Common Journalbeat fields

Contains common fields available in all event types.

read_timestamp

The time when Journalbeat read the journal entry.

coredump fields

Fields used by the systemd-coredump kernel helper.

coredump.unit

type: keyword

Annotations of messages containing coredumps from system units.

coredump.user_unit

type: keyword

Annotations of messages containing coredumps from user units.

journald fields

Fields provided by journald.

object fields

Fields to log on behalf of a different program.

audit fields

Audit fields of the event.

journald.object.audit.login_uid

type: long

example: 1000

required: False

The login UID of the object process.

journald.object.audit.session

type: long

example: 3

required: False

The audit session of the object process.

journald.object.cmd

type: keyword

example: /lib/systemd/systemd --user

required: False

The command line of the process.

journald.object.name

type: keyword

example: /lib/systemd/systemd

required: False

Name of the executable.

journald.object.executable

type: keyword

example: /lib/systemd/systemd

required: False

Path to the executable.

journald.object.uid

type: long

required: False

UID of the object process.

journald.object.gid

type: long

required: False

GID of the object process.

journald.object.pid

type: long

required: False

PID of the object process.

systemd fields

Systemd fields of the event.

journald.object.systemd.owner_uid

type: long

required: False

The UID of the owner.

journald.object.systemd.session

type: keyword

required: False

The ID of the systemd session.

journald.object.systemd.unit

type: keyword

required: False

The name of the systemd unit.

journald.object.systemd.user_unit

type: keyword

required: False

The name of the systemd user unit.

kernel fields

Fields to log on behalf of a different program.

journald.kernel.device

type: keyword

required: False

The kernel device name.

journald.kernel.subsystem

type: keyword

required: False

The kernel subsystem name.

journald.kernel.device_symlinks

type: text

required: False

Additional symlink names pointing to the device node in /dev.

journald.kernel.device_node_path

type: text

required: False

The device node path of this device in /dev.

journald.kernel.device_name

type: text

required: False

The kernel device name as it shows up in the device tree below /sys.

code fields

Fields of the code generating the event.

journald.code.file

type: text

example: ../src/core/manager.c

required: False

The name of the source file where the log is generated.

journald.code.function

type: text

example: job_log_status_message

required: False

The name of the function which generated the log message.

journald.code.line

type: long

example: 123

required: False

The line number of the code which generated the log message.

process fields

Fields to log on behalf of a different program.

audit fields

Audit fields of the event.

journald.process.audit.loginuid

type: long

example: 1000

required: False

The login UID of the source process.

journald.process.audit.session

type: long

example: 3

required: False

The audit session of the source process.

journald.process.cmd

type: keyword

example: /lib/systemd/systemd --user

required: False

The command line of the process.

journald.process.name

type: keyword

example: /lib/systemd/systemd

required: False

Name of the executable.

journald.process.executable

type: keyword

example: /lib/systemd/systemd

required: False

Path to the executable.

journald.process.pid

type: long

example: 1

required: False

The ID of the process which logged the message.

journald.process.gid

type: long

example: 1

required: False

The ID of the group which runs the process.

journald.process.uid

type: long

example: 1

required: False

The ID of the user which runs the process.

journald.process.capabilites

required: False

The effective capabilities of the process.

systemd fields

Fields of systemd.

systemd.invocation_id

type: keyword

example: 8450f1672de646c88cd133aadd4f2d70

required: False

The invocation ID for the runtime cycle of the unit the message was generated in.

systemd.cgroup

type: keyword

example: /user.slice/user-1234.slice/session-2.scope

required: False

The control group path in the systemd hierarchy.

systemd.owner_uid

type: long

required: False

The owner UID of the systemd user unit or systemd session.

systemd.session

type: keyword

required: False

The ID of the systemd session.

systemd.slice

type: keyword

example: user-1234.slice

required: False

The systemd slice unit.

systemd.user_slice

type: keyword

required: False

The systemd user slice unit.

systemd.unit

type: keyword

example: nginx.service

required: False

The name of the systemd unit.

systemd.user_unit

type: keyword

example: user-1234.slice

required: False

The name of the systemd user unit.

systemd.transport

type: keyword

example: syslog

required: True

How the log message was received by journald.

host fields

Fields of the host.

host.boot_id

type: text

example: dd8c974asdf01dbe2ef26d7fasdf264c9

required: False

The boot ID for the boot the log was generated in.

syslog fields

Fields of the code generating the event.

syslog.priority

type: long

example: 1

required: False

The priority of the message. A syslog compatibility field.

syslog.facility

type: long

example: 1

required: False

The facility of the message. A syslog compatibility field.

syslog.identifier

type: text

example: su

required: False

The identifier of the message. A syslog compatibility field.

message

type: text

required: True

The logged message.

custom

type: nested

required: False

Arbitrary fields coming from processes.