTime | keyword | |
winlog.event_data.DeviceVersionMajor | keyword | |
winlog.event_data.DeviceVersionMinor | keyword | |
winlog.event_data.DriveName | keyword | |
winlog.event_data.DriverName | keyword | |
winlog.event_data.DriverNameLength | keyword | |
winlog.event_data.DwordVal | keyword | |
winlog.event_data.EntryCount | keyword | |
winlog.event_data.ExtraInfo | keyword | |
winlog.event_data.FailureName | keyword | |
winlog.event_data.FailureNameLength | keyword | |
winlog.event_data.FileVersion | keyword | |
winlog.event_data.FinalStatus | keyword | |
winlog.event_data.Group | keyword | |
winlog.event_data.IdleImplementation | keyword | |
winlog.event_data.IdleStateCount | keyword | |
winlog.event_data.ImpersonationLevel | keyword | |
winlog.event_data.IntegrityLevel | keyword | |
winlog.event_data.IpAddress | keyword | |
winlog.event_data.IpPort | keyword | |
winlog.event_data.KeyLength | keyword | |
winlog.event_data.LastBootGood | keyword | |
winlog.event_data.LastShutdownGood | keyword | |
winlog.event_data.LmPackageName | keyword | |
winlog.event_data.LogonGuid | keyword | |
winlog.event_data.LogonId | keyword | |
winlog.event_data.LogonProcessName | keyword | |
winlog.event_data.LogonType | keyword | |
winlog.event_data.MajorVersion | keyword | |
winlog.event_data.MaximumPerformancePercent | keyword | |
winlog.event_data.MemberName | keyword | |
winlog.event_data.MemberSid | keyword | |
winlog.event_data.MinimumPerformancePercent | keyword | |
winlog.event_data.MinimumThrottlePercent | keyword | |
winlog.event_data.MinorVersion | keyword | |
winlog.event_data.NewProcessId | keyword | |
winlog.event_data.NewProcessName | keyword | |
winlog.event_data.NewSchemeGuid | keyword | |
winlog.event_data.NewTime | keyword | |
winlog.event_data.NominalFrequency | keyword | |
winlog.event_data.Number | keyword | |
winlog.event_data.OldSchemeGuid | keyword | |
winlog.event_data.OldTime | keyword | |
winlog.event_data.OriginalFileName | keyword | |
winlog.event_data.Path | keyword | |
winlog.event_data.PerformanceImplementation | keyword | |
winlog.event_data.PreviousCreationUtcTime | keyword | |
winlog.event_data.PreviousTime | keyword | |
winlog.event_data.PrivilegeList | keyword | |
winlog.event_data.ProcessId | keyword | |
winlog.event_data.ProcessName | keyword | |
winlog.event_data.ProcessPath | keyword | |
winlog.event_data.ProcessPid | keyword | |
winlog.event_data.Product | keyword | |
winlog.event_data.PuaCount | keyword | |
winlog.event_data.PuaPolicyId | keyword | |
winlog.event_data.QfeVersion | keyword | |
winlog.event_data.Reason | keyword | |
winlog.event_data.SchemaVersion | keyword | |
winlog.event_data.ScriptBlockText | keyword | |
winlog.event_data.ServiceName | keyword | |
winlog.event_data.ServiceVersion | keyword | |
winlog.event_data.ShutdownActionType | keyword | |
winlog.event_data.ShutdownEventCode | keyword | |
winlog.event_data.ShutdownReason | keyword | |
winlog.event_data.Signature | keyword | |
winlog.event_data.SignatureStatus | keyword | |
winlog.event_data.Signed | keyword | |
winlog.event_data.StartTime | keyword | |
winlog.event_data.State | keyword | |
winlog.event_data.Status | keyword | |
winlog.event_data.StopTime | keyword | |
winlog.event_data.SubjectDomainName | keyword | |
winlog.event_data.SubjectLogonId | keyword | |
winlog.event_data.SubjectUserName | keyword | |
winlog.event_data.SubjectUserSid | keyword | |
winlog.event_data.TSId | keyword | |
winlog.event_data.TargetDomainName | keyword | |
winlog.event_data.TargetInfo | keyword | |
winlog.event_data.TargetLogonGuid | keyword | |
winlog.event_data.TargetLogonId | keyword | |
winlog.event_data.TargetServerName | keyword | |
winlog.event_data.TargetUserName | keyword | |
winlog.event_data.TargetUserSid | keyword | |
winlog.event_data.TerminalSessionId | keyword | |
winlog.event_data.TokenElevationType | keyword | |
winlog.event_data.TransmittedServices | keyword | |
winlog.event_data.UserSid | keyword | |
winlog.event_data.Version | keyword | |
winlog.event_data.Workstation | keyword | |
winlog.event_data.param1 | keyword | |
winlog.event_data.param2 | keyword | |
winlog.event_data.param3 | keyword | |
winlog.event_data.param4 | keyword | |
winlog.event_data.param5 | keyword | |
winlog.event_data.param6 | keyword | |
winlog.event_data.param7 | keyword | |
winlog.event_data.param8 | keyword | |
winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword |
winlog.keywords | The keywords are used to classify an event. | keyword |
winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword |
winlog.process.pid | The process_id of the Client Server Runtime Process. | long |
winlog.process.thread.id | long | |
winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword |
winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword |
winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword |
winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their activity_id identifier. | keyword |
winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword |
winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the user.name , user.domain , and user.type fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword |
winlog.user.name | Name of the user associated with this event. | keyword |
winlog.user.type | The type of account associated with this event. | keyword |
winlog.user_data | The event specific data. This field is mutually exclusive with event_data . | object |
winlog.version | The version number of the event's definition. | long |
Security
The Windows security
data stream provides events from the Windows
Security
event log.
