Log Fields


Details about the event’s logging mechanism or logging transport.

The log.* fields are typically populated with details about the logging mechanism used to create and/or transport the event. For example, syslog details belong under log.syslog.*.

The details specific to your event source are typically not logged under log.*, but rather in event.* or in other ECS fields.

Log Field Details

Each entry below gives the field's description, its type and an example value.


Original log level of the log event.

If the source of the event provides a log level or textual severity, that value goes in log.level. If your source doesn’t specify one, you may put your event transport’s severity here (e.g. the Syslog severity).

Some examples are warn, err, i, informational.

type: keyword

example: error



The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.

type: keyword

example: org.elasticsearch.bootstrap.Bootstrap



The line number of the file containing the source code which originated the log event.

type: integer

example: 42



The name of the file containing the source code which originated the log event. Note that this is not the name of the log file.

type: keyword

example: Bootstrap.java



The name of the function or method which originated the log event.

type: keyword

example: init



This is the original log message and contains the full log message before it is split into multiple parts.

In contrast to the message field, which can contain an extracted part of the log message, this field contains the original, full log message. It may already have had some modifications applied, such as encoding changes or newlines removed to clean up the log message.

This field is not indexed and doc_values are disabled, so it can’t be searched or aggregated on, but the value can be retrieved from _source (for example, to display the raw line during an investigation).

type: keyword

example: Sep 19 08:26:10 localhost My log



The Syslog metadata of the event, if the event was transmitted via Syslog. See RFC 5424 or RFC 3164.

type: object



The Syslog numeric facility of the log event, if available.

According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.

type: long

example: 23



The Syslog text-based facility of the log event, if available.

type: keyword

example: local7



Syslog numeric priority of the event, if available.

According to RFCs 5424 and 3164, the priority is 8 * facility + severity (so facility = priority / 8, rounded down, and severity = priority mod 8). With facility in 0..23 and severity in 0..7, this number is therefore expected to contain a value between 0 and 191.

type: long

example: 135



The Syslog numeric severity of the log event, if available.

If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source’s numeric severity should go to event.severity. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to event.severity.

type: long

example: 3



The Syslog text-based severity of the log event, if available.

If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source’s text severity should go to log.level. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to log.level.

type: keyword

example: Error
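The rules above (keep the full line in the original-message field, decode the Syslog priority into facility and severity, and let the source’s own level and numeric severity win over the transport’s values for log.level and event.severity) can be exercised in a few lines. The following is an added example written for this page, not code from ECS or from any Elastic product. It assumes the dotted ECS field names log.original, log.syslog.priority, log.syslog.facility.code/name, log.syslog.severity.code/name and error.message, uses the conventional short facility names that most syslog daemons print (RFC 5424 only describes facilities in prose), and feeds itself constructed sample lines rather than captured traffic. It also shows the failure mode a real receiver must handle: a PRI outside 0..191 from a buggy or hostile sender is recorded under error.message instead of being decoded or crashing the pipeline.

```python
import re
from typing import Optional

# Conventional short names for RFC 5424 facility codes 0..23 (assumed here;
# RFC 5424 gives prose descriptions, these are the keywords syslogd/rsyslog use).
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]

# RFC 5424 severity codes 0..7.
SEVERITY_NAMES = [
    "Emergency", "Alert", "Critical", "Error",
    "Warning", "Notice", "Informational", "Debug",
]

# <PRI> header: one to three decimal digits in angle brackets at line start.
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(pri: int) -> dict:
    """Split a syslog PRI into the log.syslog.* fields.

    PRI = 8 * facility + severity, so facility is PRI // 8 and severity is
    PRI % 8. Valid PRIs are 0..191 (facility 0..23, severity 0..7).
    """
    if not 0 <= pri <= 191:
        raise ValueError(f"syslog PRI {pri} outside 0..191")
    facility, severity = divmod(pri, 8)
    return {
        "log.syslog.priority": pri,
        "log.syslog.facility.code": facility,
        "log.syslog.facility.name": FACILITY_NAMES[facility],
        "log.syslog.severity.code": severity,
        "log.syslog.severity.name": SEVERITY_NAMES[severity],
    }


def syslog_to_ecs(raw: str, source_level: Optional[str] = None,
                  source_severity: Optional[int] = None) -> dict:
    """Map one received syslog line onto flat (dotted) ECS field names.

    source_level / source_severity are the level and numeric severity the
    originating application reported in its own format (e.g. a firewall or
    IDS), if any. They take precedence for log.level and event.severity; the
    transport's own values are always kept under log.syslog.*.
    """
    doc = {"log.original": raw}          # untouched full line, before any splitting
    m = PRI_RE.match(raw)
    if m is None:
        # No <PRI> header: not syslog-framed, so no log.syslog.* metadata.
        doc["message"] = raw
        if source_level is not None:
            doc["log.level"] = source_level
        if source_severity is not None:
            doc["event.severity"] = source_severity
        return doc

    doc["message"] = raw[m.end():]       # the extracted part after the PRI header
    try:
        doc.update(decode_pri(int(m.group(1))))
    except ValueError as exc:
        # Malformed PRI: keep the raw line and record the problem rather than
        # guessing a facility/severity or dropping the event.
        doc["error.message"] = str(exc)
        return doc

    # log.level: the source's own textual level if it has one, otherwise the
    # transport severity name (lowercased, matching the "error" example above).
    if source_level is not None:
        doc["log.level"] = source_level
    else:
        doc["log.level"] = doc["log.syslog.severity.name"].lower()
    # event.severity: the source's own numeric severity if it has one,
    # otherwise a copy of the syslog severity code.
    if source_severity is not None:
        doc["event.severity"] = source_severity
    else:
        doc["event.severity"] = doc["log.syslog.severity.code"]
    return doc


if __name__ == "__main__":
    # Constructed sample lines, not captured from a real host.
    for line in ("<187>Sep 19 08:26:10 localhost My log",   # 23*8+3: local7 / Error
                 "<200>Sep 19 08:26:11 localhost bad PRI",  # facility 25: invalid
                 "plain line with no PRI header"):
        print(syslog_to_ecs(line))
```

Running the block prints one flat document per constructed line: the first decodes to facility 23 (local7) and severity 3 (Error) with log.level "error" and event.severity 3; the second keeps only log.original, message and error.message; the third carries no log.syslog.* fields at all. Passing source_level and source_severity for a source that reports its own severity leaves the log.syslog.* values untouched while log.level and event.severity reflect the source.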
