The CloudTrail version of the log event format.

type: keyword

The type of the identity

type: keyword

The Amazon Resource Name (ARN) of the principal that made the call.

type: keyword

The access key ID that was used to sign the request.

type: keyword

The value is true if the root user or IAM user whose credentials were used for the request also was authenticated with an MFA device; otherwise, false.

type: keyword

The date and time when the temporary security credentials were issued.

type: date

The name of the AWS service that made the request, such as Amazon EC2 Auto Scaling or AWS Elastic Beanstalk.

type: keyword

The source of the temporary security credentials, such as Root, IAMUser, or Role.

type: keyword

The internal ID of the entity that was used to get credentials.

type: keyword

The ARN of the source (account, IAM user, or role) that was used to get temporary security credentials.

type: keyword

The account that owns the entity that was used to get credentials.

type: keyword

The AWS service error if the request returns an error.

type: keyword

If the request returns an error, the description of the error.

type: keyword

The parameters, if any, that were sent with the request.

type: keyword

The response element for actions that make changes (create, update, or delete actions).

type: keyword

Additional data about the event that was not part of the request or response.

type: keyword

The value that identifies the request. The service being called generates this value.

type: keyword

Identifies the type of event that generated the event record.

type: keyword

Identifies the API version associated with the AwsApiCall eventType value.

type: keyword

A Boolean value that identifies whether the event is a management event.

type: keyword

Identifies whether this operation is a read-only operation.

type: keyword

Resource ARNs

type: keyword

Account ID of the resource owner

type: keyword

Resource type identifier in the format: AWS::aws-service-name::data-type-name

type: keyword

Represents the account ID that received this event.

type: keyword

Identifies the service event, including what triggered the event and the result.

type: keyword

GUID generated by CloudTrail to uniquely identify CloudTrail events from the same AWS action that is sent to different AWS accounts.

type: keyword

Identifies the VPC endpoint in which requests were made from a VPC to another AWS service, such as Amazon S3.

type: keyword

Identifies whether ConsoleLogin was from mobile version

type: boolean

URL for ConsoleLogin

type: keyword

Identifies whether multi factor authentication was used during ConsoleLogin

type: boolean

The internet address of the requester.

type: keyword

The name of the load balancer.

type: keyword

The type of the load balancer for v2 Load Balancers.

type: keyword

The ARN of the target group handling the request.

type: keyword

The ELB listener that received the connection.

type: keyword

The protocol of the load balancer (http or tcp).

type: keyword

The total time in seconds since the connection or request is received until it is sent to a registered backend.

type: float

The total time in seconds since the connection is sent to the backend till the backend starts responding.

type: float

The total time in seconds since the response is received from the backend till it is sent to the client.

type: float

The total time of the connection in milliseconds, since it is opened till it is closed.

type: long

The total time for the TLS handshake to complete in milliseconds once the connection has been established.

type: long

The IP address of the backend processing this connection.

type: keyword

The port in the backend processing this connection.

type: keyword

The status code from the backend (status code sent to the client from ELB is stored in http.response.status_code

type: keyword

The SSL cipher used in TLS/SSL connections.

type: keyword

The SSL protocol used in TLS/SSL connections.

type: keyword

The ARN of the chosen certificate presented to the client in TLS/SSL connections.

type: keyword

The serial number of the chosen certificate presented to the client in TLS/SSL connections.

type: keyword

The integer value of TLS alerts received by the load balancer from the client, if present.

type: keyword

The TLS named group.

type: keyword

The contents of the X-Amzn-Trace-Id header.

type: keyword

The priority value of the rule that matched the request, if a rule matched.

type: keyword

The action executed when processing the request (forward, fixed-response, authenticate…​). It can contain several values.

type: keyword

The URL used if a redirection action was executed.

type: keyword

The error reason if the executed action failed.

type: keyword

The canonical user ID of the owner of the source bucket.

type: keyword

The name of the bucket that the request was processed against.

type: keyword

The apparent internet address of the requester.

type: ip

The canonical user ID of the requester, or a - for unauthenticated requests.

type: keyword

A string generated by Amazon S3 to uniquely identify each request.

type: keyword

The operation listed here is declared as SOAP.operation, REST.HTTP_method.resource_type, WEBSITE.HTTP_method.resource_type, or BATCH.DELETE.OBJECT.

type: keyword

The "key" part of the request, URL encoded, or "-" if the operation does not take a key parameter.

type: keyword

The Request-URI part of the HTTP request message.

type: keyword

The numeric HTTP status code of the response.

type: long

The Amazon S3 Error Code, or "-" if no error occurred.

type: keyword

The number of response bytes sent, excluding HTTP protocol overhead, or "-" if zero.

type: long

The total size of the object in question.

type: long

The number of milliseconds the request was in flight from the server’s perspective.

type: long

The number of milliseconds that Amazon S3 spent processing your request.

type: long

The value of the HTTP Referrer header, if present.

type: keyword

The value of the HTTP User-Agent header.

type: keyword

The version ID in the request, or "-" if the operation does not take a versionId parameter.

type: keyword

The x-amz-id-2 or Amazon S3 extended request ID.

type: keyword

The signature version, SigV2 or SigV4, that was used to authenticate the request or a - for unauthenticated requests.

type: keyword

The Secure Sockets Layer (SSL) cipher that was negotiated for HTTPS request or a - for HTTP.

type: keyword

The type of request authentication used, AuthHeader for authentication headers, QueryString for query string (pre-signed URL) or a - for unauthenticated requests.

type: keyword

The endpoint used to connect to Amazon S3.

type: keyword

The Transport Layer Security (TLS) version negotiated by the client.

type: keyword

The VPC Flow Logs version. If you use the default format, the version is 2. If you specify a custom format, the version is 3.

type: keyword

The AWS account ID for the flow log.

type: keyword

The ID of the network interface for which the traffic is recorded.

type: keyword

The action that is associated with the traffic, ACCEPT or REJECT.

type: keyword

The logging status of the flow log, OK, NODATA or SKIPDATA.

type: keyword

The ID of the instance that’s associated with network interface for which the traffic is recorded, if the instance is owned by you.

type: keyword

The packet-level (original) source IP address of the traffic.

type: ip

The packet-level (original) destination IP address for the traffic.

type: ip

The ID of the VPC that contains the network interface for which the traffic is recorded.

type: keyword

The ID of the subnet that contains the network interface for which the traffic is recorded.

type: keyword

The bitmask value for the following TCP flags: 2=SYN,18=SYN-ACK,1=FIN,4=RST

type: keyword

The type of traffic: IPv4, IPv6, or EFA.

type: keyword