Supported operating systems
- Windows
An example event for security
looks as following:
{
"@timestamp": "2019-11-07T10:37:04.226Z",
"agent": {
"ephemeral_id": "7b61ba2a-a1b9-4711-87d0-1b3aad5afb85",
"id": "a152fcd9-5b11-4ed3-9958-e3a95043132d",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.8.0"
},
"data_stream": {
"dataset": "system.security",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "a152fcd9-5b11-4ed3-9958-e3a95043132d",
"snapshot": false,
"version": "8.8.0"
},
"event": {
"action": "logging-service-shutdown",
"agent_id_status": "verified",
"category": [
"process"
],
"code": "1100",
"created": "2023-07-18T12:31:50.439Z",
"dataset": "system.security",
"ingested": "2023-07-18T12:31:51Z",
"kind": "event",
"original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Eventlog' Guid='{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}'/><EventID>1100</EventID><Version>0</Version><Level>4</Level><Task>103</Task><Opcode>0</Opcode><Keywords>0x4020000000000000</Keywords><TimeCreated SystemTime='2019-11-07T10:37:04.226092500Z'/><EventRecordID>14257</EventRecordID><Correlation/><Execution ProcessID='1144' ThreadID='4532'/><Channel>Security</Channel><Computer>WIN-41OB2LO92CR.wlbeat.local</Computer><Security/></System><UserData><ServiceShutdown xmlns='http://manifests.microsoft.com/win/2004/08/windows/eventlog'></ServiceShutdown></UserData></Event>",
"outcome": "success",
"provider": "Microsoft-Windows-Eventlog",
"type": [
"end"
]
},
"host": {
"name": "WIN-41OB2LO92CR.wlbeat.local"
},
"input": {
"type": "httpjson"
},
"log": {
"level": "information"
},
"tags": [
"forwarded",
"preserve_original_event"
],
"winlog": {
"channel": "Security",
"computer_name": "WIN-41OB2LO92CR.wlbeat.local",
"event_id": "1100",
"keywords": [
"Audit Success"
],
"level": "information",
"opcode": "Info",
"outcome": "success",
"process": {
"pid": 1144,
"thread": {
"id": 4532
}
},
"provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
"provider_name": "Microsoft-Windows-Eventlog",
"record_id": "14257",
"time_created": "2019-11-07T10:37:04.226Z"
}
}
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Type of Filebeat input. | keyword |
process.executable | Absolute path to the process executable. | keyword |
process.executable.caseless | Multi-field of process.executable . | keyword |
process.executable.text | Multi-field of process.executable . | match_only_text |
process.name | Process name. Sometimes called program name or similar. | keyword |
process.name.caseless | Multi-field of process.name . | keyword |
process.name.text | Multi-field of process.name . | match_only_text |
winlog.activity_id | A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. | keyword |
winlog.api | The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. | keyword |
winlog.channel | The name of the channel from which this record was read. This value is one of the names from the event_logs collection in the configuration. | keyword |
winlog.computerObject.domain | keyword | |
winlog.computerObject.id | keyword | |
winlog.computerObject.name | keyword | |
winlog.computer_name | The name of the computer that generated the record. When using Windows event forwarding, this name can differ from agent.hostname . | keyword |
winlog.event_data | The event-specific data. This field is mutually exclusive with user_data . If you are capturing event data on versions prior to Windows Vista, the parameters in event_data are named param1 , param2 , and so on, because event log parameters are unnamed in earlier versions of Windows. | object |
winlog.event_data.AccessGranted | keyword | |
winlog.event_data.AccessList | keyword | |
winlog.event_data.AccessListDescription | keyword | |
winlog.event_data.AccessMask | keyword | |
winlog.event_data.AccessMaskDescription | keyword | |
winlog.event_data.AccessReason | keyword | |
winlog.event_data.AccessRemoved | keyword | |
winlog.event_data.AccountDomain | keyword | |
winlog.event_data.AccountExpires | keyword | |
winlog.event_data.AccountName | keyword | |
winlog.event_data.AllowedToDelegateTo | keyword | |
winlog.event_data.Application | keyword | |
winlog.event_data.AttributeValue | keyword | |
winlog.event_data.AttributeValue.wildcard | Multi-field of winlog.event_data.AttributeValue . | wildcard |
winlog.event_data.AuditPolicyChanges | keyword | |
winlog.event_data.AuditPolicyChangesDescription | keyword | |
winlog.event_data.AuditSourceName | keyword | |
winlog.event_data.AuthenticationPackageName | keyword | |
winlog.event_data.Binary | keyword | |
winlog.event_data.BitlockerUserInputTime | keyword | |
winlog.event_data.BootMode | keyword | |
winlog.event_data.BootType | keyword | |
winlog.event_data.BuildVersion | keyword | |
winlog.event_data.CallerProcessId | keyword | |
winlog.event_data.CallerProcessName | keyword | |
winlog.event_data.Category | keyword | |
winlog.event_data.CategoryId | keyword | |
winlog.event_data.ClientAddress | keyword | |
winlog.event_data.ClientName | keyword | |
winlog.event_data.ClientProcessId | keyword | |
winlog.event_data.CommandLine | keyword | |
winlog.event_data.Company | keyword | |
winlog.event_data.ComputerAccountChange | keyword | |
winlog.event_data.CorruptionActionState | keyword | |
winlog.event_data.CountOfCredentialsReturned | keyword | |
winlog.event_data.CrashOnAuditFailValue | keyword | |
winlog.event_data.CreationUtcTime | keyword | |
winlog.event_data.CurrentProfile | keyword | |
winlog.event_data.Description | keyword | |
winlog.event_data.DestAddress | keyword | |
winlog.event_data.DestPort | keyword | |
winlog.event_data.Detail | keyword | |
winlog.event_data.DeviceName | keyword | |
winlog.event_data.DeviceNameLength | keyword | |
winlog.event_data.DeviceTime | keyword | |
winlog.event_data.DeviceVersionMajor | keyword | |
winlog.event_data.DeviceVersionMinor | keyword | |
winlog.event_data.Direction | keyword | |
winlog.event_data.DisplayName | keyword | |
winlog.event_data.DnsHostName | keyword | |
winlog.event_data.DomainBehaviorVersion | keyword | |
winlog.event_data.DomainName | keyword | |
winlog.event_data.DomainPolicyChanged | keyword | |
winlog.event_data.DomainSid | keyword | |
winlog.event_data.DriveName | keyword | |
winlog.event_data.DriverName | keyword | |
winlog.event_data.DriverNameLength | keyword | |
winlog.event_data.Dummy | keyword | |
winlog.event_data.DwordVal | keyword | |
winlog.event_data.EnabledPrivilegeList | keyword | |
winlog.event_data.EntryCount | keyword | |
winlog.event_data.EventSourceId | keyword | |
winlog.event_data.ExtraInfo | keyword | |
winlog.event_data.FailureName | keyword | |
winlog.event_data.FailureNameLength | keyword | |
winlog.event_data.FailureReason | keyword | |
winlog.event_data.FileVersion | keyword | |
winlog.event_data.FilterOrigin | keyword | |
winlog.event_data.FilterRTID | keyword | |
winlog.event_data.FinalStatus | keyword | |
winlog.event_data.Flags | keyword | |
winlog.event_data.Group | keyword | |
winlog.event_data.GroupTypeChange | keyword | |
winlog.event_data.HandleId | keyword | |
winlog.event_data.HasRemoteDynamicKeywordAddress | keyword | |
winlog.event_data.HomeDirectory | keyword | |
winlog.event_data.HomePath | keyword | |
winlog.event_data.Identity | keyword | |
winlog.event_data.IdleImplementation | keyword | |
winlog.event_data.IdleStateCount | keyword | |
winlog.event_data.ImpersonationLevel | keyword | |
winlog.event_data.IntegrityLevel | keyword | |
winlog.event_data.InterfaceIndex | keyword | |
winlog.event_data.IpAddress | keyword | |
winlog.event_data.IpPort | keyword | |
winlog.event_data.IsLoopback | keyword | |
winlog.event_data.KerberosPolicyChange | keyword | |
winlog.event_data.KeyLength | keyword | |
winlog.event_data.LastBootGood | keyword | |
winlog.event_data.LastShutdownGood | keyword | |
winlog.event_data.LayerName | keyword | |
winlog.event_data.LayerNameDescription | keyword | |
winlog.event_data.LayerRTID | keyword | |
winlog.event_data.LmPackageName | keyword | |
winlog.event_data.LogonGuid | keyword | |
winlog.event_data.LogonHours | keyword | |
winlog.event_data.LogonID | keyword | |
winlog.event_data.LogonId | keyword | |
winlog.event_data.LogonProcessName | keyword | |
winlog.event_data.LogonType | keyword | |
winlog.event_data.MachineAccountQuota | keyword | |
winlog.event_data.MajorVersion | keyword | |
winlog.event_data.MandatoryLabel | keyword | |
winlog.event_data.MaximumPerformancePercent | keyword | |
winlog.event_data.MemberName | keyword | |
winlog.event_data.MemberSid | keyword | |
winlog.event_data.MinimumPerformancePercent | keyword | |
winlog.event_data.MinimumThrottlePercent | keyword | |
winlog.event_data.MinorVersion | keyword | |
winlog.event_data.MixedDomainMode | keyword | |
winlog.event_data.NewProcessId | keyword | |
winlog.event_data.NewProcessName | keyword | |
winlog.event_data.NewSchemeGuid | keyword | |
winlog.event_data.NewSd | keyword | |
winlog.event_data.NewSdDacl0 | keyword | |
winlog.event_data.NewSdDacl1 | keyword | |
winlog.event_data.NewSdDacl2 | keyword | |
winlog.event_data.NewSdSacl0 | keyword | |
winlog.event_data.NewSdSacl1 | keyword | |
winlog.event_data.NewSdSacl2 | keyword | |
