System

Collect system logs and metrics from your servers with Elastic Agent.

Version
1.60.4 (View all)
Compatible Kibana version(s)
8.13.0 or higher
Supported Serverless project types

Security
Observability
Subscription level
Basic
Level of support
Elastic

The System integration allows you to monitor servers, personal computers, and more.

Use the System integration to collect metrics and logs from your machines. Then visualize that data in Kibana, create alerts to notify you if something goes wrong, and reference data when troubleshooting an issue.

For example, if you wanted to be notified when less than 10% of the disk space is still available, you could install the System integration to send file system metrics to Elastic. Then, you could view real-time updates to disk space used on your system in Kibana's [Metrics System] Overview dashboard. You could also set up a new rule in the Elastic Observability Metrics app to alert you when the percent free is less than 10% of the total disk space.

Data streams

The System integration collects two types of data: logs and metrics.

Logs help you keep a record of events that happen on your machine. Log data streams collected by the System integration include application, system, and security events on machines running Windows and auth and syslog events on machines running macOS or Linux. See more details in the Logs reference.

Metrics give you insight into the state of the machine. Metric data streams collected by the System integration include CPU usage, load statistics, memory usage, information on network behavior, and more. See more details in the Metrics reference.

You can enable and disable individual data streams. If all data streams are disabled and the System integration is still enabled, Fleet uses the default data streams.

Requirements

You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.

Each data stream collects different kinds of metric data, which may require dedicated permissions to be fetched and which may vary across operating systems. Details on the permissions needed for each data stream are available in the Metrics reference.

Setup

For step-by-step instructions on how to set up an integration, see the Getting started guide.

Troubleshooting

Note that certain data streams may access /proc to gather process information, and the resulting ptrace_may_access() call by the kernel to check for permissions can be blocked by AppArmor and other LSM software, even though the System module doesn't use ptrace directly.

In addition, when running inside a container the proc filesystem directory of the host should be set using system.hostfs setting to /hostfs.

Windows Event ID clause limit

If you specify more than 22 query conditions (event IDs or event ID ranges), some versions of Windows will prevent the integration from reading the event log due to limits in the query system. If this occurs, a similar warning as shown below:

The specified query is invalid.

In some cases, the limit may be lower than 22 conditions. For instance, using a mixture of ranges and single event IDs, along with an additional parameter such as ignore older, results in a limit of 21 conditions.

If you have more than 22 conditions, you can work around this Windows limitation by using a drop_event processor to do the filtering after filebeat has received the events from Windows. The filter shown below is equivalent to event_id: 903, 1024, 2000-2004, 4624 but can be expanded beyond 22 event IDs.

- drop_event.when.not.or:
  - equals.winlog.event_id: "903"
  - equals.winlog.event_id: "1024"
  - equals.winlog.event_id: "4624"
  - range:
      winlog.event_id.gte: 2000
      winlog.event_id.lte: 2004

Logs reference

Application

The Windows application data stream provides events from the Windows Application event log.

Supported operating systems

  • Windows

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

Exported fields

FieldDescriptionType
@timestamp
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
date
cloud.image.id
Image ID for the cloud instance.
keyword
data_stream.dataset
The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.namespace
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.type
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
constant_keyword
event.dataset
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
constant_keyword
event.module
Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.
constant_keyword
host.containerized
If the host is a container.
boolean
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
winlog.activity_id
A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
keyword
winlog.api
The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs.
keyword
winlog.channel
The name of the channel from which this record was read. This value is one of the names from the event_logs collection in the configuration.
keyword
winlog.computer_name
The name of the computer that generated the record. When using Windows event forwarding, this name can differ from agent.hostname.
keyword
winlog.event_data
The event-specific data. This field is mutually exclusive with user_data. If you are capturing event data on versions prior to Windows Vista, the parameters in event_data are named param1, param2, and so on, because event log parameters are unnamed in earlier versions of Windows.
object
winlog.event_data.AuthenticationPackageName
keyword
winlog.event_data.Binary
keyword
winlog.event_data.BitlockerUserInputTime
keyword
winlog.event_data.BootMode
keyword
winlog.event_data.BootType
keyword
winlog.event_data.BuildVersion
keyword
winlog.event_data.Company
keyword
winlog.event_data.CorruptionActionState
keyword
winlog.event_data.CreationUtcTime
keyword
winlog.event_data.Description
keyword
winlog.event_data.Detail
keyword
winlog.event_data.DeviceName
keyword
winlog.event_data.DeviceNameLength
keyword
winlog.event_data.DeviceTime
keyword
winlog.event_data.DeviceVersionMajor
keyword
winlog.event_data.DeviceVersionMinor
keyword
winlog.event_data.DriveName
keyword
winlog.event_data.DriverName
keyword
winlog.event_data.DriverNameLength
keyword
winlog.event_data.DwordVal
keyword
winlog.event_data.EntryCount
keyword
winlog.event_data.ExtraInfo
keyword
winlog.event_data.FailureName
keyword
winlog.event_data.FailureNameLength
keyword
winlog.event_data.FileVersion
keyword
winlog.event_data.FinalStatus
keyword
winlog.event_data.Group
keyword
winlog.event_data.IdleImplementation
keyword
winlog.event_data.IdleStateCount
keyword
winlog.event_data.ImpersonationLevel
keyword
winlog.event_data.IntegrityLevel
keyword
winlog.event_data.IpAddress
keyword
winlog.event_data.IpPort
keyword
winlog.event_data.KeyLength
keyword
winlog.event_data.LastBootGood
keyword
winlog.event_data.LastShutdownGood
keyword
winlog.event_data.LmPackageName
keyword
winlog.event_data.LogonGuid
keyword
winlog.event_data.LogonId
keyword
winlog.event_data.LogonProcessName
keyword
winlog.event_data.LogonType
keyword
winlog.event_data.MajorVersion
keyword
winlog.event_data.MaximumPerformancePercent
keyword
winlog.event_data.MemberName
keyword
winlog.event_data.MemberSid
keyword
winlog.event_data.MinimumPerformancePercent
keyword
winlog.event_data.MinimumThrottlePercent
keyword
winlog.event_data.MinorVersion
keyword
winlog.event_data.NewProcessId
keyword
winlog.event_data.NewProcessName
keyword
winlog.event_data.NewSchemeGuid
keyword
winlog.event_data.NewTime
keyword
winlog.event_data.NominalFrequency
keyword
winlog.event_data.Number
keyword
winlog.event_data.OldSchemeGuid
keyword
winlog.event_data.OldTime
keyword
winlog.event_data.OriginalFileName
keyword
winlog.event_data.Path
keyword
winlog.event_data.PerformanceImplementation
keyword
winlog.event_data.PreviousCreationUtcTime
keyword
winlog.event_data.PreviousTime
keyword
winlog.event_data.PrivilegeList
keyword
winlog.event_data.ProcessId
keyword
winlog.event_data.ProcessName
keyword
winlog.event_data.ProcessPath
keyword
winlog.event_data.ProcessPid
keyword
winlog.event_data.Product
keyword
winlog.event_data.PuaCount
keyword
winlog.event_data.PuaPolicyId
keyword
winlog.event_data.QfeVersion
keyword
winlog.event_data.Reason
keyword
winlog.event_data.SchemaVersion
keyword
winlog.event_data.ScriptBlockText
keyword
winlog.event_data.ServiceName
keyword
winlog.event_data.ServiceVersion
keyword
winlog.event_data.ShutdownActionType
keyword
winlog.event_data.ShutdownEventCode
keyword
winlog.event_data.ShutdownReason
keyword
winlog.event_data.Signature
keyword
winlog.event_data.SignatureStatus
keyword
winlog.event_data.Signed
keyword
winlog.event_data.StartTime
keyword
winlog.event_data.State
keyword
winlog.event_data.Status
keyword
winlog.event_data.StopTime
keyword
winlog.event_data.SubjectDomainName
keyword
winlog.event_data.SubjectLogonId
keyword
winlog.event_data.SubjectUserName
keyword
winlog.event_data.SubjectUserSid
keyword
winlog.event_data.TSId
keyword
winlog.event_data.TargetDomainName
keyword
winlog.event_data.TargetInfo
keyword
winlog.event_data.TargetLogonGuid
keyword
winlog.event_data.TargetLogonId
keyword
winlog.event_data.TargetServerName
keyword
winlog.event_data.TargetUserName
keyword
winlog.event_data.TargetUserSid
keyword
winlog.event_data.TerminalSessionId
keyword
winlog.event_data.TokenElevationType
keyword
winlog.event_data.TransmittedServices
keyword
winlog.event_data.UserSid
keyword
winlog.event_data.Version
keyword
winlog.event_data.Workstation
keyword
winlog.event_data.param1
keyword
winlog.event_data.param2
keyword
winlog.event_data.param3
keyword
winlog.event_data.param4
keyword
winlog.event_data.param5
keyword
winlog.event_data.param6
keyword
winlog.event_data.param7
keyword
winlog.event_data.param8
keyword
winlog.event_id
The event identifier. The value is specific to the source of the event.
keyword
winlog.keywords
The keywords are used to classify an event.
keyword
winlog.opcode
The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
keyword
winlog.process.pid
The process_id of the Client Server Runtime Process.
long
winlog.process.thread.id
long
winlog.provider_guid
A globally unique identifier that identifies the provider that logged the event.
keyword
winlog.provider_name
The source of the event log record (the application or service that logged the record).
keyword
winlog.record_id
The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0.
keyword
winlog.related_activity_id
A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their activity_id identifier.
keyword
winlog.task
The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
keyword
winlog.user.domain
The domain that the account associated with this event is a member of.
keyword
winlog.user.identifier
The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the user.name, user.domain, and user.type fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.
keyword
winlog.user.name
Name of the user associated with this event.
keyword
winlog.user.type
The type of account associated with this event.
keyword
winlog.user_data
The event specific data. This field is mutually exclusive with event_data.
object
winlog.version
The version number of the event's definition.
long

System

The Windows system data stream provides events from the Windows System event log.

