Threat intelligence Filebeat Module.
- threat.indicator.file.hash.tlsh (keyword): The file’s import tlsh, if available.
- threat.indicator.file.hash.sha384 (keyword): The file’s sha384 hash, if available.
- threat.feed.name (keyword)
- threat.feed.dashboard_id (keyword)
Fields for AbuseCH Malware Threat Intel
- abusech.malware.file_type (keyword): File type guessed by URLhaus.
- abusech.malware.signature (keyword): Malware family.
- abusech.malware.urlhaus_download (keyword): Location (URL) where you can download a copy of this file.
- abusech.malware.virustotal.result (keyword): AV detection ratio.
- abusech.malware.virustotal.percent (float): AV detection in percent.
- abusech.malware.virustotal.link (keyword): Link to the VirusTotal report.
Fields for AbuseCH URL Threat Intel
- abusech.url.id (keyword): The ID of the URL.
- abusech.url.urlhaus_reference (keyword): Link to URLhaus entry.
- abusech.url.url_status (keyword): The current status of the URL. Possible values are: online, offline and unknown.
- abusech.url.threat (keyword): The threat corresponding to this malware URL.
- abusech.url.blacklists.surbl (keyword): SURBL blacklist status. Possible values are: listed and not_listed.
- abusech.url.blacklists.spamhaus_dbl (keyword): Spamhaus DBL blacklist status.
- abusech.url.reporter (keyword): The Twitter handle of the reporter that has reported this malware URL (or anonymous).
- abusech.url.larted (boolean): Indicates whether the malware URL has been reported to the hosting provider (true or false).
- abusech.url.tags (keyword): A list of tags associated with the queried malware URL.
Fields for Anomali Threat Intel
- anomali.limo.id (keyword): The ID of the indicator.
- anomali.limo.name (keyword): The name of the indicator.
- anomali.limo.pattern (keyword): The pattern ID of the indicator.
- anomali.limo.valid_from (date): When the indicator was first found or is considered valid.
- anomali.limo.modified (date): When the indicator was last modified.
- anomali.limo.labels (keyword): The labels related to the indicator.
- anomali.limo.indicator (keyword): The value of the indicator, for example if the type is domain, this would be the value.
- anomali.limo.description (keyword): A description of the indicator.
- anomali.limo.title (keyword): Title describing the indicator.
- anomali.limo.content (keyword): Extra text or descriptive content related to the indicator.
- anomali.limo.type (keyword): The indicator type, can for example be "domain, email, FileHash-SHA256".
- anomali.limo.object_marking_refs (keyword): The STIX reference object.
Fields for Anomali ThreatStream
- anomali.threatstream.classification (keyword, example: private): Indicates whether an indicator is private or from a public feed and available publicly. Possible values: private, public.
- anomali.threatstream.confidence (short): The measure of the accuracy (from 0 to 100) assigned by ThreatStream’s predictive analytics technology to indicators.
- anomali.threatstream.detail2 (text, example: Imported by user 42.): Detail text for indicator.
- anomali.threatstream.id (keyword): The ID of the indicator.
- anomali.threatstream.import_session_id (keyword): ID of the import session that created the indicator on ThreatStream.
- anomali.threatstream.itype (keyword): Indicator type. Possible values: "apt_domain", "apt_email", "apt_ip", "apt_url", "bot_ip", "c2_domain", "c2_ip", "c2_url", "i2p_ip", "mal_domain", "mal_email", "mal_ip", "mal_md5", "mal_url", "parked_ip", "phish_email", "phish_ip", "phish_url", "scan_ip", "spam_domain", "ssh_ip", "suspicious_domain", "tor_ip" and "torrent_tracker_url".
- anomali.threatstream.maltype (wildcard): Information regarding a malware family, a CVE ID, or another attack or threat, associated with the indicator.
- anomali.threatstream.md5 (keyword): Hash for the indicator.
- anomali.threatstream.resource_uri (keyword): Relative URI for the indicator details.
- anomali.threatstream.severity (keyword): Criticality associated with the threat feed that supplied the indicator. Possible values: low, medium, high, very-high.
- anomali.threatstream.source (keyword, example: Analyst): Source for the indicator.
- anomali.threatstream.source_feed_id (keyword): ID for the integrator source.
- anomali.threatstream.state (keyword, example: active): State for this indicator.
- anomali.threatstream.trusted_circle_ids (keyword): ID of the trusted circle that imported the indicator.
- anomali.threatstream.update_id (keyword): Update ID.
- anomali.threatstream.url (keyword): URL for the indicator.
- anomali.threatstream.value_type (keyword): Data type of the indicator. Possible values: ip, domain, url, email, md5.
Fields for Malware Bazaar Threat Intel
- abusech.malwarebazaar.file_type (keyword): File type guessed by Malware Bazaar.
- abusech.malwarebazaar.signature (keyword): Malware family.
- abusech.malwarebazaar.tags (keyword): A list of tags associated with the queried malware sample.
- abusech.malwarebazaar.intelligence.downloads (long): Number of downloads from MalwareBazaar.
- abusech.malwarebazaar.intelligence.uploads (long): Number of uploads from MalwareBazaar.
- abusech.malwarebazaar.intelligence.mail.Generic (keyword): Malware seen in generic spam traffic.
- abusech.malwarebazaar.intelligence.mail.IT (keyword): Malware seen in IT spam traffic.
- abusech.malwarebazaar.anonymous (long): Identifies if the sample was submitted anonymously.
- abusech.malwarebazaar.code_sign (nested): Code signing information for the sample.