winlog.event_data.NewTargetUserName | keyword | |
winlog.event_data.NewTime | keyword | |
winlog.event_data.NewUACList | keyword | |
winlog.event_data.NewUacValue | keyword | |
winlog.event_data.NominalFrequency | keyword | |
winlog.event_data.Number | keyword | |
winlog.event_data.ObjectName | keyword | |
winlog.event_data.ObjectServer | keyword | |
winlog.event_data.ObjectType | keyword | |
winlog.event_data.OemInformation | keyword | |
winlog.event_data.OldSchemeGuid | keyword | |
winlog.event_data.OldSd | keyword | |
winlog.event_data.OldSdDacl0 | keyword | |
winlog.event_data.OldSdDacl1 | keyword | |
winlog.event_data.OldSdDacl2 | keyword | |
winlog.event_data.OldSdSacl0 | keyword | |
winlog.event_data.OldSdSacl1 | keyword | |
winlog.event_data.OldSdSacl2 | keyword | |
winlog.event_data.OldTargetUserName | keyword | |
winlog.event_data.OldTime | keyword | |
winlog.event_data.OldUacValue | keyword | |
winlog.event_data.OriginalFileName | keyword | |
winlog.event_data.OriginalProfile | keyword | |
winlog.event_data.PackageName | keyword | |
winlog.event_data.ParentProcessName | keyword | |
winlog.event_data.PasswordHistoryLength | keyword | |
winlog.event_data.PasswordLastSet | keyword | |
winlog.event_data.Path | keyword | |
winlog.event_data.PerformanceImplementation | keyword | |
winlog.event_data.PreAuthType | keyword | |
winlog.event_data.PreviousCreationUtcTime | keyword | |
winlog.event_data.PreviousTime | keyword | |
winlog.event_data.PrimaryGroupId | keyword | |
winlog.event_data.PrivilegeList | keyword | |
winlog.event_data.ProcessCreationTime | keyword | |
winlog.event_data.ProcessID | keyword | |
winlog.event_data.ProcessId | keyword | |
winlog.event_data.ProcessName | keyword | |
winlog.event_data.ProcessPath | keyword | |
winlog.event_data.ProcessPid | keyword | |
winlog.event_data.Product | keyword | |
winlog.event_data.ProfilePath | keyword | |
winlog.event_data.Protocol | keyword | |
winlog.event_data.PuaCount | keyword | |
winlog.event_data.PuaPolicyId | keyword | |
winlog.event_data.QfeVersion | keyword | |
winlog.event_data.ReadOperation | keyword | |
winlog.event_data.Reason | keyword | |
winlog.event_data.RelativeTargetName | keyword | |
winlog.event_data.RemoteMachineDescription | keyword | |
winlog.event_data.RemoteMachineID | keyword | |
winlog.event_data.RemoteUserDescription | keyword | |
winlog.event_data.RemoteUserID | keyword | |
winlog.event_data.Resource | keyword | |
winlog.event_data.ResourceAttributes | keyword | |
winlog.event_data.ReturnCode | keyword | |
winlog.event_data.SamAccountName | keyword | |
winlog.event_data.Schema | keyword | |
winlog.event_data.SchemaFriendlyName | keyword | |
winlog.event_data.SchemaVersion | keyword | |
winlog.event_data.ScriptBlockText | keyword | |
winlog.event_data.ScriptPath | keyword | |
winlog.event_data.SearchString | keyword | |
winlog.event_data.Service | keyword | |
winlog.event_data.ServiceAccount | keyword | |
winlog.event_data.ServiceFileName | keyword | |
winlog.event_data.ServiceName | keyword | |
winlog.event_data.ServicePrincipalNames | keyword | |
winlog.event_data.ServiceSid | keyword | |
winlog.event_data.ServiceStartType | keyword | |
winlog.event_data.ServiceType | keyword | |
winlog.event_data.ServiceVersion | keyword | |
winlog.event_data.SessionName | keyword | |
winlog.event_data.ShareLocalPath | keyword | |
winlog.event_data.ShareName | keyword | |
winlog.event_data.ShutdownActionType | keyword | |
winlog.event_data.ShutdownEventCode | keyword | |
winlog.event_data.ShutdownReason | keyword | |
winlog.event_data.SidFilteringEnabled | keyword | |
winlog.event_data.SidHistory | keyword | |
winlog.event_data.Signature | keyword | |
winlog.event_data.SignatureStatus | keyword | |
winlog.event_data.Signed | keyword | |
winlog.event_data.SourceAddress | keyword | |
winlog.event_data.SourcePort | keyword | |
winlog.event_data.StartTime | keyword | |
winlog.event_data.State | keyword | |
winlog.event_data.Status | keyword | |
winlog.event_data.StatusDescription | keyword | |
winlog.event_data.StopTime | keyword | |
winlog.event_data.SubCategory | keyword | |
winlog.event_data.SubCategoryGuid | keyword | |
winlog.event_data.SubCategoryId | keyword | |
winlog.event_data.SubStatus | keyword | |
winlog.event_data.SubcategoryGuid | keyword | |
winlog.event_data.SubcategoryId | keyword | |
winlog.event_data.SubjectDomainName | keyword | |
winlog.event_data.SubjectLogonId | keyword | |
winlog.event_data.SubjectUserName | keyword | |
winlog.event_data.SubjectUserSid | keyword | |
winlog.event_data.TSId | keyword | |
winlog.event_data.TargetDomainName | keyword | |
winlog.event_data.TargetInfo | keyword | |
winlog.event_data.TargetLogonGuid | keyword | |
winlog.event_data.TargetLogonId | keyword | |
winlog.event_data.TargetName | keyword | |
winlog.event_data.TargetServerName | keyword | |
winlog.event_data.TargetSid | keyword | |
winlog.event_data.TargetUserName | keyword | |
winlog.event_data.TargetUserSid | keyword | |
winlog.event_data.TdoAttributes | keyword | |
winlog.event_data.TdoDirection | keyword | |
winlog.event_data.TdoType | keyword | |
winlog.event_data.TerminalSessionId | keyword | |
winlog.event_data.TicketEncryptionType | keyword | |
winlog.event_data.TicketEncryptionTypeDescription | keyword | |
winlog.event_data.TicketOptions | keyword | |
winlog.event_data.TicketOptionsDescription | keyword | |
winlog.event_data.TokenElevationType | keyword | |
winlog.event_data.TransmittedServices | keyword | |
winlog.event_data.Type | keyword | |
winlog.event_data.UserAccountControl | keyword | |
winlog.event_data.UserParameters | keyword | |
winlog.event_data.UserPrincipalName | keyword | |
winlog.event_data.UserSid | keyword | |
winlog.event_data.UserWorkstations | keyword | |
winlog.event_data.Version | keyword | |
winlog.event_data.Workstation | keyword | |
winlog.event_data.WorkstationName | keyword | |
winlog.event_data.param1 | keyword | |
winlog.event_data.param2 | keyword | |
winlog.event_data.param3 | keyword | |
winlog.event_data.param4 | keyword | |
winlog.event_data.param5 | keyword | |
winlog.event_data.param6 | keyword | |
winlog.event_data.param7 | keyword | |
winlog.event_data.param8 | keyword | |
winlog.event_id | The event identifier. The value is specific to the source of the event. | keyword |
winlog.keywords | The keywords are used to classify an event. | keyword |
winlog.level | The event severity. Levels are Critical, Error, Warning and Information, Verbose | keyword |
winlog.logon.failure.reason | The reason the logon failed. | keyword |
winlog.logon.failure.status | The reason the logon failed. This is textual description based on the value of the hexadecimal Status field. | keyword |
winlog.logon.failure.sub_status | Additional information about the logon failure. This is a textual description based on the value of the hexidecimal SubStatus field. | keyword |
winlog.logon.id | Logon ID that can be used to associate this logon with other events related to the same logon session. | keyword |
winlog.logon.type | Logon type name. This is the descriptive version of the winlog.event_data.LogonType ordinal. This is an enrichment added by the Security module. | keyword |
winlog.opcode | The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. | keyword |
winlog.outcome | Success or Failure of the event. | keyword |
winlog.process.pid | The process_id of the Client Server Runtime Process. | long |
winlog.process.thread.id | long | |
winlog.provider_guid | A globally unique identifier that identifies the provider that logged the event. | keyword |
winlog.provider_name | The source of the event log record (the application or service that logged the record). | keyword |
winlog.record_id | The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. | keyword |
winlog.related_activity_id | A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their activity_id identifier. | keyword |
winlog.task | The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. | keyword |
winlog.time_created | Time event was created | date |
winlog.trustAttribute | keyword | |
winlog.trustDirection | keyword | |
winlog.trustType | keyword | |
winlog.user.domain | The domain that the account associated with this event is a member of. | keyword |
winlog.user.identifier | The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the user.name , user.domain , and user.type fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. | keyword |
winlog.user.name | Name of the user associated with this event. | keyword |
winlog.user.type | The type of account associated with this event. | keyword |
winlog.user_data | The event specific data. This field is mutually exclusive with event_data . | object |
winlog.user_data.BackupPath | keyword | |
winlog.user_data.Channel | keyword | |
winlog.user_data.SubjectDomainName | keyword | |
winlog.user_data.SubjectLogonId | keyword | |
winlog.user_data.SubjectUserName | keyword | |
winlog.user_data.SubjectUserSid | keyword | |
winlog.user_data.xml_name | keyword | |
winlog.version | The version number of the event's definition. | long |
Auth
The auth
data stream provides auth logs.