Supported operating systems

  • Windows

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

Exported fields

FieldDescriptionType
@timestamp
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
date
cloud.image.id
Image ID for the cloud instance.
keyword
data_stream.dataset
The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.namespace
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.type
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
constant_keyword
event.dataset
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
constant_keyword
event.module
Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.
constant_keyword
host.containerized
If the host is a container.
boolean
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
winlog.activity_id
A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
keyword
winlog.api
The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs.
keyword
winlog.channel
The name of the channel from which this record was read. This value is one of the names from the event_logs collection in the configuration.
keyword
winlog.computer_name
The name of the computer that generated the record. When using Windows event forwarding, this name can differ from agent.hostname.
keyword
winlog.event_data
The event-specific data. This field is mutually exclusive with user_data. If you are capturing event data on versions prior to Windows Vista, the parameters in event_data are named param1, param2, and so on, because event log parameters are unnamed in earlier versions of Windows.
object
winlog.event_data.AuthenticationPackageName
keyword
winlog.event_data.Binary
keyword
winlog.event_data.BitlockerUserInputTime
keyword
winlog.event_data.BootMode
keyword
winlog.event_data.BootType
keyword
winlog.event_data.BuildVersion
keyword
winlog.event_data.Company
keyword
winlog.event_data.CorruptionActionState
keyword
winlog.event_data.CreationUtcTime
keyword
winlog.event_data.Description
keyword
winlog.event_data.Detail
keyword
winlog.event_data.DeviceName
keyword
winlog.event_data.DeviceNameLength
keyword
winlog.event_data.DeviceTime
keyword
winlog.event_data.DeviceVersionMajor
keyword
winlog.event_data.DeviceVersionMinor
keyword
winlog.event_data.DriveName
keyword
winlog.event_data.DriverName
keyword
winlog.event_data.DriverNameLength
keyword
winlog.event_data.DwordVal
keyword
winlog.event_data.EntryCount
keyword
winlog.event_data.ExtraInfo
keyword
winlog.event_data.FailureName
keyword
winlog.event_data.FailureNameLength
keyword
winlog.event_data.FileVersion
keyword
winlog.event_data.FinalStatus
keyword
winlog.event_data.Group
keyword
winlog.event_data.IdleImplementation
keyword
winlog.event_data.IdleStateCount
keyword
winlog.event_data.ImpersonationLevel
keyword
winlog.event_data.IntegrityLevel
keyword
winlog.event_data.IpAddress
keyword
winlog.event_data.IpPort
keyword
winlog.event_data.KeyLength
keyword
winlog.event_data.LastBootGood
keyword
winlog.event_data.LastShutdownGood
keyword
winlog.event_data.LmPackageName
keyword
winlog.event_data.LogonGuid
keyword
winlog.event_data.LogonId
keyword
winlog.event_data.LogonProcessName
keyword
winlog.event_data.LogonType
keyword
winlog.event_data.MajorVersion
keyword
winlog.event_data.MaximumPerformancePercent
keyword
winlog.event_data.MemberName
keyword
winlog.event_data.MemberSid
keyword
winlog.event_data.MinimumPerformancePercent
keyword
winlog.event_data.MinimumThrottlePercent
keyword
winlog.event_data.MinorVersion
keyword
winlog.event_data.NewProcessId
keyword
winlog.event_data.NewProcessName
keyword
winlog.event_data.NewSchemeGuid
keyword
winlog.event_data.NewTime
keyword
winlog.event_data.NominalFrequency
keyword
winlog.event_data.Number
keyword
winlog.event_data.OldSchemeGuid
keyword
winlog.event_data.OldTime
keyword
winlog.event_data.OriginalFileName
keyword
winlog.event_data.Path
keyword
winlog.event_data.PerformanceImplementation
keyword
winlog.event_data.PreviousCreationUtcTime
keyword
winlog.event_data.PreviousTime
keyword
winlog.event_data.PrivilegeList
keyword
winlog.event_data.ProcessId
keyword
winlog.event_data.ProcessName
keyword
winlog.event_data.ProcessPath
keyword
winlog.event_data.ProcessPid
keyword
winlog.event_data.Product
keyword
winlog.event_data.PuaCount
keyword
winlog.event_data.PuaPolicyId
keyword
winlog.event_data.QfeVersion
keyword
winlog.event_data.Reason
keyword
winlog.event_data.SchemaVersion
keyword
winlog.event_data.ScriptBlockText
keyword
winlog.event_data.ServiceName
keyword
winlog.event_data.ServiceVersion
keyword
winlog.event_data.ShutdownActionType
keyword
winlog.event_data.ShutdownEventCode
keyword
winlog.event_data.ShutdownReason
keyword
winlog.event_data.Signature
keyword
winlog.event_data.SignatureStatus
keyword
winlog.event_data.Signed
keyword
winlog.event_data.StartTime
keyword
winlog.event_data.State
keyword
winlog.event_data.Status
keyword
winlog.event_data.StopTime
keyword
winlog.event_data.SubjectDomainName
keyword
winlog.event_data.SubjectLogonId
keyword
winlog.event_data.SubjectUserName
keyword
winlog.event_data.SubjectUserSid
keyword
winlog.event_data.TSId
keyword
winlog.event_data.TargetDomainName
keyword
winlog.event_data.TargetInfo
keyword
winlog.event_data.TargetLogonGuid
keyword
winlog.event_data.TargetLogonId
keyword
winlog.event_data.TargetServerName
keyword
winlog.event_data.TargetUserName
keyword
winlog.event_data.TargetUserSid
keyword
winlog.event_data.TerminalSessionId
keyword
winlog.event_data.TokenElevationType
keyword
winlog.event_data.TransmittedServices
keyword
winlog.event_data.UserSid
keyword
winlog.event_data.Version
keyword
winlog.event_data.Workstation
keyword
winlog.event_data.param1
keyword
winlog.event_data.param2
keyword
winlog.event_data.param3
keyword
winlog.event_data.param4
keyword
winlog.event_data.param5
keyword
winlog.event_data.param6
keyword
winlog.event_data.param7
keyword
winlog.event_data.param8
keyword
winlog.event_id
The event identifier. The value is specific to the source of the event.
keyword
winlog.keywords
The keywords are used to classify an event.
keyword
winlog.opcode
The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
keyword
winlog.process.pid
The process_id of the Client Server Runtime Process.
long
winlog.process.thread.id
long
winlog.provider_guid
A globally unique identifier that identifies the provider that logged the event.
keyword
winlog.provider_name
The source of the event log record (the application or service that logged the record).
keyword
winlog.record_id
The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0.
keyword
winlog.related_activity_id
A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their activity_id identifier.
keyword
winlog.task
The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
keyword
winlog.user.domain
The domain that the account associated with this event is a member of.
keyword
winlog.user.identifier
The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the user.name, user.domain, and user.type fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.
keyword
winlog.user.name
Name of the user associated with this event.
keyword
winlog.user.type
The type of account associated with this event.
keyword
winlog.user_data
The event specific data. This field is mutually exclusive with event_data.
object
winlog.version
The version number of the event's definition.
long

Security

The Windows security data stream provides events from the Windows Security event log.

Supported operating systems

  • Windows

An example event for security looks as following:

{
    "@timestamp": "2019-11-07T10:37:04.226Z",
    "agent": {
        "ephemeral_id": "7b61ba2a-a1b9-4711-87d0-1b3aad5afb85",
        "id": "a152fcd9-5b11-4ed3-9958-e3a95043132d",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.8.0"
    },
    "data_stream": {
        "dataset": "system.security",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "a152fcd9-5b11-4ed3-9958-e3a95043132d",
        "snapshot": false,
        "version": "8.8.0"
    },
    "event": {
        "action": "logging-service-shutdown",
        "agent_id_status": "verified",
        "category": [
            "process"
        ],
        "code": "1100",
        "created": "2023-07-18T12:31:50.439Z",
        "dataset": "system.security",
        "ingested": "2023-07-18T12:31:51Z",
        "kind": "event",
        "original": "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Eventlog' Guid='{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}'/><EventID>1100</EventID><Version>0</Version><Level>4</Level><Task>103</Task><Opcode>0</Opcode><Keywords>0x4020000000000000</Keywords><TimeCreated SystemTime='2019-11-07T10:37:04.226092500Z'/><EventRecordID>14257</EventRecordID><Correlation/><Execution ProcessID='1144' ThreadID='4532'/><Channel>Security</Channel><Computer>WIN-41OB2LO92CR.wlbeat.local</Computer><Security/></System><UserData><ServiceShutdown xmlns='http://manifests.microsoft.com/win/2004/08/windows/eventlog'></ServiceShutdown></UserData></Event>",
        "outcome": "success",
        "provider": "Microsoft-Windows-Eventlog",
        "type": [
            "end"
        ]
    },
    "host": {
        "name": "WIN-41OB2LO92CR.wlbeat.local"
    },
    "input": {
        "type": "httpjson"
    },
    "log": {
        "level": "information"
    },
    "tags": [
        "forwarded",
        "preserve_original_event"
    ],
    "winlog": {
        "channel": "Security",
        "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
        "event_id": "1100",
        "keywords": [
            "Audit Success"
        ],
        "level": "information",
        "opcode": "Info",
        "outcome": "success",
        "process": {
            "pid": 1144,
            "thread": {
                "id": 4532
            }
        },
        "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}",
        "provider_name": "Microsoft-Windows-Eventlog",
        "record_id": "14257",
        "time_created": "2019-11-07T10:37:04.226Z"
    }
}

