System login dataset

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

This is the login dataset of the system module.
Implementation

The login dataset is implemented for Linux only.
On Linux, the dataset reads the utmp files that keep track of logins and logouts to the system. They are usually located at /var/log/wtmp (successful logins) and /var/log/btmp (failed logins).
The file patterns used to locate the files can be configured using login.wtmp_file_pattern and login.btmp_file_pattern. By default, both the current files and any rotated files (e.g. wtmp.1, wtmp.2) are read.
utmp files are binary, but you can display their contents using the utmpdump utility.
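As an added example (not Auditbeat's own code), the following Python parser decodes the binary utmp record format that wtmp and btmp use and emits events shaped like the dataset's document. It assumes the 384-byte glibc layout used on 64-bit Linux, derives event.outcome from the file name as described above (wtmp: success, btmp: failure), and the user_logout action name for logout records is this example's own choice; the sample records are constructed, not captured.

```python
"""Parse Linux utmp/wtmp/btmp records into login events (added example)."""
import ipaddress
import struct
from datetime import datetime, timezone

# glibc struct utmp on 64-bit Linux: ut_type, 2 pad bytes, ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit (2 shorts), ut_session,
# ut_tv (tv_sec, tv_usec as int32), ut_addr_v6[16 bytes], 20 unused bytes = 384 bytes.
UTMP_STRUCT = struct.Struct("<hxxi32s4s32s256shhiii16s20x")
RECORD_SIZE = UTMP_STRUCT.size  # 384
USER_PROCESS, DEAD_PROCESS = 7, 8  # ut_type values from <utmp.h>


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width char array."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data: bytes, origin: str):
    """Yield one event dict per login/logout record; other record types are skipped."""
    if len(data) % RECORD_SIZE:
        raise ValueError(f"{origin}: {len(data)} bytes is not a multiple of {RECORD_SIZE}")
    outcome = "failure" if "btmp" in origin else "success"  # wtmp = success, btmp = failed
    for (ut_type, pid, line, _id, user, _host, _term, _exit, _sess,
         tv_sec, tv_usec, addr) in UTMP_STRUCT.iter_unpack(data):
        if ut_type not in (USER_PROCESS, DEAD_PROCESS):
            continue  # boot, runlevel and accounting records are not logins
        ip = None
        if any(addr):
            # ut_addr_v6 holds an IPv4 address in its first 4 bytes, or a full IPv6 address
            ip = str(ipaddress.ip_address(addr[:4] if not any(addr[4:]) else addr))
        ts = datetime.fromtimestamp(tv_sec, timezone.utc)
        yield {
            "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{tv_usec // 1000:03d}Z",
            "event": {"action": "user_login" if ut_type == USER_PROCESS else "user_logout",
                      "dataset": "login", "module": "system",
                      "origin": origin, "outcome": outcome},
            "process": {"pid": pid},
            "source": {"ip": ip},
            "user": {"name": _cstr(user), "terminal": _cstr(line)},
        }


def make_record(ut_type, pid, line, user, host, tv_sec, tv_usec=0, ip="") -> bytes:
    """Build a constructed utmp record for testing (not a real wtmp capture)."""
    addr = ipaddress.ip_address(ip).packed.ljust(16, b"\0") if ip else b"\0" * 16
    return UTMP_STRUCT.pack(ut_type, pid, line.encode(), b"ts/1", user.encode(),
                            host.encode(), 0, 0, 0, tv_sec, tv_usec, addr)
```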
Example dashboard

The dataset comes with a sample dashboard.
Fields

For a description of each field in the dataset, see the exported fields section.

Here is an example document generated by this dataset:

    {
      "@timestamp": "2017-10-12T08:05:34.853Z",
      "agent": {
        "hostname": "host.example.com",
        "name": "host.example.com"
      },
      "event": {
        "action": "user_login",
        "dataset": "login",
        "kind": "event",
        "module": "system",
        "origin": "/var/log/wtmp.1",
        "outcome": "success"
      },
      "message": "Login by user vagrant (UID: 1000) on pts/1 (PID: 17559) from 10.0.2.2 (IP: 10.0.2.2)",
      "process": {
        "pid": 17559
      },
      "service": {
        "type": "system"
      },
      "source": {
        "ip": "10.0.2.2"
      },
      "user": {
        "id": 1000,
        "name": "vagrant",
        "terminal": "pts/1"
      }
    }