Supported operating systems
- macOS prior to 10.8
- Linux
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Input type | keyword |
log.offset | Log offset | long |
system.auth.ssh.dropped_ip | The client IP from SSH connections that are open and immediately dropped. | ip |
system.auth.ssh.event | The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) | keyword |
system.auth.ssh.method | The SSH authentication method. Can be one of "password" or "publickey". | keyword |
system.auth.ssh.signature | The signature of the client public key. | keyword |
system.auth.sudo.command | The command executed via sudo. | keyword |
system.auth.sudo.error | The error message in case the sudo command failed. | keyword |
system.auth.sudo.pwd | The current directory where the sudo command is executed. | keyword |
system.auth.sudo.tty | The TTY where the sudo command is executed. | keyword |
system.auth.sudo.user | The target user to which the sudo command is switching. | keyword |
system.auth.syslog.version | keyword | |
system.auth.useradd.home | The home folder for the new user. | keyword |
system.auth.useradd.shell | The default shell for the new user. | keyword |
version | Operating system version as a raw string. | keyword |
syslog
The syslog
data stream provides system logs.
Supported operating systems
- macOS
- Linux
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
cloud.image.id | Image ID for the cloud instance. | keyword |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | constant_keyword |
host.containerized | If the host is a container. | boolean |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
input.type | Input type | keyword |
log.offset | Log offset | long |
Metrics reference
Core
The System core
data stream provides usage statistics for each CPU core.
Supported operating systems
- FreeBSD
- Linux
- macOS
- OpenBSD
- Windows
Permissions
This data should be available without elevated permissions.
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
Exported fields
Field | Description | Type | Unit | Metric Type |
---|---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | ||
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | ||
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | ||
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | ||
cloud.image.id | Image ID for the cloud instance. | keyword | ||
cloud.instance.id | Instance ID of the host machine. | keyword | ||
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | ||
cloud.region | Region in which this host, resource, or service is located. | keyword | ||
container.id | Unique container id. | keyword | ||
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | ||
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | ||
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | constant_keyword | ||
host.containerized | If the host is a container. | boolean | ||
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | ||
host.os.build | OS build information. | keyword | ||
host.os.codename | OS codename, if any. | keyword | ||
system.core.id | CPU Core number. | keyword | ||
system.core.idle.pct | The percentage of CPU time spent idle. | scaled_float | percent | gauge |
system.core.idle.ticks | The amount of CPU time spent idle. | long | counter | |
system.core.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | percent | gauge |
system.core.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | counter | |
system.core.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | percent | gauge |
system.core.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | counter | |
system.core.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | percent | gauge |
system.core.nice.ticks | The amount of CPU time spent on low-priority processes. | long | counter | |
system.core.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | percent | gauge |
system.core.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | counter | |
system.core.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | percent | gauge |
system.core.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | counter | |
system.core.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | percent | gauge |
system.core.system.ticks | The amount of CPU time spent in kernel space. | long | counter | |
system.core.user.pct | The percentage of CPU time spent in user space. | scaled_float | percent | gauge |
system.core.user.ticks | The amount of CPU time spent in user space. | long | counter |
CPU
The System cpu
data stream provides CPU statistics.
Supported operating systems
- FreeBSD
- Linux
- macOS
- OpenBSD
- Windows
Permissions
This data should be available without elevated permissions.
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
Exported fields
Field | Description | Type | Unit | Metric Type |
---|---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | ||
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | ||
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | ||
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | ||
cloud.image.id | Image ID for the cloud instance. | keyword | ||
cloud.instance.id | Instance ID of the host machine. | keyword | ||
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | ||
cloud.region | Region in which this host, resource, or service is located. | keyword | ||
container.id | Unique container id. | keyword | ||
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | ||
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | ||
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | constant_keyword | ||
host.containerized | If the host is a container. | boolean | ||
host.cpu.pct | Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | percent | gauge |
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | ||
host.os.build | OS build information. | keyword | ||
host.os.codename | OS codename, if any. | keyword | ||
system.cpu.cores | The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of 100% \* cores . The normalized percentages already take this value into account and have a maximum value of 100%. | long | gauge | |
system.cpu.idle.norm.pct | The percentage of CPU time spent idle. | scaled_float | percent | gauge |
system.cpu.idle.pct | The percentage of CPU time spent idle. | scaled_float | percent | gauge |
system.cpu.idle.ticks | The amount of CPU time spent idle. | long | counter | |
system.cpu.iowait.norm.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | percent | gauge |
system.cpu.iowait.pct | The percentage of CPU time spent in wait (on disk). | scaled_float | percent | gauge |
system.cpu.iowait.ticks | The amount of CPU time spent in wait (on disk). | long | counter | |
system.cpu.irq.norm.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | percent | gauge |
system.cpu.irq.pct | The percentage of CPU time spent servicing and handling hardware interrupts. | scaled_float | percent | gauge |
system.cpu.irq.ticks | The amount of CPU time spent servicing and handling hardware interrupts. | long | counter | |
system.cpu.nice.norm.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | percent | gauge |
system.cpu.nice.pct | The percentage of CPU time spent on low-priority processes. | scaled_float | percent | gauge |
system.cpu.nice.ticks | The amount of CPU time spent on low-priority processes. | long | counter | |
system.cpu.softirq.norm.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | percent | gauge |
system.cpu.softirq.pct | The percentage of CPU time spent servicing and handling software interrupts. | scaled_float | percent | gauge |
system.cpu.softirq.ticks | The amount of CPU time spent servicing and handling software interrupts. | long | counter | |
system.cpu.steal.norm.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | percent | gauge |
system.cpu.steal.pct | The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | scaled_float | percent | gauge |
system.cpu.steal.ticks | The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. | long | counter | |
system.cpu.system.norm.pct | The percentage of CPU time spent in kernel space. | scaled_float | percent | gauge |
system.cpu.system.pct | The percentage of CPU time spent in kernel space. | scaled_float | percent | gauge |
system.cpu.system.ticks | The amount of CPU time spent in kernel space. | long | counter | |
system.cpu.total.norm.pct | The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. | scaled_float | percent | gauge |
system.cpu.total.pct | The percentage of CPU time spent in states other than Idle and IOWait. | scaled_float | percent | gauge |
system.cpu.user.norm.pct | The percentage of CPU time spent in user space. | scaled_float | percent | gauge |
system.cpu.user.pct | The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the system.cpu.user.pct will be 180%. | scaled_float | percent | gauge |
system.cpu.user.ticks | The amount of CPU time spent in user space. | long | counter |
Disk IO
The System diskio
data stream provides disk IO metrics collected from the
operating system. One event is created for each disk mounted on the system.
Note: For retrieving Linux-specific disk I/O metrics, use the Linux integration.
Supported operating systems
- Linux
- macOS (requires 10.10+)
- Windows
- FreeBSD (amd64)
Permissions
This data should be available without elevated permissions.