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

Exported fields

FieldDescriptionType
@timestamp
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
date
cloud.image.id
Image ID for the cloud instance.
keyword
data_stream.dataset
The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.namespace
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.type
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
constant_keyword
event.dataset
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
constant_keyword
event.module
Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.
constant_keyword
host.containerized
If the host is a container.
boolean
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
input.type
Type of Filebeat input.
keyword
process.executable
Absolute path to the process executable.
keyword
process.executable.caseless
Multi-field of process.executable.
keyword
process.executable.text
Multi-field of process.executable.
match_only_text
process.name
Process name. Sometimes called program name or similar.
keyword
process.name.caseless
Multi-field of process.name.
keyword
process.name.text
Multi-field of process.name.
match_only_text
winlog.activity_id
A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
keyword
winlog.api
The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs.
keyword
winlog.channel
The name of the channel from which this record was read. This value is one of the names from the event_logs collection in the configuration.
keyword
winlog.computerObject.domain
keyword
winlog.computerObject.id
keyword
winlog.computerObject.name
keyword
winlog.computer_name
The name of the computer that generated the record. When using Windows event forwarding, this name can differ from agent.hostname.
keyword
winlog.event_data
The event-specific data. This field is mutually exclusive with user_data. If you are capturing event data on versions prior to Windows Vista, the parameters in event_data are named param1, param2, and so on, because event log parameters are unnamed in earlier versions of Windows.
object
winlog.event_data.AccessGranted
keyword
winlog.event_data.AccessList
keyword
winlog.event_data.AccessListDescription
keyword
winlog.event_data.AccessMask
keyword
winlog.event_data.AccessMaskDescription
keyword
winlog.event_data.AccessReason
keyword
winlog.event_data.AccessRemoved
keyword
winlog.event_data.AccountDomain
keyword
winlog.event_data.AccountExpires
keyword
winlog.event_data.AccountName
keyword
winlog.event_data.AllowedToDelegateTo
keyword
winlog.event_data.Application
keyword
winlog.event_data.AttributeValue
keyword
winlog.event_data.AttributeValue.wildcard
Multi-field of winlog.event_data.AttributeValue.
wildcard
winlog.event_data.AuditPolicyChanges
keyword
winlog.event_data.AuditPolicyChangesDescription
keyword
winlog.event_data.AuditSourceName
keyword
winlog.event_data.AuthenticationPackageName
keyword
winlog.event_data.Binary
keyword
winlog.event_data.BitlockerUserInputTime
keyword
winlog.event_data.BootMode
keyword
winlog.event_data.BootType
keyword
winlog.event_data.BuildVersion
keyword
winlog.event_data.CallerProcessId
keyword
winlog.event_data.CallerProcessName
keyword
winlog.event_data.Category
keyword
winlog.event_data.CategoryId
keyword
winlog.event_data.ClientAddress
keyword
winlog.event_data.ClientName
keyword
winlog.event_data.ClientProcessId
keyword
winlog.event_data.CommandLine
keyword
winlog.event_data.Company
keyword
winlog.event_data.ComputerAccountChange
keyword
winlog.event_data.CorruptionActionState
keyword
winlog.event_data.CountOfCredentialsReturned
keyword
winlog.event_data.CrashOnAuditFailValue
keyword
winlog.event_data.CreationUtcTime
keyword
winlog.event_data.CurrentProfile
keyword
winlog.event_data.Description
keyword
winlog.event_data.DestAddress
keyword
winlog.event_data.DestPort
keyword
winlog.event_data.Detail
keyword
winlog.event_data.DeviceName
keyword
winlog.event_data.DeviceNameLength
keyword
winlog.event_data.DeviceTime
keyword
winlog.event_data.DeviceVersionMajor
keyword
winlog.event_data.DeviceVersionMinor
keyword
winlog.event_data.Direction
keyword
winlog.event_data.DisplayName
keyword
winlog.event_data.DnsHostName
keyword
winlog.event_data.DomainBehaviorVersion
keyword
winlog.event_data.DomainName
keyword
winlog.event_data.DomainPolicyChanged
keyword
winlog.event_data.DomainSid
keyword
winlog.event_data.DriveName
keyword
winlog.event_data.DriverName
keyword
winlog.event_data.DriverNameLength
keyword
winlog.event_data.Dummy
keyword
winlog.event_data.DwordVal
keyword
winlog.event_data.EnabledPrivilegeList
keyword
winlog.event_data.EntryCount
keyword
winlog.event_data.EventSourceId
keyword
winlog.event_data.ExtraInfo
keyword
winlog.event_data.FailureName
keyword
winlog.event_data.FailureNameLength
keyword
winlog.event_data.FailureReason
keyword
winlog.event_data.FileVersion
keyword
winlog.event_data.FilterOrigin
keyword
winlog.event_data.FilterRTID
keyword
winlog.event_data.FinalStatus
keyword
winlog.event_data.Flags
keyword
winlog.event_data.Group
keyword
winlog.event_data.GroupTypeChange
keyword
winlog.event_data.HandleId
keyword
winlog.event_data.HasRemoteDynamicKeywordAddress
keyword
winlog.event_data.HomeDirectory
keyword
winlog.event_data.HomePath
keyword
winlog.event_data.Identity
keyword
winlog.event_data.IdleImplementation
keyword
winlog.event_data.IdleStateCount
keyword
winlog.event_data.ImpersonationLevel
keyword
winlog.event_data.IntegrityLevel
keyword
winlog.event_data.InterfaceIndex
keyword
winlog.event_data.IpAddress
keyword
winlog.event_data.IpPort
keyword
winlog.event_data.IsLoopback
keyword
winlog.event_data.KerberosPolicyChange
keyword
winlog.event_data.KeyLength
keyword
winlog.event_data.LastBootGood
keyword
winlog.event_data.LastShutdownGood
keyword
winlog.event_data.LayerName
keyword
winlog.event_data.LayerNameDescription
keyword
winlog.event_data.LayerRTID
keyword
winlog.event_data.LmPackageName
keyword
winlog.event_data.LogonGuid
keyword
winlog.event_data.LogonHours
keyword
winlog.event_data.LogonID
keyword
winlog.event_data.LogonId
keyword
winlog.event_data.LogonProcessName
keyword
winlog.event_data.LogonType
keyword
winlog.event_data.MachineAccountQuota
keyword
winlog.event_data.MajorVersion
keyword
winlog.event_data.MandatoryLabel
keyword
winlog.event_data.MaximumPerformancePercent
keyword
winlog.event_data.MemberName
keyword
winlog.event_data.MemberSid
keyword
winlog.event_data.MinimumPerformancePercent
keyword
winlog.event_data.MinimumThrottlePercent
keyword
winlog.event_data.MinorVersion
keyword
winlog.event_data.MixedDomainMode
keyword
winlog.event_data.NewProcessId
keyword
winlog.event_data.NewProcessName
keyword
winlog.event_data.NewSchemeGuid
keyword
winlog.event_data.NewSd
keyword
winlog.event_data.NewSdDacl0
keyword
winlog.event_data.NewSdDacl1
keyword
winlog.event_data.NewSdDacl2
keyword
winlog.event_data.NewSdSacl0
keyword
winlog.event_data.NewSdSacl1
keyword
winlog.event_data.NewSdSacl2
keyword
winlog.event_data.NewTargetUserName
keyword
winlog.event_data.NewTime
keyword
winlog.event_data.NewUACList
keyword
winlog.event_data.NewUacValue
keyword
winlog.event_data.NominalFrequency
keyword
winlog.event_data.Number
keyword
winlog.event_data.ObjectName
keyword
winlog.event_data.ObjectServer
keyword
winlog.event_data.ObjectType
keyword
winlog.event_data.OemInformation
keyword
winlog.event_data.OldSchemeGuid
keyword
winlog.event_data.OldSd
keyword
winlog.event_data.OldSdDacl0
keyword
winlog.event_data.OldSdDacl1
keyword
winlog.event_data.OldSdDacl2
keyword
winlog.event_data.OldSdSacl0
keyword
winlog.event_data.OldSdSacl1
keyword
winlog.event_data.OldSdSacl2
keyword
winlog.event_data.OldTargetUserName
keyword
winlog.event_data.OldTime
keyword
winlog.event_data.OldUacValue
keyword
winlog.event_data.OriginalFileName
keyword
winlog.event_data.OriginalProfile
keyword
winlog.event_data.PackageName
keyword
winlog.event_data.ParentProcessName
keyword
winlog.event_data.PasswordHistoryLength
keyword
winlog.event_data.PasswordLastSet
keyword
winlog.event_data.Path
keyword
winlog.event_data.PerformanceImplementation
keyword
winlog.event_data.PreAuthType
keyword
winlog.event_data.PreviousCreationUtcTime
keyword
winlog.event_data.PreviousTime
keyword
winlog.event_data.PrimaryGroupId
keyword
winlog.event_data.PrivilegeList
keyword
winlog.event_data.ProcessCreationTime
keyword
winlog.event_data.ProcessID
keyword
winlog.event_data.ProcessId
keyword
winlog.event_data.ProcessName
keyword
winlog.event_data.ProcessPath
keyword
winlog.event_data.ProcessPid
keyword
winlog.event_data.Product
keyword
winlog.event_data.ProfilePath
keyword
winlog.event_data.Protocol
keyword
winlog.event_data.PuaCount
keyword
winlog.event_data.PuaPolicyId
keyword
winlog.event_data.QfeVersion
keyword
winlog.event_data.ReadOperation
keyword
winlog.event_data.Reason
keyword
winlog.event_data.RelativeTargetName
keyword
winlog.event_data.RemoteMachineDescription
keyword
winlog.event_data.RemoteMachineID
keyword
winlog.event_data.RemoteUserDescription
keyword
winlog.event_data.RemoteUserID
keyword
winlog.event_data.Resource
keyword
winlog.event_data.ResourceAttributes
keyword
winlog.event_data.ReturnCode
keyword
winlog.event_data.SamAccountName
keyword
winlog.event_data.Schema
keyword
winlog.event_data.SchemaFriendlyName
keyword
winlog.event_data.SchemaVersion
keyword
winlog.event_data.ScriptBlockText
keyword
winlog.event_data.ScriptPath
keyword
winlog.event_data.SearchString
keyword
winlog.event_data.Service
keyword
winlog.event_data.ServiceAccount
keyword
winlog.event_data.ServiceFileName
keyword
winlog.event_data.ServiceName
keyword
winlog.event_data.ServicePrincipalNames
keyword
winlog.event_data.ServiceSid
keyword
winlog.event_data.ServiceStartType
keyword
winlog.event_data.ServiceType
keyword
winlog.event_data.ServiceVersion
keyword
winlog.event_data.SessionName
keyword
winlog.event_data.ShareLocalPath
keyword
winlog.event_data.ShareName
keyword
winlog.event_data.ShutdownActionType
keyword
winlog.event_data.ShutdownEventCode
keyword
winlog.event_data.ShutdownReason
keyword
winlog.event_data.SidFilteringEnabled
keyword
winlog.event_data.SidHistory
keyword
winlog.event_data.Signature
keyword
winlog.event_data.SignatureStatus
keyword
winlog.event_data.Signed
keyword
winlog.event_data.SourceAddress
keyword
winlog.event_data.SourcePort
keyword
winlog.event_data.StartTime
keyword
winlog.event_data.State
keyword
winlog.event_data.Status
keyword
winlog.event_data.StatusDescription
keyword
winlog.event_data.StopTime
keyword
winlog.event_data.SubCategory
keyword
winlog.event_data.SubCategoryGuid
keyword
winlog.event_data.SubCategoryId
keyword
winlog.event_data.SubStatus
keyword
winlog.event_data.SubcategoryGuid
keyword
winlog.event_data.SubcategoryId
keyword
winlog.event_data.SubjectDomainName
keyword
winlog.event_data.SubjectLogonId
keyword
winlog.event_data.SubjectUserName
keyword
winlog.event_data.SubjectUserSid
keyword
winlog.event_data.TSId
keyword
winlog.event_data.TargetDomainName
keyword
winlog.event_data.TargetInfo
keyword
winlog.event_data.TargetLogonGuid
keyword
winlog.event_data.TargetLogonId
keyword
winlog.event_data.TargetName
keyword
winlog.event_data.TargetServerName
keyword
winlog.event_data.TargetSid
keyword
winlog.event_data.TargetUserName
keyword
winlog.event_data.TargetUserSid
keyword
winlog.event_data.TdoAttributes
keyword
winlog.event_data.TdoDirection
keyword
winlog.event_data.TdoType
keyword
winlog.event_data.TerminalSessionId
keyword
winlog.event_data.TicketEncryptionType
keyword
winlog.event_data.TicketEncryptionTypeDescription
keyword
winlog.event_data.TicketOptions
keyword
winlog.event_data.TicketOptionsDescription
keyword
winlog.event_data.TokenElevationType
keyword
winlog.event_data.TransmittedServices
keyword
winlog.event_data.Type
keyword
winlog.event_data.UserAccountControl
keyword
winlog.event_data.UserParameters
keyword
winlog.event_data.UserPrincipalName
keyword
winlog.event_data.UserSid
keyword
winlog.event_data.UserWorkstations
keyword
winlog.event_data.Version
keyword
winlog.event_data.Workstation
keyword
winlog.event_data.WorkstationName
keyword
winlog.event_data.param1
keyword
winlog.event_data.param2
keyword
winlog.event_data.param3
keyword
winlog.event_data.param4
keyword
winlog.event_data.param5
keyword
winlog.event_data.param6
keyword
winlog.event_data.param7
keyword
winlog.event_data.param8
keyword
winlog.event_id
The event identifier. The value is specific to the source of the event.
keyword
winlog.keywords
The keywords are used to classify an event.
keyword
winlog.level
The event severity. Levels are Critical, Error, Warning and Information, Verbose
keyword
winlog.logon.failure.reason
The reason the logon failed.
keyword
winlog.logon.failure.status
The reason the logon failed. This is textual description based on the value of the hexadecimal Status field.
keyword
winlog.logon.failure.sub_status
Additional information about the logon failure. This is a textual description based on the value of the hexidecimal SubStatus field.
keyword
winlog.logon.id
Logon ID that can be used to associate this logon with other events related to the same logon session.
keyword
winlog.logon.type
Logon type name. This is the descriptive version of the winlog.event_data.LogonType ordinal. This is an enrichment added by the Security module.
keyword
winlog.opcode
The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
keyword
winlog.outcome
Success or Failure of the event.
keyword
winlog.process.pid
The process_id of the Client Server Runtime Process.
long
winlog.process.thread.id
long
winlog.provider_guid
A globally unique identifier that identifies the provider that logged the event.
keyword
winlog.provider_name
The source of the event log record (the application or service that logged the record).
keyword
winlog.record_id
The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0.
keyword
winlog.related_activity_id
A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their activity_id identifier.
keyword
winlog.task
The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field.
keyword
winlog.time_created
Time event was created
date
winlog.trustAttribute
keyword
winlog.trustDirection
keyword
winlog.trustType
keyword
winlog.user.domain
The domain that the account associated with this event is a member of.
keyword
winlog.user.identifier
The Windows security identifier (SID) of the account associated with this event. If Winlogbeat cannot resolve the SID to a name, then the user.name, user.domain, and user.type fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be.
keyword
winlog.user.name
Name of the user associated with this event.
keyword
winlog.user.type
The type of account associated with this event.
keyword
winlog.user_data
The event specific data. This field is mutually exclusive with event_data.
object
winlog.user_data.BackupPath
keyword
winlog.user_data.Channel
keyword
winlog.user_data.SubjectDomainName
keyword
winlog.user_data.SubjectLogonId
keyword
winlog.user_data.SubjectUserName
keyword
winlog.user_data.SubjectUserSid
keyword
winlog.user_data.xml_name
keyword
winlog.version
The version number of the event's definition.
long

