Common Journalbeat fieldsedit

Contains common fields available in all event types.

coredumpedit

Fields used by systemd-coredump kernel helper.

coredump.unit

Annotations of messages containing coredumps from system units.

type: keyword

coredump.user_unit

Annotations of messages containing coredumps from user units.

type: keyword

journaldedit

Fields provided by journald.

objectedit

Fields to log on behalf of a different program.

auditedit

Audit fields of event.

journald.object.audit.login_uid

The login UID of the object process.

type: long

example: 1000

required: False

journald.object.audit.session

The audit session of the object process.

type: long

example: 3

required: False

journald.object.cmd

The command line of the process.

type: keyword

example: /lib/systemd/systemd --user

required: False

journald.object.name

Name of the executable.

type: keyword

example: /lib/systemd/systemd

required: False

journald.object.executable

Path to the the executable.

type: keyword

example: /lib/systemd/systemd

required: False

journald.object.uid

UID of the object process.

type: long

required: False

journald.object.gid

GID of the object process.

type: long

required: False

journald.object.pid

PID of the object process.

type: long

required: False

systemdedit

Systemd fields of event.

journald.object.systemd.owner_uid

The UID of the owner.

type: long

required: False

journald.object.systemd.session

The ID of the systemd session.

type: keyword

required: False

journald.object.systemd.unit

The name of the systemd unit.

type: keyword

required: False

journald.object.systemd.user_unit

The name of the systemd user unit.

type: keyword

required: False

kerneledit

Fields to log on behalf of a different program.

journald.kernel.device

The kernel device name.

type: keyword

required: False

journald.kernel.subsystem

The kernel subsystem name.

type: keyword

required: False

journald.kernel.device_symlinks

Additional symlink names pointing to the device node in /dev.

type: keyword

required: False

journald.kernel.device_node_path

The device node path of this device in /dev.

type: keyword

required: False

journald.kernel.device_name

The kernel device name as it shows up in the device tree below /sys.

type: keyword

required: False

codeedit

Fields of the code generating the event.

journald.code.file

The name of the source file where the log is generated.

type: keyword

example: ../src/core/manager.c

required: False

journald.code.function

The name of the function which generated the log message.

type: keyword

example: job_log_status_message

required: False

journald.code.line

The line number of the code which generated the log message.

type: long

example: 123

required: False

processedit

Fields to log on behalf of a different program.

auditedit

Audit fields of event.

journald.process.audit.loginuid

The login UID of the source process.

type: long

example: 1000

required: False

journald.process.audit.session

The audit session of the source process.

type: long

example: 3

required: False

journald.process.cmd

The command line of the process.

type: keyword

example: /lib/systemd/systemd --user

required: False

journald.process.name

Name of the executable.

type: keyword

example: /lib/systemd/systemd

required: False

journald.process.executable

Path to the the executable.

type: keyword

example: /lib/systemd/systemd

required: False

journald.process.pid

The ID of the process which logged the message.

type: long

example: 1

required: False

journald.process.gid

The ID of the group which runs the process.

type: long

example: 1

required: False

journald.process.uid

The ID of the user which runs the process.

type: long

example: 1

required: False

journald.process.capabilites

The effective capabilites of the process.

required: False

systemdedit

Fields of systemd.

systemd.invocation_id

The invocation ID for the runtime cycle of the unit the message was generated in.

type: keyword

example: 8450f1672de646c88cd133aadd4f2d70

required: False

systemd.cgroup

The control group path in the systemd hierarchy.

type: keyword

example: /user.slice/user-1234.slice/session-2.scope

required: False

systemd.owner_uid

The owner UID of the systemd user unit or systemd session.

type: long

required: False

systemd.session

The ID of the systemd session.

type: keyword

required: False

systemd.slice

The systemd slice unit.

type: keyword

example: user-1234.slice

required: False

systemd.user_slice

The systemd user slice unit.

type: keyword

required: False

systemd.unit

The name of the systemd unit.

type: keyword

example: nginx.service

required: False

systemd.user_unit

The name of the systemd user unit.

type: keyword

example: user-1234.slice

required: False

systemd.transport

How the log message was received by journald.

type: keyword

example: syslog

required: True

hostedit

Fields of the host.

host.boot_id

The boot ID for the boot the log was generated in.

type: keyword

example: dd8c974asdf01dbe2ef26d7fasdf264c9

required: False

syslogedit

Fields of the code generating the event.

syslog.priority

The priority of the message. A syslog compatibility field.

type: long

example: 1

required: False

syslog.facility

The facility of the message. A syslog compatibility field.

type: long

example: 1

required: False

syslog.identifier

The identifier of the message. A syslog compatibility field.

type: keyword

example: su

required: False

custom

Arbitrary fields coming from processes.

type: nested

required: False

read_timestamp

type: alias

alias to: event.created

container.log.tag

User defined tag of a container.

type: keyword