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
Exported fields
Field | Description | Type | Unit | Metric Type |
---|---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | ||
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | ||
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | ||
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | ||
cloud.image.id | Image ID for the cloud instance. | keyword | ||
cloud.instance.id | Instance ID of the host machine. | keyword | ||
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | ||
cloud.region | Region in which this host, resource, or service is located. | keyword | ||
container.id | Unique container id. | keyword | ||
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | ||
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | ||
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | constant_keyword | ||
host.containerized | If the host is a container. | boolean | ||
host.disk.read.bytes | The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection. | long | byte | gauge |
host.disk.write.bytes | The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection. | long | byte | gauge |
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | ||
host.os.build | OS build information. | keyword | ||
host.os.codename | OS codename, if any. | keyword | ||
system.diskio.io.time | The total amount of time in milliseconds spent doing I/Os. | long | counter | |
system.diskio.name | The disk name. | keyword | ||
system.diskio.read.bytes | The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. | long | byte | counter |
system.diskio.read.count | The total number of reads completed successfully. | long | counter | |
system.diskio.read.time | The total amount of time in milliseconds spent by all reads. | long | counter | |
system.diskio.serial_number | The disk's serial number. This may not be provided by all operating systems. | keyword | ||
system.diskio.write.bytes | The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. | long | byte | counter |
system.diskio.write.count | The total number of writes completed successfully. | long | counter | |
system.diskio.write.time | The total amount of time in milliseconds spent by all writes. | long | counter |
Filesystem
The System filesystem
data stream provides file system statistics. For each file
system, one document is provided.
Supported operating systems
- FreeBSD
- Linux
- macOS
- OpenBSD
- Windows
Permissions
This data should be available without elevated permissions.
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
Exported fields
Field | Description | Type | Unit | Metric Type |
---|---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | ||
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | ||
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | ||
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | ||
cloud.image.id | Image ID for the cloud instance. | keyword | ||
cloud.instance.id | Instance ID of the host machine. | keyword | ||
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | ||
cloud.region | Region in which this host, resource, or service is located. | keyword | ||
container.id | Unique container id. | keyword | ||
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | ||
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | ||
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | constant_keyword | ||
host.containerized | If the host is a container. | boolean | ||
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | ||
host.os.build | OS build information. | keyword | ||
host.os.codename | OS codename, if any. | keyword | ||
system.filesystem.available | The disk space available to an unprivileged user in bytes. | long | byte | gauge |
system.filesystem.device_name | The disk name. For example: /dev/disk1 | keyword | ||
system.filesystem.files | The total number of file nodes in the file system. | long | gauge | |
system.filesystem.free | The disk space available in bytes. | long | byte | gauge |
system.filesystem.free_files | The number of free file nodes in the file system. | long | gauge | |
system.filesystem.mount_point | The mounting point. For example: / | keyword | ||
system.filesystem.total | The total disk space in bytes. | long | byte | gauge |
system.filesystem.type | The disk type. For example: ext4 | keyword | ||
system.filesystem.used.bytes | The used disk space in bytes. | long | byte | gauge |
system.filesystem.used.pct | The percentage of used disk space. | scaled_float | percent | gauge |
Fsstat
The System fsstat
data stream provides overall file system statistics.
Supported operating systems
- FreeBSD
- Linux
- macOS
- OpenBSD
- Windows
Permissions
This data should be available without elevated permissions.
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
Exported fields
Field | Description | Type | Unit | Metric Type |
---|---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | ||
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | ||
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | ||
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | ||
cloud.image.id | Image ID for the cloud instance. | keyword | ||
cloud.instance.id | Instance ID of the host machine. | keyword | ||
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | ||
cloud.region | Region in which this host, resource, or service is located. | keyword | ||
container.id | Unique container id. | keyword | ||
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | ||
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | ||
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | constant_keyword | ||
host.containerized | If the host is a container. | boolean | ||
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | ||
host.os.build | OS build information. | keyword | ||
host.os.codename | OS codename, if any. | keyword | ||
system.fsstat.count | Number of file systems found. | long | gauge | |
system.fsstat.total_files | Total number of files. | long | gauge | |
system.fsstat.total_size.free | Total free space. | long | byte | gauge |
system.fsstat.total_size.total | Total space (used plus free). | long | byte | gauge |
system.fsstat.total_size.used | Total used space. | long | byte | gauge |
Load
The System load
data stream provides load statistics.
Supported operating systems
- FreeBSD
- Linux
- macOS
- OpenBSD
Permissions
This data should be available without elevated permissions.
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
Exported fields
Field | Description | Type | Metric Type |
---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | |
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | |
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | |
cloud.image.id | Image ID for the cloud instance. | keyword | |
cloud.instance.id | Instance ID of the host machine. | keyword | |
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
cloud.region | Region in which this host, resource, or service is located. | keyword | |
container.id | Unique container id. | keyword | |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | |
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | |
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | constant_keyword | |
host.containerized | If the host is a container. | boolean | |
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | |
host.os.build | OS build information. | keyword | |
host.os.codename | OS codename, if any. | keyword | |
system.load.1 | Load average for the last minute. | scaled_float | gauge |
system.load.15 | Load average for the last 15 minutes. | scaled_float | gauge |
system.load.5 | Load average for the last 5 minutes. | scaled_float | gauge |
system.load.cores | The number of CPU cores present on the host. | long | gauge |
system.load.norm.1 | Load for the last minute divided by the number of cores. | scaled_float | gauge |
system.load.norm.15 | Load for the last 15 minutes divided by the number of cores. | scaled_float | gauge |
system.load.norm.5 | Load for the last 5 minutes divided by the number of cores. | scaled_float | gauge |
Memory
The System memory
data stream provides memory statistics.
Note: For retrieving Linux-specific memory metrics, use the Linux integration.
Supported operating systems
- FreeBSD
- Linux
- macOS
- OpenBSD
- Windows
Permissions
This data should be available without elevated permissions.
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
Exported fields
Field | Description | Type | Unit | Metric Type |
---|---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | ||
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | ||
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | ||
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | ||
cloud.image.id | Image ID for the cloud instance. | keyword | ||
cloud.instance.id | Instance ID of the host machine. | keyword | ||
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | ||
cloud.region | Region in which this host, resource, or service is located. | keyword | ||
container.id | Unique container id. | keyword | ||
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | ||
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | ||
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | constant_keyword | ||
host.containerized | If the host is a container. | boolean | ||
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | ||
host.os.build | OS build information. | keyword | ||
host.os.codename | OS codename, if any. | keyword | ||
system.memory.actual.free | Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to system.memory.free . | long | byte | gauge |
system.memory.actual.used.bytes | Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check system.actual.free . | long | byte | gauge |
system.memory.actual.used.pct | The percentage of actual used memory. | scaled_float | percent | gauge |
system.memory.free | The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). | long | byte | gauge |
system.memory.swap.free | Available swap memory. | long | byte | gauge |
system.memory.swap.total | Total swap memory. | long | byte | gauge |
system.memory.swap.used.bytes | Used swap memory. | long | byte | gauge |
system.memory.swap.used.pct | The percentage of used swap memory. | scaled_float | percent | gauge |
system.memory.total | Total memory. | long | byte | gauge |
system.memory.used.bytes | Used memory. | long | byte | gauge |
system.memory.used.pct | The percentage of used memory. | scaled_float | percent | gauge |
Network
The System network
data stream provides network IO metrics collected from the
operating system. One event is created for each network interface.
Supported operating systems
- FreeBSD
- Linux
- macOS
- Windows
Permissions
This data should be available without elevated permissions.