Auth

The auth data stream provides auth logs.

Supported operating systems

  • macOS prior to 10.8
  • Linux

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

Exported fields

FieldDescriptionType
@timestamp
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
date
cloud.image.id
Image ID for the cloud instance.
keyword
data_stream.dataset
The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.namespace
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.type
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
constant_keyword
event.dataset
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
constant_keyword
event.module
Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.
constant_keyword
host.containerized
If the host is a container.
boolean
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
input.type
Input type
keyword
log.offset
Log offset
long
system.auth.ssh.dropped_ip
The client IP from SSH connections that are open and immediately dropped.
ip
system.auth.ssh.event
The SSH event as found in the logs (Accepted, Invalid, Failed, etc.)
keyword
system.auth.ssh.method
The SSH authentication method. Can be one of "password" or "publickey".
keyword
system.auth.ssh.signature
The signature of the client public key.
keyword
system.auth.sudo.command
The command executed via sudo.
keyword
system.auth.sudo.error
The error message in case the sudo command failed.
keyword
system.auth.sudo.pwd
The current directory where the sudo command is executed.
keyword
system.auth.sudo.tty
The TTY where the sudo command is executed.
keyword
system.auth.sudo.user
The target user to which the sudo command is switching.
keyword
system.auth.syslog.version
keyword
system.auth.useradd.home
The home folder for the new user.
keyword
system.auth.useradd.shell
The default shell for the new user.
keyword
version
Operating system version as a raw string.
keyword

syslog

The syslog data stream provides system logs.

Supported operating systems

  • macOS
  • Linux

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

Exported fields

FieldDescriptionType
@timestamp
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
date
cloud.image.id
Image ID for the cloud instance.
keyword
data_stream.dataset
The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.namespace
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.type
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
constant_keyword
event.dataset
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
constant_keyword
event.module
Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.
constant_keyword
host.containerized
If the host is a container.
boolean
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
input.type
Input type
keyword
log.offset
Log offset
long

Metrics reference

Core

The System core data stream provides usage statistics for each CPU core.

Supported operating systems

  • FreeBSD
  • Linux
  • macOS
  • OpenBSD
  • Windows

Permissions

This data should be available without elevated permissions.

