System fields

Stack

Module for parsing system log files.

system

Fields from the system log files.

auth

Fields from the Linux authorization logs.

system.auth.timestamp

type: alias

alias to: @timestamp

system.auth.hostname

type: alias

alias to: host.hostname

system.auth.program

type: alias

alias to: process.name

system.auth.pid

type: alias

alias to: process.pid

system.auth.message

type: alias

alias to: message

system.auth.user

type: alias

alias to: user.name

system.auth.ssh.method

The SSH authentication method. Can be one of "password" or "publickey".

system.auth.ssh.signature

The signature of the client public key.

system.auth.ssh.dropped_ip

The client IP from SSH connections that are open and immediately dropped.

type: ip

system.auth.ssh.event

The SSH event as found in the logs (Accepted, Invalid, Failed, etc.)

example: Accepted

system.auth.ssh.ip

type: alias

alias to: source.ip

system.auth.ssh.port

type: alias

alias to: source.port

system.auth.ssh.geoip.continent_name

type: alias

alias to: source.geo.continent_name

system.auth.ssh.geoip.country_iso_code

type: alias

alias to: source.geo.country_iso_code

system.auth.ssh.geoip.location

type: alias

alias to: source.geo.location

system.auth.ssh.geoip.region_name

type: alias

alias to: source.geo.region_name

system.auth.ssh.geoip.city_name

type: alias

alias to: source.geo.city_name

system.auth.ssh.geoip.region_iso_code

type: alias

alias to: source.geo.region_iso_code

sudo

Fields specific to events created by the sudo command.

system.auth.sudo.error

The error message in case the sudo command failed.

example: user NOT in sudoers

system.auth.sudo.tty

The TTY where the sudo command is executed.

system.auth.sudo.pwd

The current directory where the sudo command is executed.

system.auth.sudo.user

The target user to which the sudo command is switching.

example: root

system.auth.sudo.command

The command executed via sudo.

useradd

Fields specific to events created by the useradd command.

system.auth.useradd.home

The home folder for the new user.

system.auth.useradd.shell

The default shell for the new user.

system.auth.useradd.name

type: alias

alias to: user.name

system.auth.useradd.uid

type: alias

alias to: user.id

system.auth.useradd.gid

type: alias

alias to: group.id

groupadd

Fields specific to events created by the groupadd command.

system.auth.groupadd.name

type: alias

alias to: group.name

system.auth.groupadd.gid

type: alias

alias to: group.id

syslog

Contains fields from the syslog system logs.

system.syslog.timestamp

type: alias

alias to: @timestamp

system.syslog.hostname

type: alias

alias to: host.hostname

system.syslog.program

type: alias

alias to: process.name

system.syslog.pid

type: alias

alias to: process.pid

system.syslog.message

type: alias

alias to: message