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
Exported fields
Field | Description | Type | Unit | Metric Type |
---|---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | ||
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | ||
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | ||
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | ||
cloud.image.id | Image ID for the cloud instance. | keyword | ||
cloud.instance.id | Instance ID of the host machine. | keyword | ||
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | ||
cloud.region | Region in which this host, resource, or service is located. | keyword | ||
container.id | Unique container id. | keyword | ||
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | ||
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | ||
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | constant_keyword | ||
host.containerized | If the host is a container. | boolean | ||
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | ||
host.network.in.bytes | The number of bytes received on all network interfaces by the host in a given period of time. | long | byte | counter |
host.network.in.packets | The number of packets received on all network interfaces by the host in a given period of time. | long | counter | |
host.network.out.bytes | The number of bytes sent out on all network interfaces by the host in a given period of time. | long | byte | counter |
host.network.out.packets | The number of packets sent out on all network interfaces by the host in a given period of time. | long | counter | |
host.os.build | OS build information. | keyword | ||
host.os.codename | OS codename, if any. | keyword | ||
system.network.in.bytes | The number of bytes received. | long | byte | counter |
system.network.in.dropped | The number of incoming packets that were dropped. | long | counter | |
system.network.in.errors | The number of errors while receiving. | long | counter | |
system.network.in.packets | The number or packets received. | long | counter | |
system.network.name | The network interface name. | keyword | ||
system.network.out.bytes | The number of bytes sent. | long | byte | counter |
system.network.out.dropped | The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. | long | counter | |
system.network.out.errors | The number of errors while sending. | long | counter | |
system.network.out.packets | The number of packets sent. | long | counter |
Process
The System process
data stream provides process statistics. One document is
provided for each process.
Supported operating systems
- FreeBSD
- Linux
- macOS
- Windows
Permissions
Process execution data should be available for an authorized user. If running as less privileged user, it may not be able to read process data belonging to other users.
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
Exported fields
Field | Description | Type | Unit | Metric Type |
---|---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | ||
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | ||
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | ||
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | ||
cloud.image.id | Image ID for the cloud instance. | keyword | ||
cloud.instance.id | Instance ID of the host machine. | keyword | ||
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | ||
cloud.region | Region in which this host, resource, or service is located. | keyword | ||
container.id | Unique container id. | keyword | ||
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | ||
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | ||
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | constant_keyword | ||
host.containerized | If the host is a container. | boolean | ||
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | ||
host.os.build | OS build information. | keyword | ||
host.os.codename | OS codename, if any. | keyword | ||
host.os.version | Operating system version as a raw string. | keyword | ||
process.cpu.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1. | scaled_float | ||
process.cpu.start_time | The time when the process was started. | date | ||
process.memory.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | ||
process.pid | Process id. | long | ||
process.state | The process state. For example: "running". | keyword | ||
system.process.cgroup.blkio.id | ID of the cgroup. | keyword | ||
system.process.cgroup.blkio.path | Path to the cgroup relative to the cgroup subsystems mountpoint. | keyword | ||
system.process.cgroup.blkio.total.bytes | Total number of bytes transferred to and from all block devices by processes in the cgroup. | long | counter | |
system.process.cgroup.blkio.total.ios | Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. | long | counter | |
system.process.cgroup.cgroups_version | The version of cgroups reported for the process | long | ||
system.process.cgroup.cpu.cfs.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. | long | gauge | |
system.process.cgroup.cpu.cfs.quota.us | Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). | long | gauge | |
system.process.cgroup.cpu.cfs.shares | An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. | long | gauge | |
system.process.cgroup.cpu.id | ID of the cgroup. | keyword | ||
system.process.cgroup.cpu.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | ||
system.process.cgroup.cpu.pressure.full.10.pct | Pressure over 10 seconds | float | gauge | |
system.process.cgroup.cpu.pressure.full.300.pct | Pressure over 300 seconds | float | gauge | |
system.process.cgroup.cpu.pressure.full.60.pct | Pressure over 60 seconds | float | gauge | |
system.process.cgroup.cpu.pressure.full.total | total Full pressure time | long | counter | |
system.process.cgroup.cpu.pressure.some.10.pct | Pressure over 10 seconds | float | gauge | |
system.process.cgroup.cpu.pressure.some.300.pct | Pressure over 300 seconds | float | gauge | |
system.process.cgroup.cpu.pressure.some.60.pct | Pressure over 60 seconds | float | gauge | |
system.process.cgroup.cpu.pressure.some.total | total Some pressure time | long | counter | |
system.process.cgroup.cpu.rt.period.us | Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. | long | gauge | |
system.process.cgroup.cpu.rt.runtime.us | Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. | long | gauge | |
system.process.cgroup.cpu.stats.periods | Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. | long | counter | |
system.process.cgroup.cpu.stats.system.norm.pct | cgroups v2 normalized system time | float | gauge | |
system.process.cgroup.cpu.stats.system.ns | cgroups v2 system time in nanoseconds | long | counter | |
system.process.cgroup.cpu.stats.system.pct | cgroups v2 system time | float | gauge | |
system.process.cgroup.cpu.stats.throttled.ns | The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. | long | counter | |
system.process.cgroup.cpu.stats.throttled.periods | Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). | long | counter | |
system.process.cgroup.cpu.stats.throttled.us | The total time duration (in microseconds) for which tasks in a cgroup have been throttled, as reported by cgroupsv2 | long | counter | |
system.process.cgroup.cpu.stats.usage.norm.pct | cgroups v2 normalized usage | float | gauge | |
system.process.cgroup.cpu.stats.usage.ns | cgroups v2 usage in nanoseconds | long | counter | |
system.process.cgroup.cpu.stats.usage.pct | cgroups v2 usage | float | gauge | |
system.process.cgroup.cpu.stats.user.norm.pct | cgroups v2 normalized cpu user time | float | gauge | |
system.process.cgroup.cpu.stats.user.ns | cgroups v2 cpu user time in nanoseconds | long | counter | |
system.process.cgroup.cpu.stats.user.pct | cgroups v2 cpu user time | float | gauge | |
system.process.cgroup.cpuacct.id | ID of the cgroup. | keyword | ||
system.process.cgroup.cpuacct.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | ||
system.process.cgroup.cpuacct.percpu | CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. | object | gauge | |
system.process.cgroup.cpuacct.stats.system.norm.pct | Time the cgroup spent in kernel space, as a percentage of total CPU time, normalized by CPU count. | scaled_float | gauge | |
system.process.cgroup.cpuacct.stats.system.ns | CPU time consumed by tasks in user (kernel) mode. | long | counter | |
system.process.cgroup.cpuacct.stats.system.pct | Time the cgroup spent in kernel space, as a percentage of total CPU time | scaled_float | gauge | |
system.process.cgroup.cpuacct.stats.user.norm.pct | time the cgroup spent in user space, as a percentage of total CPU time, normalized by CPU count. | scaled_float | gauge | |
system.process.cgroup.cpuacct.stats.user.ns | CPU time consumed by tasks in user mode. | long | counter | |
system.process.cgroup.cpuacct.stats.user.pct | time the cgroup spent in user space, as a percentage of total CPU time | scaled_float | gauge | |
system.process.cgroup.cpuacct.total.norm.pct | CPU time of the cgroup as a percentage of overall CPU time, normalized by CPU count. This is functionally an average of time spent across individual CPUs. | scaled_float | gauge | |
system.process.cgroup.cpuacct.total.ns | Total CPU time in nanoseconds consumed by all tasks in the cgroup. | long | counter | |
system.process.cgroup.cpuacct.total.pct | CPU time of the cgroup as a percentage of overall CPU time. | scaled_float | gauge | |
system.process.cgroup.id | The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. | keyword | ||
system.process.cgroup.io.id | ID of the cgroup. | keyword | ||
system.process.cgroup.io.path | Path to the cgroup relative to the cgroup subsystems mountpoint. | keyword | ||
system.process.cgroup.io.pressure.full.10.pct | Pressure over 10 seconds | float | gauge | |
system.process.cgroup.io.pressure.full.300.pct | Pressure over 300 seconds | float | gauge | |
