System Fields

Module for parsing system log files.

system Fields

Fields from the system log files.

auth Fields

Fields from the Linux authorization logs.

system.auth.timestamp

The timestamp as read from the auth message.

system.auth.hostname

The hostname as read from the auth message.

system.auth.program

The process name as read from the auth message.

system.auth.pid

type: long

The PID of the process that sent the auth message.

system.auth.message

The message in the log line.

system.auth.user

The Unix user that this event refers to.

ssh Fields

Fields specific to SSH login events.

system.auth.ssh.event

The SSH login event. Can be one of "Accepted", "Failed", or "Invalid". "Accepted" means a successful login. "Invalid" means that the user is not configured on the system. "Failed" means that the SSH login attempt has failed.

system.auth.ssh.method

The SSH authentication method. Can be one of "password" or "publickey".

system.auth.ssh.ip

type: ip

The client IP from where the login attempt was made.

system.auth.ssh.dropped_ip

type: ip

The client IP from SSH connections that are open and immediately dropped.

system.auth.ssh.port

type: long

The client port from where the login attempt was made.

system.auth.ssh.signature

The signature of the client public key.

geoip Fields

Contains GeoIP information gathered based on the system.auth.ip field. Only present if the GeoIP Elasticsearch plugin is available and used.

system.auth.ssh.geoip.continent_name

type: keyword

The name of the continent.

system.auth.ssh.geoip.city_name

type: keyword

The name of the city.

system.auth.ssh.geoip.region_name

type: keyword

The name of the region.

system.auth.ssh.geoip.country_iso_code

type: keyword

Country ISO code.

system.auth.ssh.geoip.location

type: geo_point

The longitude and latitude.

sudo Fields

Fields specific to events created by the sudo command.

system.auth.sudo.error

example: user NOT in sudoers

The error message in case the sudo command failed.

system.auth.sudo.tty

The TTY where the sudo command is executed.

system.auth.sudo.pwd

The current directory where the sudo command is executed.

system.auth.sudo.user

example: root

The target user to which the sudo command is switching.

system.auth.sudo.command

The command executed via sudo.
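To make the ssh and sudo field groups above concrete, here is an added example (not the module's own Go pipeline or its Elasticsearch ingest patterns) that parses constructed auth.log lines into a flat dict keyed by the documented field names and then counts Failed/Invalid SSH events per client IP, which is the kind of check a defender runs over these fields. The sample log lines, the regular expressions and the function names `parse_auth_line` and `failed_logins_by_ip` are all assumptions made for this example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Syslog envelope shared by every auth.log line: timestamp, hostname, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<program>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)
# sshd message shapes that fill system.auth.ssh.* (Accepted/Failed, Invalid user, dropped connection)
SSH_LOGIN_RE = re.compile(
    r"^(?P<event>Accepted|Failed) (?P<method>password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2(?:: (?P<signature>.+))?$"
)
SSH_INVALID_RE = re.compile(
    r"^(?P<event>Invalid) user (?P<user>\S+) from (?P<ip>\S+)(?: port (?P<port>\d+))?$"
)
SSH_DROPPED_RE = re.compile(r"^Did not receive identification string from (?P<dropped_ip>\S+)$")
# sudo message shape that fills system.auth.sudo.*; the error segment only appears on failure
SUDO_RE = re.compile(
    r"^\s*(?P<user>\S+) : (?:(?P<error>.+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<sudo_user>\S+) ; COMMAND=(?P<command>.*)$"
)

# Constructed sample lines (RFC 5737 documentation addresses), not real log data
SAMPLE_AUTH_LOG = [
    "Feb 14 10:32:01 host1 sshd[1234]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2: RSA SHA256:Q2xlYXJseUNvbnN0cnVjdGVk",
    "Feb 14 10:32:05 host1 sshd[1235]: Failed password for bob from 198.51.100.7 port 40022 ssh2",
    "Feb 14 10:32:07 host1 sshd[1237]: Failed password for invalid user test from 198.51.100.7 port 40030 ssh2",
    "Feb 14 10:32:09 host1 sshd[1236]: Invalid user admin from 203.0.113.5 port 3389",
    "Feb 14 10:33:00 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls",
    "Feb 14 10:33:10 host1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt update",
    "Feb 14 10:34:00 host1 sshd[1240]: Did not receive identification string from 203.0.113.9",
]


def parse_auth_line(line: str) -> Optional[Dict[str, object]]:
    """Return a flat dict keyed by the documented system.auth.* field names, or None if unparsable."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ev: Dict[str, object] = {
        "system.auth.timestamp": m["timestamp"],
        "system.auth.hostname": m["hostname"],
        "system.auth.program": m["program"],
        "system.auth.message": m["message"],
    }
    if m["pid"] is not None:
        ev["system.auth.pid"] = int(m["pid"])  # documented type: long
    msg = m["message"]
    if m["program"] == "sshd":
        s = SSH_LOGIN_RE.match(msg) or SSH_INVALID_RE.match(msg)
        if s:
            ev["system.auth.user"] = s["user"]
            ev["system.auth.ssh.event"] = s["event"]
            ev["system.auth.ssh.ip"] = s["ip"]
            if s["port"] is not None:
                ev["system.auth.ssh.port"] = int(s["port"])  # documented type: long
            if "method" in s.groupdict():  # only the Accepted/Failed shape carries a method
                ev["system.auth.ssh.method"] = s["method"]
                if s["signature"]:
                    ev["system.auth.ssh.signature"] = s["signature"]
            return ev
        s = SSH_DROPPED_RE.match(msg)
        if s:
            ev["system.auth.ssh.dropped_ip"] = s["dropped_ip"]
    elif m["program"] == "sudo":
        s = SUDO_RE.match(msg)
        if s:
            ev["system.auth.user"] = s["user"]          # who invoked sudo
            ev["system.auth.sudo.tty"] = s["tty"]
            ev["system.auth.sudo.pwd"] = s["pwd"]
            ev["system.auth.sudo.user"] = s["sudo_user"]  # target user, e.g. root
            ev["system.auth.sudo.command"] = s["command"]
            if s["error"] is not None:
                ev["system.auth.sudo.error"] = s["error"]
    return ev


def failed_logins_by_ip(lines: List[str]) -> Dict[str, int]:
    """Count Failed and Invalid SSH events per client IP, a simple brute-force indicator."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_auth_line(line)
        if ev and ev.get("system.auth.ssh.event") in ("Failed", "Invalid"):
            counts[str(ev["system.auth.ssh.ip"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for sample in SAMPLE_AUTH_LOG:
        print(parse_auth_line(sample))
    print(failed_logins_by_ip(SAMPLE_AUTH_LOG))
```

Note that a dropped connection sets only system.auth.ssh.dropped_ip and no event, so it does not count toward the failed-login tally; a sudo denial is recorded in system.auth.sudo.error while the invoking account stays in system.auth.user and the requested target in system.auth.sudo.user.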

useradd Fields

Fields specific to events created by the useradd command.

system.auth.useradd.name

The user name being added.

system.auth.useradd.uid

type: long

The user ID.

system.auth.useradd.gid

type: long

The group ID.

system.auth.useradd.home

The home folder for the new user.

system.auth.useradd.shell

The default shell for the new user.

groupadd Fields

Fields specific to events created by the groupadd command.

system.auth.groupadd.name

The name of the new group.

system.auth.groupadd.gid

type: long

The ID of the new group.

syslog Fields

Contains fields from the syslog system logs.

system.syslog.timestamp

The timestamp as read from the syslog message.

system.syslog.hostname

The hostname as read from the syslog message.

system.syslog.program

The process name as read from the syslog message.

system.syslog.pid

The PID of the process that sent the syslog message.

system.syslog.message

The message in the log line.