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

Exported fields

FieldDescriptionTypeUnitMetric Type
@timestamp
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
date
agent.id
Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.
keyword
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host, resource, or service is located.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host, resource, or service is located.
keyword
container.id
Unique container id.
keyword
data_stream.dataset
The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.namespace
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.type
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
constant_keyword
event.dataset
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
constant_keyword
event.module
Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.
constant_keyword
host.containerized
If the host is a container.
boolean
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
system.core.id
CPU Core number.
keyword
system.core.idle.pct
The percentage of CPU time spent idle.
scaled_float
percent
gauge
system.core.idle.ticks
The amount of CPU time spent idle.
long
counter
system.core.iowait.pct
The percentage of CPU time spent in wait (on disk).
scaled_float
percent
gauge
system.core.iowait.ticks
The amount of CPU time spent in wait (on disk).
long
counter
system.core.irq.pct
The percentage of CPU time spent servicing and handling hardware interrupts.
scaled_float
percent
gauge
system.core.irq.ticks
The amount of CPU time spent servicing and handling hardware interrupts.
long
counter
system.core.nice.pct
The percentage of CPU time spent on low-priority processes.
scaled_float
percent
gauge
system.core.nice.ticks
The amount of CPU time spent on low-priority processes.
long
counter
system.core.softirq.pct
The percentage of CPU time spent servicing and handling software interrupts.
scaled_float
percent
gauge
system.core.softirq.ticks
The amount of CPU time spent servicing and handling software interrupts.
long
counter
system.core.steal.pct
The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
scaled_float
percent
gauge
system.core.steal.ticks
The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
long
counter
system.core.system.pct
The percentage of CPU time spent in kernel space.
scaled_float
percent
gauge
system.core.system.ticks
The amount of CPU time spent in kernel space.
long
counter
system.core.user.pct
The percentage of CPU time spent in user space.
scaled_float
percent
gauge
system.core.user.ticks
The amount of CPU time spent in user space.
long
counter

CPU

The System cpu data stream provides CPU statistics.

Supported operating systems

  • FreeBSD
  • Linux
  • macOS
  • OpenBSD
  • Windows

Permissions

This data should be available without elevated permissions.

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

Exported fields

FieldDescriptionTypeUnitMetric Type
@timestamp
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
date
agent.id
Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.
keyword
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host, resource, or service is located.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host, resource, or service is located.
keyword
container.id
Unique container id.
keyword
data_stream.dataset
The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.namespace
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.type
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
constant_keyword
event.dataset
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
constant_keyword
event.module
Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.
constant_keyword
host.containerized
If the host is a container.
boolean
host.cpu.pct
Percent CPU used. This value is normalized by the number of CPU cores and it ranges from 0 to 1.
scaled_float
percent
gauge
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
system.cpu.cores
The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of 100% \* cores. The normalized percentages already take this value into account and have a maximum value of 100%.
long
gauge
system.cpu.idle.norm.pct
The percentage of CPU time spent idle.
scaled_float
percent
gauge
system.cpu.idle.pct
The percentage of CPU time spent idle.
scaled_float
percent
gauge
system.cpu.idle.ticks
The amount of CPU time spent idle.
long
counter
system.cpu.iowait.norm.pct
The percentage of CPU time spent in wait (on disk).
scaled_float
percent
gauge
system.cpu.iowait.pct
The percentage of CPU time spent in wait (on disk).
scaled_float
percent
gauge
system.cpu.iowait.ticks
The amount of CPU time spent in wait (on disk).
long
counter
system.cpu.irq.norm.pct
The percentage of CPU time spent servicing and handling hardware interrupts.
scaled_float
percent
gauge
system.cpu.irq.pct
The percentage of CPU time spent servicing and handling hardware interrupts.
scaled_float
percent
gauge
system.cpu.irq.ticks
The amount of CPU time spent servicing and handling hardware interrupts.
long
counter
system.cpu.nice.norm.pct
The percentage of CPU time spent on low-priority processes.
scaled_float
percent
gauge
system.cpu.nice.pct
The percentage of CPU time spent on low-priority processes.
scaled_float
percent
gauge
system.cpu.nice.ticks
The amount of CPU time spent on low-priority processes.
long
counter
system.cpu.softirq.norm.pct
The percentage of CPU time spent servicing and handling software interrupts.
scaled_float
percent
gauge
system.cpu.softirq.pct
The percentage of CPU time spent servicing and handling software interrupts.
scaled_float
percent
gauge
system.cpu.softirq.ticks
The amount of CPU time spent servicing and handling software interrupts.
long
counter
system.cpu.steal.norm.pct
The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
scaled_float
percent
gauge
system.cpu.steal.pct
The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
scaled_float
percent
gauge
system.cpu.steal.ticks
The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix.
long
counter
system.cpu.system.norm.pct
The percentage of CPU time spent in kernel space.
scaled_float
percent
gauge
system.cpu.system.pct
The percentage of CPU time spent in kernel space.
scaled_float
percent
gauge
system.cpu.system.ticks
The amount of CPU time spent in kernel space.
long
counter
system.cpu.total.norm.pct
The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores.
scaled_float
percent
gauge
system.cpu.total.pct
The percentage of CPU time spent in states other than Idle and IOWait.
scaled_float
percent
gauge
system.cpu.user.norm.pct
The percentage of CPU time spent in user space.
scaled_float
percent
gauge
system.cpu.user.pct
The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the system.cpu.user.pct will be 180%.
scaled_float
percent
gauge
system.cpu.user.ticks
The amount of CPU time spent in user space.
long
counter

Disk IO

The System diskio data stream provides disk IO metrics collected from the operating system. One event is created for each disk mounted on the system.

Note: For retrieving Linux-specific disk I/O metrics, use the Linux integration.

Supported operating systems

  • Linux
  • macOS (requires 10.10+)
  • Windows
  • FreeBSD (amd64)

Permissions

This data should be available without elevated permissions.

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

Exported fields

FieldDescriptionTypeUnitMetric Type
@timestamp
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
date
agent.id
Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.
keyword
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host, resource, or service is located.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host, resource, or service is located.
keyword
container.id
Unique container id.
keyword
data_stream.dataset
The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.namespace
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.type
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
constant_keyword
event.dataset
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
constant_keyword
event.module
Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.
constant_keyword
host.containerized
If the host is a container.
boolean
host.disk.read.bytes
The total number of bytes (gauge) read successfully (aggregated from all disks) since the last metric collection.
long
byte
gauge
host.disk.write.bytes
The total number of bytes (gauge) written successfully (aggregated from all disks) since the last metric collection.
long
byte
gauge
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
system.diskio.io.time
The total amount of time in milliseconds spent doing I/Os.
long
counter
system.diskio.name
The disk name.
keyword
system.diskio.read.bytes
The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512.
long
byte
counter
system.diskio.read.count
The total number of reads completed successfully.
long
counter
system.diskio.read.time
The total amount of time in milliseconds spent by all reads.
long
counter
system.diskio.serial_number
The disk's serial number. This may not be provided by all operating systems.
keyword
system.diskio.write.bytes
The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512.
long
byte
counter
system.diskio.write.count
The total number of writes completed successfully.
long
counter
system.diskio.write.time
The total amount of time in milliseconds spent by all writes.
long
counter

Filesystem

The System filesystem data stream provides file system statistics. For each file system, one document is provided.

Supported operating systems

  • FreeBSD
  • Linux
  • macOS
  • OpenBSD
  • Windows

Permissions

This data should be available without elevated permissions.

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

Exported fields

FieldDescriptionTypeUnitMetric Type
@timestamp
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
date
agent.id
Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.
keyword
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host, resource, or service is located.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host, resource, or service is located.
keyword
container.id
Unique container id.
keyword
data_stream.dataset
The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.namespace
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.type
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
constant_keyword
event.dataset
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
constant_keyword
event.module
Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.
constant_keyword
host.containerized
If the host is a container.
boolean
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
system.filesystem.available
The disk space available to an unprivileged user in bytes.
long
byte
gauge
system.filesystem.device_name
The disk name. For example: /dev/disk1
keyword
system.filesystem.files
The total number of file nodes in the file system.
long
gauge
system.filesystem.free
The disk space available in bytes.
long
byte
gauge
system.filesystem.free_files
The number of free file nodes in the file system.
long
gauge
system.filesystem.mount_point
The mounting point. For example: /
keyword
system.filesystem.total
The total disk space in bytes.
long
byte
gauge
system.filesystem.type
The disk type. For example: ext4
keyword
system.filesystem.used.bytes
The used disk space in bytes.
long
byte
gauge
system.filesystem.used.pct
The percentage of used disk space.
scaled_float
percent
gauge

Fsstat

The System fsstat data stream provides overall file system statistics.

Supported operating systems

  • FreeBSD
  • Linux
  • macOS
  • OpenBSD
  • Windows

Permissions

This data should be available without elevated permissions.

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

Exported fields

FieldDescriptionTypeUnitMetric Type
@timestamp
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
date
agent.id
Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.
keyword
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host, resource, or service is located.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host, resource, or service is located.
keyword
container.id
Unique container id.
keyword
data_stream.dataset
The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.namespace
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.type
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
constant_keyword
event.dataset
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
constant_keyword
event.module
Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.
constant_keyword
host.containerized
If the host is a container.
boolean
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
system.fsstat.count
Number of file systems found.
long
gauge
system.fsstat.total_files
Total number of files.
long
gauge
system.fsstat.total_size.free
Total free space.
long
byte
gauge
system.fsstat.total_size.total
Total space (used plus free).
long
byte
gauge
system.fsstat.total_size.used
Total used space.
long
byte
gauge

Load

The System load data stream provides load statistics.

Supported operating systems

  • FreeBSD
  • Linux
  • macOS
  • OpenBSD

Permissions

This data should be available without elevated permissions.

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

Exported fields

FieldDescriptionTypeMetric Type
@timestamp
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
date
agent.id
Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.
keyword
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host, resource, or service is located.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host, resource, or service is located.
keyword
container.id
Unique container id.
keyword
data_stream.dataset
The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.namespace
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.type
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
constant_keyword
event.dataset
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
constant_keyword
event.module
Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.
constant_keyword
host.containerized
If the host is a container.
boolean
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
system.load.1
Load average for the last minute.
scaled_float
gauge
system.load.15
Load average for the last 15 minutes.
scaled_float
gauge
system.load.5
Load average for the last 5 minutes.
scaled_float
gauge
system.load.cores
The number of CPU cores present on the host.
long
gauge
system.load.norm.1
Load for the last minute divided by the number of cores.
scaled_float
gauge
system.load.norm.15
Load for the last 15 minutes divided by the number of cores.
scaled_float
gauge
system.load.norm.5
Load for the last 5 minutes divided by the number of cores.
scaled_float
gauge

Memory

The System memory data stream provides memory statistics.

