use-cases/filebeat-apache-access.yml

title: Filebeat Apache
name: filebeat-apache-access
description:
  ECS fields used in Filebeat for the apache module.
fields:
- name: base
  fields:
    - name: id
      type: keyword
      description: >
        Unique id to describe the event.
      example: 8a4f500d
    - name: "@timestamp"
      type: date
      example: "2016-05-23T08:05:34.853Z"
      description: >
        Timestamp of the log line after processing.
    - name: message
      type: date
      example: "Hello World"
      description: >
        Log message of the event

- name: event
  fields:
    - name: module
      type: keyword
      description: >
        Currently fileset.module
      example: apache
    - name: dataset
      type: keyword
      example: access
      description: >
        Currenly fileset.name

- name: source
  fields:
    - name: ip
      type: ip
      description: >
        Source ip of the request. Currently apache.access.remote_ip
      example: 192.168.1.1

- name: user
  fields:
    - name: name
      type: keyword
      description: >
        User name in the request. Currently apache.access.user_name
      example: ruflin

# TODO (@ruflin 2018-05-01): These fields are not in ECS. Needs decision or removal.
#
#- name: http
#  fields:
#    - name: method
#      type: keyword
#      description: >
#        Http method, currently apache.access.method
#      example: GET
#    - name: url
#      type: keyword
#      description: >
#        Http url, currently apache.access.url
#      example: "http://elastic.co/"
#    - name: version
#      type: keyword
#      description: >
#        Http version, currently apache.access.http_version
#      example: 1.1
#    - name: response.code
#      type: keyword
#      description: >
#        Http response code, currently apache.access.response_code
#      example: 404
#    - name: response.body_sent.bytes
#      type: long
#      description: >
#        Http response body bytes sent, currently apache.access.body_sent.bytes
#      example: 117
#    - name: referer
#      type: keyword
#      description: >
#        Http referrer code, currently apache.access.referrer
#
#        NOTE: In the RFC its misspell as referer and has become accepted standard
#      example: http://elastic.co/

- name: user_agent
  title: User Agent
  description: >
    User agent fields as in schema. Currently under apache.access.user_agent.*
  fields:
    - name: raw
      type: text
      description: >
        Raw user agent. Currently apache.access.agent
      example: http://elastic.co/

- name: geoip
  title: Geoip
  description: >
    User agent fields as in schema. Currently under apache.access.geoip.*

    These are extracted from source.ip

    Should they be under source.geoip?
  fields:
    - name: ...
      type: text
      description: >
        All geoip fields.