WARNING: Version 6.2 of Filebeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Log file content fieldsedit
Contains log file lines.
source
edit
type: keyword
required: True
The file from which the line was read. This field contains the absolute path to the file. For example: /var/log/system.log
.
offset
edit
type: long
required: False
The file offset the reported line starts at.
message
edit
type: text
required: True
The content of the line read from the log file.
stream
edit
type: keyword
required: False
Log stream when reading container logs, can be stdout or stderr
prospector.type
edit
required: True
The prospector type from which the event was generated. This field is set to the value specified for the type
option in the prospector section of the Filebeat config file.
read_timestamp
edit
In case the ingest pipeline parses the timestamp from the log contents, it stores the original @timestamp
(representing the time when the log line was read) in this field.
fileset.module
edit
The Filebeat module that generated this event.
fileset.name
edit
The Filebeat fileset that generated this event.