System fields

Module for parsing system log files.

system fields

Fields from the system log files.

auth fields

Fields from the Linux authorization logs.

system.auth.timestamp

type: alias

alias to: @timestamp

system.auth.hostname

type: alias

alias to: host.hostname

system.auth.program

type: alias

alias to: process.name

system.auth.pid

type: alias

alias to: process.pid

system.auth.message

type: alias

alias to: message

system.auth.user

type: alias

alias to: user.name

system.auth.ssh.method

The SSH authentication method. Can be one of "password" or "publickey".

system.auth.ssh.signature

The signature of the client public key.

system.auth.ssh.dropped_ip

type: ip

The client IP from SSH connections that are opened and immediately dropped.

system.auth.ssh.event

example: Accepted

The SSH event as found in the logs (Accepted, Invalid, Failed, etc.).

system.auth.ssh.ip

type: alias

alias to: source.ip

system.auth.ssh.port

type: alias

alias to: source.port

system.auth.ssh.geoip.continent_name

type: alias

alias to: source.geo.continent_name

system.auth.ssh.geoip.country_iso_code

type: alias

alias to: source.geo.country_iso_code

system.auth.ssh.geoip.location

type: alias

alias to: source.geo.location

system.auth.ssh.geoip.region_name

type: alias

alias to: source.geo.region_name

system.auth.ssh.geoip.city_name

type: alias

alias to: source.geo.city_name

system.auth.ssh.geoip.region_iso_code

type: alias

alias to: source.geo.region_iso_code

sudo fields

Fields specific to events created by the sudo command.

system.auth.sudo.error

example: user NOT in sudoers

The error message in case the sudo command failed.

system.auth.sudo.tty

The TTY where the sudo command is executed.

system.auth.sudo.pwd

The current directory where the sudo command is executed.

system.auth.sudo.user

example: root

The target user to which the sudo command is switching.

system.auth.sudo.command

The command executed via sudo.

useradd fields

Fields specific to events created by the useradd command.

system.auth.useradd.home

The home folder for the new user.

system.auth.useradd.shell

The default shell for the new user.

system.auth.useradd.name

type: alias

alias to: user.name

system.auth.useradd.uid

type: alias

alias to: user.id

system.auth.useradd.gid

type: alias

alias to: group.id

groupadd fields

Fields specific to events created by the groupadd command.

system.auth.groupadd.name

type: alias

alias to: group.name

system.auth.groupadd.gid

type: alias

alias to: group.id

syslog fields

Contains fields from the syslog system logs.

system.syslog.timestamp

type: alias

alias to: @timestamp

system.syslog.hostname

type: alias

alias to: host.hostname

system.syslog.program

type: alias

alias to: process.name

system.syslog.pid

type: alias

alias to: process.pid

system.syslog.message

type: alias

alias to: message