System fields

Module for parsing system log files.

system fields

Fields from the system log files.

auth fields

Fields from the Linux authorization logs.

system.auth.timestamp

The timestamp as read from the auth message.

system.auth.hostname

The hostname as read from the auth message.

system.auth.program

The process name as read from the auth message.

system.auth.pid

type: long

The PID of the process that sent the auth message.

system.auth.message

type: text

The message in the log line.

system.auth.user

The Unix user that this event refers to.

ssh fields

Fields specific to SSH login events.

system.auth.ssh.event

The SSH login event. Can be one of "Accepted", "Failed", or "Invalid". "Accepted" means a successful login. "Invalid" means that the user is not configured on the system. "Failed" means that the SSH login attempt has failed.

system.auth.ssh.method

The SSH authentication method. Can be one of "password" or "publickey".

system.auth.ssh.ip

type: ip

The client IP from where the login attempt was made.

system.auth.ssh.dropped_ip

type: ip

The client IP from SSH connections that are opened and immediately dropped.

system.auth.ssh.port

type: long

The client port from where the login attempt was made.

system.auth.ssh.signature

The signature of the client public key.

geoip fields

Contains GeoIP information gathered based on the system.auth.ip field. Only present if the GeoIP Elasticsearch plugin is available and used.

system.auth.ssh.geoip.continent_name

type: keyword

The name of the continent.

system.auth.ssh.geoip.city_name

type: keyword

The name of the city.

system.auth.ssh.geoip.region_name

type: keyword

The name of the region.

system.auth.ssh.geoip.country_iso_code

type: keyword

Country ISO code.

system.auth.ssh.geoip.location

type: geo_point

The longitude and latitude.

sudo fields

Fields specific to events created by the sudo command.

system.auth.sudo.error

example: user NOT in sudoers

The error message in case the sudo command failed.

system.auth.sudo.tty

The TTY where the sudo command is executed.

system.auth.sudo.pwd

The current directory where the sudo command is executed.

system.auth.sudo.user

example: root

The target user to which the sudo command is switching.

system.auth.sudo.command

The command executed via sudo.
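As an added example (not Filebeat's own ingest pipeline or any code from this page), the following Python parser maps constructed auth.log lines onto the system.auth.ssh.* and system.auth.sudo.* fields described above and tallies Failed/Invalid SSH events per client IP. The hostnames, user names, addresses and the key fingerprint in the sample lines are made up.

```python
import re
from collections import Counter

# Syslog header shared by every auth line: timestamp, hostname, program and optional [pid].
HEADER = re.compile(r"^(?P<timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) "
                    r"(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$")
# sshd outcomes: Accepted/Failed carry the method; Invalid only names the unknown user.
SSH_LOGIN = re.compile(r"^(?P<event>Accepted|Failed) (?P<method>password|publickey) for (?:invalid user )?"
                       r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) ssh2(?:: \S+ (?P<signature>\S+))?")
SSH_INVALID = re.compile(r"^(?P<event>Invalid) user (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")
# sudo: an optional error phrase precedes the TTY/PWD/USER/COMMAND fields.
SUDO = re.compile(r"^\s*(?P<user>\S+) : (?:(?P<error>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
                  r"USER=(?P<target>\S+) ; COMMAND=(?P<command>.*)$")

def parse_auth_line(line):
    # Map one auth.log line to system.auth.* fields; None if it has no syslog header.
    m = HEADER.match(line)
    if not m:
        return None
    f = {"system.auth." + k: (int(v) if k == "pid" else v) for k, v in m.groupdict().items() if v}
    prog, msg = m.group("program"), m.group("message")
    if prog == "sshd":
        s = SSH_LOGIN.match(msg) or SSH_INVALID.match(msg)
        if s:
            d = s.groupdict()
            f["system.auth.user"] = d.pop("user")
            f.update({"system.auth.ssh." + k: (int(v) if k == "port" else v)
                      for k, v in d.items() if v is not None})
    elif prog == "sudo":
        s = SUDO.match(msg)
        if s:
            d = s.groupdict()
            f["system.auth.user"] = d.pop("user")          # who invoked sudo
            f["system.auth.sudo.user"] = d.pop("target")   # account sudo switches to
            f.update({"system.auth.sudo." + k: v for k, v in d.items() if v is not None})
    return f

def failed_logins_by_ip(lines):
    # Count Failed and Invalid SSH events per client IP: a simple brute-force indicator.
    events = [f for f in map(parse_auth_line, lines) if f]
    return Counter(f["system.auth.ssh.ip"] for f in events
                   if f.get("system.auth.ssh.event") in ("Failed", "Invalid"))

# Constructed sample lines (not from the page); hostnames, users and addresses are made up.
SAMPLE_LINES = [
    "Jan 12 10:00:01 web1 sshd[2301]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2: RSA SHA256:kq7Zt9example",
    "Jan 12 10:00:07 web1 sshd[2310]: Failed password for bob from 198.51.100.7 port 40212 ssh2",
    "Jan 12 10:00:09 web1 sshd[2311]: Invalid user admin from 198.51.100.7 port 40213",
    "Jan 12 10:01:00 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Jan 12 10:01:30 web1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/id",
]
```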

useradd fields

Fields specific to events created by the useradd command.

system.auth.useradd.name

The user name being added.

system.auth.useradd.uid

type: long

The user ID.

system.auth.useradd.gid

type: long

The group ID.

system.auth.useradd.home

The home folder for the new user.

system.auth.useradd.shell

The default shell for the new user.

groupadd fields

Fields specific to events created by the groupadd command.

system.auth.groupadd.name

The name of the new group.

system.auth.groupadd.gid

type: long

The ID of the new group.

syslog fields

Contains fields from the syslog system logs.

system.syslog.timestamp

The timestamp as read from the syslog message.

system.syslog.hostname

The hostname as read from the syslog message.

system.syslog.program

The process name as read from the syslog message.

system.syslog.pid

The PID of the process that sent the syslog message.

system.syslog.message

type: text

The message in the log line.