Fields for MISP Threat Intel
- misp.id (keyword): Attribute ID.
- misp.orgc_id (keyword): Organization Community ID of the event.
- misp.org_id (keyword): Organization ID of the event.
- misp.threat_level_id (long): Threat level from 5 to 1, where 1 is the most critical.
- misp.info (keyword): Additional text or information related to the event.
- misp.published (boolean): When the event was published.
- misp.uuid (keyword): The UUID of the event object.
- misp.date (date): The date of when the event object was created.
- misp.attribute_count (long): How many attributes are included in a single event object.
- misp.timestamp (date): The timestamp of when the event object was created.
- misp.distribution (keyword): Distribution type related to MISP.
- misp.proposal_email_lock (boolean): Settings configured on MISP for email lock on this event object.
- misp.locked (boolean): If the current MISP event object is locked or not.
- misp.publish_timestamp (date): At what time the event object was published.
- misp.sharing_group_id (keyword): The ID of the grouped events or sources of the event.
- misp.disable_correlation (boolean): If correlation is disabled on the MISP event object.
- misp.extends_uuid (keyword): The UUID of the event object it might extend.
- misp.org.id (keyword): The organization ID related to the event object.
- misp.org.name (keyword): The organization name related to the event object.
- misp.org.uuid (keyword): The UUID of the organization related to the event object.
- misp.org.local (boolean): If the event object is local or from a remote source.
- misp.orgc.id (keyword): The Organization Community ID from which the event object was reported.
- misp.orgc.name (keyword): The Organization Community name from which the event object was reported.
- misp.orgc.uuid (keyword): The Organization Community UUID from which the event object was reported.
- misp.orgc.local (boolean): If the Organization Community was local or synced from a remote source.
- misp.attribute.id (keyword): The ID of the attribute related to the event object.
- misp.attribute.type (keyword): The type of the attribute related to the event object. For example email, ipv4, sha1 and such.
- misp.attribute.category (keyword): The category of the attribute related to the event object. For example "Network Activity".
- misp.attribute.to_ids (boolean): If the attribute should be automatically synced with an IDS.
- misp.attribute.uuid (keyword): The UUID of the attribute related to the event.
- misp.attribute.event_id (keyword): The local event ID of the attribute related to the event.
- misp.attribute.distribution (long): How the attribute has been distributed, represented by integer numbers.
- misp.attribute.timestamp (date): The timestamp in which the attribute was attached to the event object.
- misp.attribute.comment (keyword): Comments made to the attribute itself.
- misp.attribute.sharing_group_id (keyword): The group ID of the sharing group related to the specific attribute.
- misp.attribute.deleted (boolean): If the attribute has been removed from the event object.
- misp.attribute.disable_correlation (boolean): If correlation has been enabled on the attribute related to the event object.
- misp.attribute.object_id (keyword): The ID of the Object in which the attribute is attached.
- misp.attribute.object_relation (keyword): The type of relation the attribute has with the event object itself.
- misp.attribute.value (keyword): The value of the attribute, depending on the type like "url, sha1, email-src".
- misp.context.attribute.id (keyword): The ID of the secondary attribute related to the event object.
- misp.context.attribute.type (keyword): The type of the secondary attribute related to the event object. For example email, ipv4, sha1 and such.
- misp.context.attribute.category (keyword): The category of the secondary attribute related to the event object. For example "Network Activity".
- misp.context.attribute.to_ids (boolean): If the secondary attribute should be automatically synced with an IDS.
- misp.context.attribute.uuid (keyword): The UUID of the secondary attribute related to the event.
- misp.context.attribute.event_id (keyword): The local event ID of the secondary attribute related to the event.
- misp.context.attribute.distribution (long): How the secondary attribute has been distributed, represented by integer numbers.
- misp.context.attribute.timestamp (date): The timestamp in which the secondary attribute was attached to the event object.
- misp.context.attribute.comment (keyword): Comments made to the secondary attribute itself.
- misp.context.attribute.sharing_group_id (keyword): The group ID of the sharing group related to the specific secondary attribute.
- misp.context.attribute.deleted (boolean): If the secondary attribute has been removed from the event object.
- misp.context.attribute.disable_correlation (boolean): If correlation has been enabled on the secondary attribute related to the event object.
- misp.context.attribute.object_id (keyword): The ID of the Object in which the secondary attribute is attached.
- misp.context.attribute.object_relation (keyword): The type of relation the secondary attribute has with the event object itself.
- misp.context.attribute.value (keyword): The value of the attribute, depending on the type like "url, sha1, email-src".
Fields for OTX Threat Intel
- otx.id (keyword): The ID of the indicator.
- otx.indicator (keyword): The value of the indicator, for example if the type is domain, this would be the value.
- otx.description (keyword): A description of the indicator.
- otx.title (keyword): Title describing the indicator.
- otx.content (keyword): Extra text or descriptive content related to the indicator.
- otx.type (keyword): The indicator type, can for example be "domain, email, FileHash-SHA256".
Fields for ThreatQ Threat Library
- threatq.updated_at (date): Last modification time.
- threatq.created_at (date): Object creation time.
- threatq.expires_at (date): Expiration time.
- threatq.expires_calculated_at (date): Expiration calculation time.
- threatq.published_at (date): Object publication time.
- threatq.status (keyword): Object status within the Threat Library.
- threatq.indicator_value (keyword): Original indicator value.
- threatq.adversaries (keyword): Adversaries that are linked to the object.
- threatq.attributes (flattened): These provide additional context about an object.