Note: For retrieving Linux-specific memory metrics, use the Linux integration.

Supported operating systems

  • FreeBSD
  • Linux
  • macOS
  • OpenBSD
  • Windows

Permissions

This data should be available without elevated permissions.

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

Exported fields

FieldDescriptionTypeUnitMetric Type
@timestamp
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
date
agent.id
Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.
keyword
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host, resource, or service is located.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host, resource, or service is located.
keyword
container.id
Unique container id.
keyword
data_stream.dataset
The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.namespace
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.type
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
constant_keyword
event.dataset
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
constant_keyword
event.module
Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.
constant_keyword
host.containerized
If the host is a container.
boolean
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
system.memory.actual.free
Actual free memory in bytes. It is calculated based on the OS. On Linux this value will be MemAvailable from /proc/meminfo, or calculated from free memory plus caches and buffers if /proc/meminfo is not available. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to system.memory.free.
long
byte
gauge
system.memory.actual.used.bytes
Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check system.actual.free.
long
byte
gauge
system.memory.actual.used.pct
The percentage of actual used memory.
scaled_float
percent
gauge
system.memory.free
The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free).
long
byte
gauge
system.memory.swap.free
Available swap memory.
long
byte
gauge
system.memory.swap.total
Total swap memory.
long
byte
gauge
system.memory.swap.used.bytes
Used swap memory.
long
byte
gauge
system.memory.swap.used.pct
The percentage of used swap memory.
scaled_float
percent
gauge
system.memory.total
Total memory.
long
byte
gauge
system.memory.used.bytes
Used memory.
long
byte
gauge
system.memory.used.pct
The percentage of used memory.
scaled_float
percent
gauge

Network

The System network data stream provides network IO metrics collected from the operating system. One event is created for each network interface.

Supported operating systems

  • FreeBSD
  • Linux
  • macOS
  • Windows

Permissions

This data should be available without elevated permissions.

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

Exported fields

FieldDescriptionTypeUnitMetric Type
@timestamp
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
date
agent.id
Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.
keyword
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host, resource, or service is located.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host, resource, or service is located.
keyword
container.id
Unique container id.
keyword
data_stream.dataset
The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.namespace
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.type
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
constant_keyword
event.dataset
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
constant_keyword
event.module
Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.
constant_keyword
host.containerized
If the host is a container.
boolean
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.
keyword
host.network.in.bytes
The number of bytes received on all network interfaces by the host in a given period of time.
long
byte
counter
host.network.in.packets
The number of packets received on all network interfaces by the host in a given period of time.
long
counter
host.network.out.bytes
The number of bytes sent out on all network interfaces by the host in a given period of time.
long
byte
counter
host.network.out.packets
The number of packets sent out on all network interfaces by the host in a given period of time.
long
counter
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
system.network.in.bytes
The number of bytes received.
long
byte
counter
system.network.in.dropped
The number of incoming packets that were dropped.
long
counter
system.network.in.errors
The number of errors while receiving.
long
counter
system.network.in.packets
The number or packets received.
long
counter
system.network.name
The network interface name.
keyword
system.network.out.bytes
The number of bytes sent.
long
byte
counter
system.network.out.dropped
The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system.
long
counter
system.network.out.errors
The number of errors while sending.
long
counter
system.network.out.packets
The number of packets sent.
long
counter

Process

The System process data stream provides process statistics. One document is provided for each process.

Supported operating systems

  • FreeBSD
  • Linux
  • macOS
  • Windows

Permissions

Process execution data should be available for an authorized user. If running as less privileged user, it may not be able to read process data belonging to other users.