system.process.cgroup.io.pressure.full.60.pct | Pressure over 60 seconds | float | gauge | |
system.process.cgroup.io.pressure.full.total | total Some pressure time | long | counter | |
system.process.cgroup.io.pressure.some.10.pct | Pressure over 10 seconds | float | gauge | |
system.process.cgroup.io.pressure.some.300.pct | Pressure over 300 seconds | float | gauge | |
system.process.cgroup.io.pressure.some.60.pct | Pressure over 60 seconds | float | gauge | |
system.process.cgroup.io.pressure.some.total | total Some pressure time | long | counter | |
system.process.cgroup.io.stats.*.*.bytes | per-device bytes usage stats | object | gauge | |
system.process.cgroup.io.stats.*.*.ios | per-device IO usage stats | object | gauge | |
system.process.cgroup.memory.id | ID of the cgroup. | keyword | ||
system.process.cgroup.memory.kmem.failures | The number of times that the memory limit (kmem.limit.bytes) was reached. | long | counter | |
system.process.cgroup.memory.kmem.limit.bytes | The maximum amount of kernel memory that tasks in the cgroup are allowed to use. | long | gauge | |
system.process.cgroup.memory.kmem.usage.bytes | Total kernel memory usage by processes in the cgroup (in bytes). | long | gauge | |
system.process.cgroup.memory.kmem.usage.max.bytes | The maximum kernel memory used by processes in the cgroup (in bytes). | long | gauge | |
system.process.cgroup.memory.kmem_tcp.failures | The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. | long | counter | |
system.process.cgroup.memory.kmem_tcp.limit.bytes | The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. | long | gauge | |
system.process.cgroup.memory.kmem_tcp.usage.bytes | Total memory usage for TCP buffers in bytes. | long | gauge | |
system.process.cgroup.memory.kmem_tcp.usage.max.bytes | The maximum memory used for TCP buffers by processes in the cgroup (in bytes). | long | gauge | |
system.process.cgroup.memory.mem.events.fail | failed threshold | long | counter | |
system.process.cgroup.memory.mem.events.high | high threshold | long | counter | |
system.process.cgroup.memory.mem.events.low | low threshold | long | counter | |
system.process.cgroup.memory.mem.events.max | max threshold | long | counter | |
system.process.cgroup.memory.mem.events.oom | oom threshold | long | counter | |
system.process.cgroup.memory.mem.events.oom_kill | oom killer threshold | long | counter | |
system.process.cgroup.memory.mem.failures | The number of times that the memory limit (mem.limit.bytes) was reached. | long | counter | |
system.process.cgroup.memory.mem.high.bytes | memory high threshhold | long | gauge | |
system.process.cgroup.memory.mem.limit.bytes | The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. | long | gauge | |
system.process.cgroup.memory.mem.low.bytes | memory low threshhold | long | gauge | |
system.process.cgroup.memory.mem.max.bytes | memory max threshhold | long | gauge | |
system.process.cgroup.memory.mem.usage.bytes | Total memory usage by processes in the cgroup (in bytes). | long | gauge | |
system.process.cgroup.memory.mem.usage.max.bytes | The maximum memory used by processes in the cgroup (in bytes). | long | gauge | |
system.process.cgroup.memory.memsw.events.fail | failed threshold | long | counter | |
system.process.cgroup.memory.memsw.events.high | high threshold | long | counter | |
system.process.cgroup.memory.memsw.events.low | low threshold | long | counter | |
system.process.cgroup.memory.memsw.events.max | max threshold | long | counter | |
system.process.cgroup.memory.memsw.events.oom | oom threshold | long | counter | |
system.process.cgroup.memory.memsw.events.oom_kill | oom killer threshold | long | counter | |
system.process.cgroup.memory.memsw.failures | The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. | long | counter | |
system.process.cgroup.memory.memsw.high.bytes | memory high threshhold | long | gauge | |
system.process.cgroup.memory.memsw.limit.bytes | The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. | long | gauge | |
system.process.cgroup.memory.memsw.low.bytes | memory low threshhold | long | gauge | |
system.process.cgroup.memory.memsw.max.bytes | memory max threshhold | long | gauge | |
system.process.cgroup.memory.memsw.usage.bytes | The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). | long | gauge | |
system.process.cgroup.memory.memsw.usage.max.bytes | The maximum amount of memory and swap space used by processes in the cgroup (in bytes). | long | gauge | |
system.process.cgroup.memory.path | Path to the cgroup relative to the cgroup subsystem's mountpoint. | keyword | ||
system.process.cgroup.memory.stats.*.bytes | detailed memory IO stats | object | gauge | |
system.process.cgroup.memory.stats.active_anon.bytes | Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. | long | gauge | |
system.process.cgroup.memory.stats.active_file.bytes | File-backed memory on active LRU list, in bytes. | long | gauge | |
system.process.cgroup.memory.stats.cache.bytes | Page cache, including tmpfs (shmem), in bytes. | long | gauge | |
system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes | Memory limit for the hierarchy that contains the memory cgroup, in bytes. | long | gauge | |
system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes | Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. | long | gauge | |
system.process.cgroup.memory.stats.inactive_anon.bytes | Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes | long | gauge | |
system.process.cgroup.memory.stats.inactive_file.bytes | File-backed memory on inactive LRU list, in bytes. | long | gauge | |
system.process.cgroup.memory.stats.major_page_faults | Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. | long | counter | |
system.process.cgroup.memory.stats.mapped_file.bytes | Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. | long | gauge | |
system.process.cgroup.memory.stats.page_faults | Number of times that a process in the cgroup triggered a page fault. | long | counter | |
system.process.cgroup.memory.stats.pages_in | Number of pages paged into memory. This is a counter. | long | counter | |
system.process.cgroup.memory.stats.pages_out | Number of pages paged out of memory. This is a counter. | long | counter | |
system.process.cgroup.memory.stats.rss.bytes | Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. | long | gauge | |
system.process.cgroup.memory.stats.rss_huge.bytes | Number of bytes of anonymous transparent hugepages. | long | gauge | |
system.process.cgroup.memory.stats.swap.bytes | Swap usage, in bytes. | long | gauge | |
system.process.cgroup.memory.stats.unevictable.bytes | Memory that cannot be reclaimed, in bytes. | long | gauge | |
system.process.cgroup.path | The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. | keyword | ||
system.process.cmdline | The full command-line used to start the process, including the arguments separated by space. | keyword | ||
system.process.cpu.start_time | The time when the process was started. | date | ||
system.process.cpu.system.ticks | The amount of CPU time the process spent in kernel space. | long | counter | |
system.process.cpu.total.norm.pct | The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. | scaled_float | percent | gauge |
system.process.cpu.total.pct | The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. | scaled_float | percent | gauge |
system.process.cpu.total.ticks | The total CPU time spent by the process. | long | counter | |
system.process.cpu.total.value | The value of CPU usage since starting the process. | long | counter | |
system.process.cpu.user.ticks | The amount of CPU time the process spent in user space. | long | counter | |
system.process.env | The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. | flattened | ||
system.process.fd.limit.hard | The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. | long | gauge | |
system.process.fd.limit.soft | The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. | long | gauge | |
system.process.fd.open | The number of file descriptors open by the process. | long | gauge | |
system.process.io.cancelled_write_bytes | The number of bytes this process cancelled, or caused not to be written. | long | byte | counter |
system.process.io.read_bytes | The number of bytes fetched from the storage layer. | long | byte | counter |
system.process.io.read_char | The number of bytes read from read(2) and similar syscalls. | long | byte | counter |
system.process.io.read_ops | The count of read-related syscalls. | long | counter | |
system.process.io.write_bytes | The number of bytes written to the storage layer. | long | byte | counter |
system.process.io.write_char | The number of bytes sent to syscalls for writing. | long | byte | counter |
system.process.io.write_ops | The count of write-related syscalls. | long | counter | |
system.process.memory.rss.bytes | The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes. | long | byte | gauge |
system.process.memory.rss.pct | The percentage of memory the process occupied in main memory (RAM). | scaled_float | percent | gauge |
system.process.memory.share | The shared memory the process uses. | long | byte | gauge |
system.process.memory.size | The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process. | long | byte | gauge |
system.process.num_threads | Number of threads in the process | integer | ||
system.process.state | The process state. For example: "running". | keyword |
Process summary
The process_summary
data stream collects high level statistics about the running
processes.
Supported operating systems
- FreeBSD
- Linux
- macOS
- Windows
Permissions
General process summary data should be available without elevated permissions. If the process data belongs to the other users, it will be counted as unknown value.
