- Filebeat Reference: other versions:
- Overview
- Getting Started With Filebeat
- Step 1: Install Filebeat
- Step 2: Configure Filebeat
- Step 3: Configure Filebeat to use Logstash
- Step 4: Load the index template in Elasticsearch
- Step 5: Set up the Kibana dashboards
- Step 6: Start Filebeat
- Step 7: View the sample Kibana dashboards
- Quick start: modules for common log formats
- Repositories for APT and YUM
- Setting up and running Filebeat
- Upgrading Filebeat
- How Filebeat works
- Configuring Filebeat
- Specify which modules to run
- Configure inputs
- Manage multiline messages
- Specify general settings
- Load external configuration files
- Configure the internal queue
- Configure the output
- Load balance the output hosts
- Specify SSL settings
- Filter and enhance the exported data
- Parse data by using ingest node
- Set up project paths
- Set up the Kibana endpoint
- Load the Kibana dashboards
- Load the Elasticsearch index template
- Configure logging
- Use environment variables in the configuration
- Autodiscover
- YAML tips and gotchas
- Regular expression support
- HTTP Endpoint
- filebeat.reference.yml
- Beats central management
- Modules
- Exported fields
- Apache2 fields
- Auditd fields
- Beat fields
- Cloud provider metadata fields
- Docker fields
- elasticsearch fields
- haproxy fields
- Host fields
- Icinga fields
- IIS fields
- Kafka fields
- kibana fields
- Kubernetes fields
- Log file content fields
- logstash fields
- mongodb fields
- MySQL fields
- Nginx fields
- Osquery fields
- PostgreSQL fields
- Redis fields
- System fields
- Traefik fields
- Monitoring Filebeat
- Securing Filebeat
- Troubleshooting
- Migrating from Logstash Forwarder to Filebeat
- Contributing to Beats
Log file content fields
editLog file content fields
editContains log file lines.
-
source -
type: keyword
required: True
The file from which the line was read. This field contains the absolute path to the file. For example:
/var/log/system.log. -
offset -
type: long
required: False
The file offset the reported line starts at.
-
message -
type: text
required: True
The content of the line read from the log file.
-
stream -
type: keyword
required: False
Log stream when reading container logs, can be stdout or stderr
-
prospector.type -
[6.3] Deprecated in 6.3.
required: True
The input type from which the event was generated. This field is set to the value specified for the
typeoption in the input section of the Filebeat config file. (DEPRECATED: seeinput.type) -
input.type -
required: True
The input type from which the event was generated. This field is set to the value specified for the
typeoption in the input section of the Filebeat config file. -
read_timestamp -
In case the ingest pipeline parses the timestamp from the log contents, it stores the original
@timestamp(representing the time when the log line was read) in this field. -
fileset.module -
The Filebeat module that generated this event.
-
fileset.name -
The Filebeat fileset that generated this event.
-
syslog.facility -
type: long
required: False
The facility extracted from the priority.
-
syslog.priority -
type: long
required: False
The priority of the syslog event.
-
syslog.severity_label -
type: keyword
required: False
The human readable severity.
-
syslog.facility_label -
type: keyword
required: False
The human readable facility.
-
process.program -
type: keyword
required: False
The name of the program.
-
process.pid -
type: long
required: False
The pid of the process.
-
event.severity -
type: long
required: False
The severity of the event.
-
service.name -
type: keyword
Service name.
-
log.level -
type: keyword
Logging level.
-
log.flags -
This field contains the flags of the event.
-
event.created -
type: date
event.created contains the date on which the event was created. In case of log events this is when the log line was read by Filebeat. In comparison @timestamp is the processed timestamp from the log line. If both are identical only @timestamp should be used.
-
event.type -
type: keyword
A type given to this kind of event which can be used for grouping.
-
http.response.status_code -
type: long
example: 404
HTTP response status_code.
-
http.response.elapsed_time -
type: long
Elapsed time between request and response in milli seconds.
-
http.response.content_length -
type: long
Content length of the HTTP response body.
-
http.request.method -
type: keyword
Request method.
-
source_ecs.ip -
type: ip
IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.
-
source_ecs.port -
type: long
Port of the source.
geo fields
editGeolocation for source.
-
source_ecs.geo.continent_name -
type: keyword
Name of the continent.
-
source_ecs.geo.country_iso_code -
type: keyword
Country ISO code.
-
source_ecs.geo.location -
type: geo_point
Longitude and latitude.
-
source_ecs.geo.region_name -
type: keyword
Region name.
-
source_ecs.geo.city_name -
type: keyword
City name.
-
source_ecs.geo.region_iso_code -
type: keyword
Region ISO code.
-
destination.ip -
type: ip
IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.
-
destination.port -
type: long
Port of the destination.
geo fields
editGeolocation for destination.
-
destination.geo.continent_name -
type: keyword
Name of the continent.
-
destination.geo.country_iso_code -
type: keyword
Country ISO code.
-
destination.geo.location -
type: geo_point
Longitude and latitude.
-
destination.geo.region_name -
type: keyword
Region name.
-
destination.geo.city_name -
type: keyword
City name.
-
destination.geo.region_iso_code -
type: keyword
Region ISO code.
user_agent fields
editThe user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.
-
user_agent.original -
type: keyword
Unparsed version of the user_agent.
-
user_agent.device -
type: keyword
Name of the physical device.
-
user_agent.version -
type: keyword
Version of the physical device.
-
user_agent.major -
type: long
Major version of the user agent.
-
user_agent.minor -
type: long
Minor version of the user agent.
-
user_agent.patch -
type: keyword
Patch version of the user agent.
-
user_agent.name -
type: keyword
example: Chrome
Name of the user agent.
-
user_agent.os.name -
type: keyword
Name of the operating system.
-
user_agent.os.full_name -
type: keyword
Full name of the operating system (includes version).
-
user_agent.os.version -
type: keyword
Version of the operating system.
-
user_agent.os.major -
type: long
Major version of the operating system.
-
user_agent.os.minor -
type: long
Minor version of the operating system.
url fields
editURL fields provide a complete URL, with scheme, host, and path. The URL object can be reused in other prefixes, such as host.url.* for example. Keep the structure consistent whenever you use URL fields.
-
url.hostname -
type: keyword
Hostname of the request, such as "elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the
hostnamefield.
file fields
editFile fields provide details about each file.
-
file.path -
type: keyword
Path to the file.
-
file.size -
type: long
File size in bytes (field is only added when
typeisfile).