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

Exported fields

FieldDescriptionTypeUnitMetric Type
@timestamp
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
date
agent.id
Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.
keyword
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host, resource, or service is located.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host, resource, or service is located.
keyword
container.id
Unique container id.
keyword
data_stream.dataset
The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.namespace
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.type
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
constant_keyword
event.dataset
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
constant_keyword
event.module
Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.
constant_keyword
host.containerized
If the host is a container.
boolean
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
process.cpu.pct
The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 1.
scaled_float
process.cpu.start_time
The time when the process was started.
date
process.memory.pct
The percentage of memory the process occupied in main memory (RAM).
scaled_float
process.pid
Process id.
long
process.state
The process state. For example: "running".
keyword
system.process.cgroup.blkio.id
ID of the cgroup.
keyword
system.process.cgroup.blkio.path
Path to the cgroup relative to the cgroup subsystems mountpoint.
keyword
system.process.cgroup.blkio.total.bytes
Total number of bytes transferred to and from all block devices by processes in the cgroup.
long
counter
system.process.cgroup.blkio.total.ios
Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy.
long
counter
system.process.cgroup.cgroups_version
The version of cgroups reported for the process
long
system.process.cgroup.cpu.cfs.period.us
Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated.
long
gauge
system.process.cgroup.cpu.cfs.quota.us
Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us).
long
gauge
system.process.cgroup.cpu.cfs.shares
An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher.
long
gauge
system.process.cgroup.cpu.id
ID of the cgroup.
keyword
system.process.cgroup.cpu.path
Path to the cgroup relative to the cgroup subsystem's mountpoint.
keyword
system.process.cgroup.cpu.pressure.full.10.pct
Pressure over 10 seconds
float
gauge
system.process.cgroup.cpu.pressure.full.300.pct
Pressure over 300 seconds
float
gauge
system.process.cgroup.cpu.pressure.full.60.pct
Pressure over 60 seconds
float
gauge
system.process.cgroup.cpu.pressure.full.total
total Full pressure time
long
counter
system.process.cgroup.cpu.pressure.some.10.pct
Pressure over 10 seconds
float
gauge
system.process.cgroup.cpu.pressure.some.300.pct
Pressure over 300 seconds
float
gauge
system.process.cgroup.cpu.pressure.some.60.pct
Pressure over 60 seconds
float
gauge
system.process.cgroup.cpu.pressure.some.total
total Some pressure time
long
counter
system.process.cgroup.cpu.rt.period.us
Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated.
long
gauge
system.process.cgroup.cpu.rt.runtime.us
Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources.
long
gauge
system.process.cgroup.cpu.stats.periods
Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed.
long
counter
system.process.cgroup.cpu.stats.system.norm.pct
cgroups v2 normalized system time
float
gauge
system.process.cgroup.cpu.stats.system.ns
cgroups v2 system time in nanoseconds
long
counter
system.process.cgroup.cpu.stats.system.pct
cgroups v2 system time
float
gauge
system.process.cgroup.cpu.stats.throttled.ns
The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled.
long
counter
system.process.cgroup.cpu.stats.throttled.periods
Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota).
long
counter
system.process.cgroup.cpu.stats.throttled.us
The total time duration (in microseconds) for which tasks in a cgroup have been throttled, as reported by cgroupsv2
long
counter
system.process.cgroup.cpu.stats.usage.norm.pct
cgroups v2 normalized usage
float
gauge
system.process.cgroup.cpu.stats.usage.ns
cgroups v2 usage in nanoseconds
long
counter
system.process.cgroup.cpu.stats.usage.pct
cgroups v2 usage
float
gauge
system.process.cgroup.cpu.stats.user.norm.pct
cgroups v2 normalized cpu user time
float
gauge
system.process.cgroup.cpu.stats.user.ns
cgroups v2 cpu user time in nanoseconds
long
counter
system.process.cgroup.cpu.stats.user.pct
cgroups v2 cpu user time
float
gauge
system.process.cgroup.cpuacct.id
ID of the cgroup.
keyword
system.process.cgroup.cpuacct.path
Path to the cgroup relative to the cgroup subsystem's mountpoint.
keyword
system.process.cgroup.cpuacct.percpu
CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup.
object
gauge
system.process.cgroup.cpuacct.stats.system.norm.pct
Time the cgroup spent in kernel space, as a percentage of total CPU time, normalized by CPU count.
scaled_float
gauge
system.process.cgroup.cpuacct.stats.system.ns
CPU time consumed by tasks in user (kernel) mode.
long
counter
system.process.cgroup.cpuacct.stats.system.pct
Time the cgroup spent in kernel space, as a percentage of total CPU time
scaled_float
gauge
system.process.cgroup.cpuacct.stats.user.norm.pct
time the cgroup spent in user space, as a percentage of total CPU time, normalized by CPU count.
scaled_float
gauge
system.process.cgroup.cpuacct.stats.user.ns
CPU time consumed by tasks in user mode.
long
counter
system.process.cgroup.cpuacct.stats.user.pct
time the cgroup spent in user space, as a percentage of total CPU time
scaled_float
gauge
system.process.cgroup.cpuacct.total.norm.pct
CPU time of the cgroup as a percentage of overall CPU time, normalized by CPU count. This is functionally an average of time spent across individual CPUs.
scaled_float
gauge
system.process.cgroup.cpuacct.total.ns
Total CPU time in nanoseconds consumed by all tasks in the cgroup.
long
counter
system.process.cgroup.cpuacct.total.pct
CPU time of the cgroup as a percentage of overall CPU time.
scaled_float
gauge
system.process.cgroup.id
The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent.
keyword
system.process.cgroup.io.id
ID of the cgroup.
keyword
system.process.cgroup.io.path
Path to the cgroup relative to the cgroup subsystems mountpoint.
keyword
system.process.cgroup.io.pressure.full.10.pct
Pressure over 10 seconds
float
gauge
system.process.cgroup.io.pressure.full.300.pct
Pressure over 300 seconds
float
gauge
system.process.cgroup.io.pressure.full.60.pct
Pressure over 60 seconds
float
gauge
system.process.cgroup.io.pressure.full.total
total Some pressure time
long
counter
system.process.cgroup.io.pressure.some.10.pct
Pressure over 10 seconds
float
gauge
system.process.cgroup.io.pressure.some.300.pct
Pressure over 300 seconds
float
gauge
system.process.cgroup.io.pressure.some.60.pct
Pressure over 60 seconds
float
gauge
system.process.cgroup.io.pressure.some.total
total Some pressure time
long
counter
system.process.cgroup.io.stats.*.*.bytes
per-device bytes usage stats
object
gauge
system.process.cgroup.io.stats.*.*.ios
per-device IO usage stats
object
gauge
system.process.cgroup.memory.id
ID of the cgroup.
keyword
system.process.cgroup.memory.kmem.failures
The number of times that the memory limit (kmem.limit.bytes) was reached.
long
counter
system.process.cgroup.memory.kmem.limit.bytes
The maximum amount of kernel memory that tasks in the cgroup are allowed to use.
long
gauge
system.process.cgroup.memory.kmem.usage.bytes
Total kernel memory usage by processes in the cgroup (in bytes).
long
gauge
system.process.cgroup.memory.kmem.usage.max.bytes
The maximum kernel memory used by processes in the cgroup (in bytes).
long
gauge
system.process.cgroup.memory.kmem_tcp.failures
The number of times that the memory limit (kmem_tcp.limit.bytes) was reached.
long
counter
system.process.cgroup.memory.kmem_tcp.limit.bytes
The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use.
long
gauge
system.process.cgroup.memory.kmem_tcp.usage.bytes
Total memory usage for TCP buffers in bytes.
long
gauge
system.process.cgroup.memory.kmem_tcp.usage.max.bytes
The maximum memory used for TCP buffers by processes in the cgroup (in bytes).
long
gauge
system.process.cgroup.memory.mem.events.fail
failed threshold
long
counter
system.process.cgroup.memory.mem.events.high
high threshold
long
counter
system.process.cgroup.memory.mem.events.low
low threshold
long
counter
system.process.cgroup.memory.mem.events.max
max threshold
long
counter
system.process.cgroup.memory.mem.events.oom
oom threshold
long
counter
system.process.cgroup.memory.mem.events.oom_kill
oom killer threshold
long
counter
system.process.cgroup.memory.mem.failures
The number of times that the memory limit (mem.limit.bytes) was reached.
long
counter
system.process.cgroup.memory.mem.high.bytes
memory high threshhold
long
gauge
system.process.cgroup.memory.mem.limit.bytes
The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use.
long
gauge
system.process.cgroup.memory.mem.low.bytes
memory low threshhold
long
gauge
system.process.cgroup.memory.mem.max.bytes
memory max threshhold
long
gauge
system.process.cgroup.memory.mem.usage.bytes
Total memory usage by processes in the cgroup (in bytes).
long
gauge
system.process.cgroup.memory.mem.usage.max.bytes
The maximum memory used by processes in the cgroup (in bytes).
long
gauge
system.process.cgroup.memory.memsw.events.fail
failed threshold
long
counter
system.process.cgroup.memory.memsw.events.high
high threshold
long
counter
system.process.cgroup.memory.memsw.events.low
low threshold
long
counter
system.process.cgroup.memory.memsw.events.max
max threshold
long
counter
system.process.cgroup.memory.memsw.events.oom
oom threshold
long
counter
system.process.cgroup.memory.memsw.events.oom_kill
oom killer threshold
long
counter
system.process.cgroup.memory.memsw.failures
The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached.
long
counter
system.process.cgroup.memory.memsw.high.bytes
memory high threshhold
long
gauge
system.process.cgroup.memory.memsw.limit.bytes
The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use.
long
gauge
system.process.cgroup.memory.memsw.low.bytes
memory low threshhold
long
gauge
system.process.cgroup.memory.memsw.max.bytes
memory max threshhold
long
gauge
system.process.cgroup.memory.memsw.usage.bytes
The sum of current memory usage plus swap space used by processes in the cgroup (in bytes).
long
gauge
system.process.cgroup.memory.memsw.usage.max.bytes
The maximum amount of memory and swap space used by processes in the cgroup (in bytes).
long
gauge
system.process.cgroup.memory.path
Path to the cgroup relative to the cgroup subsystem's mountpoint.
keyword
system.process.cgroup.memory.stats.*.bytes
detailed memory IO stats
object
gauge
system.process.cgroup.memory.stats.active_anon.bytes
Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes.
long
gauge
system.process.cgroup.memory.stats.active_file.bytes
File-backed memory on active LRU list, in bytes.
long
gauge
system.process.cgroup.memory.stats.cache.bytes
Page cache, including tmpfs (shmem), in bytes.
long
gauge
system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes
Memory limit for the hierarchy that contains the memory cgroup, in bytes.
long
gauge
system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes
Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes.
long
gauge
system.process.cgroup.memory.stats.inactive_anon.bytes
Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes
long
gauge
system.process.cgroup.memory.stats.inactive_file.bytes
File-backed memory on inactive LRU list, in bytes.
long
gauge
system.process.cgroup.memory.stats.major_page_faults
Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk.
long
counter
system.process.cgroup.memory.stats.mapped_file.bytes
Size of memory-mapped mapped files, including tmpfs (shmem), in bytes.
long
gauge
system.process.cgroup.memory.stats.page_faults
Number of times that a process in the cgroup triggered a page fault.
long
counter
system.process.cgroup.memory.stats.pages_in
Number of pages paged into memory. This is a counter.
long
counter
system.process.cgroup.memory.stats.pages_out
Number of pages paged out of memory. This is a counter.
long
counter
system.process.cgroup.memory.stats.rss.bytes
Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes.
long
gauge
system.process.cgroup.memory.stats.rss_huge.bytes
Number of bytes of anonymous transparent hugepages.
long
gauge
system.process.cgroup.memory.stats.swap.bytes
Swap usage, in bytes.
long
gauge
system.process.cgroup.memory.stats.unevictable.bytes
Memory that cannot be reclaimed, in bytes.
long
gauge
system.process.cgroup.path
The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent.
keyword
system.process.cmdline
The full command-line used to start the process, including the arguments separated by space.
keyword
system.process.cpu.start_time
The time when the process was started.
date
system.process.cpu.system.ticks
The amount of CPU time the process spent in kernel space.
long
counter
system.process.cpu.total.norm.pct
The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%.
scaled_float
percent
gauge
system.process.cpu.total.pct
The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems.
scaled_float
percent
gauge
system.process.cpu.total.ticks
The total CPU time spent by the process.
long
counter
system.process.cpu.total.value
The value of CPU usage since starting the process.
long
counter
system.process.cpu.user.ticks
The amount of CPU time the process spent in user space.
long
counter
system.process.env
The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X.
flattened
system.process.fd.limit.hard
The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root.
long
gauge
system.process.fd.limit.soft
The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time.
long
gauge
system.process.fd.open
The number of file descriptors open by the process.
long
gauge
system.process.io.cancelled_write_bytes
The number of bytes this process cancelled, or caused not to be written.
long
byte
counter
system.process.io.read_bytes
The number of bytes fetched from the storage layer.
long
byte
counter
system.process.io.read_char
The number of bytes read from read(2) and similar syscalls.
long
byte
counter
system.process.io.read_ops
The count of read-related syscalls.
long
counter
system.process.io.write_bytes
The number of bytes written to the storage layer.
long
byte
counter
system.process.io.write_char
The number of bytes sent to syscalls for writing.
long
byte
counter
system.process.io.write_ops
The count of write-related syscalls.
long
counter
system.process.memory.rss.bytes
The Resident Set Size. The amount of memory the process occupied in main memory (RAM). On Windows this represents the current working set size, in bytes.
long
byte
gauge
system.process.memory.rss.pct
The percentage of memory the process occupied in main memory (RAM).
scaled_float
percent
gauge
system.process.memory.share
The shared memory the process uses.
long
byte
gauge
system.process.memory.size
The total virtual memory the process has. On Windows this represents the Commit Charge (the total amount of memory that the memory manager has committed for a running process) value in bytes for this process.
long
byte
gauge
system.process.num_threads
Number of threads in the process
integer
system.process.state
The process state. For example: "running".
keyword

Process summary

The process_summary data stream collects high level statistics about the running processes.

Supported operating systems

  • FreeBSD
  • Linux
  • macOS
  • Windows

Permissions

General process summary data should be available without elevated permissions. If the process data belongs to the other users, it will be counted as unknown value.

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

Exported fields

FieldDescriptionTypeMetric Type
@timestamp
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
date
agent.id
Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.
keyword
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host, resource, or service is located.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host, resource, or service is located.
keyword
container.id
Unique container id.
keyword
data_stream.dataset
The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.namespace
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.type
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
constant_keyword
event.dataset
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
constant_keyword
event.module
Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.
constant_keyword
host.containerized
If the host is a container.
boolean
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
system.process.summary.dead
Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen.
long
gauge
system.process.summary.idle
Number of idle processes on this host.
long
gauge
system.process.summary.running
Number of running processes on this host.
long
gauge
system.process.summary.sleeping
Number of sleeping processes on this host.
long
gauge
system.process.summary.stopped
Number of stopped processes on this host.
long
gauge
system.process.summary.total
Total number of processes on this host.
long
gauge
system.process.summary.unknown
Number of processes for which the state couldn't be retrieved or is unknown.
long
gauge
system.process.summary.zombie
Number of zombie processes on this host.
long
gauge

Socket summary

The System socket_summary data stream provides the summary of open network sockets in the host system.

