IIS fields

Module for parsing IIS log files.

iis fields

Fields from IIS log files.

access fields

Contains fields for IIS access logs.

- iis.access.server_ip
  type: keyword
  The server IP address.
- iis.access.method
  type: keyword
  example: GET
  The request HTTP method.
- iis.access.url
  type: keyword
  The request HTTP URL.
- iis.access.query_string
  type: keyword
  The request query string, if any.
- iis.access.port
  type: long
  The request port number.
- iis.access.user_name
  type: keyword
  The user name used when basic authentication is used.
- iis.access.remote_ip
  type: keyword
  The client IP address.
- iis.access.referrer
  type: keyword
  The HTTP referrer.
- iis.access.response_code
  type: long
  The HTTP response code.
- iis.access.sub_status
  type: long
  The HTTP substatus code.
- iis.access.win32_status
  type: long
  The Windows status code.
- iis.access.request_time_ms
  type: long
  The request time in milliseconds.
- iis.access.site_name
  type: keyword
  The site name and instance number.
- iis.access.server_name
  type: keyword
  The name of the server on which the log file entry was generated.
- iis.access.http_version
  type: keyword
  The HTTP version.
- iis.access.cookie
  type: keyword
  The content of the cookie sent or received, if any.
- iis.access.hostname
  type: keyword
  The host header name, if any.
- iis.access.body_sent.bytes
  type: long
  format: bytes
  The number of bytes of the server response body.
- iis.access.body_received.bytes
  type: long
  format: bytes
  The number of bytes of the server request body.
- iis.access.agent
  type: text
  Contains the un-parsed user agent string. Only present if the user agent Elasticsearch plugin is not available or not used.
user_agent fields

Contains the parsed user agent field. Only present if the user agent Elasticsearch plugin is available and used.

- iis.access.user_agent.device
  type: keyword
  The name of the physical device.
- iis.access.user_agent.major
  type: long
  The major version of the user agent.
- iis.access.user_agent.minor
  type: long
  The minor version of the user agent.
- iis.access.user_agent.patch
  type: keyword
  The patch version of the user agent.
- iis.access.user_agent.name
  type: keyword
  example: Chrome
  The name of the user agent.
- iis.access.user_agent.os
  type: keyword
  The name of the operating system.
- iis.access.user_agent.os_major
  type: long
  The major version of the operating system.
- iis.access.user_agent.os_minor
  type: long
  The minor version of the operating system.
- iis.access.user_agent.os_name
  type: keyword
  The name of the operating system.
- iis.access.user_agent.original
  type: text
  Original user agent value before parsing by ingest-user-agent plugin.
  Field is not indexed.
geoip fields

Contains GeoIP information gathered based on the remote_ip field. Only present if the GeoIP Elasticsearch plugin is available and used.

- iis.access.geoip.continent_name
  type: keyword
  The name of the continent.
- iis.access.geoip.country_iso_code
  type: keyword
  Country ISO code.
- iis.access.geoip.location
  type: geo_point
  The longitude and latitude.
- iis.access.geoip.region_name
  type: keyword
  The region name.
- iis.access.geoip.city_name
  type: keyword
  The city name.
- iis.access.geoip.region_iso_code
  type: keyword
  Region ISO code.
error fields

Contains fields for IIS error logs.

- iis.error.remote_ip
  type: keyword
  The client IP address.
- iis.error.remote_port
  type: long
  The client port number.
- iis.error.server_ip
  type: keyword
  The server IP address.
- iis.error.server_port
  type: long
  The server port number.
- iis.error.http_version
  type: keyword
  The HTTP version.
- iis.error.method
  type: keyword
  example: GET
  The request HTTP method.
- iis.error.url
  type: keyword
  The request HTTP URL.
- iis.error.response_code
  type: long
  The HTTP response code.
- iis.error.reason_phrase
  type: keyword
  The HTTP reason phrase.
- iis.error.queue_name
  type: keyword
  The IIS application pool name.
geoip fields

Contains GeoIP information gathered based on the remote_ip field. Only present if the GeoIP Elasticsearch plugin is available and used.

- iis.error.geoip.continent_name
  type: keyword
  The name of the continent.
- iis.error.geoip.country_iso_code
  type: keyword
  Country ISO code.
- iis.error.geoip.location
  type: geo_point
  The longitude and latitude.
- iis.error.geoip.region_name
  type: keyword
  The region name.
- iis.error.geoip.city_name
  type: keyword
  The city name.
- iis.error.geoip.region_iso_code
  type: keyword
  Region ISO code.