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
Exported fields
Field | Description | Type | Metric Type |
---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | |
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | |
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | |
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | |
cloud.image.id | Image ID for the cloud instance. | keyword | |
cloud.instance.id | Instance ID of the host machine. | keyword | |
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | |
cloud.region | Region in which this host, resource, or service is located. | keyword | |
container.id | Unique container id. | keyword | |
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | |
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | |
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | |
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | |
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | constant_keyword | |
host.containerized | If the host is a container. | boolean | |
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | |
host.os.build | OS build information. | keyword | |
host.os.codename | OS codename, if any. | keyword | |
system.process.summary.dead | Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. | long | gauge |
system.process.summary.idle | Number of idle processes on this host. | long | gauge |
system.process.summary.running | Number of running processes on this host. | long | gauge |
system.process.summary.sleeping | Number of sleeping processes on this host. | long | gauge |
system.process.summary.stopped | Number of stopped processes on this host. | long | gauge |
system.process.summary.total | Total number of processes on this host. | long | gauge |
system.process.summary.unknown | Number of processes for which the state couldn't be retrieved or is unknown. | long | gauge |
system.process.summary.zombie | Number of zombie processes on this host. | long | gauge |
Socket summary
The System socket_summary
data stream provides the summary of open network
sockets in the host system.
It collects a summary of metrics with the count of existing TCP and UDP connections and the count of listening ports.
Supported operating systems
- FreeBSD
- Linux
- macOS
- Windows
Permissions
This data should be available without elevated permissions.
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
Exported fields
Field | Description | Type | Unit | Metric Type |
---|---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | ||
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | ||
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | ||
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | ||
cloud.image.id | Image ID for the cloud instance. | keyword | ||
cloud.instance.id | Instance ID of the host machine. | keyword | ||
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | ||
cloud.region | Region in which this host, resource, or service is located. | keyword | ||
container.id | Unique container id. | keyword | ||
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | ||
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | ||
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | constant_keyword | ||
host.containerized | If the host is a container. | boolean | ||
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | ||
host.os.build | OS build information. | keyword | ||
host.os.codename | OS codename, if any. | keyword | ||
system.socket.summary.all.count | All open connections | integer | gauge | |
system.socket.summary.all.listening | All listening ports | integer | gauge | |
system.socket.summary.tcp.all.close_wait | Number of TCP connections in close_wait state | integer | gauge | |
system.socket.summary.tcp.all.closing | Number of TCP connections in closing state | integer | gauge | |
system.socket.summary.tcp.all.count | All open TCP connections | integer | gauge | |
system.socket.summary.tcp.all.established | Number of established TCP connections | integer | gauge | |
system.socket.summary.tcp.all.fin_wait1 | Number of TCP connections in fin_wait1 state | integer | gauge | |
system.socket.summary.tcp.all.fin_wait2 | Number of TCP connections in fin_wait2 state | integer | gauge | |
system.socket.summary.tcp.all.last_ack | Number of TCP connections in last_ack state | integer | gauge | |
system.socket.summary.tcp.all.listening | All TCP listening ports | integer | gauge | |
system.socket.summary.tcp.all.orphan | A count of all orphaned tcp sockets. Only available on Linux. | integer | gauge | |
system.socket.summary.tcp.all.syn_recv | Number of TCP connections in syn_recv state | integer | gauge | |
system.socket.summary.tcp.all.syn_sent | Number of TCP connections in syn_sent state | integer | gauge | |
system.socket.summary.tcp.all.time_wait | Number of TCP connections in time_wait state | integer | gauge | |
system.socket.summary.tcp.memory | Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. | integer | byte | gauge |
system.socket.summary.udp.all.count | All open UDP connections | integer | gauge | |
system.socket.summary.udp.memory | Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. | integer | byte | gauge |
Uptime
The System uptime
data stream provides the uptime of the host operating system.
Supported operating systems
- Linux
- macOS
- OpenBSD
- FreeBSD
- Windows
Permissions
This data should be available without elevated permissions.
ECS Field Reference
Please refer to the following document for detailed information on ECS fields.
Exported fields
Field | Description | Type | Unit | Metric Type |
---|---|---|---|---|
@timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | ||
agent.id | Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id. | keyword | ||
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | ||
cloud.availability_zone | Availability zone in which this host, resource, or service is located. | keyword | ||
cloud.image.id | Image ID for the cloud instance. | keyword | ||
cloud.instance.id | Instance ID of the host machine. | keyword | ||
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | ||
cloud.region | Region in which this host, resource, or service is located. | keyword | ||
container.id | Unique container id. | keyword | ||
data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access , prometheus , endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset . Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default . If no value is used, it falls back to default . Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters | constant_keyword | ||
data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | ||
event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword | ||
event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module. | constant_keyword | ||
host.containerized | If the host is a container. | boolean | ||
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword | ||
host.os.build | OS build information. | keyword | ||
host.os.codename | OS codename, if any. | keyword | ||
system.uptime.duration.ms | The OS uptime in milliseconds. | long | ms | counter |
Changelog
Version | Details | Kibana version(s) |
---|---|---|
1.60.5 | Bug fix View pull request | 8.13.0 or higher |
1.60.4 | Bug fix View pull request | 8.13.0 or higher |
1.60.3 | Bug fix View pull request | 8.13.0 or higher |
1.60.2 | Bug fix View pull request | 8.13.0 or higher |
1.60.1 | Bug fix View pull request | 8.13.0 or higher |
1.60.0 | Enhancement View pull request | 8.13.0 or higher |
1.59.4 | Enhancement View pull request | 8.13.0 or higher |
1.59.3 | Bug fix View pull request | 8.13.0 or higher |
1.59.2 | Bug fix View pull request | 8.13.0 or higher |
1.59.1 | Bug fix View pull request | 8.13.0 or higher |
1.59.0 | Enhancement View pull request | 8.13.0 or higher |
1.58.2 | Bug fix View pull request | 8.12.0 or higher |
1.58.1 | Bug fix View pull request | 8.12.0 or higher |
1.58.0 | Enhancement View pull request | 8.12.0 or higher |
1.57.0 | Enhancement View pull request | 8.12.0 or higher |
1.56.0 | Enhancement View pull request | 8.12.0 or higher |
1.55.2 | Bug fix View pull request | 8.12.0 or higher |
1.55.1 | Bug fix View pull request | 8.12.0 or higher |
1.55.0 | Enhancement View pull request | 8.12.0 or higher |
1.54.0 | Enhancement View pull request | 8.12.0 or higher |
1.53.1 | Enhancement View pull request | 8.11.0 or higher |
1.53.0 | Enhancement View pull request | 8.11.0 or higher |
1.52.0 | Enhancement View pull request | 8.11.0 or higher |
1.51.0 | Enhancement View pull request | 8.10.2 or higher |
1.50.1 | Enhancement View pull request | 8.10.2 or higher |
1.50.0 | Bug fix View pull request | 8.10.2 or higher |
1.49.1 | Bug fix View pull request | 8.10.2 or higher |
1.49.0 | Enhancement View pull request | 8.10.2 or higher |
1.48.0 | Enhancement View pull request | 8.10.2 or higher |
1.47.2 | Bug fix View pull request | 8.10.2 or higher |
1.47.1 | Bug fix View pull request | 8.10.2 or higher |
1.47.0 | Enhancement View pull request | 8.10.2 or higher |
1.46.1 | Bug fix View pull request | 8.10.2 or higher |
1.46.0 | Enhancement View pull request | 8.10.2 or higher |
1.45.0 | Enhancement View pull request | 8.10.2 or higher |
1.44.0 | Enhancement View pull request | 8.10.2 or higher |
1.43.0 | Enhancement View pull request | 8.10.2 or higher |
1.42.0 | Enhancement View pull request | 8.10.2 or higher |
1.41.0 | Enhancement View pull request | 8.9.0 or higher |
1.40.0 | Enhancement View pull request | 8.9.0 or higher |
1.39.0 | Enhancement View pull request | 8.8.0 or higher |
1.38.2 | Bug fix View pull request | 8.8.0 or higher |
1.38.1 | Enhancement View pull request | 8.8.0 or higher |
1.38.0 | Enhancement View pull request | 8.8.0 or higher |
1.37.1 | Enhancement View pull request | 8.8.0 or higher |
1 |