It collects a summary of metrics with the count of existing TCP and UDP connections and the count of listening ports.

Supported operating systems

  • FreeBSD
  • Linux
  • macOS
  • Windows

Permissions

This data should be available without elevated permissions.

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

Exported fields

FieldDescriptionTypeUnitMetric Type
@timestamp
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
date
agent.id
Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.
keyword
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host, resource, or service is located.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host, resource, or service is located.
keyword
container.id
Unique container id.
keyword
data_stream.dataset
The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.namespace
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.type
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
constant_keyword
event.dataset
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
constant_keyword
event.module
Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.
constant_keyword
host.containerized
If the host is a container.
boolean
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
system.socket.summary.all.count
All open connections
integer
gauge
system.socket.summary.all.listening
All listening ports
integer
gauge
system.socket.summary.tcp.all.close_wait
Number of TCP connections in close_wait state
integer
gauge
system.socket.summary.tcp.all.closing
Number of TCP connections in closing state
integer
gauge
system.socket.summary.tcp.all.count
All open TCP connections
integer
gauge
system.socket.summary.tcp.all.established
Number of established TCP connections
integer
gauge
system.socket.summary.tcp.all.fin_wait1
Number of TCP connections in fin_wait1 state
integer
gauge
system.socket.summary.tcp.all.fin_wait2
Number of TCP connections in fin_wait2 state
integer
gauge
system.socket.summary.tcp.all.last_ack
Number of TCP connections in last_ack state
integer
gauge
system.socket.summary.tcp.all.listening
All TCP listening ports
integer
gauge
system.socket.summary.tcp.all.orphan
A count of all orphaned tcp sockets. Only available on Linux.
integer
gauge
system.socket.summary.tcp.all.syn_recv
Number of TCP connections in syn_recv state
integer
gauge
system.socket.summary.tcp.all.syn_sent
Number of TCP connections in syn_sent state
integer
gauge
system.socket.summary.tcp.all.time_wait
Number of TCP connections in time_wait state
integer
gauge
system.socket.summary.tcp.memory
Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux.
integer
byte
gauge
system.socket.summary.udp.all.count
All open UDP connections
integer
gauge
system.socket.summary.udp.memory
Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux.
integer
byte
gauge

Uptime

The System uptime data stream provides the uptime of the host operating system.

Supported operating systems

  • Linux
  • macOS
  • OpenBSD
  • FreeBSD
  • Windows

Permissions

This data should be available without elevated permissions.

ECS Field Reference

Please refer to the following document for detailed information on ECS fields.

Exported fields

FieldDescriptionTypeUnitMetric Type
@timestamp
Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events.
date
agent.id
Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.
keyword
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host, resource, or service is located.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host, resource, or service is located.
keyword
container.id
Unique container id.
keyword
data_stream.dataset
The field can contain anything that makes sense to signify the source of the data. Examples include nginx.access, prometheus, endpoint etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. event.dataset should have the same value as data_stream.dataset. Beyond the Elasticsearch data stream naming criteria noted above, the dataset value has additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.namespace
A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with default. If no value is used, it falls back to default. Beyond the Elasticsearch index naming criteria noted above, namespace value has the additional restrictions: * Must not contain - * No longer than 100 characters
constant_keyword
data_stream.type
An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future.
constant_keyword
event.dataset
Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name.
constant_keyword
event.module
Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), event.module should contain the name of this module.
constant_keyword
host.containerized
If the host is a container.
boolean
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
system.uptime.duration.ms
The OS uptime in milliseconds.
long
ms
counter

Changelog

VersionDetailsKibana version(s)

1.60.4

Bug fix View pull request
Fix IPv6 cleanup step.

8.13.0 or higher

1.60.3

Bug fix View pull request
Fix broken query on Users Renamed

8.13.0 or higher

1.60.2

Bug fix View pull request
Add windows.forward where it was missing on visualizations and searches.

8.13.0 or higher

1.60.1

Bug fix View pull request
Ensure process.name is populated from syslog messages

8.13.0 or higher

1.60.0

Enhancement View pull request
Add caseless fields to process events.

8.13.0 or higher

1.59.4

Enhancement View pull request
Mark system.diskio data stream as requires root

8.13.0 or higher

1.59.3

Bug fix View pull request
Convert error.code to string for winlog inputs

8.13.0 or higher

1.59.2

8.13.0 or higher

1.59.1

Bug fix View pull request
Ensure the syslog processor is not used with Elastic Agent 7.17.X versions.

8.13.0 or higher

1.59.0

Enhancement View pull request
ECS version updated to 8.11.0. Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

8.13.0 or higher

1.58.2

Bug fix View pull request
Fix filesystem ignore_types

8.12.0 or higher

1.58.1

Bug fix View pull request
Fix metrics overview dashboard.

8.12.0 or higher

1.58.0

Enhancement View pull request
Mark logs-system.syslog data stream as requires root

8.12.0 or higher

1.57.0

Enhancement View pull request
Adjust winlog.event_data.AttributeValue ignore_above parameter and add wildcard multi-field.

8.12.0 or higher

1.56.0

Enhancement View pull request
Add custom configuration option to windows system inputs.

8.12.0 or higher

1.55.2

Bug fix View pull request
Fix typos in Failed and Block Accounts dashboard.

8.12.0 or higher

1.55.1

Bug fix View pull request
Add missing preserve_original_event tag when toggled on.

8.12.0 or higher

1.55.0

Enhancement View pull request
Add global filter on data_stream.dataset to improve performance.

8.12.0 or higher

1.54.0

Enhancement View pull request
Enable 'secret' for the sensitive fields.

8.12.0 or higher

1.53.1

Enhancement View pull request
Inline "by reference" visualizations

8.11.0 or higher

1.53.0

Enhancement View pull request
Enable TSDB by default for core datastream. This improves storage usage and query performance. For more details, see https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html

8.11.0 or higher

1.52.0

Enhancement View pull request
Add missing num_threads field in system/process

8.11.0 or higher

1.51.0

Enhancement View pull request
Add fields for IO metrics in system/process

8.10.2 or higher

1.50.1

Enhancement View pull request
Improve the wording on milliseconds.

8.10.2 or higher

1.50.0

Bug fix View pull request
Fix the message parsing failure in syslog datastream.

Enhancement View pull request
Make exclude files configurable in syslog datastream.

8.10.2 or higher

1.49.1

Bug fix View pull request
Fix handling of preserve original event configuration in syslog datastream.

Bug fix View pull request
Fix exclude files pattern.

8.10.2 or higher

1.49.0

Enhancement View pull request
Limit request tracer log count to five.

8.10.2 or higher

1.48.0

Enhancement View pull request
Adding EventID 4662 and 5136, to use the winlog.event_data.SubjectUserName as user.name and related.user

8.10.2 or higher

1.47.2

Bug fix View pull request
Fix UAC attribute bit table in security data stream.

8.10.2 or higher

1.47.1

Bug fix View pull request
Fix indentation of tags inside syslog datastream.

Enhancement View pull request
Add system tests for syslog datastream.

Bug fix View pull request
Add missing fields "input.type", "log.file.path", and "log.offset" into syslog datastream.

8.10.2 or higher

1.47.0

Enhancement View pull request
Add RFC 5424 support for Auth datastream

8.10.2 or higher

1.46.1

Bug fix View pull request
Added dimension setting to host.name field in memory and diskio datastream

8.10.2 or higher

1.46.0

Enhancement View pull request
Added field winlog.event_data.EnabledPrivilegeList as type keyword to security data stream.

8.10.2 or higher

1.45.0

Enhancement View pull request
Upgrade to package spec 3.0.0.

8.10.2 or higher

1.44.0

Enhancement View pull request
Enable TSDB by default for process datastream. This improves storage usage and query performance. For more details, see https://www.elastic.co/guide/en/elasticsearch/reference/current/tsds.html

8.10.2 or higher

1.43.0

Enhancement View pull request
Remove all remaining legacy visualizations.

8.10.2 or higher

1.42.0

Enhancement View pull request
Rework system metrics dashboards to use Lens and display current system state more reliably.

8.10.2 or higher

1.41.0

Enhancement View pull request
Modified the field definitions to reference ECS where possible and remove invalid field attributes.

8.9.0 or higher

1.40.0

Enhancement View pull request
Add metric_type metadata for object fields, set stack restriction to 8.9.0 version

8.9.0 or higher

1.39.0

Enhancement View pull request
Update documentation to remove unpopulated Linux-only field mappings in diskio and memory datastreams.

8.8.0 or higher

1.38.2

Bug fix View pull request
Validate ClientAddress IP for events 4778 and 4779

8.8.0 or higher

1.38.1

Enhancement View pull request
Remove duplicated fields in diskio datastream

8.8.0 or higher

1.38.0

Enhancement View pull request
Add source, destination and network fields for Windows Firewall events

8.8.0 or higher

1.37.1

Enhancement View pull request
Add metric_type metadata to the process data_stream

8.8.0 or higher

1.37.0

Enhancement View pull request
Improve event.action, event.category and event.outcome enrichment for auth datastream.

8.8.0 or higher

1.36.2

Bug fix View pull request
Add ecs mapping for error.code to avoid type conflicts

8.8.0 or higher

1.36.1

Bug fix