Common Journalbeat fields
Contains common fields available in all event types.
coredump
Fields used by systemd-coredump kernel helper.
-
coredump.unit -
Annotations of messages containing coredumps from system units.
type: keyword
-
coredump.user_unit -
Annotations of messages containing coredumps from user units.
type: keyword
journald
Fields provided by journald.
object
Fields to log on behalf of a different program.
audit
Audit fields of event.
-
journald.object.audit.login_uid -
The login UID of the object process.
type: long
example: 1000
required: False
-
journald.object.audit.session -
The audit session of the object process.
type: long
example: 3
required: False
-
journald.object.process.command_line -
The command line of the process.
type: keyword
example: /lib/systemd/systemd --user
required: False
-
journald.object.process.name -
Name of the executable.
type: keyword
example: /lib/systemd/systemd
required: False
-
journald.object.process.executable -
Path to the executable.
type: keyword
example: /lib/systemd/systemd
required: False
-
journald.object.uid -
UID of the object process.
type: long
required: False
-
journald.object.gid -
GID of the object process.
type: long
required: False
-
journald.object.pid -
PID of the object process.
type: long
required: False
systemd
Systemd fields of event.
-
journald.object.systemd.owner_uid -
The UID of the owner.
type: long
required: False
-
journald.object.systemd.session -
The ID of the systemd session.
type: keyword
required: False
-
journald.object.systemd.unit -
The name of the systemd unit.
type: keyword
required: False
-
journald.object.systemd.user_unit -
The name of the systemd user unit.
type: keyword
required: False
kernel
Fields to log on behalf of a different program.
-
journald.kernel.device -
The kernel device name.
type: keyword
required: False
-
journald.kernel.subsystem -
The kernel subsystem name.
type: keyword
required: False
-
journald.kernel.device_symlinks -
Additional symlink names pointing to the device node in /dev.
type: keyword
required: False
-
journald.kernel.device_node_path -
The device node path of this device in /dev.
type: keyword
required: False
-
journald.kernel.device_name -
The kernel device name as it shows up in the device tree below /sys.
type: keyword
required: False
code
Fields of the code generating the event.
-
journald.code.file -
The name of the source file where the log is generated.
type: keyword
example: ../src/core/manager.c
required: False
-
journald.code.function -
The name of the function which generated the log message.
type: keyword
example: job_log_status_message
required: False
-
journald.code.line -
The line number of the code which generated the log message.
type: long
example: 123
required: False
process
Fields to log on behalf of a different program.
audit
Audit fields of event.
-
journald.process.audit.loginuid -
The login UID of the source process.
type: long
example: 1000
required: False
-
journald.process.audit.session -
The audit session of the source process.
type: long
example: 3
required: False
-
journald.process.command_line -
The command line of the process.
type: keyword
example: /lib/systemd/systemd --user
required: False
-
journald.process.name -
Name of the executable.
type: keyword
example: /lib/systemd/systemd
required: False
-
journald.process.executable -
Path to the executable.
type: keyword
example: /lib/systemd/systemd
required: False
-
journald.process.pid -
The ID of the process which logged the message.
type: long
example: 1
required: False
-
journald.process.gid -
The ID of the group which runs the process.
type: long
example: 1
required: False
-
journald.process.uid -
The ID of the user which runs the process.
type: long
example: 1
required: False
-
journald.process.capabilites -
The effective capabilities of the process.
required: False
systemd
Fields of systemd.
-
systemd.invocation_id -
The invocation ID for the runtime cycle of the unit the message was generated in.
type: keyword
example: 8450f1672de646c88cd133aadd4f2d70
required: False
-
systemd.cgroup -
The control group path in the systemd hierarchy.
type: keyword
example: /user.slice/user-1234.slice/session-2.scope
required: False
-
systemd.owner_uid -
The owner UID of the systemd user unit or systemd session.
type: long
required: False
-
systemd.session -
The ID of the systemd session.
type: keyword
required: False
-
systemd.slice -
The systemd slice unit.
type: keyword
example: user-1234.slice
required: False
-
systemd.user_slice -
The systemd user slice unit.
type: keyword
required: False
-
systemd.unit -
The name of the systemd unit.
type: keyword
example: nginx.service
required: False
-
systemd.user_unit -
The name of the systemd user unit.
type: keyword
example: user-1234.slice
required: False
-
systemd.transport -
How the log message was received by journald.
type: keyword
example: syslog
required: True
host
Fields of the host.
-
host.boot_id -
The boot ID for the boot the log was generated in.
type: keyword
example: dd8c974asdf01dbe2ef26d7fasdf264c9
required: False
syslog
Fields of the code generating the event.
-
syslog.priority -
The priority of the message. A syslog compatibility field.
type: long
example: 1
required: False
-
syslog.facility -
The facility of the message. A syslog compatibility field.
type: long
example: 1
required: False
-
syslog.identifier -
The identifier of the message. A syslog compatibility field.
type: keyword
example: su
required: False
-
custom -
Arbitrary fields coming from processes.
type: nested
required: False
-
read_timestamp -
type: alias
alias to: event.created
-
container.log.tag -
User defined tag of a container.
type: keyword