WARNING: Version 5.4 of Filebeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
System Fields
Module for parsing system log files.
system Fields
Fields from the system log files.
auth Fields
Fields from the Linux authorization logs.
system.auth.timestamp
The timestamp as read from the auth message.
system.auth.hostname
The hostname as read from the auth message.
system.auth.program
The process name as read from the auth message.
system.auth.pid
type: long
The PID of the process that sent the auth message.
system.auth.message
The message in the log line.
system.auth.user
The Unix user that this event refers to.
ssh Fields
Fields specific to SSH login events.
system.auth.ssh.event
The SSH login event. Can be one of "Accepted", "Failed", or "Invalid". "Accepted" means a successful login. "Invalid" means that the user is not configured on the system. "Failed" means that the SSH login attempt failed for a user that does exist.
system.auth.ssh.method
The SSH authentication method. Can be one of "password" or "publickey".
system.auth.ssh.ip
type: ip
The client IP from where the login attempt was made.
system.auth.ssh.dropped_ip
type: ip
The client IP from SSH connections that are opened and immediately dropped (for example, a client that never sends its identification string).
system.auth.ssh.port
type: long
The client port from where the login attempt was made.
system.auth.ssh.signature
The signature of the client public key (for example, the key type followed by its fingerprint, as printed by sshd).
geoip Fields
Contains GeoIP information gathered based on the system.auth.ssh.ip field. Only present if the GeoIP Elasticsearch plugin is available and used.
system.auth.ssh.geoip.continent_name
type: keyword
The name of the continent.
system.auth.ssh.geoip.city_name
type: keyword
The name of the city.
system.auth.ssh.geoip.region_name
type: keyword
The name of the region.
system.auth.ssh.geoip.country_iso_code
type: keyword
Country ISO code.
system.auth.ssh.geoip.location
type: geo_point
The longitude and latitude.
sudo Fields
Fields specific to events created by the sudo command.
system.auth.sudo.error
example: user NOT in sudoers
The error message in case the sudo command failed.
system.auth.sudo.tty
The TTY where the sudo command is executed.
system.auth.sudo.pwd
The current directory where the sudo command is executed.
system.auth.sudo.user
example: root
The target user to which the sudo command is switching.
system.auth.sudo.command
The command executed via sudo.
useradd Fields
Fields specific to events created by the useradd command.
system.auth.useradd.name
The user name being added.
system.auth.useradd.uid
type: long
The user ID.
system.auth.useradd.gid
type: long
The group ID.
system.auth.useradd.home
The home folder for the new user.
system.auth.useradd.shell
The default shell for the new user.
groupadd Fields
Fields specific to events created by the groupadd command.
system.auth.groupadd.name
The name of the new group.
system.auth.groupadd.gid
type: long
The ID of the new group.
syslog Fields
Contains fields from the syslog system logs.
system.syslog.timestamp
The timestamp as read from the syslog message.
system.syslog.hostname
The hostname as read from the syslog message.
system.syslog.program
The process name as read from the syslog message.
system.syslog.pid
The PID of the process that sent the syslog message.
system.syslog.message
The message in the log line.