From 22f106b1bcb8e272838de7d880aaf3c891c684d8 Mon Sep 17 00:00:00 2001 From: DeDe Morton Date: Fri, 21 Jun 2019 13:39:16 -0700 Subject: [PATCH] [DOCS] [7.2] Backport 12242 7.2 (#12631) * [Docs] Reformat exported fields documentation (#12242) * [Docs] Remove extraneous section levels from field docs * Clean up headings to make content easier to scan * Move description and run make update * Rebase and run make update * Removed old commented out section from script * Rebase and run make update * Rebase and run make update * Fix code formatting and run make update * Fixing python script formatting to make pep8 linter happy * [Docs] Run make update --- auditbeat/docs/fields.asciidoc | 2788 +++--- filebeat/docs/fields.asciidoc | 3390 +++---- heartbeat/_meta/fields.common.yml | 1 + heartbeat/docs/fields.asciidoc | 1598 ++-- heartbeat/include/fields.go | 2 +- journalbeat/docs/fields.asciidoc | 1706 ++-- libbeat/scripts/generate_fields_docs.py | 29 +- metricbeat/docs/fields.asciidoc | 10128 ++++++++++----------- packetbeat/docs/fields.asciidoc | 2816 +++--- winlogbeat/docs/fields.asciidoc | 1542 ++-- x-pack/functionbeat/docs/fields.asciidoc | 1412 +-- 11 files changed, 12713 insertions(+), 12699 deletions(-) diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc index 64df49def76..9d35cdbf0b5 100644 --- a/auditbeat/docs/fields.asciidoc +++ b/auditbeat/docs/fields.asciidoc @@ -115,7 +115,7 @@ alias to: user.filesystem.group.id -- [float] -== name_map fields +=== name_map If `resolve_ids` is set to true in the configuration then `name_map` will contain a mapping of uid field names to the resolved name (e.g. auid -> root). @@ -203,7 +203,7 @@ alias to: user.filesystem.group.name -- [float] -== selinux fields +=== selinux The SELinux identity of the actor. 
@@ -211,52 +211,52 @@ The SELinux identity of the actor. *`user.selinux.user`*:: + -- -type: keyword - account submitted for authentication +type: keyword + -- *`user.selinux.role`*:: + -- -type: keyword - user's SELinux role +type: keyword + -- *`user.selinux.domain`*:: + -- -type: keyword - The actor's SELinux domain or type. +type: keyword + -- *`user.selinux.level`*:: + -- +The actor's SELinux level. + type: keyword example: s0 -The actor's SELinux level. - -- *`user.selinux.category`*:: + -- -type: keyword - The actor's SELinux category or compartments. +type: keyword + -- [float] -== process fields +=== process Process attributes. @@ -264,16 +264,16 @@ Process attributes. *`process.cwd`*:: + -- +The current working directory. + type: alias alias to: process.working_directory -The current working directory. - -- [float] -== source fields +=== source Source that triggered the event. @@ -281,14 +281,14 @@ Source that triggered the event. *`source.path`*:: + -- -type: keyword - This is the path associated with a unix socket. +type: keyword + -- [float] -== destination fields +=== destination Destination address that triggered the event. 
@@ -296,59 +296,59 @@ Destination address that triggered the event. *`destination.path`*:: + -- -type: keyword - This is the path associated with a unix socket. +type: keyword + -- *`auditd.message_type`*:: + -- -type: keyword +The audit message type (e.g. syscall or apparmor_denied). -example: syscall -The audit message type (e.g. syscall or apparmor_denied). +type: keyword +example: syscall -- *`auditd.sequence`*:: + -- -type: long - The sequence number of the event as assigned by the kernel. Sequence numbers are stored as a uint32 in the kernel and can rollover. +type: long + -- *`auditd.session`*:: + -- -type: keyword - The session ID assigned to a login. All events related to a login session will have the same value. +type: keyword + -- *`auditd.result`*:: + -- +The result of the audited operation (success/fail). + type: keyword example: success or fail -The result of the audited operation (success/fail). - -- [float] -== actor fields +=== actor The actor is the user that triggered the audit event. @@ -356,24 +356,24 @@ The actor is the user that triggered the audit event. *`auditd.summary.actor.primary`*:: + -- -type: keyword - The primary identity of the actor. This is the actor's original login ID. It will not change even if the user changes to another account. +type: keyword + -- *`auditd.summary.actor.secondary`*:: + -- -type: keyword - The secondary identity of the actor. This is typically the same as the primary, except for when the user has used `su`. +type: keyword + -- [float] -== object fields +=== object This is the thing or object being acted upon in the event. 
@@ -382,43 +382,43 @@ This is the thing or object being acted upon in the event. *`auditd.summary.object.type`*:: + -- -type: keyword - A description of the what the "thing" is (e.g. file, socket, user-session). +type: keyword + -- *`auditd.summary.object.primary`*:: + -- -type: keyword +type: keyword -- *`auditd.summary.object.secondary`*:: + -- -type: keyword +type: keyword -- *`auditd.summary.how`*:: + -- -type: keyword - This describes how the action was performed. Usually this is the exe or command that was being executed that triggered the event. +type: keyword + -- [float] -== paths fields +=== paths List of paths associated with the event. @@ -426,131 +426,131 @@ List of paths associated with the event. *`auditd.paths.inode`*:: + -- -type: keyword - inode number +type: keyword + -- *`auditd.paths.dev`*:: + -- -type: keyword - device name as found in /dev +type: keyword + -- *`auditd.paths.obj_user`*:: + -- -type: keyword +type: keyword -- *`auditd.paths.obj_role`*:: + -- -type: keyword +type: keyword -- *`auditd.paths.obj_domain`*:: + -- -type: keyword +type: keyword -- *`auditd.paths.obj_level`*:: + -- -type: keyword +type: keyword -- *`auditd.paths.objtype`*:: + -- -type: keyword +type: keyword -- *`auditd.paths.ouid`*:: + -- -type: keyword - file owner user ID +type: keyword + -- *`auditd.paths.rdev`*:: + -- -type: keyword - the device identifier (special files only) +type: keyword + -- *`auditd.paths.nametype`*:: + -- -type: keyword - kind of file operation being referenced +type: keyword + -- *`auditd.paths.ogid`*:: + -- -type: keyword - file owner group ID +type: keyword + -- *`auditd.paths.item`*:: + -- -type: keyword - which item is being recorded +type: keyword + -- *`auditd.paths.mode`*:: + -- -type: keyword - mode flags on a file +type: keyword + -- *`auditd.paths.name`*:: + -- -type: keyword - file name in avcs +type: keyword + -- [float] -== data fields +=== data The data from the audit messages. 
@@ -558,1841 +558,1841 @@ The data from the audit messages. *`auditd.data.action`*:: + -- -type: keyword - netfilter packet disposition +type: keyword + -- *`auditd.data.minor`*:: + -- -type: keyword - device minor number +type: keyword + -- *`auditd.data.acct`*:: + -- -type: keyword - a user's account name +type: keyword + -- *`auditd.data.addr`*:: + -- -type: keyword - the remote address that the user is connecting from +type: keyword + -- *`auditd.data.cipher`*:: + -- -type: keyword - name of crypto cipher selected +type: keyword + -- *`auditd.data.id`*:: + -- -type: keyword - during account changes +type: keyword + -- *`auditd.data.entries`*:: + -- -type: keyword - number of entries in the netfilter table +type: keyword + -- *`auditd.data.kind`*:: + -- -type: keyword - server or client in crypto operation +type: keyword + -- *`auditd.data.ksize`*:: + -- -type: keyword - key size for crypto operation +type: keyword + -- *`auditd.data.spid`*:: + -- -type: keyword - sent process ID +type: keyword + -- *`auditd.data.arch`*:: + -- -type: keyword - the elf architecture flags +type: keyword + -- *`auditd.data.argc`*:: + -- -type: keyword - the number of arguments to an execve syscall +type: keyword + -- *`auditd.data.major`*:: + -- -type: keyword - device major number +type: keyword + -- *`auditd.data.unit`*:: + -- -type: keyword - systemd unit +type: keyword + -- *`auditd.data.table`*:: + -- -type: keyword - netfilter table name +type: keyword + -- *`auditd.data.terminal`*:: + -- -type: keyword - terminal name the user is running programs on +type: keyword + -- *`auditd.data.grantors`*:: + -- -type: keyword - pam modules approving the action +type: keyword + -- *`auditd.data.direction`*:: + -- -type: keyword - direction of crypto operation +type: keyword + -- *`auditd.data.op`*:: + -- -type: keyword - the operation being performed that is audited +type: keyword + -- *`auditd.data.tty`*:: + -- -type: keyword - tty udevice the user is running programs on +type: keyword 
+ -- *`auditd.data.syscall`*:: + -- -type: keyword - syscall number in effect when the event occurred +type: keyword + -- *`auditd.data.data`*:: + -- -type: keyword - TTY text +type: keyword + -- *`auditd.data.family`*:: + -- -type: keyword - netfilter protocol +type: keyword + -- *`auditd.data.mac`*:: + -- -type: keyword - crypto MAC algorithm selected +type: keyword + -- *`auditd.data.pfs`*:: + -- -type: keyword - perfect forward secrecy method +type: keyword + -- *`auditd.data.items`*:: + -- -type: keyword - the number of path records in the event +type: keyword + -- *`auditd.data.a0`*:: + -- -type: keyword +type: keyword -- *`auditd.data.a1`*:: + -- -type: keyword +type: keyword -- *`auditd.data.a2`*:: + -- -type: keyword +type: keyword -- *`auditd.data.a3`*:: + -- -type: keyword +type: keyword -- *`auditd.data.hostname`*:: + -- -type: keyword - the hostname that the user is connecting from +type: keyword + -- *`auditd.data.lport`*:: + -- -type: keyword - local network port +type: keyword + -- *`auditd.data.rport`*:: + -- -type: keyword - remote port number +type: keyword + -- *`auditd.data.exit`*:: + -- -type: keyword - syscall exit code +type: keyword + -- *`auditd.data.fp`*:: + -- -type: keyword - crypto key finger print +type: keyword + -- *`auditd.data.laddr`*:: + -- -type: keyword - local network address +type: keyword + -- *`auditd.data.sport`*:: + -- -type: keyword - local port number +type: keyword + -- *`auditd.data.capability`*:: + -- -type: keyword - posix capabilities +type: keyword + -- *`auditd.data.nargs`*:: + -- -type: keyword - the number of arguments to a socket call +type: keyword + -- *`auditd.data.new-enabled`*:: + -- -type: keyword - new TTY audit enabled setting +type: keyword + -- *`auditd.data.audit_backlog_limit`*:: + -- -type: keyword - audit system's backlog queue size +type: keyword + -- *`auditd.data.dir`*:: + -- -type: keyword - directory name +type: keyword + -- *`auditd.data.cap_pe`*:: + -- -type: keyword - process effective 
capability map +type: keyword + -- *`auditd.data.model`*:: + -- -type: keyword - security model being used for virt +type: keyword + -- *`auditd.data.new_pp`*:: + -- -type: keyword - new process permitted capability map +type: keyword + -- *`auditd.data.old-enabled`*:: + -- -type: keyword - present TTY audit enabled setting +type: keyword + -- *`auditd.data.oauid`*:: + -- -type: keyword - object's login user ID +type: keyword + -- *`auditd.data.old`*:: + -- -type: keyword - old value +type: keyword + -- *`auditd.data.banners`*:: + -- -type: keyword - banners used on printed page +type: keyword + -- *`auditd.data.feature`*:: + -- -type: keyword - kernel feature being changed +type: keyword + -- *`auditd.data.vm-ctx`*:: + -- -type: keyword - the vm's context string +type: keyword + -- *`auditd.data.opid`*:: + -- -type: keyword - object's process ID +type: keyword + -- *`auditd.data.seperms`*:: + -- -type: keyword - SELinux permissions being used +type: keyword + -- *`auditd.data.seresult`*:: + -- -type: keyword - SELinux AVC decision granted/denied +type: keyword + -- *`auditd.data.new-rng`*:: + -- -type: keyword - device name of rng being added from a vm +type: keyword + -- *`auditd.data.old-net`*:: + -- -type: keyword - present MAC address assigned to vm +type: keyword + -- *`auditd.data.sigev_signo`*:: + -- -type: keyword - signal number +type: keyword + -- *`auditd.data.ino`*:: + -- -type: keyword - inode number +type: keyword + -- *`auditd.data.old_enforcing`*:: + -- -type: keyword - old MAC enforcement status +type: keyword + -- *`auditd.data.old-vcpu`*:: + -- -type: keyword - present number of CPU cores +type: keyword + -- *`auditd.data.range`*:: + -- -type: keyword - user's SE Linux range +type: keyword + -- *`auditd.data.res`*:: + -- -type: keyword - result of the audited operation(success/fail) +type: keyword + -- *`auditd.data.added`*:: + -- -type: keyword - number of new files detected +type: keyword + -- *`auditd.data.fam`*:: + -- -type: keyword - socket 
address family +type: keyword + -- *`auditd.data.nlnk-pid`*:: + -- -type: keyword - pid of netlink packet sender +type: keyword + -- *`auditd.data.subj`*:: + -- -type: keyword - lspp subject's context string +type: keyword + -- *`auditd.data.a[0-3]`*:: + -- -type: keyword - the arguments to a syscall +type: keyword + -- *`auditd.data.cgroup`*:: + -- -type: keyword - path to cgroup in sysfs +type: keyword + -- *`auditd.data.kernel`*:: + -- -type: keyword - kernel's version number +type: keyword + -- *`auditd.data.ocomm`*:: + -- -type: keyword - object's command line name +type: keyword + -- *`auditd.data.new-net`*:: + -- -type: keyword - MAC address being assigned to vm +type: keyword + -- *`auditd.data.permissive`*:: + -- -type: keyword - SELinux is in permissive mode +type: keyword + -- *`auditd.data.class`*:: + -- -type: keyword - resource class assigned to vm +type: keyword + -- *`auditd.data.compat`*:: + -- -type: keyword - is_compat_task result +type: keyword + -- *`auditd.data.fi`*:: + -- -type: keyword - file assigned inherited capability map +type: keyword + -- *`auditd.data.changed`*:: + -- -type: keyword - number of changed files +type: keyword + -- *`auditd.data.msg`*:: + -- -type: keyword - the payload of the audit record +type: keyword + -- *`auditd.data.dport`*:: + -- -type: keyword - remote port number +type: keyword + -- *`auditd.data.new-seuser`*:: + -- -type: keyword - new SELinux user +type: keyword + -- *`auditd.data.invalid_context`*:: + -- -type: keyword - SELinux context +type: keyword + -- *`auditd.data.dmac`*:: + -- -type: keyword - remote MAC address +type: keyword + -- *`auditd.data.ipx-net`*:: + -- -type: keyword - IPX network number +type: keyword + -- *`auditd.data.iuid`*:: + -- -type: keyword - ipc object's user ID +type: keyword + -- *`auditd.data.macproto`*:: + -- -type: keyword - ethernet packet type ID field +type: keyword + -- *`auditd.data.obj`*:: + -- -type: keyword - lspp object context string +type: keyword + -- 
*`auditd.data.ipid`*:: + -- -type: keyword - IP datagram fragment identifier +type: keyword + -- *`auditd.data.new-fs`*:: + -- -type: keyword - file system being added to vm +type: keyword + -- *`auditd.data.vm-pid`*:: + -- -type: keyword - vm's process ID +type: keyword + -- *`auditd.data.cap_pi`*:: + -- -type: keyword - process inherited capability map +type: keyword + -- *`auditd.data.old-auid`*:: + -- -type: keyword - previous auid value +type: keyword + -- *`auditd.data.oses`*:: + -- -type: keyword - object's session ID +type: keyword + -- *`auditd.data.fd`*:: + -- -type: keyword - file descriptor number +type: keyword + -- *`auditd.data.igid`*:: + -- -type: keyword - ipc object's group ID +type: keyword + -- *`auditd.data.new-disk`*:: + -- -type: keyword - disk being added to vm +type: keyword + -- *`auditd.data.parent`*:: + -- -type: keyword - the inode number of the parent file +type: keyword + -- *`auditd.data.len`*:: + -- -type: keyword - length +type: keyword + -- *`auditd.data.oflag`*:: + -- -type: keyword - open syscall flags +type: keyword + -- *`auditd.data.uuid`*:: + -- -type: keyword - a UUID +type: keyword + -- *`auditd.data.code`*:: + -- -type: keyword - seccomp action code +type: keyword + -- *`auditd.data.nlnk-grp`*:: + -- -type: keyword - netlink group number +type: keyword + -- *`auditd.data.cap_fp`*:: + -- -type: keyword - file permitted capability map +type: keyword + -- *`auditd.data.new-mem`*:: + -- -type: keyword - new amount of memory in KB +type: keyword + -- *`auditd.data.seperm`*:: + -- -type: keyword - SELinux permission being decided on +type: keyword + -- *`auditd.data.enforcing`*:: + -- -type: keyword - new MAC enforcement status +type: keyword + -- *`auditd.data.new-chardev`*:: + -- -type: keyword - new character device being assigned to vm +type: keyword + -- *`auditd.data.old-rng`*:: + -- -type: keyword - device name of rng being removed from a vm +type: keyword + -- *`auditd.data.outif`*:: + -- -type: keyword - out interface 
number +type: keyword + -- *`auditd.data.cmd`*:: + -- -type: keyword - command being executed +type: keyword + -- *`auditd.data.hook`*:: + -- -type: keyword - netfilter hook that packet came from +type: keyword + -- *`auditd.data.new-level`*:: + -- -type: keyword - new run level +type: keyword + -- *`auditd.data.sauid`*:: + -- -type: keyword - sent login user ID +type: keyword + -- *`auditd.data.sig`*:: + -- -type: keyword - signal number +type: keyword + -- *`auditd.data.audit_backlog_wait_time`*:: + -- -type: keyword - audit system's backlog wait time +type: keyword + -- *`auditd.data.printer`*:: + -- -type: keyword - printer name +type: keyword + -- *`auditd.data.old-mem`*:: + -- -type: keyword - present amount of memory in KB +type: keyword + -- *`auditd.data.perm`*:: + -- -type: keyword - the file permission being used +type: keyword + -- *`auditd.data.old_pi`*:: + -- -type: keyword - old process inherited capability map +type: keyword + -- *`auditd.data.state`*:: + -- -type: keyword - audit daemon configuration resulting state +type: keyword + -- *`auditd.data.format`*:: + -- -type: keyword - audit log's format +type: keyword + -- *`auditd.data.new_gid`*:: + -- -type: keyword - new group ID being assigned +type: keyword + -- *`auditd.data.tcontext`*:: + -- -type: keyword - the target's or object's context string +type: keyword + -- *`auditd.data.maj`*:: + -- -type: keyword - device major number +type: keyword + -- *`auditd.data.watch`*:: + -- -type: keyword - file name in a watch record +type: keyword + -- *`auditd.data.device`*:: + -- -type: keyword - device name +type: keyword + -- *`auditd.data.grp`*:: + -- -type: keyword - group name +type: keyword + -- *`auditd.data.bool`*:: + -- -type: keyword - name of SELinux boolean +type: keyword + -- *`auditd.data.icmp_type`*:: + -- -type: keyword - type of icmp message +type: keyword + -- *`auditd.data.new_lock`*:: + -- -type: keyword - new value of feature lock +type: keyword + -- *`auditd.data.old_prom`*:: + -- 
-type: keyword - network promiscuity flag +type: keyword + -- *`auditd.data.acl`*:: + -- -type: keyword - access mode of resource assigned to vm +type: keyword + -- *`auditd.data.ip`*:: + -- -type: keyword - network address of a printer +type: keyword + -- *`auditd.data.new_pi`*:: + -- -type: keyword - new process inherited capability map +type: keyword + -- *`auditd.data.default-context`*:: + -- -type: keyword - default MAC context +type: keyword + -- *`auditd.data.inode_gid`*:: + -- -type: keyword - group ID of the inode's owner +type: keyword + -- *`auditd.data.new-log_passwd`*:: + -- -type: keyword - new value for TTY password logging +type: keyword + -- *`auditd.data.new_pe`*:: + -- -type: keyword - new process effective capability map +type: keyword + -- *`auditd.data.selected-context`*:: + -- -type: keyword - new MAC context assigned to session +type: keyword + -- *`auditd.data.cap_fver`*:: + -- -type: keyword - file system capabilities version number +type: keyword + -- *`auditd.data.file`*:: + -- -type: keyword - file name +type: keyword + -- *`auditd.data.net`*:: + -- -type: keyword - network MAC address +type: keyword + -- *`auditd.data.virt`*:: + -- -type: keyword - kind of virtualization being referenced +type: keyword + -- *`auditd.data.cap_pp`*:: + -- -type: keyword - process permitted capability map +type: keyword + -- *`auditd.data.old-range`*:: + -- -type: keyword - present SELinux range +type: keyword + -- *`auditd.data.resrc`*:: + -- -type: keyword - resource being assigned +type: keyword + -- *`auditd.data.new-range`*:: + -- -type: keyword - new SELinux range +type: keyword + -- *`auditd.data.obj_gid`*:: + -- -type: keyword - group ID of object +type: keyword + -- *`auditd.data.proto`*:: + -- -type: keyword - network protocol +type: keyword + -- *`auditd.data.old-disk`*:: + -- -type: keyword - disk being removed from vm +type: keyword + -- *`auditd.data.audit_failure`*:: + -- -type: keyword - audit system's failure mode +type: keyword + -- 
*`auditd.data.inif`*:: + -- -type: keyword - in interface number +type: keyword + -- *`auditd.data.vm`*:: + -- -type: keyword - virtual machine name +type: keyword + -- *`auditd.data.flags`*:: + -- -type: keyword - mmap syscall flags +type: keyword + -- *`auditd.data.nlnk-fam`*:: + -- -type: keyword - netlink protocol number +type: keyword + -- *`auditd.data.old-fs`*:: + -- -type: keyword - file system being removed from vm +type: keyword + -- *`auditd.data.old-ses`*:: + -- -type: keyword - previous ses value +type: keyword + -- *`auditd.data.seqno`*:: + -- -type: keyword - sequence number +type: keyword + -- *`auditd.data.fver`*:: + -- -type: keyword - file system capabilities version number +type: keyword + -- *`auditd.data.qbytes`*:: + -- -type: keyword - ipc objects quantity of bytes +type: keyword + -- *`auditd.data.seuser`*:: + -- -type: keyword - user's SE Linux user acct +type: keyword + -- *`auditd.data.cap_fe`*:: + -- -type: keyword - file assigned effective capability map +type: keyword + -- *`auditd.data.new-vcpu`*:: + -- -type: keyword - new number of CPU cores +type: keyword + -- *`auditd.data.old-level`*:: + -- -type: keyword - old run level +type: keyword + -- *`auditd.data.old_pp`*:: + -- -type: keyword - old process permitted capability map +type: keyword + -- *`auditd.data.daddr`*:: + -- -type: keyword - remote IP address +type: keyword + -- *`auditd.data.old-role`*:: + -- -type: keyword - present SELinux role +type: keyword + -- *`auditd.data.ioctlcmd`*:: + -- -type: keyword - The request argument to the ioctl syscall +type: keyword + -- *`auditd.data.smac`*:: + -- -type: keyword - local MAC address +type: keyword + -- *`auditd.data.apparmor`*:: + -- -type: keyword - apparmor event information +type: keyword + -- *`auditd.data.fe`*:: + -- -type: keyword - file assigned effective capability map +type: keyword + -- *`auditd.data.perm_mask`*:: + -- -type: keyword - file permission mask that triggered a watch event +type: keyword + -- 
*`auditd.data.ses`*:: + -- -type: keyword - login session ID +type: keyword + -- *`auditd.data.cap_fi`*:: + -- -type: keyword - file inherited capability map +type: keyword + -- *`auditd.data.obj_uid`*:: + -- -type: keyword - user ID of object +type: keyword + -- *`auditd.data.reason`*:: + -- -type: keyword - text string denoting a reason for the action +type: keyword + -- *`auditd.data.list`*:: + -- -type: keyword - the audit system's filter list number +type: keyword + -- *`auditd.data.old_lock`*:: + -- -type: keyword - present value of feature lock +type: keyword + -- *`auditd.data.bus`*:: + -- -type: keyword - name of subsystem bus a vm resource belongs to +type: keyword + -- *`auditd.data.old_pe`*:: + -- -type: keyword - old process effective capability map +type: keyword + -- *`auditd.data.new-role`*:: + -- -type: keyword - new SELinux role +type: keyword + -- *`auditd.data.prom`*:: + -- -type: keyword - network promiscuity flag +type: keyword + -- *`auditd.data.uri`*:: + -- -type: keyword - URI pointing to a printer +type: keyword + -- *`auditd.data.audit_enabled`*:: + -- -type: keyword - audit systems's enable/disable status +type: keyword + -- *`auditd.data.old-log_passwd`*:: + -- -type: keyword - present value for TTY password logging +type: keyword + -- *`auditd.data.old-seuser`*:: + -- -type: keyword - present SELinux user +type: keyword + -- *`auditd.data.per`*:: + -- -type: keyword - linux personality +type: keyword + -- *`auditd.data.scontext`*:: + -- -type: keyword - the subject's context string +type: keyword + -- *`auditd.data.tclass`*:: + -- -type: keyword - target's object classification +type: keyword + -- *`auditd.data.ver`*:: + -- -type: keyword - audit daemon's version number +type: keyword + -- *`auditd.data.new`*:: + -- -type: keyword - value being set in feature +type: keyword + -- *`auditd.data.val`*:: + -- -type: keyword - generic value associated with the operation +type: keyword + -- *`auditd.data.img-ctx`*:: + -- -type: keyword - the 
vm's disk image context string +type: keyword + -- *`auditd.data.old-chardev`*:: + -- -type: keyword - present character device assigned to vm +type: keyword + -- *`auditd.data.old_val`*:: + -- -type: keyword - current value of SELinux boolean +type: keyword + -- *`auditd.data.success`*:: + -- -type: keyword - whether the syscall was successful or not +type: keyword + -- *`auditd.data.inode_uid`*:: + -- -type: keyword - user ID of the inode's owner +type: keyword + -- *`auditd.data.removed`*:: + -- -type: keyword - number of deleted files +type: keyword + -- *`auditd.data.socket.port`*:: + -- -type: keyword - The port number. +type: keyword + -- *`auditd.data.socket.saddr`*:: + -- -type: keyword - The raw socket address structure. +type: keyword + -- *`auditd.data.socket.addr`*:: + -- -type: keyword - The remote address. +type: keyword + -- *`auditd.data.socket.family`*:: + -- +The socket family (unix, ipv4, ipv6, netlink). + type: keyword example: unix -The socket family (unix, ipv4, ipv6, netlink). - -- *`auditd.data.socket.path`*:: + -- -type: keyword - This is the path associated with a unix socket. +type: keyword + -- *`auditd.messages`*:: + -- -type: alias +An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if `include_raw_message` is set in the config. -alias to: event.original -An ordered list of the raw messages received from the kernel that were used to construct this document. This field is present if an error occurred processing the data or if `include_raw_message` is set in the config. +type: alias +alias to: event.original -- *`auditd.warnings`*:: + -- -type: alias +The warnings generated by the Beat during the construction of the event. These are disabled by default and are used for development and debug purposes only. -alias to: error.message -The warnings generated by the Beat during the construction of the event. 
These are disabled by default and are used for development and debug purposes only. +type: alias +alias to: error.message -- [float] -== geoip fields +=== geoip The geoip fields are defined as a convenience in case you decide to enrich the data using a geoip filter in Logstash or Ingest Node. @@ -2401,51 +2401,51 @@ The geoip fields are defined as a convenience in case you decide to enrich the d *`geoip.continent_name`*:: + -- -type: keyword - The name of the continent. +type: keyword + -- *`geoip.city_name`*:: + -- -type: keyword - The name of the city. +type: keyword + -- *`geoip.region_name`*:: + -- -type: keyword - The name of the region. +type: keyword + -- *`geoip.country_iso_code`*:: + -- -type: keyword - Country ISO code. +type: keyword + -- *`geoip.location`*:: + -- -type: geo_point - The longitude and latitude. +type: geo_point + -- [[exported-fields-beat]] @@ -2458,10 +2458,10 @@ Contains common beat fields available in all event types. *`agent.hostname`*:: + -- -type: keyword - Hostname of the agent. +type: keyword + -- *`beat.timezone`*:: @@ -2476,15 +2476,15 @@ alias to: event.timezone *`fields`*:: + -- -type: object - Contains user configurable fields. +type: object + -- [float] -== error fields +=== error Error fields containing additional info in case of errors. @@ -2493,11 +2493,11 @@ Error fields containing additional info in case of errors. *`error.type`*:: + -- -type: keyword - Error type. +type: keyword + -- *`beat.name`*:: @@ -2521,10 +2521,10 @@ alias to: agent.hostname *`timeseries.instance`*:: + -- -type: keyword - Time series instance id +type: keyword + -- [[exported-fields-cloud]] @@ -2537,11 +2537,11 @@ Metadata from cloud providers added by the add_cloud_metadata processor. *`cloud.project.id`*:: + -- -example: project-x - Name of the project in Google Cloud. +example: project-x + -- *`meta.cloud.provider`*:: @@ -2615,7 +2615,7 @@ Contains common fields available in all event types. [float] -== file fields +=== file File attributes. 
@@ -2623,47 +2623,47 @@ File attributes. *`file.setuid`*:: + -- +Set if the file has the `setuid` bit set. Omitted otherwise. + type: boolean example: True -Set if the file has the `setuid` bit set. Omitted otherwise. - -- *`file.setgid`*:: + -- +Set if the file has the `setgid` bit set. Omitted otherwise. + type: boolean example: True -Set if the file has the `setgid` bit set. Omitted otherwise. - -- *`file.origin`*:: + -- -type: keyword - An array of strings describing a possible external origin for this file. For example, the URL it was downloaded from. Only supported in macOS, via the kMDItemWhereFroms attribute. Omitted if origin information is not available. +type: keyword + +-- + *`file.origin.raw`*:: + -- -type: keyword - This is a non-analyzed field that is useful for aggregations on the origin data. --- +type: keyword -- [float] -== selinux fields +=== selinux The SELinux identity of the file. @@ -2671,49 +2671,49 @@ The SELinux identity of the file. *`file.selinux.user`*:: + -- -type: keyword - The owner of the object. +type: keyword + -- *`file.selinux.role`*:: + -- -type: keyword - The object's SELinux role. +type: keyword + -- *`file.selinux.domain`*:: + -- -type: keyword - The object's SELinux domain or type. +type: keyword + -- *`file.selinux.level`*:: + -- +The object's SELinux level. + type: keyword example: s0 -The object's SELinux level. - -- [float] -== user fields +=== user User information. [float] -== audit fields +=== audit Audit user information. @@ -2721,23 +2721,23 @@ Audit user information. *`user.audit.id`*:: + -- -type: keyword - Audit user ID. +type: keyword + -- *`user.audit.name`*:: + -- -type: keyword - Audit user name. +type: keyword + -- [float] -== effective fields +=== effective Effective user information. 
@@ -2745,23 +2745,23 @@ Effective user information. *`user.effective.id`*:: + -- -type: keyword - Effective user ID. +type: keyword + -- *`user.effective.name`*:: + -- -type: keyword - Effective user name. +type: keyword + -- [float] -== group fields +=== group Effective group information. @@ -2769,23 +2769,23 @@ Effective group information. *`user.effective.group.id`*:: + -- -type: keyword - Effective group ID. +type: keyword + -- *`user.effective.group.name`*:: + -- -type: keyword - Effective group name. +type: keyword + -- [float] -== filesystem fields +=== filesystem Filesystem user information. @@ -2793,23 +2793,23 @@ Filesystem user information. *`user.filesystem.id`*:: + -- -type: keyword - Filesystem user ID. +type: keyword + -- *`user.filesystem.name`*:: + -- -type: keyword - Filesystem user name. +type: keyword + -- [float] -== group fields +=== group Filesystem group information. @@ -2817,23 +2817,23 @@ Filesystem group information. *`user.filesystem.group.id`*:: + -- -type: keyword - Filesystem group ID. +type: keyword + -- *`user.filesystem.group.name`*:: + -- -type: keyword - Filesystem group name. +type: keyword + -- [float] -== saved fields +=== saved Saved user information. @@ -2841,23 +2841,23 @@ Saved user information. *`user.saved.id`*:: + -- -type: keyword - Saved user ID. +type: keyword + -- *`user.saved.name`*:: + -- -type: keyword - Saved user name. +type: keyword + -- [float] -== group fields +=== group Saved group information. @@ -2865,19 +2865,19 @@ Saved group information. *`user.saved.group.id`*:: + -- -type: keyword - Saved group ID. +type: keyword + -- *`user.saved.group.name`*:: + -- -type: keyword - Saved group name. +type: keyword + -- [[exported-fields-docker-processor]] @@ -2918,11 +2918,11 @@ alias to: container.name *`docker.container.labels`*:: + -- -type: object - Image labels. +type: object + -- [[exported-fields-ecs]] 
@@ -2934,58 +2934,58 @@ ECS Fields. *`@timestamp`*:: + -- +Date/time when the event originated. +This is the date/time extracted from the event, typically representing when the event was generated by the source. +If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. +Required field for all events. + type: date example: 2016-05-23T08:05:34.853Z required: True -Date/time when the event originated. -This is the date/time extracted from the event, typically representing when the event was generated by the source. -If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. -Required field for all events. - -- *`labels`*:: + -- -type: object - -example: {'application': 'foo-bar', 'env': 'production'} - Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. +type: object + +example: {'application': 'foo-bar', 'env': 'production'} + -- *`message`*:: + -- -type: text - -example: Hello World - For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. +type: text + +example: Hello World + -- *`tags`*:: + -- +List of keywords used to tag each event. + type: keyword example: ["production", "env2"] -List of keywords used to tag each event. - -- [float] -== agent fields +=== agent The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. 
ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. 
@@ -2994,65 +2994,65 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha *`agent.ephemeral_id`*:: + -- +Ephemeral identifier of this agent (if one exists). +This id normally changes across restarts, but `agent.id` does not. + type: keyword example: 8a4f500f -Ephemeral identifier of this agent (if one exists). -This id normally changes across restarts, but `agent.id` does not. - -- *`agent.id`*:: + -- +Unique identifier of this agent (if one exists). +Example: For Beats this would be beat.id. + type: keyword example: 8a4f500d -Unique identifier of this agent (if one exists). -Example: For Beats this would be beat.id. - -- *`agent.name`*:: + -- -type: keyword - -example: foo - Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. +type: keyword + +example: foo + -- *`agent.type`*:: + -- +Type of the agent. +The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. + type: keyword example: filebeat -Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. - -- *`agent.version`*:: + -- +Version of the agent. + type: keyword example: 6.0.0-rc2 -Version of the agent. - -- [float] -== client fields +=== client A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). 
For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. 
@@ -3062,234 +3062,234 @@ Client / server representations can add semantic context to an exchange, which i *`client.address`*:: + -- -type: keyword - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`client.bytes`*:: + -- +Bytes sent from the client to the server. + type: long example: 184 format: bytes -Bytes sent from the client to the server. - -- *`client.domain`*:: + -- -type: keyword - Client domain. +type: keyword + -- *`client.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`client.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`client.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`client.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`client.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`client.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`client.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`client.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`client.ip`*:: + -- -type: ip - IP address of the client. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`client.mac`*:: + -- -type: keyword - MAC address of the client. +type: keyword + -- *`client.packets`*:: + -- +Packets sent from the client to the server. + type: long example: 12 -Packets sent from the client to the server. - -- *`client.port`*:: + -- -type: long - Port of the client. +type: long + -- *`client.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`client.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`client.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`client.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`client.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`client.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`client.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== cloud fields +=== cloud Fields related to the cloud or infrastructure the events are coming from. 
@@ -3297,81 +3297,81 @@ Fields related to the cloud or infrastructure the events are coming from. *`cloud.account.id`*:: + -- +The cloud account or organization id used to identify different entities in a multi-tenant environment. +Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + type: keyword example: 666777888999 -The cloud account or organization id used to identify different entities in a multi-tenant environment. -Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - -- *`cloud.availability_zone`*:: + -- +Availability zone in which this host is running. + type: keyword example: us-east-1c -Availability zone in which this host is running. - -- *`cloud.instance.id`*:: + -- +Instance ID of the host machine. + type: keyword example: i-1234567890abcdef0 -Instance ID of the host machine. - -- *`cloud.instance.name`*:: + -- -type: keyword - Instance name of the host machine. +type: keyword + -- *`cloud.machine.type`*:: + -- +Machine type of the host machine. + type: keyword example: t2.medium -Machine type of the host machine. - -- *`cloud.provider`*:: + -- +Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + type: keyword example: aws -Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - -- *`cloud.region`*:: + -- +Region in which this host is running. + type: keyword example: us-east-1 -Region in which this host is running. - -- [float] -== container fields +=== container Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime. 
@@ -3380,61 +3380,61 @@ These fields help correlate data based containers from any runtime. *`container.id`*:: + -- -type: keyword - Unique container id. +type: keyword + -- *`container.image.name`*:: + -- -type: keyword - Name of the image the container was built on. +type: keyword + -- *`container.image.tag`*:: + -- -type: keyword - Container image tag. +type: keyword + -- *`container.labels`*:: + -- -type: object - Image labels. +type: object + -- *`container.name`*:: + -- -type: keyword - Container name. +type: keyword + -- *`container.runtime`*:: + -- +Runtime managing this container. + type: keyword example: docker -Runtime managing this container. - -- [float] -== destination fields +=== destination Destination fields describe details about the destination of a packet/event. Destination fields are usually populated in conjunction with source fields. 
@@ -3443,234 +3443,234 @@ Destination fields are usually populated in conjunction with source fields. *`destination.address`*:: + -- -type: keyword - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`destination.bytes`*:: + -- +Bytes sent from the destination to the source. + type: long example: 184 format: bytes -Bytes sent from the destination to the source. - -- *`destination.domain`*:: + -- -type: keyword - Destination domain. +type: keyword + -- *`destination.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`destination.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`destination.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`destination.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`destination.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`destination.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`destination.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`destination.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`destination.ip`*:: + -- -type: ip - IP address of the destination. 
Can be one or multiple IPv4 or IPv6 addresses. +type: ip + -- *`destination.mac`*:: + -- -type: keyword - MAC address of the destination. +type: keyword + -- *`destination.packets`*:: + -- +Packets sent from the destination to the source. + type: long example: 12 -Packets sent from the destination to the source. - -- *`destination.port`*:: + -- -type: long - Port of the destination. +type: long + -- *`destination.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`destination.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`destination.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`destination.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`destination.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`destination.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`destination.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== ecs fields +=== ecs Meta-information specific to ECS. 
@@ -3678,19 +3678,19 @@ Meta-information specific to ECS. *`ecs.version`*:: + -- +ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. +When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + type: keyword example: 1.0.0 required: True -ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. -When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - -- [float] -== error fields +=== error These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. @@ -3699,32 +3699,32 @@ Use them for errors that happen while fetching events or in cases where the even *`error.code`*:: + -- -type: keyword - Error code describing the error. +type: keyword + -- *`error.id`*:: + -- -type: keyword - Unique identifier for the error. +type: keyword + -- *`error.message`*:: + -- -type: text - Error message. +type: text + -- [float] -== event fields +=== event The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. 
@@ -3733,203 +3733,203 @@ A log is defined as an event containing details of something that happened. Log *`event.action`*:: + -- +The action captured by the event. +This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + type: keyword example: user-password-change -The action captured by the event. -This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - -- *`event.category`*:: + -- +Event category. +This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: user-management -Event category. -This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.created`*:: + -- -type: date - event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
+type: date + -- *`event.dataset`*:: + -- +Name of the dataset. +The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. + type: keyword example: stats -Name of the dataset. -The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. - -- *`event.duration`*:: + -- +Duration of the event in nanoseconds. +If event.start and event.end are known this value should be the difference between the end and start time. + type: long format: duration -Duration of the event in nanoseconds. -If event.start and event.end are known this value should be the difference between the end and start time. - -- *`event.end`*:: + -- -type: date - event.end contains the date when the event ended or when the activity was last observed. +type: date + -- *`event.hash`*:: + -- +Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. + type: keyword example: 123456789012345678901234567890ABCD -Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. - -- *`event.id`*:: + -- +Unique ID to describe the event. + type: keyword example: 8a4f500d -Unique ID to describe the event. - -- *`event.kind`*:: + -- +The kind of the event. +This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: state -The kind of the event. -This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. 
Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.module`*:: + -- +Name of the module this data is coming from. +This information is coming from the modules used in Beats or Logstash. + type: keyword example: mysql -Name of the module this data is coming from. -This information is coming from the modules used in Beats or Logstash. - -- *`event.original`*:: + -- +Raw text message of entire event. Used to demonstrate log integrity. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. + type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 -Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. - -- *`event.outcome`*:: + -- +The outcome of the event. +If the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: success -The outcome of the event. -If the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.risk_score`*:: + -- -type: float - Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +type: float + -- *`event.risk_score_norm`*:: + -- -type: float - Normalized risk score or priority of the event, on a scale of 0 to 100. 
This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. +type: float + -- *`event.severity`*:: + -- +Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events. + type: long example: 7 -Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events. - -- *`event.start`*:: + -- -type: date - event.start contains the date when the event started or when the activity was first observed. +type: date + -- *`event.timezone`*:: + -- -type: keyword - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). +type: keyword + -- *`event.type`*:: + -- -type: keyword - Reserved for future usage. Please avoid using this field for user data. +type: keyword + -- [float] -== file fields +=== file A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. 
@@ -3938,136 +3938,136 @@ File objects can be associated with host events, network events, and/or file eve *`file.ctime`*:: + -- -type: date - Last time file metadata changed. +type: date + -- *`file.device`*:: + -- -type: keyword - Device that is the source of the file. +type: keyword + -- *`file.extension`*:: + -- +File extension. +This should allow easy filtering by file extensions. + type: keyword example: png -File extension. -This should allow easy filtering by file extensions. - -- *`file.gid`*:: + -- -type: keyword - Primary group ID (GID) of the file. +type: keyword + -- *`file.group`*:: + -- -type: keyword - Primary group name of the file. +type: keyword + -- *`file.inode`*:: + -- -type: keyword - Inode representing the file in the filesystem. +type: keyword + -- *`file.mode`*:: + -- +Mode of the file in octal representation. + type: keyword example: 416 -Mode of the file in octal representation. - -- *`file.mtime`*:: + -- -type: date - Last time file content was modified. +type: date + -- *`file.owner`*:: + -- -type: keyword - File owner's username. +type: keyword + -- *`file.path`*:: + -- -type: keyword - Path to the file. +type: keyword + -- *`file.size`*:: + -- -type: long - File size in bytes (field is only added when `type` is `file`). +type: long + -- *`file.target_path`*:: + -- -type: keyword - Target path for symlinks. +type: keyword + -- *`file.type`*:: + -- -type: keyword - File type (file, dir, or symlink). +type: keyword + -- *`file.uid`*:: + -- -type: keyword - The user ID (UID) or security identifier (SID) of the file owner. +type: keyword + -- [float] -== geo fields +=== geo Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. 
@@ -4076,95 +4076,95 @@ This geolocation information can be derived from techniques such as Geo IP, or b *`geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- [float] -== group fields +=== group The group fields are meant to represent groups that are relevant to the event. @@ -4172,23 +4172,23 @@ The group fields are meant to represent groups that are relevant to the event. *`group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- [float] -== host fields +=== host A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. 
@@ -4197,299 +4197,299 @@ ECS host.* fields should be populated with details about the host on which the e *`host.architecture`*:: + -- +Operating system architecture. + type: keyword example: x86_64 -Operating system architecture. - -- *`host.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`host.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`host.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`host.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`host.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`host.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`host.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`host.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`host.hostname`*:: + -- -type: keyword - Hostname of the host. It normally contains what the `hostname` command returns on the host machine. +type: keyword + -- *`host.id`*:: + -- -type: keyword - Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. +type: keyword + -- *`host.ip`*:: + -- -type: ip - Host ip address. +type: ip + -- *`host.mac`*:: + -- -type: keyword - Host mac address. +type: keyword + -- *`host.name`*:: + -- -type: keyword - Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. +type: keyword + -- *`host.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`host.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`host.os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`host.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`host.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`host.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`host.type`*:: + -- -type: keyword - Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. +type: keyword + -- *`host.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`host.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`host.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`host.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`host.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. 
Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`host.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`host.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== http fields +=== http Fields related to HTTP activity. Use the `url` field set to store the url of the request. 
@@ -4497,124 +4497,124 @@ Fields related to HTTP activity. Use the `url` field set to store the url of the *`http.request.body.bytes`*:: + -- +Size in bytes of the request body. + type: long example: 887 format: bytes -Size in bytes of the request body. - -- *`http.request.body.content`*:: + -- +The full HTTP request body. + type: keyword example: Hello world -The full HTTP request body. - -- *`http.request.bytes`*:: + -- +Total size in bytes of the request (body and headers). + type: long example: 1437 format: bytes -Total size in bytes of the request (body and headers). - -- *`http.request.method`*:: + -- +HTTP request method. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: get, post, put -HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`http.request.referrer`*:: + -- +Referrer for this HTTP request. + type: keyword example: https://blog.example.com/ -Referrer for this HTTP request. - -- *`http.response.body.bytes`*:: + -- +Size in bytes of the response body. + type: long example: 887 format: bytes -Size in bytes of the response body. - -- *`http.response.body.content`*:: + -- +The full HTTP response body. + type: keyword example: Hello world -The full HTTP response body. - -- *`http.response.bytes`*:: + -- +Total size in bytes of the response (body and headers). + type: long example: 1437 format: bytes -Total size in bytes of the response (body and headers). - -- *`http.response.status_code`*:: + -- +HTTP response status code. + type: long example: 404 -HTTP response status code. - -- *`http.version`*:: + -- +HTTP version. + type: keyword example: 1.1 -HTTP version. - -- [float] -== log fields +=== log Fields which are specific to log events. 
@@ -4622,30 +4622,30 @@ Fields which are specific to log events. *`log.level`*:: + -- +Original log level of the log event. +Some examples are `warn`, `error`, `i`. + type: keyword example: err -Original log level of the log event. -Some examples are `warn`, `error`, `i`. - -- *`log.original`*:: + -- -type: keyword - -example: Sep 19 08:26:10 localhost My log - This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. +type: keyword + +example: Sep 19 08:26:10 localhost My log + -- [float] -== network fields +=== network The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event. 
@@ -4654,48 +4654,44 @@ The network.* fields should be populated with details about the network activity *`network.application`*:: + -- +A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: aim -A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`network.bytes`*:: + -- +Total bytes transferred in both directions. +If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + type: long example: 368 format: bytes -Total bytes transferred in both directions. -If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - -- *`network.community_id`*:: + -- +A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. +Learn more at https://github.com/corelight/community-id-spec. + type: keyword example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= -A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. -Learn more at https://github.com/corelight/community-id-spec. - -- *`network.direction`*:: + -- -type: keyword - -example: inbound - Direction of the network traffic. 
Recommended values are: * inbound 
@@ -4707,91 +4703,95 @@ Recommended values are: When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. +type: keyword + +example: inbound + -- *`network.forwarded_ip`*:: + -- +Host IP address when the source IP address is the proxy. + type: ip example: 192.1.1.2 -Host IP address when the source IP address is the proxy. - -- *`network.iana_number`*:: + -- +IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + type: keyword example: 6 -IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - -- *`network.name`*:: + -- +Name given by operators to sections of their network. + type: keyword example: Guest Wifi -Name given by operators to sections of their network. - -- *`network.packets`*:: + -- +Total packets transferred in both directions. +If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + type: long example: 24 -Total packets transferred in both directions. -If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - -- *`network.protocol`*:: + -- +L7 Network protocol name. ex. http, lumberjack, transport protocol. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: http -L7 Network protocol name. ex. http, lumberjack, transport protocol. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". 
- -- *`network.transport`*:: + -- +Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: tcp -Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`network.type`*:: + -- +In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: ipv4 -In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- [float] -== observer fields +=== observer An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. 
@@ -4800,227 +4800,227 @@ This could be a custom hardware appliance or a server that has been configured t *`observer.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`observer.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`observer.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`observer.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`observer.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`observer.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`observer.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`observer.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`observer.hostname`*:: + -- -type: keyword - Hostname of the observer. +type: keyword + -- *`observer.ip`*:: + -- -type: ip - IP address of the observer. +type: ip + -- *`observer.mac`*:: + -- -type: keyword - MAC address of the observer +type: keyword + -- *`observer.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`observer.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`observer.os.kernel`*:: + -- +Operating system kernel version as a raw string. 
+ type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`observer.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`observer.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`observer.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`observer.serial_number`*:: + -- -type: keyword - Observer serial number. +type: keyword + -- *`observer.type`*:: + -- +The type of the observer the data is coming from. +There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + type: keyword example: firewall -The type of the observer the data is coming from. -There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - -- *`observer.vendor`*:: + -- -type: keyword - observer vendor information. +type: keyword + -- *`observer.version`*:: + -- -type: keyword - Observer version. +type: keyword + -- [float] -== organization fields +=== organization The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations. @@ -5029,23 +5029,23 @@ These fields help you arrange or filter data stored in an index by one or multip *`organization.id`*:: + -- -type: keyword - Unique identifier for the organization. +type: keyword + -- *`organization.name`*:: + -- -type: keyword - Organization name. +type: keyword + -- [float] -== os fields +=== os The OS fields contain information about the operating system. 
@@ -5053,71 +5053,71 @@ The OS fields contain information about the operating system. *`os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- [float] -== process fields +=== process These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. 
@@ -5126,101 +5126,101 @@ These fields can help you correlate metrics information with a process id/name f *`process.args`*:: + -- +Array of process arguments. +May be filtered to protect sensitive information. + type: keyword example: ['ssh', '-l', 'user', '10.0.0.16'] -Array of process arguments. -May be filtered to protect sensitive information. - -- *`process.executable`*:: + -- +Absolute path to the process executable. + type: keyword example: /usr/bin/ssh -Absolute path to the process executable. - -- *`process.name`*:: + -- +Process name. +Sometimes called program name or similar. + type: keyword example: ssh -Process name. -Sometimes called program name or similar. - -- *`process.pid`*:: + -- -type: long - Process id. +type: long + -- *`process.ppid`*:: + -- -type: long - Process parent id. +type: long + -- *`process.start`*:: + -- +The time the process started. + type: date example: 2016-05-23T08:05:34.853Z -The time the process started. - -- *`process.thread.id`*:: + -- +Thread ID. + type: long example: 4242 -Thread ID. - -- *`process.title`*:: + -- -type: keyword - Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. +type: keyword + -- *`process.working_directory`*:: + -- +The working directory of the process. + type: keyword example: /home/alice -The working directory of the process. - -- [float] -== related fields +=== related This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. 
@@ -5230,14 +5230,14 @@ A concrete example is IP addresses, which can be under host, observer, source, d *`related.ip`*:: + -- -type: ip - All of the IPs seen on your event. +type: ip + -- [float] -== server fields +=== server A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. 
@@ -5247,234 +5247,234 @@ Client / server representations can add semantic context to an exchange, which i *`server.address`*:: + -- -type: keyword - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`server.bytes`*:: + -- +Bytes sent from the server to the client. + type: long example: 184 format: bytes -Bytes sent from the server to the client. - -- *`server.domain`*:: + -- -type: keyword - Server domain. +type: keyword + -- *`server.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`server.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`server.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`server.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`server.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`server.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`server.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`server.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`server.ip`*:: + -- -type: ip - IP address of the server. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`server.mac`*:: + -- -type: keyword - MAC address of the server. +type: keyword + -- *`server.packets`*:: + -- +Packets sent from the server to the client. + type: long example: 12 -Packets sent from the server to the client. - -- *`server.port`*:: + -- -type: long - Port of the server. +type: long + -- *`server.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`server.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`server.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`server.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`server.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`server.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`server.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== service fields +=== service The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version. 
@@ -5483,78 +5483,78 @@ These fields help you find and correlate logs for a specific service and version *`service.ephemeral_id`*:: + -- +Ephemeral identifier of this service (if one exists). +This id normally changes across restarts, but `service.id` does not. + type: keyword example: 8a4f500f -Ephemeral identifier of this service (if one exists). -This id normally changes across restarts, but `service.id` does not. - -- *`service.id`*:: + -- -type: keyword - -example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - Unique identifier of the running service. This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance. +type: keyword + +example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + -- *`service.name`*:: + -- -type: keyword - -example: elasticsearch-metrics - Name of the service data is collected from. The name of the service is normally user given. This allows if two instances of the same service are running on the same machine they can be differentiated by the `service.name`. Also it allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the `service.type` field if no name is specified. +type: keyword + +example: elasticsearch-metrics + -- *`service.state`*:: + -- -type: keyword - Current state of the service. +type: keyword + -- *`service.type`*:: + -- -type: keyword - -example: elasticsearch - The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
+type: keyword + +example: elasticsearch + -- *`service.version`*:: + -- +Version of the service the data was collected from. +This allows to look at a data set only for a specific version of a service. + type: keyword example: 3.2.4 -Version of the service the data was collected from. -This allows to look at a data set only for a specific version of a service. - -- [float] -== source fields +=== source Source fields describe details about the source of a packet/event. Source fields are usually populated in conjunction with destination fields. 
@@ -5563,234 +5563,234 @@ Source fields are usually populated in conjunction with destination fields. *`source.address`*:: + -- -type: keyword - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`source.bytes`*:: + -- +Bytes sent from the source to the destination. + type: long example: 184 format: bytes -Bytes sent from the source to the destination. - -- *`source.domain`*:: + -- -type: keyword - Source domain. +type: keyword + -- *`source.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`source.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`source.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`source.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`source.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`source.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`source.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`source.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`source.ip`*:: + -- -type: ip - IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`source.mac`*:: + -- -type: keyword - MAC address of the source. +type: keyword + -- *`source.packets`*:: + -- +Packets sent from the source to the destination. + type: long example: 12 -Packets sent from the source to the destination. - -- *`source.port`*:: + -- -type: long - Port of the source. +type: long + -- *`source.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`source.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`source.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`source.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`source.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`source.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`source.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== url fields +=== url URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. 
@@ -5798,111 +5798,111 @@ URL fields provide support for complete or partial URLs, and supports the breaki *`url.domain`*:: + -- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + type: keyword example: www.elastic.co -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - -- *`url.fragment`*:: + -- -type: keyword - Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. +type: keyword + -- *`url.full`*:: + -- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - -- *`url.original`*:: + -- -type: keyword - -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + -- *`url.password`*:: + -- -type: keyword - Password of the request. +type: keyword + -- *`url.path`*:: + -- -type: keyword - Path of the request, such as "/search". +type: keyword + -- *`url.port`*:: + -- +Port of the request, such as 443. + type: long example: 443 -Port of the request, such as 443. 
- -- *`url.query`*:: + -- -type: keyword - The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. +type: keyword + -- *`url.scheme`*:: + -- +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. + type: keyword example: https -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. - -- *`url.username`*:: + -- -type: keyword - Username of the request. +type: keyword + -- [float] -== user fields +=== user The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. 
@@ -5911,73 +5911,73 @@ Fields can have one entry or multiple entries. If a user has more than one id, p *`user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== user_agent fields +=== user_agent The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string. 
@@ -5986,111 +5986,111 @@ They often show up in web service logs coming from the parsed user agent string. *`user_agent.device.name`*:: + -- +Name of the device. + type: keyword example: iPhone -Name of the device. - -- *`user_agent.name`*:: + -- +Name of the user agent. + type: keyword example: Safari -Name of the user agent. - -- *`user_agent.original`*:: + -- +Unparsed version of the user_agent. + type: keyword example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 -Unparsed version of the user_agent. - -- *`user_agent.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`user_agent.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`user_agent.os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`user_agent.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`user_agent.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`user_agent.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`user_agent.version`*:: + -- +Version of the user agent. + type: keyword example: 12.0 -Version of the user agent. - -- [[exported-fields-file_integrity]] 
@@ -6100,7 +6100,7 @@ These are the fields generated by the file_integrity module. [float] -== hash fields +=== hash Hashes of the file. The keys are algorithm names and the values are the hex encoded digest values. @@ -6109,145 +6109,145 @@ Hashes of the file. The keys are algorithm names and the values are the hex enco *`hash.blake2b_256`*:: + -- -type: keyword - BLAKE2b-256 hash of the file. +type: keyword + -- *`hash.blake2b_384`*:: + -- -type: keyword - BLAKE2b-384 hash of the file. +type: keyword + -- *`hash.blake2b_512`*:: + -- -type: keyword - BLAKE2b-512 hash of the file. +type: keyword + -- *`hash.md5`*:: + -- -type: keyword - MD5 hash of the file. +type: keyword + -- *`hash.sha1`*:: + -- -type: keyword - SHA1 hash of the file. +type: keyword + -- *`hash.sha224`*:: + -- -type: keyword - SHA224 hash of the file. +type: keyword + -- *`hash.sha256`*:: + -- -type: keyword - SHA256 hash of the file. +type: keyword + -- *`hash.sha384`*:: + -- -type: keyword - SHA384 hash of the file. +type: keyword + -- *`hash.sha3_224`*:: + -- -type: keyword - SHA3_224 hash of the file. +type: keyword + -- *`hash.sha3_256`*:: + -- -type: keyword - SHA3_256 hash of the file. +type: keyword + -- *`hash.sha3_384`*:: + -- -type: keyword - SHA3_384 hash of the file. +type: keyword + -- *`hash.sha3_512`*:: + -- -type: keyword - SHA3_512 hash of the file. +type: keyword + -- *`hash.sha512`*:: + -- -type: keyword - SHA512 hash of the file. +type: keyword + -- *`hash.sha512_224`*:: + -- -type: keyword - SHA512/224 hash of the file. +type: keyword + -- *`hash.sha512_256`*:: + -- -type: keyword - SHA512/256 hash of the file. +type: keyword + -- *`hash.xxh64`*:: + -- -type: keyword - XX64 hash of the file. +type: keyword + -- [[exported-fields-host-processor]] 
@@ -6261,34 +6261,34 @@ Info collected for the host machine. *`host.containerized`*:: + -- -type: boolean - If the host is a container. +type: boolean + -- *`host.os.build`*:: + -- -type: keyword +OS build information. -example: 18D109 -OS build information. +type: keyword +example: 18D109 -- *`host.os.codename`*:: + -- -type: keyword +OS codename, if any. -example: stretch -OS codename, if any. +type: keyword +example: stretch -- @@ -6302,71 +6302,71 @@ Metadata from Jolokia Discovery added by the jolokia provider. *`jolokia.agent.version`*:: + -- -type: keyword - Version number of jolokia agent. +type: keyword + -- *`jolokia.agent.id`*:: + -- -type: keyword - Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. +type: keyword + -- *`jolokia.server.product`*:: + -- -type: keyword - The container product if detected. +type: keyword + -- *`jolokia.server.version`*:: + -- -type: keyword - The container's version (if detected). +type: keyword + -- *`jolokia.server.vendor`*:: + -- -type: keyword - The vendor of the container the agent is running in. +type: keyword + -- *`jolokia.url`*:: + -- -type: keyword - The URL how this agent can be contacted. +type: keyword + -- *`jolokia.secured`*:: + -- -type: boolean - Whether the agent was configured for authentication or not. +type: boolean + -- [[exported-fields-kubernetes-processor]] 
@@ -6380,111 +6380,111 @@ Kubernetes metadata added by the kubernetes processor *`kubernetes.pod.name`*:: + -- -type: keyword - Kubernetes pod name +type: keyword + -- *`kubernetes.pod.uid`*:: + -- -type: keyword - Kubernetes Pod UID +type: keyword + -- *`kubernetes.namespace`*:: + -- -type: keyword - Kubernetes namespace +type: keyword + -- *`kubernetes.node.name`*:: + -- -type: keyword - Kubernetes node name +type: keyword + -- *`kubernetes.labels`*:: + -- -type: object - Kubernetes labels map +type: object + -- *`kubernetes.annotations`*:: + -- -type: object - Kubernetes annotations map +type: object + -- *`kubernetes.replicaset.name`*:: + -- -type: keyword - Kubernetes replicaset name +type: keyword + -- *`kubernetes.deployment.name`*:: + -- -type: keyword - Kubernetes deployment name +type: keyword + -- *`kubernetes.statefulset.name`*:: + -- -type: keyword - Kubernetes statefulset name +type: keyword + -- *`kubernetes.container.name`*:: + -- -type: keyword - Kubernetes container name +type: keyword + -- *`kubernetes.container.image`*:: + -- -type: keyword - Kubernetes container image +type: keyword + -- [[exported-fields-process]] 
@@ -6515,47 +6515,47 @@ These are the fields generated by the system module. *`event.origin`*:: + -- -type: keyword - Origin of the event. This can be a file path (e.g. `/var/log/log.1`), or the name of the system component that supplied the data (e.g. `netlink`). +type: keyword + -- *`user.entity_id`*:: + -- -type: keyword - ID uniquely identifying the user on a host. It is computed as a SHA-256 hash of the host ID, user ID, and user name. +type: keyword + -- *`user.terminal`*:: + -- -type: keyword - Terminal of the user. +type: keyword + -- *`process.entity_id`*:: + -- -type: keyword - ID uniquely identifying the process. It is computed as a SHA-256 hash of the host ID, PID, and process start time. +type: keyword + -- [float] -== hash fields +=== hash Hashes of the executable. The keys are algorithm names and the values are the hex encoded digest values. 
@@ -6564,166 +6564,166 @@ Hashes of the executable. The keys are algorithm names and the values are the he *`process.hash.blake2b_256`*:: + -- -type: keyword - BLAKE2b-256 hash of the executable. +type: keyword + -- *`process.hash.blake2b_384`*:: + -- -type: keyword - BLAKE2b-384 hash of the executable. +type: keyword + -- *`process.hash.blake2b_512`*:: + -- -type: keyword - BLAKE2b-512 hash of the executable. +type: keyword + -- *`process.hash.md5`*:: + -- -type: keyword - MD5 hash of the executable. +type: keyword + -- *`process.hash.sha1`*:: + -- -type: keyword - SHA1 hash of the executable. +type: keyword + -- *`process.hash.sha224`*:: + -- -type: keyword - SHA224 hash of the executable. +type: keyword + -- *`process.hash.sha256`*:: + -- -type: keyword - SHA256 hash of the executable. +type: keyword + -- *`process.hash.sha384`*:: + -- -type: keyword - SHA384 hash of the executable. +type: keyword + -- *`process.hash.sha3_224`*:: + -- -type: keyword - SHA3_224 hash of the executable. +type: keyword + -- *`process.hash.sha3_256`*:: + -- -type: keyword - SHA3_256 hash of the executable. +type: keyword + -- *`process.hash.sha3_384`*:: + -- -type: keyword - SHA3_384 hash of the executable. +type: keyword + -- *`process.hash.sha3_512`*:: + -- -type: keyword - SHA3_512 hash of the executable. +type: keyword + -- *`process.hash.sha512`*:: + -- -type: keyword - SHA512 hash of the executable. +type: keyword + -- *`process.hash.sha512_224`*:: + -- -type: keyword - SHA512/224 hash of the executable. +type: keyword + -- *`process.hash.sha512_256`*:: + -- -type: keyword - SHA512/256 hash of the executable. +type: keyword + -- *`process.hash.xxh64`*:: + -- -type: keyword - XX64 hash of the executable. +type: keyword + -- *`socket.entity_id`*:: + -- -type: keyword - ID uniquely identifying the socket. It is computed as a SHA-256 hash of the host ID, socket inode, local IP, local port, remote IP, and remote port. 
+type: keyword + -- [float] -== system.audit fields +=== system.audit [float] -== host fields +=== host `host` contains general host information. @@ -6732,107 +6732,107 @@ ID uniquely identifying the socket. It is computed as a SHA-256 hash of the host *`system.audit.host.uptime`*:: + -- -type: long +Uptime in nanoseconds. -format: duration -Uptime in nanoseconds. +type: long +format: duration -- *`system.audit.host.boottime`*:: + -- -type: date - Boot time. +type: date + -- *`system.audit.host.containerized`*:: + -- -type: boolean - Set if host is a container. +type: boolean + -- *`system.audit.host.timezone.name`*:: + -- -type: keyword - Name of the timezone of the host, e.g. BST. +type: keyword + -- *`system.audit.host.timezone.offset.sec`*:: + -- -type: long - Timezone offset in seconds. +type: long + -- *`system.audit.host.hostname`*:: + -- -type: keyword - Hostname. +type: keyword + -- *`system.audit.host.id`*:: + -- -type: keyword - Host ID. +type: keyword + -- *`system.audit.host.architecture`*:: + -- -type: keyword - Host architecture (e.g. x86_64). +type: keyword + -- *`system.audit.host.mac`*:: + -- -type: keyword - MAC addresses. +type: keyword + -- *`system.audit.host.ip`*:: + -- -type: ip - IP addresses. +type: ip + -- [float] -== os fields +=== os `os` contains information about the operating system. 
@@ -6841,65 +6841,65 @@ IP addresses. *`system.audit.host.os.codename`*:: + -- -type: keyword - OS codename, if any (e.g. stretch). +type: keyword + -- *`system.audit.host.os.platform`*:: + -- -type: keyword - OS platform (e.g. centos, ubuntu, windows). +type: keyword + -- *`system.audit.host.os.name`*:: + -- -type: keyword - OS name (e.g. Mac OS X). +type: keyword + -- *`system.audit.host.os.family`*:: + -- -type: keyword - OS family (e.g. redhat, debian, freebsd, windows). +type: keyword + -- *`system.audit.host.os.version`*:: + -- -type: keyword - OS version. +type: keyword + -- *`system.audit.host.os.kernel`*:: + -- -type: keyword - The operating system's kernel version. +type: keyword + -- [float] -== package fields +=== package `package` contains information about an installed or removed package. @@ -6908,82 +6908,82 @@ The operating system's kernel version. *`system.audit.package.entity_id`*:: + -- -type: keyword - ID uniquely identifying the package. It is computed as a SHA-256 hash of the host ID, package name, and package version. +type: keyword + -- *`system.audit.package.name`*:: + -- -type: keyword - Package name. +type: keyword + -- *`system.audit.package.version`*:: + -- -type: keyword - Package version. +type: keyword + -- *`system.audit.package.release`*:: + -- -type: keyword - Package release. +type: keyword + -- *`system.audit.package.arch`*:: + -- -type: keyword - Package architecture. +type: keyword + -- *`system.audit.package.license`*:: + -- -type: keyword - Package license. +type: keyword + -- *`system.audit.package.installtime`*:: + -- -type: date - Package install time. +type: date + -- *`system.audit.package.size`*:: + -- -type: long - Package size. +type: long + -- *`system.audit.package.summary`*:: @@ -6997,15 +6997,15 @@ Package summary. *`system.audit.package.url`*:: + -- -type: keyword - Package URL. +type: keyword + -- [float] -== user fields +=== user `user` contains information about the users on a system. 
@@ -7014,75 +7014,75 @@ Package URL. *`system.audit.user.name`*:: + -- -type: keyword - User name. +type: keyword + -- *`system.audit.user.uid`*:: + -- -type: keyword - User ID. +type: keyword + -- *`system.audit.user.gid`*:: + -- -type: keyword - Group ID. +type: keyword + -- *`system.audit.user.dir`*:: + -- -type: keyword - User's home directory. +type: keyword + -- *`system.audit.user.shell`*:: + -- -type: keyword - Program to run at login. +type: keyword + -- *`system.audit.user.user_information`*:: + -- -type: keyword - General user information. On Linux, this is the gecos field. +type: keyword + -- *`system.audit.user.group`*:: + -- -type: object - `group` contains information about any groups the user is part of (beyond the user's primary group). +type: object + -- [float] -== password fields +=== password `password` contains information about a user's password (not the password itself). @@ -7091,20 +7091,20 @@ type: object *`system.audit.user.password.type`*:: + -- -type: keyword - A user's password type. Possible values are `shadow_password` (the password hash is in the shadow file), `password_disabled`, `no_password` (this is dangerous as anyone can log in), and `crypt_password` (when the password field in /etc/passwd seems to contain an encrypted password). +type: keyword + -- *`system.audit.user.password.last_changed`*:: + -- -type: date - The day the user's password was last changed. +type: date + -- diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index eb1be4e443e..da26e02f443 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -60,7 +60,7 @@ Apache Module [float] -== apache2 fields +=== apache2 Aliases for backward compatibility with old apache2 fields @@ -314,14 +314,14 @@ alias to: apache.error.module -- [float] -== apache fields +=== apache Apache fields. [float] -== access fields +=== access Contains fields for the Apache HTTP Server access logs. 
@@ -330,25 +330,25 @@ Contains fields for the Apache HTTP Server access logs. *`apache.access.ssl.protocol`*:: + -- -type: keyword - SSL protocol version. +type: keyword + -- *`apache.access.ssl.cipher`*:: + -- -type: keyword - SSL cipher name. +type: keyword + -- [float] -== error fields +=== error Fields from the Apache error logs. @@ -357,11 +357,11 @@ Fields from the Apache error logs. *`apache.error.module`*:: + -- -type: keyword - The module producing the logged message. +type: keyword + -- [[exported-fields-auditd]] 
@@ -375,237 +375,237 @@ Module for parsing auditd logs. *`user.terminal`*:: + -- -type: keyword - Terminal or tty device on which the user is performing the observed activity. +type: keyword + -- *`user.audit.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`user.audit.name`*:: + -- -type: keyword +Short name or login of the user. -example: albert -Short name or login of the user. +type: keyword +example: albert -- *`user.audit.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`user.audit.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`user.effective.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`user.effective.name`*:: + -- -type: keyword +Short name or login of the user. -example: albert -Short name or login of the user. +type: keyword +example: albert -- *`user.effective.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`user.effective.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`user.filesystem.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`user.filesystem.name`*:: + -- -type: keyword +Short name or login of the user. -example: albert -Short name or login of the user. +type: keyword +example: albert -- *`user.filesystem.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`user.filesystem.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`user.owner.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`user.owner.name`*:: + -- -type: keyword +Short name or login of the user. -example: albert -Short name or login of the user. 
+type: keyword +example: albert -- *`user.owner.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`user.owner.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`user.saved.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`user.saved.name`*:: + -- -type: keyword +Short name or login of the user. -example: albert -Short name or login of the user. +type: keyword +example: albert -- *`user.saved.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`user.saved.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- [float] -== auditd fields +=== auditd Fields from the auditd logs. [float] -== log fields +=== log Fields from the Linux audit log. Not all fields are documented here because they are dynamic and vary by audit event type. @@ -646,11 +646,11 @@ For login events this is the new session ID. It can be used to tie a user to fut *`auditd.log.sequence`*:: + -- -type: long - The audit event sequence number. +type: long + -- *`auditd.log.items`*:: @@ -993,10 +993,10 @@ Contains common beat fields available in all event types. *`agent.hostname`*:: + -- -type: keyword - Hostname of the agent. +type: keyword + -- *`beat.timezone`*:: @@ -1011,15 +1011,15 @@ alias to: event.timezone *`fields`*:: + -- -type: object - Contains user configurable fields. +type: object + -- [float] -== error fields +=== error Error fields containing additional info in case of errors. @@ -1028,11 +1028,11 @@ Error fields containing additional info in case of errors. *`error.type`*:: + -- -type: keyword - Error type. +type: keyword + -- *`beat.name`*:: @@ -1056,10 +1056,10 @@ alias to: agent.hostname *`timeseries.instance`*:: + -- -type: keyword - Time series instance id +type: keyword + -- [[exported-fields-cisco]] 
@@ -1070,14 +1070,14 @@ Module for handling Cisco network device logs. [float] -== cisco fields +=== cisco Fields from Cisco logs. [float] -== asa fields +=== asa Fields for Cisco ASA Firewall. 
@@ -1086,163 +1086,163 @@ Fields for Cisco ASA Firewall. *`cisco.asa.message_id`*:: + -- -type: keyword - The Cisco ASA message identifier. +type: keyword + -- *`cisco.asa.suffix`*:: + -- -type: keyword +Optional suffix after %ASA identifier. -example: session -Optional suffix after %ASA identifier. +type: keyword +example: session -- *`cisco.asa.source_interface`*:: + -- -type: keyword - Source interface for the flow or event. +type: keyword + -- *`cisco.asa.destination_interface`*:: + -- -type: keyword - Destination interface for the flow or event. +type: keyword + -- *`cisco.asa.list_id`*:: + -- -type: keyword - Name of the Access Control List that matched this event. +type: keyword + -- *`cisco.asa.source_username`*:: + -- -type: keyword - Name of the user that is the source for this event. +type: keyword + -- *`cisco.asa.destination_username`*:: + -- -type: keyword - Name of the user that is the destination for this event. +type: keyword + -- *`cisco.asa.mapped_source_ip`*:: + -- -type: ip - The translated source IP address. +type: ip + -- *`cisco.asa.mapped_source_port`*:: + -- -type: long - The translated source port. +type: long + -- *`cisco.asa.mapped_destination_ip`*:: + -- -type: ip - The translated destination IP address. +type: ip + -- *`cisco.asa.mapped_destination_port`*:: + -- -type: long - The translated destination port. +type: long + -- *`cisco.asa.threat_level`*:: + -- -type: keyword - Threat level for malware / botnet traffic. One of very-low, low, moderate, high or very-high. +type: keyword + -- *`cisco.asa.threat_category`*:: + -- -type: keyword - Category for the malware / botnet traffic. For example: virus, botnet, trojan, etc. +type: keyword + -- *`cisco.asa.connection_id`*:: + -- -type: keyword - Unique identifier for a flow. +type: keyword + -- *`cisco.asa.icmp_type`*:: + -- -type: short - ICMP type. +type: short + -- *`cisco.asa.icmp_code`*:: + -- -type: short - ICMP code. +type: short + -- [[exported-fields-cloud]] 
@@ -1255,11 +1255,11 @@ Metadata from cloud providers added by the add_cloud_metadata processor. *`cloud.project.id`*:: + -- -example: project-x - Name of the project in Google Cloud. +example: project-x + -- *`meta.cloud.provider`*:: @@ -1333,7 +1333,7 @@ Module for handling logs produced by coredns [float] -== coredns fields +=== coredns coredns fields after normalization @@ -1342,95 +1342,95 @@ coredns fields after normalization *`coredns.id`*:: + -- -type: keyword - id of the DNS transaction +type: keyword + -- *`coredns.query.size`*:: + -- -type: integer +size of the DNS query -format: bytes -size of the DNS query +type: integer +format: bytes -- *`coredns.query.class`*:: + -- -type: keyword - DNS query class +type: keyword + -- *`coredns.query.name`*:: + -- -type: keyword - DNS query name +type: keyword + -- *`coredns.query.type`*:: + -- -type: keyword - DNS query type +type: keyword + -- *`coredns.response.code`*:: + -- -type: keyword - DNS response code +type: keyword + -- *`coredns.response.flags`*:: + -- -type: keyword - DNS response flags +type: keyword + -- *`coredns.response.size`*:: + -- -type: integer +size of the DNS response -format: bytes -size of the DNS response +type: integer +format: bytes -- *`coredns.dnssec_ok`*:: + -- -type: boolean - dnssec flag +type: boolean + -- [[exported-fields-docker-processor]] @@ -1471,11 +1471,11 @@ alias to: container.name *`docker.container.labels`*:: + -- -type: object - Image labels. +type: object + -- [[exported-fields-ecs]] 
@@ -1487,58 +1487,58 @@ ECS Fields. *`@timestamp`*:: + -- +Date/time when the event originated. +This is the date/time extracted from the event, typically representing when the event was generated by the source. +If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. +Required field for all events. + type: date example: 2016-05-23T08:05:34.853Z required: True -Date/time when the event originated. -This is the date/time extracted from the event, typically representing when the event was generated by the source. -If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. -Required field for all events. - -- *`labels`*:: + -- -type: object - -example: {'application': 'foo-bar', 'env': 'production'} - Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. --- +type: object + +example: {'application': 'foo-bar', 'env': 'production'} + +-- *`message`*:: + -- -type: text - -example: Hello World - For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. +type: text + +example: Hello World + -- *`tags`*:: + -- +List of keywords used to tag each event. + type: keyword example: ["production", "env2"] -List of keywords used to tag each event. - -- [float] -== agent fields +=== agent The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. 
ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. 
@@ -1547,65 +1547,65 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha *`agent.ephemeral_id`*:: + -- +Ephemeral identifier of this agent (if one exists). +This id normally changes across restarts, but `agent.id` does not. + type: keyword example: 8a4f500f -Ephemeral identifier of this agent (if one exists). -This id normally changes across restarts, but `agent.id` does not. - -- *`agent.id`*:: + -- +Unique identifier of this agent (if one exists). +Example: For Beats this would be beat.id. + type: keyword example: 8a4f500d -Unique identifier of this agent (if one exists). -Example: For Beats this would be beat.id. - -- *`agent.name`*:: + -- -type: keyword - -example: foo - Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. +type: keyword + +example: foo + -- *`agent.type`*:: + -- +Type of the agent. +The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. + type: keyword example: filebeat -Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. - -- *`agent.version`*:: + -- +Version of the agent. + type: keyword example: 6.0.0-rc2 -Version of the agent. - -- [float] -== client fields +=== client A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). 
For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. 
@@ -1615,234 +1615,234 @@ Client / server representations can add semantic context to an exchange, which i *`client.address`*:: + -- -type: keyword - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`client.bytes`*:: + -- +Bytes sent from the client to the server. + type: long example: 184 format: bytes -Bytes sent from the client to the server. - -- *`client.domain`*:: + -- -type: keyword - Client domain. +type: keyword + -- *`client.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`client.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`client.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`client.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`client.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`client.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`client.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`client.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`client.ip`*:: + -- -type: ip - IP address of the client. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`client.mac`*:: + -- -type: keyword - MAC address of the client. +type: keyword + -- *`client.packets`*:: + -- +Packets sent from the client to the server. + type: long example: 12 -Packets sent from the client to the server. - -- *`client.port`*:: + -- -type: long - Port of the client. +type: long + -- *`client.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`client.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`client.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`client.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`client.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`client.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`client.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== cloud fields +=== cloud Fields related to the cloud or infrastructure the events are coming from. 
@@ -1850,81 +1850,81 @@ Fields related to the cloud or infrastructure the events are coming from. *`cloud.account.id`*:: + -- +The cloud account or organization id used to identify different entities in a multi-tenant environment. +Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + type: keyword example: 666777888999 -The cloud account or organization id used to identify different entities in a multi-tenant environment. -Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - -- *`cloud.availability_zone`*:: + -- +Availability zone in which this host is running. + type: keyword example: us-east-1c -Availability zone in which this host is running. - -- *`cloud.instance.id`*:: + -- +Instance ID of the host machine. + type: keyword example: i-1234567890abcdef0 -Instance ID of the host machine. - -- *`cloud.instance.name`*:: + -- -type: keyword - Instance name of the host machine. +type: keyword + -- *`cloud.machine.type`*:: + -- +Machine type of the host machine. + type: keyword example: t2.medium -Machine type of the host machine. - -- *`cloud.provider`*:: + -- +Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + type: keyword example: aws -Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - -- *`cloud.region`*:: + -- +Region in which this host is running. + type: keyword example: us-east-1 -Region in which this host is running. - -- [float] -== container fields +=== container Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime. 
@@ -1933,61 +1933,61 @@ These fields help correlate data based containers from any runtime. *`container.id`*:: + -- -type: keyword - Unique container id. +type: keyword + -- *`container.image.name`*:: + -- -type: keyword - Name of the image the container was built on. +type: keyword + -- *`container.image.tag`*:: + -- -type: keyword - Container image tag. +type: keyword + -- *`container.labels`*:: + -- -type: object - Image labels. +type: object + -- *`container.name`*:: + -- -type: keyword - Container name. +type: keyword + -- *`container.runtime`*:: + -- +Runtime managing this container. + type: keyword example: docker -Runtime managing this container. - -- [float] -== destination fields +=== destination Destination fields describe details about the destination of a packet/event. Destination fields are usually populated in conjunction with source fields. 
@@ -1996,234 +1996,234 @@ Destination fields are usually populated in conjunction with source fields. *`destination.address`*:: + -- -type: keyword - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`destination.bytes`*:: + -- +Bytes sent from the destination to the source. + type: long example: 184 format: bytes -Bytes sent from the destination to the source. - -- *`destination.domain`*:: + -- -type: keyword - Destination domain. +type: keyword + -- *`destination.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`destination.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`destination.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`destination.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`destination.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`destination.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`destination.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`destination.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`destination.ip`*:: + -- -type: ip - IP address of the destination. 
Can be one or multiple IPv4 or IPv6 addresses. +type: ip + -- *`destination.mac`*:: + -- -type: keyword - MAC address of the destination. +type: keyword + -- *`destination.packets`*:: + -- +Packets sent from the destination to the source. + type: long example: 12 -Packets sent from the destination to the source. - -- *`destination.port`*:: + -- -type: long - Port of the destination. +type: long + -- *`destination.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`destination.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`destination.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`destination.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`destination.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`destination.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`destination.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== ecs fields +=== ecs Meta-information specific to ECS. 
@@ -2231,19 +2231,19 @@ Meta-information specific to ECS. *`ecs.version`*:: + -- +ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. +When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + type: keyword example: 1.0.0 required: True -ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. -When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - -- [float] -== error fields +=== error These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. @@ -2252,32 +2252,32 @@ Use them for errors that happen while fetching events or in cases where the even *`error.code`*:: + -- -type: keyword - Error code describing the error. +type: keyword + -- *`error.id`*:: + -- -type: keyword - Unique identifier for the error. +type: keyword + -- *`error.message`*:: + -- -type: text - Error message. +type: text + -- [float] -== event fields +=== event The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. 
@@ -2286,203 +2286,203 @@ A log is defined as an event containing details of something that happened. Log *`event.action`*:: + -- +The action captured by the event. +This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + type: keyword example: user-password-change -The action captured by the event. -This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - -- *`event.category`*:: + -- +Event category. +This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: user-management -Event category. -This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.created`*:: + -- -type: date - event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
+type: date + -- *`event.dataset`*:: + -- +Name of the dataset. +The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. + type: keyword example: stats -Name of the dataset. -The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. - -- *`event.duration`*:: + -- +Duration of the event in nanoseconds. +If event.start and event.end are known this value should be the difference between the end and start time. + type: long format: duration -Duration of the event in nanoseconds. -If event.start and event.end are known this value should be the difference between the end and start time. - -- *`event.end`*:: + -- -type: date - event.end contains the date when the event ended or when the activity was last observed. +type: date + -- *`event.hash`*:: + -- +Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. + type: keyword example: 123456789012345678901234567890ABCD -Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. - -- *`event.id`*:: + -- +Unique ID to describe the event. + type: keyword example: 8a4f500d -Unique ID to describe the event. - -- *`event.kind`*:: + -- +The kind of the event. +This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: state -The kind of the event. -This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. 
Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.module`*:: + -- +Name of the module this data is coming from. +This information is coming from the modules used in Beats or Logstash. + type: keyword example: mysql -Name of the module this data is coming from. -This information is coming from the modules used in Beats or Logstash. - -- *`event.original`*:: + -- +Raw text message of entire event. Used to demonstrate log integrity. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. + type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 -Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. - -- *`event.outcome`*:: + -- +The outcome of the event. +If the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: success -The outcome of the event. -If the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.risk_score`*:: + -- -type: float - Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +type: float + -- *`event.risk_score_norm`*:: + -- -type: float - Normalized risk score or priority of the event, on a scale of 0 to 100. 
This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. +type: float + -- *`event.severity`*:: + -- +Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events. + type: long example: 7 -Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events. - -- *`event.start`*:: + -- -type: date - event.start contains the date when the event started or when the activity was first observed. +type: date + -- *`event.timezone`*:: + -- -type: keyword - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). +type: keyword + -- *`event.type`*:: + -- -type: keyword - Reserved for future usage. Please avoid using this field for user data. +type: keyword + -- [float] -== file fields +=== file A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. 
@@ -2491,136 +2491,136 @@ File objects can be associated with host events, network events, and/or file eve *`file.ctime`*:: + -- -type: date - Last time file metadata changed. +type: date + -- *`file.device`*:: + -- -type: keyword - Device that is the source of the file. +type: keyword + -- *`file.extension`*:: + -- +File extension. +This should allow easy filtering by file extensions. + type: keyword example: png -File extension. -This should allow easy filtering by file extensions. - -- *`file.gid`*:: + -- -type: keyword - Primary group ID (GID) of the file. +type: keyword + -- *`file.group`*:: + -- -type: keyword - Primary group name of the file. +type: keyword + -- *`file.inode`*:: + -- -type: keyword - Inode representing the file in the filesystem. +type: keyword + -- *`file.mode`*:: + -- +Mode of the file in octal representation. + type: keyword example: 416 -Mode of the file in octal representation. - -- *`file.mtime`*:: + -- -type: date - Last time file content was modified. +type: date + -- *`file.owner`*:: + -- -type: keyword - File owner's username. +type: keyword + -- *`file.path`*:: + -- -type: keyword - Path to the file. +type: keyword + -- *`file.size`*:: + -- -type: long - File size in bytes (field is only added when `type` is `file`). +type: long + -- *`file.target_path`*:: + -- -type: keyword - Target path for symlinks. +type: keyword + -- *`file.type`*:: + -- -type: keyword - File type (file, dir, or symlink). +type: keyword + -- *`file.uid`*:: + -- -type: keyword - The user ID (UID) or security identifier (SID) of the file owner. +type: keyword + -- [float] -== geo fields +=== geo Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. 
@@ -2629,95 +2629,95 @@ This geolocation information can be derived from techniques such as Geo IP, or b *`geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- [float] -== group fields +=== group The group fields are meant to represent groups that are relevant to the event. @@ -2725,23 +2725,23 @@ The group fields are meant to represent groups that are relevant to the event. *`group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- [float] -== host fields +=== host A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. 
@@ -2750,299 +2750,299 @@ ECS host.* fields should be populated with details about the host on which the e *`host.architecture`*:: + -- +Operating system architecture. + type: keyword example: x86_64 -Operating system architecture. - -- *`host.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`host.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`host.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`host.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`host.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`host.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`host.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`host.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`host.hostname`*:: + -- -type: keyword - Hostname of the host. It normally contains what the `hostname` command returns on the host machine. +type: keyword + -- *`host.id`*:: + -- -type: keyword - Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. +type: keyword + -- *`host.ip`*:: + -- -type: ip - Host ip address. +type: ip + -- *`host.mac`*:: + -- -type: keyword - Host mac address. +type: keyword + -- *`host.name`*:: + -- -type: keyword - Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. +type: keyword + -- *`host.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`host.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`host.os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`host.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`host.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`host.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`host.type`*:: + -- -type: keyword - Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. +type: keyword + -- *`host.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`host.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`host.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`host.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`host.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. 
Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`host.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`host.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== http fields +=== http Fields related to HTTP activity. Use the `url` field set to store the url of the request. 
@@ -3050,124 +3050,124 @@ Fields related to HTTP activity. Use the `url` field set to store the url of the *`http.request.body.bytes`*:: + -- +Size in bytes of the request body. + type: long example: 887 format: bytes -Size in bytes of the request body. - -- *`http.request.body.content`*:: + -- +The full HTTP request body. + type: keyword example: Hello world -The full HTTP request body. - -- *`http.request.bytes`*:: + -- +Total size in bytes of the request (body and headers). + type: long example: 1437 format: bytes -Total size in bytes of the request (body and headers). - -- *`http.request.method`*:: + -- +HTTP request method. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: get, post, put -HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`http.request.referrer`*:: + -- +Referrer for this HTTP request. + type: keyword example: https://blog.example.com/ -Referrer for this HTTP request. - -- *`http.response.body.bytes`*:: + -- +Size in bytes of the response body. + type: long example: 887 format: bytes -Size in bytes of the response body. - -- *`http.response.body.content`*:: + -- +The full HTTP response body. + type: keyword example: Hello world -The full HTTP response body. - -- *`http.response.bytes`*:: + -- +Total size in bytes of the response (body and headers). + type: long example: 1437 format: bytes -Total size in bytes of the response (body and headers). - -- *`http.response.status_code`*:: + -- +HTTP response status code. + type: long example: 404 -HTTP response status code. - -- *`http.version`*:: + -- +HTTP version. + type: keyword example: 1.1 -HTTP version. - -- [float] -== log fields +=== log Fields which are specific to log events. 
@@ -3175,30 +3175,30 @@ Fields which are specific to log events. *`log.level`*:: + -- +Original log level of the log event. +Some examples are `warn`, `error`, `i`. + type: keyword example: err -Original log level of the log event. -Some examples are `warn`, `error`, `i`. - -- *`log.original`*:: + -- -type: keyword - -example: Sep 19 08:26:10 localhost My log - This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. +type: keyword + +example: Sep 19 08:26:10 localhost My log + -- [float] -== network fields +=== network The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event. 
@@ -3207,48 +3207,44 @@ The network.* fields should be populated with details about the network activity *`network.application`*:: + -- +A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: aim -A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`network.bytes`*:: + -- +Total bytes transferred in both directions. +If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + type: long example: 368 format: bytes -Total bytes transferred in both directions. -If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - -- *`network.community_id`*:: + -- +A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. +Learn more at https://github.com/corelight/community-id-spec. + type: keyword example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= -A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. -Learn more at https://github.com/corelight/community-id-spec. - -- *`network.direction`*:: + -- -type: keyword - -example: inbound - Direction of the network traffic. 
Recommended values are: * inbound 
@@ -3260,91 +3256,95 @@ Recommended values are: When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. +type: keyword + +example: inbound + -- *`network.forwarded_ip`*:: + -- +Host IP address when the source IP address is the proxy. + type: ip example: 192.1.1.2 -Host IP address when the source IP address is the proxy. - -- *`network.iana_number`*:: + -- +IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + type: keyword example: 6 -IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - -- *`network.name`*:: + -- +Name given by operators to sections of their network. + type: keyword example: Guest Wifi -Name given by operators to sections of their network. - -- *`network.packets`*:: + -- +Total packets transferred in both directions. +If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + type: long example: 24 -Total packets transferred in both directions. -If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - -- *`network.protocol`*:: + -- +L7 Network protocol name. ex. http, lumberjack, transport protocol. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: http -L7 Network protocol name. ex. http, lumberjack, transport protocol. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". 
- -- *`network.transport`*:: + -- +Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: tcp -Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`network.type`*:: + -- +In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: ipv4 -In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- [float] -== observer fields +=== observer An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. 
@@ -3353,227 +3353,227 @@ This could be a custom hardware appliance or a server that has been configured t *`observer.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`observer.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`observer.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`observer.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`observer.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`observer.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`observer.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`observer.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`observer.hostname`*:: + -- -type: keyword - Hostname of the observer. +type: keyword + -- *`observer.ip`*:: + -- -type: ip - IP address of the observer. +type: ip + -- *`observer.mac`*:: + -- -type: keyword - MAC address of the observer +type: keyword + -- *`observer.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`observer.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`observer.os.kernel`*:: + -- +Operating system kernel version as a raw string. 
+ type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`observer.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`observer.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`observer.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`observer.serial_number`*:: + -- -type: keyword - Observer serial number. +type: keyword + -- *`observer.type`*:: + -- +The type of the observer the data is coming from. +There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + type: keyword example: firewall -The type of the observer the data is coming from. -There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - -- *`observer.vendor`*:: + -- -type: keyword - observer vendor information. +type: keyword + -- *`observer.version`*:: + -- -type: keyword - Observer version. +type: keyword + -- [float] -== organization fields +=== organization The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations. @@ -3582,23 +3582,23 @@ These fields help you arrange or filter data stored in an index by one or multip *`organization.id`*:: + -- -type: keyword - Unique identifier for the organization. +type: keyword + -- *`organization.name`*:: + -- -type: keyword - Organization name. +type: keyword + -- [float] -== os fields +=== os The OS fields contain information about the operating system. 
@@ -3606,71 +3606,71 @@ The OS fields contain information about the operating system. *`os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- [float] -== process fields +=== process These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. 
@@ -3679,101 +3679,101 @@ These fields can help you correlate metrics information with a process id/name f *`process.args`*:: + -- +Array of process arguments. +May be filtered to protect sensitive information. + type: keyword example: ['ssh', '-l', 'user', '10.0.0.16'] -Array of process arguments. -May be filtered to protect sensitive information. - -- *`process.executable`*:: + -- +Absolute path to the process executable. + type: keyword example: /usr/bin/ssh -Absolute path to the process executable. - -- *`process.name`*:: + -- +Process name. +Sometimes called program name or similar. + type: keyword example: ssh -Process name. -Sometimes called program name or similar. - -- *`process.pid`*:: + -- -type: long - Process id. +type: long + -- *`process.ppid`*:: + -- -type: long - Process parent id. +type: long + -- *`process.start`*:: + -- +The time the process started. + type: date example: 2016-05-23T08:05:34.853Z -The time the process started. - -- *`process.thread.id`*:: + -- +Thread ID. + type: long example: 4242 -Thread ID. - -- *`process.title`*:: + -- -type: keyword - Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. +type: keyword + -- *`process.working_directory`*:: + -- +The working directory of the process. + type: keyword example: /home/alice -The working directory of the process. - -- [float] -== related fields +=== related This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. 
@@ -3783,14 +3783,14 @@ A concrete example is IP addresses, which can be under host, observer, source, d *`related.ip`*:: + -- -type: ip - All of the IPs seen on your event. +type: ip + -- [float] -== server fields +=== server A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. 
@@ -3800,234 +3800,234 @@ Client / server representations can add semantic context to an exchange, which i *`server.address`*:: + -- -type: keyword - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`server.bytes`*:: + -- +Bytes sent from the server to the client. + type: long example: 184 format: bytes -Bytes sent from the server to the client. - -- *`server.domain`*:: + -- -type: keyword - Server domain. +type: keyword + -- *`server.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`server.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`server.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`server.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`server.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`server.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`server.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`server.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`server.ip`*:: + -- -type: ip - IP address of the server. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`server.mac`*:: + -- -type: keyword - MAC address of the server. +type: keyword + -- *`server.packets`*:: + -- +Packets sent from the server to the client. + type: long example: 12 -Packets sent from the server to the client. - -- *`server.port`*:: + -- -type: long - Port of the server. +type: long + -- *`server.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`server.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`server.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`server.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`server.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`server.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`server.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== service fields +=== service The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version. 
@@ -4036,78 +4036,78 @@ These fields help you find and correlate logs for a specific service and version *`service.ephemeral_id`*:: + -- +Ephemeral identifier of this service (if one exists). +This id normally changes across restarts, but `service.id` does not. + type: keyword example: 8a4f500f -Ephemeral identifier of this service (if one exists). -This id normally changes across restarts, but `service.id` does not. - -- *`service.id`*:: + -- -type: keyword - -example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - Unique identifier of the running service. This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance. +type: keyword + +example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + -- *`service.name`*:: + -- -type: keyword - -example: elasticsearch-metrics - Name of the service data is collected from. The name of the service is normally user given. This allows if two instances of the same service are running on the same machine they can be differentiated by the `service.name`. Also it allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the `service.type` field if no name is specified. +type: keyword + +example: elasticsearch-metrics + -- *`service.state`*:: + -- -type: keyword - Current state of the service. +type: keyword + -- *`service.type`*:: + -- -type: keyword - -example: elasticsearch - The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
+type: keyword + +example: elasticsearch + -- *`service.version`*:: + -- +Version of the service the data was collected from. +This allows to look at a data set only for a specific version of a service. + type: keyword example: 3.2.4 -Version of the service the data was collected from. -This allows to look at a data set only for a specific version of a service. - -- [float] -== source fields +=== source Source fields describe details about the source of a packet/event. Source fields are usually populated in conjunction with destination fields. 
@@ -4116,234 +4116,234 @@ Source fields are usually populated in conjunction with destination fields. *`source.address`*:: + -- -type: keyword - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`source.bytes`*:: + -- +Bytes sent from the source to the destination. + type: long example: 184 format: bytes -Bytes sent from the source to the destination. - -- *`source.domain`*:: + -- -type: keyword - Source domain. +type: keyword + -- *`source.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`source.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`source.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`source.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`source.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`source.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`source.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`source.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`source.ip`*:: + -- -type: ip - IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`source.mac`*:: + -- -type: keyword - MAC address of the source. +type: keyword + -- *`source.packets`*:: + -- +Packets sent from the source to the destination. + type: long example: 12 -Packets sent from the source to the destination. - -- *`source.port`*:: + -- -type: long - Port of the source. +type: long + -- *`source.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`source.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`source.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`source.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`source.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`source.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`source.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== url fields +=== url URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. 
@@ -4351,111 +4351,111 @@ URL fields provide support for complete or partial URLs, and supports the breaki *`url.domain`*:: + -- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + type: keyword example: www.elastic.co -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - -- *`url.fragment`*:: + -- -type: keyword - Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. +type: keyword + -- *`url.full`*:: + -- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - -- *`url.original`*:: + -- -type: keyword - -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + -- *`url.password`*:: + -- -type: keyword - Password of the request. +type: keyword + -- *`url.path`*:: + -- -type: keyword - Path of the request, such as "/search". +type: keyword + -- *`url.port`*:: + -- +Port of the request, such as 443. + type: long example: 443 -Port of the request, such as 443. 
- -- *`url.query`*:: + -- -type: keyword - The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. +type: keyword + -- *`url.scheme`*:: + -- +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. + type: keyword example: https -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. - -- *`url.username`*:: + -- -type: keyword - Username of the request. +type: keyword + -- [float] -== user fields +=== user The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. 
@@ -4464,73 +4464,73 @@ Fields can have one entry or multiple entries. If a user has more than one id, p *`user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== user_agent fields +=== user_agent The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string. 
@@ -4539,111 +4539,111 @@ They often show up in web service logs coming from the parsed user agent string. *`user_agent.device.name`*:: + -- +Name of the device. + type: keyword example: iPhone -Name of the device. - -- *`user_agent.name`*:: + -- +Name of the user agent. + type: keyword example: Safari -Name of the user agent. - -- *`user_agent.original`*:: + -- +Unparsed version of the user_agent. + type: keyword example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 -Unparsed version of the user_agent. - -- *`user_agent.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`user_agent.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`user_agent.os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`user_agent.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`user_agent.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`user_agent.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`user_agent.version`*:: + -- +Version of the user agent. + type: keyword example: 12.0 -Version of the user agent. - -- [[exported-fields-elasticsearch]] @@ -4654,7 +4654,7 @@ elasticsearch Module [float] -== elasticsearch fields +=== elasticsearch 
@@ -4662,93 +4662,93 @@ elasticsearch Module *`elasticsearch.component`*:: + -- +Elasticsearch component from where the log event originated + type: keyword example: o.e.c.m.MetaDataCreateIndexService -Elasticsearch component from where the log event originated - -- *`elasticsearch.cluster.uuid`*:: + -- +UUID of the cluster + type: keyword example: GmvrbHlNTiSVYiPf8kxg9g -UUID of the cluster - -- *`elasticsearch.cluster.name`*:: + -- +Name of the cluster + type: keyword example: docker-cluster -Name of the cluster - -- *`elasticsearch.node.id`*:: + -- +ID of the node + type: keyword example: DSiWcTyeThWtUXLB9J0BMw -ID of the node - -- *`elasticsearch.node.name`*:: + -- +Name of the node + type: keyword example: vWNJsZ3 -Name of the node - -- *`elasticsearch.index.name`*:: + -- +Index name + type: keyword example: filebeat-test-input -Index name - -- *`elasticsearch.index.id`*:: + -- +Index id + type: keyword example: aOGgDwbURfCV57AScqbCgw -Index id - -- *`elasticsearch.shard.id`*:: + -- +Id of the shard + type: keyword example: 0 -Id of the shard - -- [float] -== audit fields +=== audit 
@@ -4756,116 +4756,116 @@ Id of the shard *`elasticsearch.audit.layer`*:: + -- +The layer from which this event originated: rest, transport or ip_filter + type: keyword example: rest -The layer from which this event originated: rest, transport or ip_filter - -- *`elasticsearch.audit.event_type`*:: + -- +The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied + type: keyword example: access_granted -The type of event that occurred: anonymous_access_denied, authentication_failed, access_denied, access_granted, connection_granted, connection_denied, tampered_request, run_as_granted, run_as_denied - -- *`elasticsearch.audit.origin.type`*:: + -- +Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request) + type: keyword example: local_node -Where the request originated: rest (request originated from a REST API request), transport (request was received on the transport channel), local_node (the local node issued the request) - -- *`elasticsearch.audit.realm`*:: + -- -type: keyword - The authentication realm the authentication was validated against +type: keyword + -- *`elasticsearch.audit.user.realm`*:: + -- -type: keyword - The user's authentication realm, if authenticated +type: keyword + -- *`elasticsearch.audit.user.roles`*:: + -- +Roles to which the principal belongs + type: keyword example: ['kibana_user', 'beats_admin'] -Roles to which the principal belongs - -- *`elasticsearch.audit.action`*:: + -- +The name of the action that was executed + type: keyword example: cluster:monitor/main -The name of the action that was executed - -- *`elasticsearch.audit.url.params`*:: + -- -example: {username=jacknich2} - REST URI parameters +example: {username=jacknich2} + -- *`elasticsearch.audit.indices`*:: + -- 
+Indices accessed by action + type: keyword example: ['foo-2019.01.04', 'foo-2019.01.03', 'foo-2019.01.06'] -Indices accessed by action - -- *`elasticsearch.audit.request.id`*:: + -- +Unique ID of request + type: keyword example: WzL_kb6VSvOhAq0twPvHOQ -Unique ID of request - -- *`elasticsearch.audit.request.name`*:: + -- +The type of request that was executed + type: keyword example: ClearScrollRequest -The type of request that was executed - -- *`elasticsearch.audit.request_body`*:: @@ -4905,19 +4905,19 @@ alias to: user.name -- [float] -== deprecation fields +=== deprecation [float] -== gc fields +=== gc GC fileset fields. [float] -== phase fields +=== phase Fields specific to GC phase. @@ -4926,75 +4926,75 @@ Fields specific to GC phase. *`elasticsearch.gc.phase.name`*:: + -- -type: keyword - Name of the GC collection phase. +type: keyword + -- *`elasticsearch.gc.phase.duration_sec`*:: + -- -type: float - Collection phase duration according to the Java virtual machine. +type: float + -- *`elasticsearch.gc.phase.scrub_symbol_table_time_sec`*:: + -- -type: float - Pause time in seconds cleaning up symbol tables. +type: float + -- *`elasticsearch.gc.phase.scrub_string_table_time_sec`*:: + -- -type: float - Pause time in seconds cleaning up string tables. +type: float + -- *`elasticsearch.gc.phase.weak_refs_processing_time_sec`*:: + -- -type: float - Time spent processing weak references in seconds. +type: float + -- *`elasticsearch.gc.phase.parallel_rescan_time_sec`*:: + -- -type: float - Time spent in seconds marking live objects while application is stopped. +type: float + -- *`elasticsearch.gc.phase.class_unload_time_sec`*:: + -- -type: float - Time spent unloading unused classes in seconds. +type: float + -- [float] -== cpu_time fields +=== cpu_time Process CPU time spent performing collections. 
@@ -5003,75 +5003,75 @@ Process CPU time spent performing collections. *`elasticsearch.gc.phase.cpu_time.user_sec`*:: + -- -type: float - CPU time spent outside the kernel. +type: float + -- *`elasticsearch.gc.phase.cpu_time.sys_sec`*:: + -- -type: float - CPU time spent inside the kernel. +type: float + -- *`elasticsearch.gc.phase.cpu_time.real_sec`*:: + -- -type: float - Total elapsed CPU time spent to complete the collection from start to finish. +type: float + -- *`elasticsearch.gc.jvm_runtime_sec`*:: + -- -type: float - The time from JVM start up in seconds, as a floating point number. +type: float + -- *`elasticsearch.gc.threads_total_stop_time_sec`*:: + --- -type: float - +-- Garbage collection threads total stop time seconds. +type: float + -- *`elasticsearch.gc.stopping_threads_time_sec`*:: + -- -type: float - Time took to stop threads seconds. +type: float + -- *`elasticsearch.gc.tags`*:: + -- -type: keyword - GC logging tags. +type: keyword + -- [float] -== heap fields +=== heap Heap allocation and total size. @@ -5080,25 +5080,25 @@ Heap allocation and total size. *`elasticsearch.gc.heap.size_kb`*:: + -- -type: integer - Total heap size in kilobytes. +type: integer + -- *`elasticsearch.gc.heap.used_kb`*:: + -- -type: integer - Used heap in kilobytes. +type: integer + -- [float] -== old_gen fields +=== old_gen Old generation occupancy and total size. @@ -5107,25 +5107,25 @@ Old generation occupancy and total size. *`elasticsearch.gc.old_gen.size_kb`*:: + -- -type: integer - Total size of old generation in kilobytes. +type: integer + -- *`elasticsearch.gc.old_gen.used_kb`*:: + -- -type: integer - Old generation occupancy in kilobytes. +type: integer + -- [float] -== young_gen fields +=== young_gen Young generation occupancy and total size. 
@@ -5134,25 +5134,25 @@ Young generation occupancy and total size. *`elasticsearch.gc.young_gen.size_kb`*:: + -- -type: integer - Total size of young generation in kilobytes. +type: integer + -- *`elasticsearch.gc.young_gen.used_kb`*:: + -- -type: integer - Young generation occupancy in kilobytes. +type: integer + -- [float] -== server fields +=== server Server log file @@ -5165,13 +5165,13 @@ Field is not indexed. -- [float] -== gc fields +=== gc GC log [float] -== young fields +=== young Young GC @@ -5179,60 +5179,60 @@ Young GC *`elasticsearch.server.gc.young.one`*:: + -- -type: long -example: +type: long +example: -- *`elasticsearch.server.gc.young.two`*:: + -- -type: long -example: +type: long +example: -- *`elasticsearch.server.gc.overhead_seq`*:: + -- +Sequence number + type: long example: 3449992 -Sequence number - -- *`elasticsearch.server.gc.collection_duration.ms`*:: + -- +Time spent in GC, in milliseconds + type: float example: 1600 -Time spent in GC, in milliseconds - -- *`elasticsearch.server.gc.observation_duration.ms`*:: + -- +Total time over which collection was observed, in milliseconds + type: float example: 1800 -Total time over which collection was observed, in milliseconds - -- [float] -== slowlog fields +=== slowlog Slowlog events from Elasticsearch 
@@ -5240,133 +5240,133 @@ Slowlog events from Elasticsearch *`elasticsearch.slowlog.logger`*:: + -- +Logger name + type: keyword example: index.search.slowlog.fetch -Logger name - -- *`elasticsearch.slowlog.took`*:: + -- +Time it took to execute the query + type: keyword example: 300ms -Time it took to execute the query - -- *`elasticsearch.slowlog.types`*:: + -- +Types + type: keyword example: -Types - -- *`elasticsearch.slowlog.stats`*:: + -- +Stats groups + type: keyword example: group1 -Stats groups - -- *`elasticsearch.slowlog.search_type`*:: + -- +Search type + type: keyword example: QUERY_THEN_FETCH -Search type - -- *`elasticsearch.slowlog.source_query`*:: + -- +Slow query + type: keyword example: {"query":{"match_all":{"boost":1.0}}} -Slow query - -- *`elasticsearch.slowlog.extra_source`*:: + -- +Extra source information + type: keyword example: -Extra source information - -- *`elasticsearch.slowlog.total_hits`*:: + -- +Total hits + type: keyword example: 42 -Total hits - -- *`elasticsearch.slowlog.total_shards`*:: + -- +Total queried shards + type: keyword example: 22 -Total queried shards - -- *`elasticsearch.slowlog.routing`*:: + -- +Routing + type: keyword example: s01HZ2QBk9jw4gtgaFtn -Routing - -- *`elasticsearch.slowlog.id`*:: + -- +Id + type: keyword example: -Id - -- *`elasticsearch.slowlog.type`*:: + -- +Type + type: keyword example: doc -Type - -- [[exported-fields-envoyproxy]] @@ -5377,7 +5377,7 @@ Module for handling logs produced by envoy [float] -== envoyproxy fields +=== envoyproxy Fields from envoy proxy logs after normalization 
@@ -5386,63 +5386,63 @@ Fields from envoy proxy logs after normalization *`envoyproxy.log_type`*:: + -- -type: keyword - Envoy log type, normally ACCESS +type: keyword + -- *`envoyproxy.response_flags`*:: + -- -type: keyword - Response flags +type: keyword + -- *`envoyproxy.upstream_service_time`*:: + -- -type: long +Upstream service time in nanoseconds -format: duration -Upstream service time in nanoseconds +type: long +format: duration -- *`envoyproxy.request_id`*:: + -- -type: keyword - ID of the request +type: keyword + -- *`envoyproxy.authority`*:: + -- -type: keyword - Envoy proxy authority field +type: keyword + -- *`envoyproxy.proxy_type`*:: + -- -type: keyword - Envoy proxy type, tcp or http +type: keyword + -- [[exported-fields-haproxy]] @@ -5453,7 +5453,7 @@ haproxy Module [float] -== haproxy fields +=== haproxy @@ -5482,64 +5482,64 @@ Name of the last server to which the connection was sent. *`haproxy.total_waiting_time_ms`*:: + -- -type: long - Total time in milliseconds spent waiting in the various queues +type: long + -- *`haproxy.connection_wait_time_ms`*:: + -- -type: long - Total time in milliseconds spent waiting for the connection to establish to the final server +type: long + -- *`haproxy.bytes_read`*:: + -- -type: long - Total number of bytes transmitted to the client when the log is emitted. +type: long + -- *`haproxy.time_queue`*:: + -- -type: long - Total time in milliseconds spent waiting in the various queues. +type: long + -- *`haproxy.time_backend_connect`*:: + -- -type: long - Total time in milliseconds spent waiting for the connection to establish to the final server, including retries. +type: long + -- *`haproxy.server_queue`*:: + -- -type: long - Total number of requests which were processed before this one in the server queue. +type: long + -- *`haproxy.backend_queue`*:: + -- -type: long - Total number of requests which were processed before this one in the backend's global queue. +type: long + -- *`haproxy.bind_name`*:: 
@@ -5552,19 +5552,19 @@ Name of the listening address which received the connection. *`haproxy.error_message`*:: + -- -type: text - Error message logged by HAProxy in case of error. +type: text + -- *`haproxy.source`*:: + -- -type: keyword - The HAProxy source of the log +type: keyword + -- *`haproxy.termination_state`*:: @@ -5577,14 +5577,14 @@ Condition the session was in when the session ended. *`haproxy.mode`*:: + -- -type: keyword - mode that the frontend is operating (TCP or HTTP) +type: keyword + -- [float] -== connections fields +=== connections Contains various counts of connections active in the process. @@ -5592,50 +5592,50 @@ Contains various counts of connections active in the process. *`haproxy.connections.active`*:: + -- -type: long - Total number of concurrent connections on the process when the session was logged. +type: long + -- *`haproxy.connections.frontend`*:: + -- -type: long - Total number of concurrent connections on the frontend when the session was logged. +type: long + -- *`haproxy.connections.backend`*:: + -- -type: long - Total number of concurrent connections handled by the backend when the session was logged. +type: long + -- *`haproxy.connections.server`*:: + -- -type: long - Total number of concurrent connections still active on the server when the session was logged. +type: long + -- *`haproxy.connections.retries`*:: + -- -type: long - Number of connection retries experienced by this session when trying to connect to the server. +type: long + -- [float] -== client fields +=== client Information about the client doing the request @@ -5677,7 +5677,7 @@ alias to: process.pid -- [float] -== destination fields +=== destination Destination information @@ -5701,7 +5701,7 @@ alias to: destination.ip -- [float] -== geoip fields +=== geoip Contains GeoIP information gathered based on the client.ip field. Only present if the GeoIP Elasticsearch plugin is available and used. 
@@ -5762,13 +5762,13 @@ alias to: source.geo.region_iso_code -- [float] -== http fields +=== http Please add description [float] -== response fields +=== response Fields related to the HTTP response @@ -5784,11 +5784,11 @@ Optional "name=value" entry indicating that the client had this cookie in the re *`haproxy.http.response.captured_headers`*:: + -- -type: keyword - List of headers captured in the response due to the presence of the "capture response header" statement in the frontend. +type: keyword + -- *`haproxy.http.response.status_code`*:: @@ -5801,7 +5801,7 @@ alias to: http.response.status_code -- [float] -== request fields +=== request Fields related to the HTTP request @@ -5817,42 +5817,42 @@ Optional "name=value" entry indicating that the server has returned a cookie wit *`haproxy.http.request.captured_headers`*:: + -- -type: keyword - List of headers captured in the request due to the presence of the "capture request header" statement in the frontend. +type: keyword + -- *`haproxy.http.request.raw_request_line`*:: + -- -type: keyword - Complete HTTP request line, including the method, request and HTTP version string. +type: keyword + -- *`haproxy.http.request.time_wait_without_data_ms`*:: + -- -type: long - Total time in milliseconds spent waiting for the server to send a full HTTP response, not counting data. +type: long + -- *`haproxy.http.request.time_wait_ms`*:: + -- -type: long - Total time in milliseconds spent waiting for a full HTTP request from the client (not counting body) after the first byte was received. +type: long + -- [float] -== tcp fields +=== tcp TCP log format @@ -5860,10 +5860,10 @@ TCP log format *`haproxy.tcp.connection_waiting_time_ms`*:: + -- -type: long - Total time in milliseconds elapsed between the accept and the last close +type: long + -- [[exported-fields-host-processor]] 
@@ -5877,34 +5877,34 @@ Info collected for the host machine. *`host.containerized`*:: + -- -type: boolean - If the host is a container. +type: boolean + -- *`host.os.build`*:: + -- -type: keyword +OS build information. -example: 18D109 -OS build information. +type: keyword +example: 18D109 -- *`host.os.codename`*:: + -- -type: keyword +OS codename, if any. -example: stretch -OS codename, if any. +type: keyword +example: stretch -- @@ -5916,13 +5916,13 @@ Icinga Module [float] -== icinga fields +=== icinga [float] -== debug fields +=== debug Contains fields for the Icinga debug logs. @@ -5931,11 +5931,11 @@ Contains fields for the Icinga debug logs. *`icinga.debug.facility`*:: + -- -type: keyword - Specifies what component of Icinga logged the message. +type: keyword + -- *`icinga.debug.severity`*:: @@ -5957,7 +5957,7 @@ alias to: message -- [float] -== main fields +=== main Contains fields for the Icinga main logs. @@ -5966,11 +5966,11 @@ Contains fields for the Icinga main logs. *`icinga.main.facility`*:: + -- -type: keyword - Specifies what component of Icinga logged the message. +type: keyword + -- *`icinga.main.severity`*:: @@ -5992,7 +5992,7 @@ alias to: message -- [float] -== startup fields +=== startup Contains fields for the Icinga startup logs. @@ -6001,11 +6001,11 @@ Contains fields for the Icinga startup logs. *`icinga.startup.facility`*:: + -- -type: keyword - Specifies what component of Icinga logged the message. +type: keyword + -- *`icinga.startup.severity`*:: @@ -6034,14 +6034,14 @@ Module for parsing IIS log files. [float] -== iis fields +=== iis Fields from IIS log files. [float] -== access fields +=== access Contains fields for IIS access logs. 
@@ -6050,51 +6050,51 @@ Contains fields for IIS access logs. *`iis.access.sub_status`*:: + -- -type: long - The HTTP substatus code. +type: long + -- *`iis.access.win32_status`*:: + -- -type: long - The Windows status code. +type: long + -- *`iis.access.site_name`*:: + -- -type: keyword - The site name and instance number. +type: keyword + -- *`iis.access.server_name`*:: + -- -type: keyword - The name of the server on which the log file entry was generated. +type: keyword + -- *`iis.access.cookie`*:: + -- -type: keyword - The content of the cookie sent or received, if any. +type: keyword + -- *`iis.access.body_received.bytes`*:: @@ -6316,7 +6316,7 @@ alias to: source.geo.region_iso_code -- [float] -== error fields +=== error Contains fields for IIS error logs. @@ -6325,21 +6325,21 @@ Contains fields for IIS error logs. *`iis.error.reason_phrase`*:: + -- -type: keyword - The HTTP reason phrase. +type: keyword + -- *`iis.error.queue_name`*:: + -- -type: keyword - The IIS application pool name. +type: keyword + -- *`iis.error.remote_ip`*:: @@ -6477,7 +6477,7 @@ Module for handling the iptables logs. [float] -== iptables fields +=== iptables Fields from the iptables logs. @@ -6486,45 +6486,45 @@ Fields from the iptables logs. *`iptables.ether_type`*:: + -- -type: long - Value of the ethernet type field identifying the network layer protocol. +type: long + -- *`iptables.flow_label`*:: + -- -type: integer - IPv6 flow label. +type: integer + -- *`iptables.fragment_flags`*:: + -- -type: keyword - IP fragment flags. A combination of CE, DF and MF. +type: keyword + -- *`iptables.fragment_offset`*:: + -- -type: long - Offset of the current IP fragment. +type: long + -- [float] -== icmp fields +=== icmp ICMP fields. 
@@ -6533,135 +6533,135 @@ ICMP fields. *`iptables.icmp.code`*:: + -- -type: long - ICMP code. +type: long + -- *`iptables.icmp.id`*:: + -- -type: long - ICMP ID. +type: long + -- *`iptables.icmp.parameter`*:: + -- -type: long - ICMP parameter. +type: long + -- *`iptables.icmp.redirect`*:: + -- -type: ip - ICMP redirect address. +type: ip + -- *`iptables.icmp.seq`*:: + -- -type: long - ICMP sequence number. +type: long + -- *`iptables.icmp.type`*:: + -- -type: long - ICMP type. +type: long + -- *`iptables.id`*:: + -- -type: long - Packet identifier. +type: long + -- *`iptables.incomplete_bytes`*:: + -- -type: long - Number of incomplete bytes. +type: long + -- *`iptables.input_device`*:: + -- -type: keyword - Device that received the packet. +type: keyword + -- *`iptables.precedence_bits`*:: + -- -type: short - IP precedence bits. +type: short + -- *`iptables.tos`*:: + -- -type: long - IP Type of Service field. +type: long + -- *`iptables.length`*:: + -- -type: long - Packet length. +type: long + -- *`iptables.output_device`*:: + -- -type: keyword - Device that output the packet. +type: keyword + -- [float] -== tcp fields +=== tcp TCP fields. @@ -6670,65 +6670,65 @@ TCP fields. *`iptables.tcp.flags`*:: + -- -type: keyword - TCP flags. +type: keyword + -- *`iptables.tcp.reserved_bits`*:: + -- -type: short - TCP reserved bits. +type: short + -- *`iptables.tcp.seq`*:: + -- -type: long - TCP sequence number. +type: long + -- *`iptables.tcp.ack`*:: + -- -type: long - TCP Acknowledgment number. +type: long + -- *`iptables.tcp.window`*:: + -- -type: long - Advertised TCP window size. +type: long + -- *`iptables.ttl`*:: + -- -type: integer - Time To Live field. +type: integer + -- [float] -== udp fields +=== udp UDP fields. @@ -6737,15 +6737,15 @@ UDP fields. *`iptables.udp.length`*:: + -- -type: long - Length of the UDP header and payload. +type: long + -- [float] -== ubiquiti fields +=== ubiquiti Fields for Ubiquiti network devices. 
@@ -6754,39 +6754,39 @@ Fields for Ubiquiti network devices. *`iptables.ubiquiti.input_zone`*:: + -- -type: keyword - Input zone. +type: keyword + -- *`iptables.ubiquiti.output_zone`*:: + -- -type: keyword - Output zone. +type: keyword + -- *`iptables.ubiquiti.rule_number`*:: + -- -type: keyword - The rule number within the rule set. +type: keyword + -- *`iptables.ubiquiti.rule_set`*:: + -- -type: keyword - The rule set name. +type: keyword + -- [[exported-fields-jolokia-autodiscover]] @@ -6799,71 +6799,71 @@ Metadata from Jolokia Discovery added by the jolokia provider. *`jolokia.agent.version`*:: + -- -type: keyword - Version number of jolokia agent. +type: keyword + -- *`jolokia.agent.id`*:: + -- -type: keyword - Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. +type: keyword + -- *`jolokia.server.product`*:: + -- -type: keyword - The container product if detected. +type: keyword + -- *`jolokia.server.version`*:: + -- -type: keyword - The container's version (if detected). +type: keyword + -- *`jolokia.server.vendor`*:: + -- -type: keyword - The vendor of the container the agent is running in. +type: keyword + -- *`jolokia.url`*:: + -- -type: keyword - The URL how this agent can be contacted. +type: keyword + -- *`jolokia.secured`*:: + -- -type: boolean - Whether the agent was configured for authentication or not. +type: boolean + -- [[exported-fields-kafka]] @@ -6874,13 +6874,13 @@ Kafka module [float] -== kafka fields +=== kafka [float] -== log fields +=== log Kafka log lines. 
@@ -6907,25 +6907,25 @@ alias to: message *`kafka.log.component`*:: + -- -type: keyword - Component the log is coming from. +type: keyword + -- *`kafka.log.class`*:: + -- -type: keyword - Java class the log is coming from. +type: keyword + -- [float] -== trace fields +=== trace Trace in the log line. @@ -6934,21 +6934,21 @@ Trace in the log line. *`kafka.log.trace.class`*:: + -- -type: keyword - Java class the trace is coming from. +type: keyword + -- *`kafka.log.trace.message`*:: + -- -type: text - Message part of the trace. +type: text + -- [[exported-fields-kibana]] @@ -6959,13 +6959,13 @@ kibana Module [float] -== kibana fields +=== kibana [float] -== log fields +=== log Kafka log lines. @@ -6974,21 +6974,21 @@ Kafka log lines. *`kibana.log.tags`*:: + -- -type: keyword - Kibana logging tags. +type: keyword + -- *`kibana.log.state`*:: + -- -type: keyword - Current state of Kibana. +type: keyword + -- *`kibana.log.meta`*:: 
@@ -7072,111 +7072,111 @@ Kubernetes metadata added by the kubernetes processor *`kubernetes.pod.name`*:: + -- -type: keyword - Kubernetes pod name +type: keyword + -- *`kubernetes.pod.uid`*:: + -- -type: keyword - Kubernetes Pod UID +type: keyword + -- *`kubernetes.namespace`*:: + -- -type: keyword - Kubernetes namespace +type: keyword + -- *`kubernetes.node.name`*:: + -- -type: keyword - Kubernetes node name +type: keyword + -- *`kubernetes.labels`*:: + -- -type: object - Kubernetes labels map +type: object + -- *`kubernetes.annotations`*:: + -- -type: object - Kubernetes annotations map +type: object + -- *`kubernetes.replicaset.name`*:: + -- -type: keyword - Kubernetes replicaset name +type: keyword + -- *`kubernetes.deployment.name`*:: + -- -type: keyword - Kubernetes deployment name +type: keyword + -- *`kubernetes.statefulset.name`*:: + -- -type: keyword - Kubernetes statefulset name +type: keyword + -- *`kubernetes.container.name`*:: + -- -type: keyword - Kubernetes container name +type: keyword + -- *`kubernetes.container.image`*:: + -- -type: keyword - Kubernetes container image +type: keyword + -- [[exported-fields-log]] 
@@ -7189,130 +7189,130 @@ Contains log file lines. *`log.file.path`*:: + -- -type: keyword +The file from which the line was read. This field contains the absolute path to the file. For example: `/var/log/system.log`. -required: False -The file from which the line was read. This field contains the absolute path to the file. For example: `/var/log/system.log`. +type: keyword +required: False -- *`log.source.address`*:: + -- -type: keyword +Source address from which the log event was read / sent from. -required: False -Source address from which the log event was read / sent from. +type: keyword +required: False -- *`log.offset`*:: + -- -type: long +The file offset the reported line starts at. -required: False -The file offset the reported line starts at. +type: long +required: False -- *`stream`*:: + -- -type: keyword +Log stream when reading container logs, can be 'stdout' or 'stderr' -required: False -Log stream when reading container logs, can be 'stdout' or 'stderr' +type: keyword +required: False -- *`input.type`*:: + -- -required: True - The input type from which the event was generated. This field is set to the value specified for the `type` option in the input section of the Filebeat config file. +required: True + -- *`event.sequence`*:: + -- -type: long +The sequence number of this event. -required: False -The sequence number of this event. +type: long +required: False -- *`syslog.facility`*:: + -- -type: long +The facility extracted from the priority. -required: False -The facility extracted from the priority. +type: long +required: False -- *`syslog.priority`*:: + -- -type: long +The priority of the syslog event. -required: False -The priority of the syslog event. +type: long +required: False -- *`syslog.severity_label`*:: + -- -type: keyword +The human readable severity. -required: False -The human readable severity. +type: keyword +required: False -- *`syslog.facility_label`*:: + -- -type: keyword +The human readable facility. 
-required: False -The human readable facility. +type: keyword +required: False -- *`process.program`*:: + -- -type: keyword +The name of the program. -required: False -The name of the program. +type: keyword +required: False -- @@ -7345,11 +7345,11 @@ type: keyword *`fileset.name`*:: + -- -type: keyword - The Filebeat fileset that generated this event. +type: keyword + -- *`fileset.module`*:: @@ -7378,13 +7378,13 @@ logstash Module [float] -== logstash fields +=== logstash [float] -== log fields +=== log Fields from the Logstash logs. @@ -7393,21 +7393,23 @@ Fields from the Logstash logs. *`logstash.log.module`*:: + -- -type: keyword - The module or class where the event originate. +type: keyword + -- *`logstash.log.thread`*:: + -- -type: keyword - Information about the running thread where the log originate. +type: keyword + +-- + *`logstash.log.thread.text`*:: + -- @@ -7415,16 +7417,14 @@ type: text -- --- - *`logstash.log.log_event`*:: + -- -type: object - key and value debugging information. +type: object + -- *`logstash.log.message`*:: @@ -7446,7 +7446,7 @@ alias to: log.level -- [float] -== slowlog fields +=== slowlog slowlog @@ -7455,21 +7455,23 @@ slowlog *`logstash.slowlog.module`*:: + -- -type: keyword - The module or class where the event originate. +type: keyword + -- *`logstash.slowlog.thread`*:: + -- -type: keyword - Information about the running thread where the log originate. +type: keyword + +-- + *`logstash.slowlog.thread.text`*:: + -- @@ -7477,16 +7479,16 @@ type: text -- --- - *`logstash.slowlog.event`*:: + -- -type: keyword - Raw dump of the original event +type: keyword + +-- + *`logstash.slowlog.event.text`*:: + -- 
@@ -7494,46 +7496,46 @@ type: text -- --- - *`logstash.slowlog.plugin_name`*:: + -- -type: keyword - Name of the plugin +type: keyword + -- *`logstash.slowlog.plugin_type`*:: + -- -type: keyword - Type of the plugin: Inputs, Filters, Outputs or Codecs. +type: keyword + -- *`logstash.slowlog.took_in_millis`*:: + -- -type: long - Execution time for the plugin in milliseconds. +type: long + -- *`logstash.slowlog.plugin_params`*:: + -- -type: keyword - String value of the plugin configuration +type: keyword + +-- + *`logstash.slowlog.plugin_params.text`*:: + -- @@ -7541,16 +7543,14 @@ type: text -- --- - *`logstash.slowlog.plugin_params_object`*:: + -- -type: object - key -> value of the configuration used by the plugin. +type: object + -- *`logstash.slowlog.level`*:: @@ -7579,14 +7579,14 @@ Module for parsing MongoDB log files. [float] -== mongodb fields +=== mongodb Fields from MongoDB logs. [float] -== log fields +=== log Contains fields from MongoDB logs. @@ -7595,24 +7595,24 @@ Contains fields from MongoDB logs. *`mongodb.log.component`*:: + -- -type: keyword +Functional categorization of message -example: COMMAND -Functional categorization of message +type: keyword +example: COMMAND -- *`mongodb.log.context`*:: + -- -type: keyword +Context of message -example: initandlisten -Context of message +type: keyword +example: initandlisten -- @@ -7642,7 +7642,7 @@ Module for parsing the MySQL log files. [float] -== mysql fields +=== mysql Fields from the MySQL log files. @@ -7651,15 +7651,15 @@ Fields from the MySQL log files. *`mysql.thread_id`*:: + -- -type: long - The connection or thread ID for the query. +type: long + -- [float] -== error fields +=== error Contains fields from the MySQL error logs. @@ -7693,7 +7693,7 @@ alias to: message -- [float] -== slowlog fields +=== slowlog Contains fields from the MySQL slow logs. 
@@ -7702,64 +7702,64 @@ Contains fields from the MySQL slow logs. *`mysql.slowlog.lock_time.sec`*:: + -- -type: float - The amount of time the query waited for the lock to be available. The value is in seconds, as a floating point number. +type: float + -- *`mysql.slowlog.rows_sent`*:: + -- -type: long - The number of rows returned by the query. +type: long + -- *`mysql.slowlog.rows_examined`*:: + -- -type: long - The number of rows scanned by the query. +type: long + -- *`mysql.slowlog.rows_affected`*:: + -- -type: long - The number of rows modified by the query. +type: long + -- *`mysql.slowlog.bytes_sent`*:: + -- -type: long +The number of bytes sent to client. -format: bytes -The number of bytes sent to client. +type: long +format: bytes -- *`mysql.slowlog.bytes_received`*:: + -- -type: long +The number of bytes received from client. -format: bytes -The number of bytes received from client. +type: long +format: bytes -- 
@@ -7783,296 +7783,296 @@ alias to: mysql.thread_id *`mysql.slowlog.schema`*:: + -- -type: keyword - The schema where the slow query was executed. +type: keyword + -- *`mysql.slowlog.current_user`*:: + -- -type: keyword - Current authenticated user, used to determine access privileges. Can differ from the value for user. +type: keyword + -- *`mysql.slowlog.last_errno`*:: + -- -type: keyword - Last SQL error seen. +type: keyword + -- *`mysql.slowlog.killed`*:: + -- -type: keyword - Code of the reason if the query was killed. +type: keyword + -- *`mysql.slowlog.query_cache_hit`*:: + -- -type: boolean - Whether the query cache was hit. +type: boolean + -- *`mysql.slowlog.tmp_table`*:: + -- -type: boolean - Whether a temporary table was used to resolve the query. +type: boolean + -- *`mysql.slowlog.tmp_table_on_disk`*:: + -- -type: boolean - Whether the query needed temporary tables on disk. +type: boolean + -- *`mysql.slowlog.tmp_tables`*:: + -- -type: long - Number of temporary tables created for this query +type: long + -- *`mysql.slowlog.tmp_disk_tables`*:: + -- -type: long - Number of temporary tables created on disk for this query. +type: long + -- *`mysql.slowlog.tmp_table_sizes`*:: + -- +Size of temporary tables created for this query. + type: long format: bytes -Size of temporary tables created for this query. - -- *`mysql.slowlog.filesort`*:: + -- -type: boolean - Whether filesort optimization was used. +type: boolean + -- *`mysql.slowlog.filesort_on_disk`*:: + -- -type: boolean - Whether filesort optimization was used and it needed temporary tables on disk. +type: boolean + -- *`mysql.slowlog.priority_queue`*:: + -- -type: boolean - Whether a priority queue was used for filesort. +type: boolean + -- *`mysql.slowlog.full_scan`*:: + -- -type: boolean - Whether a full table scan was needed for the slow query. 
+type: boolean + -- *`mysql.slowlog.full_join`*:: + -- -type: boolean - Whether a full join was needed for the slow query (no indexes were used for joins). +type: boolean + -- *`mysql.slowlog.merge_passes`*:: + -- -type: long - Number of merge passes executed for the query. +type: long + -- *`mysql.slowlog.sort_merge_passes`*:: + -- -type: long - Number of merge passes that the sort algorithm has had to do. +type: long + -- *`mysql.slowlog.sort_range_count`*:: + -- -type: long - Number of sorts that were done using ranges. +type: long + -- *`mysql.slowlog.sort_rows`*:: + -- -type: long - Number of sorted rows. +type: long + -- *`mysql.slowlog.sort_scan_count`*:: + -- -type: long - Number of sorts that were done by scanning the table. +type: long + -- *`mysql.slowlog.log_slow_rate_type`*:: + -- -type: keyword - Type of slow log rate limit, it can be `session` if the rate limit is applied per session, or `query` if it applies per query. +type: keyword + -- *`mysql.slowlog.log_slow_rate_limit`*:: + -- -type: keyword - Slow log rate limit, a value of 100 means that one in a hundred queries or sessions are being logged. +type: keyword + -- *`mysql.slowlog.read_first`*:: + -- -type: long - The number of times the first entry in an index was read. +type: long + -- *`mysql.slowlog.read_last`*:: + -- -type: long - The number of times the last key in an index was read. +type: long + -- *`mysql.slowlog.read_key`*:: + -- -type: long - The number of requests to read a row based on a key. +type: long + -- *`mysql.slowlog.read_next`*:: + -- -type: long - The number of requests to read the next row in key order. +type: long + -- *`mysql.slowlog.read_prev`*:: + -- -type: long - The number of requests to read the previous row in key order. +type: long + -- *`mysql.slowlog.read_rnd`*:: + -- -type: long - The number of requests to read a row based on a fixed position. 
+type: long + -- *`mysql.slowlog.read_rnd_next`*:: + -- -type: long - The number of requests to read the next row in the data file. +type: long + -- [float] -== innodb fields +=== innodb Contains fields relative to InnoDB engine @@ -8081,73 +8081,73 @@ Contains fields relative to InnoDB engine *`mysql.slowlog.innodb.trx_id`*:: + -- -type: keyword - Transaction ID +type: keyword + -- *`mysql.slowlog.innodb.io_r_ops`*:: + -- -type: long - Number of page read operations. +type: long + -- *`mysql.slowlog.innodb.io_r_bytes`*:: + -- -type: long +Bytes read during page read operations. -format: bytes -Bytes read during page read operations. +type: long +format: bytes -- *`mysql.slowlog.innodb.io_r_wait.sec`*:: + -- -type: long - How long it took to read all needed data from storage. +type: long + -- *`mysql.slowlog.innodb.rec_lock_wait.sec`*:: + -- -type: long - How long the query waited for locks. +type: long + -- *`mysql.slowlog.innodb.queue_wait.sec`*:: + -- -type: long - How long the query waited to enter the InnoDB queue and to be executed once in the queue. +type: long + -- *`mysql.slowlog.innodb.pages_distinct`*:: + -- -type: long - Approximated count of pages accessed to execute the query. +type: long + -- *`mysql.slowlog.user`*:: @@ -8185,21 +8185,21 @@ Module for parsing NATS log files. [float] -== nats fields +=== nats Fields from NATS logs. [float] -== log fields +=== log Nats log files [float] -== client fields +=== client Fields from NATS logs client. @@ -8208,15 +8208,15 @@ Fields from NATS logs client. *`nats.log.client.id`*:: + -- -type: integer - The id of the client +type: integer + -- [float] -== msg fields +=== msg Fields from NATS logs message. 
@@ -8225,83 +8225,83 @@ Fields from NATS logs message. *`nats.log.msg.bytes`*:: + -- -type: long +Size of the payload in bytes -format: bytes -Size of the payload in bytes +type: long +format: bytes -- *`nats.log.msg.type`*:: + -- -type: keyword - The protocol message type +type: keyword + -- *`nats.log.msg.subject`*:: + -- -type: keyword - Subject name this message was received on +type: keyword + -- *`nats.log.msg.sid`*:: + -- -type: integer - The unique alphanumeric subscription ID of the subject +type: integer + -- *`nats.log.msg.reply_to`*:: + -- -type: keyword - The inbox subject on which the publisher is listening for responses +type: keyword + -- *`nats.log.msg.max_messages`*:: + -- -type: integer - An optional number of messages to wait for before automatically unsubscribing +type: integer + -- *`nats.log.msg.error.message`*:: + -- -type: text - Details about the error occurred +type: text + -- *`nats.log.msg.queue_group`*:: + -- -type: text - The queue group which subscriber will join +type: text + -- [[exported-fields-netflow]] @@ -8312,7 +8312,7 @@ Fields from NetFlow and IPFIX flows. [float] -== netflow fields +=== netflow Fields from NetFlow and IPFIX. @@ -8321,15 +8321,15 @@ Fields from NetFlow and IPFIX. *`netflow.type`*:: + -- -type: keyword - The type of NetFlow record described by this event. +type: keyword + -- [float] -== exporter fields +=== exporter Metadata related to the exporter device that generated this record. 
@@ -8338,51 +8338,51 @@ Metadata related to the exporter device that generated this record. *`netflow.exporter.address`*:: + -- -type: keyword - Exporter's network address in IP:port format. +type: keyword + -- *`netflow.exporter.source_id`*:: + -- -type: long - Observation domain ID to which this record belongs. +type: long + -- *`netflow.exporter.timestamp`*:: + -- -type: date - Time and date of export. +type: date + -- *`netflow.exporter.uptime_millis`*:: + -- -type: long - How long the exporter process has been running, in milliseconds. +type: long + -- *`netflow.exporter.version`*:: + -- -type: long - NetFlow version used. +type: long + -- *`netflow.octet_delta_count`*:: @@ -11521,14 +11521,14 @@ Module for parsing the Nginx log files. [float] -== nginx fields +=== nginx Fields from the Nginx log files. [float] -== access fields +=== access Contains fields for the Nginx access logs. @@ -11537,11 +11537,11 @@ Contains fields for the Nginx access logs. *`nginx.access.remote_ip_list`*:: + -- -type: array - An array of remote IP addresses. It is a list because it is common to include, besides the client IP address, IP addresses from headers like `X-Forwarded-For`. Real source IP is restored to `source.ip`. +type: array + -- *`nginx.access.body_sent.bytes`*:: @@ -11718,7 +11718,7 @@ alias to: source.geo.region_iso_code -- [float] -== error fields +=== error Contains fields for the Nginx error logs. @@ -11727,11 +11727,11 @@ Contains fields for the Nginx error logs. *`nginx.error.connection_id`*:: + -- -type: long - Connection identifier. +type: long + -- *`nginx.error.level`*:: @@ -11778,13 +11778,13 @@ Fields exported by the `osquery` module [float] -== osquery fields +=== osquery [float] -== result fields +=== result Common fields exported by the result metricset. 
@@ -11793,41 +11793,41 @@ Common fields exported by the result metricset. *`osquery.result.name`*:: + -- -type: keyword - The name of the query that generated this event. +type: keyword + -- *`osquery.result.action`*:: + -- -type: keyword - For incremental data, marks whether the entry was added or removed. It can be one of "added", "removed", or "snapshot". +type: keyword + -- *`osquery.result.host_identifier`*:: + -- -type: keyword - The identifier for the host on which the osquery agent is running. Normally the hostname. +type: keyword + -- *`osquery.result.unix_time`*:: + -- -type: long - Unix timestamp of the event, in seconds since the epoch. Used for computing the `@timestamp` column. +type: long + -- *`osquery.result.calendar_time`*:: @@ -11846,14 +11846,14 @@ Module for Palo Alto Networks (PAN-OS) [float] -== panw fields +=== panw Fields from the panw module. [float] -== panos fields +=== panos Fields for the Palo Alto Networks PAN-OS logs. @@ -11862,15 +11862,15 @@ Fields for the Palo Alto Networks PAN-OS logs. *`panw.panos.ruleset`*:: + -- -type: keyword - Name of the rule that matched this session. +type: keyword + -- [float] -== source fields +=== source Fields to extend the top-level source object. @@ -11879,25 +11879,25 @@ Fields to extend the top-level source object. *`panw.panos.source.zone`*:: + -- -type: keyword - Source zone for this session. +type: keyword + -- *`panw.panos.source.interface`*:: + -- -type: keyword - Source interface for this session. +type: keyword + -- [float] -== nat fields +=== nat Post-NAT source address, if source NAT is performed. @@ -11906,25 +11906,25 @@ Post-NAT source address, if source NAT is performed. *`panw.panos.source.nat.ip`*:: + -- -type: ip - Post-NAT source IP. +type: ip + -- *`panw.panos.source.nat.port`*:: + -- -type: long - Post-NAT source port. +type: long + -- [float] -== destination fields +=== destination Fields to extend the top-level destination object. 
@@ -11933,25 +11933,25 @@ Fields to extend the top-level destination object. *`panw.panos.destination.zone`*:: + -- -type: keyword - Destination zone for this session. +type: keyword + -- *`panw.panos.destination.interface`*:: + -- -type: keyword - Destination interface for this session. +type: keyword + -- [float] -== nat fields +=== nat Post-NAT destination address, if destination NAT is performed. @@ -11960,25 +11960,25 @@ Post-NAT destination address, if destination NAT is performed. *`panw.panos.destination.nat.ip`*:: + -- -type: ip - Post-NAT destination IP. +type: ip + -- *`panw.panos.destination.nat.port`*:: + -- -type: long - Post-NAT destination port. +type: long + -- [float] -== network fields +=== network Fields to extend the top-level network object. @@ -11987,26 +11987,26 @@ Fields to extend the top-level network object. *`panw.panos.network.pcap_id`*:: + -- -type: keyword - Packet capture ID for a threat. +type: keyword + -- *`panw.panos.network.nat.community_id`*:: + -- -type: keyword - Community ID flow-hash for the NAT 5-tuple. +type: keyword + -- [float] -== file fields +=== file Fields to extend the top-level file object. @@ -12015,15 +12015,15 @@ Fields to extend the top-level file object. *`panw.panos.file.hash`*:: + -- -type: keyword - Binary hash for a threat file sent to be analyzed by the WildFire service. +type: keyword + -- [float] -== url fields +=== url Fields to extend the top-level url object. 
@@ -12032,61 +12032,61 @@ Fields to extend the top-level url object. *`panw.panos.url.category`*:: + -- -type: keyword - For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'. +type: keyword + -- *`panw.panos.flow_id`*:: + -- -type: keyword - Internal numeric identifier for each session. +type: keyword + -- *`panw.panos.sequence_number`*:: + -- -type: long - Log entry identifier that is incremented sequentially. Unique for each log type. +type: long + -- *`panw.panos.threat.resource`*:: + -- -type: keyword - URL or file name for a threat. +type: keyword + -- *`panw.panos.threat.id`*:: + -- -type: keyword - Palo Alto Networks identifier for the threat. +type: keyword + -- *`panw.panos.threat.name`*:: + -- -type: keyword - Palo Alto Networks name for the threat. +type: keyword + -- [[exported-fields-postgresql]] @@ -12097,14 +12097,14 @@ Module for parsing the PostgreSQL log files. [float] -== postgresql fields +=== postgresql Fields from PostgreSQL logs. [float] -== log fields +=== log Fields from the PostgreSQL log files. @@ -12121,29 +12121,29 @@ The timestamp from the log line. *`postgresql.log.core_id`*:: + -- -type: long - Core id +type: long + -- *`postgresql.log.database`*:: + -- -example: mydb - Name of database +example: mydb + -- *`postgresql.log.query`*:: + -- -example: SELECT * FROM users; - Query statement. +example: SELECT * FROM users; + -- *`postgresql.log.timezone`*:: @@ -12216,13 +12216,13 @@ RabbitMQ Module [float] -== rabbitmq fields +=== rabbitmq [float] -== log fields +=== log RabbitMQ log files @@ -12231,12 +12231,12 @@ RabbitMQ log files *`rabbitmq.log.pid`*:: + -- +The Erlang process id + type: keyword example: <0.222.0> -The Erlang process id - -- [[exported-fields-redis]] @@ -12247,13 +12247,13 @@ Redis Module [float] -== redis fields +=== redis [float] -== log fields +=== log Redis log files 
@@ -12262,11 +12262,11 @@ Redis log files *`redis.log.role`*:: + -- -type: keyword - The role of the Redis instance. Can be one of `master`, `slave`, `child` (for RDF/AOF writing child), or `sentinel`. +type: keyword + -- *`redis.log.pid`*:: @@ -12297,7 +12297,7 @@ alias to: message -- [float] -== slowlog fields +=== slowlog Slow logs are retrieved from Redis via a network connection. @@ -12306,51 +12306,51 @@ Slow logs are retrieved from Redis via a network connection. *`redis.slowlog.cmd`*:: + -- -type: keyword - The command executed. +type: keyword + -- *`redis.slowlog.duration.us`*:: + -- -type: long - How long it took to execute the command in microseconds. +type: long + -- *`redis.slowlog.id`*:: + -- -type: long - The ID of the query. +type: long + -- *`redis.slowlog.key`*:: + -- -type: keyword - The key on which the command was executed. +type: keyword + -- *`redis.slowlog.args`*:: + -- -type: keyword - The arguments with which the command was called. +type: keyword + -- [[exported-fields-santa]] @@ -12361,7 +12361,7 @@ Santa Module [float] -== santa fields +=== santa @@ -12369,49 +12369,49 @@ Santa Module *`santa.action`*:: + -- +Action + type: keyword example: EXEC -Action - -- *`santa.decision`*:: + -- +Decision that santad took. + type: keyword example: ALLOW -Decision that santad took. - -- *`santa.reason`*:: + -- +Reason for the decsision. + type: keyword example: CERT -Reason for the decsision. - -- *`santa.mode`*:: + -- +Operating mode of Santa. + type: keyword example: M -Operating mode of Santa. - -- [float] -== disk fields +=== disk Fields for DISKAPPEAR actions. @@ -12440,28 +12440,28 @@ The disk serial number. *`santa.disk.bsdname`*:: + -- -example: disk1s3 - The disk BSD name. +example: disk1s3 + -- *`santa.disk.model`*:: + -- -example: APPLE SSD SM0512L - The disk model. +example: APPLE SSD SM0512L + -- *`santa.disk.fs`*:: + -- -example: apfs - The disk volume kind (filesystem type). +example: apfs + -- *`santa.disk.mount`*:: 
@@ -12474,28 +12474,28 @@ The disk volume path. *`certificate.common_name`*:: + -- -type: keyword - Common name from code signing certificate. +type: keyword + -- *`certificate.sha256`*:: + -- -type: keyword - SHA256 hash of code signing certificate. +type: keyword + -- *`hash.sha256`*:: + -- -type: keyword - Hash of process executable. +type: keyword + -- [[exported-fields-suricata]] @@ -12506,14 +12506,14 @@ Module for handling the EVE JSON logs produced by Suricata. [float] -== suricata fields +=== suricata Fields from the Suricata EVE log file. [float] -== eve fields +=== eve Fields exported by the EVE JSON logs @@ -14032,14 +14032,14 @@ Module for parsing system log files. [float] -== system fields +=== system Fields from the system log files. [float] -== auth fields +=== auth Fields from the Linux authorization logs. @@ -14119,21 +14119,21 @@ The signature of the client public key. *`system.auth.ssh.dropped_ip`*:: + -- -type: ip - The client IP from SSH connections that are open and immediately dropped. +type: ip + -- *`system.auth.ssh.event`*:: + -- -example: Accepted - The SSH event as found in the logs (Accepted, Invalid, Failed, etc.) +example: Accepted + -- *`system.auth.ssh.ip`*:: @@ -14210,7 +14210,7 @@ alias to: source.geo.region_iso_code -- [float] -== sudo fields +=== sudo Fields specific to events created by the `sudo` command. @@ -14219,11 +14219,11 @@ Fields specific to events created by the `sudo` command. *`system.auth.sudo.error`*:: + -- -example: user NOT in sudoers - The error message in case the sudo command failed. +example: user NOT in sudoers + -- *`system.auth.sudo.tty`*:: @@ -14245,11 +14245,11 @@ The current directory where the sudo command is executed. *`system.auth.sudo.user`*:: + -- -example: root - The target user to which the sudo command is switching. +example: root + -- *`system.auth.sudo.command`*:: 
@@ -14261,7 +14261,7 @@ The command executed via sudo. -- [float] -== useradd fields +=== useradd Fields specific to events created by the `useradd` command. @@ -14309,7 +14309,7 @@ alias to: group.id -- [float] -== groupadd fields +=== groupadd Fields specific to events created by the `groupadd` command. @@ -14334,7 +14334,7 @@ alias to: group.id -- [float] -== syslog fields +=== syslog Contains fields from the syslog system logs. @@ -14393,14 +14393,14 @@ Module for parsing the Traefik log files. [float] -== traefik fields +=== traefik Fields from the Traefik log files. [float] -== access fields +=== access Contains fields for the Traefik access logs. @@ -14409,40 +14409,40 @@ Contains fields for the Traefik access logs. *`traefik.access.user_identifier`*:: + -- -type: keyword - Is the RFC 1413 identity of the client +type: keyword + -- *`traefik.access.request_count`*:: + -- -type: long - The number of requests +type: long + -- *`traefik.access.frontend_name`*:: + -- -type: keyword - The name of the frontend used +type: keyword + -- *`traefik.access.backend_url`*:: + -- -type: keyword - The url of the backend where request is forwarded +type: keyword + -- *`traefik.access.body_sent.bytes`*:: @@ -14635,7 +14635,7 @@ Module for handling logs produced by Zeek/Bro [float] -== zeek fields +=== zeek Fields from Zeek/Bro logs after normalization 
@@ -14644,1185 +14644,1185 @@ Fields from Zeek/Bro logs after normalization *`zeek.session_id`*:: + -- -type: keyword - A unique identifier of the session +type: keyword + -- *`zeek.connection.local_orig`*:: + -- -type: boolean - Indicates whether the session is originated locally +type: boolean + -- *`zeek.connection.local_resp`*:: + -- -type: boolean - Indicates whether the session is responded locally +type: boolean + -- *`zeek.connection.missed_bytes`*:: + -- -type: long - Missed bytes for the session +type: long + -- *`zeek.connection.state`*:: + -- -type: keyword - Flags indicating the state of the session +type: keyword + -- *`zeek.connection.history`*:: + -- -type: keyword - Flags indicating the history of the session +type: keyword + -- *`zeek.connection.orig_l2_addr`*:: + -- -type: keyword - Link-layer address of the originator, if available +type: keyword + -- *`zeek.connection.resp_l2_addr`*:: + -- -type: keyword - Link-layer address of the responder, if available +type: keyword + -- *`zeek.connection.vlan`*:: + -- -type: integer - VLAN identifier +type: integer + -- *`zeek.connection.inner_vlan`*:: + -- -type: integer - VLAN identifier +type: integer + -- *`zeek.dns.trans_id`*:: + -- -type: keyword - DNS transaction identifier +type: keyword + -- *`zeek.dns.rtt`*:: + -- -type: double - Round trip time for the query and response +type: double + -- *`zeek.dns.query`*:: + -- -type: keyword - The domain name that is the subject of the DNS query +type: keyword + -- *`zeek.dns.qclass`*:: + -- -type: long - The QCLASS value specifying the class of the query +type: long + -- *`zeek.dns.qclass_name`*:: + -- -type: keyword - A descriptive name for the class of the query +type: keyword + -- *`zeek.dns.qtype`*:: + -- -type: long - A QTYPE value specifying the type of the query +type: long + -- *`zeek.dns.qtype_name`*:: + -- -type: keyword - A descriptive name for the type of the query +type: keyword + -- *`zeek.dns.rcode`*:: + -- -type: long - The response code 
value in DNS response messages +type: long + -- *`zeek.dns.rcode_name`*:: + -- -type: keyword - A descriptive name for the response code value +type: keyword + -- *`zeek.dns.AA`*:: + -- -type: boolean - The Authoritative Answer bit for response messages specifies that the responding name server is an authority for the domain name in the question section +type: boolean + -- *`zeek.dns.TC`*:: + -- -type: boolean - The Truncation bit specifies that the message was truncated +type: boolean + -- *`zeek.dns.RD`*:: + -- -type: boolean - The Recursion Desired bit in a request message indicates that the client wants recursive service for this query +type: boolean + -- *`zeek.dns.RA`*:: + -- -type: boolean - The Recursion Available bit in a response message indicates that the name server supports recursive queries. +type: boolean + -- *`zeek.dns.answers`*:: + -- -type: keyword - The set of resource descriptions in the query answer +type: keyword + -- *`zeek.dns.TTLs`*:: + -- -type: double - The caching intervals of the associated RRs described by the answers field +type: double + -- *`zeek.dns.rejected`*:: + -- -type: boolean - Indicates whether the DNS query was rejected by the server +type: boolean + -- *`zeek.dns.total_answers`*:: + -- -type: integer - The total number of resource records in the reply +type: integer + -- *`zeek.dns.total_replies`*:: + -- -type: integer - The total number of resource records in the reply message +type: integer + -- *`zeek.dns.saw_query`*:: + -- -type: boolean - Whether the full DNS query has been seen +type: boolean + -- *`zeek.dns.saw_reply`*:: + -- -type: boolean - Whether the full DNS reply has been seen +type: boolean + -- *`zeek.http.trans_depth`*:: + -- -type: integer - Represents the pipelined depth into the connection of this request/response transaction +type: integer + -- *`zeek.http.status_msg`*:: + -- -type: keyword - Status message returned by the server +type: keyword + -- *`zeek.http.info_code`*:: + -- -type: integer - Last 
seen 1xx informational reply code returned by the server. +type: integer + -- *`zeek.http.info_msg`*:: + -- -type: keyword - Last seen 1xx informational reply message returned by the server. +type: keyword + -- *`zeek.http.tags`*:: + -- -type: keyword - A set of indicators of various attributes discovered and related to a particular request/response pair. +type: keyword + -- *`zeek.http.password`*:: + -- -type: keyword - Password if basic-auth is performed for the request +type: keyword + -- *`zeek.http.captured_password`*:: + -- -type: boolean - Determines if the password will be captured for this request +type: boolean + -- *`zeek.http.proxied`*:: + -- -type: keyword - All of the headers that may indicate if the HTTP request was proxied +type: keyword + -- *`zeek.http.range_request`*:: + -- -type: boolean - Indicates if this request can assume 206 partial content in response +type: boolean + -- *`zeek.http.client_header_names`*:: + -- -type: keyword - The vector of HTTP header names sent by the client. No header values are included here, just the header names. +type: keyword + -- *`zeek.http.server_header_names`*:: + -- -type: keyword - The vector of HTTP header names sent by the server. 
No header values are included here, just the header names +type: keyword + -- *`zeek.http.orig_fuids`*:: + -- -type: keyword - An ordered vector of file unique IDs from the originator +type: keyword + -- *`zeek.http.orig_mime_types`*:: + -- -type: keyword - An ordered vector of mime types from the originator +type: keyword + -- *`zeek.http.orig_filenames`*:: + -- -type: keyword - An ordered vector of filenames from the originator +type: keyword + -- *`zeek.http.resp_fuids`*:: + -- -type: keyword - An ordered vector of file unique IDs from the responder +type: keyword + -- *`zeek.http.resp_mime_types`*:: + -- -type: keyword - An ordered vector of mime types from the responder +type: keyword + -- *`zeek.http.resp_filenames`*:: + -- -type: keyword - An ordered vector of filenames from the responder +type: keyword + -- *`zeek.http.orig_mime_depth`*:: + -- -type: integer - Current number of MIME entities in the HTTP request message body +type: integer + -- *`zeek.http.resp_mime_depth`*:: + -- -type: integer - Current number of MIME entities in the HTTP response message body +type: integer + -- *`zeek.files.fuid`*:: + -- -type: keyword - A file unique identifier +type: keyword + -- *`zeek.files.tx_host`*:: + -- -type: ip - The host that transferred the file +type: ip + -- *`zeek.files.rx_host`*:: + -- -type: ip - The host that received the file +type: ip + -- *`zeek.files.session_ids`*:: + -- -type: keyword - The sessions that have this file +type: keyword + -- *`zeek.files.source`*:: + -- -type: keyword - An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source +type: keyword + -- *`zeek.files.depth`*:: + -- -type: long - A value to represent the depth of this file in relation to its source. In SMTP, it is the depth of the MIME attachment on the message. 
In HTTP, it is the depth of the request within the TCP connection +type: long + -- *`zeek.files.analyzers`*:: + -- -type: keyword - A set of analysis types done during the file analysis +type: keyword + -- *`zeek.files.mime_type`*:: + -- -type: keyword - Mime type of the file +type: keyword + -- *`zeek.files.filename`*:: + -- -type: keyword - Name of the file if available +type: keyword + -- *`zeek.files.local_orig`*:: + -- -type: boolean - If the source of this file is a network connection, this field indicates if the data originated from the local network or not +type: boolean + -- *`zeek.files.is_orig`*:: + -- -type: boolean - If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder +type: boolean + -- *`zeek.files.duration`*:: + -- -type: double - The duration the file was analyzed for. Not the duration of the session. +type: double + -- *`zeek.files.seen_bytes`*:: + -- -type: long - Number of bytes provided to the file analysis engine for the file +type: long + -- *`zeek.files.total_bytes`*:: + -- -type: long - Total number of bytes that are supposed to comprise the full file +type: long + -- *`zeek.files.missing_bytes`*:: + -- -type: long - The number of bytes in the file stream that were completely missed during the process of analysis +type: long + -- *`zeek.files.overflow_bytes`*:: + -- -type: long - The number of bytes in the file stream that were not delivered to stream file analyzers. 
This could be overlapping bytes or bytes that couldn't be reassembled +type: long + -- *`zeek.files.timedout`*:: + -- -type: boolean - Whether the file analysis timed out at least once for the file +type: boolean + -- *`zeek.files.parent_fuid`*:: + -- -type: keyword - Identifier associated with a container file from which this one was extracted as part of the file analysis +type: keyword + -- *`zeek.files.md5`*:: + -- -type: keyword - An MD5 digest of the file contents +type: keyword + -- *`zeek.files.sha1`*:: + -- -type: keyword - A SHA1 digest of the file contents +type: keyword + -- *`zeek.files.sha256`*:: + -- -type: keyword - A SHA256 digest of the file contents. +type: keyword + -- *`zeek.files.extracted`*:: + -- -type: keyword - Local filename of extracted file +type: keyword + -- *`zeek.files.extracted_cutoff`*:: + -- -type: boolean - Indicate whether the file being extracted was cut off hence not extracted completely +type: boolean + -- *`zeek.files.extracted_size`*:: + -- -type: long - The number of bytes extracted to disk +type: long + -- *`zeek.files.entropy`*:: + -- -type: double - The information density of the contents of the file +type: double + -- *`zeek.ssl.version`*:: + -- -type: keyword - SSL/TLS version that was logged +type: keyword + -- *`zeek.ssl.cipher`*:: + -- -type: keyword - SSL/TLS cipher suite that was logged +type: keyword + -- *`zeek.ssl.curve`*:: + -- -type: keyword - Elliptic curve that was logged when using ECDH/ECDHE +type: keyword + -- *`zeek.ssl.server_name`*:: + -- -type: keyword - Value of the Server Name Indicator SSL/TLS extension. 
It indicates the server name that the client was requesting +type: keyword + -- *`zeek.ssl.resumed`*:: + -- -type: boolean - Flag to indicate if the session was resumed reusing the key material exchanged in an earlier connection +type: boolean + -- *`zeek.ssl.next_protocol`*:: + -- -type: keyword - Next protocol the server chose using the application layer next protocol extension +type: keyword + -- *`zeek.ssl.established`*:: + -- -type: boolean - Flag to indicate if this ssl session has been established successfully +type: boolean + -- *`zeek.ssl.cert_chain`*:: + -- -type: keyword - Chain of certificates offered by the server to validate its complete signing chain +type: keyword + -- *`zeek.ssl.cert_chain_fuids`*:: + -- -type: keyword - An ordered vector of certificate file identifiers for the certificates offered by the server +type: keyword + -- *`zeek.ssl.client_cert_chain`*:: + -- -type: keyword - Chain of certificates offered by the client to validate its complete signing chain +type: keyword + -- *`zeek.ssl.client_cert_chain_fuids`*:: + -- -type: keyword - An ordered vector of certificate file identifiers for the certificates offered by the client +type: keyword + -- *`zeek.ssl.issuer`*:: + -- -type: keyword - Subject of the signer of the X.509 certificate offered by the server +type: keyword + -- *`zeek.ssl.client_issuer`*:: + -- -type: keyword - Subject of the X.509 certificate offered by the client +type: keyword + -- *`zeek.ssl.validation_status`*:: + -- -type: keyword - Result of certificate validation for this connection +type: keyword + -- *`zeek.ssl.validation_code`*:: + -- -type: keyword - Result of certificate validation for this connection, given as OpenSSL validation code +type: keyword + -- *`zeek.ssl.subject`*:: + -- -type: keyword - Subject of the X.509 certificate offered by the server +type: keyword + -- *`zeek.ssl.client_subject`*:: + -- -type: keyword - Subject of the X.509 certificate offered by the client +type: keyword + -- 
*`zeek.ssl.last_alert`*:: + -- -type: keyword - Last alert that was seen during the connection +type: keyword + -- *`zeek.notice.connection_id`*:: + -- -type: keyword - Identifier of the related connection session +type: keyword + -- *`zeek.notice.icmp_id`*:: + -- -type: keyword - Identifier of the related ICMP session +type: keyword + -- *`zeek.notice.file.id`*:: + -- -type: keyword - An identifier associated with a single file that is related to this notice +type: keyword + -- *`zeek.notice.file.parent_id`*:: + -- -type: keyword - Identifier associated with a container file from which this one was extracted +type: keyword + -- *`zeek.notice.file.source`*:: + -- -type: keyword - An identification of the source of the file data. E.g. it may be a network protocol over which it was transferred, or a local file path which was read, or some other input source +type: keyword + -- *`zeek.notice.file.mime_type`*:: + -- -type: keyword - A mime type if the notice is related to a file +type: keyword + -- *`zeek.notice.file.is_orig`*:: + -- -type: boolean - If the source of this file is a network connection, this field indicates if the file is being sent by the originator of the connection or the responder +type: boolean + -- *`zeek.notice.file.seen_bytes`*:: + -- -type: long - Number of bytes provided to the file analysis engine for the file +type: long + -- *`zeek.fnotice.file.total_bytes`*:: + -- -type: long - Total number of bytes that are supposed to comprise the full file +type: long + -- *`zeek.notice.file.missing_bytes`*:: + -- -type: long - The number of bytes in the file stream that were completely missed during the process of analysis +type: long + -- *`zeek.notice.file.overflow_bytes`*:: + -- -type: long - The number of bytes in the file stream that were not delivered to stream file analyzers. 
This could be overlapping bytes or bytes that couldn't be reassembled +type: long + -- *`zeek.notice.fuid`*:: + -- -type: keyword - A file unique ID if this notice is related to a file +type: keyword + -- *`zeek.notice.note`*:: + -- -type: keyword - The type of the notice +type: keyword + -- *`zeek.notice.msg`*:: + -- -type: keyword - The human readable message for the notice. +type: keyword + -- *`zeek.notice.sub`*:: + -- -type: keyword - The human readable sub-message +type: keyword + -- *`zeek.notice.n`*:: + -- -type: long - Associated count, or a status code +type: long + -- *`zeek.notice.peer_name`*:: + -- -type: keyword - Name of remote peer that raised this notice +type: keyword + -- *`zeek.notice.peer_descr`*:: + -- -type: text - Textual description for the peer that raised this notice +type: text + -- *`zeek.notice.actions`*:: + -- -type: keyword - The actions which have been applied to this notice +type: keyword + -- *`zeek.notice.email_body_sections`*:: + -- -type: text - By adding chunks of text into this element, other scripts can expand on notices that are being emailed +type: text + -- *`zeek.notice.email_delay_tokens`*:: + -- -type: keyword - Adding a string token to this set will cause the built-in emailing functionality to delay sending the email either the token has been removed or the email has been delayed for the specified time duration +type: keyword + -- *`zeek.notice.identifier`*:: + -- -type: keyword - This field is provided when a notice is generated for the purpose of deduplicating notices +type: keyword + -- *`zeek.notice.suppress_for`*:: + -- -type: double - This field indicates the length of time that this unique notice should be suppressed +type: double + -- *`zeek.notice.dropped`*:: + -- -type: boolean - Indicate if the source IP address was dropped and denied network access +type: boolean + -- diff --git a/heartbeat/_meta/fields.common.yml b/heartbeat/_meta/fields.common.yml index b6f6c3c30b3..7cd6393278b 100644 
--- a/heartbeat/_meta/fields.common.yml +++ b/heartbeat/_meta/fields.common.yml @@ -65,6 +65,7 @@ - key: summary title: "Monitor summary" + description: fields: - name: summary type: group diff --git a/heartbeat/docs/fields.asciidoc b/heartbeat/docs/fields.asciidoc index 9a75cd02dee..70b6b9a9a9a 100644 --- a/heartbeat/docs/fields.asciidoc +++ b/heartbeat/docs/fields.asciidoc @@ -40,10 +40,10 @@ Contains common beat fields available in all event types. *`agent.hostname`*:: + -- -type: keyword - Hostname of the agent. +type: keyword + -- *`beat.timezone`*:: @@ -58,15 +58,15 @@ alias to: event.timezone *`fields`*:: + -- -type: object - Contains user configurable fields. +type: object + -- [float] -== error fields +=== error Error fields containing additional info in case of errors. @@ -75,11 +75,11 @@ Error fields containing additional info in case of errors. *`error.type`*:: + -- -type: keyword - Error type. +type: keyword + -- *`beat.name`*:: @@ -103,10 +103,10 @@ alias to: agent.hostname *`timeseries.instance`*:: + -- -type: keyword - Time series instance id +type: keyword + -- [[exported-fields-cloud]] @@ -119,11 +119,11 @@ Metadata from cloud providers added by the add_cloud_metadata processor. *`cloud.project.id`*:: + -- -example: project-x - Name of the project in Google Cloud. +example: project-x + -- *`meta.cloud.provider`*:: @@ -196,7 +196,7 @@ None [float] -== monitor fields +=== monitor Common monitor fields. @@ -205,35 +205,35 @@ Common monitor fields. *`monitor.type`*:: + -- -type: keyword - The monitor type. +type: keyword + -- *`monitor.name`*:: + -- -type: keyword - The monitors configured name +type: keyword + -- *`monitor.id`*:: + -- -type: keyword - The monitors full job ID as used by heartbeat. +type: keyword + -- [float] -== duration fields +=== duration Total monitoring test duration 
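Review bot: The added `description:` under the `summary` key carries no value, so a YAML loader returns null (`None` in Python) rather than an empty string for this group's description. The generated heartbeat docs in this same commit show a literal `None` context line right before the `monitor` section (`@@ -196,7 +196,7 @@ None`), which looks like a stringified missing description; whether libbeat/scripts/generate_fields_docs.py (changed in this commit but not in view) now guards for null cannot be confirmed from here. Either give the key a real value, e.g. `description: <one-line summary of the monitor summary fields>` (placeholder), or at minimum use `description: ""` so the doc generator never interpolates `None` into the exported-fields page.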
@@ -241,66 +241,66 @@ Total monitoring test duration *`monitor.duration.us`*:: + -- -type: long - Duration in microseconds +type: long + -- *`monitor.scheme`*:: + -- -type: alias +Address url scheme. For example `tcp`, `tls`, `http`, and `https`. -alias to: url.scheme -Address url scheme. For example `tcp`, `tls`, `http`, and `https`. +type: alias +alias to: url.scheme -- *`monitor.host`*:: + -- -type: alias +Hostname of service being monitored. Can be missing, if service is monitored by IP. -alias to: url.domain -Hostname of service being monitored. Can be missing, if service is monitored by IP. +type: alias +alias to: url.domain -- *`monitor.ip`*:: + -- -type: ip - IP of service being monitored. If service is monitored by hostname, the `ip` field contains the resolved ip address for the current host. +type: ip + -- *`monitor.status`*:: + -- -type: keyword +Indicator if monitor could validate the service to be available. -required: True -Indicator if monitor could validate the service to be available. +type: keyword +required: True -- *`monitor.check_group`*:: + -- -type: keyword - A token unique to a simultaneously invoked group of checks as in the case where multiple IPs are checked for a single DNS entry. +type: keyword + -- [[exported-fields-docker-processor]] @@ -341,11 +341,11 @@ alias to: container.name *`docker.container.labels`*:: + -- -type: object - Image labels. +type: object + -- [[exported-fields-ecs]] 
@@ -357,58 +357,58 @@ ECS Fields. *`@timestamp`*:: + -- +Date/time when the event originated. +This is the date/time extracted from the event, typically representing when the event was generated by the source. +If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. +Required field for all events. + type: date example: 2016-05-23T08:05:34.853Z required: True -Date/time when the event originated. -This is the date/time extracted from the event, typically representing when the event was generated by the source. -If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. -Required field for all events. - -- *`labels`*:: + -- -type: object - -example: {'application': 'foo-bar', 'env': 'production'} - Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. +type: object + +example: {'application': 'foo-bar', 'env': 'production'} + -- *`message`*:: + -- -type: text - -example: Hello World - For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. +type: text + +example: Hello World + -- *`tags`*:: + -- +List of keywords used to tag each event. + type: keyword example: ["production", "env2"] -List of keywords used to tag each event. - -- [float] -== agent fields +=== agent The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. 
ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. 
@@ -417,65 +417,65 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha *`agent.ephemeral_id`*:: + -- +Ephemeral identifier of this agent (if one exists). +This id normally changes across restarts, but `agent.id` does not. + type: keyword example: 8a4f500f -Ephemeral identifier of this agent (if one exists). -This id normally changes across restarts, but `agent.id` does not. - -- *`agent.id`*:: + -- +Unique identifier of this agent (if one exists). +Example: For Beats this would be beat.id. + type: keyword example: 8a4f500d -Unique identifier of this agent (if one exists). -Example: For Beats this would be beat.id. - -- *`agent.name`*:: + -- -type: keyword - -example: foo - Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. +type: keyword + +example: foo + -- *`agent.type`*:: + -- +Type of the agent. +The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. + type: keyword example: filebeat -Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. - -- *`agent.version`*:: + -- +Version of the agent. + type: keyword example: 6.0.0-rc2 -Version of the agent. - -- [float] -== client fields +=== client A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). 
For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. 
@@ -485,234 +485,234 @@ Client / server representations can add semantic context to an exchange, which i *`client.address`*:: + -- -type: keyword - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`client.bytes`*:: + -- +Bytes sent from the client to the server. + type: long example: 184 format: bytes -Bytes sent from the client to the server. - -- *`client.domain`*:: + -- -type: keyword - Client domain. +type: keyword + -- *`client.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`client.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`client.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`client.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`client.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`client.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`client.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`client.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`client.ip`*:: + -- -type: ip - IP address of the client. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`client.mac`*:: + -- -type: keyword - MAC address of the client. +type: keyword + -- *`client.packets`*:: + -- +Packets sent from the client to the server. + type: long example: 12 -Packets sent from the client to the server. - -- *`client.port`*:: + -- -type: long - Port of the client. +type: long + -- *`client.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`client.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`client.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`client.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`client.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`client.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`client.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== cloud fields +=== cloud Fields related to the cloud or infrastructure the events are coming from. 
@@ -720,81 +720,81 @@ Fields related to the cloud or infrastructure the events are coming from. *`cloud.account.id`*:: + -- +The cloud account or organization id used to identify different entities in a multi-tenant environment. +Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + type: keyword example: 666777888999 -The cloud account or organization id used to identify different entities in a multi-tenant environment. -Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - -- *`cloud.availability_zone`*:: + -- +Availability zone in which this host is running. + type: keyword example: us-east-1c -Availability zone in which this host is running. - -- *`cloud.instance.id`*:: + -- +Instance ID of the host machine. + type: keyword example: i-1234567890abcdef0 -Instance ID of the host machine. - -- *`cloud.instance.name`*:: + -- -type: keyword - Instance name of the host machine. +type: keyword + -- *`cloud.machine.type`*:: + -- +Machine type of the host machine. + type: keyword example: t2.medium -Machine type of the host machine. - -- *`cloud.provider`*:: + -- +Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + type: keyword example: aws -Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - -- *`cloud.region`*:: + -- +Region in which this host is running. + type: keyword example: us-east-1 -Region in which this host is running. - -- [float] -== container fields +=== container Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime. 
@@ -803,61 +803,61 @@ These fields help correlate data based containers from any runtime. *`container.id`*:: + -- -type: keyword - Unique container id. +type: keyword + -- *`container.image.name`*:: + -- -type: keyword - Name of the image the container was built on. +type: keyword + -- *`container.image.tag`*:: + -- -type: keyword - Container image tag. +type: keyword + -- *`container.labels`*:: + -- -type: object - Image labels. +type: object + -- *`container.name`*:: + -- -type: keyword - Container name. +type: keyword + -- *`container.runtime`*:: + -- +Runtime managing this container. + type: keyword example: docker -Runtime managing this container. - -- [float] -== destination fields +=== destination Destination fields describe details about the destination of a packet/event. Destination fields are usually populated in conjunction with source fields. 
@@ -866,234 +866,234 @@ Destination fields are usually populated in conjunction with source fields. *`destination.address`*:: + -- -type: keyword - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`destination.bytes`*:: + -- +Bytes sent from the destination to the source. + type: long example: 184 format: bytes -Bytes sent from the destination to the source. - -- *`destination.domain`*:: + -- -type: keyword - Destination domain. +type: keyword + -- *`destination.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`destination.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`destination.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`destination.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`destination.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`destination.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`destination.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`destination.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`destination.ip`*:: + -- -type: ip - IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`destination.mac`*:: + -- -type: keyword - MAC address of the destination. +type: keyword + -- *`destination.packets`*:: + -- +Packets sent from the destination to the source. + type: long example: 12 -Packets sent from the destination to the source. - -- *`destination.port`*:: + -- -type: long - Port of the destination. +type: long + -- *`destination.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`destination.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`destination.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`destination.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`destination.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`destination.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`destination.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== ecs fields +=== ecs Meta-information specific to ECS. 
@@ -1101,19 +1101,19 @@ Meta-information specific to ECS. *`ecs.version`*:: + -- +ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. +When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + type: keyword example: 1.0.0 required: True -ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. -When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - -- [float] -== error fields +=== error These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. @@ -1122,32 +1122,32 @@ Use them for errors that happen while fetching events or in cases where the even *`error.code`*:: + -- -type: keyword - Error code describing the error. +type: keyword + -- *`error.id`*:: + -- -type: keyword - Unique identifier for the error. +type: keyword + -- *`error.message`*:: + -- -type: text - Error message. +type: text + -- [float] -== event fields +=== event The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. 
@@ -1156,203 +1156,203 @@ A log is defined as an event containing details of something that happened. Log *`event.action`*:: + -- +The action captured by the event. +This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + type: keyword example: user-password-change -The action captured by the event. -This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - -- *`event.category`*:: + -- +Event category. +This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: user-management -Event category. -This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.created`*:: + -- -type: date - event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
+type: date + -- *`event.dataset`*:: + -- +Name of the dataset. +The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. + type: keyword example: stats -Name of the dataset. -The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. - -- *`event.duration`*:: + -- +Duration of the event in nanoseconds. +If event.start and event.end are known this value should be the difference between the end and start time. + type: long format: duration -Duration of the event in nanoseconds. -If event.start and event.end are known this value should be the difference between the end and start time. - -- *`event.end`*:: + -- -type: date - event.end contains the date when the event ended or when the activity was last observed. +type: date + -- *`event.hash`*:: + -- +Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. + type: keyword example: 123456789012345678901234567890ABCD -Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. - -- *`event.id`*:: + -- +Unique ID to describe the event. + type: keyword example: 8a4f500d -Unique ID to describe the event. - -- *`event.kind`*:: + -- +The kind of the event. +This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: state -The kind of the event. -This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. 
Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.module`*:: + -- +Name of the module this data is coming from. +This information is coming from the modules used in Beats or Logstash. + type: keyword example: mysql -Name of the module this data is coming from. -This information is coming from the modules used in Beats or Logstash. - -- *`event.original`*:: + -- +Raw text message of entire event. Used to demonstrate log integrity. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. + type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 -Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. - -- *`event.outcome`*:: + -- +The outcome of the event. +If the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: success -The outcome of the event. -If the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.risk_score`*:: + -- -type: float - Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +type: float + -- *`event.risk_score_norm`*:: + -- -type: float - Normalized risk score or priority of the event, on a scale of 0 to 100. 
This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. +type: float + -- *`event.severity`*:: + -- +Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events. + type: long example: 7 -Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events. - -- *`event.start`*:: + -- -type: date - event.start contains the date when the event started or when the activity was first observed. +type: date + -- *`event.timezone`*:: + -- -type: keyword - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). +type: keyword + -- *`event.type`*:: + -- -type: keyword - Reserved for future usage. Please avoid using this field for user data. +type: keyword + -- [float] -== file fields +=== file A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. 
@@ -1361,136 +1361,136 @@ File objects can be associated with host events, network events, and/or file eve *`file.ctime`*:: + -- -type: date - Last time file metadata changed. +type: date + -- *`file.device`*:: + -- -type: keyword - Device that is the source of the file. +type: keyword + -- *`file.extension`*:: + -- +File extension. +This should allow easy filtering by file extensions. + type: keyword example: png -File extension. -This should allow easy filtering by file extensions. - -- *`file.gid`*:: + -- -type: keyword - Primary group ID (GID) of the file. +type: keyword + -- *`file.group`*:: + -- -type: keyword - Primary group name of the file. +type: keyword + -- *`file.inode`*:: + -- -type: keyword - Inode representing the file in the filesystem. +type: keyword + -- *`file.mode`*:: + -- +Mode of the file in octal representation. + type: keyword example: 416 -Mode of the file in octal representation. - -- *`file.mtime`*:: + -- -type: date - Last time file content was modified. +type: date + -- *`file.owner`*:: + -- -type: keyword - File owner's username. +type: keyword + -- *`file.path`*:: + -- -type: keyword - Path to the file. +type: keyword + -- *`file.size`*:: + -- -type: long - File size in bytes (field is only added when `type` is `file`). +type: long + -- *`file.target_path`*:: + -- -type: keyword - Target path for symlinks. +type: keyword + -- *`file.type`*:: + -- -type: keyword - File type (file, dir, or symlink). +type: keyword + -- *`file.uid`*:: + -- -type: keyword - The user ID (UID) or security identifier (SID) of the file owner. +type: keyword + -- [float] -== geo fields +=== geo Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. 
@@ -1499,95 +1499,95 @@ This geolocation information can be derived from techniques such as Geo IP, or b *`geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- [float] -== group fields +=== group The group fields are meant to represent groups that are relevant to the event. @@ -1595,23 +1595,23 @@ The group fields are meant to represent groups that are relevant to the event. *`group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- [float] -== host fields +=== host A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. 
@@ -1620,299 +1620,299 @@ ECS host.* fields should be populated with details about the host on which the e *`host.architecture`*:: + -- +Operating system architecture. + type: keyword example: x86_64 -Operating system architecture. - -- *`host.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`host.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`host.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`host.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`host.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`host.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`host.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`host.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`host.hostname`*:: + -- -type: keyword - Hostname of the host. It normally contains what the `hostname` command returns on the host machine. +type: keyword + -- *`host.id`*:: + -- -type: keyword - Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. +type: keyword + -- *`host.ip`*:: + -- -type: ip - Host ip address. +type: ip + -- *`host.mac`*:: + -- -type: keyword - Host mac address. +type: keyword + -- *`host.name`*:: + -- -type: keyword - Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. +type: keyword + -- *`host.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`host.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`host.os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`host.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`host.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`host.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`host.type`*:: + -- -type: keyword - Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. +type: keyword + -- *`host.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`host.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`host.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`host.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`host.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. 
Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`host.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`host.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== http fields +=== http Fields related to HTTP activity. Use the `url` field set to store the url of the request. 
@@ -1920,124 +1920,124 @@ Fields related to HTTP activity. Use the `url` field set to store the url of the *`http.request.body.bytes`*:: + -- +Size in bytes of the request body. + type: long example: 887 format: bytes -Size in bytes of the request body. - -- *`http.request.body.content`*:: + -- +The full HTTP request body. + type: keyword example: Hello world -The full HTTP request body. - -- *`http.request.bytes`*:: + -- +Total size in bytes of the request (body and headers). + type: long example: 1437 format: bytes -Total size in bytes of the request (body and headers). - -- *`http.request.method`*:: + -- +HTTP request method. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: get, post, put -HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`http.request.referrer`*:: + -- +Referrer for this HTTP request. + type: keyword example: https://blog.example.com/ -Referrer for this HTTP request. - -- *`http.response.body.bytes`*:: + -- +Size in bytes of the response body. + type: long example: 887 format: bytes -Size in bytes of the response body. - -- *`http.response.body.content`*:: + -- +The full HTTP response body. + type: keyword example: Hello world -The full HTTP response body. - -- *`http.response.bytes`*:: + -- +Total size in bytes of the response (body and headers). + type: long example: 1437 format: bytes -Total size in bytes of the response (body and headers). - -- *`http.response.status_code`*:: + -- +HTTP response status code. + type: long example: 404 -HTTP response status code. - -- *`http.version`*:: + -- +HTTP version. + type: keyword example: 1.1 -HTTP version. - -- [float] -== log fields +=== log Fields which are specific to log events. 
@@ -2045,30 +2045,30 @@ Fields which are specific to log events. *`log.level`*:: + -- +Original log level of the log event. +Some examples are `warn`, `error`, `i`. + type: keyword example: err -Original log level of the log event. -Some examples are `warn`, `error`, `i`. - -- *`log.original`*:: + -- -type: keyword - -example: Sep 19 08:26:10 localhost My log - This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. +type: keyword + +example: Sep 19 08:26:10 localhost My log + -- [float] -== network fields +=== network The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event. 
@@ -2077,48 +2077,44 @@ The network.* fields should be populated with details about the network activity *`network.application`*:: + -- +A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: aim -A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`network.bytes`*:: + -- +Total bytes transferred in both directions. +If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + type: long example: 368 format: bytes -Total bytes transferred in both directions. -If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - -- *`network.community_id`*:: + -- +A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. +Learn more at https://github.com/corelight/community-id-spec. + type: keyword example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= -A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. -Learn more at https://github.com/corelight/community-id-spec. - -- *`network.direction`*:: + -- -type: keyword - -example: inbound - Direction of the network traffic. 
Recommended values are: * inbound 
@@ -2130,91 +2126,95 @@ Recommended values are: When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. --- +type: keyword + +example: inbound + +-- *`network.forwarded_ip`*:: + -- +Host IP address when the source IP address is the proxy. + type: ip example: 192.1.1.2 -Host IP address when the source IP address is the proxy. - -- *`network.iana_number`*:: + -- +IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + type: keyword example: 6 -IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - -- *`network.name`*:: + -- +Name given by operators to sections of their network. + type: keyword example: Guest Wifi -Name given by operators to sections of their network. - -- *`network.packets`*:: + -- +Total packets transferred in both directions. +If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + type: long example: 24 -Total packets transferred in both directions. -If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - -- *`network.protocol`*:: + -- +L7 Network protocol name. ex. http, lumberjack, transport protocol. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: http -L7 Network protocol name. ex. http, lumberjack, transport protocol. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". 
- -- *`network.transport`*:: + -- +Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: tcp -Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`network.type`*:: + -- +In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: ipv4 -In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- [float] -== observer fields +=== observer An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. 
@@ -2223,227 +2223,227 @@ This could be a custom hardware appliance or a server that has been configured t *`observer.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`observer.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`observer.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`observer.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`observer.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`observer.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`observer.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`observer.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`observer.hostname`*:: + -- -type: keyword - Hostname of the observer. +type: keyword + -- *`observer.ip`*:: + -- -type: ip - IP address of the observer. +type: ip + -- *`observer.mac`*:: + -- -type: keyword - MAC address of the observer +type: keyword + -- *`observer.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`observer.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`observer.os.kernel`*:: + -- +Operating system kernel version as a raw string. 
+ type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`observer.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`observer.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`observer.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`observer.serial_number`*:: + -- -type: keyword - Observer serial number. +type: keyword + -- *`observer.type`*:: + -- +The type of the observer the data is coming from. +There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + type: keyword example: firewall -The type of the observer the data is coming from. -There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - -- *`observer.vendor`*:: + -- -type: keyword - observer vendor information. +type: keyword + -- *`observer.version`*:: + -- -type: keyword - Observer version. +type: keyword + -- [float] -== organization fields +=== organization The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations. @@ -2452,23 +2452,23 @@ These fields help you arrange or filter data stored in an index by one or multip *`organization.id`*:: + -- -type: keyword - Unique identifier for the organization. +type: keyword + -- *`organization.name`*:: + -- -type: keyword - Organization name. +type: keyword + -- [float] -== os fields +=== os The OS fields contain information about the operating system. 
@@ -2476,71 +2476,71 @@ The OS fields contain information about the operating system. *`os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- [float] -== process fields +=== process These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. 
@@ -2549,101 +2549,101 @@ These fields can help you correlate metrics information with a process id/name f *`process.args`*:: + -- +Array of process arguments. +May be filtered to protect sensitive information. + type: keyword example: ['ssh', '-l', 'user', '10.0.0.16'] -Array of process arguments. -May be filtered to protect sensitive information. - -- *`process.executable`*:: + -- +Absolute path to the process executable. + type: keyword example: /usr/bin/ssh -Absolute path to the process executable. - -- *`process.name`*:: + -- +Process name. +Sometimes called program name or similar. + type: keyword example: ssh -Process name. -Sometimes called program name or similar. - -- *`process.pid`*:: + -- -type: long - Process id. +type: long + -- *`process.ppid`*:: + -- -type: long - Process parent id. +type: long + -- *`process.start`*:: + -- +The time the process started. + type: date example: 2016-05-23T08:05:34.853Z -The time the process started. - -- *`process.thread.id`*:: + -- +Thread ID. + type: long example: 4242 -Thread ID. - -- *`process.title`*:: + -- -type: keyword - Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. +type: keyword + -- *`process.working_directory`*:: + -- +The working directory of the process. + type: keyword example: /home/alice -The working directory of the process. - -- [float] -== related fields +=== related This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. 
@@ -2653,14 +2653,14 @@ A concrete example is IP addresses, which can be under host, observer, source, d *`related.ip`*:: + -- -type: ip - All of the IPs seen on your event. +type: ip + -- [float] -== server fields +=== server A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. 
@@ -2670,234 +2670,234 @@ Client / server representations can add semantic context to an exchange, which i *`server.address`*:: + -- -type: keyword - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`server.bytes`*:: + -- +Bytes sent from the server to the client. + type: long example: 184 format: bytes -Bytes sent from the server to the client. - -- *`server.domain`*:: + -- -type: keyword - Server domain. +type: keyword + -- *`server.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`server.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`server.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`server.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`server.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`server.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`server.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`server.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`server.ip`*:: + -- -type: ip - IP address of the server. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`server.mac`*:: + -- -type: keyword - MAC address of the server. +type: keyword + -- *`server.packets`*:: + -- +Packets sent from the server to the client. + type: long example: 12 -Packets sent from the server to the client. - -- *`server.port`*:: + -- -type: long - Port of the server. +type: long + -- *`server.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`server.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`server.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`server.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`server.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`server.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`server.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== service fields +=== service The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version. 
@@ -2906,78 +2906,78 @@ These fields help you find and correlate logs for a specific service and version *`service.ephemeral_id`*:: + -- +Ephemeral identifier of this service (if one exists). +This id normally changes across restarts, but `service.id` does not. + type: keyword example: 8a4f500f -Ephemeral identifier of this service (if one exists). -This id normally changes across restarts, but `service.id` does not. - -- *`service.id`*:: + -- -type: keyword - -example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - Unique identifier of the running service. This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance. +type: keyword + +example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + -- *`service.name`*:: + -- -type: keyword - -example: elasticsearch-metrics - Name of the service data is collected from. The name of the service is normally user given. This allows if two instances of the same service are running on the same machine they can be differentiated by the `service.name`. Also it allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the `service.type` field if no name is specified. +type: keyword + +example: elasticsearch-metrics + -- *`service.state`*:: + -- -type: keyword - Current state of the service. +type: keyword + -- *`service.type`*:: + -- -type: keyword - -example: elasticsearch - The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
+type: keyword + +example: elasticsearch + -- *`service.version`*:: + -- +Version of the service the data was collected from. +This allows to look at a data set only for a specific version of a service. + type: keyword example: 3.2.4 -Version of the service the data was collected from. -This allows to look at a data set only for a specific version of a service. - -- [float] -== source fields +=== source Source fields describe details about the source of a packet/event. Source fields are usually populated in conjunction with destination fields. 
@@ -2986,234 +2986,234 @@ Source fields are usually populated in conjunction with destination fields. *`source.address`*:: + -- -type: keyword - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`source.bytes`*:: + -- +Bytes sent from the source to the destination. + type: long example: 184 format: bytes -Bytes sent from the source to the destination. - -- *`source.domain`*:: + -- -type: keyword - Source domain. +type: keyword + -- *`source.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`source.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`source.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`source.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`source.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`source.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`source.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`source.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`source.ip`*:: + -- -type: ip - IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`source.mac`*:: + -- -type: keyword - MAC address of the source. +type: keyword + -- *`source.packets`*:: + -- +Packets sent from the source to the destination. + type: long example: 12 -Packets sent from the source to the destination. - -- *`source.port`*:: + -- -type: long - Port of the source. +type: long + -- *`source.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`source.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`source.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`source.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`source.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`source.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`source.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== url fields +=== url URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. 
@@ -3221,111 +3221,111 @@ URL fields provide support for complete or partial URLs, and supports the breaki *`url.domain`*:: + -- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + type: keyword example: www.elastic.co -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - -- *`url.fragment`*:: + -- -type: keyword - Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. +type: keyword + -- *`url.full`*:: + -- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - -- *`url.original`*:: + -- -type: keyword - -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + -- *`url.password`*:: + -- -type: keyword - Password of the request. +type: keyword + -- *`url.path`*:: + -- -type: keyword - Path of the request, such as "/search". +type: keyword + -- *`url.port`*:: + -- +Port of the request, such as 443. + type: long example: 443 -Port of the request, such as 443. 
- -- *`url.query`*:: + -- -type: keyword - The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. +type: keyword + -- *`url.scheme`*:: + -- +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. + type: keyword example: https -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. - -- *`url.username`*:: + -- -type: keyword - Username of the request. +type: keyword + -- [float] -== user fields +=== user The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. 
@@ -3334,73 +3334,73 @@ Fields can have one entry or multiple entries. If a user has more than one id, p *`user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== user_agent fields +=== user_agent The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string. 
@@ -3409,111 +3409,111 @@ They often show up in web service logs coming from the parsed user agent string. *`user_agent.device.name`*:: + -- +Name of the device. + type: keyword example: iPhone -Name of the device. - -- *`user_agent.name`*:: + -- +Name of the user agent. + type: keyword example: Safari -Name of the user agent. - -- *`user_agent.original`*:: + -- +Unparsed version of the user_agent. + type: keyword example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 -Unparsed version of the user_agent. - -- *`user_agent.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`user_agent.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`user_agent.os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`user_agent.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`user_agent.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`user_agent.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`user_agent.version`*:: + -- +Version of the user agent. + type: keyword example: 12.0 -Version of the user agent. - -- [[exported-fields-host-processor]] 
@@ -3527,34 +3527,34 @@ Info collected for the host machine. *`host.containerized`*:: + -- -type: boolean - If the host is a container. +type: boolean + -- *`host.os.build`*:: + -- -type: keyword +OS build information. -example: 18D109 -OS build information. +type: keyword +example: 18D109 -- *`host.os.codename`*:: + -- -type: keyword +OS codename, if any. -example: stretch -OS codename, if any. +type: keyword +example: stretch -- @@ -3565,7 +3565,7 @@ None [float] -== http fields +=== http HTTP related fields. @@ -3574,24 +3574,24 @@ HTTP related fields. *`http.url`*:: + -- -type: alias +Service url used by monitor. -alias to: url.full -Service url used by monitor. +type: alias +alias to: url.full -- [float] -== rtt fields +=== rtt HTTP layer round trip times. [float] -== validate fields +=== validate Duration between first byte of HTTP request being written and response being processed by validator. Duration based on already @@ -3606,14 +3606,14 @@ Note: if validator is not reading body or only a prefix, this *`http.rtt.validate.us`*:: + -- -type: long - Duration in microseconds +type: long + -- [float] -== validate_body fields +=== validate_body Duration of validator required to read and validate the response body. @@ -3627,14 +3627,14 @@ Note: if validator is not reading body or only a prefix, this *`http.rtt.validate_body.us`*:: + -- -type: long - Duration in microseconds +type: long + -- [float] -== write_request fields +=== write_request Duration of sending the complete HTTP request. Duration based on already available network connection. @@ -3642,14 +3642,14 @@ Duration of sending the complete HTTP request. Duration based on already availab *`http.rtt.write_request.us`*:: + -- -type: long - Duration in microseconds +type: long + -- [float] -== response_header fields +=== response_header Time required between sending the start of sending the HTTP request and first byte from HTTP response being read. Duration based on already available network connection. 
@@ -3657,23 +3657,23 @@ Time required between sending the start of sending the HTTP request and first by *`http.rtt.response_header.us`*:: + -- -type: long - Duration in microseconds +type: long + -- *`http.rtt.content.us`*:: + -- -type: long - Time required to retrieved the content in micro seconds. +type: long + -- [float] -== total fields +=== total Duration required to process the HTTP transaction. Starts with the initial TCP connection attempt. Ends with after validator @@ -3687,10 +3687,10 @@ Note: if validator is not reading body or only a prefix, this *`http.rtt.total.us`*:: + -- -type: long - Duration in microseconds +type: long + -- [[exported-fields-icmp]] @@ -3700,7 +3700,7 @@ None [float] -== icmp fields +=== icmp IP ping fields. @@ -3709,15 +3709,15 @@ IP ping fields. *`icmp.requests`*:: + -- -type: integer - Number if ICMP EchoRequests send. +type: integer + -- [float] -== rtt fields +=== rtt ICMP Echo Request and Reply round trip time @@ -3725,10 +3725,10 @@ ICMP Echo Request and Reply round trip time *`icmp.rtt.us`*:: + -- -type: long - Duration in microseconds +type: long + -- [[exported-fields-jolokia-autodiscover]] 
@@ -3741,71 +3741,71 @@ Metadata from Jolokia Discovery added by the jolokia provider. *`jolokia.agent.version`*:: + -- -type: keyword - Version number of jolokia agent. +type: keyword + -- *`jolokia.agent.id`*:: + -- -type: keyword - Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. +type: keyword + -- *`jolokia.server.product`*:: + -- -type: keyword - The container product if detected. +type: keyword + -- *`jolokia.server.version`*:: + -- -type: keyword - The container's version (if detected). +type: keyword + -- *`jolokia.server.vendor`*:: + -- -type: keyword - The vendor of the container the agent is running in. +type: keyword + -- *`jolokia.url`*:: + -- -type: keyword - The URL how this agent can be contacted. +type: keyword + -- *`jolokia.secured`*:: + -- -type: boolean - Whether the agent was configured for authentication or not. +type: boolean + -- [[exported-fields-kubernetes-processor]] 
@@ -3819,111 +3819,111 @@ Kubernetes metadata added by the kubernetes processor *`kubernetes.pod.name`*:: + -- -type: keyword - Kubernetes pod name +type: keyword + -- *`kubernetes.pod.uid`*:: + -- -type: keyword - Kubernetes Pod UID +type: keyword + -- *`kubernetes.namespace`*:: + -- -type: keyword - Kubernetes namespace +type: keyword + -- *`kubernetes.node.name`*:: + -- -type: keyword - Kubernetes node name +type: keyword + -- *`kubernetes.labels`*:: + -- -type: object - Kubernetes labels map +type: object + -- *`kubernetes.annotations`*:: + -- -type: object - Kubernetes annotations map +type: object + -- *`kubernetes.replicaset.name`*:: + -- -type: keyword - Kubernetes replicaset name +type: keyword + -- *`kubernetes.deployment.name`*:: + -- -type: keyword - Kubernetes deployment name +type: keyword + -- *`kubernetes.statefulset.name`*:: + -- -type: keyword - Kubernetes statefulset name +type: keyword + -- *`kubernetes.container.name`*:: + -- -type: keyword - Kubernetes container name +type: keyword + -- *`kubernetes.container.image`*:: + -- -type: keyword - Kubernetes container image +type: keyword + -- [[exported-fields-process]] @@ -3950,7 +3950,7 @@ None [float] -== resolve fields +=== resolve Host lookup fields. @@ -3959,27 +3959,27 @@ Host lookup fields. *`resolve.host`*:: + -- -type: alias +Hostname of service being monitored. -alias to: url.domain -Hostname of service being monitored. +type: alias +alias to: url.domain -- *`resolve.ip`*:: + -- -type: ip - IP address found for the given host. +type: ip + -- [float] -== rtt fields +=== rtt Duration required to resolve an IP from hostname. @@ -3987,10 +3987,10 @@ Duration required to resolve an IP from hostname. *`resolve.rtt.us`*:: + -- -type: long - Duration in microseconds +type: long + -- [[exported-fields-socks5]] 
@@ -4000,21 +4000,21 @@ None [float] -== socks5 fields +=== socks5 SOCKS5 proxy related fields: [float] -== rtt fields +=== rtt TLS layer round trip times. [float] -== connect fields +=== connect Time required to establish a connection via SOCKS5 to endpoint based on available connection to SOCKS5 proxy. @@ -4023,16 +4023,20 @@ Time required to establish a connection via SOCKS5 to endpoint based on availabl *`socks5.rtt.connect.us`*:: + -- -type: long - Duration in microseconds +type: long + -- [[exported-fields-summary]] +== Monitor summary fields + +None + [float] -== summary fields +=== summary Present in the last event emitted during a check. If a monitor checks multiple endpoints, as is the case with `mode: all`. @@ -4040,21 +4044,21 @@ Present in the last event emitted during a check. If a monitor checks multiple e *`summary.up`*:: + -- -type: integer - The number of endpoints that succeeded +type: integer + -- *`summary.down`*:: + -- -type: integer - The number of endpoints that failed +type: integer + -- [[exported-fields-tcp]] @@ -4064,7 +4068,7 @@ None [float] -== tcp fields +=== tcp TCP network layer related fields. @@ -4073,24 +4077,24 @@ TCP network layer related fields. *`tcp.port`*:: + -- -type: alias +Service port number. -alias to: url.port -Service port number. +type: alias +alias to: url.port -- [float] -== rtt fields +=== rtt TCP layer round trip times. [float] -== connect fields +=== connect Duration required to establish a TCP connection based on already available IP address. @@ -4099,14 +4103,14 @@ Duration required to establish a TCP connection based on already available IP ad *`tcp.rtt.connect.us`*:: + -- -type: long - Duration in microseconds +type: long + -- [float] -== validate fields +=== validate Duration of validation step based on existing TCP connection. 
@@ -4115,10 +4119,10 @@ Duration of validation step based on existing TCP connection. *`tcp.rtt.validate.us`*:: + -- -type: long - Duration in microseconds +type: long + -- [[exported-fields-tls]] @@ -4128,7 +4132,7 @@ None [float] -== tls fields +=== tls TLS layer related fields. @@ -4137,30 +4141,30 @@ TLS layer related fields. *`tls.certificate_not_valid_before`*:: + -- -type: date - Earliest time at which the connection's certificates are valid. +type: date + -- *`tls.certificate_not_valid_after`*:: + -- -type: date - Latest time at which the connection's certificates are valid. +type: date + -- [float] -== rtt fields +=== rtt TLS layer round trip times. [float] -== handshake fields +=== handshake Time required to finish TLS handshake based on already available network connection. @@ -4169,9 +4173,9 @@ Time required to finish TLS handshake based on already available network connect *`tls.rtt.handshake.us`*:: + -- -type: long - Duration in microseconds +type: long + -- diff --git a/heartbeat/include/fields.go b/heartbeat/include/fields.go index 013c73b7825..05ba44641f2 100644 --- a/heartbeat/include/fields.go +++ b/heartbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/journalbeat/docs/fields.asciidoc b/journalbeat/docs/fields.asciidoc index 91b4ebe85ee..0387ce5fe1b 100644 --- a/journalbeat/docs/fields.asciidoc +++ b/journalbeat/docs/fields.asciidoc @@ -33,10 +33,10 @@ Contains common beat fields available in all event types. *`agent.hostname`*:: + -- -type: keyword - Hostname of the agent. +type: keyword + -- *`beat.timezone`*:: @@ -51,15 +51,15 @@ alias to: event.timezone *`fields`*:: + -- -type: object - Contains user configurable fields. +type: object + -- [float] -== error fields +=== error Error fields containing additional info in case of errors. 
@@ -68,11 +68,11 @@ Error fields containing additional info in case of errors. *`error.type`*:: + -- -type: keyword - Error type. +type: keyword + -- *`beat.name`*:: @@ -96,10 +96,10 @@ alias to: agent.hostname *`timeseries.instance`*:: + -- -type: keyword - Time series instance id +type: keyword + -- [[exported-fields-cloud]] @@ -112,11 +112,11 @@ Metadata from cloud providers added by the add_cloud_metadata processor. *`cloud.project.id`*:: + -- -example: project-x - Name of the project in Google Cloud. +example: project-x + -- *`meta.cloud.provider`*:: @@ -190,7 +190,7 @@ Contains common fields available in all event types. [float] -== coredump fields +=== coredump Fields used by systemd-coredump kernel helper. @@ -199,39 +199,39 @@ Fields used by systemd-coredump kernel helper. *`coredump.unit`*:: + -- -type: keyword - Annotations of messages containing coredumps from system units. +type: keyword + -- *`coredump.user_unit`*:: + -- -type: keyword - Annotations of messages containing coredumps from user units. +type: keyword + -- [float] -== journald fields +=== journald Fields provided by journald. [float] -== object fields +=== object Fields to log on behalf of a different program. [float] -== audit fields +=== audit Audit fields of event. 
@@ -240,111 +240,111 @@ Audit fields of event. *`journald.object.audit.login_uid`*:: + -- +The login UID of the object process. + + type: long example: 1000 required: False -The login UID of the object process. - - -- *`journald.object.audit.session`*:: + -- +The audit session of the object process. + + type: long example: 3 required: False -The audit session of the object process. - - -- *`journald.object.cmd`*:: + -- +The command line of the process. + + type: keyword example: /lib/systemd/systemd --user required: False -The command line of the process. - - -- *`journald.object.name`*:: + -- +Name of the executable. + + type: keyword example: /lib/systemd/systemd required: False -Name of the executable. - - -- *`journald.object.executable`*:: + -- +Path to the the executable. + + type: keyword example: /lib/systemd/systemd required: False -Path to the the executable. - - -- *`journald.object.uid`*:: + -- -type: long +UID of the object process. -required: False -UID of the object process. +type: long +required: False -- *`journald.object.gid`*:: + -- -type: long +GID of the object process. -required: False -GID of the object process. +type: long +required: False -- *`journald.object.pid`*:: + -- -type: long +PID of the object process. -required: False -PID of the object process. +type: long +required: False -- [float] -== systemd fields +=== systemd Systemd fields of event. 
@@ -353,53 +353,53 @@ Systemd fields of event. *`journald.object.systemd.owner_uid`*:: + -- -type: long +The UID of the owner. -required: False -The UID of the owner. +type: long +required: False -- *`journald.object.systemd.session`*:: + -- -type: keyword +The ID of the systemd session. -required: False -The ID of the systemd session. +type: keyword +required: False -- *`journald.object.systemd.unit`*:: + -- -type: keyword +The name of the systemd unit. -required: False -The name of the systemd unit. +type: keyword +required: False -- *`journald.object.systemd.user_unit`*:: + -- -type: keyword +The name of the systemd user unit. -required: False -The name of the systemd user unit. +type: keyword +required: False -- [float] -== kernel fields +=== kernel Fields to log on behalf of a different program. @@ -408,65 +408,65 @@ Fields to log on behalf of a different program. *`journald.kernel.device`*:: + -- -type: keyword +The kernel device name. -required: False -The kernel device name. +type: keyword +required: False -- *`journald.kernel.subsystem`*:: + -- -type: keyword +The kernel subsystem name. -required: False -The kernel subsystem name. +type: keyword +required: False -- *`journald.kernel.device_symlinks`*:: + -- -type: keyword +Additional symlink names pointing to the device node in /dev. -required: False -Additional symlink names pointing to the device node in /dev. +type: keyword +required: False -- *`journald.kernel.device_node_path`*:: + -- -type: keyword +The device node path of this device in /dev. -required: False -The device node path of this device in /dev. +type: keyword +required: False -- *`journald.kernel.device_name`*:: + -- -type: keyword +The kernel device name as it shows up in the device tree below /sys. -required: False -The kernel device name as it shows up in the device tree below /sys. +type: keyword +required: False -- [float] -== code fields +=== code Fields of the code generating the event. 
@@ -475,54 +475,54 @@ Fields of the code generating the event. *`journald.code.file`*:: + -- +The name of the source file where the log is generated. + + type: keyword example: ../src/core/manager.c required: False -The name of the source file where the log is generated. - - -- *`journald.code.function`*:: + -- +The name of the function which generated the log message. + + type: keyword example: job_log_status_message required: False -The name of the function which generated the log message. - - -- *`journald.code.line`*:: + -- +The line number of the code which generated the log message. + + type: long example: 123 required: False -The line number of the code which generated the log message. - - -- [float] -== process fields +=== process Fields to log on behalf of a different program. [float] -== audit fields +=== audit Audit fields of event. 
@@ -531,127 +531,127 @@ Audit fields of event. *`journald.process.audit.loginuid`*:: + -- +The login UID of the source process. + + type: long example: 1000 required: False -The login UID of the source process. - - -- *`journald.process.audit.session`*:: + -- +The audit session of the source process. + + type: long example: 3 required: False -The audit session of the source process. - - -- *`journald.process.cmd`*:: + -- +The command line of the process. + + type: keyword example: /lib/systemd/systemd --user required: False -The command line of the process. - - -- *`journald.process.name`*:: + -- +Name of the executable. + + type: keyword example: /lib/systemd/systemd required: False -Name of the executable. - - -- *`journald.process.executable`*:: + -- +Path to the the executable. + + type: keyword example: /lib/systemd/systemd required: False -Path to the the executable. - - -- *`journald.process.pid`*:: + -- +The ID of the process which logged the message. + + type: long example: 1 required: False -The ID of the process which logged the message. - - -- *`journald.process.gid`*:: + -- +The ID of the group which runs the process. + + type: long example: 1 required: False -The ID of the group which runs the process. - - -- *`journald.process.uid`*:: + -- +The ID of the user which runs the process. + + type: long example: 1 required: False -The ID of the user which runs the process. - - -- *`journald.process.capabilites`*:: + -- -required: False - The effective capabilites of the process. +required: False + -- [float] -== systemd fields +=== systemd Fields of systemd. 
@@ -660,125 +660,125 @@ Fields of systemd. *`systemd.invocation_id`*:: + -- +The invocation ID for the runtime cycle of the unit the message was generated in. + + type: keyword example: 8450f1672de646c88cd133aadd4f2d70 required: False -The invocation ID for the runtime cycle of the unit the message was generated in. - - -- *`systemd.cgroup`*:: + -- +The control group path in the systemd hierarchy. + + type: keyword example: /user.slice/user-1234.slice/session-2.scope required: False -The control group path in the systemd hierarchy. - - -- *`systemd.owner_uid`*:: + -- -type: long +The owner UID of the systemd user unit or systemd session. -required: False -The owner UID of the systemd user unit or systemd session. +type: long +required: False -- *`systemd.session`*:: + -- -type: keyword +The ID of the systemd session. -required: False -The ID of the systemd session. +type: keyword +required: False -- *`systemd.slice`*:: + -- +The systemd slice unit. + + type: keyword example: user-1234.slice required: False -The systemd slice unit. - - -- *`systemd.user_slice`*:: + -- -type: keyword +The systemd user slice unit. -required: False -The systemd user slice unit. +type: keyword +required: False -- *`systemd.unit`*:: + -- +The name of the systemd unit. + + type: keyword example: nginx.service required: False -The name of the systemd unit. - - -- *`systemd.user_unit`*:: + -- +The name of the systemd user unit. + + type: keyword example: user-1234.slice required: False -The name of the systemd user unit. - - -- *`systemd.transport`*:: + -- +How the log message was received by journald. + + type: keyword example: syslog required: True -How the log message was received by journald. - - -- [float] -== host fields +=== host Fields of the host. 
@@ -787,19 +787,19 @@ Fields of the host. *`host.boot_id`*:: + -- -type: keyword +The boot ID for the boot the log was generated in. -example: dd8c974asdf01dbe2ef26d7fasdf264c9 -required: False +type: keyword -The boot ID for the boot the log was generated in. +example: dd8c974asdf01dbe2ef26d7fasdf264c9 +required: False -- [float] -== syslog fields +=== syslog Fields of the code generating the event. @@ -808,54 +808,54 @@ Fields of the code generating the event. *`syslog.priority`*:: + -- +The priority of the message. A syslog compatibility field. + + type: long example: 1 required: False -The priority of the message. A syslog compatibility field. - - -- *`syslog.facility`*:: + -- +The facility of the message. A syslog compatibility field. + + type: long example: 1 required: False -The facility of the message. A syslog compatibility field. - - -- *`syslog.identifier`*:: + -- +The identifier of the message. A syslog compatibility field. + + type: keyword example: su required: False -The identifier of the message. A syslog compatibility field. - - -- *`custom`*:: + -- -type: nested +Arbitrary fields coming from processes. -required: False -Arbitrary fields coming from processes. +type: nested +required: False -- @@ -873,11 +873,11 @@ alias to: event.created *`container.log.tag`*:: + -- -type: keyword - User defined tag of a container. +type: keyword + -- [[exported-fields-docker-processor]] @@ -918,11 +918,11 @@ alias to: container.name *`docker.container.labels`*:: + -- -type: object - Image labels. +type: object + -- [[exported-fields-ecs]] 
@@ -934,58 +934,58 @@ ECS Fields. *`@timestamp`*:: + -- +Date/time when the event originated. +This is the date/time extracted from the event, typically representing when the event was generated by the source. +If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. +Required field for all events. + type: date example: 2016-05-23T08:05:34.853Z required: True -Date/time when the event originated. -This is the date/time extracted from the event, typically representing when the event was generated by the source. -If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. -Required field for all events. - -- *`labels`*:: + -- -type: object - -example: {'application': 'foo-bar', 'env': 'production'} - Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. +type: object + +example: {'application': 'foo-bar', 'env': 'production'} + -- *`message`*:: + -- -type: text - -example: Hello World - For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. +type: text + +example: Hello World + -- *`tags`*:: + -- +List of keywords used to tag each event. + type: keyword example: ["production", "env2"] -List of keywords used to tag each event. - -- [float] -== agent fields +=== agent The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. 
ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. 
@@ -994,65 +994,65 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha *`agent.ephemeral_id`*:: + -- +Ephemeral identifier of this agent (if one exists). +This id normally changes across restarts, but `agent.id` does not. + type: keyword example: 8a4f500f -Ephemeral identifier of this agent (if one exists). -This id normally changes across restarts, but `agent.id` does not. - -- *`agent.id`*:: + -- +Unique identifier of this agent (if one exists). +Example: For Beats this would be beat.id. + type: keyword example: 8a4f500d -Unique identifier of this agent (if one exists). -Example: For Beats this would be beat.id. - -- *`agent.name`*:: + -- -type: keyword - -example: foo - Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. +type: keyword + +example: foo + -- *`agent.type`*:: + -- +Type of the agent. +The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. + type: keyword example: filebeat -Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. - -- *`agent.version`*:: + -- +Version of the agent. + type: keyword example: 6.0.0-rc2 -Version of the agent. - -- [float] -== client fields +=== client A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). 
For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. 
@@ -1062,234 +1062,234 @@ Client / server representations can add semantic context to an exchange, which i *`client.address`*:: + -- -type: keyword - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`client.bytes`*:: + -- +Bytes sent from the client to the server. + type: long example: 184 format: bytes -Bytes sent from the client to the server. - -- *`client.domain`*:: + -- -type: keyword - Client domain. +type: keyword + -- *`client.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`client.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`client.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`client.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`client.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`client.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`client.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`client.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`client.ip`*:: + -- -type: ip - IP address of the client. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`client.mac`*:: + -- -type: keyword - MAC address of the client. +type: keyword + -- *`client.packets`*:: + -- +Packets sent from the client to the server. + type: long example: 12 -Packets sent from the client to the server. - -- *`client.port`*:: + -- -type: long - Port of the client. +type: long + -- *`client.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`client.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`client.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`client.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`client.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`client.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`client.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== cloud fields +=== cloud Fields related to the cloud or infrastructure the events are coming from. 
@@ -1297,81 +1297,81 @@ Fields related to the cloud or infrastructure the events are coming from. *`cloud.account.id`*:: + -- +The cloud account or organization id used to identify different entities in a multi-tenant environment. +Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + type: keyword example: 666777888999 -The cloud account or organization id used to identify different entities in a multi-tenant environment. -Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - -- *`cloud.availability_zone`*:: + -- +Availability zone in which this host is running. + type: keyword example: us-east-1c -Availability zone in which this host is running. - -- *`cloud.instance.id`*:: + -- +Instance ID of the host machine. + type: keyword example: i-1234567890abcdef0 -Instance ID of the host machine. - -- *`cloud.instance.name`*:: + -- -type: keyword - Instance name of the host machine. +type: keyword + -- *`cloud.machine.type`*:: + -- +Machine type of the host machine. + type: keyword example: t2.medium -Machine type of the host machine. - -- *`cloud.provider`*:: + -- +Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + type: keyword example: aws -Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - -- *`cloud.region`*:: + -- +Region in which this host is running. + type: keyword example: us-east-1 -Region in which this host is running. - -- [float] -== container fields +=== container Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime. 
@@ -1380,61 +1380,61 @@ These fields help correlate data based containers from any runtime. *`container.id`*:: + -- -type: keyword - Unique container id. +type: keyword + -- *`container.image.name`*:: + -- -type: keyword - Name of the image the container was built on. +type: keyword + -- *`container.image.tag`*:: + -- -type: keyword - Container image tag. +type: keyword + -- *`container.labels`*:: + -- -type: object - Image labels. +type: object + -- *`container.name`*:: + -- -type: keyword - Container name. +type: keyword + -- *`container.runtime`*:: + -- +Runtime managing this container. + type: keyword example: docker -Runtime managing this container. - -- [float] -== destination fields +=== destination Destination fields describe details about the destination of a packet/event. Destination fields are usually populated in conjunction with source fields. 
@@ -1443,234 +1443,234 @@ Destination fields are usually populated in conjunction with source fields. *`destination.address`*:: + -- -type: keyword - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`destination.bytes`*:: + -- +Bytes sent from the destination to the source. + type: long example: 184 format: bytes -Bytes sent from the destination to the source. - -- *`destination.domain`*:: + -- -type: keyword - Destination domain. +type: keyword + -- *`destination.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`destination.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`destination.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`destination.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`destination.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`destination.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`destination.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`destination.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`destination.ip`*:: + -- -type: ip - IP address of the destination. 
Can be one or multiple IPv4 or IPv6 addresses. +type: ip + -- *`destination.mac`*:: + -- -type: keyword - MAC address of the destination. +type: keyword + -- *`destination.packets`*:: + -- +Packets sent from the destination to the source. + type: long example: 12 -Packets sent from the destination to the source. - -- *`destination.port`*:: + -- -type: long - Port of the destination. +type: long + -- *`destination.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`destination.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`destination.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`destination.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`destination.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`destination.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`destination.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== ecs fields +=== ecs Meta-information specific to ECS. 
@@ -1678,19 +1678,19 @@ Meta-information specific to ECS. *`ecs.version`*:: + -- +ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. +When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + type: keyword example: 1.0.0 required: True -ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. -When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - -- [float] -== error fields +=== error These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. @@ -1699,32 +1699,32 @@ Use them for errors that happen while fetching events or in cases where the even *`error.code`*:: + -- -type: keyword - Error code describing the error. +type: keyword + -- *`error.id`*:: + -- -type: keyword - Unique identifier for the error. +type: keyword + -- *`error.message`*:: + -- -type: text - Error message. +type: text + -- [float] -== event fields +=== event The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. 
@@ -1733,203 +1733,203 @@ A log is defined as an event containing details of something that happened. Log *`event.action`*:: + -- +The action captured by the event. +This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + type: keyword example: user-password-change -The action captured by the event. -This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - -- *`event.category`*:: + -- +Event category. +This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: user-management -Event category. -This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.created`*:: + -- -type: date - event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
+type: date + -- *`event.dataset`*:: + -- +Name of the dataset. +The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. + type: keyword example: stats -Name of the dataset. -The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. - -- *`event.duration`*:: + -- +Duration of the event in nanoseconds. +If event.start and event.end are known this value should be the difference between the end and start time. + type: long format: duration -Duration of the event in nanoseconds. -If event.start and event.end are known this value should be the difference between the end and start time. - -- *`event.end`*:: + -- -type: date - event.end contains the date when the event ended or when the activity was last observed. +type: date + -- *`event.hash`*:: + -- +Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. + type: keyword example: 123456789012345678901234567890ABCD -Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. - -- *`event.id`*:: + -- +Unique ID to describe the event. + type: keyword example: 8a4f500d -Unique ID to describe the event. - -- *`event.kind`*:: + -- +The kind of the event. +This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: state -The kind of the event. -This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. 
Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.module`*:: + -- +Name of the module this data is coming from. +This information is coming from the modules used in Beats or Logstash. + type: keyword example: mysql -Name of the module this data is coming from. -This information is coming from the modules used in Beats or Logstash. - -- *`event.original`*:: + -- +Raw text message of entire event. Used to demonstrate log integrity. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. + type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 -Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. - -- *`event.outcome`*:: + -- +The outcome of the event. +If the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: success -The outcome of the event. -If the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.risk_score`*:: + -- -type: float - Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +type: float + -- *`event.risk_score_norm`*:: + -- -type: float - Normalized risk score or priority of the event, on a scale of 0 to 100. 
This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. +type: float + -- *`event.severity`*:: + -- +Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events. + type: long example: 7 -Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events. - -- *`event.start`*:: + -- -type: date - event.start contains the date when the event started or when the activity was first observed. +type: date + -- *`event.timezone`*:: + -- -type: keyword - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). +type: keyword + -- *`event.type`*:: + -- -type: keyword - Reserved for future usage. Please avoid using this field for user data. +type: keyword + -- [float] -== file fields +=== file A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. 
@@ -1938,136 +1938,136 @@ File objects can be associated with host events, network events, and/or file eve *`file.ctime`*:: + -- -type: date - Last time file metadata changed. +type: date + -- *`file.device`*:: + -- -type: keyword - Device that is the source of the file. +type: keyword + -- *`file.extension`*:: + -- +File extension. +This should allow easy filtering by file extensions. + type: keyword example: png -File extension. -This should allow easy filtering by file extensions. - -- *`file.gid`*:: + -- -type: keyword - Primary group ID (GID) of the file. +type: keyword + -- *`file.group`*:: + -- -type: keyword - Primary group name of the file. +type: keyword + -- *`file.inode`*:: + -- -type: keyword - Inode representing the file in the filesystem. +type: keyword + -- *`file.mode`*:: + -- +Mode of the file in octal representation. + type: keyword example: 416 -Mode of the file in octal representation. - -- *`file.mtime`*:: + -- -type: date - Last time file content was modified. +type: date + -- *`file.owner`*:: + -- -type: keyword - File owner's username. +type: keyword + -- *`file.path`*:: + -- -type: keyword - Path to the file. +type: keyword + -- *`file.size`*:: + -- -type: long - File size in bytes (field is only added when `type` is `file`). +type: long + -- *`file.target_path`*:: + -- -type: keyword - Target path for symlinks. +type: keyword + -- *`file.type`*:: + -- -type: keyword - File type (file, dir, or symlink). +type: keyword + -- *`file.uid`*:: + -- -type: keyword - The user ID (UID) or security identifier (SID) of the file owner. +type: keyword + -- [float] -== geo fields +=== geo Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. 
@@ -2076,95 +2076,95 @@ This geolocation information can be derived from techniques such as Geo IP, or b *`geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- [float] -== group fields +=== group The group fields are meant to represent groups that are relevant to the event. @@ -2172,23 +2172,23 @@ The group fields are meant to represent groups that are relevant to the event. *`group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- [float] -== host fields +=== host A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. 
@@ -2197,299 +2197,299 @@ ECS host.* fields should be populated with details about the host on which the e *`host.architecture`*:: + -- +Operating system architecture. + type: keyword example: x86_64 -Operating system architecture. - -- *`host.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`host.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`host.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`host.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`host.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`host.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`host.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`host.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`host.hostname`*:: + -- -type: keyword - Hostname of the host. It normally contains what the `hostname` command returns on the host machine. +type: keyword + -- *`host.id`*:: + -- -type: keyword - Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. +type: keyword + -- *`host.ip`*:: + -- -type: ip - Host ip address. +type: ip + -- *`host.mac`*:: + -- -type: keyword - Host mac address. +type: keyword + -- *`host.name`*:: + -- -type: keyword - Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. +type: keyword + -- *`host.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`host.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`host.os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`host.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`host.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`host.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`host.type`*:: + -- -type: keyword - Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. +type: keyword + -- *`host.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`host.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`host.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`host.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`host.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. 
Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`host.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`host.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== http fields +=== http Fields related to HTTP activity. Use the `url` field set to store the url of the request. 
@@ -2497,124 +2497,124 @@ Fields related to HTTP activity. Use the `url` field set to store the url of the *`http.request.body.bytes`*:: + -- +Size in bytes of the request body. + type: long example: 887 format: bytes -Size in bytes of the request body. - -- *`http.request.body.content`*:: + -- +The full HTTP request body. + type: keyword example: Hello world -The full HTTP request body. - -- *`http.request.bytes`*:: + -- +Total size in bytes of the request (body and headers). + type: long example: 1437 format: bytes -Total size in bytes of the request (body and headers). - -- *`http.request.method`*:: + -- +HTTP request method. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: get, post, put -HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`http.request.referrer`*:: + -- +Referrer for this HTTP request. + type: keyword example: https://blog.example.com/ -Referrer for this HTTP request. - -- *`http.response.body.bytes`*:: + -- +Size in bytes of the response body. + type: long example: 887 format: bytes -Size in bytes of the response body. - -- *`http.response.body.content`*:: + -- +The full HTTP response body. + type: keyword example: Hello world -The full HTTP response body. - -- *`http.response.bytes`*:: + -- +Total size in bytes of the response (body and headers). + type: long example: 1437 format: bytes -Total size in bytes of the response (body and headers). - -- *`http.response.status_code`*:: + -- +HTTP response status code. + type: long example: 404 -HTTP response status code. - -- *`http.version`*:: + -- +HTTP version. + type: keyword example: 1.1 -HTTP version. - -- [float] -== log fields +=== log Fields which are specific to log events. 
@@ -2622,30 +2622,30 @@ Fields which are specific to log events. *`log.level`*:: + -- +Original log level of the log event. +Some examples are `warn`, `error`, `i`. + type: keyword example: err -Original log level of the log event. -Some examples are `warn`, `error`, `i`. - -- *`log.original`*:: + -- -type: keyword - -example: Sep 19 08:26:10 localhost My log - This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. +type: keyword + +example: Sep 19 08:26:10 localhost My log + -- [float] -== network fields +=== network The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event. 
@@ -2654,48 +2654,44 @@ The network.* fields should be populated with details about the network activity *`network.application`*:: + -- +A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: aim -A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`network.bytes`*:: + -- +Total bytes transferred in both directions. +If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + type: long example: 368 format: bytes -Total bytes transferred in both directions. -If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - -- *`network.community_id`*:: + -- +A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. +Learn more at https://github.com/corelight/community-id-spec. + type: keyword example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= -A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. -Learn more at https://github.com/corelight/community-id-spec. - -- *`network.direction`*:: + -- -type: keyword - -example: inbound - Direction of the network traffic. 
Recommended values are: * inbound 
@@ -2707,91 +2703,95 @@ Recommended values are: When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. +type: keyword + +example: inbound + -- *`network.forwarded_ip`*:: + -- +Host IP address when the source IP address is the proxy. + type: ip example: 192.1.1.2 -Host IP address when the source IP address is the proxy. - -- *`network.iana_number`*:: + -- +IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + type: keyword example: 6 -IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - -- *`network.name`*:: + -- +Name given by operators to sections of their network. + type: keyword example: Guest Wifi -Name given by operators to sections of their network. - -- *`network.packets`*:: + -- +Total packets transferred in both directions. +If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + type: long example: 24 -Total packets transferred in both directions. -If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - -- *`network.protocol`*:: + -- +L7 Network protocol name. ex. http, lumberjack, transport protocol. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: http -L7 Network protocol name. ex. http, lumberjack, transport protocol. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". 
- -- *`network.transport`*:: + -- +Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: tcp -Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`network.type`*:: + -- +In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: ipv4 -In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- [float] -== observer fields +=== observer An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. 
@@ -2800,227 +2800,227 @@ This could be a custom hardware appliance or a server that has been configured t *`observer.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`observer.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`observer.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`observer.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`observer.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`observer.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`observer.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`observer.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`observer.hostname`*:: + -- -type: keyword - Hostname of the observer. +type: keyword + -- *`observer.ip`*:: + -- -type: ip - IP address of the observer. +type: ip + -- *`observer.mac`*:: + -- -type: keyword - MAC address of the observer +type: keyword + -- *`observer.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`observer.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`observer.os.kernel`*:: + -- +Operating system kernel version as a raw string. 
+ type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`observer.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`observer.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`observer.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`observer.serial_number`*:: + -- -type: keyword - Observer serial number. +type: keyword + -- *`observer.type`*:: + -- +The type of the observer the data is coming from. +There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + type: keyword example: firewall -The type of the observer the data is coming from. -There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - -- *`observer.vendor`*:: + -- -type: keyword - observer vendor information. +type: keyword + -- *`observer.version`*:: + -- -type: keyword - Observer version. +type: keyword + -- [float] -== organization fields +=== organization The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations. @@ -3029,23 +3029,23 @@ These fields help you arrange or filter data stored in an index by one or multip *`organization.id`*:: + -- -type: keyword - Unique identifier for the organization. +type: keyword + -- *`organization.name`*:: + -- -type: keyword - Organization name. +type: keyword + -- [float] -== os fields +=== os The OS fields contain information about the operating system. 
@@ -3053,71 +3053,71 @@ The OS fields contain information about the operating system. *`os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- [float] -== process fields +=== process These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. 
@@ -3126,101 +3126,101 @@ These fields can help you correlate metrics information with a process id/name f *`process.args`*:: + -- +Array of process arguments. +May be filtered to protect sensitive information. + type: keyword example: ['ssh', '-l', 'user', '10.0.0.16'] -Array of process arguments. -May be filtered to protect sensitive information. - -- *`process.executable`*:: + -- +Absolute path to the process executable. + type: keyword example: /usr/bin/ssh -Absolute path to the process executable. - -- *`process.name`*:: + -- +Process name. +Sometimes called program name or similar. + type: keyword example: ssh -Process name. -Sometimes called program name or similar. - -- *`process.pid`*:: + -- -type: long - Process id. +type: long + -- *`process.ppid`*:: + -- -type: long - Process parent id. +type: long + -- *`process.start`*:: + -- +The time the process started. + type: date example: 2016-05-23T08:05:34.853Z -The time the process started. - -- *`process.thread.id`*:: + -- +Thread ID. + type: long example: 4242 -Thread ID. - -- *`process.title`*:: + -- -type: keyword - Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. +type: keyword + -- *`process.working_directory`*:: + -- +The working directory of the process. + type: keyword example: /home/alice -The working directory of the process. - -- [float] -== related fields +=== related This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. 
@@ -3230,14 +3230,14 @@ A concrete example is IP addresses, which can be under host, observer, source, d *`related.ip`*:: + -- -type: ip - All of the IPs seen on your event. +type: ip + -- [float] -== server fields +=== server A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. 
@@ -3247,234 +3247,234 @@ Client / server representations can add semantic context to an exchange, which i *`server.address`*:: + -- -type: keyword - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`server.bytes`*:: + -- +Bytes sent from the server to the client. + type: long example: 184 format: bytes -Bytes sent from the server to the client. - -- *`server.domain`*:: + -- -type: keyword - Server domain. +type: keyword + -- *`server.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`server.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`server.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`server.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`server.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`server.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`server.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`server.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`server.ip`*:: + -- -type: ip - IP address of the server. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`server.mac`*:: + -- -type: keyword - MAC address of the server. +type: keyword + -- *`server.packets`*:: + -- +Packets sent from the server to the client. + type: long example: 12 -Packets sent from the server to the client. - -- *`server.port`*:: + -- -type: long - Port of the server. +type: long + -- *`server.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`server.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`server.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`server.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`server.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`server.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`server.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== service fields +=== service The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version. 
@@ -3483,78 +3483,78 @@ These fields help you find and correlate logs for a specific service and version *`service.ephemeral_id`*:: + -- +Ephemeral identifier of this service (if one exists). +This id normally changes across restarts, but `service.id` does not. + type: keyword example: 8a4f500f -Ephemeral identifier of this service (if one exists). -This id normally changes across restarts, but `service.id` does not. - -- *`service.id`*:: + -- -type: keyword - -example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - Unique identifier of the running service. This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance. +type: keyword + +example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + -- *`service.name`*:: + -- -type: keyword - -example: elasticsearch-metrics - Name of the service data is collected from. The name of the service is normally user given. This allows if two instances of the same service are running on the same machine they can be differentiated by the `service.name`. Also it allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the `service.type` field if no name is specified. +type: keyword + +example: elasticsearch-metrics + -- *`service.state`*:: + -- -type: keyword - Current state of the service. +type: keyword + -- *`service.type`*:: + -- -type: keyword - -example: elasticsearch - The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
+type: keyword + +example: elasticsearch + -- *`service.version`*:: + -- +Version of the service the data was collected from. +This allows to look at a data set only for a specific version of a service. + type: keyword example: 3.2.4 -Version of the service the data was collected from. -This allows to look at a data set only for a specific version of a service. - -- [float] -== source fields +=== source Source fields describe details about the source of a packet/event. Source fields are usually populated in conjunction with destination fields. 
@@ -3563,234 +3563,234 @@ Source fields are usually populated in conjunction with destination fields. *`source.address`*:: + -- -type: keyword - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`source.bytes`*:: + -- +Bytes sent from the source to the destination. + type: long example: 184 format: bytes -Bytes sent from the source to the destination. - -- *`source.domain`*:: + -- -type: keyword - Source domain. +type: keyword + -- *`source.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`source.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`source.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`source.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`source.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`source.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`source.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`source.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`source.ip`*:: + -- -type: ip - IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`source.mac`*:: + -- -type: keyword - MAC address of the source. +type: keyword + -- *`source.packets`*:: + -- +Packets sent from the source to the destination. + type: long example: 12 -Packets sent from the source to the destination. - -- *`source.port`*:: + -- -type: long - Port of the source. +type: long + -- *`source.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`source.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`source.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`source.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`source.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`source.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`source.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== url fields +=== url URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. 
@@ -3798,111 +3798,111 @@ URL fields provide support for complete or partial URLs, and supports the breaki *`url.domain`*:: + -- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + type: keyword example: www.elastic.co -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - -- *`url.fragment`*:: + -- -type: keyword - Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. +type: keyword + -- *`url.full`*:: + -- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - -- *`url.original`*:: + -- -type: keyword - -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + -- *`url.password`*:: + -- -type: keyword - Password of the request. +type: keyword + -- *`url.path`*:: + -- -type: keyword - Path of the request, such as "/search". +type: keyword + -- *`url.port`*:: + -- +Port of the request, such as 443. + type: long example: 443 -Port of the request, such as 443. 
- -- *`url.query`*:: + -- -type: keyword - The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. +type: keyword + -- *`url.scheme`*:: + -- +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. + type: keyword example: https -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. - -- *`url.username`*:: + -- -type: keyword - Username of the request. +type: keyword + -- [float] -== user fields +=== user The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. 
@@ -3911,73 +3911,73 @@ Fields can have one entry or multiple entries. If a user has more than one id, p *`user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== user_agent fields +=== user_agent The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string. 
@@ -3986,111 +3986,111 @@ They often show up in web service logs coming from the parsed user agent string. *`user_agent.device.name`*:: + -- +Name of the device. + type: keyword example: iPhone -Name of the device. - -- *`user_agent.name`*:: + -- +Name of the user agent. + type: keyword example: Safari -Name of the user agent. - -- *`user_agent.original`*:: + -- +Unparsed version of the user_agent. + type: keyword example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 -Unparsed version of the user_agent. - -- *`user_agent.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`user_agent.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`user_agent.os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`user_agent.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`user_agent.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`user_agent.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`user_agent.version`*:: + -- +Version of the user agent. + type: keyword example: 12.0 -Version of the user agent. - -- [[exported-fields-host-processor]] 
@@ -4104,34 +4104,34 @@ Info collected for the host machine. *`host.containerized`*:: + -- -type: boolean - If the host is a container. +type: boolean + -- *`host.os.build`*:: + -- -type: keyword +OS build information. -example: 18D109 -OS build information. +type: keyword +example: 18D109 -- *`host.os.codename`*:: + -- -type: keyword +OS codename, if any. -example: stretch -OS codename, if any. +type: keyword +example: stretch -- @@ -4145,71 +4145,71 @@ Metadata from Jolokia Discovery added by the jolokia provider. *`jolokia.agent.version`*:: + -- -type: keyword - Version number of jolokia agent. +type: keyword + -- *`jolokia.agent.id`*:: + -- -type: keyword - Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. +type: keyword + -- *`jolokia.server.product`*:: + -- -type: keyword - The container product if detected. +type: keyword + -- *`jolokia.server.version`*:: + -- -type: keyword - The container's version (if detected). +type: keyword + -- *`jolokia.server.vendor`*:: + -- -type: keyword - The vendor of the container the agent is running in. +type: keyword + -- *`jolokia.url`*:: + -- -type: keyword - The URL how this agent can be contacted. +type: keyword + -- *`jolokia.secured`*:: + -- -type: boolean - Whether the agent was configured for authentication or not. +type: boolean + -- [[exported-fields-kubernetes-processor]] 
@@ -4223,111 +4223,111 @@ Kubernetes metadata added by the kubernetes processor *`kubernetes.pod.name`*:: + -- -type: keyword - Kubernetes pod name +type: keyword + -- *`kubernetes.pod.uid`*:: + -- -type: keyword - Kubernetes Pod UID +type: keyword + -- *`kubernetes.namespace`*:: + -- -type: keyword - Kubernetes namespace +type: keyword + -- *`kubernetes.node.name`*:: + -- -type: keyword - Kubernetes node name +type: keyword + -- *`kubernetes.labels`*:: + -- -type: object - Kubernetes labels map +type: object + -- *`kubernetes.annotations`*:: + -- -type: object - Kubernetes annotations map +type: object + -- *`kubernetes.replicaset.name`*:: + -- -type: keyword - Kubernetes replicaset name +type: keyword + -- *`kubernetes.deployment.name`*:: + -- -type: keyword - Kubernetes deployment name +type: keyword + -- *`kubernetes.statefulset.name`*:: + -- -type: keyword - Kubernetes statefulset name +type: keyword + -- *`kubernetes.container.name`*:: + -- -type: keyword - Kubernetes container name +type: keyword + -- *`kubernetes.container.image`*:: + -- -type: keyword - Kubernetes container image +type: keyword + -- [[exported-fields-process]] diff --git a/libbeat/scripts/generate_fields_docs.py b/libbeat/scripts/generate_fields_docs.py index 4355fe32ba0..06fdd2399ea 100644 --- a/libbeat/scripts/generate_fields_docs.py +++ b/libbeat/scripts/generate_fields_docs.py 
@@ -13,11 +13,15 @@ def document_fields(output, section, sections, path): output.write("{}\n".format(section["prefix"])) # Intermediate level titles - if "description" in section and "prefix" not in section and "anchor" not in section: + if ("description" in section and "prefix" not in section and + "anchor" not in section): output.write("[float]\n") if "description" in section: - output.write("== {} fields\n\n".format(section["name"])) + if "anchor" in section: + output.write("== {} fields\n\n".format(section["name"])) + else: + output.write("=== {}\n\n".format(section["name"])) output.write("{}\n\n".format(section["description"])) if "fields" not in section or not section["fields"]: @@ -51,6 +55,8 @@ def document_field(output, field, field_path): if "deprecated" in field: output.write("\ndeprecated[{}]\n\n".format(field["deprecated"])) + if "description" in field: + output.write("{}\n\n".format(field["description"])) if "type" in field: output.write("type: {}\n\n".format(field["type"])) if "example" in field: @@ -61,8 +67,6 @@ def document_field(output, field, field_path): output.write("required: {}\n\n".format(field["required"])) if "path" in field: output.write("alias to: {}\n\n".format(field["path"])) - if "description" in field: - output.write("{}\n\n".format(field["description"])) if "index" in field: if not field["index"]: @@ -72,10 +76,12 @@ def document_field(output, field, field_path): if not field["enabled"]: output.write("{}\n\n".format("Object is not enabled.")) + output.write("--\n\n") + if "multi_fields" in field: for subfield in field["multi_fields"]: - document_field(output, subfield, field_path + "." + subfield["name"]) - output.write("--\n\n") + document_field(output, subfield, field_path + "." + + subfield["name"]) def fields_to_asciidoc(input, output, beat): 
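Review bot: The new heading logic in document_fields tests `"description" in section` twice in a row (once to gate `[float]`, once to choose the heading), which makes the relationship between the `[float]` marker and the `===` heading harder to see than it needs to be. Folding the `[float]` write into the `else` branch of the new `if "anchor" in section:` keeps the same output for every combination of `description`/`prefix`/`anchor` while reading as one decision. document_fields starts before this hunk and continues after it.

```python
    if "description" in section:
        if "anchor" in section:
            output.write("== {} fields\n\n".format(section["name"]))
        else:
            # Intermediate level titles
            if "prefix" not in section:
                output.write("[float]\n")
            output.write("=== {}\n\n".format(section["name"]))
        output.write("{}\n\n".format(section["description"]))
    # … unchanged: empty-fields early return …
```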
@@ -113,8 +119,9 @@ def fields_to_asciidoc(input, output, beat): for field in section["fields"]: name = field["name"] if name in fields: - assert field["type"] == fields[name]["type"], 'field "{}" redefined with different type "{}"'.format( - name, field["type"]) + assert field["type"] == (fields[name]["type"], + 'field "{}" redefined with different type "{}"'.format( + name, field["type"])) fields[name].update(field) else: fields[name] = field @@ -146,8 +153,10 @@ def fields_to_asciidoc(input, output, beat): description="Generates the documentation for a Beat.") parser.add_argument("fields", help="Path to fields.yml") parser.add_argument("beattitle", help="The beat title") - parser.add_argument("es_beats", help="The path to the general beats folder") - parser.add_argument("--output_path", default="", dest="output_path", help="Output path, if different from path") + parser.add_argument("es_beats", + help="The path to the general beats folder") + parser.add_argument("--output_path", default="", dest="output_path", + help="Output path, if different from path") args = parser.parse_args() diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc index ea36c19f5b7..6740b504d58 100644 --- a/metricbeat/docs/fields.asciidoc +++ b/metricbeat/docs/fields.asciidoc @@ -72,27 +72,27 @@ Aerospike module [float] -== aerospike fields +=== aerospike [float] -== namespace fields +=== namespace namespace [float] -== client fields +=== client Client stats. [float] -== delete fields +=== delete Client delete transactions stats. 
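Review bot: The re-wrapped assert in fields_to_asciidoc no longer has a message — the parenthesis now makes the message part of a tuple on the right-hand side of `==`, so `field["type"] == (fields[name]["type"], '...')` compares a string with a tuple, is always false, and raises a bare AssertionError for every redefined field, including one redefined with the same type. Keep the comparison as the assertion and parenthesise only the message: `assert field["type"] == fields[name]["type"], (` / `    'field "{}" redefined with different type "{}"'.format(` / `        name, field["type"]))`. The enclosing function starts before this hunk and continues after it, so the `fields[name].update(field)` merge that this assertion guards is otherwise unchanged.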
@@ -101,45 +101,45 @@ Client delete transactions stats. *`aerospike.namespace.client.delete.error`*:: + -- -type: long - Number of client delete transactions that failed with an error. +type: long + -- *`aerospike.namespace.client.delete.not_found`*:: + -- -type: long - Number of client delete transactions that resulted in a not found. +type: long + -- *`aerospike.namespace.client.delete.success`*:: + -- -type: long - Number of successful client delete transactions. +type: long + -- *`aerospike.namespace.client.delete.timeout`*:: + -- -type: long - Number of client delete transactions that timed out. +type: long + -- [float] -== read fields +=== read Client read transactions stats. @@ -148,45 +148,45 @@ Client read transactions stats. *`aerospike.namespace.client.read.error`*:: + -- -type: long - Number of client read transaction errors. +type: long + -- *`aerospike.namespace.client.read.not_found`*:: + -- -type: long - Number of client read transaction that resulted in not found. +type: long + -- *`aerospike.namespace.client.read.success`*:: + -- -type: long - Number of successful client read transactions. +type: long + -- *`aerospike.namespace.client.read.timeout`*:: + -- -type: long - Number of client read transaction that timed out. +type: long + -- [float] -== write fields +=== write Client write transactions stats. @@ -195,35 +195,35 @@ Client write transactions stats. *`aerospike.namespace.client.write.error`*:: + -- -type: long - Number of client write transactions that failed with an error. +type: long + -- *`aerospike.namespace.client.write.success`*:: + -- -type: long - Number of successful client write transactions. +type: long + -- *`aerospike.namespace.client.write.timeout`*:: + -- -type: long - Number of client write transactions that timed out. +type: long + -- [float] -== device fields +=== device Disk storage stats 
@@ -232,63 +232,63 @@ Disk storage stats *`aerospike.namespace.device.available.pct`*:: + -- -type: scaled_float +Measures the minimum contiguous disk space across all disks in a namespace. -format: percent -Measures the minimum contiguous disk space across all disks in a namespace. +type: scaled_float +format: percent -- *`aerospike.namespace.device.free.pct`*:: + -- -type: scaled_float +Percentage of disk capacity free for this namespace. -format: percent -Percentage of disk capacity free for this namespace. +type: scaled_float +format: percent -- *`aerospike.namespace.device.total.bytes`*:: + -- -type: long +Total bytes of disk space allocated to this namespace on this node. -format: bytes -Total bytes of disk space allocated to this namespace on this node. +type: long +format: bytes -- *`aerospike.namespace.device.used.bytes`*:: + -- -type: long +Total bytes of disk space used by this namespace on this node. -format: bytes -Total bytes of disk space used by this namespace on this node. +type: long +format: bytes -- *`aerospike.namespace.hwm_breached`*:: + -- -type: boolean - If true, Aerospike has breached 'high-water-[disk|memory]-pct' for this namespace. +type: boolean + -- [float] -== memory fields +=== memory Memory storage stats. 
@@ -297,95 +297,95 @@ Memory storage stats. *`aerospike.namespace.memory.free.pct`*:: + -- -type: scaled_float +Percentage of memory capacity free for this namespace on this node. -format: percent -Percentage of memory capacity free for this namespace on this node. +type: scaled_float +format: percent -- *`aerospike.namespace.memory.used.data.bytes`*:: + -- -type: long +Amount of memory occupied by data for this namespace on this node. -format: bytes -Amount of memory occupied by data for this namespace on this node. +type: long +format: bytes -- *`aerospike.namespace.memory.used.index.bytes`*:: + -- -type: long +Amount of memory occupied by the index for this namespace on this node. -format: bytes -Amount of memory occupied by the index for this namespace on this node. +type: long +format: bytes -- *`aerospike.namespace.memory.used.sindex.bytes`*:: + -- -type: long +Amount of memory occupied by secondary indexes for this namespace on this node. -format: bytes -Amount of memory occupied by secondary indexes for this namespace on this node. +type: long +format: bytes -- *`aerospike.namespace.memory.used.total.bytes`*:: + -- -type: long +Total bytes of memory used by this namespace on this node. -format: bytes -Total bytes of memory used by this namespace on this node. +type: long +format: bytes -- *`aerospike.namespace.name`*:: + -- -type: keyword - Namespace name +type: keyword + -- *`aerospike.namespace.node.host`*:: + -- -type: keyword - Node host +type: keyword + -- *`aerospike.namespace.node.name`*:: + -- -type: keyword - Node name +type: keyword + -- [float] -== objects fields +=== objects Records stats. 
@@ -394,31 +394,31 @@ Records stats. *`aerospike.namespace.objects.master`*:: + -- -type: long - Number of records on this node which are active masters. +type: long + -- *`aerospike.namespace.objects.total`*:: + -- -type: long - Number of records in this namespace for this node. +type: long + -- *`aerospike.namespace.stop_writes`*:: + -- -type: boolean - If true this namespace is currently not allowing writes. +type: boolean + -- [[exported-fields-apache]] @@ -429,14 +429,14 @@ Apache HTTPD server metricsets collected from the Apache web server. [float] -== apache fields +=== apache `apache` contains the metrics that were scraped from Apache. [float] -== status fields +=== status `status` contains the metrics that were scraped from the Apache status page. @@ -445,85 +445,85 @@ Apache HTTPD server metricsets collected from the Apache web server. *`apache.status.hostname`*:: + -- -type: keyword - Apache hostname. +type: keyword + -- *`apache.status.total_accesses`*:: + -- -type: long - Total number of access requests. +type: long + -- *`apache.status.total_kbytes`*:: + -- -type: long - Total number of kilobytes served. +type: long + -- *`apache.status.requests_per_sec`*:: + -- -type: scaled_float - Requests per second. +type: scaled_float + -- *`apache.status.bytes_per_sec`*:: + -- -type: scaled_float - Bytes per second. +type: scaled_float + -- *`apache.status.bytes_per_request`*:: + -- -type: scaled_float - Bytes per request. +type: scaled_float + -- *`apache.status.workers.busy`*:: + -- -type: long - Number of busy workers. +type: long + -- *`apache.status.workers.idle`*:: + -- -type: long - Number of idle workers. +type: long + -- [float] -== uptime fields +=== uptime Uptime stats. @@ -532,25 +532,25 @@ Uptime stats. *`apache.status.uptime.server_uptime`*:: + -- -type: long - Server uptime in seconds. +type: long + -- *`apache.status.uptime.uptime`*:: + -- -type: long - Server uptime. +type: long + -- [float] -== cpu fields +=== cpu CPU stats. 
@@ -559,55 +559,55 @@ CPU stats. *`apache.status.cpu.load`*:: + -- -type: scaled_float - CPU Load. +type: scaled_float + -- *`apache.status.cpu.user`*:: + -- -type: scaled_float - CPU user load. +type: scaled_float + -- *`apache.status.cpu.system`*:: + -- -type: scaled_float - System cpu. +type: scaled_float + -- *`apache.status.cpu.children_user`*:: + -- -type: scaled_float - CPU of children user. +type: scaled_float + -- *`apache.status.cpu.children_system`*:: + -- -type: scaled_float - CPU of children system. +type: scaled_float + -- [float] -== connections fields +=== connections Connection stats. @@ -616,45 +616,45 @@ Connection stats. *`apache.status.connections.total`*:: + -- -type: long - Total connections. +type: long + -- *`apache.status.connections.async.writing`*:: + -- -type: long - Async connection writing. +type: long + -- *`apache.status.connections.async.keep_alive`*:: + -- -type: long - Async keeped alive connections. +type: long + -- *`apache.status.connections.async.closing`*:: + -- -type: long - Async closed connections. +type: long + -- [float] -== load fields +=== load Load averages. @@ -663,35 +663,35 @@ Load averages. *`apache.status.load.1`*:: + -- -type: scaled_float - Load average for the last minute. +type: scaled_float + -- *`apache.status.load.5`*:: + -- -type: scaled_float - Load average for the last 5 minutes. +type: scaled_float + -- *`apache.status.load.15`*:: + -- -type: scaled_float - Load average for the last 15 minutes. +type: scaled_float + -- [float] -== scoreboard fields +=== scoreboard Scoreboard metrics. 
@@ -700,121 +700,121 @@ Scoreboard metrics. *`apache.status.scoreboard.starting_up`*:: + -- -type: long - Starting up. +type: long + -- *`apache.status.scoreboard.reading_request`*:: + -- -type: long - Reading requests. +type: long + -- *`apache.status.scoreboard.sending_reply`*:: + -- -type: long - Sending Reply. +type: long + -- *`apache.status.scoreboard.keepalive`*:: + -- -type: long - Keep alive. +type: long + -- *`apache.status.scoreboard.dns_lookup`*:: + -- -type: long - Dns Lookups. +type: long + -- *`apache.status.scoreboard.closing_connection`*:: + -- -type: long - Closing connections. +type: long + -- *`apache.status.scoreboard.logging`*:: + -- -type: long - Logging +type: long + -- *`apache.status.scoreboard.gracefully_finishing`*:: + -- -type: long - Gracefully finishing. +type: long + -- *`apache.status.scoreboard.idle_cleanup`*:: + -- -type: long - Idle cleanups. +type: long + -- *`apache.status.scoreboard.open_slot`*:: + -- -type: long - Open slots. +type: long + -- *`apache.status.scoreboard.waiting_for_connection`*:: + -- -type: long - Waiting for connections. +type: long + -- *`apache.status.scoreboard.total`*:: + -- -type: long - Total. +type: long + -- [[exported-fields-aws]] @@ -825,13 +825,13 @@ Total. [float] -== aws fields +=== aws [float] -== cloudwatch fields +=== cloudwatch `cloudwatch` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by different namespaces. @@ -840,35 +840,35 @@ Total. *`aws.cloudwatch.namespace`*:: + -- -type: keyword - The namespace specified when query cloudwatch api. +type: keyword + -- *`aws.cloudwatch.metrics.*`*:: + -- -type: object - Metrics that returned from Cloudwatch api query. +type: object + -- *`aws.cloudwatch.dimensions.*`*:: + -- -type: object - Cloudwatch metric dimensions. +type: object + -- [float] -== ec2 fields +=== ec2 `ec2` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS EC2. 
@@ -877,273 +877,273 @@ Cloudwatch metric dimensions. *`aws.ec2.cpu.total.pct`*:: + -- -type: scaled_float - The percentage of allocated EC2 compute units that are currently in use on the instance. +type: scaled_float + -- *`aws.ec2.cpu.credit_usage`*:: + -- -type: long - The number of CPU credits spent by the instance for CPU utilization. +type: long + -- *`aws.ec2.cpu.credit_balance`*:: + -- -type: long - The number of earned CPU credits that an instance has accrued since it was launched or started. +type: long + -- *`aws.ec2.cpu.surplus_credit_balance`*:: + -- -type: long - The number of surplus credits that have been spent by an unlimited instance when its CPUCreditBalance value is zero. +type: long + -- *`aws.ec2.cpu.surplus_credits_charged`*:: + -- -type: long - The number of spent surplus credits that are not paid down by earned CPU credits, and which thus incur an additional charge. +type: long + -- *`aws.ec2.network.in.packets`*:: + -- -type: long - The number of packets received on all network interfaces by the instance. +type: long + -- *`aws.ec2.network.out.packets`*:: + -- -type: long - The number of packets sent out on all network interfaces by the instance. +type: long + -- *`aws.ec2.network.in.bytes`*:: + -- -type: long +The number of bytes received on all network interfaces by the instance. -format: bytes -The number of bytes received on all network interfaces by the instance. +type: long +format: bytes -- *`aws.ec2.network.out.bytes`*:: + -- -type: long +The number of bytes sent out on all network interfaces by the instance. -format: bytes -The number of bytes sent out on all network interfaces by the instance. +type: long +format: bytes -- *`aws.ec2.diskio.read.bytes`*:: + -- -type: long +Bytes read from all instance store volumes available to the instance. -format: bytes -Bytes read from all instance store volumes available to the instance. 
+type: long +format: bytes -- *`aws.ec2.diskio.write.bytes`*:: + -- -type: long +Bytes written to all instance store volumes available to the instance. -format: bytes -Bytes written to all instance store volumes available to the instance. +type: long +format: bytes -- *`aws.ec2.diskio.read.ops`*:: + -- -type: long - Completed read operations from all instance store volumes available to the instance in a specified period of time. +type: long + -- *`aws.ec2.diskio.write.ops`*:: + -- -type: long - Completed write operations to all instance store volumes available to the instance in a specified period of time. +type: long + -- *`aws.ec2.status.check_failed`*:: + -- -type: long - Reports whether the instance has passed both the instance status check and the system status check in the last minute. +type: long + -- *`aws.ec2.status.check_failed_system`*:: + -- -type: long - Reports whether the instance has passed the system status check in the last minute. +type: long + -- *`aws.ec2.status.check_failed_instance`*:: + -- -type: long - Reports whether the instance has passed the instance status check in the last minute. +type: long + -- *`aws.ec2.instance.core.count`*:: + -- -type: integer - The number of CPU cores for the instance. +type: integer + -- *`aws.ec2.instance.image.id`*:: + -- -type: keyword - The ID of the image used to launch the instance. +type: keyword + -- *`aws.ec2.instance.monitoring.state`*:: + -- -type: keyword - Indicates whether detailed monitoring is enabled. +type: keyword + -- *`aws.ec2.instance.private.dns_name`*:: + -- -type: keyword - The private DNS name of the network interface. +type: keyword + -- *`aws.ec2.instance.private.ip`*:: + -- -type: ip - The private IPv4 address associated with the network interface. +type: ip + -- *`aws.ec2.instance.public.dns_name`*:: + -- -type: keyword - The public DNS name of the instance. 
+type: keyword + -- *`aws.ec2.instance.public.ip`*:: + -- -type: ip - The address of the Elastic IP address (IPv4) bound to the network interface. +type: ip + -- *`aws.ec2.instance.state.code`*:: + -- -type: integer - The state of the instance, as a 16-bit unsigned integer. +type: integer + -- *`aws.ec2.instance.state.name`*:: + -- -type: keyword - The state of the instance (pending | running | shutting-down | terminated | stopping | stopped). +type: keyword + -- *`aws.ec2.instance.threads_per_core`*:: + -- -type: integer - The number of threads per CPU core. +type: integer + -- [float] -== s3_daily_storage fields +=== s3_daily_storage `s3_daily_storage` contains the daily storage metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS S3. @@ -1152,37 +1152,37 @@ The number of threads per CPU core. *`aws.s3_daily_storage.bucket.name`*:: + -- -type: keyword - Name of a S3 bucket. +type: keyword + -- *`aws.s3_daily_storage.bucket.size.bytes`*:: + -- -type: long +The amount of data in bytes stored in a bucket. -format: bytes -The amount of data in bytes stored in a bucket. +type: long +format: bytes -- *`aws.s3_daily_storage.number_of_objects`*:: + -- -type: long - The total number of objects stored in a bucket for all storage classes. +type: long + -- [float] -== s3_request fields +=== s3_request `s3_request` contains request metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS S3. 
@@ -1191,187 +1191,187 @@ The total number of objects stored in a bucket for all storage classes. *`aws.s3_request.bucket.name`*:: + -- -type: keyword - Name of a S3 bucket. +type: keyword + -- *`aws.s3_request.requests.total`*:: + -- -type: long - The total number of HTTP requests made to an Amazon S3 bucket, regardless of type. +type: long + -- *`aws.s3_request.requests.get`*:: + -- -type: long - The number of HTTP GET requests made for objects in an Amazon S3 bucket. +type: long + -- *`aws.s3_request.requests.put`*:: + -- -type: long - The number of HTTP PUT requests made for objects in an Amazon S3 bucket. +type: long + -- *`aws.s3_request.requests.delete`*:: + -- -type: long - The number of HTTP DELETE requests made for objects in an Amazon S3 bucket. +type: long + -- *`aws.s3_request.requests.head`*:: + -- -type: long - The number of HTTP HEAD requests made to an Amazon S3 bucket. +type: long + -- *`aws.s3_request.requests.post`*:: + -- -type: long - The number of HTTP POST requests made to an Amazon S3 bucket. +type: long + -- *`aws.s3_request.requests.select`*:: + -- -type: long - The number of Amazon S3 SELECT Object Content requests made for objects in an Amazon S3 bucket. +type: long + -- *`aws.s3_request.requests.select_scanned.bytes`*:: + -- -type: long +The number of bytes of data scanned with Amazon S3 SELECT Object Content requests in an Amazon S3 bucket. -format: bytes -The number of bytes of data scanned with Amazon S3 SELECT Object Content requests in an Amazon S3 bucket. +type: long +format: bytes -- *`aws.s3_request.requests.select_returned.bytes`*:: + -- -type: long +The number of bytes of data returned with Amazon S3 SELECT Object Content requests in an Amazon S3 bucket. -format: bytes -The number of bytes of data returned with Amazon S3 SELECT Object Content requests in an Amazon S3 bucket. +type: long +format: bytes -- *`aws.s3_request.requests.list`*:: + -- -type: long - The number of HTTP requests that list the contents of a bucket. 
+type: long + -- *`aws.s3_request.downloaded.bytes`*:: + -- -type: long +The number bytes downloaded for requests made to an Amazon S3 bucket, where the response includes a body. -format: bytes -The number bytes downloaded for requests made to an Amazon S3 bucket, where the response includes a body. +type: long +format: bytes -- *`aws.s3_request.uploaded.bytes`*:: + -- -type: long +The number bytes uploaded that contain a request body, made to an Amazon S3 bucket. -format: bytes -The number bytes uploaded that contain a request body, made to an Amazon S3 bucket. +type: long +format: bytes -- *`aws.s3_request.errors.4xx`*:: + -- -type: long - The number of HTTP 4xx client error status code requests made to an Amazon S3 bucket with a value of either 0 or 1. +type: long + -- *`aws.s3_request.errors.5xx`*:: + -- -type: long - The number of HTTP 5xx server error status code requests made to an Amazon S3 bucket with a value of either 0 or 1. +type: long + -- *`aws.s3_request.latency.first_byte.ms`*:: + -- -type: long +The per-request time from the complete request being received by an Amazon S3 bucket to when the response starts to be returned. -format: duration -The per-request time from the complete request being received by an Amazon S3 bucket to when the response starts to be returned. +type: long +format: duration -- *`aws.s3_request.latency.total_request.ms`*:: + -- -type: long +The elapsed per-request time from the first byte received to the last byte sent to an Amazon S3 bucket. -format: duration -The elapsed per-request time from the first byte received to the last byte sent to an Amazon S3 bucket. +type: long +format: duration -- [float] -== sqs fields +=== sqs `sqs` contains the metrics that were scraped from AWS CloudWatch which contains monitoring metrics sent by AWS SQS. 
@@ -1380,105 +1380,105 @@ The elapsed per-request time from the first byte received to the last byte sent *`aws.sqs.oldest_message_age.sec`*:: + -- -type: long +The approximate age of the oldest non-deleted message in the queue. -format: duration -The approximate age of the oldest non-deleted message in the queue. +type: long +format: duration -- *`aws.sqs.messages.delayed`*:: + -- -type: long - TThe number of messages in the queue that are delayed and not available for reading immediately. +type: long + -- *`aws.sqs.messages.not_visible`*:: + -- -type: long - The number of messages that are in flight. +type: long + -- *`aws.sqs.messages.visible`*:: + -- -type: long - The number of messages available for retrieval from the queue. +type: long + -- *`aws.sqs.messages.deleted`*:: + -- -type: long - The number of messages deleted from the queue. +type: long + -- *`aws.sqs.messages.received`*:: + -- -type: long - The number of messages returned by calls to the ReceiveMessage action. +type: long + -- *`aws.sqs.messages.sent`*:: + -- -type: long - The number of messages added to a queue. +type: long + -- *`aws.sqs.empty_receives`*:: + -- -type: long - The number of ReceiveMessage API calls that did not return a message. +type: long + -- *`aws.sqs.sent_message_size.bytes`*:: + -- -type: long +The size of messages added to a queue. -format: bytes -The size of messages added to a queue. +type: long +format: bytes -- *`aws.sqs.queue.name`*:: + -- -type: keyword - SQS queue name +type: keyword + -- [[exported-fields-beat]] @@ -1491,10 +1491,10 @@ Contains common beat fields available in all event types. *`agent.hostname`*:: + -- -type: keyword - Hostname of the agent. +type: keyword + -- *`beat.timezone`*:: @@ -1509,15 +1509,15 @@ alias to: event.timezone *`fields`*:: + -- -type: object - Contains user configurable fields. +type: object + -- [float] -== error fields +=== error Error fields containing additional info in case of errors. 
@@ -1526,11 +1526,11 @@ Error fields containing additional info in case of errors. *`error.type`*:: + -- -type: keyword - Error type. +type: keyword + -- *`beat.name`*:: @@ -1554,10 +1554,10 @@ alias to: agent.hostname *`timeseries.instance`*:: + -- -type: keyword - Time series instance id +type: keyword + -- [[exported-fields-ceph]] @@ -1568,14 +1568,14 @@ Ceph module [float] -== ceph fields +=== ceph `ceph` contains the metrics that were scraped from CEPH. [float] -== cluster_disk fields +=== cluster_disk cluster_disk @@ -1584,41 +1584,41 @@ cluster_disk *`ceph.cluster_disk.available.bytes`*:: + -- -type: long +Available bytes of the cluster -format: bytes -Available bytes of the cluster +type: long +format: bytes -- *`ceph.cluster_disk.total.bytes`*:: + -- -type: long +Total bytes of the cluster -format: bytes -Total bytes of the cluster +type: long +format: bytes -- *`ceph.cluster_disk.used.bytes`*:: + -- -type: long +Used bytes of the cluster -format: bytes -Used bytes of the cluster +type: long +format: bytes -- [float] -== cluster_health fields +=== cluster_health cluster_health @@ -1627,45 +1627,45 @@ cluster_health *`ceph.cluster_health.overall_status`*:: + -- -type: keyword - Overall status of the cluster +type: keyword + -- *`ceph.cluster_health.timechecks.epoch`*:: + -- -type: long - Map version +type: long + -- *`ceph.cluster_health.timechecks.round.value`*:: + -- -type: long - timecheck round +type: long + -- *`ceph.cluster_health.timechecks.round.status`*:: + -- -type: keyword - Status of the round +type: keyword + -- [float] -== cluster_status fields +=== cluster_status cluster_status 
@@ -1674,271 +1674,271 @@ cluster_status *`ceph.cluster_status.version`*:: + -- -type: long - Ceph Status version +type: long + -- *`ceph.cluster_status.traffic.read_bytes`*:: + -- -type: long +Cluster read throughput per second -format: bytes -Cluster read throughput per second +type: long +format: bytes -- *`ceph.cluster_status.traffic.write_bytes`*:: + -- -type: long +Cluster write throughput per second -format: bytes -Cluster write throughput per second +type: long +format: bytes -- *`ceph.cluster_status.traffic.read_op_per_sec`*:: + -- -type: long - Cluster read iops per second +type: long + -- *`ceph.cluster_status.traffic.write_op_per_sec`*:: + -- -type: long - Cluster write iops per second +type: long + -- *`ceph.cluster_status.misplace.total`*:: + -- -type: long - Cluster misplace pg number +type: long + -- *`ceph.cluster_status.misplace.objects`*:: + -- -type: long - Cluster misplace objects number +type: long + -- *`ceph.cluster_status.misplace.ratio`*:: + -- -type: scaled_float +Cluster misplace ratio -format: percent -Cluster misplace ratio +type: scaled_float +format: percent -- *`ceph.cluster_status.degraded.total`*:: + -- -type: long - Cluster degraded pg number +type: long + -- *`ceph.cluster_status.degraded.objects`*:: + -- -type: long - Cluster degraded objects number +type: long + -- *`ceph.cluster_status.degraded.ratio`*:: + -- -type: scaled_float +Cluster degraded ratio -format: percent -Cluster degraded ratio +type: scaled_float +format: percent -- *`ceph.cluster_status.pg.data_bytes`*:: + -- -type: long +Cluster pg data bytes -format: bytes -Cluster pg data bytes +type: long +format: bytes -- *`ceph.cluster_status.pg.avail_bytes`*:: + -- -type: long +Cluster available bytes -format: bytes -Cluster available bytes +type: long +format: bytes -- *`ceph.cluster_status.pg.total_bytes`*:: + -- -type: long +Cluster total bytes -format: bytes -Cluster total bytes +type: long +format: bytes -- *`ceph.cluster_status.pg.used_bytes`*:: + -- -type: long 
+Cluster used bytes -format: bytes -Cluster used bytes +type: long +format: bytes -- *`ceph.cluster_status.pg_state.state_name`*:: + -- -type: long - Pg state description +type: long + -- *`ceph.cluster_status.pg_state.count`*:: + -- -type: long - Shows how many pgs are in state of pg_state.state_name +type: long + -- *`ceph.cluster_status.pg_state.version`*:: + -- -type: long - Cluster status version +type: long + -- *`ceph.cluster_status.osd.full`*:: + -- -type: boolean - Is osd full +type: boolean + -- *`ceph.cluster_status.osd.nearfull`*:: + -- -type: boolean - Is osd near full +type: boolean + -- *`ceph.cluster_status.osd.num_osds`*:: + -- -type: long - Shows how many osds in the cluster +type: long + -- *`ceph.cluster_status.osd.num_up_osds`*:: + -- -type: long - Shows how many osds are on the state of UP +type: long + -- *`ceph.cluster_status.osd.num_in_osds`*:: + -- -type: long - Shows how many osds are on the state of IN +type: long + -- *`ceph.cluster_status.osd.num_remapped_pgs`*:: + -- -type: long - Shows how many osds are on the state of REMAPPED +type: long + -- *`ceph.cluster_status.osd.epoch`*:: + -- -type: long - epoch number +type: long + -- [float] -== monitor_health fields +=== monitor_health monitor_health stats data 
@@ -1947,133 +1947,133 @@ monitor_health stats data *`ceph.monitor_health.available.pct`*:: + -- -type: long - Available percent of the MON +type: long + -- *`ceph.monitor_health.health`*:: + -- -type: keyword - Health of the MON +type: keyword + -- *`ceph.monitor_health.available.kb`*:: + -- -type: long - Available KB of the MON +type: long + -- *`ceph.monitor_health.total.kb`*:: + -- -type: long - Total KB of the MON +type: long + -- *`ceph.monitor_health.used.kb`*:: + -- -type: long - Used KB of the MON +type: long + -- *`ceph.monitor_health.last_updated`*:: + -- -type: date - Time when was updated +type: date + -- *`ceph.monitor_health.name`*:: + -- -type: keyword - Name of the MON +type: keyword + -- *`ceph.monitor_health.store_stats.log.bytes`*:: + -- -type: long +Log bytes of MON -format: bytes -Log bytes of MON +type: long +format: bytes -- *`ceph.monitor_health.store_stats.misc.bytes`*:: + -- -type: long +Misc bytes of MON -format: bytes -Misc bytes of MON +type: long +format: bytes -- *`ceph.monitor_health.store_stats.sst.bytes`*:: + -- -type: long +SST bytes of MON -format: bytes -SST bytes of MON +type: long +format: bytes -- *`ceph.monitor_health.store_stats.total.bytes`*:: + -- -type: long +Total bytes of MON -format: bytes -Total bytes of MON +type: long +format: bytes -- *`ceph.monitor_health.store_stats.last_updated`*:: + -- -type: long - Last updated +type: long + -- [float] -== osd_df fields +=== osd_df ceph osd disk usage information 
@@ -2082,93 +2082,93 @@ ceph osd disk usage information *`ceph.osd_df.id`*:: + -- -type: long - osd node id +type: long + -- *`ceph.osd_df.name`*:: + -- -type: keyword - osd node name +type: keyword + -- *`ceph.osd_df.device_class`*:: + -- -type: keyword - osd node type, illegal type include hdd, ssd etc. +type: keyword + -- *`ceph.osd_df.total.byte`*:: + -- -type: long +osd disk total volume -format: bytes -osd disk total volume +type: long +format: bytes -- *`ceph.osd_df.used.byte`*:: + -- +osd disk usage volume + + type: long format: bytes -osd disk usage volume - - -- *`ceph.osd_df.available.bytes`*:: + -- -type: long +osd disk available volume -format: bytes -osd disk available volume +type: long +format: bytes -- *`ceph.osd_df.pg_num`*:: + -- -type: long - shows how many pg located on this osd +type: long + -- *`ceph.osd_df.used.pct`*:: + -- -type: scaled_float +osd disk usage percentage -format: percent -osd disk usage percentage +type: scaled_float +format: percent -- [float] -== osd_tree fields +=== osd_tree ceph osd tree info 
@@ -2177,135 +2177,135 @@ ceph osd tree info *`ceph.osd_tree.id`*:: + -- -type: long - osd or bucket node id +type: long + -- *`ceph.osd_tree.name`*:: + -- -type: keyword - osd or bucket node name +type: keyword + -- *`ceph.osd_tree.type`*:: + -- -type: keyword - osd or bucket node type, illegal type include osd, host, root etc. +type: keyword + -- *`ceph.osd_tree.type_id`*:: + -- -type: long - osd or bucket node typeID +type: long + -- *`ceph.osd_tree.children`*:: + -- -type: keyword - bucket children list, separated by comma. +type: keyword + -- *`ceph.osd_tree.crush_weight`*:: + -- -type: float - osd node crush weight +type: float + -- *`ceph.osd_tree.depth`*:: + -- -type: long - node depth +type: long + -- *`ceph.osd_tree.exists`*:: + -- -type: boolean - is node still exist or not(1-yes, 0-no) +type: boolean + -- *`ceph.osd_tree.primary_affinity`*:: + -- -type: float - the weight of reading data from primary osd +type: float + -- *`ceph.osd_tree.reweight`*:: + -- -type: long - the reweight of osd +type: long + -- *`ceph.osd_tree.status`*:: + -- -type: keyword - status of osd, it should be up or down +type: keyword + -- *`ceph.osd_tree.device_class`*:: + -- -type: keyword - the device class of osd, like hdd, ssd etc. +type: keyword + -- *`ceph.osd_tree.father`*:: + -- -type: keyword - the parent node of this osd or bucket node +type: keyword + -- [float] -== pool_disk fields +=== pool_disk pool_disk 
@@ -2314,65 +2314,65 @@ pool_disk *`ceph.pool_disk.id`*:: + -- -type: long - Id of the pool +type: long + -- *`ceph.pool_disk.name`*:: + -- -type: keyword - Name of the pool +type: keyword + -- *`ceph.pool_disk.stats.available.bytes`*:: + -- -type: long +Available bytes of the pool -format: bytes -Available bytes of the pool +type: long +format: bytes -- *`ceph.pool_disk.stats.objects`*:: + -- -type: long - Number of objects of the pool +type: long + -- *`ceph.pool_disk.stats.used.bytes`*:: + -- -type: long +Used bytes of the pool -format: bytes -Used bytes of the pool +type: long +format: bytes -- *`ceph.pool_disk.stats.used.kb`*:: + -- -type: long - Used kb of the pool +type: long + -- [[exported-fields-cloud]] @@ -2385,11 +2385,11 @@ Metadata from cloud providers added by the add_cloud_metadata processor. *`cloud.project.id`*:: + -- -example: project-x - Name of the project in Google Cloud. +example: project-x + -- *`meta.cloud.provider`*:: @@ -2465,12 +2465,12 @@ Contains common fields available in all event types. *`metricset.module`*:: + -- -type: alias +The name of the module that generated the event. -alias to: event.module -The name of the module that generated the event. +type: alias +alias to: event.module -- @@ -2485,11 +2485,11 @@ The name of the metricset that generated the event. *`process.pgid`*:: + -- -type: long - Process group id. +type: long + -- *`service.address`*:: @@ -2511,12 +2511,12 @@ Host name of the machine where the service is running. *`type`*:: + -- -example: metricsets +The document type. Always set to "doc". -required: True -The document type. Always set to "doc". +example: metricsets +required: True -- @@ -2529,7 +2529,7 @@ Consul module [float] -== agent fields +=== agent Agent Metricset fetches metrics information from a Consul instance running as Agent 
@@ -2539,14 +2539,14 @@ Agent Metricset fetches metrics information from a Consul instance running as Ag *`consul.agent.autopilot.healthy`*:: + -- -type: boolean - Overall health of the local server cluster +type: boolean + -- [float] -== runtime fields +=== runtime Runtime related metrics @@ -2555,51 +2555,51 @@ Runtime related metrics *`consul.agent.runtime.sys.bytes`*:: + -- -type: long - Number of bytes of memory obtained from the OS. +type: long + -- *`consul.agent.runtime.malloc_count`*:: + -- -type: long - Heap objects allocated +type: long + -- *`consul.agent.runtime.heap_objects`*:: + -- -type: long - Objects allocated on the heap and is a general memory pressure indicator. This may burst from time to time but should return to a steady state value. +type: long + -- *`consul.agent.runtime.goroutines`*:: + -- -type: long - Running goroutines and is a general load pressure indicator. This may burst from time to time but should return to a steady state value. +type: long + -- *`consul.agent.runtime.alloc.bytes`*:: + -- -type: long - Bytes allocated by the Consul process. +type: long + -- [float] -== garbage_collector fields +=== garbage_collector Garbage collector metrics @@ -2607,14 +2607,14 @@ Garbage collector metrics *`consul.agent.runtime.garbage_collector.runs`*:: + -- -type: long - Garbage collector total executions +type: long + -- [float] -== pause fields +=== pause Time that the garbage collector has paused the app @@ -2623,20 +2623,20 @@ Time that the garbage collector has paused the app *`consul.agent.runtime.garbage_collector.pause.current.ns`*:: + -- -type: long - Garbage collector pause time in nanoseconds +type: long + -- *`consul.agent.runtime.garbage_collector.pause.total.ns`*:: + -- -type: long - Nanoseconds consumed by stop-the-world garbage collection pauses since Consul started. +type: long + -- [[exported-fields-coredns]] 
@@ -2647,14 +2647,14 @@ coredns Module [float] -== coredns fields +=== coredns `coredns` contains statistics that were read from coreDNS [float] -== stats fields +=== stats Contains statistics related to the coreDNS service 
@@ -2663,223 +2663,223 @@ Contains statistics related to the coreDNS service *`coredns.stats.panic.count`*:: + -- -type: long - Total number of panics +type: long + -- *`coredns.stats.dns.request.count`*:: + -- -type: long - Total query count +type: long + -- *`coredns.stats.dns.request.duration.ns.bucket.*`*:: + -- -type: object - Request duration histogram buckets in nanoseconds +type: object + -- *`coredns.stats.dns.request.duration.ns.sum`*:: + -- -type: long +Requests duration, sum of durations in nanoseconds -format: duration -Requests duration, sum of durations in nanoseconds +type: long +format: duration -- *`coredns.stats.dns.request.duration.ns.count`*:: + -- -type: long - Requests duration, number of requests +type: long + -- *`coredns.stats.dns.request.size.bytes.bucket.*`*:: + -- -type: object - Request Size histogram buckets +type: object + -- *`coredns.stats.dns.request.size.bytes.sum`*:: + -- -type: long - Request Size histogram sum +type: long + -- *`coredns.stats.dns.request.size.bytes.count`*:: + -- -type: long - Request Size histogram count +type: long + -- *`coredns.stats.dns.request.do.count`*:: + -- -type: long - Number of queries that have the DO bit set +type: long + -- *`coredns.stats.dns.request.type.count`*:: + -- -type: long - Counter of queries per zone and type +type: long + -- *`coredns.stats.type`*:: + -- -type: keyword - Holds the query type of the request +type: keyword + -- *`coredns.stats.dns.response.rcode.count`*:: + -- -type: long - Counter of responses per zone and rcode +type: long + -- *`coredns.stats.rcode`*:: + -- -type: keyword - Holds the rcode of the response +type: keyword + -- *`coredns.stats.family`*:: + -- -type: keyword - The address family of the transport (1 = IP (IP version 4), 2 = IP6 (IP version 6)) +type: keyword + -- *`coredns.stats.dns.response.size.bytes.bucket.*`*:: + -- -type: object - Response Size histogram buckets +type: object + -- *`coredns.stats.dns.response.size.bytes.sum`*:: + -- -type: long - 
Response Size histogram sum +type: long + -- *`coredns.stats.dns.response.size.bytes.count`*:: + -- -type: long - Response Size histogram count +type: long + -- *`coredns.stats.server`*:: + -- -type: keyword - The server responsible for the request +type: keyword + -- *`coredns.stats.zone`*:: + -- -type: keyword - The zonename used for the request/response +type: keyword + -- *`coredns.stats.proto`*:: + -- -type: keyword - The transport of the response ("udp" or "tcp") +type: keyword + -- *`coredns.stats.dns.cache.hits.count`*:: + -- -type: long - Cache hits count for the cache plugin +type: long + -- *`coredns.stats.dns.cache.misses.count`*:: + -- -type: long - Cache misses count for the cache plugin +type: long + -- [[exported-fields-couchbase]] @@ -2890,14 +2890,14 @@ Metrics collected from Couchbase servers. [float] -== couchbase fields +=== couchbase `couchbase` contains the metrics that were scraped from Couchbase. [float] -== bucket fields +=== bucket Couchbase bucket metrics. 
@@ -2906,115 +2906,115 @@ Couchbase bucket metrics. *`couchbase.bucket.name`*:: + -- -type: keyword - Name of the bucket. +type: keyword + -- *`couchbase.bucket.type`*:: + -- -type: keyword - Type of the bucket. +type: keyword + -- *`couchbase.bucket.data.used.bytes`*:: + -- -type: long +Size of user data within buckets of the specified state that are resident in RAM. -format: bytes -Size of user data within buckets of the specified state that are resident in RAM. +type: long +format: bytes -- *`couchbase.bucket.disk.fetches`*:: + -- -type: long - Number of disk fetches. +type: long + -- *`couchbase.bucket.disk.used.bytes`*:: + -- -type: long +Amount of disk used (bytes). -format: bytes -Amount of disk used (bytes). +type: long +format: bytes -- *`couchbase.bucket.memory.used.bytes`*:: + -- -type: long +Amount of memory used by the bucket (bytes). -format: bytes -Amount of memory used by the bucket (bytes). +type: long +format: bytes -- *`couchbase.bucket.quota.ram.bytes`*:: + -- -type: long +Amount of RAM used by the bucket (bytes). -format: bytes -Amount of RAM used by the bucket (bytes). +type: long +format: bytes -- *`couchbase.bucket.quota.use.pct`*:: + -- -type: scaled_float +Percentage of RAM used (for active objects) against the configured bucket size (%). -format: percent -Percentage of RAM used (for active objects) against the configured bucket size (%). +type: scaled_float +format: percent -- *`couchbase.bucket.ops_per_sec`*:: + -- -type: long - Number of operations per second. +type: long + -- *`couchbase.bucket.item_count`*:: + -- -type: long - Number of items associated with the bucket. +type: long + -- [float] -== cluster fields +=== cluster Couchbase cluster metrics. 
@@ -3023,179 +3023,179 @@ Couchbase cluster metrics. *`couchbase.cluster.hdd.free.bytes`*:: + -- -type: long +Free hard drive space in the cluster (bytes). -format: bytes -Free hard drive space in the cluster (bytes). +type: long +format: bytes -- *`couchbase.cluster.hdd.quota.total.bytes`*:: + -- -type: long +Hard drive quota total for the cluster (bytes). -format: bytes -Hard drive quota total for the cluster (bytes). +type: long +format: bytes -- *`couchbase.cluster.hdd.total.bytes`*:: + -- -type: long +Total hard drive space available to the cluster (bytes). -format: bytes -Total hard drive space available to the cluster (bytes). +type: long +format: bytes -- *`couchbase.cluster.hdd.used.value.bytes`*:: + -- -type: long +Hard drive space used by the cluster (bytes). -format: bytes -Hard drive space used by the cluster (bytes). +type: long +format: bytes -- *`couchbase.cluster.hdd.used.by_data.bytes`*:: + -- -type: long +Hard drive space used by the data in the cluster (bytes). -format: bytes -Hard drive space used by the data in the cluster (bytes). +type: long +format: bytes -- *`couchbase.cluster.max_bucket_count`*:: + -- -type: long - Max bucket count setting. +type: long + -- *`couchbase.cluster.quota.index_memory.mb`*:: + -- -type: long - Memory quota setting for the Index service (Mbyte). +type: long + -- *`couchbase.cluster.quota.memory.mb`*:: + -- -type: long - Memory quota setting for the cluster (Mbyte). +type: long + -- *`couchbase.cluster.ram.quota.total.value.bytes`*:: + -- -type: long +RAM quota total for the cluster (bytes). -format: bytes -RAM quota total for the cluster (bytes). +type: long +format: bytes -- *`couchbase.cluster.ram.quota.total.per_node.bytes`*:: + -- -type: long +RAM quota used by the current node in the cluster (bytes). -format: bytes -RAM quota used by the current node in the cluster (bytes). 
+type: long +format: bytes -- *`couchbase.cluster.ram.quota.used.value.bytes`*:: + -- -type: long +RAM quota used by the cluster (bytes). -format: bytes -RAM quota used by the cluster (bytes). +type: long +format: bytes -- *`couchbase.cluster.ram.quota.used.per_node.bytes`*:: + -- -type: long +Ram quota used by the current node in the cluster (bytes) -format: bytes -Ram quota used by the current node in the cluster (bytes) +type: long +format: bytes -- *`couchbase.cluster.ram.total.bytes`*:: + -- -type: long +Total RAM available to cluster (bytes). -format: bytes -Total RAM available to cluster (bytes). +type: long +format: bytes -- *`couchbase.cluster.ram.used.value.bytes`*:: + -- -type: long +RAM used by the cluster (bytes). -format: bytes -RAM used by the cluster (bytes). +type: long +format: bytes -- *`couchbase.cluster.ram.used.by_data.bytes`*:: + -- -type: long +RAM used by the data in the cluster (bytes). -format: bytes -RAM used by the data in the cluster (bytes). +type: long +format: bytes -- [float] -== node fields +=== node Couchbase node metrics. 
@@ -3204,237 +3204,237 @@ Couchbase node metrics. *`couchbase.node.cmd_get`*:: + -- -type: long - Number of get commands +type: long + -- *`couchbase.node.couch.docs.disk_size.bytes`*:: + -- -type: long +Amount of disk space used by Couch docs (bytes). -format: bytes -Amount of disk space used by Couch docs (bytes). +type: long +format: bytes -- *`couchbase.node.couch.docs.data_size.bytes`*:: + -- -type: long +Data size of Couch docs associated with a node (bytes). -format: bytes -Data size of Couch docs associated with a node (bytes). +type: long +format: bytes -- *`couchbase.node.couch.spatial.data_size.bytes`*:: + -- -type: long - Size of object data for spatial views (bytes). +type: long + -- *`couchbase.node.couch.spatial.disk_size.bytes`*:: + -- -type: long - Amount of disk space used by spatial views (bytes). +type: long + -- *`couchbase.node.couch.views.disk_size.bytes`*:: + -- -type: long - Amount of disk space used by Couch views (bytes). +type: long + -- *`couchbase.node.couch.views.data_size.bytes`*:: + -- -type: long - Size of object data for Couch views (bytes). +type: long + -- *`couchbase.node.cpu_utilization_rate.pct`*:: + -- -type: scaled_float - The CPU utilization rate (%). +type: scaled_float + -- *`couchbase.node.current_items.value`*:: + -- -type: long - Number of current items. +type: long + -- *`couchbase.node.current_items.total`*:: + -- -type: long - Total number of items associated with the node. +type: long + -- *`couchbase.node.ep_bg_fetched`*:: + -- -type: long - Number of disk fetches performed since the server was started. +type: long + -- *`couchbase.node.get_hits`*:: + -- -type: long - Number of get hits. +type: long + -- *`couchbase.node.hostname`*:: + -- -type: keyword - The hostname of the node. +type: keyword + -- *`couchbase.node.mcd_memory.allocated.bytes`*:: + -- -type: long +Amount of memcached memory allocated (bytes). -format: bytes -Amount of memcached memory allocated (bytes). 
+type: long +format: bytes -- *`couchbase.node.mcd_memory.reserved.bytes`*:: + -- -type: long - Amount of memcached memory reserved (bytes). +type: long + -- *`couchbase.node.memory.free.bytes`*:: + -- -type: long - Amount of memory free for the node (bytes). +type: long + -- *`couchbase.node.memory.total.bytes`*:: + -- -type: long - Total memory available to the node (bytes). +type: long + -- *`couchbase.node.memory.used.bytes`*:: + -- -type: long - Memory used by the node (bytes). +type: long + -- *`couchbase.node.ops`*:: + -- -type: long - Number of operations performed on Couchbase. +type: long + -- *`couchbase.node.swap.total.bytes`*:: + -- -type: long - Total swap size allocated (bytes). +type: long + -- *`couchbase.node.swap.used.bytes`*:: + -- -type: long - Amount of swap space used (bytes). +type: long + -- *`couchbase.node.uptime.sec`*:: + -- -type: long - Time during which the node was in operation (sec). +type: long + -- *`couchbase.node.vb_replica_curr_items`*:: + -- -type: long - Number of items/documents that are replicas. +type: long + -- [[exported-fields-couchdb]] @@ -3445,20 +3445,20 @@ couchdb module [float] -== couchdb fields +=== couchdb [float] -== server fields +=== server Contains CouchDB server stats [float] -== httpd fields +=== httpd HTTP statistics @@ -3467,55 +3467,55 @@ HTTP statistics *`couchdb.server.httpd.view_reads`*:: + -- -type: long - Number of view reads +type: long + -- *`couchdb.server.httpd.bulk_requests`*:: + -- -type: long - Number of bulk requests +type: long + -- *`couchdb.server.httpd.clients_requesting_changes`*:: + -- -type: long - Number of clients for continuous _changes +type: long + -- *`couchdb.server.httpd.temporary_view_reads`*:: + -- -type: long - Number of temporary view reads +type: long + -- *`couchdb.server.httpd.requests`*:: + -- -type: long - Number of HTTP requests +type: long + -- [float] -== httpd_request_methods fields +=== httpd_request_methods HTTP request methods 
@@ -3524,65 +3524,65 @@ HTTP request methods *`couchdb.server.httpd_request_methods.COPY`*:: + -- -type: long - Number of HTTP COPY requests +type: long + -- *`couchdb.server.httpd_request_methods.HEAD`*:: + -- -type: long - Number of HTTP HEAD requests +type: long + -- *`couchdb.server.httpd_request_methods.POST`*:: + -- -type: long - Number of HTTP POST requests +type: long + -- *`couchdb.server.httpd_request_methods.DELETE`*:: + -- -type: long - Number of HTTP DELETE requests +type: long + -- *`couchdb.server.httpd_request_methods.GET`*:: + -- -type: long - Number of HTTP GET requests +type: long + -- *`couchdb.server.httpd_request_methods.PUT`*:: + -- -type: long - Number of HTTP PUT requests +type: long + -- [float] -== httpd_status_codes fields +=== httpd_status_codes HTTP status codes statistics 
@@ -3591,135 +3591,135 @@ HTTP status codes statistics *`couchdb.server.httpd_status_codes.200`*:: + -- -type: long - Number of HTTP 200 OK responses +type: long + -- *`couchdb.server.httpd_status_codes.201`*:: + -- -type: long - Number of HTTP 201 Created responses +type: long + -- *`couchdb.server.httpd_status_codes.202`*:: + -- -type: long - Number of HTTP 202 Accepted responses +type: long + -- *`couchdb.server.httpd_status_codes.301`*:: + -- -type: long - Number of HTTP 301 Moved Permanently responses +type: long + -- *`couchdb.server.httpd_status_codes.304`*:: + -- -type: long - Number of HTTP 304 Not Modified responses +type: long + -- *`couchdb.server.httpd_status_codes.400`*:: + -- -type: long - Number of HTTP 400 Bad Request responses +type: long + -- *`couchdb.server.httpd_status_codes.401`*:: + -- -type: long - Number of HTTP 401 Unauthorized responses +type: long + -- *`couchdb.server.httpd_status_codes.403`*:: + -- -type: long - Number of HTTP 403 Forbidden responses +type: long + -- *`couchdb.server.httpd_status_codes.404`*:: + -- -type: long - Number of HTTP 404 Not Found responses +type: long + -- *`couchdb.server.httpd_status_codes.405`*:: + -- -type: long - Number of HTTP 405 Method Not Allowed responses +type: long + -- *`couchdb.server.httpd_status_codes.409`*:: + -- -type: long - Number of HTTP 409 Conflict responses +type: long + -- *`couchdb.server.httpd_status_codes.412`*:: + -- -type: long - Number of HTTP 412 Precondition Failed responses +type: long + -- *`couchdb.server.httpd_status_codes.500`*:: + -- -type: long - Number of HTTP 500 Internal Server Error responses +type: long + -- [float] -== couchdb fields +=== couchdb couchdb statistics 
@@ -3728,71 +3728,71 @@ couchdb statistics *`couchdb.server.couchdb.database_writes`*:: + -- -type: long - Number of times a database was changed +type: long + -- *`couchdb.server.couchdb.open_databases`*:: + -- -type: long - Number of open databases +type: long + -- *`couchdb.server.couchdb.auth_cache_misses`*:: + -- -type: long - Number of authentication cache misses +type: long + -- *`couchdb.server.couchdb.request_time`*:: + -- -type: long - Length of a request inside CouchDB without MochiWeb +type: long + -- *`couchdb.server.couchdb.database_reads`*:: + -- -type: long - Number of times a document was read from a database +type: long + -- *`couchdb.server.couchdb.auth_cache_hits`*:: + -- -type: long - Number of authentication cache hits +type: long + -- *`couchdb.server.couchdb.open_os_files`*:: + -- -type: long - Number of file descriptors CouchDB has open +type: long + -- [[exported-fields-docker-processor]] @@ -3833,11 +3833,11 @@ alias to: container.name *`docker.container.labels`*:: + -- -type: object - Image labels. +type: object + -- [[exported-fields-docker]] @@ -3848,14 +3848,14 @@ Docker stats collected from Docker. [float] -== docker fields +=== docker Information and statistics about docker's running containers. [float] -== container fields +=== container Docker container metrics. @@ -3864,45 +3864,45 @@ Docker container metrics. *`docker.container.command`*:: + -- -type: keyword - Command that was executed in the Docker container. +type: keyword + -- *`docker.container.created`*:: + -- -type: date - Date when the container was created. +type: date + -- *`docker.container.status`*:: + -- -type: keyword - Container status. +type: keyword + -- *`docker.container.ip_addresses`*:: + -- -type: ip - Container IP addresses. +type: ip + -- [float] -== size fields +=== size Container size metrics. 
@@ -3911,35 +3911,35 @@ Container size metrics. *`docker.container.size.root_fs`*:: + -- -type: long - Total size of all the files in the container. +type: long + -- *`docker.container.size.rw`*:: + -- -type: long - Size of the files that have been created or changed since creation. +type: long + -- *`docker.container.tags`*:: + -- -type: keyword - Image tags. +type: keyword + -- [float] -== cpu fields +=== cpu Runtime CPU metrics. @@ -3948,112 +3948,112 @@ Runtime CPU metrics. *`docker.cpu.kernel.pct`*:: + -- -type: scaled_float +Percentage of time in kernel space. -format: percentage -Percentage of time in kernel space. +type: scaled_float +format: percentage -- *`docker.cpu.kernel.ticks`*:: + -- -type: long - CPU ticks in kernel space. +type: long + -- *`docker.cpu.system.pct`*:: + -- -type: scaled_float +Percentage of total CPU time in the system. -format: percentage -Percentage of total CPU time in the system. +type: scaled_float +format: percentage -- *`docker.cpu.system.ticks`*:: + -- -type: long - CPU system ticks. +type: long + -- *`docker.cpu.user.pct`*:: + -- -type: scaled_float +Percentage of time in user space. -format: percentage -Percentage of time in user space. +type: scaled_float +format: percentage -- *`docker.cpu.user.ticks`*:: + -- -type: long - CPU ticks in user space. +type: long + -- *`docker.cpu.total.pct`*:: + -- -type: scaled_float +Total CPU usage. -format: percentage -Total CPU usage. +type: scaled_float +format: percentage -- *`docker.cpu.core.*.pct`*:: + -- -type: object +Percentage of CPU time in this core. -format: percentage -Percentage of CPU time in this core. +type: object +format: percentage -- *`docker.cpu.core.*.ticks`*:: + -- -type: object - Number of CPU ticks in this core. +type: object + -- [float] -== diskio fields +=== diskio Disk I/O metrics. [float] -== read fields +=== read Accumulated reads during the life of the container 
@@ -4062,33 +4062,33 @@ Accumulated reads during the life of the container *`docker.diskio.read.ops`*:: + -- -type: long - Number of reads during the life of the container +type: long + -- *`docker.diskio.read.bytes`*:: + -- -type: long +Bytes read during the life of the container -format: bytes -Bytes read during the life of the container +type: long +format: bytes -- *`docker.diskio.read.rate`*:: + -- -type: long - Number of current reads per second +type: long + -- *`docker.diskio.reads`*:: @@ -4097,15 +4097,15 @@ Number of current reads per second deprecated[6.4] -type: scaled_float - Number of current reads per second +type: scaled_float + -- [float] -== write fields +=== write Accumulated writes during the life of the container @@ -4114,33 +4114,33 @@ Accumulated writes during the life of the container *`docker.diskio.write.ops`*:: + -- -type: long - Number of writes during the life of the container +type: long + -- *`docker.diskio.write.bytes`*:: + -- -type: long +Bytes written during the life of the container -format: bytes -Bytes written during the life of the container +type: long +format: bytes -- *`docker.diskio.write.rate`*:: + -- -type: long - Number of current writes per second +type: long + -- *`docker.diskio.writes`*:: @@ -4149,15 +4149,15 @@ Number of current writes per second deprecated[6.4] -type: scaled_float - Number of current writes per second +type: scaled_float + -- [float] -== summary fields +=== summary Accumulated reads and writes during the life of the container 
@@ -4166,33 +4166,33 @@ Accumulated reads and writes during the life of the container *`docker.diskio.summary.ops`*:: + -- -type: long - Number of I/O operations during the life of the container +type: long + -- *`docker.diskio.summary.bytes`*:: + -- -type: long +Bytes read and written during the life of the container -format: bytes -Bytes read and written during the life of the container +type: long +format: bytes -- *`docker.diskio.summary.rate`*:: + -- -type: long - Number of current operations per second +type: long + -- *`docker.diskio.total`*:: @@ -4201,15 +4201,15 @@ Number of current operations per second deprecated[6.4] -type: scaled_float - Number of reads and writes per second +type: scaled_float + -- [float] -== event fields +=== event Docker event @@ -4218,55 +4218,55 @@ Docker event *`docker.event.status`*:: + -- -type: keyword - Event status +type: keyword + -- *`docker.event.id`*:: + -- -type: keyword - Event id when available +type: keyword + -- *`docker.event.from`*:: + -- -type: keyword - Event source +type: keyword + -- *`docker.event.type`*:: + -- -type: keyword - The type of object emitting the event +type: keyword + -- *`docker.event.action`*:: + -- -type: keyword - The type of event +type: keyword + -- [float] -== actor fields +=== actor Actor @@ -4275,25 +4275,25 @@ Actor *`docker.event.actor.id`*:: + -- -type: keyword - The ID of the object emitting the event +type: keyword + -- *`docker.event.actor.attributes`*:: + -- -type: object - Various key/value attributes of the object, depending on its type +type: object + -- [float] -== healthcheck fields +=== healthcheck Docker healthcheck metrics. Healthcheck data will only be available from docker containers where the docker `HEALTHCHECK` instruction has been used to build the docker image. 
@@ -4303,25 +4303,25 @@ Healthcheck data will only be available from docker containers where the docker *`docker.healthcheck.failingstreak`*:: + -- -type: integer - concurent failed check +type: integer + -- *`docker.healthcheck.status`*:: + -- -type: keyword - Healthcheck status code +type: keyword + -- [float] -== event fields +=== event event fields. @@ -4330,52 +4330,52 @@ event fields. *`docker.healthcheck.event.end_date`*:: + -- -type: date - Healthcheck end date +type: date + -- *`docker.healthcheck.event.start_date`*:: + -- -type: date - Healthcheck start date +type: date + -- *`docker.healthcheck.event.output`*:: + -- -type: keyword - Healthcheck output +type: keyword + -- *`docker.healthcheck.event.exit_code`*:: + -- -type: integer - Healthcheck status code +type: integer + -- [float] -== image fields +=== image Docker image metrics. [float] -== id fields +=== id The image layers identifier. @@ -4384,35 +4384,35 @@ The image layers identifier. *`docker.image.id.current`*:: + -- -type: keyword - Unique image identifier given upon its creation. +type: keyword + -- *`docker.image.id.parent`*:: + -- -type: keyword - Identifier of the image, if it exists, from which the current image directly descends. +type: keyword + -- *`docker.image.created`*:: + -- -type: date - Date and time when the image was created. +type: date + -- [float] -== size fields +=== size Image size layers. 
@@ -4421,52 +4421,52 @@ Image size layers. *`docker.image.size.virtual`*:: + -- -type: long - Size of the image. +type: long + -- *`docker.image.size.regular`*:: + -- -type: long - Total size of the all cached images associated to the current image. +type: long + -- *`docker.image.labels`*:: + -- -type: object - Image labels. +type: object + -- *`docker.image.tags`*:: + -- -type: keyword - Image tags. +type: keyword + -- [float] -== info fields +=== info Info metrics based on https://docs.docker.com/engine/reference/api/docker_remote_api_v1.24/#/display-system-wide-information. [float] -== containers fields +=== containers Overall container stats. @@ -4475,65 +4475,65 @@ Overall container stats. *`docker.info.containers.paused`*:: + -- -type: long - Total number of paused containers. +type: long + -- *`docker.info.containers.running`*:: + -- -type: long - Total number of running containers. +type: long + -- *`docker.info.containers.stopped`*:: + -- -type: long - Total number of stopped containers. +type: long + -- *`docker.info.containers.total`*:: + -- -type: long - Total number of existing containers. +type: long + -- *`docker.info.id`*:: + -- -type: keyword - Unique Docker host identifier. +type: keyword + -- *`docker.info.images`*:: + -- -type: long - Total number of existing images. +type: long + -- [float] -== memory fields +=== memory Memory metrics. @@ -4542,27 +4542,27 @@ Memory metrics. *`docker.memory.fail.count`*:: + -- -type: scaled_float - Fail counter. +type: scaled_float + -- *`docker.memory.limit`*:: + -- -type: long +Memory limit. -format: bytes -Memory limit. +type: long +format: bytes -- [float] -== rss fields +=== rss RSS memory stats. 
@@ -4571,29 +4571,29 @@ RSS memory stats. *`docker.memory.rss.total`*:: + -- -type: long +Total memory resident set size. -format: bytes -Total memory resident set size. +type: long +format: bytes -- *`docker.memory.rss.pct`*:: + -- -type: scaled_float +Memory resident set size percentage. -format: percentage -Memory resident set size percentage. +type: scaled_float +format: percentage -- [float] -== usage fields +=== usage Usage memory stats. @@ -4602,41 +4602,41 @@ Usage memory stats. *`docker.memory.usage.max`*:: + -- -type: long +Max memory usage. -format: bytes -Max memory usage. +type: long +format: bytes -- *`docker.memory.usage.pct`*:: + -- -type: scaled_float +Memory usage percentage. -format: percentage -Memory usage percentage. +type: scaled_float +format: percentage -- *`docker.memory.usage.total`*:: + -- -type: long +Total memory usage. -format: bytes -Total memory usage. +type: long +format: bytes -- [float] -== network fields +=== network Network metrics. @@ -4645,15 +4645,15 @@ Network metrics. *`docker.network.interface`*:: + -- -type: keyword - Network interface name. +type: keyword + -- [float] -== in fields +=== in Incoming network stats per second. @@ -4662,47 +4662,47 @@ Incoming network stats per second. *`docker.network.in.bytes`*:: + -- -type: long +Total number of incoming bytes. -format: bytes -Total number of incoming bytes. +type: long +format: bytes -- *`docker.network.in.dropped`*:: + -- -type: scaled_float - Total number of dropped incoming packets. +type: scaled_float + -- *`docker.network.in.errors`*:: + -- -type: long - Total errors on incoming packets. +type: long + -- *`docker.network.in.packets`*:: + -- -type: long - Total number of incoming packets. +type: long + -- [float] -== out fields +=== out Outgoing network stats per second. 
@@ -4711,47 +4711,47 @@ Outgoing network stats per second. *`docker.network.out.bytes`*:: + -- -type: long +Total number of outgoing bytes. -format: bytes -Total number of outgoing bytes. +type: long +format: bytes -- *`docker.network.out.dropped`*:: + -- -type: scaled_float - Total number of dropped outgoing packets. +type: scaled_float + -- *`docker.network.out.errors`*:: + -- -type: long - Total errors on outgoing packets. +type: long + -- *`docker.network.out.packets`*:: + -- -type: long - Total number of outgoing packets. +type: long + -- [float] -== inbound fields +=== inbound Incoming network stats since the container started. @@ -4760,47 +4760,47 @@ Incoming network stats since the container started. *`docker.network.inbound.bytes`*:: + -- -type: long +Total number of incoming bytes. -format: bytes -Total number of incoming bytes. +type: long +format: bytes -- *`docker.network.inbound.dropped`*:: + -- -type: long - Total number of dropped incoming packets. +type: long + -- *`docker.network.inbound.errors`*:: + -- -type: long - Total errors on incoming packets. +type: long + -- *`docker.network.inbound.packets`*:: + -- -type: long - Total number of incoming packets. +type: long + -- [float] -== outbound fields +=== outbound Outgoing network stats since the container started. @@ -4809,43 +4809,43 @@ Outgoing network stats since the container started. *`docker.network.outbound.bytes`*:: + -- -type: long +Total number of outgoing bytes. -format: bytes -Total number of outgoing bytes. +type: long +format: bytes -- *`docker.network.outbound.dropped`*:: + -- -type: long - Total number of dropped outgoing packets. +type: long + -- *`docker.network.outbound.errors`*:: + -- -type: long - Total errors on outgoing packets. +type: long + -- *`docker.network.outbound.packets`*:: + -- -type: long - Total number of outgoing packets. +type: long + -- [[exported-fields-dropwizard]] 
@@ -4856,7 +4856,7 @@ Stats collected from Dropwizard. [float] -== dropwizard fields +=== dropwizard 
@@ -4870,58 +4870,58 @@ ECS Fields. *`@timestamp`*:: + -- +Date/time when the event originated. +This is the date/time extracted from the event, typically representing when the event was generated by the source. +If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. +Required field for all events. + type: date example: 2016-05-23T08:05:34.853Z required: True -Date/time when the event originated. -This is the date/time extracted from the event, typically representing when the event was generated by the source. -If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. -Required field for all events. - -- *`labels`*:: + -- -type: object - -example: {'application': 'foo-bar', 'env': 'production'} - Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. +type: object + +example: {'application': 'foo-bar', 'env': 'production'} + -- *`message`*:: + -- -type: text - -example: Hello World - For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. +type: text + +example: Hello World + -- *`tags`*:: + -- +List of keywords used to tag each event. + type: keyword example: ["production", "env2"] -List of keywords used to tag each event. - -- [float] -== agent fields +=== agent The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. 
ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. 
@@ -4930,65 +4930,65 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha *`agent.ephemeral_id`*:: + -- +Ephemeral identifier of this agent (if one exists). +This id normally changes across restarts, but `agent.id` does not. + type: keyword example: 8a4f500f -Ephemeral identifier of this agent (if one exists). -This id normally changes across restarts, but `agent.id` does not. - -- *`agent.id`*:: + -- +Unique identifier of this agent (if one exists). +Example: For Beats this would be beat.id. + type: keyword example: 8a4f500d -Unique identifier of this agent (if one exists). -Example: For Beats this would be beat.id. - -- *`agent.name`*:: + -- -type: keyword - -example: foo - Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. +type: keyword + +example: foo + -- *`agent.type`*:: + -- +Type of the agent. +The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. + type: keyword example: filebeat -Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. - -- *`agent.version`*:: + -- +Version of the agent. + type: keyword example: 6.0.0-rc2 -Version of the agent. - -- [float] -== client fields +=== client A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). 
For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. 
@@ -4998,234 +4998,234 @@ Client / server representations can add semantic context to an exchange, which i *`client.address`*:: + -- -type: keyword - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`client.bytes`*:: + -- +Bytes sent from the client to the server. + type: long example: 184 format: bytes -Bytes sent from the client to the server. - -- *`client.domain`*:: + -- -type: keyword - Client domain. +type: keyword + -- *`client.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`client.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`client.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`client.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`client.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`client.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`client.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`client.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`client.ip`*:: + -- -type: ip - IP address of the client. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`client.mac`*:: + -- -type: keyword - MAC address of the client. +type: keyword + -- *`client.packets`*:: + -- +Packets sent from the client to the server. + type: long example: 12 -Packets sent from the client to the server. - -- *`client.port`*:: + -- -type: long - Port of the client. +type: long + -- *`client.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`client.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`client.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`client.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`client.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`client.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`client.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== cloud fields +=== cloud Fields related to the cloud or infrastructure the events are coming from. 
@@ -5233,81 +5233,81 @@ Fields related to the cloud or infrastructure the events are coming from. *`cloud.account.id`*:: + -- +The cloud account or organization id used to identify different entities in a multi-tenant environment. +Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + type: keyword example: 666777888999 -The cloud account or organization id used to identify different entities in a multi-tenant environment. -Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - -- *`cloud.availability_zone`*:: + -- +Availability zone in which this host is running. + type: keyword example: us-east-1c -Availability zone in which this host is running. - -- *`cloud.instance.id`*:: + -- +Instance ID of the host machine. + type: keyword example: i-1234567890abcdef0 -Instance ID of the host machine. - -- *`cloud.instance.name`*:: + -- -type: keyword - Instance name of the host machine. +type: keyword + -- *`cloud.machine.type`*:: + -- +Machine type of the host machine. + type: keyword example: t2.medium -Machine type of the host machine. - -- *`cloud.provider`*:: + -- +Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + type: keyword example: aws -Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - -- *`cloud.region`*:: + -- +Region in which this host is running. + type: keyword example: us-east-1 -Region in which this host is running. - -- [float] -== container fields +=== container Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime. 
@@ -5316,61 +5316,61 @@ These fields help correlate data based containers from any runtime. *`container.id`*:: + -- -type: keyword - Unique container id. +type: keyword + -- *`container.image.name`*:: + -- -type: keyword - Name of the image the container was built on. +type: keyword + -- *`container.image.tag`*:: + -- -type: keyword - Container image tag. +type: keyword + -- *`container.labels`*:: + -- -type: object - Image labels. +type: object + -- *`container.name`*:: + -- -type: keyword - Container name. +type: keyword + -- *`container.runtime`*:: + -- +Runtime managing this container. + type: keyword example: docker -Runtime managing this container. - -- [float] -== destination fields +=== destination Destination fields describe details about the destination of a packet/event. Destination fields are usually populated in conjunction with source fields. 
@@ -5379,234 +5379,234 @@ Destination fields are usually populated in conjunction with source fields. *`destination.address`*:: + -- -type: keyword - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`destination.bytes`*:: + -- +Bytes sent from the destination to the source. + type: long example: 184 format: bytes -Bytes sent from the destination to the source. - -- *`destination.domain`*:: + -- -type: keyword - Destination domain. +type: keyword + -- *`destination.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`destination.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`destination.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`destination.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`destination.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`destination.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`destination.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`destination.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`destination.ip`*:: + -- -type: ip - IP address of the destination. 
Can be one or multiple IPv4 or IPv6 addresses. +type: ip + -- *`destination.mac`*:: + -- -type: keyword - MAC address of the destination. +type: keyword + -- *`destination.packets`*:: + -- +Packets sent from the destination to the source. + type: long example: 12 -Packets sent from the destination to the source. - -- *`destination.port`*:: + -- -type: long - Port of the destination. +type: long + -- *`destination.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`destination.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`destination.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`destination.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`destination.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`destination.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`destination.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== ecs fields +=== ecs Meta-information specific to ECS. 
@@ -5614,19 +5614,19 @@ Meta-information specific to ECS. *`ecs.version`*:: + -- +ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. +When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + type: keyword example: 1.0.0 required: True -ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. -When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - -- [float] -== error fields +=== error These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. @@ -5635,32 +5635,32 @@ Use them for errors that happen while fetching events or in cases where the even *`error.code`*:: + -- -type: keyword - Error code describing the error. +type: keyword + -- *`error.id`*:: + -- -type: keyword - Unique identifier for the error. +type: keyword + -- *`error.message`*:: + -- -type: text - Error message. +type: text + -- [float] -== event fields +=== event The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. 
@@ -5669,203 +5669,203 @@ A log is defined as an event containing details of something that happened. Log *`event.action`*:: + -- +The action captured by the event. +This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + type: keyword example: user-password-change -The action captured by the event. -This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - -- *`event.category`*:: + -- -type: keyword - -example: user-management - Event category. This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. +type: keyword + +example: user-management + -- *`event.created`*:: + -- -type: date - event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. +type: date + -- *`event.dataset`*:: + -- +Name of the dataset. +The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. 
+ type: keyword example: stats -Name of the dataset. -The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. - -- *`event.duration`*:: + -- +Duration of the event in nanoseconds. +If event.start and event.end are known this value should be the difference between the end and start time. + type: long format: duration -Duration of the event in nanoseconds. -If event.start and event.end are known this value should be the difference between the end and start time. - -- *`event.end`*:: + -- -type: date - event.end contains the date when the event ended or when the activity was last observed. +type: date + -- *`event.hash`*:: + -- +Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. + type: keyword example: 123456789012345678901234567890ABCD -Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. - -- *`event.id`*:: + -- +Unique ID to describe the event. + type: keyword example: 8a4f500d -Unique ID to describe the event. - -- *`event.kind`*:: + -- +The kind of the event. +This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: state -The kind of the event. -This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.module`*:: + -- +Name of the module this data is coming from. +This information is coming from the modules used in Beats or Logstash. 
+ type: keyword example: mysql -Name of the module this data is coming from. -This information is coming from the modules used in Beats or Logstash. - -- *`event.original`*:: + -- +Raw text message of entire event. Used to demonstrate log integrity. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. + type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 -Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. - -- *`event.outcome`*:: + -- +The outcome of the event. +If the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: success -The outcome of the event. -If the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.risk_score`*:: + -- -type: float - Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +type: float + -- *`event.risk_score_norm`*:: + -- -type: float - Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. +type: float + -- *`event.severity`*:: + -- +Severity describes the original severity of the event. What the different severity values mean can very different between use cases. 
It's up to the implementer to make sure severities are consistent across events. + type: long example: 7 -Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events. - -- *`event.start`*:: + -- -type: date - event.start contains the date when the event started or when the activity was first observed. +type: date + -- *`event.timezone`*:: + -- -type: keyword - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). +type: keyword + -- *`event.type`*:: + -- -type: keyword - Reserved for future usage. Please avoid using this field for user data. +type: keyword + -- [float] -== file fields +=== file A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. 
@@ -5874,136 +5874,136 @@ File objects can be associated with host events, network events, and/or file eve *`file.ctime`*:: + -- -type: date - Last time file metadata changed. +type: date + -- *`file.device`*:: + -- -type: keyword - Device that is the source of the file. +type: keyword + -- *`file.extension`*:: + -- +File extension. +This should allow easy filtering by file extensions. + type: keyword example: png -File extension. -This should allow easy filtering by file extensions. - -- *`file.gid`*:: + -- -type: keyword - Primary group ID (GID) of the file. +type: keyword + -- *`file.group`*:: + -- -type: keyword - Primary group name of the file. +type: keyword + -- *`file.inode`*:: + -- -type: keyword - Inode representing the file in the filesystem. +type: keyword + -- *`file.mode`*:: + -- +Mode of the file in octal representation. + type: keyword example: 416 -Mode of the file in octal representation. - -- *`file.mtime`*:: + -- -type: date - Last time file content was modified. +type: date + -- *`file.owner`*:: + -- -type: keyword - File owner's username. +type: keyword + -- *`file.path`*:: + -- -type: keyword - Path to the file. +type: keyword + -- *`file.size`*:: + -- -type: long - File size in bytes (field is only added when `type` is `file`). +type: long + -- *`file.target_path`*:: + -- -type: keyword - Target path for symlinks. +type: keyword + -- *`file.type`*:: + -- -type: keyword - File type (file, dir, or symlink). +type: keyword + -- *`file.uid`*:: + -- -type: keyword - The user ID (UID) or security identifier (SID) of the file owner. +type: keyword + -- [float] -== geo fields +=== geo Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. 
@@ -6012,95 +6012,95 @@ This geolocation information can be derived from techniques such as Geo IP, or b *`geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- [float] -== group fields +=== group The group fields are meant to represent groups that are relevant to the event. @@ -6108,23 +6108,23 @@ The group fields are meant to represent groups that are relevant to the event. *`group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- [float] -== host fields +=== host A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. 
@@ -6133,299 +6133,299 @@ ECS host.* fields should be populated with details about the host on which the e *`host.architecture`*:: + -- +Operating system architecture. + type: keyword example: x86_64 -Operating system architecture. - -- *`host.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`host.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`host.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`host.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`host.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`host.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`host.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`host.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`host.hostname`*:: + -- -type: keyword - Hostname of the host. It normally contains what the `hostname` command returns on the host machine. +type: keyword + -- *`host.id`*:: + -- -type: keyword - Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. +type: keyword + -- *`host.ip`*:: + -- -type: ip - Host ip address. +type: ip + -- *`host.mac`*:: + -- -type: keyword - Host mac address. +type: keyword + -- *`host.name`*:: + -- -type: keyword - Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. +type: keyword + -- *`host.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`host.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`host.os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`host.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`host.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`host.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`host.type`*:: + -- -type: keyword - Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. +type: keyword + -- *`host.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`host.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`host.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`host.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`host.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. 
Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`host.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`host.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== http fields +=== http Fields related to HTTP activity. Use the `url` field set to store the url of the request. 
@@ -6433,124 +6433,124 @@ Fields related to HTTP activity. Use the `url` field set to store the url of the *`http.request.body.bytes`*:: + -- +Size in bytes of the request body. + type: long example: 887 format: bytes -Size in bytes of the request body. - -- *`http.request.body.content`*:: + -- +The full HTTP request body. + type: keyword example: Hello world -The full HTTP request body. - -- *`http.request.bytes`*:: + -- +Total size in bytes of the request (body and headers). + type: long example: 1437 format: bytes -Total size in bytes of the request (body and headers). - -- *`http.request.method`*:: + -- +HTTP request method. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: get, post, put -HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`http.request.referrer`*:: + -- +Referrer for this HTTP request. + type: keyword example: https://blog.example.com/ -Referrer for this HTTP request. - -- *`http.response.body.bytes`*:: + -- +Size in bytes of the response body. + type: long example: 887 format: bytes -Size in bytes of the response body. - -- *`http.response.body.content`*:: + -- +The full HTTP response body. + type: keyword example: Hello world -The full HTTP response body. - -- *`http.response.bytes`*:: + -- +Total size in bytes of the response (body and headers). + type: long example: 1437 format: bytes -Total size in bytes of the response (body and headers). - -- *`http.response.status_code`*:: + -- +HTTP response status code. + type: long example: 404 -HTTP response status code. - -- *`http.version`*:: + -- +HTTP version. + type: keyword example: 1.1 -HTTP version. - -- [float] -== log fields +=== log Fields which are specific to log events. 
@@ -6558,30 +6558,30 @@ Fields which are specific to log events. *`log.level`*:: + -- +Original log level of the log event. +Some examples are `warn`, `error`, `i`. + type: keyword example: err -Original log level of the log event. -Some examples are `warn`, `error`, `i`. - -- *`log.original`*:: + -- -type: keyword - -example: Sep 19 08:26:10 localhost My log - This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. +type: keyword + +example: Sep 19 08:26:10 localhost My log + -- [float] -== network fields +=== network The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event. 
@@ -6590,48 +6590,44 @@ The network.* fields should be populated with details about the network activity *`network.application`*:: + -- +A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: aim -A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`network.bytes`*:: + -- +Total bytes transferred in both directions. +If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + type: long example: 368 format: bytes -Total bytes transferred in both directions. -If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - -- *`network.community_id`*:: + -- +A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. +Learn more at https://github.com/corelight/community-id-spec. + type: keyword example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= -A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. -Learn more at https://github.com/corelight/community-id-spec. - -- *`network.direction`*:: + -- -type: keyword - -example: inbound - Direction of the network traffic. 
Recommended values are: * inbound 
@@ -6643,91 +6639,95 @@ Recommended values are: When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. +type: keyword + +example: inbound + -- *`network.forwarded_ip`*:: + -- +Host IP address when the source IP address is the proxy. + type: ip example: 192.1.1.2 -Host IP address when the source IP address is the proxy. - -- *`network.iana_number`*:: + -- +IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + type: keyword example: 6 -IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - -- *`network.name`*:: + -- +Name given by operators to sections of their network. + type: keyword example: Guest Wifi -Name given by operators to sections of their network. - -- *`network.packets`*:: + -- +Total packets transferred in both directions. +If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + type: long example: 24 -Total packets transferred in both directions. -If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - -- *`network.protocol`*:: + -- +L7 Network protocol name. ex. http, lumberjack, transport protocol. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: http -L7 Network protocol name. ex. http, lumberjack, transport protocol. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". 
- -- *`network.transport`*:: + -- +Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: tcp -Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`network.type`*:: + -- +In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: ipv4 -In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- [float] -== observer fields +=== observer An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. 
@@ -6736,227 +6736,227 @@ This could be a custom hardware appliance or a server that has been configured t *`observer.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`observer.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`observer.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`observer.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`observer.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`observer.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`observer.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`observer.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`observer.hostname`*:: + -- -type: keyword - Hostname of the observer. +type: keyword + -- *`observer.ip`*:: + -- -type: ip - IP address of the observer. +type: ip + -- *`observer.mac`*:: + -- -type: keyword - MAC address of the observer +type: keyword + -- *`observer.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`observer.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`observer.os.kernel`*:: + -- +Operating system kernel version as a raw string. 
+ type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`observer.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`observer.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`observer.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`observer.serial_number`*:: + -- -type: keyword - Observer serial number. +type: keyword + -- *`observer.type`*:: + -- +The type of the observer the data is coming from. +There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + type: keyword example: firewall -The type of the observer the data is coming from. -There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - -- *`observer.vendor`*:: + -- -type: keyword - observer vendor information. +type: keyword + -- *`observer.version`*:: + -- -type: keyword - Observer version. +type: keyword + -- [float] -== organization fields +=== organization The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations. @@ -6965,23 +6965,23 @@ These fields help you arrange or filter data stored in an index by one or multip *`organization.id`*:: + -- -type: keyword - Unique identifier for the organization. +type: keyword + -- *`organization.name`*:: + -- -type: keyword - Organization name. +type: keyword + -- [float] -== os fields +=== os The OS fields contain information about the operating system. 
@@ -6989,71 +6989,71 @@ The OS fields contain information about the operating system. *`os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- [float] -== process fields +=== process These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. 
@@ -7062,101 +7062,101 @@ These fields can help you correlate metrics information with a process id/name f *`process.args`*:: + -- +Array of process arguments. +May be filtered to protect sensitive information. + type: keyword example: ['ssh', '-l', 'user', '10.0.0.16'] -Array of process arguments. -May be filtered to protect sensitive information. - -- *`process.executable`*:: + -- +Absolute path to the process executable. + type: keyword example: /usr/bin/ssh -Absolute path to the process executable. - -- *`process.name`*:: + -- +Process name. +Sometimes called program name or similar. + type: keyword example: ssh -Process name. -Sometimes called program name or similar. - -- *`process.pid`*:: + -- -type: long - Process id. +type: long + -- *`process.ppid`*:: + -- -type: long - Process parent id. +type: long + -- *`process.start`*:: + -- +The time the process started. + type: date example: 2016-05-23T08:05:34.853Z -The time the process started. - -- *`process.thread.id`*:: + -- +Thread ID. + type: long example: 4242 -Thread ID. - -- *`process.title`*:: + -- -type: keyword - Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. +type: keyword + -- *`process.working_directory`*:: + -- +The working directory of the process. + type: keyword example: /home/alice -The working directory of the process. - -- [float] -== related fields +=== related This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. 
@@ -7166,14 +7166,14 @@ A concrete example is IP addresses, which can be under host, observer, source, d *`related.ip`*:: + -- -type: ip - All of the IPs seen on your event. +type: ip + -- [float] -== server fields +=== server A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. 
@@ -7183,234 +7183,234 @@ Client / server representations can add semantic context to an exchange, which i *`server.address`*:: + -- -type: keyword - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`server.bytes`*:: + -- +Bytes sent from the server to the client. + type: long example: 184 format: bytes -Bytes sent from the server to the client. - -- *`server.domain`*:: + -- -type: keyword - Server domain. +type: keyword + -- *`server.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`server.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`server.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`server.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`server.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`server.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`server.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`server.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`server.ip`*:: + -- -type: ip - IP address of the server. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`server.mac`*:: + -- -type: keyword - MAC address of the server. +type: keyword + -- *`server.packets`*:: + -- +Packets sent from the server to the client. + type: long example: 12 -Packets sent from the server to the client. - -- *`server.port`*:: + -- -type: long - Port of the server. +type: long + -- *`server.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`server.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`server.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`server.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`server.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`server.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`server.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== service fields +=== service The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version. 
@@ -7419,78 +7419,78 @@ These fields help you find and correlate logs for a specific service and version *`service.ephemeral_id`*:: + -- +Ephemeral identifier of this service (if one exists). +This id normally changes across restarts, but `service.id` does not. + type: keyword example: 8a4f500f -Ephemeral identifier of this service (if one exists). -This id normally changes across restarts, but `service.id` does not. - -- *`service.id`*:: + -- -type: keyword - -example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - Unique identifier of the running service. This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance. +type: keyword + +example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + -- *`service.name`*:: + -- -type: keyword - -example: elasticsearch-metrics - Name of the service data is collected from. The name of the service is normally user given. This allows if two instances of the same service are running on the same machine they can be differentiated by the `service.name`. Also it allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the `service.type` field if no name is specified. +type: keyword + +example: elasticsearch-metrics + -- *`service.state`*:: + -- -type: keyword - Current state of the service. +type: keyword + -- *`service.type`*:: + -- -type: keyword - -example: elasticsearch - The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
+type: keyword + +example: elasticsearch + -- *`service.version`*:: + -- +Version of the service the data was collected from. +This allows to look at a data set only for a specific version of a service. + type: keyword example: 3.2.4 -Version of the service the data was collected from. -This allows to look at a data set only for a specific version of a service. - -- [float] -== source fields +=== source Source fields describe details about the source of a packet/event. Source fields are usually populated in conjunction with destination fields. 
@@ -7499,234 +7499,234 @@ Source fields are usually populated in conjunction with destination fields. *`source.address`*:: + -- -type: keyword - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`source.bytes`*:: + -- +Bytes sent from the source to the destination. + type: long example: 184 format: bytes -Bytes sent from the source to the destination. - -- *`source.domain`*:: + -- -type: keyword - Source domain. +type: keyword + -- *`source.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`source.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`source.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`source.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`source.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`source.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`source.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`source.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`source.ip`*:: + -- -type: ip - IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`source.mac`*:: + -- -type: keyword - MAC address of the source. +type: keyword + -- *`source.packets`*:: + -- +Packets sent from the source to the destination. + type: long example: 12 -Packets sent from the source to the destination. - -- *`source.port`*:: + -- -type: long - Port of the source. +type: long + -- *`source.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`source.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`source.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`source.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`source.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`source.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`source.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== url fields +=== url URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. 
@@ -7734,111 +7734,111 @@ URL fields provide support for complete or partial URLs, and supports the breaki *`url.domain`*:: + -- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + type: keyword example: www.elastic.co -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - -- *`url.fragment`*:: + -- -type: keyword - Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. +type: keyword + -- *`url.full`*:: + -- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - -- *`url.original`*:: + -- -type: keyword - -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + -- *`url.password`*:: + -- -type: keyword - Password of the request. +type: keyword + -- *`url.path`*:: + -- -type: keyword - Path of the request, such as "/search". +type: keyword + -- *`url.port`*:: + -- +Port of the request, such as 443. + type: long example: 443 -Port of the request, such as 443. 
- -- *`url.query`*:: + -- -type: keyword - The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. +type: keyword + -- *`url.scheme`*:: + -- +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. + type: keyword example: https -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. - -- *`url.username`*:: + -- -type: keyword - Username of the request. +type: keyword + -- [float] -== user fields +=== user The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. 
@@ -7847,73 +7847,73 @@ Fields can have one entry or multiple entries. If a user has more than one id, p *`user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== user_agent fields +=== user_agent The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string. 
@@ -7922,111 +7922,111 @@ They often show up in web service logs coming from the parsed user agent string. *`user_agent.device.name`*:: + -- +Name of the device. + type: keyword example: iPhone -Name of the device. - -- *`user_agent.name`*:: + -- +Name of the user agent. + type: keyword example: Safari -Name of the user agent. - -- *`user_agent.original`*:: + -- +Unparsed version of the user_agent. + type: keyword example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 -Unparsed version of the user_agent. - -- *`user_agent.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`user_agent.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`user_agent.os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`user_agent.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`user_agent.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`user_agent.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`user_agent.version`*:: + -- +Version of the user agent. + type: keyword example: 12.0 -Version of the user agent. - -- [[exported-fields-elasticsearch]] @@ -8037,7 +8037,7 @@ Elasticsearch module [float] -== elasticsearch fields +=== elasticsearch 
@@ -8045,55 +8045,55 @@ Elasticsearch module *`elasticsearch.cluster.name`*:: + -- -type: keyword - Elasticsearch cluster name. +type: keyword + -- *`elasticsearch.cluster.id`*:: + -- -type: keyword - Elasticsearch cluster id. +type: keyword + -- *`elasticsearch.cluster.state.id`*:: + -- -type: keyword - Elasticsearch state id. +type: keyword + -- *`elasticsearch.node.id`*:: + -- -type: keyword - Node ID +type: keyword + -- *`elasticsearch.node.name`*:: + -- -type: keyword - Node name. +type: keyword + -- [float] -== ccr fields +=== ccr Cross-cluster replication stats @@ -8103,76 +8103,76 @@ Cross-cluster replication stats *`elasticsearch.ccr.leader.index`*:: + -- -type: keyword - Name of leader index +type: keyword + -- *`elasticsearch.ccr.leader.max_seq_no`*:: + -- -type: long - Maximum sequence number of operation on the leader shard +type: long + -- *`elasticsearch.ccr.follower.index`*:: + -- -type: keyword - Name of follower index +type: keyword + -- *`elasticsearch.ccr.follower.shard.number`*:: + -- -type: long - Number of the shard within the index +type: long + -- *`elasticsearch.ccr.follower.operations_written`*:: + -- -type: long - Number of operations indexed (replicated) into the follower shard from the leader shard +type: long + -- *`elasticsearch.ccr.follower.time_since_last_read.ms`*:: + -- -type: long - Time, in ms, since the follower last fetched from the leader +type: long + -- *`elasticsearch.ccr.follower.global_checkpoint`*:: + -- -type: long - Global checkpoint value on follower shard +type: long + -- [float] -== cluster.stats fields +=== cluster.stats Cluster stats @@ -8181,15 +8181,15 @@ Cluster stats *`elasticsearch.cluster.stats.status`*:: + -- -type: keyword - Cluster status (green, yellow, red). +type: keyword + -- [float] -== nodes fields +=== nodes Nodes statistics. 
@@ -8198,35 +8198,35 @@ Nodes statistics. *`elasticsearch.cluster.stats.nodes.count`*:: + -- -type: long - Total number of nodes in cluster. +type: long + -- *`elasticsearch.cluster.stats.nodes.master`*:: + -- -type: long - Number of master-eligible nodes in cluster. +type: long + -- *`elasticsearch.cluster.stats.nodes.data`*:: + -- -type: long - Number of data nodes in cluster. +type: long + -- [float] -== indices fields +=== indices Indices statistics. @@ -8235,15 +8235,15 @@ Indices statistics. *`elasticsearch.cluster.stats.indices.count`*:: + -- -type: long - Total number of indices in cluster. +type: long + -- [float] -== shards fields +=== shards Shard statistics. @@ -8252,35 +8252,35 @@ Shard statistics. *`elasticsearch.cluster.stats.indices.shards.count`*:: + -- -type: long - Total number of shards in cluster. +type: long + -- *`elasticsearch.cluster.stats.indices.shards.primaries`*:: + -- -type: long - Total number of primary shards in cluster. +type: long + -- *`elasticsearch.cluster.stats.indices.fielddata.memory.bytes`*:: + -- -type: long - Memory used for fielddata. +type: long + -- [float] -== index fields +=== index index 
@@ -8289,70 +8289,70 @@ index *`elasticsearch.index.name`*:: + -- -type: keyword - Index name. +type: keyword + -- *`elasticsearch.index.total.docs.count`*:: + -- -type: long - Total number of documents in the index. +type: long + -- *`elasticsearch.index.total.docs.deleted`*:: + -- -type: long - Total number of deleted documents in the index. +type: long + -- *`elasticsearch.index.total.store.size.bytes`*:: + -- -type: long +Total size of the index in bytes. -format: bytes -Total size of the index in bytes. +type: long +format: bytes -- *`elasticsearch.index.total.segments.count`*:: + -- -type: long - Total number of index segments. +type: long + -- *`elasticsearch.index.total.segments.memory.bytes`*:: + -- -type: long +Total number of memory used by the segments in bytes. -format: bytes -Total number of memory used by the segments in bytes. +type: long +format: bytes -- [float] -== index.recovery fields +=== index.recovery index 
@@ -8361,105 +8361,105 @@ index *`elasticsearch.index.recovery.id`*:: + -- -type: long - Shard recovery id. +type: long + -- *`elasticsearch.index.recovery.type`*:: + -- -type: keyword - Shard recovery type. +type: keyword + -- *`elasticsearch.index.recovery.primary`*:: + -- -type: boolean - True if primary shard. +type: boolean + -- *`elasticsearch.index.recovery.stage`*:: + -- -type: keyword - Recovery stage. +type: keyword + -- *`elasticsearch.index.recovery.target.id`*:: + -- -type: keyword - Target node id. +type: keyword + -- *`elasticsearch.index.recovery.target.host`*:: + -- -type: keyword - Target node host address (could be IP address or hostname). +type: keyword + -- *`elasticsearch.index.recovery.target.name`*:: + -- -type: keyword - Target node name. +type: keyword + -- *`elasticsearch.index.recovery.source.id`*:: + -- -type: keyword - Source node id. +type: keyword + -- *`elasticsearch.index.recovery.source.host`*:: + -- -type: keyword - Source node host address (could be IP address or hostname). +type: keyword + -- *`elasticsearch.index.recovery.source.name`*:: + -- -type: keyword - Source node name. +type: keyword + -- [float] -== index.summary fields +=== index.summary index 
@@ -8469,54 +8469,54 @@ index *`elasticsearch.index.summary.primaries.docs.count`*:: + -- -type: long - Total number of documents in the index. +type: long + -- *`elasticsearch.index.summary.primaries.docs.deleted`*:: + -- -type: long - Total number of deleted documents in the index. +type: long + -- *`elasticsearch.index.summary.primaries.store.size.bytes`*:: + -- -type: long +Total size of the index in bytes. -format: bytes -Total size of the index in bytes. +type: long +format: bytes -- *`elasticsearch.index.summary.primaries.segments.count`*:: + -- -type: long - Total number of index segments. +type: long + -- *`elasticsearch.index.summary.primaries.segments.memory.bytes`*:: + -- -type: long +Total number of memory used by the segments in bytes. -format: bytes -Total number of memory used by the segments in bytes. +type: long +format: bytes -- @@ -8524,59 +8524,59 @@ Total number of memory used by the segments in bytes. *`elasticsearch.index.summary.total.docs.count`*:: + -- -type: long - Total number of documents in the index. +type: long + -- *`elasticsearch.index.summary.total.docs.deleted`*:: + -- -type: long - Total number of deleted documents in the index. +type: long + -- *`elasticsearch.index.summary.total.store.size.bytes`*:: + -- -type: long +Total size of the index in bytes. -format: bytes -Total size of the index in bytes. +type: long +format: bytes -- *`elasticsearch.index.summary.total.segments.count`*:: + -- -type: long - Total number of index segments. +type: long + -- *`elasticsearch.index.summary.total.segments.memory.bytes`*:: + -- -type: long +Total number of memory used by the segments in bytes. -format: bytes -Total number of memory used by the segments in bytes. +type: long +format: bytes -- [float] -== ml.job fields +=== ml.job ml 
@@ -8585,45 +8585,45 @@ ml *`elasticsearch.ml.job.id`*:: + -- -type: keyword - Unique ml job id. +type: keyword + -- *`elasticsearch.ml.job.state`*:: + -- -type: keyword - Job state. +type: keyword + -- *`elasticsearch.ml.job.data_counts.processed_record_count`*:: + -- -type: long - Processed data events. +type: long + -- *`elasticsearch.ml.job.data_counts.invalid_date_count`*:: + -- -type: long - The number of records with either a missing date field or a date that could not be parsed. +type: long + -- [float] -== node fields +=== node node @@ -8632,15 +8632,15 @@ node *`elasticsearch.node.version`*:: + -- -type: keyword - Node version. +type: keyword + -- [float] -== jvm fields +=== jvm JVM Info. @@ -8649,80 +8649,80 @@ JVM Info. *`elasticsearch.node.jvm.version`*:: + -- -type: keyword - JVM version. +type: keyword + -- *`elasticsearch.node.jvm.memory.heap.init.bytes`*:: + -- -type: long +Heap init used by the JVM in bytes. -format: bytes -Heap init used by the JVM in bytes. +type: long +format: bytes -- *`elasticsearch.node.jvm.memory.heap.max.bytes`*:: + -- -type: long +Heap max used by the JVM in bytes. -format: bytes -Heap max used by the JVM in bytes. +type: long +format: bytes -- *`elasticsearch.node.jvm.memory.nonheap.init.bytes`*:: + -- -type: long +Non-Heap init used by the JVM in bytes. -format: bytes -Non-Heap init used by the JVM in bytes. +type: long +format: bytes -- *`elasticsearch.node.jvm.memory.nonheap.max.bytes`*:: + -- -type: long +Non-Heap max used by the JVM in bytes. -format: bytes -Non-Heap max used by the JVM in bytes. +type: long +format: bytes -- *`elasticsearch.node.process.mlockall`*:: + -- -type: boolean - If process locked in memory. +type: boolean + -- [float] -== node.stats fields +=== node.stats node_stats [float] -== indices fields +=== indices Node indices stats 
@@ -8731,64 +8731,64 @@ Node indices stats *`elasticsearch.node.stats.indices.docs.count`*:: + -- -type: long - Total number of existing documents. +type: long + -- *`elasticsearch.node.stats.indices.docs.deleted`*:: + -- -type: long - Total number of deleted documents. +type: long + -- *`elasticsearch.node.stats.indices.segments.count`*:: + -- -type: long - Total number of segments. +type: long + -- *`elasticsearch.node.stats.indices.segments.memory.bytes`*:: + -- -type: long +Total size of segments in bytes. -format: bytes -Total size of segments in bytes. +type: long +format: bytes -- *`elasticsearch.node.stats.indices.store.size.bytes`*:: + -- -type: long - Total size of the store in bytes. +type: long + -- [float] -== jvm.mem.pools fields +=== jvm.mem.pools JVM memory pool stats [float] -== old fields +=== old Old memory pool stats. @@ -8797,49 +8797,49 @@ Old memory pool stats. *`elasticsearch.node.stats.jvm.mem.pools.old.max.bytes`*:: + -- +Max bytes. + type: long format: bytes -Max bytes. - -- *`elasticsearch.node.stats.jvm.mem.pools.old.peak.bytes`*:: + -- +Peak bytes. + type: long format: bytes -Peak bytes. - -- *`elasticsearch.node.stats.jvm.mem.pools.old.peak_max.bytes`*:: + -- +Peak max bytes. + type: long format: bytes -Peak max bytes. - -- *`elasticsearch.node.stats.jvm.mem.pools.old.used.bytes`*:: + -- +Used bytes. + type: long format: bytes -Used bytes. - -- [float] -== young fields +=== young Young memory pool stats. 
@@ -8848,49 +8848,49 @@ Young memory pool stats. *`elasticsearch.node.stats.jvm.mem.pools.young.max.bytes`*:: + -- +Max bytes. + type: long format: bytes -Max bytes. - -- *`elasticsearch.node.stats.jvm.mem.pools.young.peak.bytes`*:: + -- +Peak bytes. + type: long format: bytes -Peak bytes. - -- *`elasticsearch.node.stats.jvm.mem.pools.young.peak_max.bytes`*:: + -- +Peak max bytes. + type: long format: bytes -Peak max bytes. - -- *`elasticsearch.node.stats.jvm.mem.pools.young.used.bytes`*:: + -- +Used bytes. + type: long format: bytes -Used bytes. - -- [float] -== survivor fields +=== survivor Survivor memory pool stats. @@ -8899,56 +8899,56 @@ Survivor memory pool stats. *`elasticsearch.node.stats.jvm.mem.pools.survivor.max.bytes`*:: + -- +Max bytes. + type: long format: bytes -Max bytes. - -- *`elasticsearch.node.stats.jvm.mem.pools.survivor.peak.bytes`*:: + -- +Peak bytes. + type: long format: bytes -Peak bytes. - -- *`elasticsearch.node.stats.jvm.mem.pools.survivor.peak_max.bytes`*:: + -- +Peak max bytes. + type: long format: bytes -Peak max bytes. - -- *`elasticsearch.node.stats.jvm.mem.pools.survivor.used.bytes`*:: + -- +Used bytes. + type: long format: bytes -Used bytes. - -- [float] -== jvm.gc.collectors fields +=== jvm.gc.collectors GC collector stats. [float] -== old.collection fields +=== old.collection Old collection gc. @@ -8957,23 +8957,23 @@ Old collection gc. *`elasticsearch.node.stats.jvm.gc.collectors.old.collection.count`*:: + -- -type: long +type: long -- *`elasticsearch.node.stats.jvm.gc.collectors.old.collection.ms`*:: + -- -type: long +type: long -- [float] -== young.collection fields +=== young.collection Young collection gc. @@ -8982,23 +8982,23 @@ Young collection gc. *`elasticsearch.node.stats.jvm.gc.collectors.young.collection.count`*:: + -- -type: long +type: long -- *`elasticsearch.node.stats.jvm.gc.collectors.young.collection.ms`*:: + -- -type: long +type: long -- [float] -== fs.summary fields +=== fs.summary File system summary 
@@ -9007,38 +9007,38 @@ File system summary *`elasticsearch.node.stats.fs.summary.total.bytes`*:: + -- -type: long -format: bytes +type: long +format: bytes -- *`elasticsearch.node.stats.fs.summary.free.bytes`*:: + -- -type: long -format: bytes +type: long +format: bytes -- *`elasticsearch.node.stats.fs.summary.available.bytes`*:: + -- -type: long -format: bytes +type: long +format: bytes -- [float] -== cluster.pending_task fields +=== cluster.pending_task `cluster.pending_task` contains a pending task description. @@ -9047,45 +9047,45 @@ format: bytes *`elasticsearch.cluster.pending_task.insert_order`*:: + -- -type: long - Insert order +type: long + -- *`elasticsearch.cluster.pending_task.priority`*:: + -- -type: long - Priority +type: long + -- *`elasticsearch.cluster.pending_task.source`*:: + -- -type: keyword - Source. For example: put-mapping +type: keyword + -- *`elasticsearch.cluster.pending_task.time_in_queue.ms`*:: + -- -type: long - Time in queue +type: long + -- [float] -== shard fields +=== shard shard fields @@ -9094,41 +9094,41 @@ shard fields *`elasticsearch.shard.primary`*:: + -- -type: boolean - True if this is the primary shard. +type: boolean + -- *`elasticsearch.shard.number`*:: + -- -type: long - The number of this shard. +type: long + -- *`elasticsearch.shard.state`*:: + -- -type: keyword - The state of this shard. +type: keyword + -- *`elasticsearch.shard.relocating_node.name`*:: + -- -type: keyword - The node the shard was relocated from. +type: keyword + -- [[exported-fields-envoyproxy]] @@ -9139,13 +9139,13 @@ envoyproxy module [float] -== envoyproxy fields +=== envoyproxy [float] -== server fields +=== server Contains envoy proxy server stats 
@@ -9155,153 +9155,153 @@ Contains envoy proxy server stats *`envoyproxy.server.cluster_manager.active_clusters`*:: + -- -type: integer - Number of currently active (warmed) clusters +type: integer + -- *`envoyproxy.server.cluster_manager.cluster_added`*:: + -- -type: integer - Total clusters added (either via static config or CDS) +type: integer + -- *`envoyproxy.server.cluster_manager.cluster_modified`*:: + -- -type: integer - Total clusters modified (via CDS) +type: integer + -- *`envoyproxy.server.cluster_manager.cluster_removed`*:: + -- -type: integer - Total clusters removed (via CDS) +type: integer + -- *`envoyproxy.server.cluster_manager.warming_clusters`*:: + -- -type: integer - Number of currently warming (not active) clusters +type: integer + -- *`envoyproxy.server.filesystem.flushed_by_timer`*:: + -- -type: integer - Total number of times internal flush buffers are written to a file due to flush timeout +type: integer + -- *`envoyproxy.server.filesystem.reopen_failed`*:: + -- -type: integer - Total number of times a file was failed to be opened +type: integer + -- *`envoyproxy.server.filesystem.write_buffered`*:: + -- -type: integer - Total number of times file data is moved to Envoys internal flush buffer +type: integer + -- *`envoyproxy.server.filesystem.write_completed`*:: + -- -type: integer - Total number of times a file was written +type: integer + -- *`envoyproxy.server.filesystem.write_total_buffered`*:: + -- -type: integer - Current total size of internal flush buffer in bytes +type: integer + -- *`envoyproxy.server.runtime.load_error`*:: + -- -type: integer - Total number of load attempts that resulted in an error +type: integer + -- *`envoyproxy.server.runtime.load_success`*:: + -- -type: integer - Total number of load attempts that were successful +type: integer + -- *`envoyproxy.server.runtime.num_keys`*:: + -- -type: integer - Number of keys currently loaded +type: integer + -- *`envoyproxy.server.runtime.override_dir_exists`*:: + -- 
-type: integer - Total number of loads that did use an override directory +type: integer + -- *`envoyproxy.server.runtime.override_dir_not_exists`*:: + -- -type: integer - Total number of loads that did not use an override directory +type: integer + -- *`envoyproxy.server.runtime.admin_overrides_active`*:: 
@@ -9315,173 +9315,173 @@ type: integer *`envoyproxy.server.listener_manager.listener_added`*:: + -- -type: integer - Total listeners added (either via static config or LDS) +type: integer + -- *`envoyproxy.server.listener_manager.listener_create_failure`*:: + -- -type: integer - Total failed listener object additions to workers +type: integer + -- *`envoyproxy.server.listener_manager.listener_create_success`*:: + -- -type: integer - Total listener objects successfully added to workers +type: integer + -- *`envoyproxy.server.listener_manager.listener_modified`*:: + -- -type: integer - Total listeners modified (via LDS) +type: integer + -- *`envoyproxy.server.listener_manager.listener_removed`*:: + -- -type: integer - Total listeners removed (via LDS) +type: integer + -- *`envoyproxy.server.listener_manager.total_listeners_active`*:: + -- -type: integer - Number of currently active listeners +type: integer + -- *`envoyproxy.server.listener_manager.total_listeners_draining`*:: + -- -type: integer - Number of currently draining listeners +type: integer + -- *`envoyproxy.server.listener_manager.total_listeners_warming`*:: + -- -type: integer - Number of currently warming listeners +type: integer + -- *`envoyproxy.server.stats.overflow`*:: + -- -type: integer - Total number of times Envoy cannot allocate a statistic due to a shortage of shared memory +type: integer + -- *`envoyproxy.server.server.days_until_first_cert_expiring`*:: + -- -type: integer - Number of days until the next certificate being managed will expire +type: integer + -- *`envoyproxy.server.server.live`*:: + -- -type: integer - 1 if the server is not currently draining, 0 otherwise +type: integer + -- *`envoyproxy.server.server.memory_allocated`*:: + -- -type: integer - Current amount of allocated memory in bytes +type: integer + -- *`envoyproxy.server.server.memory_heap_size`*:: + -- -type: integer - Current reserved heap size in bytes +type: integer + -- 
*`envoyproxy.server.server.parent_connections`*:: + -- -type: integer - Total connections of the old Envoy process on hot restart +type: integer + -- *`envoyproxy.server.server.total_connections`*:: + -- -type: integer - Total connections of both new and old Envoy processes +type: integer + -- *`envoyproxy.server.server.uptime`*:: + -- -type: integer - Current server uptime in seconds +type: integer + -- *`envoyproxy.server.server.version`*:: + -- -type: integer - Integer represented version number based on SCM revision +type: integer + -- *`envoyproxy.server.server.watchdog_mega_miss`*:: 
@@ -9501,82 +9501,82 @@ type: integer *`envoyproxy.server.server.hot_restart_epoch`*:: + -- -type: integer - Current hot restart epoch +type: integer + -- *`envoyproxy.server.http2.header_overflow`*:: + -- -type: integer - Total number of connections reset due to the headers being larger than Envoy::Http::Http2::ConnectionImpl::StreamImpl::MAX_HEADER_SIZE (63k) +type: integer + -- *`envoyproxy.server.http2.headers_cb_no_stream`*:: + -- -type: integer - Total number of errors where a header callback is called without an associated stream. This tracks an unexpected occurrence due to an as yet undiagnosed bug +type: integer + -- *`envoyproxy.server.http2.rx_messaging_error`*:: + -- -type: integer - Total number of invalid received frames that violated section 8 of the HTTP/2 spec. This will result in a tx_reset +type: integer + -- *`envoyproxy.server.http2.rx_reset`*:: + -- -type: integer - Total number of reset stream frames received by Envoy +type: integer + -- *`envoyproxy.server.http2.too_many_header_frames`*:: + -- -type: integer - Total number of times an HTTP2 connection is reset due to receiving too many headers frames. Envoy currently supports proxying at most one header frame for 100-Continue one non-100 response code header frame and one frame with trailers +type: integer + -- *`envoyproxy.server.http2.trailers`*:: + -- -type: integer - Total number of trailers seen on requests coming from downstream +type: integer + -- *`envoyproxy.server.http2.tx_reset`*:: + -- -type: integer - Total number of reset stream frames transmitted by Envoy +type: integer + -- [[exported-fields-etcd]] @@ -9587,7 +9587,7 @@ etcd Module [float] -== etcd fields +=== etcd `etcd` contains statistics that were read from Etcd 
@@ -9596,22 +9596,22 @@ etcd Module *`etcd.api_version`*:: + -- -type: keyword - Etcd API version for metrics retrieval +type: keyword + -- [float] -== leader fields +=== leader Contains etcd leader statistics. [float] -== followers.counts fields +=== followers.counts The number of failed and successful Raft RPC requests. @@ -9620,23 +9620,23 @@ The number of failed and successful Raft RPC requests. *`etcd.leader.followers.counts.followers.counts.success`*:: + -- -type: integer - successful Raft RPC requests +type: integer + -- *`etcd.leader.followers.counts.followers.counts.fail`*:: + -- -type: integer - failed Raft RPC requests +type: integer + -- [float] -== followers.latency fields +=== followers.latency latency to each peer in the cluster @@ -9680,14 +9680,14 @@ type: scaled_float *`etcd.leader.leader`*:: + -- -type: keyword - ID of actual leader +type: keyword + -- [float] -== server fields +=== server Server metrics from the Etcd V3 /metrics endpoint @@ -9696,75 +9696,75 @@ Server metrics from the Etcd V3 /metrics endpoint *`etcd.server.has_leader`*:: + -- -type: byte - Whether a leader exists in the cluster +type: byte + -- *`etcd.server.leader_changes.count`*:: + -- -type: long - Number of leader changes seen at the cluster +type: long + -- *`etcd.server.proposals_committed.count`*:: + -- -type: long - Number of consensus proposals commited +type: long + -- *`etcd.server.proposals_pending.count`*:: + -- -type: long - Number of consensus proposals pending +type: long + -- *`etcd.server.proposals_failed.count`*:: + -- -type: long - Number of consensus proposals failed +type: long + -- *`etcd.server.grpc_started.count`*:: + -- -type: long - Number of sent gRPC requests +type: long + -- *`etcd.server.grpc_handled.count`*:: + -- -type: long - Number of received gRPC requests +type: long + -- [float] -== disk fields +=== disk Disk metrics from the Etcd V3 /metrics endpoint 
@@ -9773,77 +9773,77 @@ Disk metrics from the Etcd V3 /metrics endpoint *`etcd.disk.mvcc_db_total_size.bytes`*:: + -- -type: long +Size of stored data at MVCC -format: bytes -Size of stored data at MVCC +type: long +format: bytes -- *`etcd.disk.wal_fsync_duration.ns.bucket.*`*:: + -- -type: object - Latency for writing ahead logs to disk +type: object + -- *`etcd.disk.wal_fsync_duration.ns.count`*:: + -- -type: long - Write ahead logs count +type: long + -- *`etcd.disk.wal_fsync_duration.ns.sum`*:: + -- -type: long - Write ahead logs latency sum +type: long + -- *`etcd.disk.backend_commit_duration.ns.bucket.*`*:: + -- -type: object - Latency for writing backend changes to disk +type: object + -- *`etcd.disk.backend_commit_duration.ns.count`*:: + -- -type: long - Backend commits count +type: long + -- *`etcd.disk.backend_commit_duration.ns.sum`*:: + -- -type: long - Backend commits latency sum +type: long + -- [float] -== memory fields +=== memory Memory metrics from the Etcd V3 /metrics endpoint @@ -9852,17 +9852,17 @@ Memory metrics from the Etcd V3 /metrics endpoint *`etcd.memory.go_memstats_alloc.bytes`*:: + -- -type: long +Memory allocated bytes as of MemStats Go -format: bytes -Memory allocated bytes as of MemStats Go +type: long +format: bytes -- [float] -== network fields +=== network Network metrics from the Etcd V3 /metrics endpoint @@ -9871,29 +9871,29 @@ Network metrics from the Etcd V3 /metrics endpoint *`etcd.network.client_grpc_sent.bytes`*:: + -- -type: long +gRPC sent bytes total -format: bytes -gRPC sent bytes total +type: long +format: bytes -- *`etcd.network.client_grpc_received.bytes`*:: + -- -type: long +gRPC received bytes total -format: bytes -gRPC received bytes total +type: long +format: bytes -- [float] -== self fields +=== self Contains etcd self statistics. 
@@ -9902,135 +9902,135 @@ Contains etcd self statistics. *`etcd.self.id`*:: + -- -type: keyword - the unique identifier for the member +type: keyword + -- *`etcd.self.leaderinfo.leader`*:: + -- -type: keyword - id of the current leader member +type: keyword + -- *`etcd.self.leaderinfo.starttime`*:: + -- -type: keyword - the time when this node was started +type: keyword + -- *`etcd.self.leaderinfo.uptime`*:: + -- -type: keyword - amount of time the leader has been leader +type: keyword + -- *`etcd.self.name`*:: + -- -type: keyword - this member's name +type: keyword + -- *`etcd.self.recv.appendrequest.count`*:: + -- -type: integer - number of append requests this node has processed +type: integer + -- *`etcd.self.recv.bandwidthrate`*:: + -- -type: scaled_float - number of bytes per second this node is receiving (follower only) +type: scaled_float + -- *`etcd.self.recv.pkgrate`*:: + -- -type: scaled_float - number of requests per second this node is receiving (follower only) +type: scaled_float + -- *`etcd.self.send.appendrequest.count`*:: + -- -type: integer - number of requests that this node has sent +type: integer + -- *`etcd.self.send.bandwidthrate`*:: + -- -type: scaled_float - number of bytes per second this node is sending (leader only). This value is undefined on single member clusters. +type: scaled_float + -- *`etcd.self.send.pkgrate`*:: + -- -type: scaled_float - number of requests per second this node is sending (leader only). This value is undefined on single member clusters. +type: scaled_float + -- *`etcd.self.starttime`*:: + -- -type: keyword - the time when this node was started +type: keyword + -- *`etcd.self.state`*:: + -- -type: keyword - either leader or follower +type: keyword + -- [float] -== store fields +=== store The store statistics include information about the operations that this node has handled. @@ -10156,13 +10156,13 @@ Golang module [float] -== golang fields +=== golang [float] -== expvar fields +=== expvar expvar 
@@ -10171,15 +10171,15 @@ expvar *`golang.expvar.cmdline`*:: + -- -type: keyword - The cmdline of this Go program start with. +type: keyword + -- [float] -== heap fields +=== heap The Go program heap information exposed by expvar. @@ -10188,22 +10188,22 @@ The Go program heap information exposed by expvar. *`golang.heap.cmdline`*:: + -- -type: keyword - The cmdline of this Go program start with. +type: keyword + -- [float] -== gc fields +=== gc Garbage collector summary. [float] -== total_pause fields +=== total_pause Total GC pause duration over lifetime of process. @@ -10212,47 +10212,47 @@ Total GC pause duration over lifetime of process. *`golang.heap.gc.total_pause.ns`*:: + -- -type: long - Duration in Ns. +type: long + -- *`golang.heap.gc.total_count`*:: + -- -type: long - Total number of GC was happened. +type: long + -- *`golang.heap.gc.next_gc_limit`*:: + -- -type: long +Next collection will happen when HeapAlloc > this amount. -format: bytes -Next collection will happen when HeapAlloc > this amount. +type: long +format: bytes -- *`golang.heap.gc.cpu_fraction`*:: + -- -type: float - Fraction of CPU time used by GC. +type: float + -- [float] -== pause fields +=== pause Last GC pause durations during the monitoring period. @@ -10261,15 +10261,15 @@ Last GC pause durations during the monitoring period. *`golang.heap.gc.pause.count`*:: + -- -type: long - Count of GC pause duration during this collect period. +type: long + -- [float] -== sum fields +=== sum Total GC pause duration during this collect period. @@ -10278,15 +10278,15 @@ Total GC pause duration during this collect period. *`golang.heap.gc.pause.sum.ns`*:: + -- -type: long - Duration in Ns. +type: long + -- [float] -== max fields +=== max Max GC pause duration during this collect period. 
@@ -10295,15 +10295,15 @@ Max GC pause duration during this collect period. *`golang.heap.gc.pause.max.ns`*:: + -- -type: long - Duration in Ns. +type: long + -- [float] -== avg fields +=== avg Average GC pause duration during this collect period. @@ -10312,15 +10312,15 @@ Average GC pause duration during this collect period. *`golang.heap.gc.pause.avg.ns`*:: + -- -type: long - Duration in Ns. +type: long + -- [float] -== system fields +=== system Heap summary,which bytes was obtained from system. @@ -10329,53 +10329,53 @@ Heap summary,which bytes was obtained from system. *`golang.heap.system.total`*:: + -- -type: long +Total bytes obtained from system (sum of XxxSys below). -format: bytes -Total bytes obtained from system (sum of XxxSys below). +type: long +format: bytes -- *`golang.heap.system.obtained`*:: + -- -type: long +Via HeapSys, bytes obtained from system. heap_sys = heap_idle + heap_inuse. -format: bytes -Via HeapSys, bytes obtained from system. heap_sys = heap_idle + heap_inuse. +type: long +format: bytes -- *`golang.heap.system.stack`*:: + -- -type: long +Bytes used by stack allocator, and these bytes was obtained from system. -format: bytes -Bytes used by stack allocator, and these bytes was obtained from system. +type: long +format: bytes -- *`golang.heap.system.released`*:: + -- -type: long +Bytes released to the OS. -format: bytes -Bytes released to the OS. +type: long +format: bytes -- [float] -== allocations fields +=== allocations Heap allocations summary. 
@@ -10384,78 +10384,78 @@ Heap allocations summary. *`golang.heap.allocations.mallocs`*:: + -- -type: long - Number of mallocs. +type: long + -- *`golang.heap.allocations.frees`*:: + -- -type: long - Number of frees. +type: long + -- *`golang.heap.allocations.objects`*:: + -- -type: long - Total number of allocated objects. +type: long + -- *`golang.heap.allocations.total`*:: + -- -type: long +Bytes allocated (even if freed) throughout the lifetime. -format: bytes -Bytes allocated (even if freed) throughout the lifetime. +type: long +format: bytes -- *`golang.heap.allocations.allocated`*:: + -- -type: long +Bytes allocated and not yet freed (same as Alloc above). -format: bytes -Bytes allocated and not yet freed (same as Alloc above). +type: long +format: bytes -- *`golang.heap.allocations.idle`*:: + -- -type: long +Bytes in idle spans. -format: bytes -Bytes in idle spans. +type: long +format: bytes -- *`golang.heap.allocations.active`*:: + -- -type: long +Bytes in non-idle span. -format: bytes -Bytes in non-idle span. +type: long +format: bytes -- @@ -10467,13 +10467,13 @@ graphite Module [float] -== graphite fields +=== graphite [float] -== server fields +=== server server @@ -10482,11 +10482,11 @@ server *`graphite.server.example`*:: + -- -type: keyword - Example field +type: keyword + -- [[exported-fields-haproxy]] @@ -10497,14 +10497,14 @@ HAProxy Module [float] -== haproxy fields +=== haproxy HAProxy metrics. [float] -== info fields +=== info General information about HAProxy processes. 
@@ -10513,93 +10513,93 @@ General information about HAProxy processes. *`haproxy.info.processes`*:: + -- -type: long - Number of processes. +type: long + -- *`haproxy.info.process_num`*:: + -- -type: long - Process number. +type: long + -- *`haproxy.info.pid`*:: + -- -type: alias +Process ID. -alias to: process.pid -Process ID. +type: alias +alias to: process.pid -- *`haproxy.info.run_queue`*:: + -- -type: long +type: long -- *`haproxy.info.tasks`*:: + -- -type: long +type: long -- *`haproxy.info.uptime.sec`*:: + -- -type: long - Current uptime in seconds. +type: long + -- *`haproxy.info.memory.max.bytes`*:: + -- -type: long +Maximum amount of memory usage in bytes (the 'Memmax_MB' value converted to bytes). -format: bytes -Maximum amount of memory usage in bytes (the 'Memmax_MB' value converted to bytes). +type: long +format: bytes -- *`haproxy.info.ulimit_n`*:: + -- -type: long - Maximum number of open files for the process. +type: long + -- [float] -== compress fields +=== compress [float] -== bps fields +=== bps @@ -10607,38 +10607,38 @@ Maximum number of open files for the process. *`haproxy.info.compress.bps.in`*:: + -- -type: long +type: long -- *`haproxy.info.compress.bps.out`*:: + -- -type: long +type: long -- *`haproxy.info.compress.bps.rate_limit`*:: + -- -type: long +type: long -- [float] -== connection fields +=== connection [float] -== rate fields +=== rate 
@@ -10646,128 +10646,128 @@ type: long *`haproxy.info.connection.rate.value`*:: + -- -type: long +type: long -- *`haproxy.info.connection.rate.limit`*:: + -- -type: long +type: long -- *`haproxy.info.connection.rate.max`*:: + -- -type: long +type: long -- *`haproxy.info.connection.current`*:: + -- -type: long - Current connections. +type: long + -- *`haproxy.info.connection.total`*:: + -- -type: long - Total connections. +type: long + -- *`haproxy.info.connection.ssl.current`*:: + -- -type: long - Current SSL connections. +type: long + -- *`haproxy.info.connection.ssl.total`*:: + -- -type: long - Total SSL connections. +type: long + -- *`haproxy.info.connection.ssl.max`*:: + -- -type: long - Maximum SSL connections. +type: long + -- *`haproxy.info.connection.max`*:: + -- -type: long - Maximum connections. +type: long + -- *`haproxy.info.connection.hard_max`*:: + -- -type: long +type: long -- *`haproxy.info.requests.total`*:: + -- -type: long +type: long -- *`haproxy.info.sockets.max`*:: + -- -type: long +type: long -- *`haproxy.info.requests.max`*:: + -- -type: long +type: long -- [float] -== pipes fields +=== pipes @@ -10775,32 +10775,32 @@ type: long *`haproxy.info.pipes.used`*:: + -- -type: integer +type: integer -- *`haproxy.info.pipes.free`*:: + -- -type: integer +type: integer -- *`haproxy.info.pipes.max`*:: + -- -type: integer +type: integer -- [float] -== session fields +=== session None @@ -10808,32 +10808,32 @@ None *`haproxy.info.session.rate.value`*:: + -- -type: integer +type: integer -- *`haproxy.info.session.rate.limit`*:: + -- -type: integer +type: integer -- *`haproxy.info.session.rate.max`*:: + -- -type: integer +type: integer -- [float] -== ssl fields +=== ssl None 
@@ -10841,32 +10841,32 @@ None *`haproxy.info.ssl.rate.value`*:: + -- -type: integer - None +type: integer + -- *`haproxy.info.ssl.rate.limit`*:: + -- -type: integer - None +type: integer + -- *`haproxy.info.ssl.rate.max`*:: + -- -type: integer - None +type: integer + -- [float] -== frontend fields +=== frontend None @@ -10874,34 +10874,34 @@ None *`haproxy.info.ssl.frontend.key_rate.value`*:: + -- -type: integer - None +type: integer + -- *`haproxy.info.ssl.frontend.key_rate.max`*:: + -- -type: integer - None +type: integer + -- *`haproxy.info.ssl.frontend.session_reuse.pct`*:: + -- +None + type: scaled_float format: percent -None - -- [float] -== backend fields +=== backend None @@ -10909,41 +10909,41 @@ None *`haproxy.info.ssl.backend.key_rate.value`*:: + -- -type: integer - None +type: integer + -- *`haproxy.info.ssl.backend.key_rate.max`*:: + -- -type: integer - MaxConnRate +type: integer + -- *`haproxy.info.ssl.cached_lookups`*:: + -- -type: long - None +type: long + -- *`haproxy.info.ssl.cache_misses`*:: + -- -type: long - None +type: long + -- [float] -== zlib_mem_usage fields +=== zlib_mem_usage @@ -10951,34 +10951,34 @@ None *`haproxy.info.zlib_mem_usage.value`*:: + -- -type: integer +type: integer -- *`haproxy.info.zlib_mem_usage.max`*:: + -- -type: integer +type: integer -- *`haproxy.info.idle.pct`*:: + -- -type: scaled_float -format: percent +type: scaled_float +format: percent -- [float] -== stat fields +=== stat Stats collected from HAProxy processes. 
@@ -10987,201 +10987,199 @@ Stats collected from HAProxy processes. *`haproxy.stat.status`*:: + -- -type: keyword - Status (UP, DOWN, NOLB, MAINT, or MAINT(via)...). +type: keyword + -- *`haproxy.stat.weight`*:: + -- -type: long - Total weight (for backends), or server weight (for servers). +type: long + -- *`haproxy.stat.downtime`*:: + -- -type: long - Total downtime (in seconds). For backends, this value is the downtime for the whole backend, not the sum of the downtime for the servers. +type: long + -- *`haproxy.stat.component_type`*:: + -- -type: integer - Component type (0=frontend, 1=backend, 2=server, or 3=socket/listener). +type: integer + -- *`haproxy.stat.process_id`*:: + -- -type: alias +Process ID (0 for first instance, 1 for second, and so on). -alias to: process.pid -Process ID (0 for first instance, 1 for second, and so on). +type: alias +alias to: process.pid -- *`haproxy.stat.service_name`*:: + -- -type: keyword - Service name (FRONTEND for frontend, BACKEND for backend, or any name for server/listener). +type: keyword + -- *`haproxy.stat.in.bytes`*:: + -- -type: long +Bytes in. -format: bytes -Bytes in. +type: long +format: bytes -- *`haproxy.stat.out.bytes`*:: + -- -type: long +Bytes out. -format: bytes -Bytes out. +type: long +format: bytes -- *`haproxy.stat.last_change`*:: + -- -type: integer - Number of seconds since the last UP->DOWN or DOWN->UP transition. +type: integer + -- *`haproxy.stat.throttle.pct`*:: + -- -type: scaled_float +Current throttle percentage for the server when slowstart is active, or no value if slowstart is inactive. -format: percentage -Current throttle percentage for the server when slowstart is active, or no value if slowstart is inactive. +type: scaled_float +format: percentage -- *`haproxy.stat.selected.total`*:: + -- -type: long - Total number of times a server was selected, either for new sessions, or when re-dispatching. For servers, this field reports the the number of times the server was selected. 
+type: long + -- *`haproxy.stat.tracked.id`*:: + -- -type: long - ID of the proxy/server if tracking is enabled. +type: long + -- *`haproxy.stat.connection.total`*:: + -- -type: long - Cumulative number of connections. +type: long + -- *`haproxy.stat.connection.retried`*:: + -- -type: long - Number of times a connection to a server was retried. +type: long + -- *`haproxy.stat.connection.time.avg`*:: + -- -type: long - Average connect time in ms over the last 1024 requests. +type: long + -- *`haproxy.stat.request.denied`*:: + -- -type: long - Requests denied because of security concerns. * For TCP this is because of a matched tcp-request content rule. * For HTTP this is because of a matched http-request or tarpit rule. +type: long + -- *`haproxy.stat.request.queued.current`*:: + -- -type: long - Current queued requests. For backends, this field reports the number of requests queued without a server assigned. +type: long + -- *`haproxy.stat.request.queued.max`*:: + -- -type: long - Maximum value of queued.current. +type: long + -- *`haproxy.stat.request.errors`*:: + -- -type: long - Request errors. Some of the possible causes are: * early termination from the client, before the request has been sent @@ -11192,30 +11190,32 @@ Request errors. Some of the possible causes are: * request was tarpitted. +type: long + -- *`haproxy.stat.request.redispatched`*:: + -- -type: long - Number of times a request was redispatched to another server. For servers, this field reports the number of times the server was switched away from. +type: long + -- *`haproxy.stat.request.connection.errors`*:: + -- -type: long - Number of requests that encountered an error trying to connect to a server. For backends, this field reports the sum of the stat for all backend servers, plus any connection errors not associated with a particular server (such as the backend having no active servers). +type: long + -- [float] -== rate fields +=== rate 
@@ -11223,67 +11223,67 @@ Number of requests that encountered an error trying to connect to a server. For *`haproxy.stat.request.rate.value`*:: + -- -type: long - Number of HTTP requests per second over the last elapsed second. +type: long + -- *`haproxy.stat.request.rate.max`*:: + -- -type: long - Maximum number of HTTP requests per second. +type: long + -- *`haproxy.stat.request.total`*:: + -- -type: long - Total number of HTTP requests received. +type: long + -- *`haproxy.stat.response.errors`*:: + -- -type: long - Number of response errors. This value includes the number of data transfers aborted by the server (haproxy.stat.server.aborted). Some other errors are: * write errors on the client socket (won't be counted for the server stat) * failure applying filters to the response +type: long + -- *`haproxy.stat.response.time.avg`*:: + -- -type: long - Average response time in ms over the last 1024 requests (0 for TCP). +type: long + -- *`haproxy.stat.response.denied`*:: + -- -type: integer - Responses denied because of security concerns. For HTTP this is because of a matched http-request rule, or "option checkcache". +type: integer + -- [float] -== http fields +=== http 
@@ -11291,127 +11291,127 @@ Responses denied because of security concerns. For HTTP this is because of a mat *`haproxy.stat.response.http.1xx`*:: + -- -type: long - HTTP responses with 1xx code. +type: long + -- *`haproxy.stat.response.http.2xx`*:: + -- -type: long - HTTP responses with 2xx code. +type: long + -- *`haproxy.stat.response.http.3xx`*:: + -- -type: long - HTTP responses with 3xx code. +type: long + -- *`haproxy.stat.response.http.4xx`*:: + -- -type: long - HTTP responses with 4xx code. +type: long + -- *`haproxy.stat.response.http.5xx`*:: + -- -type: long - HTTP responses with 5xx code. +type: long + -- *`haproxy.stat.response.http.other`*:: + -- -type: long - HTTP responses with other codes (protocol error). +type: long + -- *`haproxy.stat.session.current`*:: + -- -type: long - Number of current sessions. +type: long + -- *`haproxy.stat.session.max`*:: + -- -type: long - Maximum number of sessions. +type: long + -- *`haproxy.stat.session.limit`*:: + -- -type: long - Configured session limit. +type: long + -- *`haproxy.stat.session.rate.value`*:: + -- -type: integer - Number of sessions per second over the last elapsed second. +type: integer + -- *`haproxy.stat.session.rate.limit`*:: + -- -type: integer - Configured limit on new sessions per second. +type: integer + -- *`haproxy.stat.session.rate.max`*:: + -- -type: integer - Maximum number of new sessions per second. +type: integer + -- [float] -== check fields +=== check @@ -11419,8 +11419,6 @@ Maximum number of new sessions per second. *`haproxy.stat.check.status`*:: + -- -type: keyword - Status of the last health check. One of: UNK -> unknown 
@@ -11441,89 +11439,91 @@ Status of the last health check. One of: L7STS -> layer 7 response error, for example HTTP 5xx +type: keyword + -- *`haproxy.stat.check.code`*:: + -- -type: long - Layer 5-7 code, if available. +type: long + -- *`haproxy.stat.check.duration`*:: + -- -type: long - Time in ms that it took to finish the last health check. +type: long + -- *`haproxy.stat.check.health.last`*:: + -- -type: keyword - The result of the last health check. +type: keyword + -- *`haproxy.stat.check.health.fail`*:: + -- -type: long - Number of failed checks. +type: long + -- *`haproxy.stat.check.agent.last`*:: + -- -type: integer +type: integer -- *`haproxy.stat.check.failed`*:: + -- -type: long - Number of checks that failed while the server was up. +type: long + -- *`haproxy.stat.check.down`*:: + -- -type: long - Number of UP->DOWN transitions. For backends, this value is the number of transitions to the whole backend being down, rather than the sum of the transitions for each server. +type: long + -- *`haproxy.stat.client.aborted`*:: + -- -type: integer - Number of data transfers aborted by the client. +type: integer + -- [float] -== server fields +=== server @@ -11531,45 +11531,45 @@ Number of data transfers aborted by the client. *`haproxy.stat.server.id`*:: + -- -type: integer - Server ID (unique inside a proxy). +type: integer + -- *`haproxy.stat.server.aborted`*:: + -- -type: integer - Number of data transfers aborted by the server. This value is included in haproxy.stat.response.errors. +type: integer + -- *`haproxy.stat.server.active`*:: + -- -type: integer - Number of backend servers that are active, meaning that they are healthy and can receive requests from the load balancer. +type: integer + -- *`haproxy.stat.server.backup`*:: + -- -type: integer - Number of backend servers that are backup servers. +type: integer + -- [float] -== compressor fields +=== compressor 
@@ -11577,53 +11577,53 @@ Number of backend servers that are backup servers. *`haproxy.stat.compressor.in.bytes`*:: + -- -type: long +Number of HTTP response bytes fed to the compressor. -format: bytes -Number of HTTP response bytes fed to the compressor. +type: long +format: bytes -- *`haproxy.stat.compressor.out.bytes`*:: + -- -type: integer +Number of HTTP response bytes emitted by the compressor. -format: bytes -Number of HTTP response bytes emitted by the compressor. +type: integer +format: bytes -- *`haproxy.stat.compressor.bypassed.bytes`*:: + -- -type: long +Number of bytes that bypassed the HTTP compressor (CPU/BW limit). -format: bytes -Number of bytes that bypassed the HTTP compressor (CPU/BW limit). +type: long +format: bytes -- *`haproxy.stat.compressor.response.bytes`*:: + -- -type: long +Number of HTTP responses that were compressed. -format: bytes -Number of HTTP responses that were compressed. +type: long +format: bytes -- [float] -== proxy fields +=== proxy @@ -11631,25 +11631,25 @@ Number of HTTP responses that were compressed. *`haproxy.stat.proxy.id`*:: + -- -type: integer - Unique proxy ID. +type: integer + -- *`haproxy.stat.proxy.name`*:: + -- -type: keyword - Proxy name. +type: keyword + -- [float] -== queue fields +=== queue @@ -11657,21 +11657,21 @@ Proxy name. *`haproxy.stat.queue.limit`*:: + -- -type: integer - Configured queue limit (maxqueue) for the server, or nothing if the value of maxqueue is 0 (meaning no limit). +type: integer + -- *`haproxy.stat.queue.time.avg`*:: + -- -type: integer - The average queue time in ms over the last 1024 requests. +type: integer + -- [[exported-fields-host-processor]] 
@@ -11685,34 +11685,34 @@ Info collected for the host machine. *`host.containerized`*:: + -- -type: boolean - If the host is a container. +type: boolean + -- *`host.os.build`*:: + -- -type: keyword +OS build information. -example: 18D109 -OS build information. +type: keyword +example: 18D109 -- *`host.os.codename`*:: + -- -type: keyword +OS codename, if any. -example: stretch -OS codename, if any. +type: keyword +example: stretch -- @@ -11724,13 +11724,13 @@ HTTP module [float] -== http fields +=== http [float] -== request fields +=== request HTTP request information @@ -11739,15 +11739,15 @@ HTTP request information *`http.request.headers`*:: + -- -type: object - The HTTP headers sent +type: object + -- [float] -== response fields +=== response HTTP response information @@ -11756,45 +11756,45 @@ HTTP response information *`http.response.headers`*:: + -- -type: object - The HTTP headers received +type: object + -- *`http.response.code`*:: + -- -type: keyword +The HTTP status code -example: 404 -The HTTP status code +type: keyword +example: 404 -- *`http.response.phrase`*:: + -- -type: keyword +The HTTP status phrase -example: Not found -The HTTP status phrase +type: keyword +example: Not found -- [float] -== json fields +=== json json metricset [float] -== server fields +=== server server @@ -11807,7 +11807,7 @@ Jolokia module [float] -== jolokia fields +=== jolokia jolokia contains metrics exposed via jolokia agent 
@@ -11823,71 +11823,71 @@ Metadata from Jolokia Discovery added by the jolokia provider. *`jolokia.agent.version`*:: + -- -type: keyword - Version number of jolokia agent. +type: keyword + -- *`jolokia.agent.id`*:: + -- -type: keyword - Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. +type: keyword + -- *`jolokia.server.product`*:: + -- -type: keyword - The container product if detected. +type: keyword + -- *`jolokia.server.version`*:: + -- -type: keyword - The container's version (if detected). +type: keyword + -- *`jolokia.server.vendor`*:: + -- -type: keyword - The vendor of the container the agent is running in. +type: keyword + -- *`jolokia.url`*:: + -- -type: keyword - The URL how this agent can be contacted. +type: keyword + -- *`jolokia.secured`*:: + -- -type: boolean - Whether the agent was configured for authentication or not. +type: boolean + -- [[exported-fields-kafka]] @@ -11898,13 +11898,13 @@ Kafka module [float] -== kafka fields +=== kafka [float] -== broker fields +=== broker Broker Consumer Group Information have been read from (Broker handling the consumer group). 
@@ -11913,80 +11913,80 @@ Broker Consumer Group Information have been read from (Broker handling the consu *`kafka.broker.id`*:: + -- -type: long - Broker id +type: long + -- *`kafka.broker.address`*:: + -- -type: keyword - Broker advertised address +type: keyword + -- *`kafka.topic.name`*:: + -- -type: keyword - Topic name +type: keyword + -- *`kafka.topic.error.code`*:: + -- -type: long - Topic error code. +type: long + -- *`kafka.partition.id`*:: + -- -type: long - Partition id. +type: long + -- *`kafka.partition.topic_id`*:: + -- -type: keyword - Unique id of the partition in the topic. +type: keyword + -- *`kafka.partition.topic_broker_id`*:: + -- -type: keyword - Unique id of the partition in the topic and the broker. +type: keyword + -- [float] -== consumergroup fields +=== consumergroup consumergroup [float] -== broker fields +=== broker Broker Consumer Group Information have been read from (Broker handling the consumer group). @@ -11995,30 +11995,30 @@ Broker Consumer Group Information have been read from (Broker handling the consu *`kafka.consumergroup.broker.id`*:: + -- -type: long - Broker id +type: long + -- *`kafka.consumergroup.broker.address`*:: + -- -type: keyword - Broker address +type: keyword + -- *`kafka.consumergroup.id`*:: + -- -type: keyword - Consumer Group ID +type: keyword + -- *`kafka.consumergroup.topic`*:: @@ -12027,10 +12027,10 @@ Consumer Group ID deprecated[6.5] -type: keyword - Topic name +type: keyword + -- *`kafka.consumergroup.partition`*:: 
@@ -12039,42 +12039,42 @@ Topic name deprecated[6.5] -type: long - Partition ID +type: long + -- *`kafka.consumergroup.offset`*:: + -- -type: long - consumer offset into partition being read +type: long + -- *`kafka.consumergroup.meta`*:: + -- -type: keyword - custom consumer meta data string +type: keyword + -- *`kafka.consumergroup.error.code`*:: + -- -type: long - kafka consumer/partition error code. +type: long + -- [float] -== client fields +=== client Assigned client reading events from partition @@ -12083,39 +12083,39 @@ Assigned client reading events from partition *`kafka.consumergroup.client.id`*:: + -- -type: keyword - Client ID (kafka setting client.id) +type: keyword + -- *`kafka.consumergroup.client.host`*:: + -- -type: keyword - Client host +type: keyword + -- *`kafka.consumergroup.client.member_id`*:: + -- -type: keyword - internal consumer group member ID +type: keyword + -- [float] -== partition fields +=== partition partition [float] -== offset fields +=== offset Available offsets of the given partition. @@ -12124,25 +12124,25 @@ Available offsets of the given partition. *`kafka.partition.offset.newest`*:: + -- -type: long - Newest offset of the partition. +type: long + -- *`kafka.partition.offset.oldest`*:: + -- -type: long - Oldest offset of the partition. +type: long + -- [float] -== partition fields +=== partition Partition data. 
@@ -12154,71 +12154,71 @@ Partition data. deprecated[6.5] -type: long - Partition id. +type: long + -- *`kafka.partition.partition.leader`*:: + -- -type: long - Leader id (broker). +type: long + -- *`kafka.partition.partition.isr`*:: + -- -type: keyword - List of isr ids. +type: keyword + -- *`kafka.partition.partition.replica`*:: + -- -type: long - Replica id (broker). +type: long + -- *`kafka.partition.partition.insync_replica`*:: + -- -type: boolean - Indicates if replica is included in the in-sync replicate set (ISR). +type: boolean + -- *`kafka.partition.partition.is_leader`*:: + -- -type: boolean - Indicates if replica is the leader +type: boolean + -- *`kafka.partition.partition.error.code`*:: + -- -type: long - Error code from fetching partition. +type: long + -- *`kafka.partition.topic.error.code`*:: @@ -12227,11 +12227,11 @@ Error code from fetching partition. deprecated[6.5] -type: long - topic error code. +type: long + -- *`kafka.partition.topic.name`*:: @@ -12240,11 +12240,11 @@ topic error code. deprecated[6.5] -type: keyword - Topic name +type: keyword + -- *`kafka.partition.broker.id`*:: @@ -12253,11 +12253,11 @@ Topic name deprecated[6.5] -type: long - Broker id +type: long + -- *`kafka.partition.broker.address`*:: @@ -12266,11 +12266,11 @@ Broker id deprecated[6.5] -type: keyword - Broker address +type: keyword + -- [[exported-fields-kibana]] @@ -12281,13 +12281,13 @@ Kibana module [float] -== kibana fields +=== kibana [float] -== stats fields +=== stats Kibana stats and run-time metrics. 
@@ -12296,101 +12296,101 @@ Kibana stats and run-time metrics. *`kibana.stats.uuid`*:: + -- -type: alias +Kibana instance UUID -alias to: service.id -Kibana instance UUID +type: alias +alias to: service.id -- *`kibana.stats.name`*:: + -- -type: keyword - Kibana instance name +type: keyword + -- *`kibana.stats.index`*:: + -- -type: keyword - Name of Kibana's internal index +type: keyword + -- *`kibana.stats.host.name`*:: + -- -type: keyword - Kibana instance hostname +type: keyword + -- *`kibana.stats.transport_address`*:: + -- +Kibana server's hostname and port + + type: alias alias to: service.address -Kibana server's hostname and port - - -- *`kibana.stats.version`*:: + -- -type: alias +Kibana version -alias to: service.version -Kibana version +type: alias +alias to: service.version -- *`kibana.stats.snapshot`*:: + -- -type: boolean - Whether the Kibana build is a snapshot build +type: boolean + -- *`kibana.stats.status`*:: + -- -type: keyword - Kibana instance's health status +type: keyword + -- *`kibana.stats.concurrent_connections`*:: + -- -type: long - Number of client connections made to the server. Note that browsers can send multiple simultaneous connections to request multiple server assets at once, and they can re-use established connections. +type: long + -- [float] -== process fields +=== process Process metrics @@ -12399,15 +12399,15 @@ Process metrics *`kibana.stats.process.event_loop_delay.ms`*:: + -- -type: scaled_float - Event loop delay in milliseconds +type: scaled_float + -- [float] -== memory.heap fields +=== memory.heap Process heap metrics 
@@ -12416,51 +12416,51 @@ Process heap metrics *`kibana.stats.process.memory.heap.total.bytes`*:: + -- -type: long +Total heap allocated to process in bytes -format: bytes -Total heap allocated to process in bytes +type: long +format: bytes -- *`kibana.stats.process.memory.heap.used.bytes`*:: + -- -type: long +Heap used by process in bytes -format: bytes -Heap used by process in bytes +type: long +format: bytes -- *`kibana.stats.process.memory.heap.size_limit.bytes`*:: + -- -type: long +Max. old space size allocated to Node.js process, in bytes -format: bytes -Max. old space size allocated to Node.js process, in bytes +type: long +format: bytes -- *`kibana.stats.process.memory.heap.uptime.ms`*:: + -- -type: long - Uptime of process in milliseconds +type: long + -- [float] -== request fields +=== request Request count metrics @@ -12469,25 +12469,25 @@ Request count metrics *`kibana.stats.request.disconnects`*:: + -- -type: long - Number of requests that were disconnected +type: long + -- *`kibana.stats.request.total`*:: + -- -type: long - Total number of requests +type: long + -- [float] -== response_time fields +=== response_time Response times metrics @@ -12496,25 +12496,25 @@ Response times metrics *`kibana.stats.response_time.avg.ms`*:: + -- -type: long - Average response time in milliseconds +type: long + -- *`kibana.stats.response_time.max.ms`*:: + -- -type: long - Maximum response time in milliseconds +type: long + -- [float] -== status fields +=== status Status fields 
@@ -12523,49 +12523,49 @@ Status fields *`kibana.status.name`*:: + -- -type: keyword - Kibana instance name. +type: keyword + -- *`kibana.status.uuid`*:: + -- -type: alias +Kibana instance uuid. -alias to: service.id -Kibana instance uuid. +type: alias +alias to: service.id -- *`kibana.status.version.number`*:: + -- -type: alias +Kibana version number. -alias to: service.version -Kibana version number. +type: alias +alias to: service.version -- *`kibana.status.status.overall.state`*:: + -- -type: keyword - Kibana overall state. +type: keyword + -- [float] -== metrics fields +=== metrics Metrics fields @@ -12574,15 +12574,15 @@ Metrics fields *`kibana.status.metrics.concurrent_connections`*:: + -- -type: long - Current concurrent connections. +type: long + -- [float] -== requests fields +=== requests Request statistics. @@ -12591,21 +12591,21 @@ Request statistics. *`kibana.status.metrics.requests.disconnects`*:: + -- -type: long - Total number of disconnected connections. +type: long + -- *`kibana.status.metrics.requests.total`*:: + -- -type: long - Total number of connections. +type: long + -- [[exported-fields-kubernetes-processor]] 
@@ -12619,111 +12619,111 @@ Kubernetes metadata added by the kubernetes processor *`kubernetes.pod.name`*:: + -- -type: keyword - Kubernetes pod name +type: keyword + -- *`kubernetes.pod.uid`*:: + -- -type: keyword - Kubernetes Pod UID +type: keyword + -- *`kubernetes.namespace`*:: + -- -type: keyword - Kubernetes namespace +type: keyword + -- *`kubernetes.node.name`*:: + -- -type: keyword - Kubernetes node name +type: keyword + -- *`kubernetes.labels`*:: + -- -type: object - Kubernetes labels map +type: object + -- *`kubernetes.annotations`*:: + -- -type: object - Kubernetes annotations map +type: object + -- *`kubernetes.replicaset.name`*:: + -- -type: keyword - Kubernetes replicaset name +type: keyword + -- *`kubernetes.deployment.name`*:: + -- -type: keyword - Kubernetes deployment name +type: keyword + -- *`kubernetes.statefulset.name`*:: + -- -type: keyword - Kubernetes statefulset name +type: keyword + -- *`kubernetes.container.name`*:: + -- -type: keyword - Kubernetes container name +type: keyword + -- *`kubernetes.container.image`*:: + -- -type: keyword - Kubernetes container image +type: keyword + -- [[exported-fields-kubernetes]] @@ -12734,14 +12734,14 @@ Kubernetes metrics [float] -== kubernetes fields +=== kubernetes Information and statistics of pods managed by kubernetes. [float] -== apiserver fields +=== apiserver Kubernetes API server metrics 
@@ -12750,95 +12750,95 @@ Kubernetes API server metrics *`kubernetes.apiserver.request.client`*:: + -- -type: keyword - Client doing the requests +type: keyword + -- *`kubernetes.apiserver.request.resource`*:: + -- -type: keyword - Requested resource +type: keyword + -- *`kubernetes.apiserver.request.subresource`*:: + -- -type: keyword - Requested subresource +type: keyword + -- *`kubernetes.apiserver.request.scope`*:: + -- -type: keyword - Request scope (cluster, namespace, resource) +type: keyword + -- *`kubernetes.apiserver.request.verb`*:: + -- -type: keyword - Request HTTP verb +type: keyword + -- *`kubernetes.apiserver.request.count`*:: + -- -type: long - Total number of requests +type: long + -- *`kubernetes.apiserver.request.latency.sum`*:: + -- -type: long - Requests latency, sum of latencies in microseconds +type: long + -- *`kubernetes.apiserver.request.latency.count`*:: + -- -type: long - Request latency, number of requests +type: long + -- *`kubernetes.apiserver.request.latency.bucket.*`*:: + -- -type: object - Request latency histogram buckets +type: object + -- [float] -== container fields +=== container kubernetes container metrics @@ -12847,15 +12847,15 @@ kubernetes container metrics *`kubernetes.container.start_time`*:: + -- -type: date - Start time +type: date + -- [float] -== cpu fields +=== cpu CPU usage metrics 
@@ -12866,49 +12866,49 @@ CPU usage metrics *`kubernetes.container.cpu.usage.core.ns`*:: + -- -type: long - Container CPU Core usage nanoseconds +type: long + -- *`kubernetes.container.cpu.usage.nanocores`*:: + -- -type: long - CPU used nanocores +type: long + -- *`kubernetes.container.cpu.usage.node.pct`*:: + -- -type: scaled_float +CPU usage as a percentage of the total node allocatable CPU -format: percentage -CPU usage as a percentage of the total node allocatable CPU +type: scaled_float +format: percentage -- *`kubernetes.container.cpu.usage.limit.pct`*:: + -- -type: scaled_float +CPU usage as a percentage of the defined limit for the container (or total node allocatable CPU if unlimited) -format: percentage -CPU usage as a percentage of the defined limit for the container (or total node allocatable CPU if unlimited) +type: scaled_float +format: percentage -- [float] -== logs fields +=== logs Logs info @@ -12918,12 +12918,12 @@ Logs info *`kubernetes.container.logs.available.bytes`*:: + -- -type: long +Logs available capacity in bytes -format: bytes -Logs available capacity in bytes +type: long +format: bytes -- @@ -12931,12 +12931,12 @@ Logs available capacity in bytes *`kubernetes.container.logs.capacity.bytes`*:: + -- -type: long +Logs total capacity in bytes -format: bytes -Logs total capacity in bytes +type: long +format: bytes -- @@ -12944,12 +12944,12 @@ Logs total capacity in bytes *`kubernetes.container.logs.used.bytes`*:: + -- -type: long +Logs used capacity in bytes -format: bytes -Logs used capacity in bytes +type: long +format: bytes -- @@ -12957,31 +12957,31 @@ Logs used capacity in bytes *`kubernetes.container.logs.inodes.count`*:: + -- -type: long - Total available inodes +type: long + -- *`kubernetes.container.logs.inodes.free`*:: + -- -type: long - Total free inodes +type: long + -- *`kubernetes.container.logs.inodes.used`*:: + -- -type: long - Total used inodes +type: long + -- 
@@ -12989,12 +12989,12 @@ Total used inodes *`kubernetes.container.memory.available.bytes`*:: + -- -type: long +Total available memory -format: bytes -Total available memory +type: long +format: bytes -- @@ -13002,36 +13002,36 @@ Total available memory *`kubernetes.container.memory.usage.bytes`*:: + -- -type: long +Total memory usage -format: bytes -Total memory usage +type: long +format: bytes -- *`kubernetes.container.memory.usage.node.pct`*:: + -- -type: scaled_float +Memory usage as a percentage of the total node allocatable memory -format: percentage -Memory usage as a percentage of the total node allocatable memory +type: scaled_float +format: percentage -- *`kubernetes.container.memory.usage.limit.pct`*:: + -- -type: scaled_float +Memory usage as a percentage of the defined limit for the container (or total node allocatable memory if unlimited) -format: percentage -Memory usage as a percentage of the defined limit for the container (or total node allocatable memory if unlimited) +type: scaled_float +format: percentage -- @@ -13039,46 +13039,46 @@ Memory usage as a percentage of the defined limit for the container (or total no *`kubernetes.container.memory.rss.bytes`*:: + -- +RSS memory usage + + type: long format: bytes -RSS memory usage - - -- *`kubernetes.container.memory.workingset.bytes`*:: + -- -type: long +Working set memory usage -format: bytes -Working set memory usage +type: long +format: bytes -- *`kubernetes.container.memory.pagefaults`*:: + -- -type: long - Number of page faults +type: long + -- *`kubernetes.container.memory.majorpagefaults`*:: + -- -type: long - Number of major page faults +type: long + -- @@ -13086,12 +13086,12 @@ Number of major page faults *`kubernetes.container.rootfs.capacity.bytes`*:: + -- -type: long +Root filesystem total capacity in bytes -format: bytes -Root filesystem total capacity in bytes +type: long +format: bytes -- 
@@ -13099,12 +13099,12 @@ Root filesystem total capacity in bytes *`kubernetes.container.rootfs.available.bytes`*:: + -- -type: long +Root filesystem total available in bytes -format: bytes -Root filesystem total available in bytes +type: long +format: bytes -- @@ -13112,12 +13112,12 @@ Root filesystem total available in bytes *`kubernetes.container.rootfs.used.bytes`*:: + -- -type: long +Root filesystem total used in bytes -format: bytes -Root filesystem total used in bytes +type: long +format: bytes -- @@ -13125,15 +13125,15 @@ Root filesystem total used in bytes *`kubernetes.container.rootfs.inodes.used`*:: + -- -type: long - Used inodes +type: long + -- [float] -== event fields +=== event The Kubernetes events metricset collects events that are generated by objects running inside of Kubernetes @@ -13142,66 +13142,66 @@ The Kubernetes events metricset collects events that are generated by objects ru *`kubernetes.event.count`*:: + -- -type: long - Count field records the number of times the particular event has occurred +type: long + -- *`kubernetes.event.timestamp.first_occurrence`*:: + -- -type: date - Timestamp of first occurrence of event +type: date + -- *`kubernetes.event.timestamp.last_occurrence`*:: + -- -type: date - Timestamp of last occurrence of event +type: date + -- *`kubernetes.event.message`*:: + -- -type: keyword - Message recorded for the given event +type: keyword + -- *`kubernetes.event.reason`*:: + -- -type: keyword - Reason recorded for the given event +type: keyword + -- *`kubernetes.event.type`*:: + -- -type: keyword - Type of the given event +type: keyword + -- [float] -== metadata fields +=== metadata Metadata associated with the given event 
@@ -13211,65 +13211,65 @@ Metadata associated with the given event *`kubernetes.event.metadata.timestamp.created`*:: + -- -type: date - Timestamp of creation of the given event +type: date + -- *`kubernetes.event.metadata.name`*:: + -- -type: keyword - Name of the event +type: keyword + -- *`kubernetes.event.metadata.namespace`*:: + -- -type: keyword - Namespace in which event was generated +type: keyword + -- *`kubernetes.event.metadata.resource_version`*:: + -- -type: keyword - Version of the event resource +type: keyword + -- *`kubernetes.event.metadata.uid`*:: + -- -type: keyword - Unique identifier to the event object +type: keyword + -- *`kubernetes.event.metadata.self_link`*:: + -- -type: keyword - URL representing the event +type: keyword + -- [float] -== involved_object fields +=== involved_object Metadata associated with the given involved object @@ -13278,55 +13278,55 @@ Metadata associated with the given involved object *`kubernetes.event.involved_object.api_version`*:: + -- -type: keyword - API version of the object +type: keyword + -- *`kubernetes.event.involved_object.kind`*:: + -- -type: keyword - API kind of the object +type: keyword + -- *`kubernetes.event.involved_object.name`*:: + -- -type: keyword - name of the object +type: keyword + -- *`kubernetes.event.involved_object.resource_version`*:: + -- -type: keyword - resource version of the object +type: keyword + -- *`kubernetes.event.involved_object.uid`*:: + -- -type: keyword - UUID version of the object +type: keyword + -- [float] -== node fields +=== node kubernetes node metrics @@ -13335,15 +13335,15 @@ kubernetes node metrics *`kubernetes.node.start_time`*:: + -- -type: date - Start time +type: date + -- [float] -== cpu fields +=== cpu CPU usage metrics 
@@ -13354,21 +13354,21 @@ CPU usage metrics *`kubernetes.node.cpu.usage.core.ns`*:: + -- -type: long - Node CPU Core usage nanoseconds +type: long + -- *`kubernetes.node.cpu.usage.nanocores`*:: + -- -type: long - CPU used nanocores +type: long + -- @@ -13376,12 +13376,12 @@ CPU used nanocores *`kubernetes.node.memory.available.bytes`*:: + -- -type: long +Total available memory -format: bytes -Total available memory +type: long +format: bytes -- @@ -13389,12 +13389,12 @@ Total available memory *`kubernetes.node.memory.usage.bytes`*:: + -- -type: long +Total memory usage -format: bytes -Total memory usage +type: long +format: bytes -- @@ -13402,12 +13402,12 @@ Total memory usage *`kubernetes.node.memory.rss.bytes`*:: + -- -type: long +RSS memory usage -format: bytes -RSS memory usage +type: long +format: bytes -- @@ -13415,33 +13415,33 @@ RSS memory usage *`kubernetes.node.memory.workingset.bytes`*:: + -- -type: long +Working set memory usage -format: bytes -Working set memory usage +type: long +format: bytes -- *`kubernetes.node.memory.pagefaults`*:: + -- -type: long - Number of page faults +type: long + -- *`kubernetes.node.memory.majorpagefaults`*:: + -- -type: long - Number of major page faults +type: long + -- @@ -13449,46 +13449,46 @@ Number of major page faults *`kubernetes.node.network.rx.bytes`*:: + -- -type: long +Received bytes -format: bytes -Received bytes +type: long +format: bytes -- *`kubernetes.node.network.rx.errors`*:: + -- -type: long - Rx errors +type: long + -- *`kubernetes.node.network.tx.bytes`*:: + -- -type: long +Transmitted bytes -format: bytes -Transmitted bytes +type: long +format: bytes -- *`kubernetes.node.network.tx.errors`*:: + -- -type: long - Tx errors +type: long + -- @@ -13496,12 +13496,12 @@ Tx errors *`kubernetes.node.fs.capacity.bytes`*:: + -- -type: long +Filesystem total capacity in bytes -format: bytes -Filesystem total capacity in bytes +type: long +format: bytes -- 
@@ -13509,12 +13509,12 @@ Filesystem total capacity in bytes *`kubernetes.node.fs.available.bytes`*:: + -- -type: long +Filesystem total available in bytes -format: bytes -Filesystem total available in bytes +type: long +format: bytes -- @@ -13522,12 +13522,12 @@ Filesystem total available in bytes *`kubernetes.node.fs.used.bytes`*:: + -- -type: long +Filesystem total used in bytes -format: bytes -Filesystem total used in bytes +type: long +format: bytes -- @@ -13535,31 +13535,31 @@ Filesystem total used in bytes *`kubernetes.node.fs.inodes.used`*:: + -- -type: long - Number of used inodes +type: long + -- *`kubernetes.node.fs.inodes.count`*:: + -- -type: long - Number of inodes +type: long + -- *`kubernetes.node.fs.inodes.free`*:: + -- -type: long - Number of free inodes +type: long + -- @@ -13568,12 +13568,12 @@ Number of free inodes *`kubernetes.node.runtime.imagefs.capacity.bytes`*:: + -- -type: long +Image filesystem total capacity in bytes -format: bytes -Image filesystem total capacity in bytes +type: long +format: bytes -- @@ -13581,12 +13581,12 @@ Image filesystem total capacity in bytes *`kubernetes.node.runtime.imagefs.available.bytes`*:: + -- -type: long +Image filesystem total available in bytes -format: bytes -Image filesystem total available in bytes +type: long +format: bytes -- @@ -13594,17 +13594,17 @@ Image filesystem total available in bytes *`kubernetes.node.runtime.imagefs.used.bytes`*:: + -- -type: long +Image filesystem total used in bytes -format: bytes -Image filesystem total used in bytes +type: long +format: bytes -- [float] -== pod fields +=== pod kubernetes pod metrics @@ -13613,11 +13613,11 @@ kubernetes pod metrics *`kubernetes.pod.start_time`*:: + -- -type: date - Start time +type: date + -- 
@@ -13625,50 +13625,50 @@ Start time *`kubernetes.pod.network.rx.bytes`*:: + -- -type: long +Received bytes -format: bytes -Received bytes +type: long +format: bytes -- *`kubernetes.pod.network.rx.errors`*:: + -- -type: long - Rx errors +type: long + -- *`kubernetes.pod.network.tx.bytes`*:: + -- -type: long +Transmitted bytes -format: bytes -Transmitted bytes +type: long +format: bytes -- *`kubernetes.pod.network.tx.errors`*:: + -- -type: long - Tx errors +type: long + -- [float] -== cpu fields +=== cpu CPU usage metrics @@ -13678,35 +13678,35 @@ CPU usage metrics *`kubernetes.pod.cpu.usage.nanocores`*:: + -- -type: long - CPU used nanocores +type: long + -- *`kubernetes.pod.cpu.usage.node.pct`*:: + -- -type: scaled_float +CPU usage as a percentage of the total node CPU -format: percentage -CPU usage as a percentage of the total node CPU +type: scaled_float +format: percentage -- *`kubernetes.pod.cpu.usage.limit.pct`*:: + -- +CPU usage as a percentage of the defined limit for the pod containers (or total node CPU if unlimited) + + type: scaled_float format: percentage -CPU usage as a percentage of the defined limit for the pod containers (or total node CPU if unlimited) - - -- 
@@ -13714,36 +13714,36 @@ CPU usage as a percentage of the defined limit for the pod containers (or total *`kubernetes.pod.memory.usage.bytes`*:: + -- -type: long +Total memory usage -format: bytes -Total memory usage +type: long +format: bytes -- *`kubernetes.pod.memory.usage.node.pct`*:: + -- -type: scaled_float +Memory usage as a percentage of the total node allocatable memory -format: percentage -Memory usage as a percentage of the total node allocatable memory +type: scaled_float +format: percentage -- *`kubernetes.pod.memory.usage.limit.pct`*:: + -- -type: scaled_float +Memory usage as a percentage of the defined limit for the pod containers (or total node allocatable memory if unlimited) -format: percentage -Memory usage as a percentage of the defined limit for the pod containers (or total node allocatable memory if unlimited) +type: scaled_float +format: percentage -- @@ -13751,12 +13751,12 @@ Memory usage as a percentage of the defined limit for the pod containers (or tot *`kubernetes.pod.memory.available.bytes`*:: + -- -type: long +Total memory available -format: bytes -Total memory available +type: long +format: bytes -- @@ -13764,12 +13764,12 @@ Total memory available *`kubernetes.pod.memory.working_set.bytes`*:: + -- -type: long +Total working set memory -format: bytes -Total working set memory +type: long +format: bytes -- @@ -13777,37 +13777,37 @@ Total working set memory *`kubernetes.pod.memory.rss.bytes`*:: + -- -type: long +Total resident set size memory -format: bytes -Total resident set size memory +type: long +format: bytes -- *`kubernetes.pod.memory.page_faults`*:: + -- -type: long - Total page faults +type: long + -- *`kubernetes.pod.memory.major_page_faults`*:: + -- -type: long - Total major page faults +type: long + -- [float] -== container fields +=== container kubernetes container metrics 
@@ -13816,72 +13816,72 @@ kubernetes container metrics *`kubernetes.container.id`*:: + -- -type: keyword - Container id +type: keyword + -- *`kubernetes.container.status.phase`*:: + -- -type: keyword - Container phase (running, waiting, terminated) +type: keyword + -- *`kubernetes.container.status.ready`*:: + -- -type: boolean - Container ready status +type: boolean + -- *`kubernetes.container.status.restarts`*:: + -- -type: integer - Container restarts count +type: integer + -- *`kubernetes.container.status.reason`*:: + -- -type: keyword - Waiting (ContainerCreating, CrashLoopBackoff, ErrImagePull, ImagePullBackoff) or termination (Completed, ContainerCannotRun, Error, OOMKilled) reason. +type: keyword + -- *`kubernetes.container.cpu.limit.cores`*:: + -- -type: float - Container CPU cores limit +type: float + -- *`kubernetes.container.cpu.request.cores`*:: + -- -type: float - Container CPU requested cores +type: float + -- *`kubernetes.container.cpu.limit.nanocores`*:: @@ -13890,11 +13890,11 @@ Container CPU requested cores deprecated[6.4] -type: long - Container CPU nanocores limit +type: long + -- *`kubernetes.container.cpu.request.nanocores`*:: @@ -13903,40 +13903,40 @@ Container CPU nanocores limit deprecated[6.4] -type: long - Container CPU requested nanocores +type: long + -- *`kubernetes.container.memory.limit.bytes`*:: + -- -type: long +Container memory limit in bytes -format: bytes -Container memory limit in bytes +type: long +format: bytes -- *`kubernetes.container.memory.request.bytes`*:: + -- -type: long +Container requested memory in bytes -format: bytes -Container requested memory in bytes +type: long +format: bytes -- [float] -== deployment fields +=== deployment kubernetes deployment metrics @@ -13945,15 +13945,15 @@ kubernetes deployment metrics *`kubernetes.deployment.paused`*:: + -- -type: boolean - Kubernetes deployment paused status +type: boolean + -- [float] -== replicas fields +=== replicas Kubernetes deployment replicas info 
@@ -13962,45 +13962,45 @@ Kubernetes deployment replicas info *`kubernetes.deployment.replicas.desired`*:: + -- -type: integer - Deployment number of desired replicas (spec) +type: integer + -- *`kubernetes.deployment.replicas.available`*:: + -- -type: integer - Deployment available replicas +type: integer + -- *`kubernetes.deployment.replicas.unavailable`*:: + -- -type: integer - Deployment unavailable replicas +type: integer + -- *`kubernetes.deployment.replicas.updated`*:: + -- -type: integer - Deployment updated replicas +type: integer + -- [float] -== node fields +=== node kubernetes node metrics @@ -14010,66 +14010,66 @@ kubernetes node metrics *`kubernetes.node.status.ready`*:: + -- -type: keyword - Node ready status (true, false or unknown) +type: keyword + -- *`kubernetes.node.status.unschedulable`*:: + -- -type: boolean - Node unschedulable status +type: boolean + -- *`kubernetes.node.cpu.allocatable.cores`*:: + -- -type: float - Node CPU allocatable cores +type: float + -- *`kubernetes.node.cpu.capacity.cores`*:: + -- -type: long - Node CPU capacity cores +type: long + -- *`kubernetes.node.memory.allocatable.bytes`*:: + -- -type: long +Node allocatable memory in bytes -format: bytes -Node allocatable memory in bytes +type: long +format: bytes -- *`kubernetes.node.memory.capacity.bytes`*:: + -- -type: long +Node memory capacity in bytes -format: bytes -Node memory capacity in bytes +type: long +format: bytes -- @@ -14077,25 +14077,25 @@ Node memory capacity in bytes *`kubernetes.node.pod.allocatable.total`*:: + -- -type: long - Node allocatable pods +type: long + -- *`kubernetes.node.pod.capacity.total`*:: + -- -type: long - Node pod capacity +type: long + -- [float] -== pod fields +=== pod kubernetes pod metrics 
@@ -14104,25 +14104,25 @@ kubernetes pod metrics *`kubernetes.pod.ip`*:: + -- -type: ip - Kubernetes pod IP +type: ip + -- *`kubernetes.pod.host_ip`*:: + -- -type: ip - Kubernetes pod host IP +type: ip + -- [float] -== status fields +=== status Kubernetes pod status metrics @@ -14131,42 +14131,42 @@ Kubernetes pod status metrics *`kubernetes.pod.status.phase`*:: + -- -type: keyword - Kubernetes pod phase (Running, Pending...) +type: keyword + -- *`kubernetes.pod.status.ready`*:: + -- -type: keyword - Kubernetes pod ready status (true, false or unknown) +type: keyword + -- *`kubernetes.pod.status.scheduled`*:: + -- -type: keyword - Kubernetes pod scheduled status (true, false, unknown) +type: keyword + -- [float] -== replicaset fields +=== replicaset kubernetes replica set metrics [float] -== replicas fields +=== replicas Kubernetes replica set paused status @@ -14175,55 +14175,55 @@ Kubernetes replica set paused status *`kubernetes.replicaset.replicas.available`*:: + -- -type: long - The number of replicas per ReplicaSet +type: long + -- *`kubernetes.replicaset.replicas.desired`*:: + -- -type: long - The number of replicas per ReplicaSet +type: long + -- *`kubernetes.replicaset.replicas.ready`*:: + -- -type: long - The number of ready replicas per ReplicaSet +type: long + -- *`kubernetes.replicaset.replicas.observed`*:: + -- -type: long - The generation observed by the ReplicaSet controller +type: long + -- *`kubernetes.replicaset.replicas.labeled`*:: + -- -type: long - The number of fully labeled replicas per ReplicaSet +type: long + -- [float] -== statefulset fields +=== statefulset kubernetes stateful set metrics @@ -14232,15 +14232,15 @@ kubernetes stateful set metrics *`kubernetes.statefulset.created`*:: + -- -type: long - The creation timestamp (epoch) for StatefulSet +type: long + -- [float] -== replicas fields +=== replicas Kubernetes stateful set replicas status 
@@ -14249,25 +14249,25 @@ Kubernetes stateful set replicas status *`kubernetes.statefulset.replicas.observed`*:: + -- -type: long - The number of observed replicas per StatefulSet +type: long + -- *`kubernetes.statefulset.replicas.desired`*:: + -- -type: long - The number of desired replicas per StatefulSet +type: long + -- [float] -== generation fields +=== generation Kubernetes stateful set generation information @@ -14276,25 +14276,25 @@ Kubernetes stateful set generation information *`kubernetes.statefulset.generation.observed`*:: + -- -type: long - The observed generation per StatefulSet +type: long + -- *`kubernetes.statefulset.generation.desired`*:: + -- -type: long - The desired generation per StatefulSet +type: long + -- [float] -== system fields +=== system kubernetes system containers metrics @@ -14303,25 +14303,25 @@ kubernetes system containers metrics *`kubernetes.system.container`*:: + -- -type: keyword - Container name +type: keyword + -- *`kubernetes.system.start_time`*:: + -- -type: date - Start time +type: date + -- [float] -== cpu fields +=== cpu CPU usage metrics @@ -14332,21 +14332,21 @@ CPU usage metrics *`kubernetes.system.cpu.usage.core.ns`*:: + -- -type: long - CPU Core usage nanoseconds +type: long + -- *`kubernetes.system.cpu.usage.nanocores`*:: + -- -type: long - CPU used nanocores +type: long + -- @@ -14354,12 +14354,12 @@ CPU used nanocores *`kubernetes.system.memory.usage.bytes`*:: + -- -type: long +Total memory usage -format: bytes -Total memory usage +type: long +format: bytes -- @@ -14367,12 +14367,12 @@ Total memory usage *`kubernetes.system.memory.rss.bytes`*:: + -- -type: long +RSS memory usage -format: bytes -RSS memory usage +type: long +format: bytes -- 
@@ -14380,37 +14380,37 @@ RSS memory usage *`kubernetes.system.memory.workingset.bytes`*:: + -- -type: long +Working set memory usage -format: bytes -Working set memory usage +type: long +format: bytes -- *`kubernetes.system.memory.pagefaults`*:: + -- -type: long - Number of page faults +type: long + -- *`kubernetes.system.memory.majorpagefaults`*:: + -- -type: long - Number of major page faults +type: long + -- [float] -== volume fields +=== volume kubernetes volume metrics @@ -14419,24 +14419,24 @@ kubernetes volume metrics *`kubernetes.volume.name`*:: + -- -type: keyword - Volume name --- +type: keyword + +-- *`kubernetes.volume.fs.capacity.bytes`*:: + -- -type: long +Filesystem total capacity in bytes -format: bytes -Filesystem total capacity in bytes +type: long +format: bytes -- @@ -14444,12 +14444,12 @@ Filesystem total capacity in bytes *`kubernetes.volume.fs.available.bytes`*:: + -- -type: long +Filesystem total available in bytes -format: bytes -Filesystem total available in bytes +type: long +format: bytes -- @@ -14457,12 +14457,12 @@ Filesystem total available in bytes *`kubernetes.volume.fs.used.bytes`*:: + -- -type: long +Filesystem total used in bytes -format: bytes -Filesystem total used in bytes +type: long +format: bytes -- @@ -14470,31 +14470,31 @@ Filesystem total used in bytes *`kubernetes.volume.fs.inodes.used`*:: + -- -type: long - Used inodes +type: long + -- *`kubernetes.volume.fs.inodes.free`*:: + -- -type: long - Free inodes +type: long + -- *`kubernetes.volume.fs.inodes.count`*:: + -- -type: long - Total inodes +type: long + -- [[exported-fields-kvm]] @@ -14505,20 +14505,20 @@ kvm module [float] -== kvm fields +=== kvm [float] -== dommemstat fields +=== dommemstat dommemstat [float] -== stat fields +=== stat Memory stat 
@@ -14527,41 +14527,41 @@ Memory stat *`kvm.dommemstat.stat.name`*:: + -- -type: keyword - Memory stat name +type: keyword + -- *`kvm.dommemstat.stat.value`*:: + -- -type: long - Memory stat value +type: long + -- *`kvm.dommemstat.id`*:: + -- -type: long - Domain id +type: long + -- *`kvm.dommemstat.name`*:: + -- -type: keyword - Domain name +type: keyword + -- [[exported-fields-logstash]] @@ -14572,13 +14572,13 @@ Logstash module [float] -== logstash fields +=== logstash [float] -== node fields +=== node node @@ -14587,29 +14587,29 @@ node *`logstash.node.host`*:: + -- -type: alias +Host name -alias to: host.hostname -Host name +type: alias +alias to: host.hostname -- *`logstash.node.version`*:: + -- -type: alias +Logstash Version -alias to: service.version -Logstash Version +type: alias +alias to: service.version -- [float] -== jvm fields +=== jvm JVM Info @@ -14618,34 +14618,34 @@ JVM Info *`logstash.node.jvm.version`*:: + -- -type: keyword - Version +type: keyword + -- *`logstash.node.jvm.pid`*:: + -- -type: alias +Process ID -alias to: process.pid -Process ID +type: alias +alias to: process.pid -- [float] -== node.stats fields +=== node.stats node_stats metrics. [float] -== events fields +=== events Events stats @@ -14654,31 +14654,31 @@ Events stats *`logstash.node.stats.events.in`*:: + -- -type: long - Incoming events counter. +type: long + -- *`logstash.node.stats.events.out`*:: + -- -type: long - Outgoing events counter. +type: long + -- *`logstash.node.stats.events.filtered`*:: + -- -type: long - Filtered events counter. +type: long + -- [[exported-fields-memcached]] @@ -14689,13 +14689,13 @@ Memcached module [float] -== memcached fields +=== memcached [float] -== stats fields +=== stats stats 
@@ -14704,161 +14704,161 @@ stats *`memcached.stats.pid`*:: + -- -type: long - Current process ID of the Memcached task. +type: long + -- *`memcached.stats.uptime.sec`*:: + -- -type: long - Memcached server uptime. +type: long + -- *`memcached.stats.threads`*:: + -- -type: long - Number of threads used by the current Memcached server process. +type: long + -- *`memcached.stats.connections.current`*:: + -- -type: long - Number of open connections to this Memcached server, should be the same value on all servers during normal operation. +type: long + -- *`memcached.stats.connections.total`*:: + -- -type: long - Numer of successful connect attempts to this server since it has been started. +type: long + -- *`memcached.stats.get.hits`*:: + -- -type: long - Number of successful "get" commands (cache hits) since startup, divide them by the "cmd_get" value to get the cache hitrate. +type: long + -- *`memcached.stats.get.misses`*:: + -- -type: long - Number of failed "get" requests because nothing was cached for this key or the cached value was too old. +type: long + -- *`memcached.stats.cmd.get`*:: + -- -type: long - Number of "get" commands received since server startup not counting if they were successful or not. +type: long + -- *`memcached.stats.cmd.set`*:: + -- -type: long - Number of "set" commands serviced since startup. +type: long + -- *`memcached.stats.read.bytes`*:: + -- -type: long - Total number of bytes received from the network by this server. +type: long + -- *`memcached.stats.written.bytes`*:: + -- -type: long - Total number of bytes send to the network by this server. +type: long + -- *`memcached.stats.items.current`*:: + -- -type: long - Number of items currently in this server's cache. +type: long + -- *`memcached.stats.items.total`*:: + -- -type: long - Number of items stored ever stored on this server. This is no "maximum item count" value but a counted increased by every new item stored in the cache. 
+type: long + -- *`memcached.stats.evictions`*:: + -- -type: long - Number of objects removed from the cache to free up memory for new items because Memcached reached it's maximum memory setting (limit_maxbytes). +type: long + -- *`memcached.stats.bytes.current`*:: + -- -type: long - Number of bytes currently used for caching items. +type: long + -- *`memcached.stats.bytes.limit`*:: + -- -type: long - Number of bytes this server is allowed to use for storage. +type: long + -- [[exported-fields-mongodb]] @@ -14869,14 +14869,14 @@ Metrics collected from MongoDB servers. [float] -== mongodb fields +=== mongodb MongoDB metrics. [float] -== collstats fields +=== collstats MongoDB collection statistics metrics. 
@@ -14885,216 +14885,216 @@ MongoDB collection statistics metrics. *`mongodb.collstats.db`*:: + -- -type: keyword - Database name. +type: keyword + -- *`mongodb.collstats.collection`*:: + -- -type: keyword - Collection name. +type: keyword + -- *`mongodb.collstats.name`*:: + -- -type: keyword - Combination of database and collection name. +type: keyword + -- *`mongodb.collstats.total.time.us`*:: + -- -type: long - Total waiting time for locks in microseconds. +type: long + -- *`mongodb.collstats.total.count`*:: + -- -type: long - Total number of lock wait events. +type: long + -- *`mongodb.collstats.lock.read.time.us`*:: + -- -type: long - Time waiting for read locks in microseconds. +type: long + -- *`mongodb.collstats.lock.read.count`*:: + -- -type: long - Number of read lock wait events. +type: long + -- *`mongodb.collstats.lock.write.time.us`*:: + -- -type: long - Time waiting for write locks in microseconds. +type: long + -- *`mongodb.collstats.lock.write.count`*:: + -- -type: long - Number of write lock wait events. +type: long + -- *`mongodb.collstats.queries.time.us`*:: + -- -type: long - Time running queries in microseconds. +type: long + -- *`mongodb.collstats.queries.count`*:: + -- -type: long - Number of queries executed. +type: long + -- *`mongodb.collstats.getmore.time.us`*:: + -- -type: long - Time asking for more cursor rows in microseconds. +type: long + -- *`mongodb.collstats.getmore.count`*:: + -- -type: long - Number of times a cursor asked for more data. +type: long + -- *`mongodb.collstats.insert.time.us`*:: + -- -type: long - Time inserting new documents in microseconds. +type: long + -- *`mongodb.collstats.insert.count`*:: + -- -type: long - Number of document insert events. +type: long + -- *`mongodb.collstats.update.time.us`*:: + -- -type: long - Time updating documents in microseconds. +type: long + -- *`mongodb.collstats.update.count`*:: + -- -type: long - Number of document update events. 
+type: long + -- *`mongodb.collstats.remove.time.us`*:: + -- -type: long - Time deleting documents in microseconds. +type: long + -- *`mongodb.collstats.remove.count`*:: + -- -type: long - Number of document delete events. +type: long + -- *`mongodb.collstats.commands.time.us`*:: + -- -type: long - Time executing database commands in microseconds. +type: long + -- *`mongodb.collstats.commands.count`*:: + -- -type: long - Number of database commands executed. +type: long + -- [float] -== dbstats fields +=== dbstats dbstats provides an overview of a particular mongo database. This document is most concerned with data volumes of a database. @@ -15220,14 +15220,14 @@ format: bytes -- [float] -== metrics fields +=== metrics Statistics that reflect the current use and state of a running `mongod` instance for more information, take a look at https://docs.mongodb.com/manual/reference/command/serverStatus/#serverstatus.metrics [float] -== commands fields +=== commands Reports on the use of database commands. The fields in metrics.commands are the names of database commands and each value is a document that reports the total number of commands executed as well as the number of failed executions. metrics.commands..failed shows the number of times failed on this mongod. metrics.commands..total shows the number of times executed on this mongod. @@ -15685,7 +15685,7 @@ type: long -- [float] -== cursor fields +=== cursor Contains data regarding cursor state and use. @@ -15694,15 +15694,15 @@ Contains data regarding cursor state and use. *`mongodb.metrics.cursor.timed_out`*:: + -- -type: long - The total number of cursors that have timed out since the server process started. +type: long + -- [float] -== open fields +=== open Contains data regarding open cursors. 
@@ -15711,35 +15711,35 @@ Contains data regarding open cursors. *`mongodb.metrics.cursor.open.no_timeout`*:: + -- -type: long - The number of open cursors with the option DBQuery.Option.noTimeout set to prevent timeout. +type: long + -- *`mongodb.metrics.cursor.open.pinned`*:: + -- -type: long - The number of `pinned` open cursors. +type: long + -- *`mongodb.metrics.cursor.open.total`*:: + -- -type: long - The number of cursors that MongoDB is maintaining for clients. +type: long + -- [float] -== document fields +=== document Reflects document access and modification patterns. @@ -15748,45 +15748,45 @@ Reflects document access and modification patterns. *`mongodb.metrics.document.deleted`*:: + -- -type: long - The total number of documents deleted. +type: long + -- *`mongodb.metrics.document.inserted`*:: + -- -type: long - The total number of documents inserted. +type: long + -- *`mongodb.metrics.document.returned`*:: + -- -type: long - The total number of documents returned by queries. +type: long + -- *`mongodb.metrics.document.updated`*:: + -- -type: long - The total number of documents updated. +type: long + -- [float] -== get_last_error fields +=== get_last_error Returns the error status of the preceding write operation on the current connection. 
@@ -15795,35 +15795,35 @@ Returns the error status of the preceding write operation on the current connect *`mongodb.metrics.get_last_error.write_wait.ms`*:: + -- -type: long - The total amount of time in milliseconds that the mongod has spent performing getLastError operations with write concern (i.e. w) greater than 1. +type: long + -- *`mongodb.metrics.get_last_error.write_wait.count`*:: + -- -type: long - The total number of getLastError operations with a specified write concern (i.e. w) greater than 1. +type: long + -- *`mongodb.metrics.get_last_error.write_timeouts`*:: + -- -type: long - The number of times that write concern operations have timed out as a result of the wtimeout threshold to getLastError. +type: long + -- [float] -== operation fields +=== operation Holds counters for several types of update and query operations that MongoDB handles using special operation types. @@ -15832,25 +15832,25 @@ Holds counters for several types of update and query operations that MongoDB han *`mongodb.metrics.operation.scan_and_order`*:: + -- -type: long - The total number of queries that return sorted numbers that cannot perform the sort operation using an index. +type: long + -- *`mongodb.metrics.operation.write_conflicts`*:: + -- -type: long - The total number of queries that encountered write conflicts. +type: long + -- [float] -== query_executor fields +=== query_executor Reports data from the query execution system. 
@@ -15859,32 +15859,32 @@ Reports data from the query execution system. *`mongodb.metrics.query_executor.scanned_indexes`*:: + -- -type: long - The total number of index items scanned during queries and query-plan evaluation. +type: long + -- *`mongodb.metrics.query_executor.scanned_documents`*:: + -- -type: long - The total number of documents scanned during queries and query-plan evaluation. +type: long + -- [float] -== replication fields +=== replication Reports metrics related to the replication process. metrics.replication appears on all mongod instances, even those that aren't members of replica sets. [float] -== executor fields +=== executor Reports on various statistics for the replication executor. @@ -16035,7 +16035,7 @@ type: keyword -- [float] -== apply fields +=== apply Reports on the application of operations from the replication oplog. @@ -16049,7 +16049,7 @@ type: long -- [float] -== batches fields +=== batches Reports on the oplog application process on secondaries members of replica sets. @@ -16058,35 +16058,35 @@ Reports on the oplog application process on secondaries members of replica sets. *`mongodb.metrics.replication.apply.batches.count`*:: + -- -type: long - The total number of batches applied across all databases. +type: long + -- *`mongodb.metrics.replication.apply.batches.time.ms`*:: + -- -type: long - The total amount of time in milliseconds the mongod has spent applying operations from the oplog. +type: long + -- *`mongodb.metrics.replication.apply.ops`*:: + -- -type: long - The total number of oplog operations applied. +type: long + -- [float] -== buffer fields +=== buffer MongoDB buffers oplog operations from the replication sync source buffer before applying oplog entries in a batch. metrics.replication.buffer provides a way to track the oplog buffer. 
@@ -16095,35 +16095,35 @@ MongoDB buffers oplog operations from the replication sync source buffer before *`mongodb.metrics.replication.buffer.count`*:: + -- -type: long - The current number of operations in the oplog buffer. +type: long + -- *`mongodb.metrics.replication.buffer.max_size.bytes`*:: + -- -type: long - The maximum size of the buffer. This value is a constant setting in the mongod, and is not configurable. +type: long + -- *`mongodb.metrics.replication.buffer.size.bytes`*:: + -- -type: long - The current size of the contents of the oplog buffer. +type: long + -- [float] -== initial_sync fields +=== initial_sync Report initial sync status @@ -16151,7 +16151,7 @@ type: long -- [float] -== network fields +=== network Reports network use by the replication process. @@ -16160,15 +16160,15 @@ Reports network use by the replication process. *`mongodb.metrics.replication.network.bytes`*:: + -- -type: long - The total amount of data read from the replication sync source. +type: long + -- [float] -== getmores fields +=== getmores Reports on the getmore operations, which are requests for additional results from the oplog cursor as part of the oplog replication process. 
@@ -16177,52 +16177,52 @@ Reports on the getmore operations, which are requests for additional results fro *`mongodb.metrics.replication.network.getmores.count`*:: + -- -type: long - The total number of getmore operations +type: long + -- *`mongodb.metrics.replication.network.getmores.time.ms`*:: + -- -type: long - The total amount of time required to collect data from getmore operations. +type: long + -- *`mongodb.metrics.replication.network.ops`*:: + -- -type: long - The total number of operations read from the replication source. +type: long + -- *`mongodb.metrics.replication.network.reders_created`*:: + -- -type: long - The total number of oplog query processes created. +type: long + -- [float] -== preload fields +=== preload Reports on the `pre-fetch` stage, where MongoDB loads documents and indexes into RAM to improve replication throughput. [float] -== docs fields +=== docs Reports on the documents loaded into memory during the pre-fetch stage. @@ -16231,11 +16231,11 @@ Reports on the documents loaded into memory during the pre-fetch stage. *`mongodb.metrics.replication.preload.docs.count`*:: + -- -type: long - The total number of documents loaded during the pre-fetch stage of replication. +type: long + -- *`mongodb.metrics.replication.preload.docs.time.ms`*:: @@ -16246,7 +16246,7 @@ type: long -- [float] -== indexes fields +=== indexes Reports on the index items loaded into memory during the pre-fetch stage of replication. 
@@ -16255,56 +16255,56 @@ Reports on the index items loaded into memory during the pre-fetch stage of repl *`mongodb.metrics.replication.preload.indexes.count`*:: + -- -type: long - The total number of index entries loaded by members before updating documents as part of the pre-fetch stage of replication. +type: long + -- *`mongodb.metrics.replication.preload.indexes.time.ms`*:: + -- -type: long - The total amount of time, in milliseconds, spent loading index entries as part of the pre-fetch stage of replication. +type: long + -- *`mongodb.metrics.storage.free_list.search.bucket_exhausted`*:: + -- -type: long - The number of times that mongod has checked the free list without finding a suitably large record allocation. +type: long + -- *`mongodb.metrics.storage.free_list.search.requests`*:: + -- -type: long - The number of times mongod has searched for available record allocations. +type: long + -- *`mongodb.metrics.storage.free_list.search.scanned`*:: + -- -type: long - The number of available record allocations mongod has searched. +type: long + -- [float] -== ttl fields +=== ttl Reports on the operation of the resource use of the ttl index process. @@ -16313,32 +16313,32 @@ Reports on the operation of the resource use of the ttl index process. *`mongodb.metrics.ttl.deleted_documents`*:: + -- -type: long - The total number of documents deleted from collections with a ttl index. +type: long + -- *`mongodb.metrics.ttl.passes`*:: + -- -type: long - The number of times the background process removes documents from collections with a ttl index. +type: long + -- [float] -== replstatus fields +=== replstatus replstatus provides an overview of replica set status. [float] -== oplog fields +=== oplog oplog provides an overview of replication oplog status, which is retrieved from db.getReplicationInfo(). 
@@ -16347,110 +16347,110 @@ oplog provides an overview of replication oplog status, which is retrieved from *`mongodb.replstatus.oplog.size.allocated`*:: + -- -type: long +The total amount of space used by the replstatus in bytes. -format: bytes -The total amount of space used by the replstatus in bytes. +type: long +format: bytes -- *`mongodb.replstatus.oplog.size.used`*:: + -- -type: long +total amount of space allocated to the replstatus in bytes. -format: bytes -total amount of space allocated to the replstatus in bytes. +type: long +format: bytes -- *`mongodb.replstatus.oplog.first.timestamp`*:: + -- -type: long - Timestamp of the first (i.e. earliest) operation in the replstatus +type: long + -- *`mongodb.replstatus.oplog.last.timestamp`*:: + -- -type: long - Timestamp of the last (i.e. latest) operation in the replstatus +type: long + -- *`mongodb.replstatus.oplog.window`*:: + -- -type: long - The difference between the first and last operation in the replstatus. +type: long + -- *`mongodb.replstatus.set_name`*:: + -- -type: keyword - The name of the replica set. +type: keyword + -- *`mongodb.replstatus.server_date`*:: + -- -type: date - Reflects the current time according to the server that processed the replSetGetStatus command. +type: date + -- *`mongodb.replstatus.optimes.last_committed`*:: + -- -type: long - Information, from the viewpoint of this member, regarding the most recent operation that has been written to a majority of replica set members. +type: long + -- *`mongodb.replstatus.optimes.applied`*:: + -- -type: long - Information, from the viewpoint of this member, regarding the most recent operation that has been applied to this member of the replica set. +type: long + -- *`mongodb.replstatus.optimes.durable`*:: + -- -type: long - Information, from the viewpoint of this member, regarding the most recent operation that has been written to the journal of this member of the replica set. 
+type: long + -- [float] -== lag fields +=== lag Delay between a write operation on the primary and its copy to a secondary @@ -16459,29 +16459,29 @@ Delay between a write operation on the primary and its copy to a secondary *`mongodb.replstatus.lag.max`*:: + -- -type: long +Difference between optime of primary and slowest secondary -format: duration -Difference between optime of primary and slowest secondary +type: long +format: duration -- *`mongodb.replstatus.lag.min`*:: + -- -type: long +Difference between optime of primary and fastest secondary -format: duration -Difference between optime of primary and fastest secondary +type: long +format: duration -- [float] -== headroom fields +=== headroom Difference between the primary's oplog window and the replication lag of the secondary @@ -16490,29 +16490,29 @@ Difference between the primary's oplog window and the replication lag of the sec *`mongodb.replstatus.headroom.max`*:: + -- -type: long +Difference between primary's oplog window and the replication lag of the fastest secondary -format: duration -Difference between primary's oplog window and the replication lag of the fastest secondary +type: long +format: duration -- *`mongodb.replstatus.headroom.min`*:: + -- -type: long +Difference between primary's oplog window and the replication lag of the slowest secondary -format: duration -Difference between primary's oplog window and the replication lag of the slowest secondary +type: long +format: duration -- [float] -== members fields +=== members Provides information about members of replica set grouped by their state 
@@ -16521,41 +16521,41 @@ Provides information about members of replica set grouped by their state *`mongodb.replstatus.members.primary.host`*:: + -- -type: keyword - Host address of the primary +type: keyword + -- *`mongodb.replstatus.members.primary.optime`*:: + -- -type: keyword - Optime of primary +type: keyword + -- *`mongodb.replstatus.members.secondary.hosts`*:: + -- -type: keyword - List of secondary hosts +type: keyword + -- *`mongodb.replstatus.members.secondary.optimes`*:: + -- -type: keyword - Optimes of secondaries +type: keyword + -- *`mongodb.replstatus.members.secondary.count`*:: 
@@ -16568,145 +16568,145 @@ type: long *`mongodb.replstatus.members.recovering.hosts`*:: + -- -type: keyword - List of recovering members hosts +type: keyword + -- *`mongodb.replstatus.members.recovering.count`*:: + -- -type: long - Count of members in the `recovering` state +type: long + -- *`mongodb.replstatus.members.unknown.hosts`*:: + -- -type: keyword - List of members' hosts in the `unknown` state +type: keyword + -- *`mongodb.replstatus.members.unknown.count`*:: + -- -type: long - Count of members with `unknown` state +type: long + -- *`mongodb.replstatus.members.startup2.hosts`*:: + -- -type: keyword - List of initializing members hosts +type: keyword + -- *`mongodb.replstatus.members.startup2.count`*:: + -- -type: long - Count of members in the `startup2` state +type: long + -- *`mongodb.replstatus.members.arbiter.hosts`*:: + -- -type: keyword - List of arbiters hosts +type: keyword + -- *`mongodb.replstatus.members.arbiter.count`*:: + -- -type: long - Count of arbiters +type: long + -- *`mongodb.replstatus.members.down.hosts`*:: + -- -type: keyword - List of `down` members hosts +type: keyword + -- *`mongodb.replstatus.members.down.count`*:: + -- -type: long - Count of `down` members +type: long + -- *`mongodb.replstatus.members.rollback.hosts`*:: + -- -type: keyword - List of members in the `rollback` state +type: keyword + -- *`mongodb.replstatus.members.rollback.count`*:: + -- -type: long - Count of members in the `rollback` state +type: long + -- *`mongodb.replstatus.members.unhealthy.hosts`*:: + -- -type: keyword - List of members' hosts with healthy = false +type: keyword + -- *`mongodb.replstatus.members.unhealthy.count`*:: + -- -type: long - Count of unhealthy members +type: long + -- [float] -== status fields +=== status MongoDB server status metrics. 
@@ -16715,99 +16715,99 @@ MongoDB server status metrics. *`mongodb.status.version`*:: + -- +Instance version. + + type: alias alias to: service.version -Instance version. - - -- *`mongodb.status.process`*:: + -- -type: alias +The current MongoDB process. Possible values are mongos or mongod. -alias to: process.name -The current MongoDB process. Possible values are mongos or mongod. +type: alias +alias to: process.name -- *`mongodb.status.uptime.ms`*:: + -- -type: long - Instance uptime in milliseconds. +type: long + -- *`mongodb.status.local_time`*:: + -- -type: date - Local time as reported by the MongoDB instance. +type: date + -- *`mongodb.status.asserts.regular`*:: + -- -type: long - Number of regular assertions produced by the server. +type: long + -- *`mongodb.status.asserts.warning`*:: + -- -type: long - Number of warning assertions produced by the server. +type: long + -- *`mongodb.status.asserts.msg`*:: + -- -type: long - Number of msg assertions produced by the server. +type: long + -- *`mongodb.status.asserts.user`*:: + -- -type: long - Number of user assertions produced by the server. +type: long + -- *`mongodb.status.asserts.rollovers`*:: + -- -type: long - Number of rollovers assertions produced by the server. +type: long + -- [float] -== connections fields +=== connections Data regarding the current status of incoming connections and availability of the database server. 
@@ -16816,35 +16816,35 @@ Data regarding the current status of incoming connections and availability of th *`mongodb.status.connections.current`*:: + -- -type: long - The number of connections to the database server from clients. This number includes the current shell session. Consider the value of `available` to add more context to this datum. +type: long + -- *`mongodb.status.connections.available`*:: + -- -type: long - The number of unused available incoming connections the database can provide. +type: long + -- *`mongodb.status.connections.total_created`*:: + -- -type: long - A count of all incoming connections created to the server. This number includes connections that have since closed. +type: long + -- [float] -== extra_info fields +=== extra_info Platform specific data. @@ -16853,27 +16853,27 @@ Platform specific data. *`mongodb.status.extra_info.heap_usage.bytes`*:: + -- -type: long +The total size in bytes of heap space used by the database process. Only available on Unix/Linux. -format: bytes -The total size in bytes of heap space used by the database process. Only available on Unix/Linux. +type: long +format: bytes -- *`mongodb.status.extra_info.page_faults`*:: + -- -type: long - The total number of page faults that require disk operations. Page faults refer to operations that require the database server to access data that isn't available in active memory. +type: long + -- [float] -== global_lock fields +=== global_lock Reports on lock state of the database. @@ -16882,15 +16882,15 @@ Reports on lock state of the database. *`mongodb.status.global_lock.total_time.us`*:: + -- -type: long - The time, in microseconds, since the database last started and created the globalLock. This is roughly equivalent to total server uptime. +type: long + -- [float] -== current_queue fields +=== current_queue The number of operations queued because of a lock. 
@@ -16899,35 +16899,35 @@ The number of operations queued because of a lock. *`mongodb.status.global_lock.current_queue.total`*:: + -- -type: long - The total number of operations queued waiting for the lock (i.e., the sum of current_queue.readers and current_queue.writers). +type: long + -- *`mongodb.status.global_lock.current_queue.readers`*:: + -- -type: long - The number of operations that are currently queued and waiting for the read lock. +type: long + -- *`mongodb.status.global_lock.current_queue.writers`*:: + -- -type: long - The number of operations that are currently queued and waiting for the write lock. +type: long + -- [float] -== active_clients fields +=== active_clients The number of connected clients and the read and write operations performed by these clients. 
@@ -16936,35 +16936,35 @@ The number of connected clients and the read and write operations performed by t *`mongodb.status.global_lock.active_clients.total`*:: + -- -type: long - Total number of the active client connections performing read or write operations. +type: long + -- *`mongodb.status.global_lock.active_clients.readers`*:: + -- -type: long - The number of the active client connections performing read operations. +type: long + -- *`mongodb.status.global_lock.active_clients.writers`*:: + -- -type: long - The number of the active client connections performing write operations. +type: long + -- [float] -== locks fields +=== locks A document that reports for each lock , data on lock s. The possible lock s are global, database, collection, metadata and oplog. The possible s are r, w, R and W which respresent shared, exclusive, intent shared and intent exclusive. locks..acquire.count. shows the number of times the lock was acquired in the specified mode. locks..wait.count. shows the number of times the locks.acquireCount lock acquisitions encountered waits because the locks were held in a conflicting mode. locks..wait.us. shows the cumulative wait time in microseconds for the lock acquisitions. locks..deadlock.count. shows the number of times the lock acquisitions encountered deadlocks. @@ -17537,7 +17537,7 @@ type: long -- [float] -== network fields +=== network Platform specific data. 
@@ -17546,39 +17546,39 @@ Platform specific data. *`mongodb.status.network.in.bytes`*:: + -- -type: long +The amount of network traffic, in bytes, received by this database. -format: bytes -The amount of network traffic, in bytes, received by this database. +type: long +format: bytes -- *`mongodb.status.network.out.bytes`*:: + -- -type: long +The amount of network traffic, in bytes, sent from this database. -format: bytes -The amount of network traffic, in bytes, sent from this database. +type: long +format: bytes -- *`mongodb.status.network.requests`*:: + -- -type: long - The total number of requests received by the server. +type: long + -- [float] -== ops.latencies fields +=== ops.latencies Operation latencies for the database as a whole. Only mongod instances report this metric. @@ -17587,65 +17587,65 @@ Operation latencies for the database as a whole. Only mongod instances report th *`mongodb.status.ops.latencies.reads.latency`*:: + -- -type: long - Total combined latency in microseconds. +type: long + -- *`mongodb.status.ops.latencies.reads.count`*:: + -- -type: long - Total number of read operations performed on the collection since startup. +type: long + -- *`mongodb.status.ops.latencies.writes.latency`*:: + -- -type: long - Total combined latency in microseconds. +type: long + -- *`mongodb.status.ops.latencies.writes.count`*:: + -- -type: long - Total number of write operations performed on the collection since startup. +type: long + -- *`mongodb.status.ops.latencies.commands.latency`*:: + -- -type: long - Total combined latency in microseconds. +type: long + -- *`mongodb.status.ops.latencies.commands.count`*:: + -- -type: long - Total number of commands performed on the collection since startup. +type: long + -- [float] -== ops.counters fields +=== ops.counters An overview of database operations by type. 
@@ -17654,65 +17654,65 @@ An overview of database operations by type. *`mongodb.status.ops.counters.insert`*:: + -- -type: long - The total number of insert operations received since the mongod instance last started. +type: long + -- *`mongodb.status.ops.counters.query`*:: + -- -type: long - The total number of queries received since the mongod instance last started. +type: long + -- *`mongodb.status.ops.counters.update`*:: + -- -type: long - The total number of update operations received since the mongod instance last started. +type: long + -- *`mongodb.status.ops.counters.delete`*:: + -- -type: long - The total number of delete operations received since the mongod instance last started. +type: long + -- *`mongodb.status.ops.counters.getmore`*:: + -- -type: long - The total number of getmore operations received since the mongod instance last started. +type: long + -- *`mongodb.status.ops.counters.command`*:: + -- -type: long - The total number of commands issued to the database since the mongod instance last started. +type: long + -- [float] -== ops.replicated fields +=== ops.replicated An overview of database replication operations by type. 
@@ -17721,65 +17721,65 @@ An overview of database replication operations by type. *`mongodb.status.ops.replicated.insert`*:: + -- -type: long - The total number of replicated insert operations received since the mongod instance last started. +type: long + -- *`mongodb.status.ops.replicated.query`*:: + -- -type: long - The total number of replicated queries received since the mongod instance last started. +type: long + -- *`mongodb.status.ops.replicated.update`*:: + -- -type: long - The total number of replicated update operations received since the mongod instance last started. +type: long + -- *`mongodb.status.ops.replicated.delete`*:: + -- -type: long - The total number of replicated delete operations received since the mongod instance last started. +type: long + -- *`mongodb.status.ops.replicated.getmore`*:: + -- -type: long - The total number of replicated getmore operations received since the mongod instance last started. +type: long + -- *`mongodb.status.ops.replicated.command`*:: + -- -type: long - The total number of replicated commands issued to the database since the mongod instance last started. +type: long + -- [float] -== memory fields +=== memory Data about the current memory usage of the mongod server. 
@@ -17788,82 +17788,82 @@ Data about the current memory usage of the mongod server. *`mongodb.status.memory.bits`*:: + -- -type: long - Either 64 or 32, depending on which target architecture was specified during the mongod compilation process. +type: long + -- *`mongodb.status.memory.resident.mb`*:: + -- -type: long - The amount of RAM, in megabytes (MB), currently used by the database process. +type: long + -- *`mongodb.status.memory.virtual.mb`*:: + -- -type: long - The amount, in megabytes (MB), of virtual memory used by the mongod process. +type: long + -- *`mongodb.status.memory.mapped.mb`*:: + -- -type: long - The amount of mapped memory, in megabytes (MB), used by the database. Because MongoDB uses memory-mapped files, this value is likely to be to be roughly equivalent to the total size of your database or databases. +type: long + -- *`mongodb.status.memory.mapped_with_journal.mb`*:: + -- -type: long - The amount of mapped memory, in megabytes (MB), including the memory used for journaling. +type: long + -- *`mongodb.status.write_backs_queued`*:: + -- -type: boolean - True when there are operations from a mongos instance queued for retrying. +type: boolean + -- *`mongodb.status.storage_engine.name`*:: + -- -type: keyword - A string that represents the name of the current storage engine. +type: keyword + -- [float] -== wired_tiger fields +=== wired_tiger Statistics about the WiredTiger storage engine. [float] -== concurrent_transactions fields +=== concurrent_transactions Statistics about the transactions currently in progress. 
@@ -17872,65 +17872,65 @@ Statistics about the transactions currently in progress. *`mongodb.status.wired_tiger.concurrent_transactions.write.out`*:: + -- -type: long - Number of concurrent write transaction in progress. +type: long + -- *`mongodb.status.wired_tiger.concurrent_transactions.write.available`*:: + -- -type: long - Number of concurrent write tickets available. +type: long + -- *`mongodb.status.wired_tiger.concurrent_transactions.write.total_tickets`*:: + -- -type: long - Number of total write tickets. +type: long + -- *`mongodb.status.wired_tiger.concurrent_transactions.read.out`*:: + -- -type: long - Number of concurrent read transaction in progress. +type: long + -- *`mongodb.status.wired_tiger.concurrent_transactions.read.available`*:: + -- -type: long - Number of concurrent read tickets available. +type: long + -- *`mongodb.status.wired_tiger.concurrent_transactions.read.total_tickets`*:: + -- -type: long - Number of total read tickets. +type: long + -- [float] -== cache fields +=== cache Statistics about the cache and page evictions from the cache. 
@@ -17939,71 +17939,71 @@ Statistics about the cache and page evictions from the cache. *`mongodb.status.wired_tiger.cache.maximum.bytes`*:: + -- -type: long +Maximum cache size. -format: bytes -Maximum cache size. +type: long +format: bytes -- *`mongodb.status.wired_tiger.cache.used.bytes`*:: + -- -type: long +Size in byte of the data currently in cache. -format: bytes -Size in byte of the data currently in cache. +type: long +format: bytes -- *`mongodb.status.wired_tiger.cache.dirty.bytes`*:: + -- -type: long +Size in bytes of the dirty data in the cache. -format: bytes -Size in bytes of the dirty data in the cache. +type: long +format: bytes -- *`mongodb.status.wired_tiger.cache.pages.read`*:: + -- -type: long - Number of pages read into the cache. +type: long + -- *`mongodb.status.wired_tiger.cache.pages.write`*:: + -- -type: long - Number of pages written from the cache. +type: long + -- *`mongodb.status.wired_tiger.cache.pages.evicted`*:: + -- -type: long - Number of pages evicted from the cache. +type: long + -- [float] -== log fields +=== log Statistics about the write ahead log used by WiredTiger. 
@@ -18012,81 +18012,81 @@ Statistics about the write ahead log used by WiredTiger. *`mongodb.status.wired_tiger.log.size.bytes`*:: + -- -type: long +Total log size in bytes. -format: bytes -Total log size in bytes. +type: long +format: bytes -- *`mongodb.status.wired_tiger.log.write.bytes`*:: + -- -type: long +Number of bytes written into the log. -format: bytes -Number of bytes written into the log. +type: long +format: bytes -- *`mongodb.status.wired_tiger.log.max_file_size.bytes`*:: + -- -type: long +Maximum file size. -format: bytes -Maximum file size. +type: long +format: bytes -- *`mongodb.status.wired_tiger.log.flushes`*:: + -- -type: long - Number of flush operations. +type: long + -- *`mongodb.status.wired_tiger.log.writes`*:: + -- -type: long - Number of write operations. +type: long + -- *`mongodb.status.wired_tiger.log.scans`*:: + -- -type: long - Number of scan operations. +type: long + -- *`mongodb.status.wired_tiger.log.syncs`*:: + -- -type: long - Number of sync operations. +type: long + -- [float] -== background_flushing fields +=== background_flushing Data about the process MongoDB uses to write data to disk. This data is only available for instances that use the MMAPv1 storage engine. 
@@ -18095,55 +18095,55 @@ Data about the process MongoDB uses to write data to disk. This data is only ava *`mongodb.status.background_flushing.flushes`*:: + -- -type: long - A counter that collects the number of times the database has flushed all writes to disk. +type: long + -- *`mongodb.status.background_flushing.total.ms`*:: + -- -type: long - The total number of milliseconds (ms) that the mongod processes have spent writing (i.e. flushing) data to disk. Because this is an absolute value, consider the value of `flushes` and `average_ms` to provide better context for this datum. +type: long + -- *`mongodb.status.background_flushing.average.ms`*:: + -- -type: long - The average time spent flushing to disk per flush event. +type: long + -- *`mongodb.status.background_flushing.last.ms`*:: + -- -type: long - The amount of time, in milliseconds, that the last flush operation took to complete. +type: long + -- *`mongodb.status.background_flushing.last_finished`*:: + -- -type: date - A timestamp of the last completed flush operation. +type: date + -- [float] -== journaling fields +=== journaling Data about the journaling-related operations and performance. Journaling information only appears for mongod instances that use the MMAPv1 storage engine and have journaling enabled. 
@@ -18152,65 +18152,65 @@ Data about the journaling-related operations and performance. Journaling informa *`mongodb.status.journaling.commits`*:: + -- -type: long - The number of transactions written to the journal during the last journal group commit interval. +type: long + -- *`mongodb.status.journaling.journaled.mb`*:: + -- -type: long - The amount of data in megabytes (MB) written to journal during the last journal group commit interval. +type: long + -- *`mongodb.status.journaling.write_to_data_files.mb`*:: + -- -type: long - The amount of data in megabytes (MB) written from journal to the data files during the last journal group commit interval. +type: long + -- *`mongodb.status.journaling.compression`*:: + -- -type: long - The compression ratio of the data written to the journal. +type: long + -- *`mongodb.status.journaling.commits_in_write_lock`*:: + -- -type: long - Count of the commits that occurred while a write lock was held. Commits in a write lock indicate a MongoDB node under a heavy write load and call for further diagnosis. +type: long + -- *`mongodb.status.journaling.early_commits`*:: + -- -type: long - The number of times MongoDB requested a commit before the scheduled journal group commit interval. +type: long + -- [float] -== times fields +=== times Information about the performance of the mongod instance during the various phases of journaling in the last journal group commit interval. 
@@ -18219,71 +18219,71 @@ Information about the performance of the mongod instance during the various phas *`mongodb.status.journaling.times.dt.ms`*:: + -- -type: long - The amount of time over which MongoDB collected the times data. Use this field to provide context to the other times field values. +type: long + -- *`mongodb.status.journaling.times.prep_log_buffer.ms`*:: + -- -type: long - The amount of time spent preparing to write to the journal. Smaller values indicate better journal performance. +type: long + -- *`mongodb.status.journaling.times.write_to_journal.ms`*:: + -- -type: long - The amount of time spent actually writing to the journal. File system speeds and device interfaces can affect performance. +type: long + -- *`mongodb.status.journaling.times.write_to_data_files.ms`*:: + -- -type: long - The amount of time spent writing to data files after journaling. File system speeds and device interfaces can affect performance. +type: long + -- *`mongodb.status.journaling.times.remap_private_view.ms`*:: + -- -type: long - The amount of time spent remapping copy-on-write memory mapped views. Smaller values indicate better journal performance. +type: long + -- *`mongodb.status.journaling.times.commits.ms`*:: + -- -type: long - The amount of time spent for commits. +type: long + -- *`mongodb.status.journaling.times.commits_in_write_lock.ms`*:: + -- -type: long - The amount of time spent for commits that occurred while a write lock was held. +type: long + -- [[exported-fields-mssql]] @@ -18293,13 +18293,13 @@ MS SQL module [float] -== mssql fields +=== mssql The root field containing all MSSQL fields [float] -== database fields +=== database The database that the metrics is being referred to 
@@ -18307,23 +18307,23 @@ The database that the metrics is being referred to *`mssql.database.id`*:: + -- -type: long - Unique ID of the database inside MSSQL +type: long + -- *`mssql.database.name`*:: + -- -type: keyword - Name of the database +type: keyword + -- [float] -== performance fields +=== performance performance metricset fetches information about the Performance Counters 
@@ -18331,105 +18331,105 @@ performance metricset fetches information about the Performance Counters *`mssql.performance.page_splits_per_sec`*:: + -- -type: long - Number of page splits per second that occur as the result of overflowing index pages. +type: long + -- *`mssql.performance.lock_waits_per_sec`*:: + -- -type: long - Number of lock requests per second that required the caller to wait. +type: long + -- *`mssql.performance.user_connections`*:: + -- -type: long - Total number of user connections +type: long + -- *`mssql.performance.transactions`*:: + -- -type: long - Total number of transactions +type: long + -- *`mssql.performance.active_temp_tables`*:: + -- -type: long - Number of temporary tables/table variables in use. +type: long + -- *`mssql.performance.connections_reset_per_sec`*:: + -- -type: long - Total number of logins started from the connection pool. +type: long + -- *`mssql.performance.logins_per_sec`*:: + -- -type: long - Total number of logins started per second. This does not include pooled connections. +type: long + -- *`mssql.performance.logouts_per_sec`*:: + -- -type: long - Total number of logout operations started per second. +type: long + -- *`mssql.performance.recompilations_per_sec`*:: + -- -type: long - Number of statement recompiles per second. Counts the number of times statement recompiles are triggered. Generally, you want the recompiles to be low. +type: long + -- *`mssql.performance.compilations_per_sec`*:: + -- -type: long - Number of SQL compilations per second. Indicates the number of times the compile code path is entered. Includes compiles caused by statement-level recompilations in SQL Server. After SQL Server user activity is stable, this value reaches a steady state. +type: long + -- *`mssql.performance.batch_requests_per_sec`*:: + -- -type: long - Number of Transact-SQL command batches received per second. 
This statistic is affected by all constraints (such as I/O, number of users, cache size, complexity of requests, and so on). High batch requests mean good throughput. +type: long + -- [float] -== cache_hit fields +=== cache_hit Indicates the percentage of pages found in the buffer cache without having to read from disk. @@ -18437,14 +18437,14 @@ Indicates the percentage of pages found in the buffer cache without having to re *`mssql.performance.buffer.cache_hit.pct`*:: + -- -type: double - The ratio is the total number of cache hits divided by the total number of cache lookups over the last few thousand page accesses. After a long period of time, the ratio moves very little. Because reading from the cache is much less expensive than reading from disk, you want this ratio to be high +type: double + -- [float] -== page_life_expectancy fields +=== page_life_expectancy Indicates the number of seconds a page will stay in the buffer pool without references. 
@@ -18452,53 +18452,53 @@ Indicates the number of seconds a page will stay in the buffer pool without refe *`mssql.performance.buffer.page_life_expectancy.sec`*:: + -- -type: long - Indicates the number of seconds a page will stay in the buffer pool without references (in seconds). +type: long + -- *`mssql.performance.buffer.checkpoint_pages_per_sec`*:: + -- -type: long - Indicates the number of pages flushed to disk per second by a checkpoint or other operation that require all dirty pages to be flushed. +type: long + -- *`mssql.performance.buffer.database_pages`*:: + -- -type: long - Indicates the number of pages in the buffer pool with database content. +type: long + -- *`mssql.performance.buffer.target_pages`*:: + -- -type: long - Ideal number of pages in the buffer pool. +type: long + -- [float] -== transaction_log fields +=== transaction_log transaction_log metricset will fetch information about the operation and transaction log of each database from a MSSQL instance [float] -== space_usage fields +=== space_usage Space usage information for the transaction log [float] -== since_last_backup fields +=== since_last_backup The amount of space used since the last log backup @@ -18506,14 +18506,14 @@ The amount of space used since the last log backup *`mssql.transaction_log.space_usage.since_last_backup.bytes`*:: + -- -type: long - The amount of space used since the last log backup in bytes +type: long + -- [float] -== total fields +=== total The size of the log @@ -18521,14 +18521,14 @@ The size of the log *`mssql.transaction_log.space_usage.total.bytes`*:: + -- -type: long - The size of the log in bytes +type: long + -- [float] -== used fields +=== used The occupied size of the log 
@@ -18536,29 +18536,29 @@ The occupied size of the log *`mssql.transaction_log.space_usage.used.bytes`*:: + -- -type: long - The occupied size of the log in bytes +type: long + -- *`mssql.transaction_log.space_usage.used.pct`*:: + -- -type: float - A percentage of the occupied size of the log as a percent of the total log size +type: float + -- [float] -== stats fields +=== stats Returns summary level attributes and information on transaction log files of databases. Use this information for monitoring and diagnostics of transaction log health. [float] -== active_size fields +=== active_size Total active transaction log size. @@ -18566,23 +18566,23 @@ Total active transaction log size. *`mssql.transaction_log.stats.active_size.bytes`*:: + -- -type: long - Total active transaction log size in bytes +type: long + -- *`mssql.transaction_log.stats.backup_time`*:: + -- -type: date - Last transaction log backup time. +type: date + -- [float] -== recovery_size fields +=== recovery_size Log size since log recovery log sequence number (LSN). @@ -18590,14 +18590,14 @@ Log size since log recovery log sequence number (LSN). *`mssql.transaction_log.stats.recovery_size.bytes`*:: + -- -type: long - Log size in bytes since log recovery log sequence number (LSN). +type: long + -- [float] -== since_last_checkpoint fields +=== since_last_checkpoint Log size since last checkpoint log sequence number (LSN). @@ -18605,14 +18605,14 @@ Log size since last checkpoint log sequence number (LSN). *`mssql.transaction_log.stats.since_last_checkpoint.bytes`*:: + -- -type: long - Log size in bytes since last checkpoint log sequence number (LSN). +type: long + -- [float] -== total_size fields +=== total_size Total transaction log size. @@ -18620,10 +18620,10 @@ Total transaction log size. *`mssql.transaction_log.stats.total_size.bytes`*:: + -- -type: long - Total transaction log size in bytes. +type: long + -- [[exported-fields-munin]] 
@@ -18636,21 +18636,21 @@ Munin node metrics exporter *`munin.metrics.*`*:: + -- -type: object - Metrics exposed by a plugin of a munin node agent. +type: object + -- *`munin.plugin.name`*:: + -- -type: keyword - Name of the plugin collecting these metrics. +type: keyword + -- @@ -18662,21 +18662,21 @@ MySQL server status metrics collected from MySQL. [float] -== mysql fields +=== mysql `mysql` contains the metrics that were obtained from MySQL query. [float] -== galera_status fields +=== galera_status `galera_status` contains the metrics that were obtained by the status SQL query on Galera. [float] -== apply fields +=== apply Apply status fields. @@ -18685,35 +18685,35 @@ Apply status fields. *`mysql.galera_status.apply.oooe`*:: + -- -type: double - How often applier started write-set applying out-of-order (parallelization efficiency). +type: double + -- *`mysql.galera_status.apply.oool`*:: + -- -type: double - How often write-set was so slow to apply that write-set with higher seqno's were applied earlier. Values closer to 0 refer to a greater gap between slow and fast write-sets. +type: double + -- *`mysql.galera_status.apply.window`*:: + -- -type: double - Average distance between highest and lowest concurrently applied seqno. +type: double + -- [float] -== cert fields +=== cert Certification status fields. @@ -18722,35 +18722,35 @@ Certification status fields. *`mysql.galera_status.cert.deps_distance`*:: + -- -type: double - Average distance between highest and lowest seqno value that can be possibly applied in parallel (potential degree of parallelization). +type: double + -- *`mysql.galera_status.cert.index_size`*:: + -- -type: long - The number of entries in the certification index. +type: long + -- *`mysql.galera_status.cert.interval`*:: + -- -type: double - Average number of transactions received while a transaction replicates. +type: double + -- [float] -== cluster fields +=== cluster Cluster status fields. 
@@ -18759,35 +18759,35 @@ Cluster status fields. *`mysql.galera_status.cluster.conf_id`*:: + -- -type: long - Total number of cluster membership changes happened. +type: long + -- *`mysql.galera_status.cluster.size`*:: + -- -type: long - Current number of members in the cluster. +type: long + -- *`mysql.galera_status.cluster.status`*:: + -- -type: keyword - Status of this cluster component. That is, whether the node is part of a PRIMARY or NON_PRIMARY component. +type: keyword + -- [float] -== commit fields +=== commit Commit status fields. @@ -18796,35 +18796,35 @@ Commit status fields. *`mysql.galera_status.commit.oooe`*:: + -- -type: double - How often a transaction was committed out of order. +type: double + -- *`mysql.galera_status.commit.window`*:: + -- -type: long - Average distance between highest and lowest concurrently committed seqno. +type: long + -- *`mysql.galera_status.connected`*:: + -- -type: keyword - If the value is OFF, the node has not yet connected to any of the cluster components. This may be due to misconfiguration. Check the error log for proper diagnostics. +type: keyword + -- [float] -== evs fields +=== evs Evs Fields. @@ -18833,25 +18833,25 @@ Evs Fields. *`mysql.galera_status.evs.evict`*:: + -- -type: keyword - Lists the UUID's of all nodes evicted from the cluster. Evicted nodes cannot rejoin the cluster until you restart their mysqld processes. +type: keyword + -- *`mysql.galera_status.evs.state`*:: + -- -type: keyword - Shows the internal state of the EVS Protocol. +type: keyword + -- [float] -== flow_ctl fields +=== flow_ctl Flow Control fields. 
@@ -18860,55 +18860,55 @@ Flow Control fields. *`mysql.galera_status.flow_ctl.paused`*:: + -- -type: double - The fraction of time since the last FLUSH STATUS command that replication was paused due to flow control. In other words, how much the slave lag is slowing down the cluster. +type: double + -- *`mysql.galera_status.flow_ctl.paused_ns`*:: + -- -type: long - The total time spent in a paused state measured in nanoseconds. +type: long + -- *`mysql.galera_status.flow_ctl.recv`*:: + -- -type: long - Returns the number of FC_PAUSE events the node has received, including those the node has sent. Unlike most status variables, the counter for this one does not reset every time you run the query. +type: long + -- *`mysql.galera_status.flow_ctl.sent`*:: + -- -type: long - Returns the number of FC_PAUSE events the node has sent. Unlike most status variables, the counter for this one does not reset every time you run the query. +type: long + -- *`mysql.galera_status.last_committed`*:: + -- -type: long - The sequence number, or seqno, of the last committed transaction. +type: long + -- [float] -== local fields +=== local Node specific Cluster status fields. @@ -18917,35 +18917,35 @@ Node specific Cluster status fields. *`mysql.galera_status.local.bf_aborts`*:: + -- -type: long - Total number of local transactions that were aborted by slave transactions while in execution. +type: long + -- *`mysql.galera_status.local.cert_failures`*:: + -- -type: long - Total number of local transactions that failed certification test. +type: long + -- *`mysql.galera_status.local.commits`*:: + -- -type: long - Total number of local transactions committed. +type: long + -- [float] -== recv fields +=== recv Node specific recv fields. 
@@ -18954,55 +18954,55 @@ Node specific recv fields. *`mysql.galera_status.local.recv.queue`*:: + -- -type: long - Current (instantaneous) length of the recv queue. +type: long + -- *`mysql.galera_status.local.recv.queue_avg`*:: + -- -type: double - Recv queue length averaged over interval since the last FLUSH STATUS command. Values considerably larger than 0.0 mean that the node cannot apply write-sets as fast as they are received and will generate a lot of replication throttling. +type: double + -- *`mysql.galera_status.local.recv.queue_max`*:: + -- -type: long - The maximum length of the recv queue since the last FLUSH STATUS command. +type: long + -- *`mysql.galera_status.local.recv.queue_min`*:: + -- -type: long - The minimum length of the recv queue since the last FLUSH STATUS command. +type: long + -- *`mysql.galera_status.local.replays`*:: + -- -type: long - Total number of transaction replays due to asymmetric lock granularity. +type: long + -- [float] -== send fields +=== send Node specific sent fields. 
@@ -19011,65 +19011,65 @@ Node specific sent fields. *`mysql.galera_status.local.send.queue`*:: + -- -type: long - Current (instantaneous) length of the send queue. +type: long + -- *`mysql.galera_status.local.send.queue_avg`*:: + -- -type: double - Send queue length averaged over time since the last FLUSH STATUS command. Values considerably larger than 0.0 indicate replication throttling or network throughput issue. +type: double + -- *`mysql.galera_status.local.send.queue_max`*:: + -- -type: long - The maximum length of the send queue since the last FLUSH STATUS command. +type: long + -- *`mysql.galera_status.local.send.queue_min`*:: + -- -type: long - The minimum length of the send queue since the last FLUSH STATUS command. +type: long + -- *`mysql.galera_status.local.state`*:: + -- -type: keyword - Internal Galera Cluster FSM state number. +type: keyword + -- *`mysql.galera_status.ready`*:: + -- -type: keyword - Whether the server is ready to accept queries. +type: keyword + -- [float] -== received fields +=== received Write-Set receive status fields. @@ -19078,25 +19078,25 @@ Write-Set receive status fields. *`mysql.galera_status.received.count`*:: + -- -type: long - Total number of write-sets received from other nodes. +type: long + -- *`mysql.galera_status.received.bytes`*:: + -- -type: long - Total size of write-sets received from other nodes. +type: long + -- [float] -== repl fields +=== repl Replication status fields. 
@@ -19105,72 +19105,72 @@ Replication status fields. *`mysql.galera_status.repl.data_bytes`*:: + -- -type: long - Total size of data replicated. +type: long + -- *`mysql.galera_status.repl.keys`*:: + -- -type: long - Total number of keys replicated. +type: long + -- *`mysql.galera_status.repl.keys_bytes`*:: + -- -type: long - Total size of keys replicated. +type: long + -- *`mysql.galera_status.repl.other_bytes`*:: + -- -type: long - Total size of other bits replicated. +type: long + -- *`mysql.galera_status.repl.count`*:: + -- -type: long - Total number of write-sets replicated (sent to other nodes). +type: long + -- *`mysql.galera_status.repl.bytes`*:: + -- -type: long - Total size of write-sets replicated. +type: long + -- [float] -== status fields +=== status `status` contains the metrics that were obtained by the status SQL query. [float] -== aborted fields +=== aborted Aborted status fields. @@ -19179,25 +19179,25 @@ Aborted status fields. *`mysql.status.aborted.clients`*:: + -- -type: long - The number of connections that were aborted because the client died without closing the connection properly. +type: long + -- *`mysql.status.aborted.connects`*:: + -- -type: long - The number of failed attempts to connect to the MySQL server. +type: long + -- [float] -== binlog fields +=== binlog @@ -19205,23 +19205,23 @@ The number of failed attempts to connect to the MySQL server. *`mysql.status.binlog.cache.disk_use`*:: + -- -type: long +type: long -- *`mysql.status.binlog.cache.use`*:: + -- -type: long +type: long -- [float] -== bytes fields +=== bytes Bytes stats. 
@@ -19230,29 +19230,29 @@ Bytes stats. *`mysql.status.bytes.received`*:: + -- -type: long +The number of bytes received from all clients. -format: bytes -The number of bytes received from all clients. +type: long +format: bytes -- *`mysql.status.bytes.sent`*:: + -- -type: long +The number of bytes sent to all clients. -format: bytes -The number of bytes sent to all clients. +type: long +format: bytes -- [float] -== threads fields +=== threads Threads stats. @@ -19261,54 +19261,54 @@ Threads stats. *`mysql.status.threads.cached`*:: + -- -type: long - The number of cached threads. +type: long + -- *`mysql.status.threads.created`*:: + -- -type: long - The number of created threads. +type: long + -- *`mysql.status.threads.connected`*:: + -- -type: long - The number of connected threads. +type: long + -- *`mysql.status.threads.running`*:: + -- -type: long - The number of running threads. +type: long + -- *`mysql.status.connections`*:: + -- -type: long +type: long -- [float] -== created fields +=== created @@ -19316,32 +19316,32 @@ type: long *`mysql.status.created.tmp.disk_tables`*:: + -- -type: long +type: long -- *`mysql.status.created.tmp.files`*:: + -- -type: long +type: long -- *`mysql.status.created.tmp.tables`*:: + -- -type: long +type: long -- [float] -== delayed fields +=== delayed @@ -19349,50 +19349,50 @@ type: long *`mysql.status.delayed.errors`*:: + -- -type: long +type: long -- *`mysql.status.delayed.insert_threads`*:: + -- -type: long +type: long -- *`mysql.status.delayed.writes`*:: + -- -type: long +type: long -- *`mysql.status.flush_commands`*:: + -- -type: long +type: long -- *`mysql.status.max_used_connections`*:: + -- -type: long +type: long -- [float] -== open fields +=== open 
@@ -19400,41 +19400,41 @@ type: long *`mysql.status.open.files`*:: + -- -type: long +type: long -- *`mysql.status.open.streams`*:: + -- -type: long +type: long -- *`mysql.status.open.tables`*:: + -- -type: long +type: long -- *`mysql.status.opened_tables`*:: + -- -type: long +type: long -- [float] -== command fields +=== command @@ -19442,41 +19442,41 @@ type: long *`mysql.status.command.delete`*:: + -- -type: long - The number of DELETE queries since startup. +type: long + -- *`mysql.status.command.insert`*:: + -- -type: long - The number of INSERT queries since startup. +type: long + -- *`mysql.status.command.select`*:: + -- -type: long - The number of SELECT queries since startup. +type: long + -- *`mysql.status.command.update`*:: + -- -type: long - The number of UPDATE queries since startup. +type: long + -- [[exported-fields-nats]] @@ -19487,7 +19487,7 @@ nats Module [float] -== nats fields +=== nats `nats` contains statistics that were read from Nats @@ -19496,25 +19496,25 @@ nats Module *`nats.server.id`*:: + -- -type: keyword - The server ID +type: keyword + -- *`nats.server.time`*:: + -- -type: date - Server time of metric creation +type: date + -- [float] -== connections fields +=== connections Contains nats connection related metrics @@ -19523,15 +19523,15 @@ Contains nats connection related metrics *`nats.connections.total`*:: + -- -type: integer - The number of currently active clients +type: integer + -- [float] -== routes fields +=== routes Contains nats route related metrics @@ -19540,15 +19540,15 @@ Contains nats route related metrics *`nats.routes.total`*:: + -- -type: integer - The number of registered routes +type: integer + -- [float] -== stats fields +=== stats Contains nats var related metrics 
@@ -19557,71 +19557,71 @@ Contains nats var related metrics *`nats.stats.uptime`*:: + -- -type: long +The period the server is up (sec) -format: duration -The period the server is up (sec) +type: long +format: duration -- *`nats.stats.mem.bytes`*:: + -- -type: long +The current memory usage of NATS process -format: bytes -The current memory usage of NATS process +type: long +format: bytes -- *`nats.stats.cores`*:: + -- -type: integer - The number of logical cores the NATS process runs on +type: integer + -- *`nats.stats.cpu`*:: + -- -type: scaled_float +The current cpu usage of NATs process -format: percent -The current cpu usage of NATs process +type: scaled_float +format: percent -- *`nats.stats.total_connections`*:: + -- -type: long - The number of totally created clients +type: long + -- *`nats.stats.remotes`*:: + -- -type: integer - The number of registered remotes +type: integer + -- [float] -== in fields +=== in The amount of incoming data @@ -19630,27 +19630,27 @@ The amount of incoming data *`nats.stats.in.messages`*:: + -- -type: long - The amount of incoming messages +type: long + -- *`nats.stats.in.bytes`*:: + -- -type: long +The amount of incoming bytes -format: bytes -The amount of incoming bytes +type: long +format: bytes -- [float] -== out fields +=== out The amount of outgoing data @@ -19659,51 +19659,51 @@ The amount of outgoing data *`nats.stats.out.messages`*:: + -- -type: long - The amount of outgoing messages +type: long + -- *`nats.stats.out.bytes`*:: + -- -type: long +The amount of outgoing bytes -format: bytes -The amount of outgoing bytes +type: long +format: bytes -- *`nats.stats.slow_consumers`*:: + -- -type: long - The number of slow consumers currently on NATS +type: long + -- [float] -== http fields +=== http The http metrics of NATS server [float] -== req_stats fields +=== req_stats The requests statistics [float] -== uri fields +=== uri The request distribution on monitoring URIS 
@@ -19712,55 +19712,55 @@ The request distribution on monitoring URIS *`nats.stats.http.req_stats.uri.routez`*:: + -- -type: long - The number of hits on routez monitoring uri +type: long + -- *`nats.stats.http.req_stats.uri.connz`*:: + -- -type: long - The number of hits on connz monitoring uri +type: long + -- *`nats.stats.http.req_stats.uri.varz`*:: + -- -type: long - The number of hits on varz monitoring uri +type: long + -- *`nats.stats.http.req_stats.uri.subsz`*:: + -- -type: long - The number of hits on subsz monitoring uri +type: long + -- *`nats.stats.http.req_stats.uri.root`*:: + -- -type: long - The number of hits on root monitoring uri +type: long + -- [float] -== subscriptions fields +=== subscriptions Contains nats subscriptions related metrics @@ -19769,83 +19769,83 @@ Contains nats subscriptions related metrics *`nats.subscriptions.total`*:: + -- -type: integer - The number of active subscriptions +type: integer + -- *`nats.subscriptions.inserts`*:: + -- -type: long - The number of insert operations in subscriptions list +type: long + -- *`nats.subscriptions.removes`*:: + -- -type: long - The number of remove operations in subscriptions list +type: long + -- *`nats.subscriptions.matches`*:: + -- -type: long - The number of times a match is found for a subscription +type: long + -- *`nats.subscriptions.cache.size`*:: + -- -type: integer - The number of result sets in the cache +type: integer + -- *`nats.subscriptions.cache.hit_rate`*:: + -- -type: scaled_float +The rate matches are being retrieved from cache -format: percent -The rate matches are being retrieved from cache +type: scaled_float +format: percent -- *`nats.subscriptions.cache.fanout.max`*:: + -- -type: integer - The maximum fanout served by cache +type: integer + -- *`nats.subscriptions.cache.fanout.avg`*:: + -- -type: double - The average fanout served by cache +type: double + -- [[exported-fields-nginx]] 
@@ -19856,14 +19856,14 @@ Nginx server status metrics collected from various modules. [float] -== nginx fields +=== nginx `nginx` contains the metrics that were scraped from nginx. [float] -== stubstatus fields +=== stubstatus `stubstatus` contains the metrics that were scraped from the ngx_http_stub_status_module status page. @@ -19872,101 +19872,101 @@ Nginx server status metrics collected from various modules. *`nginx.stubstatus.hostname`*:: + -- -type: keyword - Nginx hostname. +type: keyword + -- *`nginx.stubstatus.active`*:: + -- -type: long - The current number of active client connections including Waiting connections. +type: long + -- *`nginx.stubstatus.accepts`*:: + -- -type: long - The total number of accepted client connections. +type: long + -- *`nginx.stubstatus.handled`*:: + -- -type: long - The total number of handled client connections. +type: long + -- *`nginx.stubstatus.dropped`*:: + -- -type: long - The total number of dropped client connections. +type: long + -- *`nginx.stubstatus.requests`*:: + -- -type: long - The total number of client requests. +type: long + -- *`nginx.stubstatus.current`*:: + -- -type: long - The current number of client requests. +type: long + -- *`nginx.stubstatus.reading`*:: + -- -type: long - The current number of connections where Nginx is reading the request header. +type: long + -- *`nginx.stubstatus.writing`*:: + -- -type: long - The current number of connections where Nginx is writing the response back to the client. +type: long + -- *`nginx.stubstatus.waiting`*:: + -- -type: long - The current number of idle client connections waiting for a request. +type: long + -- [[exported-fields-php_fpm]] @@ -19977,14 +19977,14 @@ PHP-FPM server status metrics collected from PHP-FPM. [float] -== php_fpm fields +=== php_fpm `php_fpm` contains the metrics that were obtained from PHP-FPM status page call. [float] -== pool fields +=== pool `pool` contains the metrics that were obtained from the PHP-FPM process pool. 
@@ -19993,15 +19993,15 @@ PHP-FPM server status metrics collected from PHP-FPM. *`php_fpm.pool.name`*:: + -- -type: keyword - The name of the pool. +type: keyword + -- [float] -== pool fields +=== pool `pool` contains the metrics that were obtained from the PHP-FPM process pool. @@ -20010,15 +20010,15 @@ The name of the pool. *`php_fpm.pool.process_manager`*:: + -- -type: keyword - Static, dynamic or ondemand. +type: keyword + -- [float] -== connections fields +=== connections Connection state specific statistics. @@ -20027,45 +20027,45 @@ Connection state specific statistics. *`php_fpm.pool.connections.accepted`*:: + -- -type: long - The number of incoming requests that the PHP-FPM server has accepted; when a connection is accepted it is removed from the listen queue. +type: long + -- *`php_fpm.pool.connections.queued`*:: + -- -type: long - The current number of connections that have been initiated, but not yet accepted. If this value is non-zero it typically means that all the available server processes are currently busy, and there are no processes available to serve the next request. Raising `pm.max_children` (provided the server can handle it) should help keep this number low. This property follows from the fact that PHP-FPM listens via a socket (TCP or file based), and thus inherits some of the characteristics of sockets. +type: long + -- *`php_fpm.pool.connections.max_listen_queue`*:: + -- -type: long - The maximum number of requests in the queue of pending connections since FPM has started. +type: long + -- *`php_fpm.pool.connections.listen_queue_len`*:: + -- -type: long - The size of the socket queue of pending connections. +type: long + -- [float] -== processes fields +=== processes Process state specific statistics. 
@@ -20074,87 +20074,87 @@ Process state specific statistics. *`php_fpm.pool.processes.idle`*:: + -- -type: long - The number of servers in the `waiting to process` state (i.e. not currently serving a page). This value should fall between the `pm.min_spare_servers` and `pm.max_spare_servers` values when the process manager is `dynamic`. +type: long + -- *`php_fpm.pool.processes.active`*:: + -- -type: long - The number of servers current processing a page - the minimum is `1` (so even on a fully idle server, the result will be not read `0`). +type: long + -- *`php_fpm.pool.processes.total`*:: + -- -type: long - The number of idle + active processes. +type: long + -- *`php_fpm.pool.processes.max_active`*:: + -- -type: long - The maximum number of active processes since FPM has started. +type: long + -- *`php_fpm.pool.processes.max_children_reached`*:: + -- -type: long - Number of times, the process limit has been reached, when pm tries to start more children (works only for pm 'dynamic' and 'ondemand'). +type: long + -- *`php_fpm.pool.slow_requests`*:: + -- -type: long - The number of times a request execution time has exceeded `request_slowlog_timeout`. +type: long + -- *`php_fpm.pool.start_since`*:: + -- -type: long - Number of seconds since FPM has started. +type: long + -- *`php_fpm.pool.start_time`*:: + -- -type: date +The date and time FPM has started. -format: epoch_second -The date and time FPM has started. +type: date +format: epoch_second -- [float] -== process fields +=== process process contains the metrics that were obtained from the PHP-FPM process. 
@@ -20163,143 +20163,143 @@ process contains the metrics that were obtained from the PHP-FPM process. *`php_fpm.process.pid`*:: + -- -type: alias +The PID of the process -alias to: process.pid -The PID of the process +type: alias +alias to: process.pid -- *`php_fpm.process.state`*:: + -- -type: keyword - The state of the process (Idle, Running, etc) +type: keyword + -- *`php_fpm.process.start_time`*:: + -- -type: date +The date and time the process has started -format: epoch_second -The date and time the process has started +type: date +format: epoch_second -- *`php_fpm.process.start_since`*:: + -- -type: integer - The number of seconds since the process has started +type: integer + -- *`php_fpm.process.requests`*:: + -- -type: integer - The number of requests the process has served +type: integer + -- *`php_fpm.process.request_duration`*:: + -- -type: integer - The duration in microseconds (1 million in a second) of the current request (my own definition) +type: integer + -- *`php_fpm.process.request_method`*:: + -- -type: alias +The request method (GET, POST, etc) (of the current request) -alias to: http.request.method -The request method (GET, POST, etc) (of the current request) +type: alias +alias to: http.request.method -- *`php_fpm.process.request_uri`*:: + -- -type: alias +The request URI with the query string (of the current request) -alias to: url.original -The request URI with the query string (of the current request) +type: alias +alias to: url.original -- *`php_fpm.process.content_length`*:: + -- -type: alias +The content length of the request (only with POST) (of the current request) -alias to: http.response.body.bytes -The content length of the request (only with POST) (of the current request) +type: alias +alias to: http.response.body.bytes -- *`php_fpm.process.user`*:: + -- -type: alias +The user (PHP_AUTH_USER) (or - if not set) (for the current request) -alias to: user.name -The user (PHP_AUTH_USER) (or - if not set) (for the current request) 
+type: alias +alias to: user.name -- *`php_fpm.process.script`*:: + -- -type: keyword - The main script called (or - if not set) (for the current request) +type: keyword + -- *`php_fpm.process.last_request_cpu`*:: + -- -type: long - The max amount of memory the last request consumed (it is always 0 if the process is not in Idle state because memory calculation is done when the request processing has terminated) +type: long + -- *`php_fpm.process.last_request_memory`*:: + -- -type: integer - The content length of the request (only with POST) (of the current request) +type: integer + -- [[exported-fields-postgresql]] @@ -20310,14 +20310,14 @@ Metrics collected from PostgreSQL servers. [float] -== postgresql fields +=== postgresql PostgreSQL metrics. [float] -== activity fields +=== activity One document per server process, showing information related to the current activity of that process, such as state and current query. Collected by querying pg_stat_activity. @@ -20326,41 +20326,41 @@ One document per server process, showing information related to the current acti *`postgresql.activity.database.oid`*:: + -- -type: long - OID of the database this backend is connected to. +type: long + -- *`postgresql.activity.database.name`*:: + -- -type: keyword - Name of the database this backend is connected to. +type: keyword + -- *`postgresql.activity.pid`*:: + -- -type: long - Process ID of this backend. +type: long + -- *`postgresql.activity.user.id`*:: + -- -type: long - OID of the user logged into this backend. +type: long + -- *`postgresql.activity.user.name`*:: 
@@ -20398,61 +20398,61 @@ Host name of the connected client, as reported by a reverse DNS lookup of client *`postgresql.activity.client.port`*:: + -- -type: long - TCP port number that the client is using for communication with this backend, or -1 if a Unix socket is used. +type: long + -- *`postgresql.activity.backend_start`*:: + -- -type: date - Time when this process was started, i.e., when the client connected to the server. +type: date + -- *`postgresql.activity.transaction_start`*:: + -- -type: date - Time when this process' current transaction was started. +type: date + -- *`postgresql.activity.query_start`*:: + -- -type: date - Time when the currently active query was started, or if state is not active, when the last query was started. +type: date + -- *`postgresql.activity.state_change`*:: + -- -type: date - Time when the state was last changed. +type: date + -- *`postgresql.activity.waiting`*:: + -- -type: boolean - True if this backend is currently waiting on a lock. +type: boolean + -- *`postgresql.activity.state`*:: @@ -20482,7 +20482,7 @@ Text of this backend's most recent query. If state is active this field shows th -- [float] -== bgwriter fields +=== bgwriter Statistics about the background writer process's activity. Collected using the pg_stat_bgwriter query. 
@@ -20491,115 +20491,115 @@ Statistics about the background writer process's activity. Collected using the p *`postgresql.bgwriter.checkpoints.scheduled`*:: + -- -type: long - Number of scheduled checkpoints that have been performed. +type: long + -- *`postgresql.bgwriter.checkpoints.requested`*:: + -- -type: long - Number of requested checkpoints that have been performed. +type: long + -- *`postgresql.bgwriter.checkpoints.times.write.ms`*:: + -- -type: float - Total amount of time that has been spent in the portion of checkpoint processing where files are written to disk, in milliseconds. +type: float + -- *`postgresql.bgwriter.checkpoints.times.sync.ms`*:: + -- -type: float - Total amount of time that has been spent in the portion of checkpoint processing where files are synchronized to disk, in milliseconds. +type: float + -- *`postgresql.bgwriter.buffers.checkpoints`*:: + -- -type: long - Number of buffers written during checkpoints. +type: long + -- *`postgresql.bgwriter.buffers.clean`*:: + -- -type: long - Number of buffers written by the background writer. +type: long + -- *`postgresql.bgwriter.buffers.clean_full`*:: + -- -type: long - Number of times the background writer stopped a cleaning scan because it had written too many buffers. +type: long + -- *`postgresql.bgwriter.buffers.backend`*:: + -- -type: long - Number of buffers written directly by a backend. +type: long + -- *`postgresql.bgwriter.buffers.backend_fsync`*:: + -- -type: long - Number of times a backend had to execute its own fsync call (normally the background writer handles those even when the backend does its own write) +type: long + -- *`postgresql.bgwriter.buffers.allocated`*:: + -- -type: long - Number of buffers allocated. +type: long + -- *`postgresql.bgwriter.stats_reset`*:: + -- -type: date - Time at which these statistics were last reset. +type: date + -- [float] -== database fields +=== database One row per database, showing database-wide statistics. 
Collected by querying pg_stat_database 
@@ -20608,195 +20608,195 @@ One row per database, showing database-wide statistics. Collected by querying pg *`postgresql.database.oid`*:: + -- -type: long - OID of the database this backend is connected to. +type: long + -- *`postgresql.database.name`*:: + -- -type: keyword - Name of the database this backend is connected to. +type: keyword + -- *`postgresql.database.number_of_backends`*:: + -- -type: long - Number of backends currently connected to this database. +type: long + -- *`postgresql.database.transactions.commit`*:: + -- -type: long - Number of transactions in this database that have been committed. +type: long + -- *`postgresql.database.transactions.rollback`*:: + -- -type: long - Number of transactions in this database that have been rolled back. +type: long + -- *`postgresql.database.blocks.read`*:: + -- -type: long - Number of disk blocks read in this database. +type: long + -- *`postgresql.database.blocks.hit`*:: + -- -type: long - Number of times disk blocks were found already in the buffer cache, so that a read was not necessary (this only includes hits in the PostgreSQL buffer cache, not the operating system's file system cache). +type: long + -- *`postgresql.database.blocks.time.read.ms`*:: + -- -type: long - Time spent reading data file blocks by backends in this database, in milliseconds. +type: long + -- *`postgresql.database.blocks.time.write.ms`*:: + -- -type: long - Time spent writing data file blocks by backends in this database, in milliseconds. +type: long + -- *`postgresql.database.rows.returned`*:: + -- -type: long - Number of rows returned by queries in this database. +type: long + -- *`postgresql.database.rows.fetched`*:: + -- -type: long - Number of rows fetched by queries in this database. +type: long + -- *`postgresql.database.rows.inserted`*:: + -- -type: long - Number of rows inserted by queries in this database. 
+type: long + -- *`postgresql.database.rows.updated`*:: + -- -type: long - Number of rows updated by queries in this database. +type: long + -- *`postgresql.database.rows.deleted`*:: + -- -type: long - Number of rows deleted by queries in this database. +type: long + -- *`postgresql.database.conflicts`*:: + -- -type: long - Number of queries canceled due to conflicts with recovery in this database. +type: long + -- *`postgresql.database.temporary.files`*:: + -- -type: long - Number of temporary files created by queries in this database. All temporary files are counted, regardless of why the temporary file was created (e.g., sorting or hashing), and regardless of the log_temp_files setting. +type: long + -- *`postgresql.database.temporary.bytes`*:: + -- -type: long - Total amount of data written to temporary files by queries in this database. All temporary files are counted, regardless of why the temporary file was created, and regardless of the log_temp_files setting. +type: long + -- *`postgresql.database.deadlocks`*:: + -- -type: long - Number of deadlocks detected in this database. +type: long + -- *`postgresql.database.stats_reset`*:: + -- -type: date - Time at which these statistics were last reset. +type: date + -- [float] -== statement fields +=== statement One document per query per user per database, showing information related invocation of that query, such as cpu usage and total time. Collected by querying pg_stat_statements. @@ -20805,31 +20805,31 @@ One document per query per user per database, showing information related invoca *`postgresql.statement.user.id`*:: + -- -type: long - OID of the user logged into the backend that ran the query. +type: long + -- *`postgresql.statement.database.oid`*:: + -- -type: long - OID of the database the query was run on. +type: long + -- *`postgresql.statement.query.id`*:: + -- -type: long - ID of the statement. +type: long + -- *`postgresql.statement.query.text`*:: 
@@ -20843,171 +20843,171 @@ Query text *`postgresql.statement.query.calls`*:: + -- -type: long - Number of times the query has been run. +type: long + -- *`postgresql.statement.query.rows`*:: + -- -type: long - Total number of rows returned by query. +type: long + -- *`postgresql.statement.query.time.total.ms`*:: + -- -type: float - Total number of milliseconds spent running query. +type: float + -- *`postgresql.statement.query.time.min.ms`*:: + -- -type: float - Minimum number of milliseconds spent running query. +type: float + -- *`postgresql.statement.query.time.max.ms`*:: + -- -type: float - Maximum number of milliseconds spent running query. +type: float + -- *`postgresql.statement.query.time.mean.ms`*:: + -- -type: long - Mean number of milliseconds spent running query. +type: long + -- *`postgresql.statement.query.time.stddev.ms`*:: + -- -type: long - Population standard deviation of time spent running query, in milliseconds. +type: long + -- *`postgresql.statement.query.memory.shared.hit`*:: + -- -type: long - Total number of shared block cache hits by the query. +type: long + -- *`postgresql.statement.query.memory.shared.read`*:: + -- -type: long - Total number of shared block cache read by the query. +type: long + -- *`postgresql.statement.query.memory.shared.dirtied`*:: + -- -type: long - Total number of shared block cache dirtied by the query. +type: long + -- *`postgresql.statement.query.memory.shared.written`*:: + -- -type: long - Total number of shared block cache written by the query. +type: long + -- *`postgresql.statement.query.memory.local.hit`*:: + -- -type: long - Total number of local block cache hits by the query. +type: long + -- *`postgresql.statement.query.memory.local.read`*:: + -- -type: long - Total number of local block cache read by the query. +type: long + -- *`postgresql.statement.query.memory.local.dirtied`*:: + -- -type: long - Total number of local block cache dirtied by the query. 
+type: long + -- *`postgresql.statement.query.memory.local.written`*:: + -- -type: long - Total number of local block cache written by the query. +type: long + -- *`postgresql.statement.query.memory.temp.read`*:: + -- -type: long - Total number of temp block cache read by the query. +type: long + -- *`postgresql.statement.query.memory.temp.written`*:: + -- -type: long - Total number of temp block cache written by the query. +type: long + -- [[exported-fields-process]] @@ -21037,21 +21037,21 @@ Stats scraped from a Prometheus endpoint. *`prometheus.labels.*`*:: + -- -type: object - Prometheus metric labels +type: object + -- *`prometheus.metrics.*`*:: + -- -type: object - Prometheus metric - release: ga +type: object + -- [[exported-fields-rabbitmq]] @@ -21062,7 +21062,7 @@ RabbitMQ module [float] -== rabbitmq fields +=== rabbitmq @@ -21070,15 +21070,15 @@ RabbitMQ module *`rabbitmq.vhost`*:: + -- -type: keyword - Virtual host name with non-ASCII characters escaped as in C. +type: keyword + -- [float] -== connection fields +=== connection connection 
@@ -21087,183 +21087,183 @@ connection *`rabbitmq.connection.name`*:: + -- -type: keyword - The name of the connection with non-ASCII characters escaped as in C. +type: keyword + -- *`rabbitmq.connection.vhost`*:: + -- -type: alias +Virtual host name with non-ASCII characters escaped as in C. -alias to: rabbitmq.vhost -Virtual host name with non-ASCII characters escaped as in C. +type: alias +alias to: rabbitmq.vhost -- *`rabbitmq.connection.user`*:: + -- -type: alias +User name. -alias to: user.name -User name. +type: alias +alias to: user.name -- *`rabbitmq.connection.node`*:: + -- -type: alias +Node name. -alias to: rabbitmq.node.name -Node name. +type: alias +alias to: rabbitmq.node.name -- *`rabbitmq.connection.channels`*:: + -- -type: long - The number of channels on the connection. +type: long + -- *`rabbitmq.connection.channel_max`*:: + -- -type: long - The maximum number of channels allowed on the connection. +type: long + -- *`rabbitmq.connection.frame_max`*:: + -- -type: long +Maximum permissible size of a frame (in bytes) to negotiate with clients. -format: bytes -Maximum permissible size of a frame (in bytes) to negotiate with clients. +type: long +format: bytes -- *`rabbitmq.connection.type`*:: + -- -type: keyword - Type of the connection. +type: keyword + -- *`rabbitmq.connection.host`*:: + -- -type: keyword - Server hostname obtained via reverse DNS, or its IP address if reverse DNS failed or was disabled. +type: keyword + -- *`rabbitmq.connection.peer.host`*:: + -- -type: keyword - Peer hostname obtained via reverse DNS, or its IP address if reverse DNS failed or was not enabled. +type: keyword + -- *`rabbitmq.connection.port`*:: + -- -type: long - Server port. +type: long + -- *`rabbitmq.connection.peer.port`*:: + -- -type: long - Peer port. +type: long + -- *`rabbitmq.connection.packet_count.sent`*:: + -- -type: long - Number of packets sent on the connection. 
+type: long + -- *`rabbitmq.connection.packet_count.received`*:: + -- -type: long - Number of packets received on the connection. +type: long + -- *`rabbitmq.connection.packet_count.pending`*:: + -- -type: long - Number of packets pending on the connection. +type: long + -- *`rabbitmq.connection.octet_count.sent`*:: + -- -type: long - Number of octets sent on the connection. +type: long + -- *`rabbitmq.connection.octet_count.received`*:: + -- -type: long - Number of octets received on the connection. +type: long + -- [float] -== exchange fields +=== exchange exchange 
@@ -21272,109 +21272,109 @@ exchange *`rabbitmq.exchange.name`*:: + -- -type: keyword - The name of the queue with non-ASCII characters escaped as in C. +type: keyword + -- *`rabbitmq.exchange.vhost`*:: + -- -type: alias +Virtual host name with non-ASCII characters escaped as in C. -alias to: rabbitmq.vhost -Virtual host name with non-ASCII characters escaped as in C. +type: alias +alias to: rabbitmq.vhost -- *`rabbitmq.exchange.durable`*:: + -- -type: boolean - Whether or not the queue survives server restarts. +type: boolean + -- *`rabbitmq.exchange.auto_delete`*:: + -- -type: boolean - Whether the queue will be deleted automatically when no longer used. +type: boolean + -- *`rabbitmq.exchange.internal`*:: + -- -type: boolean - Whether the exchange is internal, i.e. cannot be directly published to by a client. +type: boolean + -- *`rabbitmq.exchange.user`*:: + -- -type: alias +User who created the exchange. -alias to: user.name -User who created the exchange. +type: alias +alias to: user.name -- *`rabbitmq.exchange.messages.publish_in.count`*:: + -- -type: long - Count of messages published "in" to an exchange, i.e. not taking account of routing. +type: long + -- *`rabbitmq.exchange.messages.publish_in.details.rate`*:: + -- -type: float - How much the exchange publish-in count has changed per second in the most recent sampling interval. +type: float + -- *`rabbitmq.exchange.messages.publish_out.count`*:: + -- -type: long - Count of messages published "out" of an exchange, i.e. taking account of routing. +type: long + -- *`rabbitmq.exchange.messages.publish_out.details.rate`*:: + -- -type: float - How much the exchange publish-out count has changed per second in the most recent sampling interval. +type: float + -- [float] -== node fields +=== node node 
@@ -21383,386 +21383,386 @@ node *`rabbitmq.node.disk.free.bytes`*:: + -- -type: long +Disk free space in bytes. -format: bytes -Disk free space in bytes. +type: long +format: bytes -- *`rabbitmq.node.disk.free.limit.bytes`*:: + -- -type: long +Point at which the disk alarm will go off. -format: bytes -Point at which the disk alarm will go off. +type: long +format: bytes -- *`rabbitmq.node.fd.total`*:: + -- -type: long - File descriptors available. +type: long + -- *`rabbitmq.node.fd.used`*:: + -- -type: long - Used file descriptors. +type: long + -- *`rabbitmq.node.gc.num.count`*:: + -- -type: long - Number of GC operations. +type: long + -- *`rabbitmq.node.gc.reclaimed.bytes`*:: + -- -type: long +GC bytes reclaimed. -format: bytes -GC bytes reclaimed. +type: long +format: bytes -- *`rabbitmq.node.io.file_handle.open_attempt.avg.ms`*:: + -- -type: long - File handle open avg time +type: long + -- *`rabbitmq.node.io.file_handle.open_attempt.count`*:: + -- -type: long - File handle open attempts +type: long + -- *`rabbitmq.node.io.read.avg.ms`*:: + -- -type: long - File handle read avg time +type: long + -- *`rabbitmq.node.io.read.bytes`*:: + -- -type: long +Data read in bytes -format: bytes -Data read in bytes +type: long +format: bytes -- *`rabbitmq.node.io.read.count`*:: + -- -type: long - Data read operations +type: long + -- *`rabbitmq.node.io.reopen.count`*:: + -- -type: long - Data reopen operations +type: long + -- *`rabbitmq.node.io.seek.avg.ms`*:: + -- -type: long - Data seek avg time +type: long + -- *`rabbitmq.node.io.seek.count`*:: + -- -type: long - Data seek operations +type: long + -- *`rabbitmq.node.io.sync.avg.ms`*:: + -- -type: long - Data sync avg time +type: long + -- *`rabbitmq.node.io.sync.count`*:: + -- -type: long - Data sync operations +type: long + -- *`rabbitmq.node.io.write.avg.ms`*:: + -- -type: long - Data write avg time +type: long + -- *`rabbitmq.node.io.write.bytes`*:: + -- -type: long +Data write in bytes -format: bytes -Data write 
in bytes +type: long +format: bytes -- *`rabbitmq.node.io.write.count`*:: + -- -type: long - Data write operations +type: long + -- *`rabbitmq.node.mem.limit.bytes`*:: + -- -type: long +Point at which the memory alarm will go off. -format: bytes -Point at which the memory alarm will go off. +type: long +format: bytes -- *`rabbitmq.node.mem.used.bytes`*:: + -- -type: long - Memory used in bytes. +type: long + -- *`rabbitmq.node.mnesia.disk.tx.count`*:: + -- -type: long - Number of Mnesia transactions which have been performed that required writes to disk. +type: long + -- *`rabbitmq.node.mnesia.ram.tx.count`*:: + -- -type: long - Number of Mnesia transactions which have been performed that did not require writes to disk. +type: long + -- *`rabbitmq.node.msg.store_read.count`*:: + -- -type: long - Number of messages which have been read from the message store. +type: long + -- *`rabbitmq.node.msg.store_write.count`*:: + -- -type: long - Number of messages which have been written to the message store. +type: long + -- *`rabbitmq.node.name`*:: + -- -type: keyword - Node name +type: keyword + -- *`rabbitmq.node.proc.total`*:: + -- -type: long - Maximum number of Erlang processes. +type: long + -- *`rabbitmq.node.proc.used`*:: + -- -type: long - Number of Erlang processes in use. +type: long + -- *`rabbitmq.node.processors`*:: + -- -type: long - Number of cores detected and usable by Erlang. +type: long + -- *`rabbitmq.node.queue.index.journal_write.count`*:: + -- -type: long - Number of records written to the queue index journal. +type: long + -- *`rabbitmq.node.queue.index.read.count`*:: + -- -type: long - Number of records read from the queue index. +type: long + -- *`rabbitmq.node.queue.index.write.count`*:: + -- -type: long - Number of records written to the queue index. +type: long + -- *`rabbitmq.node.run.queue`*:: + -- -type: long - Average number of Erlang processes waiting to run. 
+type: long + -- *`rabbitmq.node.socket.total`*:: + -- -type: long - File descriptors available for use as sockets. +type: long + -- *`rabbitmq.node.socket.used`*:: + -- -type: long - File descriptors used as sockets. +type: long + -- *`rabbitmq.node.type`*:: + -- -type: keyword - Node type. +type: keyword + -- *`rabbitmq.node.uptime`*:: + -- -type: long - Node uptime. +type: long + -- [float] -== queue fields +=== queue queue 
@@ -21771,209 +21771,209 @@ queue *`rabbitmq.queue.name`*:: + -- -type: keyword - The name of the queue with non-ASCII characters escaped as in C. +type: keyword + -- *`rabbitmq.queue.vhost`*:: + -- -type: alias +Virtual host name with non-ASCII characters escaped as in C. -alias to: rabbitmq.vhost -Virtual host name with non-ASCII characters escaped as in C. +type: alias +alias to: rabbitmq.vhost -- *`rabbitmq.queue.durable`*:: + -- -type: boolean - Whether or not the queue survives server restarts. +type: boolean + -- *`rabbitmq.queue.auto_delete`*:: + -- -type: boolean - Whether the queue will be deleted automatically when no longer used. +type: boolean + -- *`rabbitmq.queue.exclusive`*:: + -- -type: boolean - Whether the queue is exclusive (i.e. has owner_pid). +type: boolean + -- *`rabbitmq.queue.node`*:: + -- -type: alias +Node name. -alias to: rabbitmq.node.name -Node name. +type: alias +alias to: rabbitmq.node.name -- *`rabbitmq.queue.state`*:: + -- -type: keyword - The state of the queue. Normally 'running', but may be "{syncing, MsgCount}" if the queue is synchronising. Queues which are located on cluster nodes that are currently down will be shown with a status of 'down'. +type: keyword + -- *`rabbitmq.queue.arguments.max_priority`*:: + -- -type: long - Maximum number of priority levels for the queue to support. +type: long + -- *`rabbitmq.queue.consumers.count`*:: + -- -type: long - Number of consumers. +type: long + -- *`rabbitmq.queue.consumers.utilisation.pct`*:: + -- -type: long +Fraction of the time (between 0.0 and 1.0) that the queue is able to immediately deliver messages to consumers. This can be less than 1.0 if consumers are limited by network congestion or prefetch count. -format: percentage -Fraction of the time (between 0.0 and 1.0) that the queue is able to immediately deliver messages to consumers. This can be less than 1.0 if consumers are limited by network congestion or prefetch count. 
+type: long +format: percentage -- *`rabbitmq.queue.messages.total.count`*:: + -- -type: long - Sum of ready and unacknowledged messages (queue depth). +type: long + -- *`rabbitmq.queue.messages.total.details.rate`*:: + -- -type: float - How much the queue depth has changed per second in the most recent sampling interval. +type: float + -- *`rabbitmq.queue.messages.ready.count`*:: + -- -type: long - Number of messages ready to be delivered to clients. +type: long + -- *`rabbitmq.queue.messages.ready.details.rate`*:: + -- -type: float - How much the count of messages ready has changed per second in the most recent sampling interval. +type: float + -- *`rabbitmq.queue.messages.unacknowledged.count`*:: + -- -type: long - Number of messages delivered to clients but not yet acknowledged. +type: long + -- *`rabbitmq.queue.messages.unacknowledged.details.rate`*:: + -- -type: float - How much the count of unacknowledged messages has changed per second in the most recent sampling interval. +type: float + -- *`rabbitmq.queue.messages.persistent.count`*:: + -- -type: long - Total number of persistent messages in the queue (will always be 0 for transient queues). +type: long + -- *`rabbitmq.queue.memory.bytes`*:: + -- -type: long +Bytes of memory consumed by the Erlang process associated with the queue, including stack, heap and internal structures. -format: bytes -Bytes of memory consumed by the Erlang process associated with the queue, including stack, heap and internal structures. +type: long +format: bytes -- *`rabbitmq.queue.disk.reads.count`*:: + -- -type: long - Total number of times messages have been read from disk by this queue since it started. +type: long + -- *`rabbitmq.queue.disk.writes.count`*:: + -- -type: long - Total number of times messages have been written to disk by this queue since it started. +type: long + -- [[exported-fields-redis]] 
@@ -21984,21 +21984,21 @@ Redis metrics collected from Redis. [float] -== redis fields +=== redis `redis` contains the information and statistics from Redis. [float] -== info fields +=== info `info` contains the information and statistics returned by the `INFO` command. [float] -== clients fields +=== clients Redis client stats. @@ -22007,11 +22007,11 @@ Redis client stats. *`redis.info.clients.connected`*:: + -- -type: long - Number of client connections (excluding connections from slaves). +type: long + -- *`redis.info.clients.longest_output_list`*:: @@ -22020,21 +22020,21 @@ Number of client connections (excluding connections from slaves). deprecated[6.5.0] -type: long - Longest output list among current client connections (replaced by max_output_buffer). +type: long + -- *`redis.info.clients.max_output_buffer`*:: + -- -type: long - Longest output list among current client connections. +type: long + -- *`redis.info.clients.biggest_input_buf`*:: @@ -22043,35 +22043,35 @@ Longest output list among current client connections. deprecated[6.5.0] -type: long - Biggest input buffer among current client connections (replaced by max_input_buffer). +type: long + -- *`redis.info.clients.max_input_buffer`*:: + -- -type: long - Biggest input buffer among current client connections (on redis 5.0). +type: long + -- *`redis.info.clients.blocked`*:: + -- -type: long - Number of clients pending on a blocking call (BLPOP, BRPOP, BRPOPLPUSH). +type: long + -- [float] -== cluster fields +=== cluster Redis cluster information. @@ -22080,15 +22080,15 @@ Redis cluster information. *`redis.info.cluster.enabled`*:: + -- -type: boolean - Indicates that the Redis cluster is enabled. +type: boolean + -- [float] -== cpu fields +=== cpu Redis CPU stats 
@@ -22097,45 +22097,45 @@ Redis CPU stats *`redis.info.cpu.used.sys`*:: + -- -type: scaled_float - System CPU consumed by the Redis server. +type: scaled_float + -- *`redis.info.cpu.used.sys_children`*:: + -- -type: scaled_float - User CPU consumed by the Redis server. +type: scaled_float + -- *`redis.info.cpu.used.user`*:: + -- -type: scaled_float - System CPU consumed by the background processes. +type: scaled_float + -- *`redis.info.cpu.used.user_children`*:: + -- -type: scaled_float - User CPU consumed by the background processes. +type: scaled_float + -- [float] -== memory fields +=== memory Redis memory stats. 
@@ -22144,209 +22144,209 @@ Redis memory stats. *`redis.info.memory.used.value`*:: + -- -type: long -format: bytes Total number of bytes allocated by Redis. +type: long +format: bytes Total number of bytes allocated by Redis. -- *`redis.info.memory.used.rss`*:: + -- -type: long +Number of bytes that Redis allocated as seen by the operating system (a.k.a resident set size). -format: bytes -Number of bytes that Redis allocated as seen by the operating system (a.k.a resident set size). +type: long +format: bytes -- *`redis.info.memory.used.peak`*:: + -- -type: long +Peak memory consumed by Redis. -format: bytes -Peak memory consumed by Redis. +type: long +format: bytes -- *`redis.info.memory.used.lua`*:: + -- -type: long +Used memory by the Lua engine. -format: bytes -Used memory by the Lua engine. +type: long +format: bytes -- *`redis.info.memory.used.dataset`*:: + -- -type: long +The size in bytes of the dataset -format: bytes -The size in bytes of the dataset +type: long +format: bytes -- *`redis.info.memory.max.value`*:: + -- -type: long +Memory limit. -format: bytes -Memory limit. +type: long +format: bytes -- *`redis.info.memory.max.policy`*:: + -- -type: keyword - Eviction policy to use when memory limit is reached. +type: keyword + -- *`redis.info.memory.fragmentation.ratio`*:: + -- -type: float - Ratio between used_memory_rss and used_memory +type: float + -- *`redis.info.memory.fragmentation.bytes`*:: + -- -type: long +Bytes between used_memory_rss and used_memory -format: bytes -Bytes between used_memory_rss and used_memory +type: long +format: bytes -- *`redis.info.memory.active_defrag.is_running`*:: + -- -type: boolean - Flag indicating if active defragmentation is active +type: boolean + -- *`redis.info.memory.allocator`*:: + -- -type: keyword - Memory allocator. 
+type: keyword + -- *`redis.info.memory.allocator_stats.allocated`*:: + -- -type: long +Allocated memory -format: bytes -Allocated memory +type: long +format: bytes -- *`redis.info.memory.allocator_stats.active`*:: + -- -type: long +Active memeory -format: bytes -Active memeory +type: long +format: bytes -- *`redis.info.memory.allocator_stats.resident`*:: + -- -type: long +Resident memory -format: bytes -Resident memory +type: long +format: bytes -- *`redis.info.memory.allocator_stats.fragmentation.ratio`*:: + -- -type: float - Fragmentation ratio +type: float + -- *`redis.info.memory.allocator_stats.fragmentation.bytes`*:: + -- -type: long +Fragmented bytes -format: bytes -Fragmented bytes +type: long +format: bytes -- *`redis.info.memory.allocator_stats.rss.ratio`*:: + -- -type: float - Resident ratio +type: float + -- *`redis.info.memory.allocator_stats.rss.bytes`*:: + -- -type: long +Resident bytes -format: bytes -Resident bytes +type: long +format: bytes -- [float] -== persistence fields +=== persistence Redis CPU stats. @@ -22355,15 +22355,15 @@ Redis CPU stats. *`redis.info.persistence.loading`*:: + -- -type: boolean - Flag indicating if the load of a dump file is on-going +type: boolean + -- [float] -== rdb fields +=== rdb Provides information about RDB persistence 
@@ -22372,81 +22372,81 @@ Provides information about RDB persistence *`redis.info.persistence.rdb.last_save.changes_since`*:: + -- -type: long - Number of changes since the last dump +type: long + -- *`redis.info.persistence.rdb.last_save.time`*:: + -- -type: long - Epoch-based timestamp of last successful RDB save +type: long + -- *`redis.info.persistence.rdb.bgsave.in_progress`*:: + -- -type: boolean - Flag indicating a RDB save is on-going +type: boolean + -- *`redis.info.persistence.rdb.bgsave.last_status`*:: + -- -type: keyword - Status of the last RDB save operation +type: keyword + -- *`redis.info.persistence.rdb.bgsave.last_time.sec`*:: + -- +Duration of the last RDB save operation in seconds + + type: long format: duration -Duration of the last RDB save operation in seconds - - -- *`redis.info.persistence.rdb.bgsave.current_time.sec`*:: + -- -type: long +Duration of the on-going RDB save operation if any -format: duration -Duration of the on-going RDB save operation if any +type: long +format: duration -- *`redis.info.persistence.rdb.copy_on_write.last_size`*:: + -- -type: long +The size in bytes of copy-on-write allocations during the last RBD save operation -format: bytes -The size in bytes of copy-on-write allocations during the last RBD save operation +type: long +format: bytes -- [float] -== aof fields +=== aof Provides information about AOF persitence 
@@ -22455,159 +22455,159 @@ Provides information about AOF persitence *`redis.info.persistence.aof.enabled`*:: + -- -type: boolean - Flag indicating AOF logging is activated +type: boolean + -- *`redis.info.persistence.aof.rewrite.in_progress`*:: + -- -type: boolean - Flag indicating a AOF rewrite operation is on-going +type: boolean + -- *`redis.info.persistence.aof.rewrite.scheduled`*:: + -- -type: boolean - Flag indicating an AOF rewrite operation will be scheduled once the on-going RDB save is complete. +type: boolean + -- *`redis.info.persistence.aof.rewrite.last_time.sec`*:: + -- -type: long +Duration of the last AOF rewrite operation in seconds -format: duration -Duration of the last AOF rewrite operation in seconds +type: long +format: duration -- *`redis.info.persistence.aof.rewrite.current_time.sec`*:: + -- -type: long +Duration of the on-going AOF rewrite operation if any -format: duration -Duration of the on-going AOF rewrite operation if any +type: long +format: duration -- *`redis.info.persistence.aof.rewrite.buffer.size`*:: + -- -type: long +Size of the AOF rewrite buffer -format: bytes -Size of the AOF rewrite buffer +type: long +format: bytes -- *`redis.info.persistence.aof.bgrewrite.last_status`*:: + -- -type: keyword - Status of the last AOF rewrite operatio +type: keyword + -- *`redis.info.persistence.aof.write.last_status`*:: + -- -type: keyword - Status of the last write operation to the AOF +type: keyword + -- *`redis.info.persistence.aof.copy_on_write.last_size`*:: + -- -type: long +The size in bytes of copy-on-write allocations during the last RBD save operation -format: bytes -The size in bytes of copy-on-write allocations during the last RBD save operation +type: long +format: bytes -- *`redis.info.persistence.aof.buffer.size`*:: + -- -type: long +Size of the AOF buffer -format: bytes -Size of the AOF buffer +type: long +format: bytes -- *`redis.info.persistence.aof.size.current`*:: + -- -type: long +AOF current file size -format: bytes 
-AOF current file size +type: long +format: bytes -- *`redis.info.persistence.aof.size.base`*:: + -- -type: long +AOF file size on latest startup or rewrite -format: bytes -AOF file size on latest startup or rewrite +type: long +format: bytes -- *`redis.info.persistence.aof.fsync.pending`*:: + -- -type: long - Number of fsync pending jobs in background I/O queue +type: long + -- *`redis.info.persistence.aof.fsync.delayed`*:: + -- -type: long - Delayed fsync counter +type: long + -- [float] -== replication fields +=== replication Replication @@ -22616,21 +22616,21 @@ Replication *`redis.info.replication.role`*:: + -- -type: keyword - Role of the instance (can be "master", or "slave"). +type: keyword + -- *`redis.info.replication.connected_slaves`*:: + -- -type: long - Number of connected slaves +type: long + -- *`redis.info.replication.master_offset`*:: 
@@ -22639,163 +22639,163 @@ Number of connected slaves deprecated[6.5] -type: long - The server's current replication offset +type: long + -- *`redis.info.replication.backlog.active`*:: + -- -type: long - Flag indicating replication backlog is active +type: long + -- *`redis.info.replication.backlog.size`*:: + -- -type: long +Total size in bytes of the replication backlog buffer -format: bytes -Total size in bytes of the replication backlog buffer +type: long +format: bytes -- *`redis.info.replication.backlog.first_byte_offset`*:: + -- -type: long - The master offset of the replication backlog buffer +type: long + -- *`redis.info.replication.backlog.histlen`*:: + -- -type: long - Size in bytes of the data in the replication backlog buffer +type: long + -- *`redis.info.replication.master.offset`*:: + -- -type: long - The server's current replication offset +type: long + -- *`redis.info.replication.master.second_offset`*:: + -- -type: long - The offset up to which replication IDs are accepted +type: long + -- *`redis.info.replication.master.link_status`*:: + -- -type: keyword - Status of the link (up/down) +type: keyword + -- *`redis.info.replication.master.last_io_seconds_ago`*:: + -- -type: long +Number of seconds since the last interaction with master -format: duration -Number of seconds since the last interaction with master +type: long +format: duration -- *`redis.info.replication.master.sync.in_progress`*:: + -- -type: boolean - Indicate the master is syncing to the slave +type: boolean + -- *`redis.info.replication.master.sync.left_bytes`*:: + -- -type: long +Number of bytes left before syncing is complete -format: bytes -Number of bytes left before syncing is complete +type: long +format: bytes -- *`redis.info.replication.master.sync.last_io_seconds_ago`*:: + -- -type: long +Number of seconds since last transfer I/O during a SYNC operation -format: duration -Number of seconds since last transfer I/O during a SYNC operation +type: long +format: duration -- 
*`redis.info.replication.slave.offset`*:: + -- -type: long - The replication offset of the slave instance +type: long + -- *`redis.info.replication.slave.priority`*:: + -- -type: long - The priority of the instance as a candidate for failover +type: long + -- *`redis.info.replication.slave.is_readonly`*:: + -- -type: boolean - Flag indicating if the slave is read-only +type: boolean + -- [float] -== server fields +=== server Server info @@ -22804,155 +22804,155 @@ Server info *`redis.info.server.version`*:: + -- +None + type: alias alias to: service.version -None - -- *`redis.info.server.git_sha1`*:: + -- -type: keyword - None +type: keyword + -- *`redis.info.server.git_dirty`*:: + -- -type: keyword - None +type: keyword + -- *`redis.info.server.build_id`*:: + -- -type: keyword - None +type: keyword + -- *`redis.info.server.mode`*:: + -- -type: keyword - None +type: keyword + -- *`redis.info.server.os`*:: + -- +None + type: alias alias to: os.full -None - -- *`redis.info.server.arch_bits`*:: + -- -type: keyword - None +type: keyword + -- *`redis.info.server.multiplexing_api`*:: + -- -type: keyword - None +type: keyword + -- *`redis.info.server.gcc_version`*:: + -- -type: keyword - None +type: keyword + -- *`redis.info.server.process_id`*:: + -- +None + type: alias alias to: process.pid -None - -- *`redis.info.server.run_id`*:: + -- -type: keyword - None +type: keyword + -- *`redis.info.server.tcp_port`*:: + -- -type: long - None +type: long + -- *`redis.info.server.uptime`*:: + -- -type: long - None +type: long + -- *`redis.info.server.hz`*:: + -- -type: long - None +type: long + -- *`redis.info.server.lru_clock`*:: + -- -type: long - None +type: long + -- *`redis.info.server.config_file`*:: + -- -type: keyword - None +type: keyword + -- [float] -== stats fields +=== stats Redis stats. 
@@ -22961,250 +22961,250 @@ Redis stats. *`redis.info.stats.connections.received`*:: + -- -type: long - Total number of connections received. +type: long + -- *`redis.info.stats.connections.rejected`*:: + -- -type: long - Total number of connections rejected. +type: long + -- *`redis.info.stats.commands_processed`*:: + -- -type: long - Total number of commands processed. +type: long + -- *`redis.info.stats.net.input.bytes`*:: + -- -type: long - Total network input in bytes. +type: long + -- *`redis.info.stats.net.output.bytes`*:: + -- -type: long - Total network output in bytes. +type: long + -- *`redis.info.stats.instantaneous.ops_per_sec`*:: + -- -type: long - Number of commands processed per second +type: long + -- *`redis.info.stats.instantaneous.input_kbps`*:: + -- -type: scaled_float - The network's read rate per second in KB/sec +type: scaled_float + -- *`redis.info.stats.instantaneous.output_kbps`*:: + -- -type: scaled_float - The network's write rate per second in KB/sec --- +type: scaled_float + +-- *`redis.info.stats.sync.full`*:: + -- -type: long - The number of full resyncs with slaves +type: long + -- *`redis.info.stats.sync.partial.ok`*:: + -- -type: long - The number of accepted partial resync requests +type: long + -- *`redis.info.stats.sync.partial.err`*:: + -- -type: long - The number of denied partial resync requests +type: long + -- *`redis.info.stats.keys.expired`*:: + -- -type: long - Total number of key expiration events +type: long + -- *`redis.info.stats.keys.evicted`*:: + -- -type: long - Number of evicted keys due to maxmemory limit +type: long + -- *`redis.info.stats.keyspace.hits`*:: + -- -type: long - Number of successful lookup of keys in the main dictionary +type: long + -- *`redis.info.stats.keyspace.misses`*:: + -- -type: long - Number of failed lookup of keys in the main dictionary +type: long + -- *`redis.info.stats.pubsub.channels`*:: + -- -type: long - Global number of pub/sub channels with client subscriptions +type: long + 
-- *`redis.info.stats.pubsub.patterns`*:: + -- -type: long - Global number of pub/sub pattern with client subscriptions +type: long + -- *`redis.info.stats.latest_fork_usec`*:: + -- -type: long - Duration of the latest fork operation in microseconds +type: long + -- *`redis.info.stats.migrate_cached_sockets`*:: + -- -type: long - The number of sockets open for MIGRATE purposes +type: long + -- *`redis.info.stats.slave_expires_tracked_keys`*:: + -- -type: long - The number of keys tracked for expiry purposes (applicable only to writable slaves) +type: long + -- *`redis.info.stats.active_defrag.hits`*:: + -- -type: long - Number of value reallocations performed by active the defragmentation process +type: long + -- *`redis.info.stats.active_defrag.misses`*:: + -- -type: long - Number of aborted value reallocations started by the active defragmentation process +type: long + -- *`redis.info.stats.active_defrag.key_hits`*:: + -- -type: long - Number of keys that were actively defragmented +type: long + -- *`redis.info.stats.active_defrag.key_misses`*:: + -- -type: long - Number of keys that were skipped by the active defragmentation process +type: long + -- *`redis.info.slowlog.count`*:: + -- -type: long - Count of slow operations +type: long + -- [float] -== key fields +=== key `key` contains information about keys. 
@@ -23213,55 +23213,55 @@ Count of slow operations *`redis.key.name`*:: + -- -type: keyword - Key name. +type: keyword + -- *`redis.key.id`*:: + -- -type: keyword - Unique id for this key (With the form :). +type: keyword + -- *`redis.key.type`*:: + -- -type: keyword - Key type as shown by `TYPE` command. +type: keyword + -- *`redis.key.length`*:: + -- -type: long - Length of the key (Number of elements for lists, length for strings, cardinality for sets). +type: long + -- *`redis.key.expire.ttl`*:: + -- -type: long - Seconds to expire. +type: long + -- [float] -== keyspace fields +=== keyspace `keyspace` contains the information about the keyspaces returned by the `INFO` command. @@ -23270,39 +23270,39 @@ Seconds to expire. *`redis.keyspace.id`*:: + -- -type: keyword - Keyspace identifier. +type: keyword + -- *`redis.keyspace.avg_ttl`*:: + -- -type: long - Average ttl. +type: long + -- *`redis.keyspace.keys`*:: + -- -type: long - Number of keys in the keyspace. +type: long + -- *`redis.keyspace.expires`*:: + -- -type: long +type: long -- @@ -23314,14 +23314,14 @@ System status metrics, like CPU and memory usage, that are collected from the op [float] -== system fields +=== system `system` contains local system metrics. [float] -== core fields +=== core `system-core` contains CPU metrics for a single core of a multi-core system. 
@@ -23330,191 +23330,191 @@ System status metrics, like CPU and memory usage, that are collected from the op *`system.core.id`*:: + -- -type: long - CPU Core number. +type: long + -- *`system.core.user.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent in user space. -format: percent -The percentage of CPU time spent in user space. +type: scaled_float +format: percent -- *`system.core.user.ticks`*:: + -- -type: long - The amount of CPU time spent in user space. +type: long + -- *`system.core.system.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent in kernel space. -format: percent -The percentage of CPU time spent in kernel space. +type: scaled_float +format: percent -- *`system.core.system.ticks`*:: + -- -type: long - The amount of CPU time spent in kernel space. +type: long + -- *`system.core.nice.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent on low-priority processes. -format: percent -The percentage of CPU time spent on low-priority processes. +type: scaled_float +format: percent -- *`system.core.nice.ticks`*:: + -- -type: long - The amount of CPU time spent on low-priority processes. +type: long + -- *`system.core.idle.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent idle. -format: percent -The percentage of CPU time spent idle. +type: scaled_float +format: percent -- *`system.core.idle.ticks`*:: + -- -type: long - The amount of CPU time spent idle. +type: long + -- *`system.core.iowait.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent in wait (on disk). -format: percent -The percentage of CPU time spent in wait (on disk). +type: scaled_float +format: percent -- *`system.core.iowait.ticks`*:: + -- -type: long - The amount of CPU time spent in wait (on disk). +type: long + -- *`system.core.irq.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent servicing and handling hardware interrupts. 
-format: percent -The percentage of CPU time spent servicing and handling hardware interrupts. +type: scaled_float +format: percent -- *`system.core.irq.ticks`*:: + -- -type: long - The amount of CPU time spent servicing and handling hardware interrupts. +type: long + -- *`system.core.softirq.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent servicing and handling software interrupts. -format: percent -The percentage of CPU time spent servicing and handling software interrupts. +type: scaled_float +format: percent -- *`system.core.softirq.ticks`*:: + -- -type: long - The amount of CPU time spent servicing and handling software interrupts. +type: long + -- *`system.core.steal.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. -format: percent -The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. +type: scaled_float +format: percent -- *`system.core.steal.ticks`*:: + -- -type: long - The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. +type: long + -- [float] -== cpu fields +=== cpu `cpu` contains local CPU stats. 
@@ -23523,311 +23523,311 @@ The amount of CPU time spent in involuntary wait by the virtual CPU while the hy *`system.cpu.cores`*:: + -- -type: long - The number of CPU cores present on the host. The non-normalized percentages will have a maximum value of `100% * cores`. The normalized percentages already take this value into account and have a maximum value of 100%. +type: long + -- *`system.cpu.user.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. -format: percent -The percentage of CPU time spent in user space. On multi-core systems, you can have percentages that are greater than 100%. For example, if 3 cores are at 60% use, then the `system.cpu.user.pct` will be 180%. +type: scaled_float +format: percent -- *`system.cpu.system.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent in kernel space. -format: percent -The percentage of CPU time spent in kernel space. +type: scaled_float +format: percent -- *`system.cpu.nice.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent on low-priority processes. -format: percent -The percentage of CPU time spent on low-priority processes. +type: scaled_float +format: percent -- *`system.cpu.idle.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent idle. -format: percent -The percentage of CPU time spent idle. +type: scaled_float +format: percent -- *`system.cpu.iowait.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent in wait (on disk). -format: percent -The percentage of CPU time spent in wait (on disk). +type: scaled_float +format: percent -- *`system.cpu.irq.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent servicing and handling hardware interrupts. -format: percent -The percentage of CPU time spent servicing and handling hardware interrupts. 
+type: scaled_float +format: percent -- *`system.cpu.softirq.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent servicing and handling software interrupts. -format: percent -The percentage of CPU time spent servicing and handling software interrupts. +type: scaled_float +format: percent -- *`system.cpu.steal.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. -format: percent -The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. +type: scaled_float +format: percent -- *`system.cpu.total.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent in states other than Idle and IOWait. -format: percent -The percentage of CPU time spent in states other than Idle and IOWait. +type: scaled_float +format: percent -- *`system.cpu.user.norm.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent in user space. -format: percent -The percentage of CPU time spent in user space. +type: scaled_float +format: percent -- *`system.cpu.system.norm.pct`*:: + -- +The percentage of CPU time spent in kernel space. + + type: scaled_float format: percent -The percentage of CPU time spent in kernel space. - - -- *`system.cpu.nice.norm.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent on low-priority processes. -format: percent -The percentage of CPU time spent on low-priority processes. +type: scaled_float +format: percent -- *`system.cpu.idle.norm.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent idle. -format: percent -The percentage of CPU time spent idle. +type: scaled_float +format: percent -- *`system.cpu.iowait.norm.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent in wait (on disk). -format: percent -The percentage of CPU time spent in wait (on disk). 
+type: scaled_float +format: percent -- *`system.cpu.irq.norm.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent servicing and handling hardware interrupts. -format: percent -The percentage of CPU time spent servicing and handling hardware interrupts. +type: scaled_float +format: percent -- *`system.cpu.softirq.norm.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent servicing and handling software interrupts. -format: percent -The percentage of CPU time spent servicing and handling software interrupts. +type: scaled_float +format: percent -- *`system.cpu.steal.norm.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. -format: percent -The percentage of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. +type: scaled_float +format: percent -- *`system.cpu.total.norm.pct`*:: + -- -type: scaled_float +The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. -format: percent -The percentage of CPU time in states other than Idle and IOWait, normalised by the number of cores. +type: scaled_float +format: percent -- *`system.cpu.user.ticks`*:: + -- -type: long - The amount of CPU time spent in user space. +type: long + -- *`system.cpu.system.ticks`*:: + -- -type: long - The amount of CPU time spent in kernel space. +type: long + -- *`system.cpu.nice.ticks`*:: + -- -type: long - The amount of CPU time spent on low-priority processes. +type: long + -- *`system.cpu.idle.ticks`*:: + -- -type: long - The amount of CPU time spent idle. +type: long + -- *`system.cpu.iowait.ticks`*:: + -- -type: long - The amount of CPU time spent in wait (on disk). +type: long + -- *`system.cpu.irq.ticks`*:: + -- -type: long - The amount of CPU time spent servicing and handling hardware interrupts. 
+type: long + -- *`system.cpu.softirq.ticks`*:: + -- -type: long - The amount of CPU time spent servicing and handling software interrupts. +type: long + -- *`system.cpu.steal.ticks`*:: + -- -type: long - The amount of CPU time spent in involuntary wait by the virtual CPU while the hypervisor was servicing another processor. Available only on Unix. +type: long + -- [float] -== diskio fields +=== diskio `disk` contains disk IO metrics collected from the operating system. 
@@ -23836,235 +23836,235 @@ The amount of CPU time spent in involuntary wait by the virtual CPU while the hy *`system.diskio.name`*:: + -- -type: keyword +The disk name. -example: sda1 -The disk name. +type: keyword +example: sda1 -- *`system.diskio.serial_number`*:: + -- -type: keyword - The disk's serial number. This may not be provided by all operating systems. +type: keyword + -- *`system.diskio.read.count`*:: + -- -type: long - The total number of reads completed successfully. +type: long + -- *`system.diskio.write.count`*:: + -- -type: long - The total number of writes completed successfully. +type: long + -- *`system.diskio.read.bytes`*:: + -- -type: long +The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. -format: bytes -The total number of bytes read successfully. On Linux this is the number of sectors read multiplied by an assumed sector size of 512. +type: long +format: bytes -- *`system.diskio.write.bytes`*:: + -- -type: long +The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. -format: bytes -The total number of bytes written successfully. On Linux this is the number of sectors written multiplied by an assumed sector size of 512. +type: long +format: bytes -- *`system.diskio.read.time`*:: + -- -type: long - The total number of milliseconds spent by all reads. +type: long + -- *`system.diskio.write.time`*:: + -- -type: long - The total number of milliseconds spent by all writes. +type: long + -- *`system.diskio.io.time`*:: + -- -type: long - The total number of of milliseconds spent doing I/Os. +type: long + -- *`system.diskio.iostat.read.request.merges_per_sec`*:: + -- -type: float - The number of read requests merged per second that were queued to the device. 
+type: float + -- *`system.diskio.iostat.write.request.merges_per_sec`*:: + -- -type: float - The number of write requests merged per second that were queued to the device. +type: float + -- *`system.diskio.iostat.read.request.per_sec`*:: + -- -type: float - The number of read requests that were issued to the device per second +type: float + -- *`system.diskio.iostat.write.request.per_sec`*:: + -- -type: float - The number of write requests that were issued to the device per second +type: float + -- *`system.diskio.iostat.read.per_sec.bytes`*:: + -- -type: float +The number of Bytes read from the device per second. -format: bytes -The number of Bytes read from the device per second. +type: float +format: bytes -- *`system.diskio.iostat.read.await`*:: + -- -type: float - The average time spent for read requests issued to the device to be served. +type: float + -- *`system.diskio.iostat.write.per_sec.bytes`*:: + -- -type: float +The number of Bytes write from the device per second. -format: bytes -The number of Bytes write from the device per second. +type: float +format: bytes -- *`system.diskio.iostat.write.await`*:: + -- -type: float - The average time spent for write requests issued to the device to be served. +type: float + -- *`system.diskio.iostat.request.avg_size`*:: + -- -type: float - The average size (in sectors) of the requests that were issued to the device. +type: float + -- *`system.diskio.iostat.queue.avg_size`*:: + -- -type: float - The average queue length of the requests that were issued to the device. +type: float + -- *`system.diskio.iostat.await`*:: + -- -type: float - The average time spent for requests issued to the device to be served. +type: float + -- *`system.diskio.iostat.service_time`*:: + -- -type: float - The average service time (in milliseconds) for I/O requests that were issued to the device. 
+type: float + -- *`system.diskio.iostat.busy`*:: + -- -type: float - Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%. +type: float + -- [float] -== filesystem fields +=== filesystem `filesystem` contains local filesystem stats. 
@@ -24073,115 +24073,115 @@ Percentage of CPU time during which I/O requests were issued to the device (band *`system.filesystem.available`*:: + -- -type: long +The disk space available to an unprivileged user in bytes. -format: bytes -The disk space available to an unprivileged user in bytes. +type: long +format: bytes -- *`system.filesystem.device_name`*:: + -- -type: keyword - The disk name. For example: `/dev/disk1` +type: keyword + -- *`system.filesystem.type`*:: + -- -type: keyword - The disk type. For example: `ext4` +type: keyword + -- *`system.filesystem.mount_point`*:: + -- -type: keyword - The mounting point. For example: `/` +type: keyword + -- *`system.filesystem.files`*:: + -- -type: long - The total number of file nodes in the file system. +type: long + -- *`system.filesystem.free`*:: + -- -type: long +The disk space available in bytes. -format: bytes -The disk space available in bytes. +type: long +format: bytes -- *`system.filesystem.free_files`*:: + -- -type: long - The number of free file nodes in the file system. +type: long + -- *`system.filesystem.total`*:: + -- -type: long +The total disk space in bytes. -format: bytes -The total disk space in bytes. +type: long +format: bytes -- *`system.filesystem.used.bytes`*:: + -- -type: long +The used disk space in bytes. -format: bytes -The used disk space in bytes. +type: long +format: bytes -- *`system.filesystem.used.pct`*:: + -- -type: scaled_float +The percentage of used disk space. -format: percent -The percentage of used disk space. +type: scaled_float +format: percent -- [float] -== fsstat fields +=== fsstat `system.fsstat` contains filesystem metrics aggregated from all mounted filesystems. 
@@ -24190,23 +24190,23 @@ The percentage of used disk space. *`system.fsstat.count`*:: + -- -type: long - Number of file systems found. +type: long + -- *`system.fsstat.total_files`*:: + -- -type: long - Total number of files. +type: long + -- [float] -== total_size fields +=== total_size Nested file system docs. @@ -24214,41 +24214,41 @@ Nested file system docs. *`system.fsstat.total_size.free`*:: + -- -type: long +Total free space. -format: bytes -Total free space. +type: long +format: bytes -- *`system.fsstat.total_size.used`*:: + -- -type: long +Total used space. -format: bytes -Total used space. +type: long +format: bytes -- *`system.fsstat.total_size.total`*:: + -- -type: long +Total space (used plus free). -format: bytes -Total space (used plus free). +type: long +format: bytes -- [float] -== load fields +=== load CPU load averages. @@ -24257,75 +24257,75 @@ CPU load averages. *`system.load.1`*:: + -- -type: scaled_float - Load average for the last minute. +type: scaled_float + -- *`system.load.5`*:: + -- -type: scaled_float - Load average for the last 5 minutes. +type: scaled_float + -- *`system.load.15`*:: + -- -type: scaled_float - Load average for the last 15 minutes. +type: scaled_float + -- *`system.load.norm.1`*:: + -- -type: scaled_float - Load for the last minute divided by the number of cores. +type: scaled_float + -- *`system.load.norm.5`*:: + -- -type: scaled_float - Load for the last 5 minutes divided by the number of cores. +type: scaled_float + -- *`system.load.norm.15`*:: + -- -type: scaled_float - Load for the last 15 minutes divided by the number of cores. +type: scaled_float + -- *`system.load.cores`*:: + -- -type: long - The number of CPU cores present on the host. +type: long + -- [float] -== memory fields +=== memory `memory` contains local memory stats. 
@@ -24334,53 +24334,53 @@ The number of CPU cores present on the host. *`system.memory.total`*:: + -- -type: long +Total memory. -format: bytes -Total memory. +type: long +format: bytes -- *`system.memory.used.bytes`*:: + -- -type: long +Used memory. -format: bytes -Used memory. +type: long +format: bytes -- *`system.memory.free`*:: + -- -type: long +The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). -format: bytes -The total amount of free memory in bytes. This value does not include memory consumed by system caches and buffers (see system.memory.actual.free). +type: long +format: bytes -- *`system.memory.used.pct`*:: + -- -type: scaled_float +The percentage of used memory. -format: percent -The percentage of used memory. +type: scaled_float +format: percent -- [float] -== actual fields +=== actual Actual memory used and free. 
@@ -24389,41 +24389,41 @@ Actual memory used and free. *`system.memory.actual.used.bytes`*:: + -- -type: long +Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. -format: bytes -Actual used memory in bytes. It represents the difference between the total and the available memory. The available memory depends on the OS. For more details, please check `system.actual.free`. +type: long +format: bytes -- *`system.memory.actual.free`*:: + -- -type: long +Actual free memory in bytes. It is calculated based on the OS. On Linux it consists of the free memory plus caches and buffers. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. -format: bytes -Actual free memory in bytes. It is calculated based on the OS. On Linux it consists of the free memory plus caches and buffers. On OSX it is a sum of free memory and the inactive memory. On Windows, it is equal to `system.memory.free`. +type: long +format: bytes -- *`system.memory.actual.used.pct`*:: + -- -type: scaled_float +The percentage of actual used memory. -format: percent -The percentage of actual used memory. +type: scaled_float +format: percent -- [float] -== swap fields +=== swap This group contains statistics related to the swap memory usage on the system. 
@@ -24431,53 +24431,53 @@ This group contains statistics related to the swap memory usage on the system. *`system.memory.swap.total`*:: + -- -type: long +Total swap memory. -format: bytes -Total swap memory. +type: long +format: bytes -- *`system.memory.swap.used.bytes`*:: + -- -type: long +Used swap memory. -format: bytes -Used swap memory. +type: long +format: bytes -- *`system.memory.swap.free`*:: + -- -type: long +Available swap memory. -format: bytes -Available swap memory. +type: long +format: bytes -- *`system.memory.swap.used.pct`*:: + -- -type: scaled_float +The percentage of used swap memory. -format: percent -The percentage of used swap memory. +type: scaled_float +format: percent -- [float] -== hugepages fields +=== hugepages This group contains statistics related to huge pages usage on the system. 
@@ -24485,89 +24485,89 @@ This group contains statistics related to huge pages usage on the system. *`system.memory.hugepages.total`*:: + -- -type: long +Number of huge pages in the pool. -format: number -Number of huge pages in the pool. +type: long +format: number -- *`system.memory.hugepages.used.bytes`*:: + -- -type: long +Memory used in allocated huge pages. -format: bytes -Memory used in allocated huge pages. +type: long +format: bytes -- *`system.memory.hugepages.used.pct`*:: + -- -type: long +Percentage of huge pages used. -format: percent -Percentage of huge pages used. +type: long +format: percent -- *`system.memory.hugepages.free`*:: + -- -type: long +Number of available huge pages in the pool. -format: number -Number of available huge pages in the pool. +type: long +format: number -- *`system.memory.hugepages.reserved`*:: + -- -type: long +Number of reserved but not allocated huge pages in the pool. -format: number -Number of reserved but not allocated huge pages in the pool. +type: long +format: number -- *`system.memory.hugepages.surplus`*:: + -- -type: long +Number of overcommited huge pages. -format: number -Number of overcommited huge pages. +type: long +format: number -- *`system.memory.hugepages.default_size`*:: + -- -type: long +Default size for huge pages. -format: bytes -Default size for huge pages. +type: long +format: bytes -- [float] -== network fields +=== network `network` contains network IO metrics for a single network interface. 
@@ -24576,101 +24576,101 @@ Default size for huge pages. *`system.network.name`*:: + -- -type: keyword +The network interface name. -example: eth0 -The network interface name. +type: keyword +example: eth0 -- *`system.network.out.bytes`*:: + -- -type: long +The number of bytes sent. -format: bytes -The number of bytes sent. +type: long +format: bytes -- *`system.network.in.bytes`*:: + -- -type: long +The number of bytes received. -format: bytes -The number of bytes received. +type: long +format: bytes -- *`system.network.out.packets`*:: + -- -type: long - The number of packets sent. +type: long + -- *`system.network.in.packets`*:: + -- -type: long - The number or packets received. +type: long + -- *`system.network.in.errors`*:: + -- -type: long - The number of errors while receiving. +type: long + -- *`system.network.out.errors`*:: + -- -type: long - The number of errors while sending. +type: long + -- *`system.network.in.dropped`*:: + -- -type: long - The number of incoming packets that were dropped. +type: long + -- *`system.network.out.dropped`*:: + -- -type: long - The number of outgoing packets that were dropped. This value is always 0 on Darwin and BSD because it is not reported by the operating system. +type: long + -- [float] -== process fields +=== process `process` contains process metadata, CPU metrics, and memory metrics. @@ -24688,11 +24688,11 @@ alias to: process.name *`system.process.state`*:: + -- -type: keyword - The process state. For example: "running". +type: keyword + -- *`system.process.pid`*:: @@ -24725,11 +24725,11 @@ alias to: process.pgid *`system.process.cmdline`*:: + -- -type: keyword - The full command-line used to start the process, including the arguments separated by space. +type: keyword + -- *`system.process.username`*:: 
@@ -24753,15 +24753,15 @@ alias to: process.working_directory *`system.process.env`*:: + -- -type: object - The environment variables used to start the process. The data is available on FreeBSD, Linux, and OS X. +type: object + -- [float] -== cpu fields +=== cpu CPU-specific statistics per process. @@ -24769,79 +24769,79 @@ CPU-specific statistics per process. *`system.process.cpu.user.ticks`*:: + -- -type: long - The amount of CPU time the process spent in user space. +type: long + -- *`system.process.cpu.total.value`*:: + -- -type: long - The value of CPU usage since starting the process. +type: long + -- *`system.process.cpu.total.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. -format: percent -The percentage of CPU time spent by the process since the last update. Its value is similar to the %CPU value of the process displayed by the top command on Unix systems. +type: scaled_float +format: percent -- *`system.process.cpu.total.norm.pct`*:: + -- -type: scaled_float +The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. -format: percent -The percentage of CPU time spent by the process since the last event. This value is normalized by the number of CPU cores and it ranges from 0 to 100%. +type: scaled_float +format: percent -- *`system.process.cpu.system.ticks`*:: + -- -type: long - The amount of CPU time the process spent in kernel space. +type: long + -- *`system.process.cpu.total.ticks`*:: + -- -type: long - The total CPU time spent by the process. +type: long + -- *`system.process.cpu.start_time`*:: + -- -type: date - The time when the process was started. +type: date + -- [float] -== memory fields +=== memory Memory-specific statistics per process. 
@@ -24849,53 +24849,53 @@ Memory-specific statistics per process. *`system.process.memory.size`*:: + -- -type: long +The total virtual memory the process has. -format: bytes -The total virtual memory the process has. +type: long +format: bytes -- *`system.process.memory.rss.bytes`*:: + -- -type: long +The Resident Set Size. The amount of memory the process occupied in main memory (RAM). -format: bytes -The Resident Set Size. The amount of memory the process occupied in main memory (RAM). +type: long +format: bytes -- *`system.process.memory.rss.pct`*:: + -- -type: scaled_float +The percentage of memory the process occupied in main memory (RAM). -format: percent -The percentage of memory the process occupied in main memory (RAM). +type: scaled_float +format: percent -- *`system.process.memory.share`*:: + -- -type: long +The shared memory the process uses. -format: bytes -The shared memory the process uses. +type: long +format: bytes -- [float] -== fd fields +=== fd File descriptor usage metrics. This set of metrics is available for Linux and FreeBSD. @@ -24904,34 +24904,34 @@ File descriptor usage metrics. This set of metrics is available for Linux and Fr *`system.process.fd.open`*:: + -- -type: long - The number of file descriptors open by the process. +type: long + -- *`system.process.fd.limit.soft`*:: + -- -type: long - The soft limit on the number of file descriptors opened by the process. The soft limit can be changed by the process at any time. +type: long + -- *`system.process.fd.limit.hard`*:: + -- -type: long - The hard limit on the number of file descriptors opened by the process. The hard limit can only be raised by root. +type: long + -- [float] -== cgroup fields +=== cgroup Metrics and limits from the cgroup of which the task is a member. cgroup metrics are reported when the process has membership in a non-root cgroup. These metrics are only available on Linux. 
@@ -24940,25 +24940,25 @@ Metrics and limits from the cgroup of which the task is a member. cgroup metrics *`system.process.cgroup.id`*:: + -- -type: keyword - The ID common to all cgroups associated with this task. If there isn't a common ID used by all cgroups this field will be absent. +type: keyword + -- *`system.process.cgroup.path`*:: + -- -type: keyword - The path to the cgroup relative to the cgroup subsystem's mountpoint. If there isn't a common path used by all cgroups this field will be absent. +type: keyword + -- [float] -== cpu fields +=== cpu The cpu subsystem schedules CPU access for tasks in the cgroup. Access can be controlled by two separate schedulers, CFS and RT. CFS stands for completely fair scheduler which proportionally divides the CPU time between cgroups based on weight. RT stands for real time scheduler which sets a maximum amount of CPU time that processes in the cgroup can consume during a given period. 
@@ -24967,104 +24967,104 @@ The cpu subsystem schedules CPU access for tasks in the cgroup. Access can be co *`system.process.cgroup.cpu.id`*:: + -- -type: keyword - ID of the cgroup. +type: keyword + -- *`system.process.cgroup.cpu.path`*:: + -- -type: keyword - Path to the cgroup relative to the cgroup subsystem's mountpoint. +type: keyword + -- *`system.process.cgroup.cpu.cfs.period.us`*:: + -- -type: long - Period of time in microseconds for how regularly a cgroup's access to CPU resources should be reallocated. +type: long + -- *`system.process.cgroup.cpu.cfs.quota.us`*:: + -- -type: long - Total amount of time in microseconds for which all tasks in a cgroup can run during one period (as defined by cfs.period.us). +type: long + -- *`system.process.cgroup.cpu.cfs.shares`*:: + -- -type: long - An integer value that specifies a relative share of CPU time available to the tasks in a cgroup. The value specified in the cpu.shares file must be 2 or higher. +type: long + -- *`system.process.cgroup.cpu.rt.period.us`*:: + -- -type: long - Period of time in microseconds for how regularly a cgroup's access to CPU resources is reallocated. +type: long + -- *`system.process.cgroup.cpu.rt.runtime.us`*:: + -- -type: long - Period of time in microseconds for the longest continuous period in which the tasks in a cgroup have access to CPU resources. +type: long + -- *`system.process.cgroup.cpu.stats.periods`*:: + -- -type: long - Number of period intervals (as specified in cpu.cfs.period.us) that have elapsed. +type: long + -- *`system.process.cgroup.cpu.stats.throttled.periods`*:: + -- -type: long - Number of times tasks in a cgroup have been throttled (that is, not allowed to run because they have exhausted all of the available time as specified by their quota). +type: long + -- *`system.process.cgroup.cpu.stats.throttled.ns`*:: + -- -type: long - The total time duration (in nanoseconds) for which tasks in a cgroup have been throttled. 
+type: long + -- [float] -== cpuacct fields +=== cpuacct CPU accounting metrics. @@ -25072,62 +25072,62 @@ CPU accounting metrics. *`system.process.cgroup.cpuacct.id`*:: + -- -type: keyword - ID of the cgroup. +type: keyword + -- *`system.process.cgroup.cpuacct.path`*:: + -- -type: keyword - Path to the cgroup relative to the cgroup subsystem's mountpoint. +type: keyword + -- *`system.process.cgroup.cpuacct.total.ns`*:: + -- -type: long - Total CPU time in nanoseconds consumed by all tasks in the cgroup. +type: long + -- *`system.process.cgroup.cpuacct.stats.user.ns`*:: + -- -type: long - CPU time consumed by tasks in user mode. +type: long + -- *`system.process.cgroup.cpuacct.stats.system.ns`*:: + -- -type: long - CPU time consumed by tasks in user (kernel) mode. +type: long + -- *`system.process.cgroup.cpuacct.percpu`*:: + -- -type: object - CPU time (in nanoseconds) consumed on each CPU by all tasks in this cgroup. +type: object + -- [float] -== memory fields +=== memory Memory limits and metrics. 
@@ -25135,390 +25135,390 @@ Memory limits and metrics. *`system.process.cgroup.memory.id`*:: + -- -type: keyword - ID of the cgroup. +type: keyword + -- *`system.process.cgroup.memory.path`*:: + -- -type: keyword - Path to the cgroup relative to the cgroup subsystem's mountpoint. +type: keyword + -- *`system.process.cgroup.memory.mem.usage.bytes`*:: + -- -type: long +Total memory usage by processes in the cgroup (in bytes). -format: bytes -Total memory usage by processes in the cgroup (in bytes). +type: long +format: bytes -- *`system.process.cgroup.memory.mem.usage.max.bytes`*:: + -- -type: long +The maximum memory used by processes in the cgroup (in bytes). -format: bytes -The maximum memory used by processes in the cgroup (in bytes). +type: long +format: bytes -- *`system.process.cgroup.memory.mem.limit.bytes`*:: + -- -type: long +The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. -format: bytes -The maximum amount of user memory in bytes (including file cache) that tasks in the cgroup are allowed to use. +type: long +format: bytes -- *`system.process.cgroup.memory.mem.failures`*:: + -- -type: long - The number of times that the memory limit (mem.limit.bytes) was reached. +type: long + -- *`system.process.cgroup.memory.memsw.usage.bytes`*:: + -- -type: long +The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). -format: bytes -The sum of current memory usage plus swap space used by processes in the cgroup (in bytes). +type: long +format: bytes -- *`system.process.cgroup.memory.memsw.usage.max.bytes`*:: + -- -type: long +The maximum amount of memory and swap space used by processes in the cgroup (in bytes). -format: bytes -The maximum amount of memory and swap space used by processes in the cgroup (in bytes). 
+type: long +format: bytes -- *`system.process.cgroup.memory.memsw.limit.bytes`*:: + -- -type: long +The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. -format: bytes -The maximum amount for the sum of memory and swap usage that tasks in the cgroup are allowed to use. +type: long +format: bytes -- *`system.process.cgroup.memory.memsw.failures`*:: + -- -type: long - The number of times that the memory plus swap space limit (memsw.limit.bytes) was reached. +type: long + -- *`system.process.cgroup.memory.kmem.usage.bytes`*:: + -- -type: long +Total kernel memory usage by processes in the cgroup (in bytes). -format: bytes -Total kernel memory usage by processes in the cgroup (in bytes). +type: long +format: bytes -- *`system.process.cgroup.memory.kmem.usage.max.bytes`*:: + -- -type: long +The maximum kernel memory used by processes in the cgroup (in bytes). -format: bytes -The maximum kernel memory used by processes in the cgroup (in bytes). +type: long +format: bytes -- *`system.process.cgroup.memory.kmem.limit.bytes`*:: + -- -type: long +The maximum amount of kernel memory that tasks in the cgroup are allowed to use. -format: bytes -The maximum amount of kernel memory that tasks in the cgroup are allowed to use. +type: long +format: bytes -- *`system.process.cgroup.memory.kmem.failures`*:: + -- -type: long - The number of times that the memory limit (kmem.limit.bytes) was reached. +type: long + -- *`system.process.cgroup.memory.kmem_tcp.usage.bytes`*:: + -- -type: long +Total memory usage for TCP buffers in bytes. -format: bytes -Total memory usage for TCP buffers in bytes. +type: long +format: bytes -- *`system.process.cgroup.memory.kmem_tcp.usage.max.bytes`*:: + -- -type: long +The maximum memory used for TCP buffers by processes in the cgroup (in bytes). -format: bytes -The maximum memory used for TCP buffers by processes in the cgroup (in bytes). 
+type: long +format: bytes -- *`system.process.cgroup.memory.kmem_tcp.limit.bytes`*:: + -- -type: long +The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. -format: bytes -The maximum amount of memory for TCP buffers that tasks in the cgroup are allowed to use. +type: long +format: bytes -- *`system.process.cgroup.memory.kmem_tcp.failures`*:: + -- -type: long - The number of times that the memory limit (kmem_tcp.limit.bytes) was reached. +type: long + -- *`system.process.cgroup.memory.stats.active_anon.bytes`*:: + -- -type: long +Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. -format: bytes -Anonymous and swap cache on active least-recently-used (LRU) list, including tmpfs (shmem), in bytes. +type: long +format: bytes -- *`system.process.cgroup.memory.stats.active_file.bytes`*:: + -- +File-backed memory on active LRU list, in bytes. + type: long format: bytes -File-backed memory on active LRU list, in bytes. - -- *`system.process.cgroup.memory.stats.cache.bytes`*:: + -- +Page cache, including tmpfs (shmem), in bytes. + type: long format: bytes -Page cache, including tmpfs (shmem), in bytes. - -- *`system.process.cgroup.memory.stats.hierarchical_memory_limit.bytes`*:: + -- -type: long +Memory limit for the hierarchy that contains the memory cgroup, in bytes. -format: bytes -Memory limit for the hierarchy that contains the memory cgroup, in bytes. +type: long +format: bytes -- *`system.process.cgroup.memory.stats.hierarchical_memsw_limit.bytes`*:: + -- -type: long +Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. -format: bytes -Memory plus swap limit for the hierarchy that contains the memory cgroup, in bytes. 
+type: long +format: bytes -- *`system.process.cgroup.memory.stats.inactive_anon.bytes`*:: + -- -type: long +Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes -format: bytes -Anonymous and swap cache on inactive LRU list, including tmpfs (shmem), in bytes +type: long +format: bytes -- *`system.process.cgroup.memory.stats.inactive_file.bytes`*:: + -- -type: long +File-backed memory on inactive LRU list, in bytes. -format: bytes -File-backed memory on inactive LRU list, in bytes. +type: long +format: bytes -- *`system.process.cgroup.memory.stats.mapped_file.bytes`*:: + -- -type: long +Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. -format: bytes -Size of memory-mapped mapped files, including tmpfs (shmem), in bytes. +type: long +format: bytes -- *`system.process.cgroup.memory.stats.page_faults`*:: + -- -type: long - Number of times that a process in the cgroup triggered a page fault. +type: long + -- *`system.process.cgroup.memory.stats.major_page_faults`*:: + -- -type: long - Number of times that a process in the cgroup triggered a major fault. "Major" faults happen when the kernel actually has to read the data from disk. +type: long + -- *`system.process.cgroup.memory.stats.pages_in`*:: + -- -type: long - Number of pages paged into memory. This is a counter. +type: long + -- *`system.process.cgroup.memory.stats.pages_out`*:: + -- -type: long - Number of pages paged out of memory. This is a counter. +type: long + -- *`system.process.cgroup.memory.stats.rss.bytes`*:: + -- -type: long +Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. -format: bytes -Anonymous and swap cache (includes transparent hugepages), not including tmpfs (shmem), in bytes. +type: long +format: bytes -- *`system.process.cgroup.memory.stats.rss_huge.bytes`*:: + -- -type: long +Number of bytes of anonymous transparent hugepages. -format: bytes -Number of bytes of anonymous transparent hugepages. 
+type: long +format: bytes -- *`system.process.cgroup.memory.stats.swap.bytes`*:: + -- -type: long +Swap usage, in bytes. -format: bytes -Swap usage, in bytes. +type: long +format: bytes -- *`system.process.cgroup.memory.stats.unevictable.bytes`*:: + -- -type: long +Memory that cannot be reclaimed, in bytes. -format: bytes -Memory that cannot be reclaimed, in bytes. +type: long +format: bytes -- [float] -== blkio fields +=== blkio Block IO metrics. @@ -25526,46 +25526,46 @@ Block IO metrics. *`system.process.cgroup.blkio.id`*:: + -- -type: keyword - ID of the cgroup. +type: keyword + -- *`system.process.cgroup.blkio.path`*:: + -- -type: keyword - Path to the cgroup relative to the cgroup subsystems mountpoint. +type: keyword + -- *`system.process.cgroup.blkio.total.bytes`*:: + -- -type: long +Total number of bytes transferred to and from all block devices by processes in the cgroup. -format: bytes -Total number of bytes transferred to and from all block devices by processes in the cgroup. +type: long +format: bytes -- *`system.process.cgroup.blkio.total.ios`*:: + -- -type: long - Total number of I/O operations performed on all devices by processes in the cgroup as seen by the throttling policy. +type: long + -- [float] -== process.summary fields +=== process.summary Summary metrics for the processes running on the host. 
@@ -25574,85 +25574,85 @@ Summary metrics for the processes running on the host. *`system.process.summary.total`*:: + -- -type: long - Total number of processes on this host. +type: long + -- *`system.process.summary.running`*:: + -- -type: long - Number of running processes on this host. +type: long + -- *`system.process.summary.idle`*:: + -- -type: long - Number of idle processes on this host. +type: long + -- *`system.process.summary.sleeping`*:: + -- -type: long - Number of sleeping processes on this host. +type: long + -- *`system.process.summary.stopped`*:: + -- -type: long - Number of stopped processes on this host. +type: long + -- *`system.process.summary.zombie`*:: + -- -type: long - Number of zombie processes on this host. +type: long + -- *`system.process.summary.dead`*:: + -- -type: long - Number of dead processes on this host. It's very unlikely that it will appear but in some special situations it may happen. +type: long + -- *`system.process.summary.unknown`*:: + -- -type: long - Number of processes for which the state couldn't be retrieved or is unknown. +type: long + -- [float] -== raid fields +=== raid raid 
@@ -25661,115 +25661,115 @@ raid *`system.raid.name`*:: + -- -type: keyword - Name of the device. +type: keyword + -- *`system.raid.status`*:: + -- -type: keyword - activity-state of the device. +type: keyword + -- *`system.raid.level`*:: + -- -type: keyword - The raid level of the device +type: keyword + -- *`system.raid.sync_action`*:: + -- -type: keyword - Current sync action, if the RAID array is redundant +type: keyword + -- *`system.raid.disks.active`*:: + -- -type: long - Number of active disks. +type: long + -- *`system.raid.disks.total`*:: + -- -type: long - Total number of disks the device consists of. +type: long + -- *`system.raid.disks.spare`*:: + -- -type: long - Number of spared disks. +type: long + -- *`system.raid.disks.failed`*:: + -- -type: long - Number of failed disks. +type: long + -- *`system.raid.disks.states.*`*:: + -- -type: object - map of raw disk states +type: object + -- *`system.raid.blocks.total`*:: + -- -type: long - Number of blocks the device holds, in 1024-byte blocks. +type: long + -- *`system.raid.blocks.synced`*:: + -- -type: long - Number of blocks on the device that are in sync, in 1024-byte blocks. +type: long + -- [float] -== socket fields +=== socket TCP sockets that are active. 
@@ -25796,83 +25796,83 @@ alias to: network.type *`system.socket.local.ip`*:: + -- -type: ip +Local IP address. This can be an IPv4 or IPv6 address. -example: 192.0.2.1 or 2001:0DB8:ABED:8536::1 -Local IP address. This can be an IPv4 or IPv6 address. +type: ip +example: 192.0.2.1 or 2001:0DB8:ABED:8536::1 -- *`system.socket.local.port`*:: + -- -type: long +Local port. -example: 22 -Local port. +type: long +example: 22 -- *`system.socket.remote.ip`*:: + -- -type: ip +Remote IP address. This can be an IPv4 or IPv6 address. -example: 192.0.2.1 or 2001:0DB8:ABED:8536::1 -Remote IP address. This can be an IPv4 or IPv6 address. +type: ip +example: 192.0.2.1 or 2001:0DB8:ABED:8536::1 -- *`system.socket.remote.port`*:: + -- -type: long +Remote port. -example: 22 -Remote port. +type: long +example: 22 -- *`system.socket.remote.host`*:: + -- -type: keyword +PTR record associated with the remote IP. It is obtained via reverse IP lookup. -example: 76-211-117-36.nw.example.com. -PTR record associated with the remote IP. It is obtained via reverse IP lookup. +type: keyword +example: 76-211-117-36.nw.example.com. -- *`system.socket.remote.etld_plus_one`*:: + -- -type: keyword +The effective top-level domain (eTLD) of the remote host plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. -example: example.com. -The effective top-level domain (eTLD) of the remote host plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. +type: keyword +example: example.com. -- *`system.socket.remote.host_error`*:: + -- -type: keyword - Error describing the cause of the reverse lookup failure. +type: keyword + -- *`system.socket.process.pid`*:: 
@@ -25896,11 +25896,11 @@ alias to: process.name *`system.socket.process.cmdline`*:: + -- -type: keyword - Full command line +type: keyword + -- *`system.socket.process.exe`*:: @@ -25931,14 +25931,14 @@ alias to: user.full_name -- [float] -== socket.summary fields +=== socket.summary Summary metrics of open sockets in the host system [float] -== all fields +=== all All connections @@ -25947,25 +25947,25 @@ All connections *`system.socket.summary.all.count`*:: + -- -type: integer - All open connections +type: integer + -- *`system.socket.summary.all.listening`*:: + -- -type: integer - All listening ports +type: integer + -- [float] -== tcp fields +=== tcp All TCP connections @@ -25974,17 +25974,17 @@ All TCP connections *`system.socket.summary.tcp.memory`*:: + -- -type: integer +Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. -format: bytes -Memory used by TCP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/tcp_mem. Only available on Linux. +type: integer +format: bytes -- [float] -== all fields +=== all All TCP connections 
@@ -25993,65 +25993,65 @@ All TCP connections *`system.socket.summary.tcp.all.orphan`*:: + -- -type: integer - A count of all orphaned tcp sockets. Only available on Linux. +type: integer + -- *`system.socket.summary.tcp.all.count`*:: + -- -type: integer - All open TCP connections +type: integer + -- *`system.socket.summary.tcp.all.listening`*:: + -- -type: integer - All TCP listening ports +type: integer + -- *`system.socket.summary.tcp.all.established`*:: + -- -type: integer - Number of established TCP connections +type: integer + -- *`system.socket.summary.tcp.all.close_wait`*:: + -- -type: integer - Number of TCP connections in _close_wait_ state +type: integer + -- *`system.socket.summary.tcp.all.time_wait`*:: + -- -type: integer - Number of TCP connections in _time_wait_ state +type: integer + -- [float] -== udp fields +=== udp All UDP connections @@ -26060,17 +26060,17 @@ All UDP connections *`system.socket.summary.udp.memory`*:: + -- -type: integer +Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. -format: bytes -Memory used by UDP sockets in bytes, based on number of allocated pages and system page size. Corresponds to limits set in /proc/sys/net/ipv4/udp_mem. Only available on Linux. +type: integer +format: bytes -- [float] -== all fields +=== all All UDP connections @@ -26079,15 +26079,15 @@ All UDP connections *`system.socket.summary.udp.all.count`*:: + -- -type: integer - All open UDP connections +type: integer + -- [float] -== uptime fields +=== uptime `uptime` contains the operating system uptime metric. @@ -26096,12 +26096,12 @@ All open UDP connections *`system.uptime.duration.ms`*:: + -- -type: long +The OS uptime in milliseconds. -format: duration -The OS uptime in milliseconds. +type: long +format: duration -- 
@@ -26113,14 +26113,14 @@ Traefik reverse proxy / load balancer metrics [float] -== traefik fields +=== traefik Traefik reverse proxy / load balancer metrics [float] -== health fields +=== health Metrics obtained from Traefik's health API endpoint @@ -26129,15 +26129,15 @@ Metrics obtained from Traefik's health API endpoint *`traefik.health.uptime.sec`*:: + -- -type: long - Uptime of Traefik instance in seconds +type: long + -- [float] -== response fields +=== response Response metrics @@ -26146,31 +26146,31 @@ Response metrics *`traefik.health.response.count`*:: + -- -type: long - Number of responses +type: long + -- *`traefik.health.response.avg_time.us`*:: + -- -type: long - Average response time in microseconds +type: long + -- *`traefik.health.response.status_codes.*`*:: + -- -type: object - Number of responses per status code +type: object + -- [[exported-fields-uwsgi]] @@ -26181,13 +26181,13 @@ uwsgi module [float] -== uwsgi fields +=== uwsgi [float] -== status fields +=== status uwsgi.status metricset fields 
@@ -26196,291 +26196,291 @@ uwsgi.status metricset fields *`uwsgi.status.total.requests`*:: + -- -type: long - Total requests handled +type: long + -- *`uwsgi.status.total.exceptions`*:: + -- -type: long - Total exceptions +type: long + -- *`uwsgi.status.total.write_errors`*:: + -- -type: long - Total requests write errors +type: long + -- *`uwsgi.status.total.read_errors`*:: + -- -type: long - Total read errors +type: long + -- *`uwsgi.status.total.pid`*:: + -- -type: long - Process id +type: long + -- *`uwsgi.status.worker.id`*:: + -- -type: long - Worker id +type: long + -- *`uwsgi.status.worker.pid`*:: + -- -type: long - Worker process id +type: long + -- *`uwsgi.status.worker.accepting`*:: + -- -type: long - State of worker, 1 if still accepting new requests otherwise 0 +type: long + -- *`uwsgi.status.worker.requests`*:: + -- -type: long - Number of requests served by this worker +type: long + -- *`uwsgi.status.worker.delta_requests`*:: + -- -type: long - Number of requests served by this worker after worker is reloaded when reached MAX_REQUESTS +type: long + -- *`uwsgi.status.worker.exceptions`*:: + -- -type: long - Exceptions raised +type: long + -- *`uwsgi.status.worker.harakiri_count`*:: + -- -type: long - Dropped requests by timeout +type: long + -- *`uwsgi.status.worker.signals`*:: + -- -type: long - Emitted signals count +type: long + -- *`uwsgi.status.worker.signal_queue`*:: + -- -type: long - Number of signals waiting to be handled +type: long + -- *`uwsgi.status.worker.status`*:: + -- -type: keyword - Worker status (cheap, pause, sig, busy, idle) +type: keyword + -- *`uwsgi.status.worker.rss`*:: + -- -type: keyword - Resident Set Size. memory currently used by a process. if always zero try `--memory-report` option of uwsgi +type: keyword + -- *`uwsgi.status.worker.vsz`*:: + -- -type: long - Virtual Set Size. memory size assigned to a process. 
if always zero try `--memory-report` option of uwsgi +type: long + -- *`uwsgi.status.worker.running_time`*:: + -- -type: long - Process running time +type: long + -- *`uwsgi.status.worker.respawn_count`*:: + -- -type: long - Respawn count +type: long + -- *`uwsgi.status.worker.tx`*:: + -- -type: long - Transmitted size +type: long + -- *`uwsgi.status.worker.avg_rt`*:: + -- -type: long - Average response time +type: long + -- *`uwsgi.status.core.id`*:: + -- -type: long - worker ID +type: long + -- *`uwsgi.status.core.worker_pid`*:: + -- -type: long - Parent worker PID +type: long + -- *`uwsgi.status.core.requests.total`*:: + -- -type: long - Number of total requests served +type: long + -- *`uwsgi.status.core.requests.static`*:: + -- -type: long - Number of static file serves +type: long + -- *`uwsgi.status.core.requests.routed`*:: + -- -type: long - Routed requests +type: long + -- *`uwsgi.status.core.requests.offloaded`*:: + -- -type: long - Offloaded requests +type: long + -- *`uwsgi.status.core.write_errors`*:: + -- -type: long - Number of failed writes +type: long + -- *`uwsgi.status.core.read_errors`*:: + -- -type: long - Number of failed reads +type: long + -- [[exported-fields-vsphere]] @@ -26491,13 +26491,13 @@ vSphere module [float] -== vsphere fields +=== vsphere [float] -== datastore fields +=== datastore datastore 
@@ -26506,73 +26506,73 @@ datastore *`vsphere.datastore.name`*:: + -- -type: keyword - Datastore name +type: keyword + -- *`vsphere.datastore.fstype`*:: + -- -type: keyword - Filesystem type +type: keyword + -- *`vsphere.datastore.capacity.total.bytes`*:: + -- -type: long +Total bytes of the datastore -format: bytes -Total bytes of the datastore +type: long +format: bytes -- *`vsphere.datastore.capacity.free.bytes`*:: + -- -type: long +Free bytes of the datastore -format: bytes -Free bytes of the datastore +type: long +format: bytes -- *`vsphere.datastore.capacity.used.bytes`*:: + -- -type: long +Used bytes of the datastore -format: bytes -Used bytes of the datastore +type: long +format: bytes -- *`vsphere.datastore.capacity.used.pct`*:: + -- -type: long +Used percent of the datastore -format: percent -Used percent of the datastore +type: long +format: percent -- [float] -== host fields +=== host host @@ -26581,91 +26581,91 @@ host *`vsphere.host.name`*:: + -- -type: keyword - Host name +type: keyword + -- *`vsphere.host.cpu.used.mhz`*:: + -- -type: long - Used CPU in Mhz +type: long + -- *`vsphere.host.cpu.total.mhz`*:: + -- -type: long - Total CPU in Mhz +type: long + -- *`vsphere.host.cpu.free.mhz`*:: + -- -type: long - Free CPU in Mhz +type: long + -- *`vsphere.host.memory.used.bytes`*:: + -- -type: long +Used Memory in bytes -format: bytes -Used Memory in bytes +type: long +format: bytes -- *`vsphere.host.memory.total.bytes`*:: + -- -type: long +Total Memory in bytes -format: bytes -Total Memory in bytes +type: long +format: bytes -- *`vsphere.host.memory.free.bytes`*:: + -- -type: long +Free Memory in bytes -format: bytes -Free Memory in bytes +type: long +format: bytes -- *`vsphere.host.network_names`*:: + -- -type: keyword - Network names +type: keyword + -- [float] -== virtualmachine fields +=== virtualmachine virtualmachine 
@@ -26674,99 +26674,99 @@ virtualmachine *`vsphere.virtualmachine.host`*:: + -- -type: keyword - Host name +type: keyword + -- *`vsphere.virtualmachine.name`*:: + -- -type: keyword - Virtual Machine name +type: keyword + -- *`vsphere.virtualmachine.cpu.used.mhz`*:: + -- -type: long - Used CPU in Mhz +type: long + -- *`vsphere.virtualmachine.memory.used.guest.bytes`*:: + -- -type: long +Used Memory of Guest in bytes -format: bytes -Used Memory of Guest in bytes +type: long +format: bytes -- *`vsphere.virtualmachine.memory.used.host.bytes`*:: + -- -type: long +Used Memory of Host in bytes -format: bytes -Used Memory of Host in bytes +type: long +format: bytes -- *`vsphere.virtualmachine.memory.total.guest.bytes`*:: + -- -type: long +Total Memory of Guest in bytes -format: bytes -Total Memory of Guest in bytes +type: long +format: bytes -- *`vsphere.virtualmachine.memory.free.guest.bytes`*:: + -- -type: long +Free Memory of Guest in bytes -format: bytes -Free Memory of Guest in bytes +type: long +format: bytes -- *`vsphere.virtualmachine.custom_fields`*:: + -- -type: object - Custom fields +type: object + -- *`vsphere.virtualmachine.network_names`*:: + -- -type: keyword - Network names +type: keyword + -- [[exported-fields-windows]] @@ -26777,13 +26777,13 @@ Module for Windows [float] -== windows fields +=== windows [float] -== service fields +=== service `service` contains the status for Windows services. 
@@ -26792,114 +26792,114 @@ Module for Windows *`windows.service.id`*:: + -- -type: keyword +A unique ID for the service. It is a hash of the machine's GUID and the service name. -example: hW3NJFc1Ap -A unique ID for the service. It is a hash of the machine's GUID and the service name. +type: keyword +example: hW3NJFc1Ap -- *`windows.service.name`*:: + -- -type: keyword +The service name. -example: Wecsvc -The service name. +type: keyword +example: Wecsvc -- *`windows.service.display_name`*:: + -- -type: keyword +The display name of the service. -example: Windows Event Collector -The display name of the service. +type: keyword +example: Windows Event Collector -- *`windows.service.start_type`*:: + -- -type: keyword - The startup type of the service. The possible values are `Automatic`, `Boot`, `Disabled`, `Manual`, and `System`. +type: keyword + -- *`windows.service.start_name`*:: + -- -type: keyword +Account name under which a service runs. -example: NT AUTHORITY\LocalService -Account name under which a service runs. +type: keyword +example: NT AUTHORITY\LocalService -- *`windows.service.path_name`*:: + -- -type: keyword +Fully qualified path to the file that implements the service, including arguments. -example: C:\WINDOWS\system32\svchost.exe -k LocalService -p -Fully qualified path to the file that implements the service, including arguments. +type: keyword +example: C:\WINDOWS\system32\svchost.exe -k LocalService -p -- *`windows.service.state`*:: + -- -type: keyword - The actual state of the service. The possible values are `Continuing`, `Pausing`, `Paused`, `Running`, `Starting`, `Stopping`, and `Stopped`. +type: keyword + -- *`windows.service.exit_code`*:: + -- -type: keyword - For `Stopped` services this is the error code that service reports when starting to stopping. This will be the generic Windows service error code unless the service provides a service-specific error code. 
+type: keyword + -- *`windows.service.pid`*:: + -- -type: long +For `Running` services this is the associated process PID. -example: 1092 -For `Running` services this is the associated process PID. +type: long +example: 1092 -- *`windows.service.uptime.ms`*:: + -- -type: long +The service's uptime specified in milliseconds. -format: duration -The service's uptime specified in milliseconds. +type: long +format: duration -- @@ -26911,14 +26911,14 @@ ZooKeeper metrics collected by the four-letter monitoring commands. [float] -== zookeeper fields +=== zookeeper `zookeeper` contains the metrics reported by ZooKeeper commands. [float] -== connection fields +=== connection connections @@ -26927,45 +26927,45 @@ connections *`zookeeper.connection.interest_ops`*:: + -- -type: long - Interest ops +type: long + -- *`zookeeper.connection.queued`*:: + -- -type: long - Queued connections +type: long + -- *`zookeeper.connection.received`*:: + -- -type: long - Received connections +type: long + -- *`zookeeper.connection.sent`*:: + -- -type: long - Connections sent +type: long + -- [float] -== mntr fields +=== mntr `mntr` contains the metrics reported by the four-letter `mntr` command. 
@@ -26974,197 +26974,197 @@ Connections sent *`zookeeper.mntr.hostname`*:: + -- -type: keyword - ZooKeeper hostname. +type: keyword + -- *`zookeeper.mntr.approximate_data_size`*:: + -- -type: long - Approximate size of ZooKeeper data. +type: long + -- *`zookeeper.mntr.latency.avg`*:: + -- -type: long - Average latency between ensemble hosts in milliseconds. +type: long + -- *`zookeeper.mntr.ephemerals_count`*:: + -- -type: long - Number of ephemeral znodes. +type: long + -- *`zookeeper.mntr.followers`*:: + -- -type: long - Number of followers seen by the current host. +type: long + -- *`zookeeper.mntr.max_file_descriptor_count`*:: + -- -type: long - Maximum number of file descriptors allowed for the ZooKeeper process. +type: long + -- *`zookeeper.mntr.latency.max`*:: + -- -type: long - Maximum latency in milliseconds. +type: long + -- *`zookeeper.mntr.latency.min`*:: + -- -type: long - Minimum latency in milliseconds. +type: long + -- *`zookeeper.mntr.num_alive_connections`*:: + -- -type: long - Number of connections to ZooKeeper that are currently alive. +type: long + -- *`zookeeper.mntr.open_file_descriptor_count`*:: + -- -type: long - Number of file descriptors open by the ZooKeeper process. +type: long + -- *`zookeeper.mntr.outstanding_requests`*:: + -- -type: long - Number of outstanding requests that need to be processed by the cluster. +type: long + -- *`zookeeper.mntr.packets.received`*:: + -- -type: long - Number of ZooKeeper network packets received. +type: long + -- *`zookeeper.mntr.packets.sent`*:: + -- -type: long - Number of ZooKeeper network packets sent. +type: long + -- *`zookeeper.mntr.pending_syncs`*:: + -- -type: long - Number of pending syncs to carry out to ZooKeeper ensemble followers. +type: long + -- *`zookeeper.mntr.server_state`*:: + -- -type: keyword - Role in the ZooKeeper ensemble. +type: keyword + -- *`zookeeper.mntr.synced_followers`*:: + -- -type: long - Number of synced followers reported when a node server_state is leader. 
+type: long + -- *`zookeeper.mntr.version`*:: + -- -type: alias +ZooKeeper version and build string reported. -alias to: service.version -ZooKeeper version and build string reported. +type: alias +alias to: service.version -- *`zookeeper.mntr.watch_count`*:: + -- -type: long - Number of watches currently set on the local ZooKeeper process. +type: long + -- *`zookeeper.mntr.znode_count`*:: + -- -type: long - Number of znodes reported by the local ZooKeeper process. +type: long + -- [float] -== server fields +=== server server contains the metrics reported by the four-letter `srvr` command. 
@@ -27172,118 +27172,118 @@ server contains the metrics reported by the four-letter `srvr` command. *`zookeeper.server.connections`*:: + -- -type: long - Number of clients currently connected to the server +type: long + -- *`zookeeper.server.latency.avg`*:: + -- -type: long - Average amount of time taken for the server to respond to a client request +type: long + -- *`zookeeper.server.latency.max`*:: + -- -type: long - Maximum amount of time taken for the server to respond to a client request +type: long + -- *`zookeeper.server.latency.min`*:: + -- -type: long - Minimum amount of time taken for the server to respond to a client request +type: long + -- *`zookeeper.server.mode`*:: + -- -type: keyword - Mode of the server. In an ensemble, this may either be leader or follower. Otherwise, it is standalone +type: keyword + -- *`zookeeper.server.node_count`*:: + -- -type: long - Total number of nodes +type: long + -- *`zookeeper.server.outstanding`*:: + -- -type: long - Number of requests queued at the server. This exceeds zero when the server receives more requests than it is able to process +type: long + -- *`zookeeper.server.received`*:: + -- -type: long - Number of requests received by the server +type: long + -- *`zookeeper.server.sent`*:: + -- -type: long - Number of requests sent by the server +type: long + -- *`zookeeper.server.version_date`*:: + -- -type: date - Date of the Zookeeper release currently in use +type: date + -- *`zookeeper.server.zxid`*:: + -- -type: keyword - Unique value of the Zookeeper transaction ID. The zxid consists of an epoch and a counter. It is established by the leader and is used to determine the temporal ordering of changes +type: keyword + -- *`zookeeper.server.count`*:: + -- -type: long - Total transactions of the leader in epoch +type: long + -- *`zookeeper.server.epoch`*:: + -- -type: long - Epoch value of the Zookeeper transaction ID. An epoch signifies the period in which a server is a leader +type: long + -- 
diff --git a/packetbeat/docs/fields.asciidoc b/packetbeat/docs/fields.asciidoc index 4315fad0aa8..2017d93e115 100644 --- a/packetbeat/docs/fields.asciidoc +++ b/packetbeat/docs/fields.asciidoc @@ -51,115 +51,115 @@ AMQP specific event fields. *`amqp.reply-code`*:: + -- -type: long +AMQP reply code to an error, similar to http reply-code -example: 404 -AMQP reply code to an error, similar to http reply-code +type: long +example: 404 -- *`amqp.reply-text`*:: + -- -type: keyword - Text explaining the error. +type: keyword + -- *`amqp.class-id`*:: + -- -type: long - Failing method class. +type: long + -- *`amqp.method-id`*:: + -- -type: long - Failing method ID. +type: long + -- *`amqp.exchange`*:: + -- -type: keyword - Name of the exchange. +type: keyword + -- *`amqp.exchange-type`*:: + -- -type: keyword +Exchange type. -example: fanout -Exchange type. +type: keyword +example: fanout -- *`amqp.passive`*:: + -- -type: boolean - If set, do not create exchange/queue. +type: boolean + -- *`amqp.durable`*:: + -- -type: boolean - If set, request a durable exchange/queue. +type: boolean + -- *`amqp.exclusive`*:: + -- -type: boolean - If set, request an exclusive queue. +type: boolean + -- *`amqp.auto-delete`*:: + -- -type: boolean - If set, auto-delete queue when unused. +type: boolean + -- *`amqp.no-wait`*:: + -- -type: boolean - If set, the server will not respond to the method. +type: boolean + -- *`amqp.consumer-tag`*:: 
@@ -173,273 +173,273 @@ Identifier for the consumer, valid within the current channel. *`amqp.delivery-tag`*:: + -- -type: long - The server-assigned and channel-specific delivery tag. +type: long + -- *`amqp.message-count`*:: + -- -type: long - The number of messages in the queue, which will be zero for newly-declared queues. +type: long + -- *`amqp.consumer-count`*:: + -- -type: long - The number of consumers of a queue. +type: long + -- *`amqp.routing-key`*:: + -- -type: keyword - Message routing key. +type: keyword + -- *`amqp.no-ack`*:: + -- -type: boolean - If set, the server does not expect acknowledgements for messages. +type: boolean + -- *`amqp.no-local`*:: + -- -type: boolean - If set, the server will not send messages to the connection that published them. +type: boolean + -- *`amqp.if-unused`*:: + -- -type: boolean - Delete only if unused. +type: boolean + -- *`amqp.if-empty`*:: + -- -type: boolean - Delete only if empty. +type: boolean + -- *`amqp.queue`*:: + -- -type: keyword - The queue name identifies the queue within the vhost. +type: keyword + -- *`amqp.redelivered`*:: + -- -type: boolean - Indicates that the message has been previously delivered to this or another client. +type: boolean + -- *`amqp.multiple`*:: + -- -type: boolean - Acknowledge multiple messages. +type: boolean + -- *`amqp.arguments`*:: + -- -type: object - Optional additional arguments passed to some methods. Can be of various types. +type: object + -- *`amqp.mandatory`*:: + -- -type: boolean - Indicates mandatory routing. +type: boolean + -- *`amqp.immediate`*:: + -- -type: boolean - Request immediate delivery. +type: boolean + -- *`amqp.content-type`*:: + -- -type: keyword +MIME content type. -example: text/plain -MIME content type. +type: keyword +example: text/plain -- *`amqp.content-encoding`*:: + -- -type: keyword - MIME content encoding. +type: keyword + -- *`amqp.headers`*:: + -- -type: object - Message header field table. 
+type: object + -- *`amqp.delivery-mode`*:: + -- -type: keyword - Non-persistent (1) or persistent (2). +type: keyword + -- *`amqp.priority`*:: + -- -type: long - Message priority, 0 to 9. +type: long + -- *`amqp.correlation-id`*:: + -- -type: keyword - Application correlation identifier. +type: keyword + -- *`amqp.reply-to`*:: + -- -type: keyword - Address to reply to. +type: keyword + -- *`amqp.expiration`*:: + -- -type: keyword - Message expiration specification. +type: keyword + -- *`amqp.message-id`*:: + -- -type: keyword - Application message identifier. +type: keyword + -- *`amqp.timestamp`*:: + -- -type: keyword - Message timestamp. +type: keyword + -- *`amqp.type`*:: + -- -type: keyword - Message type name. +type: keyword + -- *`amqp.user-id`*:: + -- -type: keyword - Creating user id. +type: keyword + -- *`amqp.app-id`*:: + -- -type: keyword - Creating application id. +type: keyword + -- [[exported-fields-beat]] @@ -452,10 +452,10 @@ Contains common beat fields available in all event types. *`agent.hostname`*:: + -- -type: keyword - Hostname of the agent. +type: keyword + -- *`beat.timezone`*:: @@ -470,15 +470,15 @@ alias to: event.timezone *`fields`*:: + -- -type: object - Contains user configurable fields. +type: object + -- [float] -== error fields +=== error Error fields containing additional info in case of errors. @@ -487,11 +487,11 @@ Error fields containing additional info in case of errors. *`error.type`*:: + -- -type: keyword - Error type. +type: keyword + -- *`beat.name`*:: @@ -515,10 +515,10 @@ alias to: agent.hostname *`timeseries.instance`*:: + -- -type: keyword - Time series instance id +type: keyword + -- [[exported-fields-cassandra]] @@ -537,7 +537,7 @@ alias to: cassandra.no_request -- [float] -== cassandra fields +=== cassandra Information about the Cassandra request and response. 
@@ -545,21 +545,21 @@ Information about the Cassandra request and response. *`cassandra.no_request`*:: + -- -type: boolean - Indicates that there is no request because this is a PUSH message. +type: boolean + -- [float] -== request fields +=== request Cassandra request. [float] -== headers fields +=== headers Cassandra request headers. @@ -567,65 +567,65 @@ Cassandra request headers. *`cassandra.request.headers.version`*:: + -- -type: long - The version of the protocol. +type: long + -- *`cassandra.request.headers.flags`*:: + -- -type: keyword - Flags applying to this frame. +type: keyword + -- *`cassandra.request.headers.stream`*:: + -- -type: keyword - A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. +type: keyword + -- *`cassandra.request.headers.op`*:: + -- -type: keyword - An operation type that distinguishes the actual message. +type: keyword + -- *`cassandra.request.headers.length`*:: + -- -type: long - A integer representing the length of the body of the frame (a frame is limited to 256MB in length). +type: long + -- *`cassandra.request.query`*:: + -- -type: keyword - The CQL query which client send to cassandra. +type: keyword + -- [float] -== response fields +=== response Cassandra response. [float] -== headers fields +=== headers Cassandra response headers, the structure is as same as request's header. 
@@ -633,50 +633,50 @@ Cassandra response headers, the structure is as same as request's header. *`cassandra.response.headers.version`*:: + -- -type: long - The version of the protocol. +type: long + -- *`cassandra.response.headers.flags`*:: + -- -type: keyword - Flags applying to this frame. +type: keyword + -- *`cassandra.response.headers.stream`*:: + -- -type: keyword - A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X. +type: keyword + -- *`cassandra.response.headers.op`*:: + -- -type: keyword - An operation type that distinguishes the actual message. +type: keyword + -- *`cassandra.response.headers.length`*:: + -- -type: long - A integer representing the length of the body of the frame (a frame is limited to 256MB in length). +type: long + -- [float] -== result fields +=== result Details about the returned result. @@ -684,14 +684,14 @@ Details about the returned result. *`cassandra.response.result.type`*:: + -- -type: keyword - Cassandra result type. +type: keyword + -- [float] -== rows fields +=== rows Details about the rows. @@ -699,14 +699,14 @@ Details about the rows. *`cassandra.response.result.rows.num_rows`*:: + -- -type: long - Representing the number of rows present in this result. +type: long + -- [float] -== meta fields +=== meta Composed of result metadata. 
@@ -714,68 +714,68 @@ Composed of result metadata. *`cassandra.response.result.rows.meta.keyspace`*:: + -- -type: keyword - Only present after set Global_tables_spec, the keyspace name. +type: keyword + -- *`cassandra.response.result.rows.meta.table`*:: + -- -type: keyword - Only present after set Global_tables_spec, the table name. +type: keyword + -- *`cassandra.response.result.rows.meta.flags`*:: + -- -type: keyword - Provides information on the formatting of the remaining information. +type: keyword + -- *`cassandra.response.result.rows.meta.col_count`*:: + -- -type: long - Representing the number of columns selected by the query that produced this result. +type: long + -- *`cassandra.response.result.rows.meta.pkey_columns`*:: + -- -type: long - Representing the PK columns index and counts. +type: long + -- *`cassandra.response.result.rows.meta.paging_state`*:: + -- -type: keyword - The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. +type: keyword + -- *`cassandra.response.result.keyspace`*:: + -- -type: keyword - Indicating the name of the keyspace that has been set. +type: keyword + -- [float] -== schema_change fields +=== schema_change The result to a schema_change message. 
@@ -783,68 +783,68 @@ The result to a schema_change message. *`cassandra.response.result.schema_change.change`*:: + -- -type: keyword - Representing the type of changed involved. +type: keyword + -- *`cassandra.response.result.schema_change.keyspace`*:: + -- -type: keyword - This describes which keyspace has changed. +type: keyword + -- *`cassandra.response.result.schema_change.table`*:: + -- -type: keyword - This describes which table has changed. +type: keyword + -- *`cassandra.response.result.schema_change.object`*:: + -- -type: keyword - This describes the name of said affected object (either the table, user type, function, or aggregate name). +type: keyword + -- *`cassandra.response.result.schema_change.target`*:: + -- -type: keyword - Target could be "FUNCTION" or "AGGREGATE", multiple arguments. +type: keyword + -- *`cassandra.response.result.schema_change.name`*:: + -- -type: keyword - The function/aggregate name. +type: keyword + -- *`cassandra.response.result.schema_change.args`*:: + -- -type: keyword - One string for each argument type (as CQL type). +type: keyword + -- [float] -== prepared fields +=== prepared The result to a PREPARE message. @@ -852,14 +852,14 @@ The result to a PREPARE message. *`cassandra.response.result.prepared.prepared_id`*:: + -- -type: keyword - Representing the prepared query ID. +type: keyword + -- [float] -== req_meta fields +=== req_meta This describes the request metadata. 
@@ -867,59 +867,59 @@ This describes the request metadata. *`cassandra.response.result.prepared.req_meta.keyspace`*:: + -- -type: keyword - Only present after set Global_tables_spec, the keyspace name. +type: keyword + -- *`cassandra.response.result.prepared.req_meta.table`*:: + -- -type: keyword - Only present after set Global_tables_spec, the table name. +type: keyword + -- *`cassandra.response.result.prepared.req_meta.flags`*:: + -- -type: keyword - Provides information on the formatting of the remaining information. +type: keyword + -- *`cassandra.response.result.prepared.req_meta.col_count`*:: + -- -type: long - Representing the number of columns selected by the query that produced this result. +type: long + -- *`cassandra.response.result.prepared.req_meta.pkey_columns`*:: + -- -type: long - Representing the PK columns index and counts. +type: long + -- *`cassandra.response.result.prepared.req_meta.paging_state`*:: + -- -type: keyword - The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. +type: keyword + -- [float] -== resp_meta fields +=== resp_meta This describes the metadata for the result set. 
@@ -927,68 +927,68 @@ This describes the metadata for the result set. *`cassandra.response.result.prepared.resp_meta.keyspace`*:: + -- -type: keyword - Only present after set Global_tables_spec, the keyspace name. +type: keyword + -- *`cassandra.response.result.prepared.resp_meta.table`*:: + -- -type: keyword - Only present after set Global_tables_spec, the table name. +type: keyword + -- *`cassandra.response.result.prepared.resp_meta.flags`*:: + -- -type: keyword - Provides information on the formatting of the remaining information. +type: keyword + -- *`cassandra.response.result.prepared.resp_meta.col_count`*:: + -- -type: long - Representing the number of columns selected by the query that produced this result. +type: long + -- *`cassandra.response.result.prepared.resp_meta.pkey_columns`*:: + -- -type: long - Representing the PK columns index and counts. +type: long + -- *`cassandra.response.result.prepared.resp_meta.paging_state`*:: + -- -type: keyword - The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query. +type: keyword + -- *`cassandra.response.supported`*:: + -- -type: object - Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message. +type: object + -- [float] -== authentication fields +=== authentication Indicates that the server requires authentication, and which authentication mechanism to use. 
@@ -996,23 +996,23 @@ Indicates that the server requires authentication, and which authentication mech *`cassandra.response.authentication.class`*:: + -- -type: keyword - Indicates the full class name of the IAuthenticator in use +type: keyword + -- *`cassandra.response.warnings`*:: + -- -type: keyword - The text of the warnings, only occur when Warning flag was set. +type: keyword + -- [float] -== event fields +=== event Event pushed by the server. A client will only receive events for the types it has REGISTERed to. @@ -1020,41 +1020,41 @@ Event pushed by the server. A client will only receive events for the types it h *`cassandra.response.event.type`*:: + -- -type: keyword - Representing the event type. +type: keyword + -- *`cassandra.response.event.change`*:: + -- -type: keyword - The message corresponding respectively to the type of change followed by the address of the new/removed node. +type: keyword + -- *`cassandra.response.event.host`*:: + -- -type: keyword - Representing the node ip. +type: keyword + -- *`cassandra.response.event.port`*:: + -- -type: long - Representing the node port. +type: long + -- [float] -== schema_change fields +=== schema_change The events details related to schema change. 
@@ -1062,68 +1062,68 @@ The events details related to schema change. *`cassandra.response.event.schema_change.change`*:: + -- -type: keyword - Representing the type of changed involved. +type: keyword + -- *`cassandra.response.event.schema_change.keyspace`*:: + -- -type: keyword - This describes which keyspace has changed. +type: keyword + -- *`cassandra.response.event.schema_change.table`*:: + -- -type: keyword - This describes which table has changed. +type: keyword + -- *`cassandra.response.event.schema_change.object`*:: + -- -type: keyword - This describes the name of said affected object (either the table, user type, function, or aggregate name). +type: keyword + -- *`cassandra.response.event.schema_change.target`*:: + -- -type: keyword - Target could be "FUNCTION" or "AGGREGATE", multiple arguments. +type: keyword + -- *`cassandra.response.event.schema_change.name`*:: + -- -type: keyword - The function/aggregate name. +type: keyword + -- *`cassandra.response.event.schema_change.args`*:: + -- -type: keyword - One string for each argument type (as CQL type). +type: keyword + -- [float] -== error fields +=== error Indicates an error processing a request. The body of the message will be an error code followed by a error message. Then, depending on the exception, more content may follow. @@ -1131,32 +1131,32 @@ Indicates an error processing a request. The body of the message will be an err *`cassandra.response.error.code`*:: + -- -type: long - The error code of the Cassandra response. +type: long + -- *`cassandra.response.error.msg`*:: + -- -type: keyword - The error message of the Cassandra response. +type: keyword + -- *`cassandra.response.error.type`*:: + -- -type: keyword - The error type of the Cassandra response. +type: keyword + -- [float] -== details fields +=== details The details of the error. 
@@ -1164,118 +1164,118 @@ The details of the error. *`cassandra.response.error.details.read_consistency`*:: + -- -type: keyword - Representing the consistency level of the query that triggered the exception. +type: keyword + -- *`cassandra.response.error.details.required`*:: + -- -type: long - Representing the number of nodes that should be alive to respect consistency level. +type: long + -- *`cassandra.response.error.details.alive`*:: + -- -type: long - Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered). +type: long + -- *`cassandra.response.error.details.received`*:: + -- -type: long - Representing the number of nodes having acknowledged the request. +type: long + -- *`cassandra.response.error.details.blockfor`*:: + -- -type: long - Representing the number of replicas whose acknowledgement is required to achieve consistency level. +type: long + -- *`cassandra.response.error.details.write_type`*:: + -- -type: keyword - Describe the type of the write that timed out. +type: keyword + -- *`cassandra.response.error.details.data_present`*:: + -- -type: boolean - It means the replica that was asked for data had responded. +type: boolean + -- *`cassandra.response.error.details.keyspace`*:: + -- -type: keyword - The keyspace of the failed function. +type: keyword + -- *`cassandra.response.error.details.table`*:: + -- -type: keyword - The keyspace of the failed function. +type: keyword + -- *`cassandra.response.error.details.stmt_id`*:: + -- -type: keyword - Representing the unknown ID. +type: keyword + -- *`cassandra.response.error.details.num_failures`*:: + -- -type: keyword - Representing the number of nodes that experience a failure while executing the request. +type: keyword + -- *`cassandra.response.error.details.function`*:: + -- -type: keyword - The name of the failed function. 
+type: keyword + -- *`cassandra.response.error.details.arg_types`*:: + -- -type: keyword - One string for each argument type (as CQL type) of the failed function. +type: keyword + -- [[exported-fields-cloud]] @@ -1288,11 +1288,11 @@ Metadata from cloud providers added by the add_cloud_metadata processor. *`cloud.project.id`*:: + -- -example: project-x - Name of the project in Google Cloud. +example: project-x + -- *`meta.cloud.provider`*:: @@ -1368,11 +1368,11 @@ These fields contain data about the environment in which the transaction or flow *`type`*:: + -- -required: True - The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows. +required: True + -- *`server.process.name`*:: @@ -1458,25 +1458,25 @@ The time the client process started. *`real_ip`*:: + -- -type: alias - -alias to: network.forwarded_ip - If the server initiating the transaction is a proxy, this field contains the original client IP address. For HTTP, for example, the IP address extracted from a configurable HTTP header, by default `X-Forwarded-For`. Unless this field is disabled, it always has a value, and it matches the `client_ip` for non proxy clients. +type: alias + +alias to: network.forwarded_ip + -- *`transport`*:: + -- -type: alias +The transport protocol used for the transaction. If not specified, then tcp is assumed. -alias to: network.transport -The transport protocol used for the transaction. If not specified, then tcp is assumed. +type: alias +alias to: network.transport -- 
@@ -1490,206 +1490,204 @@ DHCPv4 event fields *`dhcpv4.transaction_id`*:: + -- -type: keyword - Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server. +type: keyword + -- *`dhcpv4.seconds`*:: + -- -type: long - Number of seconds elapsed since client began address acquisition or renewal process. +type: long + -- *`dhcpv4.flags`*:: + -- -type: keyword - Flags are set by the client to indicate how the DHCP server should its reply -- either unicast or broadcast. +type: keyword + -- *`dhcpv4.client_ip`*:: + -- -type: ip - The current IP address of the client. +type: ip + -- *`dhcpv4.assigned_ip`*:: + -- -type: ip - The IP address that the DHCP server is assigning to the client. This field is also known as "your" IP address. +type: ip + -- *`dhcpv4.server_ip`*:: + -- -type: ip - The IP address of the DHCP server that the client should use for the next step in the bootstrap process. +type: ip + -- *`dhcpv4.relay_ip`*:: + -- -type: ip - The relay IP address used by the client to contact the server (i.e. a DHCP relay server). +type: ip + -- *`dhcpv4.client_mac`*:: + -- -type: keyword - The client's MAC address (layer two). +type: keyword + -- *`dhcpv4.server_name`*:: + -- -type: keyword - The name of the server sending the message. Optional. Used in DHCPOFFER or DHCPACK messages. +type: keyword + -- *`dhcpv4.op_code`*:: + -- -type: keyword +The message op code (bootrequest or bootreply). -example: bootreply -The message op code (bootrequest or bootreply). +type: keyword +example: bootreply -- *`dhcpv4.hops`*:: + -- -type: long - The number of hops the DHCP message went through. +type: long + -- *`dhcpv4.hardware_type`*:: + -- -type: keyword - The type of hardware used for the local network (Ethernet, LocalTalk, etc). +type: keyword + -- *`dhcpv4.option.message_type`*:: + -- -type: keyword - -example: ack - The specific type of DHCP message being sent (e.g. 
discover, offer, request, decline, ack, nak, release, inform). +type: keyword + +example: ack + -- *`dhcpv4.option.parameter_request_list`*:: + -- -type: keyword - This option is used by a DHCP client to request values for specified configuration parameters. +type: keyword + -- *`dhcpv4.option.requested_ip_address`*:: + -- -type: ip - This option is used in a client request (DHCPDISCOVER) to allow the client to request that a particular IP address be assigned. +type: ip + -- *`dhcpv4.option.server_identifier`*:: + -- -type: ip - IP address of the individual DHCP server which handled this message. +type: ip + -- *`dhcpv4.option.broadcast_address`*:: + -- -type: ip - This option specifies the broadcast address in use on the client's subnet. +type: ip + -- *`dhcpv4.option.max_dhcp_message_size`*:: + -- -type: long - This option specifies the maximum length DHCP message that the client is willing to accept. +type: long + -- *`dhcpv4.option.class_identifier`*:: + -- -type: keyword - This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. Vendors may choose to define specific vendor class identifiers to convey 
@@ -1698,165 +1696,167 @@ about a client. For example, the identifier may encode the client's hardware configuration. +type: keyword + -- *`dhcpv4.option.domain_name`*:: + -- -type: keyword - This option specifies the domain name that client should use when resolving hostnames via the Domain Name System. +type: keyword + -- *`dhcpv4.option.dns_servers`*:: + -- -type: ip - The domain name server option specifies a list of Domain Name System servers available to the client. +type: ip + -- *`dhcpv4.option.vendor_identifying_options`*:: + -- -type: object - A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs. This field is described in RFC 3925. +type: object + -- *`dhcpv4.option.subnet_mask`*:: + -- -type: ip - The subnet mask that the client should use on the currnet network. +type: ip + -- *`dhcpv4.option.utc_time_offset_sec`*:: + -- -type: long - The time offset field specifies the offset of the client's subnet in seconds from Coordinated Universal Time (UTC). +type: long + -- *`dhcpv4.option.router`*:: + -- -type: ip - The router option specifies a list of IP addresses for routers on the client's subnet. +type: ip + -- *`dhcpv4.option.time_servers`*:: + -- -type: ip - The time server option specifies a list of RFC 868 time servers available to the client. +type: ip + -- *`dhcpv4.option.ntp_servers`*:: + -- -type: ip - This option specifies a list of IP addresses indicating NTP servers available to the client. +type: ip + -- *`dhcpv4.option.hostname`*:: + -- -type: keyword - This option specifies the name of the client. +type: keyword + -- *`dhcpv4.option.ip_address_lease_time_sec`*:: + -- -type: long - This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. 
In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer. +type: long + -- *`dhcpv4.option.message`*:: + -- -type: text - This option is used by a DHCP server to provide an error message to a DHCP client in a DHCPNAK message in the event of a failure. A client may use this option in a DHCPDECLINE message to indicate the why the client declined the offered parameters. +type: text + -- *`dhcpv4.option.renewal_time_sec`*:: + -- -type: long - This option specifies the time interval from address assignment until the client transitions to the RENEWING state. +type: long + -- *`dhcpv4.option.rebinding_time_sec`*:: + -- -type: long - This option specifies the time interval from address assignment until the client transitions to the REBINDING state. +type: long + -- *`dhcpv4.option.boot_file_name`*:: + -- -type: keyword - This option is used to identify a bootfile when the 'file' field in the DHCP header has been used for DHCP options. +type: keyword + -- [[exported-fields-dns]] 
@@ -1869,184 +1869,184 @@ DNS-specific event fields. *`dns.id`*:: + -- -type: long - The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +type: long + -- *`dns.op_code`*:: + -- -example: QUERY - The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response. +example: QUERY + -- *`dns.flags.authoritative`*:: + -- -type: boolean - A DNS flag specifying that the responding server is an authority for the domain name used in the question. +type: boolean + -- *`dns.flags.recursion_available`*:: + -- -type: boolean - A DNS flag specifying whether recursive query support is available in the name server. +type: boolean + -- *`dns.flags.recursion_desired`*:: + -- -type: boolean - A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional. +type: boolean + -- *`dns.flags.authentic_data`*:: + -- -type: boolean - A DNS flag specifying that the recursive server considers the response authentic. +type: boolean + -- *`dns.flags.checking_disabled`*:: + -- -type: boolean - A DNS flag specifying that the client disables the server signature validation of the query. +type: boolean + -- *`dns.flags.truncated_response`*:: + -- -type: boolean - A DNS flag specifying that only the first 512 bytes of the reply were returned. +type: boolean + -- *`dns.response_code`*:: + -- -example: NOERROR - The DNS status code. +example: NOERROR + -- *`dns.question.name`*:: + -- -example: www.google.com. - The domain name being queried. If the name field contains non-printable characters (below 32 or above 126), then those characters are represented as escaped base 10 integers (\DDD). Back slashes and quotes are escaped. Tabs, carriage returns, and line feeds are converted to \t, \r, and \n respectively. +example: www.google.com. 
+ -- *`dns.question.type`*:: + -- -example: AAAA - The type of records being queried. +example: AAAA + -- *`dns.question.class`*:: + -- -example: IN - The class of of records being queried. +example: IN + -- *`dns.question.etld_plus_one`*:: + -- -example: amazon.co.uk. - The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org. +example: amazon.co.uk. + -- *`dns.answers`*:: + -- -type: object - An array containing a dictionary about each answer section returned by the server. +type: object + -- *`dns.answers_count`*:: + -- -type: long - The number of resource records contained in the `dns.answers` field. +type: long + -- *`dns.answers.name`*:: + -- -example: example.com. - The domain name to which this resource record pertains. +example: example.com. + -- *`dns.answers.type`*:: + -- -example: MX - The type of data contained in this resource record. +example: MX + -- *`dns.answers.class`*:: + -- -example: IN - The class of DNS data contained in this resource record. +example: IN + -- *`dns.answers.ttl`*:: + -- -type: long - The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. +type: long + -- *`dns.answers.data`*:: 
@@ -2060,105 +2060,105 @@ The data describing the resource. The meaning of this data depends on the type a *`dns.authorities`*:: + -- -type: object - An array containing a dictionary for each authority section from the answer. +type: object + -- *`dns.authorities_count`*:: + -- -type: long - The number of resource records contained in the `dns.authorities` field. The `dns.authorities` field may or may not be included depending on the configuration of Packetbeat. +type: long + -- *`dns.authorities.name`*:: + -- -example: example.com. - The domain name to which this resource record pertains. +example: example.com. + -- *`dns.authorities.type`*:: + -- -example: NS - The type of data contained in this resource record. +example: NS + -- *`dns.authorities.class`*:: + -- -example: IN - The class of DNS data contained in this resource record. +example: IN + -- *`dns.additionals`*:: + -- -type: object - An array containing a dictionary for each additional section from the answer. +type: object + -- *`dns.additionals_count`*:: + -- -type: long - The number of resource records contained in the `dns.additionals` field. The `dns.additionals` field may or may not be included depending on the configuration of Packetbeat. +type: long + -- *`dns.additionals.name`*:: + -- -example: example.com. - The domain name to which this resource record pertains. +example: example.com. + -- *`dns.additionals.type`*:: + -- -example: NS - The type of data contained in this resource record. +example: NS + -- *`dns.additionals.class`*:: + -- -example: IN - The class of DNS data contained in this resource record. +example: IN + -- *`dns.additionals.ttl`*:: + -- -type: long - The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached. +type: long + -- *`dns.additionals.data`*:: 
@@ -2172,37 +2172,37 @@ The data describing the resource. The meaning of this data depends on the type a *`dns.opt.version`*:: + -- -example: 0 - The EDNS version. +example: 0 + -- *`dns.opt.do`*:: + -- -type: boolean - If set, the transaction uses DNSSEC. +type: boolean + -- *`dns.opt.ext_rcode`*:: + -- -example: BADVERS - Extended response code field. +example: BADVERS + -- *`dns.opt.udp_size`*:: + -- -type: long - Requestor's UDP payload size (in bytes). +type: long + -- [[exported-fields-docker-processor]] @@ -2243,11 +2243,11 @@ alias to: container.name *`docker.container.labels`*:: + -- -type: object - Image labels. +type: object + -- [[exported-fields-ecs]] 
@@ -2259,58 +2259,58 @@ ECS Fields. *`@timestamp`*:: + -- +Date/time when the event originated. +This is the date/time extracted from the event, typically representing when the event was generated by the source. +If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. +Required field for all events. + type: date example: 2016-05-23T08:05:34.853Z required: True -Date/time when the event originated. -This is the date/time extracted from the event, typically representing when the event was generated by the source. -If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. -Required field for all events. - -- *`labels`*:: + -- -type: object - -example: {'application': 'foo-bar', 'env': 'production'} - Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. +type: object + +example: {'application': 'foo-bar', 'env': 'production'} + -- *`message`*:: + -- -type: text - -example: Hello World - For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. +type: text + +example: Hello World + -- *`tags`*:: + -- +List of keywords used to tag each event. + type: keyword example: ["production", "env2"] -List of keywords used to tag each event. - -- [float] -== agent fields +=== agent The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. 
ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. 
@@ -2319,65 +2319,65 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha *`agent.ephemeral_id`*:: + -- +Ephemeral identifier of this agent (if one exists). +This id normally changes across restarts, but `agent.id` does not. + type: keyword example: 8a4f500f -Ephemeral identifier of this agent (if one exists). -This id normally changes across restarts, but `agent.id` does not. - -- *`agent.id`*:: + -- +Unique identifier of this agent (if one exists). +Example: For Beats this would be beat.id. + type: keyword example: 8a4f500d -Unique identifier of this agent (if one exists). -Example: For Beats this would be beat.id. - -- *`agent.name`*:: + -- -type: keyword - -example: foo - Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. +type: keyword + +example: foo + -- *`agent.type`*:: + -- +Type of the agent. +The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. + type: keyword example: filebeat -Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. - -- *`agent.version`*:: + -- +Version of the agent. + type: keyword example: 6.0.0-rc2 -Version of the agent. - -- [float] -== client fields +=== client A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). 
For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. 
@@ -2387,234 +2387,234 @@ Client / server representations can add semantic context to an exchange, which i *`client.address`*:: + -- -type: keyword - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`client.bytes`*:: + -- +Bytes sent from the client to the server. + type: long example: 184 format: bytes -Bytes sent from the client to the server. - -- *`client.domain`*:: + -- -type: keyword - Client domain. +type: keyword + -- *`client.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`client.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`client.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`client.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`client.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`client.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`client.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`client.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`client.ip`*:: + -- -type: ip - IP address of the client. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`client.mac`*:: + -- -type: keyword - MAC address of the client. +type: keyword + -- *`client.packets`*:: + -- +Packets sent from the client to the server. + type: long example: 12 -Packets sent from the client to the server. - -- *`client.port`*:: + -- -type: long - Port of the client. +type: long + -- *`client.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`client.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`client.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`client.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`client.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`client.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`client.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== cloud fields +=== cloud Fields related to the cloud or infrastructure the events are coming from. 
@@ -2622,81 +2622,81 @@ Fields related to the cloud or infrastructure the events are coming from. *`cloud.account.id`*:: + -- +The cloud account or organization id used to identify different entities in a multi-tenant environment. +Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + type: keyword example: 666777888999 -The cloud account or organization id used to identify different entities in a multi-tenant environment. -Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - -- *`cloud.availability_zone`*:: + -- +Availability zone in which this host is running. + type: keyword example: us-east-1c -Availability zone in which this host is running. - -- *`cloud.instance.id`*:: + -- +Instance ID of the host machine. + type: keyword example: i-1234567890abcdef0 -Instance ID of the host machine. - -- *`cloud.instance.name`*:: + -- -type: keyword - Instance name of the host machine. +type: keyword + -- *`cloud.machine.type`*:: + -- +Machine type of the host machine. + type: keyword example: t2.medium -Machine type of the host machine. - -- *`cloud.provider`*:: + -- +Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + type: keyword example: aws -Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - -- *`cloud.region`*:: + -- +Region in which this host is running. + type: keyword example: us-east-1 -Region in which this host is running. - -- [float] -== container fields +=== container Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime. 
@@ -2705,61 +2705,61 @@ These fields help correlate data based containers from any runtime. *`container.id`*:: + -- -type: keyword - Unique container id. +type: keyword + -- *`container.image.name`*:: + -- -type: keyword - Name of the image the container was built on. +type: keyword + -- *`container.image.tag`*:: + -- -type: keyword - Container image tag. +type: keyword + -- *`container.labels`*:: + -- -type: object - Image labels. +type: object + -- *`container.name`*:: + -- -type: keyword - Container name. +type: keyword + -- *`container.runtime`*:: + -- +Runtime managing this container. + type: keyword example: docker -Runtime managing this container. - -- [float] -== destination fields +=== destination Destination fields describe details about the destination of a packet/event. Destination fields are usually populated in conjunction with source fields. 
@@ -2768,234 +2768,234 @@ Destination fields are usually populated in conjunction with source fields. *`destination.address`*:: + -- -type: keyword - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`destination.bytes`*:: + -- +Bytes sent from the destination to the source. + type: long example: 184 format: bytes -Bytes sent from the destination to the source. - -- *`destination.domain`*:: + -- -type: keyword - Destination domain. +type: keyword + -- *`destination.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`destination.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`destination.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`destination.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`destination.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`destination.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`destination.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`destination.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`destination.ip`*:: + -- -type: ip - IP address of the destination. 
Can be one or multiple IPv4 or IPv6 addresses. +type: ip + -- *`destination.mac`*:: + -- -type: keyword - MAC address of the destination. +type: keyword + -- *`destination.packets`*:: + -- +Packets sent from the destination to the source. + type: long example: 12 -Packets sent from the destination to the source. - -- *`destination.port`*:: + -- -type: long - Port of the destination. +type: long + -- *`destination.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`destination.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`destination.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`destination.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`destination.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`destination.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`destination.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== ecs fields +=== ecs Meta-information specific to ECS. 
@@ -3003,19 +3003,19 @@ Meta-information specific to ECS. *`ecs.version`*:: + -- +ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. +When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + type: keyword example: 1.0.0 required: True -ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. -When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - -- [float] -== error fields +=== error These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. @@ -3024,32 +3024,32 @@ Use them for errors that happen while fetching events or in cases where the even *`error.code`*:: + -- -type: keyword - Error code describing the error. +type: keyword + -- *`error.id`*:: + -- -type: keyword - Unique identifier for the error. +type: keyword + -- *`error.message`*:: + -- -type: text - Error message. +type: text + -- [float] -== event fields +=== event The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. 
@@ -3058,203 +3058,203 @@ A log is defined as an event containing details of something that happened. Log *`event.action`*:: + -- +The action captured by the event. +This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + type: keyword example: user-password-change -The action captured by the event. -This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - -- *`event.category`*:: + -- +Event category. +This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: user-management -Event category. -This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.created`*:: + -- -type: date - event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
+type: date + -- *`event.dataset`*:: + -- +Name of the dataset. +The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. + type: keyword example: stats -Name of the dataset. -The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. - -- *`event.duration`*:: + -- +Duration of the event in nanoseconds. +If event.start and event.end are known this value should be the difference between the end and start time. + type: long format: duration -Duration of the event in nanoseconds. -If event.start and event.end are known this value should be the difference between the end and start time. - -- *`event.end`*:: + -- -type: date - event.end contains the date when the event ended or when the activity was last observed. +type: date + -- *`event.hash`*:: + -- +Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. + type: keyword example: 123456789012345678901234567890ABCD -Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. - -- *`event.id`*:: + -- +Unique ID to describe the event. + type: keyword example: 8a4f500d -Unique ID to describe the event. - -- *`event.kind`*:: + -- +The kind of the event. +This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: state -The kind of the event. -This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. 
Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.module`*:: + -- +Name of the module this data is coming from. +This information is coming from the modules used in Beats or Logstash. + type: keyword example: mysql -Name of the module this data is coming from. -This information is coming from the modules used in Beats or Logstash. - -- *`event.original`*:: + -- +Raw text message of entire event. Used to demonstrate log integrity. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. + type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 -Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. - -- *`event.outcome`*:: + -- +The outcome of the event. +If the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: success -The outcome of the event. -If the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.risk_score`*:: + -- -type: float - Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +type: float + -- *`event.risk_score_norm`*:: + -- -type: float - Normalized risk score or priority of the event, on a scale of 0 to 100. 
This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. +type: float + -- *`event.severity`*:: + -- +Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events. + type: long example: 7 -Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events. - -- *`event.start`*:: + -- -type: date - event.start contains the date when the event started or when the activity was first observed. +type: date + -- *`event.timezone`*:: + -- -type: keyword - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). +type: keyword + -- *`event.type`*:: + -- -type: keyword - Reserved for future usage. Please avoid using this field for user data. +type: keyword + -- [float] -== file fields +=== file A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. 
@@ -3263,136 +3263,136 @@ File objects can be associated with host events, network events, and/or file eve *`file.ctime`*:: + -- -type: date - Last time file metadata changed. +type: date + -- *`file.device`*:: + -- -type: keyword - Device that is the source of the file. +type: keyword + -- *`file.extension`*:: + -- +File extension. +This should allow easy filtering by file extensions. + type: keyword example: png -File extension. -This should allow easy filtering by file extensions. - -- *`file.gid`*:: + -- -type: keyword - Primary group ID (GID) of the file. +type: keyword + -- *`file.group`*:: + -- -type: keyword - Primary group name of the file. +type: keyword + -- *`file.inode`*:: + -- -type: keyword - Inode representing the file in the filesystem. +type: keyword + -- *`file.mode`*:: + -- +Mode of the file in octal representation. + type: keyword example: 416 -Mode of the file in octal representation. - -- *`file.mtime`*:: + -- -type: date - Last time file content was modified. +type: date + -- *`file.owner`*:: + -- -type: keyword - File owner's username. +type: keyword + -- *`file.path`*:: + -- -type: keyword - Path to the file. +type: keyword + -- *`file.size`*:: + -- -type: long - File size in bytes (field is only added when `type` is `file`). +type: long + -- *`file.target_path`*:: + -- -type: keyword - Target path for symlinks. +type: keyword + -- *`file.type`*:: + -- -type: keyword - File type (file, dir, or symlink). +type: keyword + -- *`file.uid`*:: + -- -type: keyword - The user ID (UID) or security identifier (SID) of the file owner. +type: keyword + -- [float] -== geo fields +=== geo Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. 
@@ -3401,95 +3401,95 @@ This geolocation information can be derived from techniques such as Geo IP, or b *`geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- [float] -== group fields +=== group The group fields are meant to represent groups that are relevant to the event. @@ -3497,23 +3497,23 @@ The group fields are meant to represent groups that are relevant to the event. *`group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- [float] -== host fields +=== host A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. 
@@ -3522,299 +3522,299 @@ ECS host.* fields should be populated with details about the host on which the e *`host.architecture`*:: + -- +Operating system architecture. + type: keyword example: x86_64 -Operating system architecture. - -- *`host.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`host.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`host.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`host.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`host.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`host.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`host.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`host.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`host.hostname`*:: + -- -type: keyword - Hostname of the host. It normally contains what the `hostname` command returns on the host machine. +type: keyword + -- *`host.id`*:: + -- -type: keyword - Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. +type: keyword + -- *`host.ip`*:: + -- -type: ip - Host ip address. +type: ip + -- *`host.mac`*:: + -- -type: keyword - Host mac address. +type: keyword + -- *`host.name`*:: + -- -type: keyword - Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. +type: keyword + -- *`host.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`host.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`host.os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`host.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`host.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`host.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`host.type`*:: + -- -type: keyword - Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. +type: keyword + -- *`host.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`host.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`host.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`host.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`host.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. 
Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`host.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`host.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== http fields +=== http Fields related to HTTP activity. Use the `url` field set to store the url of the request. 
@@ -3822,124 +3822,124 @@ Fields related to HTTP activity. Use the `url` field set to store the url of the *`http.request.body.bytes`*:: + -- +Size in bytes of the request body. + type: long example: 887 format: bytes -Size in bytes of the request body. - -- *`http.request.body.content`*:: + -- +The full HTTP request body. + type: keyword example: Hello world -The full HTTP request body. - -- *`http.request.bytes`*:: + -- +Total size in bytes of the request (body and headers). + type: long example: 1437 format: bytes -Total size in bytes of the request (body and headers). - -- *`http.request.method`*:: + -- +HTTP request method. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: get, post, put -HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`http.request.referrer`*:: + -- +Referrer for this HTTP request. + type: keyword example: https://blog.example.com/ -Referrer for this HTTP request. - -- *`http.response.body.bytes`*:: + -- +Size in bytes of the response body. + type: long example: 887 format: bytes -Size in bytes of the response body. - -- *`http.response.body.content`*:: + -- +The full HTTP response body. + type: keyword example: Hello world -The full HTTP response body. - -- *`http.response.bytes`*:: + -- +Total size in bytes of the response (body and headers). + type: long example: 1437 format: bytes -Total size in bytes of the response (body and headers). - -- *`http.response.status_code`*:: + -- +HTTP response status code. + type: long example: 404 -HTTP response status code. - -- *`http.version`*:: + -- +HTTP version. + type: keyword example: 1.1 -HTTP version. - -- [float] -== log fields +=== log Fields which are specific to log events. 
@@ -3947,30 +3947,30 @@ Fields which are specific to log events. *`log.level`*:: + -- +Original log level of the log event. +Some examples are `warn`, `error`, `i`. + type: keyword example: err -Original log level of the log event. -Some examples are `warn`, `error`, `i`. - -- *`log.original`*:: + -- -type: keyword - -example: Sep 19 08:26:10 localhost My log - This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. +type: keyword + +example: Sep 19 08:26:10 localhost My log + -- [float] -== network fields +=== network The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event. 
@@ -3979,48 +3979,44 @@ The network.* fields should be populated with details about the network activity *`network.application`*:: + -- +A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: aim -A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`network.bytes`*:: + -- +Total bytes transferred in both directions. +If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + type: long example: 368 format: bytes -Total bytes transferred in both directions. -If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - -- *`network.community_id`*:: + -- +A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. +Learn more at https://github.com/corelight/community-id-spec. + type: keyword example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= -A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. -Learn more at https://github.com/corelight/community-id-spec. - -- *`network.direction`*:: + -- -type: keyword - -example: inbound - Direction of the network traffic. 
Recommended values are: * inbound 
@@ -4032,91 +4028,95 @@ Recommended values are: When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. +type: keyword + +example: inbound + -- *`network.forwarded_ip`*:: + -- +Host IP address when the source IP address is the proxy. + type: ip example: 192.1.1.2 -Host IP address when the source IP address is the proxy. - -- *`network.iana_number`*:: + -- +IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + type: keyword example: 6 -IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - -- *`network.name`*:: + -- +Name given by operators to sections of their network. + type: keyword example: Guest Wifi -Name given by operators to sections of their network. - -- *`network.packets`*:: + -- +Total packets transferred in both directions. +If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + type: long example: 24 -Total packets transferred in both directions. -If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - -- *`network.protocol`*:: + -- +L7 Network protocol name. ex. http, lumberjack, transport protocol. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: http -L7 Network protocol name. ex. http, lumberjack, transport protocol. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". 
- -- *`network.transport`*:: + -- +Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: tcp -Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`network.type`*:: + -- +In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: ipv4 -In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- [float] -== observer fields +=== observer An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. 
@@ -4125,227 +4125,227 @@ This could be a custom hardware appliance or a server that has been configured t *`observer.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`observer.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`observer.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`observer.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`observer.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`observer.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`observer.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`observer.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`observer.hostname`*:: + -- -type: keyword - Hostname of the observer. +type: keyword + -- *`observer.ip`*:: + -- -type: ip - IP address of the observer. +type: ip + -- *`observer.mac`*:: + -- -type: keyword - MAC address of the observer +type: keyword + -- *`observer.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`observer.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`observer.os.kernel`*:: + -- +Operating system kernel version as a raw string. 
+ type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`observer.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`observer.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`observer.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`observer.serial_number`*:: + -- -type: keyword - Observer serial number. +type: keyword + -- *`observer.type`*:: + -- +The type of the observer the data is coming from. +There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + type: keyword example: firewall -The type of the observer the data is coming from. -There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - -- *`observer.vendor`*:: + -- -type: keyword - observer vendor information. +type: keyword + -- *`observer.version`*:: + -- -type: keyword - Observer version. +type: keyword + -- [float] -== organization fields +=== organization The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations. @@ -4354,23 +4354,23 @@ These fields help you arrange or filter data stored in an index by one or multip *`organization.id`*:: + -- -type: keyword - Unique identifier for the organization. +type: keyword + -- *`organization.name`*:: + -- -type: keyword - Organization name. +type: keyword + -- [float] -== os fields +=== os The OS fields contain information about the operating system. 
@@ -4378,71 +4378,71 @@ The OS fields contain information about the operating system. *`os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- [float] -== process fields +=== process These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. 
@@ -4451,101 +4451,101 @@ These fields can help you correlate metrics information with a process id/name f *`process.args`*:: + -- +Array of process arguments. +May be filtered to protect sensitive information. + type: keyword example: ['ssh', '-l', 'user', '10.0.0.16'] -Array of process arguments. -May be filtered to protect sensitive information. - -- *`process.executable`*:: + -- +Absolute path to the process executable. + type: keyword example: /usr/bin/ssh -Absolute path to the process executable. - -- *`process.name`*:: + -- +Process name. +Sometimes called program name or similar. + type: keyword example: ssh -Process name. -Sometimes called program name or similar. - -- *`process.pid`*:: + -- -type: long - Process id. +type: long + -- *`process.ppid`*:: + -- -type: long - Process parent id. +type: long + -- *`process.start`*:: + -- +The time the process started. + type: date example: 2016-05-23T08:05:34.853Z -The time the process started. - -- *`process.thread.id`*:: + -- +Thread ID. + type: long example: 4242 -Thread ID. - -- *`process.title`*:: + -- -type: keyword - Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. +type: keyword + -- *`process.working_directory`*:: + -- +The working directory of the process. + type: keyword example: /home/alice -The working directory of the process. - -- [float] -== related fields +=== related This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. 
@@ -4555,14 +4555,14 @@ A concrete example is IP addresses, which can be under host, observer, source, d *`related.ip`*:: + -- -type: ip - All of the IPs seen on your event. +type: ip + -- [float] -== server fields +=== server A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. 
@@ -4572,234 +4572,234 @@ Client / server representations can add semantic context to an exchange, which i *`server.address`*:: + -- -type: keyword - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`server.bytes`*:: + -- +Bytes sent from the server to the client. + type: long example: 184 format: bytes -Bytes sent from the server to the client. - -- *`server.domain`*:: + -- -type: keyword - Server domain. +type: keyword + -- *`server.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`server.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`server.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`server.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`server.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`server.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`server.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`server.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`server.ip`*:: + -- -type: ip - IP address of the server. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`server.mac`*:: + -- -type: keyword - MAC address of the server. +type: keyword + -- *`server.packets`*:: + -- +Packets sent from the server to the client. + type: long example: 12 -Packets sent from the server to the client. - -- *`server.port`*:: + -- -type: long - Port of the server. +type: long + -- *`server.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`server.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`server.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`server.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`server.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`server.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`server.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== service fields +=== service The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version. 
@@ -4808,78 +4808,78 @@ These fields help you find and correlate logs for a specific service and version *`service.ephemeral_id`*:: + -- +Ephemeral identifier of this service (if one exists). +This id normally changes across restarts, but `service.id` does not. + type: keyword example: 8a4f500f -Ephemeral identifier of this service (if one exists). -This id normally changes across restarts, but `service.id` does not. - -- *`service.id`*:: + -- -type: keyword - -example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - Unique identifier of the running service. This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance. +type: keyword + +example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + -- *`service.name`*:: + -- -type: keyword - -example: elasticsearch-metrics - Name of the service data is collected from. The name of the service is normally user given. This allows if two instances of the same service are running on the same machine they can be differentiated by the `service.name`. Also it allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the `service.type` field if no name is specified. +type: keyword + +example: elasticsearch-metrics + -- *`service.state`*:: + -- -type: keyword - Current state of the service. +type: keyword + -- *`service.type`*:: + -- -type: keyword - -example: elasticsearch - The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
+type: keyword + +example: elasticsearch + -- *`service.version`*:: + -- +Version of the service the data was collected from. +This allows to look at a data set only for a specific version of a service. + type: keyword example: 3.2.4 -Version of the service the data was collected from. -This allows to look at a data set only for a specific version of a service. - -- [float] -== source fields +=== source Source fields describe details about the source of a packet/event. Source fields are usually populated in conjunction with destination fields. 
@@ -4888,234 +4888,234 @@ Source fields are usually populated in conjunction with destination fields. *`source.address`*:: + -- -type: keyword - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`source.bytes`*:: + -- +Bytes sent from the source to the destination. + type: long example: 184 format: bytes -Bytes sent from the source to the destination. - -- *`source.domain`*:: + -- -type: keyword - Source domain. +type: keyword + -- *`source.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`source.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`source.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`source.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`source.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`source.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`source.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`source.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`source.ip`*:: + -- -type: ip - IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`source.mac`*:: + -- -type: keyword - MAC address of the source. +type: keyword + -- *`source.packets`*:: + -- +Packets sent from the source to the destination. + type: long example: 12 -Packets sent from the source to the destination. - -- *`source.port`*:: + -- -type: long - Port of the source. +type: long + -- *`source.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`source.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`source.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`source.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`source.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`source.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`source.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== url fields +=== url URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. 
@@ -5123,111 +5123,111 @@ URL fields provide support for complete or partial URLs, and supports the breaki *`url.domain`*:: + -- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + type: keyword example: www.elastic.co -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - -- *`url.fragment`*:: + -- -type: keyword - Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. +type: keyword + -- *`url.full`*:: + -- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - -- *`url.original`*:: + -- -type: keyword - -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + -- *`url.password`*:: + -- -type: keyword - Password of the request. +type: keyword + -- *`url.path`*:: + -- -type: keyword - Path of the request, such as "/search". +type: keyword + -- *`url.port`*:: + -- +Port of the request, such as 443. + type: long example: 443 -Port of the request, such as 443. 
- -- *`url.query`*:: + -- -type: keyword - The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. +type: keyword + -- *`url.scheme`*:: + -- +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. + type: keyword example: https -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. - -- *`url.username`*:: + -- -type: keyword - Username of the request. +type: keyword + -- [float] -== user fields +=== user The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. 
@@ -5236,73 +5236,73 @@ Fields can have one entry or multiple entries. If a user has more than one id, p *`user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== user_agent fields +=== user_agent The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string. 
@@ -5311,111 +5311,111 @@ They often show up in web service logs coming from the parsed user agent string. *`user_agent.device.name`*:: + -- +Name of the device. + type: keyword example: iPhone -Name of the device. - -- *`user_agent.name`*:: + -- +Name of the user agent. + type: keyword example: Safari -Name of the user agent. - -- *`user_agent.original`*:: + -- +Unparsed version of the user_agent. + type: keyword example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 -Unparsed version of the user_agent. - -- *`user_agent.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`user_agent.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`user_agent.os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`user_agent.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`user_agent.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`user_agent.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`user_agent.version`*:: + -- +Version of the user agent. + type: keyword example: 12.0 -Version of the user agent. - -- [[exported-fields-flows_event]] 
@@ -5428,11 +5428,11 @@ These fields contain data about the flow itself. *`flow.final`*:: + -- -type: boolean - Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only. +type: boolean + -- *`flow.id`*:: @@ -5446,11 +5446,11 @@ Internal flow ID based on connection meta data and address. *`flow.vlan`*:: + -- -type: long - VLAN identifier from the 802.1q frame. In case of a multi-tagged frame this field will be an array with the outer tag's VLAN identifier listed first. +type: long + -- *`flow_id`*:: @@ -5527,34 +5527,34 @@ Info collected for the host machine. *`host.containerized`*:: + -- -type: boolean - If the host is a container. +type: boolean + -- *`host.os.build`*:: + -- -type: keyword +OS build information. -example: 18D109 -OS build information. +type: keyword +example: 18D109 -- *`host.os.codename`*:: + -- -type: keyword +OS codename, if any. -example: stretch -OS codename, if any. +type: keyword +example: stretch -- @@ -5565,13 +5565,13 @@ HTTP-specific event fields. [float] -== http fields +=== http Information about the HTTP request and response. [float] -== request fields +=== request HTTP request @@ -5579,11 +5579,11 @@ HTTP request *`http.request.headers`*:: + -- -type: object - A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. +type: object + -- *`http.request.params`*:: @@ -5596,7 +5596,7 @@ alias to: url.query -- [float] -== response fields +=== response HTTP response 
@@ -5604,20 +5604,20 @@ HTTP response *`http.response.status_phrase`*:: + -- -example: Not Found - The HTTP status phrase. +example: Not Found + -- *`http.response.headers`*:: + -- -type: object - A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas. +type: object + -- *`http.response.code`*:: @@ -5656,55 +5656,55 @@ The version of the ICMP protocol. *`icmp.request.message`*:: + -- -type: keyword - A human readable form of the request. +type: keyword + -- *`icmp.request.type`*:: + -- -type: long - The request type. +type: long + -- *`icmp.request.code`*:: + -- -type: long - The request code. +type: long + -- *`icmp.response.message`*:: + -- -type: keyword - A human readable form of the response. +type: keyword + -- *`icmp.response.type`*:: + -- -type: long - The response type. +type: long + -- *`icmp.response.code`*:: + -- -type: long - The response code. +type: long + -- [[exported-fields-jolokia-autodiscover]] 
@@ -5717,71 +5717,71 @@ Metadata from Jolokia Discovery added by the jolokia provider. *`jolokia.agent.version`*:: + -- -type: keyword - Version number of jolokia agent. +type: keyword + -- *`jolokia.agent.id`*:: + -- -type: keyword - Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. +type: keyword + -- *`jolokia.server.product`*:: + -- -type: keyword - The container product if detected. +type: keyword + -- *`jolokia.server.version`*:: + -- -type: keyword - The container's version (if detected). +type: keyword + -- *`jolokia.server.vendor`*:: + -- -type: keyword - The vendor of the container the agent is running in. +type: keyword + -- *`jolokia.url`*:: + -- -type: keyword - The URL how this agent can be contacted. +type: keyword + -- *`jolokia.secured`*:: + -- -type: boolean - Whether the agent was configured for authentication or not. +type: boolean + -- [[exported-fields-kubernetes-processor]] 
@@ -5795,111 +5795,111 @@ Kubernetes metadata added by the kubernetes processor *`kubernetes.pod.name`*:: + -- -type: keyword - Kubernetes pod name +type: keyword + -- *`kubernetes.pod.uid`*:: + -- -type: keyword - Kubernetes Pod UID +type: keyword + -- *`kubernetes.namespace`*:: + -- -type: keyword - Kubernetes namespace +type: keyword + -- *`kubernetes.node.name`*:: + -- -type: keyword - Kubernetes node name +type: keyword + -- *`kubernetes.labels`*:: + -- -type: object - Kubernetes labels map +type: object + -- *`kubernetes.annotations`*:: + -- -type: object - Kubernetes annotations map +type: object + -- *`kubernetes.replicaset.name`*:: + -- -type: keyword - Kubernetes replicaset name +type: keyword + -- *`kubernetes.deployment.name`*:: + -- -type: keyword - Kubernetes deployment name +type: keyword + -- *`kubernetes.statefulset.name`*:: + -- -type: keyword - Kubernetes statefulset name +type: keyword + -- *`kubernetes.container.name`*:: + -- -type: keyword - Kubernetes container name +type: keyword + -- *`kubernetes.container.image`*:: + -- -type: keyword - Kubernetes container image +type: keyword + -- [[exported-fields-memcache]] 
@@ -5912,425 +5912,425 @@ Memcached-specific event fields *`memcache.protocol_type`*:: + -- -type: keyword - The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type. +type: keyword + -- *`memcache.request.line`*:: + -- -type: keyword - The raw command line for unknown commands ONLY. +type: keyword + -- *`memcache.request.command`*:: + -- -type: keyword - The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands. +type: keyword + -- *`memcache.response.command`*:: + -- -type: keyword - Either the text based protocol response message type or the name of the originating request if binary protocol is used. +type: keyword + -- *`memcache.request.type`*:: + -- -type: keyword - The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". +type: keyword + -- *`memcache.response.type`*:: + -- -type: keyword - The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see `memcache.response.status` for binary protocol). +type: keyword + -- *`memcache.response.error_msg`*:: + -- -type: keyword - The optional error message in the memcache response (text based protocol only). +type: keyword + -- *`memcache.request.opcode`*:: + -- -type: keyword - The binary protocol message opcode name. +type: keyword + -- *`memcache.response.opcode`*:: + -- -type: keyword - The binary protocol message opcode name. +type: keyword + -- *`memcache.request.opcode_value`*:: + -- -type: long - The binary protocol message opcode value. 
+type: long + -- *`memcache.response.opcode_value`*:: + -- -type: long - The binary protocol message opcode value. +type: long + -- *`memcache.request.opaque`*:: + -- -type: long - The binary protocol opaque header value used for correlating request with response messages. +type: long + -- *`memcache.response.opaque`*:: + -- -type: long - The binary protocol opaque header value used for correlating request with response messages. +type: long + -- *`memcache.request.vbucket`*:: + -- -type: long - The vbucket index sent in the binary message. +type: long + -- *`memcache.response.status`*:: + -- -type: keyword - The textual representation of the response error code (binary protocol only). +type: keyword + -- *`memcache.response.status_code`*:: + -- -type: long - The status code value returned in the response (binary protocol only). +type: long + -- *`memcache.request.keys`*:: + -- -type: array - The list of keys sent in the store or load commands. +type: array + -- *`memcache.response.keys`*:: + -- -type: array - The list of keys returned for the load command (if present). +type: array + -- *`memcache.request.count_values`*:: + -- -type: long - The number of values found in the memcache request message. If the command does not send any data, this field is missing. +type: long + -- *`memcache.response.count_values`*:: + -- -type: long - The number of values found in the memcache response message. If the command does not send any data, this field is missing. +type: long + -- *`memcache.request.values`*:: + -- -type: array - The list of base64 encoded values sent with the request (if present). +type: array + -- *`memcache.response.values`*:: + -- -type: array - The list of base64 encoded values sent with the response (if present). +type: array + -- *`memcache.request.bytes`*:: + -- -type: long +The byte count of the values being transferred. -format: bytes -The byte count of the values being transferred. 
+type: long +format: bytes -- *`memcache.response.bytes`*:: + -- -type: long +The byte count of the values being transferred. -format: bytes -The byte count of the values being transferred. +type: long +format: bytes -- *`memcache.request.delta`*:: + -- -type: long - The counter increment/decrement delta value. +type: long + -- *`memcache.request.initial`*:: + -- -type: long - The counter increment/decrement initial value parameter (binary protocol only). +type: long + -- *`memcache.request.verbosity`*:: + -- -type: long - The value of the memcache "verbosity" command. +type: long + -- *`memcache.request.raw_args`*:: + -- -type: keyword - The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands. +type: keyword + -- *`memcache.request.source_class`*:: + -- -type: long - The source class id in 'slab reassign' command. +type: long + -- *`memcache.request.dest_class`*:: + -- -type: long - The destination class id in 'slab reassign' command. +type: long + -- *`memcache.request.automove`*:: + -- -type: keyword - The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown. +type: keyword + -- *`memcache.request.flags`*:: + -- -type: long - The memcache command flags sent in the request (if present). +type: long + -- *`memcache.response.flags`*:: + -- -type: long - The memcache message flags sent in the response (if present). +type: long + -- *`memcache.request.exptime`*:: + -- -type: long - The data expiry time in seconds sent with the memcache command (if present). If the value is <30 days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit). +type: long + -- *`memcache.request.sleep_us`*:: + -- -type: long - The sleep setting in microseconds for the 'lru_crawler sleep' command. 
+type: long + -- *`memcache.response.value`*:: + -- -type: long - The counter value returned by a counter operation. +type: long + -- *`memcache.request.noreply`*:: + -- -type: boolean - Set to true if noreply was set in the request. The `memcache.response` field will be missing. +type: boolean + -- *`memcache.request.quiet`*:: + -- -type: boolean - Set to true if the binary protocol message is to be treated as a quiet message. +type: boolean + -- *`memcache.request.cas_unique`*:: + -- -type: long - The CAS (compare-and-swap) identifier if present. +type: long + -- *`memcache.response.cas_unique`*:: + -- -type: long - The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present). +type: long + -- *`memcache.response.stats`*:: + -- -type: array - The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value". +type: array + -- *`memcache.response.version`*:: + -- -type: keyword - The returned memcache version string. +type: keyword + -- [[exported-fields-mongodb]] @@ -6360,31 +6360,31 @@ The full collection name. The full collection name is the concatenation of the d *`mongodb.numberToSkip`*:: + -- -type: long - Sets the number of documents to omit - starting from the first document in the resulting dataset - when returning the result of the query. +type: long + -- *`mongodb.numberToReturn`*:: + -- -type: long - The requested maximum number of documents to be returned. +type: long + -- *`mongodb.numberReturned`*:: + -- -type: long - The number of documents in the reply. +type: long + -- *`mongodb.startingFrom`*:: @@ -6446,11 +6446,11 @@ MySQL-specific event fields. *`mysql.affected_rows`*:: + -- -type: long - If the MySQL command is successful, this field contains the affected number of rows of the last statement. +type: long + -- *`mysql.insert_id`*:: 
@@ -6488,11 +6488,11 @@ The row mysql query as read from the transaction's request. *`mysql.error_code`*:: + -- -type: long - The error code returned by MySQL. +type: long + -- *`mysql.error_message`*:: @@ -6513,19 +6513,19 @@ NFS v4/3 specific event fields. *`nfs.version`*:: + -- -type: long - NFS protocol version number. +type: long + -- *`nfs.minor_version`*:: + -- -type: long - NFS protocol minor version number. +type: long + -- *`nfs.tag`*:: @@ -6551,7 +6551,7 @@ NFS operation reply status. -- [float] -== rpc fields +=== rpc ONC RPC specific event fields. @@ -6580,19 +6580,19 @@ RPC authentication flavor. *`rpc.cred.uid`*:: + -- -type: long - RPC caller's user id, in case of auth-unix. +type: long + -- *`rpc.cred.gid`*:: + -- -type: long - RPC caller's group id, in case of auth-unix. +type: long + -- *`rpc.cred.gids`*:: @@ -6605,10 +6605,10 @@ RPC caller's secondary group ids, in case of auth-unix. *`rpc.cred.stamp`*:: + -- -type: long - Arbitrary ID which the caller machine may generate. +type: long + -- *`rpc.cred.machinename`*:: @@ -6621,23 +6621,23 @@ The name of the caller's machine. *`rpc.call_size`*:: + -- +RPC call size with argument. + type: alias alias to: source.bytes -RPC call size with argument. - -- *`rpc.reply_size`*:: + -- +RPC reply size with argument. + type: alias alias to: destination.bytes -RPC reply size with argument. - -- [[exported-fields-pgsql]] @@ -6651,10 +6651,10 @@ PostgreSQL-specific event fields. *`pgsql.error_code`*:: + -- -type: long - The PostgreSQL error code. +type: long + -- *`pgsql.error_message`*:: 
@@ -6713,21 +6713,21 @@ These fields contain the raw transaction data. *`request`*:: + -- -type: text - For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request. +type: text + -- *`response`*:: + -- -type: text - For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the request. +type: text + -- [[exported-fields-redis]] 
@@ -6805,88 +6805,88 @@ TLS-specific event fields. *`tls.version`*:: + -- -type: keyword +The version of the TLS protocol used. -example: TLS 1.3 -The version of the TLS protocol used. +type: keyword +example: TLS 1.3 -- *`tls.handshake_completed`*:: + -- -type: boolean - Whether the TLS negotiation has been successful and the session has transitioned to encrypted mode. +type: boolean + -- *`tls.resumed`*:: + -- -type: boolean - If the TLS session has been resumed from a previous session. +type: boolean + -- *`tls.resumption_method`*:: + -- -type: keyword - If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension. +type: keyword + -- *`tls.client_certificate_requested`*:: + -- -type: boolean - Whether the server has requested the client to authenticate itself using a client certificate. +type: boolean + -- *`tls.client_hello.version`*:: + -- -type: keyword - The version of the TLS protocol by which the client wishes to communicate during this session. +type: keyword + -- *`tls.client_hello.supported_ciphers`*:: + -- -type: array - List of ciphers the client is willing to use for this session. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4 +type: array + -- *`tls.client_hello.supported_compression_methods`*:: + -- -type: array - The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml +type: array + -- [float] -== extensions fields +=== extensions The hello extensions provided by the client. 
@@ -6894,125 +6894,125 @@ The hello extensions provided by the client. *`tls.client_hello.extensions.server_name_indication`*:: + -- -type: keyword - List of hostnames +type: keyword + -- *`tls.client_hello.extensions.application_layer_protocol_negotiation`*:: + -- -type: keyword - List of application-layer protocols the client is willing to use. +type: keyword + -- *`tls.client_hello.extensions.session_ticket`*:: + -- -type: keyword - Length of the session ticket, if provided, or an empty string to advertise support for tickets. +type: keyword + -- *`tls.client_hello.extensions.supported_versions`*:: + -- -type: keyword - List of TLS versions that the client is willing to use. +type: keyword + -- *`tls.client_hello.extensions.supported_groups`*:: + -- -type: keyword - List of Elliptic Curve Cryptography (ECC) curve groups supported by the client. +type: keyword + -- *`tls.client_hello.extensions.signature_algorithms`*:: + -- -type: keyword - List of signature algorithms that may be use in digital signatures. +type: keyword + -- *`tls.client_hello.extensions.ec_points_formats`*:: + -- -type: keyword - List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the client can parse. +type: keyword + -- *`tls.client_hello.extensions._unparsed_`*:: + -- -type: keyword - List of extensions that were left unparsed by Packetbeat. +type: keyword + -- *`tls.server_hello.version`*:: + -- -type: keyword - The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello. +type: keyword + -- *`tls.server_hello.selected_cipher`*:: + -- -type: keyword - The cipher suite selected by the server from the list provided by in the client hello. +type: keyword + -- *`tls.server_hello.selected_compression_method`*:: + -- -type: keyword - The compression method selected by the server from the list provided in the client hello. 
+type: keyword + -- *`tls.server_hello.session_id`*:: + -- -type: keyword - Unique number to identify the session for the corresponding connection with the client. +type: keyword + -- [float] -== extensions fields +=== extensions The hello extensions provided by the server. @@ -7020,54 +7020,54 @@ The hello extensions provided by the server. *`tls.server_hello.extensions.application_layer_protocol_negotiation`*:: + -- -type: array - Negotiated application layer protocol +type: array + -- *`tls.server_hello.extensions.session_ticket`*:: + -- -type: keyword - Used to announce that a session ticket will be provided by the server. Always an empty string. +type: keyword + -- *`tls.server_hello.extensions.supported_versions`*:: + -- -type: keyword - Negotiated TLS version to be used. +type: keyword + -- *`tls.server_hello.extensions.ec_points_formats`*:: + -- -type: keyword - List of Elliptic Curve (EC) point formats. Indicates the set of point formats that the server can parse. +type: keyword + -- *`tls.server_hello.extensions._unparsed_`*:: + -- -type: keyword - List of extensions that were left unparsed by Packetbeat. +type: keyword + -- [float] -== client_certificate fields +=== client_certificate Certificate provided by the client for authentication. 
@@ -7075,88 +7075,88 @@ Certificate provided by the client for authentication. *`tls.client_certificate.version`*:: + -- -type: long - X509 format version. +type: long + -- *`tls.client_certificate.serial_number`*:: + -- -type: keyword - The certificate's serial number. +type: keyword + -- *`tls.client_certificate.not_before`*:: + -- -type: date - Date before which the certificate is not valid. +type: date + -- *`tls.client_certificate.not_after`*:: + -- -type: date - Date after which the certificate expires. +type: date + -- *`tls.client_certificate.public_key_algorithm`*:: + -- -type: keyword - The algorithm used for this certificate's public key. One of RSA, DSA or ECDSA. +type: keyword + -- *`tls.client_certificate.public_key_size`*:: + -- -type: long - Size of the public key. +type: long + -- *`tls.client_certificate.signature_algorithm`*:: + -- -type: keyword - The algorithm used for the certificate's signature. +type: keyword + -- *`tls.client_certificate.alternative_names`*:: + -- -type: array - Subject Alternative Names for this certificate. +type: array + -- *`tls.client_certificate.raw`*:: + -- -type: keyword - The raw certificate in PEM format. +type: keyword + -- [float] -== subject fields +=== subject Subject represented by this certificate. 
@@ -7164,50 +7164,50 @@ Subject represented by this certificate. *`tls.client_certificate.subject.country`*:: + -- -type: keyword - Country code. +type: keyword + -- *`tls.client_certificate.subject.organization`*:: + -- -type: keyword - Organization name. +type: keyword + -- *`tls.client_certificate.subject.organizational_unit`*:: + -- -type: keyword - Unit within organization. +type: keyword + -- *`tls.client_certificate.subject.province`*:: + -- -type: keyword - Province or region within country. +type: keyword + -- *`tls.client_certificate.subject.common_name`*:: + -- -type: keyword - Name or host name identified by the certificate. +type: keyword + -- [float] -== issuer fields +=== issuer Entity that issued and signed this certificate. @@ -7215,78 +7215,78 @@ Entity that issued and signed this certificate. *`tls.client_certificate.issuer.country`*:: + -- -type: keyword - Country code. +type: keyword + -- *`tls.client_certificate.issuer.organization`*:: + -- -type: keyword - Organization name. +type: keyword + -- *`tls.client_certificate.issuer.organizational_unit`*:: + -- -type: keyword - Unit within organization. +type: keyword + -- *`tls.client_certificate.issuer.province`*:: + -- -type: keyword - Province or region within country. +type: keyword + -- *`tls.client_certificate.issuer.common_name`*:: + -- -type: keyword - Name or host name identified by the certificate. +type: keyword + -- *`tls.client_certificate.fingerprint.md5`*:: + -- -type: keyword - Certificate's MD5 fingerprint. +type: keyword + -- *`tls.client_certificate.fingerprint.sha1`*:: + -- -type: keyword - Certificate's SHA-1 fingerprint. +type: keyword + -- *`tls.client_certificate.fingerprint.sha256`*:: + -- -type: keyword - Certificate's SHA-256 fingerprint. +type: keyword + -- [float] -== server_certificate fields +=== server_certificate Certificate provided by the server for authentication. 
@@ -7294,88 +7294,88 @@ Certificate provided by the server for authentication. *`tls.server_certificate.version`*:: + -- -type: long - X509 format version. +type: long + -- *`tls.server_certificate.serial_number`*:: + -- -type: keyword - The certificate's serial number. +type: keyword + -- *`tls.server_certificate.not_before`*:: + -- -type: date - Date before which the certificate is not valid. +type: date + -- *`tls.server_certificate.not_after`*:: + -- -type: date - Date after which the certificate expires. +type: date + -- *`tls.server_certificate.public_key_algorithm`*:: + -- -type: keyword - The algorithm used for this certificate's public key. One of RSA, DSA or ECDSA. +type: keyword + -- *`tls.server_certificate.public_key_size`*:: + -- -type: long - Size of the public key. +type: long + -- *`tls.server_certificate.signature_algorithm`*:: + -- -type: keyword - The algorithm used for the certificate's signature. +type: keyword + -- *`tls.server_certificate.alternative_names`*:: + -- -type: array - Subject Alternative Names for this certificate. +type: array + -- *`tls.server_certificate.raw`*:: + -- -type: keyword - The raw certificate in PEM format. +type: keyword + -- [float] -== subject fields +=== subject Subject represented by this certificate. 
@@ -7383,50 +7383,50 @@ Subject represented by this certificate. *`tls.server_certificate.subject.country`*:: + -- -type: keyword - Country code. +type: keyword + -- *`tls.server_certificate.subject.organization`*:: + -- -type: keyword - Organization name. +type: keyword + -- *`tls.server_certificate.subject.organizational_unit`*:: + -- -type: keyword - Unit within organization. +type: keyword + -- *`tls.server_certificate.subject.province`*:: + -- -type: keyword - Province or region within country. +type: keyword + -- *`tls.server_certificate.subject.common_name`*:: + -- -type: keyword - Name or host name identified by the certificate. +type: keyword + -- [float] -== issuer fields +=== issuer Entity that issued and signed this certificate. 
@@ -7434,112 +7434,112 @@ Entity that issued and signed this certificate. *`tls.server_certificate.issuer.country`*:: + -- -type: keyword - Country code. +type: keyword + -- *`tls.server_certificate.issuer.organization`*:: + -- -type: keyword - Organization name. +type: keyword + -- *`tls.server_certificate.issuer.organizational_unit`*:: + -- -type: keyword - Unit within organization. +type: keyword + -- *`tls.server_certificate.issuer.province`*:: + -- -type: keyword - Province or region within country. +type: keyword + -- *`tls.server_certificate.issuer.common_name`*:: + -- -type: keyword - Name or host name identified by the certificate. +type: keyword + -- *`tls.server_certificate.fingerprint.md5`*:: + -- -type: keyword - Certificate's MD5 fingerprint. +type: keyword + -- *`tls.server_certificate.fingerprint.sha1`*:: + -- -type: keyword - Certificate's SHA-1 fingerprint. +type: keyword + -- *`tls.server_certificate.fingerprint.sha256`*:: + -- -type: keyword - Certificate's SHA-256 fingerprint. +type: keyword + -- *`tls.server_certificate_chain`*:: + -- -type: array - Chain of trust for the server certificate. +type: array + -- *`tls.client_certificate_chain`*:: + -- -type: array - Chain of trust for the client certificate. +type: array + -- *`tls.alert_types`*:: + -- -type: keyword - An array containing the TLS alert type for every alert received. +type: keyword + -- [float] -== fingerprints fields +=== fingerprints Fingerprints for this TLS session. [float] -== ja3 fields +=== ja3 JA3 TLS client fingerprint @@ -7547,21 +7547,21 @@ JA3 TLS client fingerprint *`tls.fingerprints.ja3.hash`*:: + -- -type: keyword - The JA3 fingerprint hash for the client side. +type: keyword + -- *`tls.fingerprints.ja3.str`*:: + -- -type: keyword - The JA3 string used to calculate the hash. +type: keyword + -- [[exported-fields-trans_event]] 
@@ -7574,11 +7574,11 @@ These fields contain data about the transaction itself. *`status`*:: + -- -required: True - The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol. +required: True + -- *`method`*:: @@ -7600,42 +7600,42 @@ The logical resource that this transaction refers to. For HTTP, this is the URL *`path`*:: + -- -required: True - The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key. +required: True + -- *`query`*:: + -- -type: keyword - The query in a human readable format. For HTTP, it will typically be something like `GET /users/_search?name=test`. For MySQL, it is something like `SELECT id from users where name=test`. +type: keyword + -- *`params`*:: + -- -type: text - The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request. +type: text + -- *`notes`*:: + -- -type: alias +Messages from Packetbeat itself. This field usually contains error messages for interpreting the raw data. This information can be helpful for troubleshooting. -alias to: error.message -Messages from Packetbeat itself. This field usually contains error messages for interpreting the raw data. This information can be helpful for troubleshooting. +type: alias +alias to: error.message -- 
@@ -7649,24 +7649,24 @@ These fields contain measurements related to the transaction. *`bytes_in`*:: + -- -type: alias +The number of bytes of the request. Note that this size is the application layer message length, without the length of the IP or TCP headers. -alias to: source.bytes -The number of bytes of the request. Note that this size is the application layer message length, without the length of the IP or TCP headers. +type: alias +alias to: source.bytes -- *`bytes_out`*:: + -- -type: alias +The number of bytes of the response. Note that this size is the application layer message length, without the length of the IP or TCP headers. -alias to: destination.bytes -The number of bytes of the response. Note that this size is the application layer message length, without the length of the IP or TCP headers. +type: alias +alias to: destination.bytes -- diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc index 0d72550fd56..186e47eebae 100644 --- a/winlogbeat/docs/fields.asciidoc +++ b/winlogbeat/docs/fields.asciidoc @@ -34,10 +34,10 @@ Contains common beat fields available in all event types. *`agent.hostname`*:: + -- -type: keyword - Hostname of the agent. +type: keyword + -- *`beat.timezone`*:: @@ -52,15 +52,15 @@ alias to: event.timezone *`fields`*:: + -- -type: object - Contains user configurable fields. +type: object + -- [float] -== error fields +=== error Error fields containing additional info in case of errors. @@ -69,11 +69,11 @@ Error fields containing additional info in case of errors. *`error.type`*:: + -- -type: keyword - Error type. +type: keyword + -- *`beat.name`*:: @@ -97,10 +97,10 @@ alias to: agent.hostname *`timeseries.instance`*:: + -- -type: keyword - Time series instance id +type: keyword + -- [[exported-fields-cloud]] 
@@ -113,11 +113,11 @@ Metadata from cloud providers added by the add_cloud_metadata processor. *`cloud.project.id`*:: + -- -example: project-x - Name of the project in Google Cloud. +example: project-x + -- *`meta.cloud.provider`*:: @@ -221,11 +221,11 @@ alias to: container.name *`docker.container.labels`*:: + -- -type: object - Image labels. +type: object + -- [[exported-fields-ecs]] 
@@ -237,58 +237,58 @@ ECS Fields. *`@timestamp`*:: + -- +Date/time when the event originated. +This is the date/time extracted from the event, typically representing when the event was generated by the source. +If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. +Required field for all events. + type: date example: 2016-05-23T08:05:34.853Z required: True -Date/time when the event originated. -This is the date/time extracted from the event, typically representing when the event was generated by the source. -If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. -Required field for all events. - -- *`labels`*:: + -- -type: object - -example: {'application': 'foo-bar', 'env': 'production'} - Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. +type: object + +example: {'application': 'foo-bar', 'env': 'production'} + -- *`message`*:: + -- -type: text - -example: Hello World - For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. +type: text + +example: Hello World + -- *`tags`*:: + -- +List of keywords used to tag each event. + type: keyword example: ["production", "env2"] -List of keywords used to tag each event. - -- [float] -== agent fields +=== agent The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. 
ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. 
@@ -297,65 +297,65 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha *`agent.ephemeral_id`*:: + -- +Ephemeral identifier of this agent (if one exists). +This id normally changes across restarts, but `agent.id` does not. + type: keyword example: 8a4f500f -Ephemeral identifier of this agent (if one exists). -This id normally changes across restarts, but `agent.id` does not. - -- *`agent.id`*:: + -- +Unique identifier of this agent (if one exists). +Example: For Beats this would be beat.id. + type: keyword example: 8a4f500d -Unique identifier of this agent (if one exists). -Example: For Beats this would be beat.id. - -- *`agent.name`*:: + -- -type: keyword - -example: foo - Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. +type: keyword + +example: foo + -- *`agent.type`*:: + -- +Type of the agent. +The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. + type: keyword example: filebeat -Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. - -- *`agent.version`*:: + -- +Version of the agent. + type: keyword example: 6.0.0-rc2 -Version of the agent. - -- [float] -== client fields +=== client A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). 
For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. 
@@ -365,234 +365,234 @@ Client / server representations can add semantic context to an exchange, which i *`client.address`*:: + -- -type: keyword - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`client.bytes`*:: + -- +Bytes sent from the client to the server. + type: long example: 184 format: bytes -Bytes sent from the client to the server. - -- *`client.domain`*:: + -- -type: keyword - Client domain. +type: keyword + -- *`client.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`client.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`client.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`client.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`client.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`client.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`client.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`client.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`client.ip`*:: + -- -type: ip - IP address of the client. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`client.mac`*:: + -- -type: keyword - MAC address of the client. +type: keyword + -- *`client.packets`*:: + -- +Packets sent from the client to the server. + type: long example: 12 -Packets sent from the client to the server. - -- *`client.port`*:: + -- -type: long - Port of the client. +type: long + -- *`client.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`client.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`client.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`client.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`client.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`client.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`client.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== cloud fields +=== cloud Fields related to the cloud or infrastructure the events are coming from. 
@@ -600,81 +600,81 @@ Fields related to the cloud or infrastructure the events are coming from. *`cloud.account.id`*:: + -- +The cloud account or organization id used to identify different entities in a multi-tenant environment. +Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + type: keyword example: 666777888999 -The cloud account or organization id used to identify different entities in a multi-tenant environment. -Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - -- *`cloud.availability_zone`*:: + -- +Availability zone in which this host is running. + type: keyword example: us-east-1c -Availability zone in which this host is running. - -- *`cloud.instance.id`*:: + -- +Instance ID of the host machine. + type: keyword example: i-1234567890abcdef0 -Instance ID of the host machine. - -- *`cloud.instance.name`*:: + -- -type: keyword - Instance name of the host machine. +type: keyword + -- *`cloud.machine.type`*:: + -- +Machine type of the host machine. + type: keyword example: t2.medium -Machine type of the host machine. - -- *`cloud.provider`*:: + -- +Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + type: keyword example: aws -Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - -- *`cloud.region`*:: + -- +Region in which this host is running. + type: keyword example: us-east-1 -Region in which this host is running. - -- [float] -== container fields +=== container Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime. 
@@ -683,61 +683,61 @@ These fields help correlate data based containers from any runtime. *`container.id`*:: + -- -type: keyword - Unique container id. +type: keyword + -- *`container.image.name`*:: + -- -type: keyword - Name of the image the container was built on. +type: keyword + -- *`container.image.tag`*:: + -- -type: keyword - Container image tag. +type: keyword + -- *`container.labels`*:: + -- -type: object - Image labels. +type: object + -- *`container.name`*:: + -- -type: keyword - Container name. +type: keyword + -- *`container.runtime`*:: + -- +Runtime managing this container. + type: keyword example: docker -Runtime managing this container. - -- [float] -== destination fields +=== destination Destination fields describe details about the destination of a packet/event. Destination fields are usually populated in conjunction with source fields. 
@@ -746,234 +746,234 @@ Destination fields are usually populated in conjunction with source fields. *`destination.address`*:: + -- -type: keyword - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`destination.bytes`*:: + -- +Bytes sent from the destination to the source. + type: long example: 184 format: bytes -Bytes sent from the destination to the source. - -- *`destination.domain`*:: + -- -type: keyword - Destination domain. +type: keyword + -- *`destination.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`destination.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`destination.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`destination.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`destination.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`destination.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`destination.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`destination.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`destination.ip`*:: + -- -type: ip - IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`destination.mac`*:: + -- -type: keyword - MAC address of the destination. +type: keyword + -- *`destination.packets`*:: + -- +Packets sent from the destination to the source. + type: long example: 12 -Packets sent from the destination to the source. - -- *`destination.port`*:: + -- -type: long - Port of the destination. +type: long + -- *`destination.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`destination.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`destination.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`destination.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`destination.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`destination.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`destination.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== ecs fields +=== ecs Meta-information specific to ECS. 
@@ -981,19 +981,19 @@ Meta-information specific to ECS. *`ecs.version`*:: + -- +ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. +When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + type: keyword example: 1.0.0 required: True -ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. -When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - -- [float] -== error fields +=== error These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. @@ -1002,32 +1002,32 @@ Use them for errors that happen while fetching events or in cases where the even *`error.code`*:: + -- -type: keyword - Error code describing the error. +type: keyword + -- *`error.id`*:: + -- -type: keyword - Unique identifier for the error. +type: keyword + -- *`error.message`*:: + -- -type: text - Error message. +type: text + -- [float] -== event fields +=== event The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. 
@@ -1036,203 +1036,203 @@ A log is defined as an event containing details of something that happened. Log *`event.action`*:: + -- +The action captured by the event. +This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + type: keyword example: user-password-change -The action captured by the event. -This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - -- *`event.category`*:: + -- +Event category. +This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: user-management -Event category. -This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.created`*:: + -- -type: date - event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
+type: date + -- *`event.dataset`*:: + -- +Name of the dataset. +The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. + type: keyword example: stats -Name of the dataset. -The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. - -- *`event.duration`*:: + -- +Duration of the event in nanoseconds. +If event.start and event.end are known this value should be the difference between the end and start time. + type: long format: duration -Duration of the event in nanoseconds. -If event.start and event.end are known this value should be the difference between the end and start time. - -- *`event.end`*:: + -- -type: date - event.end contains the date when the event ended or when the activity was last observed. +type: date + -- *`event.hash`*:: + -- +Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. + type: keyword example: 123456789012345678901234567890ABCD -Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. - -- *`event.id`*:: + -- +Unique ID to describe the event. + type: keyword example: 8a4f500d -Unique ID to describe the event. - -- *`event.kind`*:: + -- +The kind of the event. +This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: state -The kind of the event. -This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. 
Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.module`*:: + -- +Name of the module this data is coming from. +This information is coming from the modules used in Beats or Logstash. + type: keyword example: mysql -Name of the module this data is coming from. -This information is coming from the modules used in Beats or Logstash. - -- *`event.original`*:: + -- +Raw text message of entire event. Used to demonstrate log integrity. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. + type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 -Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. - -- *`event.outcome`*:: + -- +The outcome of the event. +If the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: success -The outcome of the event. -If the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.risk_score`*:: + -- -type: float - Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +type: float + -- *`event.risk_score_norm`*:: + -- -type: float - Normalized risk score or priority of the event, on a scale of 0 to 100. 
This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. +type: float + -- *`event.severity`*:: + -- +Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events. + type: long example: 7 -Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events. - -- *`event.start`*:: + -- -type: date - event.start contains the date when the event started or when the activity was first observed. +type: date + -- *`event.timezone`*:: + -- -type: keyword - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). +type: keyword + -- *`event.type`*:: + -- -type: keyword - Reserved for future usage. Please avoid using this field for user data. +type: keyword + -- [float] -== file fields +=== file A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. 
@@ -1241,136 +1241,136 @@ File objects can be associated with host events, network events, and/or file eve *`file.ctime`*:: + -- -type: date - Last time file metadata changed. +type: date + -- *`file.device`*:: + -- -type: keyword - Device that is the source of the file. +type: keyword + -- *`file.extension`*:: + -- +File extension. +This should allow easy filtering by file extensions. + type: keyword example: png -File extension. -This should allow easy filtering by file extensions. - -- *`file.gid`*:: + -- -type: keyword - Primary group ID (GID) of the file. +type: keyword + -- *`file.group`*:: + -- -type: keyword - Primary group name of the file. +type: keyword + -- *`file.inode`*:: + -- -type: keyword - Inode representing the file in the filesystem. +type: keyword + -- *`file.mode`*:: + -- +Mode of the file in octal representation. + type: keyword example: 416 -Mode of the file in octal representation. - -- *`file.mtime`*:: + -- -type: date - Last time file content was modified. +type: date + -- *`file.owner`*:: + -- -type: keyword - File owner's username. +type: keyword + -- *`file.path`*:: + -- -type: keyword - Path to the file. +type: keyword + -- *`file.size`*:: + -- -type: long - File size in bytes (field is only added when `type` is `file`). +type: long + -- *`file.target_path`*:: + -- -type: keyword - Target path for symlinks. +type: keyword + -- *`file.type`*:: + -- -type: keyword - File type (file, dir, or symlink). +type: keyword + -- *`file.uid`*:: + -- -type: keyword - The user ID (UID) or security identifier (SID) of the file owner. +type: keyword + -- [float] -== geo fields +=== geo Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. 
@@ -1379,95 +1379,95 @@ This geolocation information can be derived from techniques such as Geo IP, or b *`geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. --- +type: keyword + +example: boston-dc + +-- *`geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- [float] -== group fields +=== group The group fields are meant to represent groups that are relevant to the event. @@ -1475,23 +1475,23 @@ The group fields are meant to represent groups that are relevant to the event. *`group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- [float] -== host fields +=== host A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. 
@@ -1500,299 +1500,299 @@ ECS host.* fields should be populated with details about the host on which the e *`host.architecture`*:: + -- +Operating system architecture. + type: keyword example: x86_64 -Operating system architecture. - -- *`host.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`host.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`host.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`host.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`host.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`host.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`host.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`host.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`host.hostname`*:: + -- -type: keyword - Hostname of the host. It normally contains what the `hostname` command returns on the host machine. +type: keyword + -- *`host.id`*:: + -- -type: keyword - Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. +type: keyword + -- *`host.ip`*:: + -- -type: ip - Host ip address. +type: ip + -- *`host.mac`*:: + -- -type: keyword - Host mac address. +type: keyword + -- *`host.name`*:: + -- -type: keyword - Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. +type: keyword + -- *`host.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`host.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`host.os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`host.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`host.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`host.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`host.type`*:: + -- -type: keyword - Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. +type: keyword + -- *`host.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`host.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`host.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`host.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`host.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. 
Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`host.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`host.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== http fields +=== http Fields related to HTTP activity. Use the `url` field set to store the url of the request. 
@@ -1800,124 +1800,124 @@ Fields related to HTTP activity. Use the `url` field set to store the url of the *`http.request.body.bytes`*:: + -- +Size in bytes of the request body. + type: long example: 887 format: bytes -Size in bytes of the request body. - -- *`http.request.body.content`*:: + -- +The full HTTP request body. + type: keyword example: Hello world -The full HTTP request body. - -- *`http.request.bytes`*:: + -- +Total size in bytes of the request (body and headers). + type: long example: 1437 format: bytes -Total size in bytes of the request (body and headers). - -- *`http.request.method`*:: + -- +HTTP request method. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: get, post, put -HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`http.request.referrer`*:: + -- +Referrer for this HTTP request. + type: keyword example: https://blog.example.com/ -Referrer for this HTTP request. - -- *`http.response.body.bytes`*:: + -- +Size in bytes of the response body. + type: long example: 887 format: bytes -Size in bytes of the response body. - -- *`http.response.body.content`*:: + -- +The full HTTP response body. + type: keyword example: Hello world -The full HTTP response body. - -- *`http.response.bytes`*:: + -- +Total size in bytes of the response (body and headers). + type: long example: 1437 format: bytes -Total size in bytes of the response (body and headers). - -- *`http.response.status_code`*:: + -- +HTTP response status code. + type: long example: 404 -HTTP response status code. - -- *`http.version`*:: + -- +HTTP version. + type: keyword example: 1.1 -HTTP version. - -- [float] -== log fields +=== log Fields which are specific to log events. 
@@ -1925,30 +1925,30 @@ Fields which are specific to log events. *`log.level`*:: + -- +Original log level of the log event. +Some examples are `warn`, `error`, `i`. + type: keyword example: err -Original log level of the log event. -Some examples are `warn`, `error`, `i`. - -- *`log.original`*:: + -- -type: keyword - -example: Sep 19 08:26:10 localhost My log - This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. +type: keyword + +example: Sep 19 08:26:10 localhost My log + -- [float] -== network fields +=== network The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event. 
@@ -1957,48 +1957,44 @@ The network.* fields should be populated with details about the network activity *`network.application`*:: + -- +A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: aim -A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`network.bytes`*:: + -- +Total bytes transferred in both directions. +If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + type: long example: 368 format: bytes -Total bytes transferred in both directions. -If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - -- *`network.community_id`*:: + -- +A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. +Learn more at https://github.com/corelight/community-id-spec. + type: keyword example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= -A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. -Learn more at https://github.com/corelight/community-id-spec. - -- *`network.direction`*:: + -- -type: keyword - -example: inbound - Direction of the network traffic. 
Recommended values are: * inbound 
@@ -2010,91 +2006,95 @@ Recommended values are: When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. +type: keyword + +example: inbound + -- *`network.forwarded_ip`*:: + -- +Host IP address when the source IP address is the proxy. + type: ip example: 192.1.1.2 -Host IP address when the source IP address is the proxy. - -- *`network.iana_number`*:: + -- +IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + type: keyword example: 6 -IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - -- *`network.name`*:: + -- +Name given by operators to sections of their network. + type: keyword example: Guest Wifi -Name given by operators to sections of their network. - -- *`network.packets`*:: + -- +Total packets transferred in both directions. +If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + type: long example: 24 -Total packets transferred in both directions. -If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - -- *`network.protocol`*:: + -- +L7 Network protocol name. ex. http, lumberjack, transport protocol. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: http -L7 Network protocol name. ex. http, lumberjack, transport protocol. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". 
- -- *`network.transport`*:: + -- +Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: tcp -Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`network.type`*:: + -- +In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: ipv4 -In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- [float] -== observer fields +=== observer An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. 
@@ -2103,227 +2103,227 @@ This could be a custom hardware appliance or a server that has been configured t *`observer.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`observer.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`observer.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`observer.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`observer.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`observer.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`observer.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`observer.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`observer.hostname`*:: + -- -type: keyword - Hostname of the observer. +type: keyword + -- *`observer.ip`*:: + -- -type: ip - IP address of the observer. +type: ip + -- *`observer.mac`*:: + -- -type: keyword - MAC address of the observer +type: keyword + -- *`observer.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`observer.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`observer.os.kernel`*:: + -- +Operating system kernel version as a raw string. 
+ type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`observer.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`observer.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`observer.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`observer.serial_number`*:: + -- -type: keyword - Observer serial number. +type: keyword + -- *`observer.type`*:: + -- +The type of the observer the data is coming from. +There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + type: keyword example: firewall -The type of the observer the data is coming from. -There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - -- *`observer.vendor`*:: + -- -type: keyword - observer vendor information. +type: keyword + -- *`observer.version`*:: + -- -type: keyword - Observer version. +type: keyword + -- [float] -== organization fields +=== organization The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations. @@ -2332,23 +2332,23 @@ These fields help you arrange or filter data stored in an index by one or multip *`organization.id`*:: + -- -type: keyword - Unique identifier for the organization. +type: keyword + -- *`organization.name`*:: + -- -type: keyword - Organization name. +type: keyword + -- [float] -== os fields +=== os The OS fields contain information about the operating system. 
@@ -2356,71 +2356,71 @@ The OS fields contain information about the operating system. *`os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- [float] -== process fields +=== process These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. 
@@ -2429,101 +2429,101 @@ These fields can help you correlate metrics information with a process id/name f *`process.args`*:: + -- +Array of process arguments. +May be filtered to protect sensitive information. + type: keyword example: ['ssh', '-l', 'user', '10.0.0.16'] -Array of process arguments. -May be filtered to protect sensitive information. - -- *`process.executable`*:: + -- +Absolute path to the process executable. + type: keyword example: /usr/bin/ssh -Absolute path to the process executable. - -- *`process.name`*:: + -- +Process name. +Sometimes called program name or similar. + type: keyword example: ssh -Process name. -Sometimes called program name or similar. - -- *`process.pid`*:: + -- -type: long - Process id. +type: long + -- *`process.ppid`*:: + -- -type: long - Process parent id. +type: long + -- *`process.start`*:: + -- +The time the process started. + type: date example: 2016-05-23T08:05:34.853Z -The time the process started. - -- *`process.thread.id`*:: + -- +Thread ID. + type: long example: 4242 -Thread ID. - -- *`process.title`*:: + -- -type: keyword - Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. +type: keyword + -- *`process.working_directory`*:: + -- +The working directory of the process. + type: keyword example: /home/alice -The working directory of the process. - -- [float] -== related fields +=== related This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. 
@@ -2533,14 +2533,14 @@ A concrete example is IP addresses, which can be under host, observer, source, d *`related.ip`*:: + -- -type: ip - All of the IPs seen on your event. +type: ip + -- [float] -== server fields +=== server A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. 
@@ -2550,234 +2550,234 @@ Client / server representations can add semantic context to an exchange, which i *`server.address`*:: + -- -type: keyword - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`server.bytes`*:: + -- +Bytes sent from the server to the client. + type: long example: 184 format: bytes -Bytes sent from the server to the client. - -- *`server.domain`*:: + -- -type: keyword - Server domain. +type: keyword + -- *`server.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`server.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`server.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`server.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`server.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`server.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`server.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`server.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`server.ip`*:: + -- -type: ip - IP address of the server. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`server.mac`*:: + -- -type: keyword - MAC address of the server. +type: keyword + -- *`server.packets`*:: + -- +Packets sent from the server to the client. + type: long example: 12 -Packets sent from the server to the client. - -- *`server.port`*:: + -- -type: long - Port of the server. +type: long + -- *`server.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`server.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`server.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`server.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`server.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`server.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`server.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== service fields +=== service The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version. 
@@ -2786,78 +2786,78 @@ These fields help you find and correlate logs for a specific service and version *`service.ephemeral_id`*:: + -- +Ephemeral identifier of this service (if one exists). +This id normally changes across restarts, but `service.id` does not. + type: keyword example: 8a4f500f -Ephemeral identifier of this service (if one exists). -This id normally changes across restarts, but `service.id` does not. - -- *`service.id`*:: + -- -type: keyword - -example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - Unique identifier of the running service. This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance. +type: keyword + +example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + -- *`service.name`*:: + -- -type: keyword - -example: elasticsearch-metrics - Name of the service data is collected from. The name of the service is normally user given. This allows if two instances of the same service are running on the same machine they can be differentiated by the `service.name`. Also it allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the `service.type` field if no name is specified. +type: keyword + +example: elasticsearch-metrics + -- *`service.state`*:: + -- -type: keyword - Current state of the service. +type: keyword + -- *`service.type`*:: + -- -type: keyword - -example: elasticsearch - The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
+type: keyword + +example: elasticsearch + -- *`service.version`*:: + -- +Version of the service the data was collected from. +This allows to look at a data set only for a specific version of a service. + type: keyword example: 3.2.4 -Version of the service the data was collected from. -This allows to look at a data set only for a specific version of a service. - -- [float] -== source fields +=== source Source fields describe details about the source of a packet/event. Source fields are usually populated in conjunction with destination fields. 
@@ -2866,234 +2866,234 @@ Source fields are usually populated in conjunction with destination fields. *`source.address`*:: + -- -type: keyword - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`source.bytes`*:: + -- +Bytes sent from the source to the destination. + type: long example: 184 format: bytes -Bytes sent from the source to the destination. - -- *`source.domain`*:: + -- -type: keyword - Source domain. +type: keyword + -- *`source.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`source.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`source.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`source.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`source.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`source.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`source.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`source.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`source.ip`*:: + -- -type: ip - IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`source.mac`*:: + -- -type: keyword - MAC address of the source. +type: keyword + -- *`source.packets`*:: + -- +Packets sent from the source to the destination. + type: long example: 12 -Packets sent from the source to the destination. - -- *`source.port`*:: + -- -type: long - Port of the source. +type: long + -- *`source.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`source.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`source.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`source.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`source.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`source.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`source.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== url fields +=== url URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. 
@@ -3101,111 +3101,111 @@ URL fields provide support for complete or partial URLs, and supports the breaki *`url.domain`*:: + -- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + type: keyword example: www.elastic.co -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - -- *`url.fragment`*:: + -- -type: keyword - Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. +type: keyword + -- *`url.full`*:: + -- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - -- *`url.original`*:: + -- -type: keyword - -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + -- *`url.password`*:: + -- -type: keyword - Password of the request. +type: keyword + -- *`url.path`*:: + -- -type: keyword - Path of the request, such as "/search". +type: keyword + -- *`url.port`*:: + -- +Port of the request, such as 443. + type: long example: 443 -Port of the request, such as 443. 
- -- *`url.query`*:: + -- -type: keyword - The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. +type: keyword + -- *`url.scheme`*:: + -- +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. + type: keyword example: https -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. - -- *`url.username`*:: + -- -type: keyword - Username of the request. +type: keyword + -- [float] -== user fields +=== user The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. 
@@ -3214,73 +3214,73 @@ Fields can have one entry or multiple entries. If a user has more than one id, p *`user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== user_agent fields +=== user_agent The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string. 
@@ -3289,111 +3289,111 @@ They often show up in web service logs coming from the parsed user agent string. *`user_agent.device.name`*:: + -- +Name of the device. + type: keyword example: iPhone -Name of the device. - -- *`user_agent.name`*:: + -- +Name of the user agent. + type: keyword example: Safari -Name of the user agent. - -- *`user_agent.original`*:: + -- +Unparsed version of the user_agent. + type: keyword example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 -Unparsed version of the user_agent. - -- *`user_agent.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`user_agent.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`user_agent.os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`user_agent.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`user_agent.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`user_agent.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`user_agent.version`*:: + -- +Version of the user agent. + type: keyword example: 12.0 -Version of the user agent. - -- [[exported-fields-eventlog]] 
@@ -3594,34 +3594,34 @@ Info collected for the host machine. *`host.containerized`*:: + -- -type: boolean - If the host is a container. +type: boolean + -- *`host.os.build`*:: + -- -type: keyword +OS build information. -example: 18D109 -OS build information. +type: keyword +example: 18D109 -- *`host.os.codename`*:: + -- -type: keyword +OS codename, if any. -example: stretch -OS codename, if any. +type: keyword +example: stretch -- @@ -3635,71 +3635,71 @@ Metadata from Jolokia Discovery added by the jolokia provider. *`jolokia.agent.version`*:: + -- -type: keyword - Version number of jolokia agent. +type: keyword + -- *`jolokia.agent.id`*:: + -- -type: keyword - Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. +type: keyword + -- *`jolokia.server.product`*:: + -- -type: keyword - The container product if detected. +type: keyword + -- *`jolokia.server.version`*:: + -- -type: keyword - The container's version (if detected). +type: keyword + -- *`jolokia.server.vendor`*:: + -- -type: keyword - The vendor of the container the agent is running in. +type: keyword + -- *`jolokia.url`*:: + -- -type: keyword - The URL how this agent can be contacted. +type: keyword + -- *`jolokia.secured`*:: + -- -type: boolean - Whether the agent was configured for authentication or not. +type: boolean + -- [[exported-fields-kubernetes-processor]] 
@@ -3713,111 +3713,111 @@ Kubernetes metadata added by the kubernetes processor *`kubernetes.pod.name`*:: + -- -type: keyword - Kubernetes pod name +type: keyword + -- *`kubernetes.pod.uid`*:: + -- -type: keyword - Kubernetes Pod UID +type: keyword + -- *`kubernetes.namespace`*:: + -- -type: keyword - Kubernetes namespace +type: keyword + -- *`kubernetes.node.name`*:: + -- -type: keyword - Kubernetes node name +type: keyword + -- *`kubernetes.labels`*:: + -- -type: object - Kubernetes labels map +type: object + -- *`kubernetes.annotations`*:: + -- -type: object - Kubernetes annotations map +type: object + -- *`kubernetes.replicaset.name`*:: + -- -type: keyword - Kubernetes replicaset name +type: keyword + -- *`kubernetes.deployment.name`*:: + -- -type: keyword - Kubernetes deployment name +type: keyword + -- *`kubernetes.statefulset.name`*:: + -- -type: keyword - Kubernetes statefulset name +type: keyword + -- *`kubernetes.container.name`*:: + -- -type: keyword - Kubernetes container name +type: keyword + -- *`kubernetes.container.image`*:: + -- -type: keyword - Kubernetes container image +type: keyword + -- [[exported-fields-process]] @@ -3847,24 +3847,24 @@ Fields from the Windows Event Log. *`log.file.path`*:: + -- -type: keyword +The name of the file the event was read from when Winlogbeat is reading directly from an .evtx file. -required: False -The name of the file the event was read from when Winlogbeat is reading directly from an .evtx file. +type: keyword +required: False -- *`event.code`*:: + -- -type: keyword +The code for this log message (Windows event ID). -required: False -The code for this log message (Windows event ID). +type: keyword +required: False -- @@ -3878,7 +3878,7 @@ The XML representation of the event is useful for troubleshooting purposes. The -- [float] -== winlog fields +=== winlog All fields specific to the Windows Event Log are defined here. 
@@ -3887,167 +3887,167 @@ All fields specific to the Windows Event Log are defined here. *`winlog.api`*:: + -- -required: True - The event log API type used to read the record. The possible values are "wineventlog" for the Windows Event Log API or "eventlogging" for the Event Logging API. The Event Logging API was designed for Windows Server 2003 or Windows 2000 operating systems. In Windows Vista, the event logging infrastructure was redesigned. On Windows Vista or later operating systems, the Windows Event Log API is used. Winlogbeat automatically detects which API to use for reading event logs. +required: True + -- *`winlog.activity_id`*:: + -- -type: keyword +A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. -required: False -A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity. +type: keyword +required: False -- *`winlog.computer_name`*:: + -- -type: keyword +The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. -required: True -The name of the computer that generated the record. When using Windows event forwarding, this name can differ from `agent.hostname`. +type: keyword +required: True -- *`winlog.event_data`*:: + -- -type: object +The event-specific data. This field is mutually exclusive with `user_data`. If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. -required: False -The event-specific data. This field is mutually exclusive with `user_data`. 
If you are capturing event data on versions prior to Windows Vista, the parameters in `event_data` are named `param1`, `param2`, and so on, because event log parameters are unnamed in earlier versions of Windows. +type: object +required: False -- *`winlog.event_id`*:: + -- -type: keyword +The event identifier. The value is specific to the source of the event. -required: True -The event identifier. The value is specific to the source of the event. +type: keyword +required: True -- *`winlog.keywords`*:: + -- -type: keyword +The keywords are used to classify an event. -required: False -The keywords are used to classify an event. +type: keyword +required: False -- *`winlog.channel`*:: + -- -type: keyword +The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. -required: True -The name of the channel from which this record was read. This value is one of the names from the `event_logs` collection in the configuration. +type: keyword +required: True -- *`winlog.record_id`*:: + -- -type: keyword +The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. -required: True -The record ID of the event log record. The first record written to an event log is record number 1, and other records are numbered sequentially. If the record number reaches the maximum value (2^32^ for the Event Logging API and 2^64^ for the Windows Event Log API), the next record number will be 0. +type: keyword +required: True -- *`winlog.related_activity_id`*:: + -- -type: keyword +A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. 
-required: False -A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their `activity_id` identifier. +type: keyword +required: False -- *`winlog.opcode`*:: + -- -type: keyword +The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. -required: False -The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. +type: keyword +required: False -- *`winlog.provider_guid`*:: + -- -type: keyword +A globally unique identifier that identifies the provider that logged the event. -required: False -A globally unique identifier that identifies the provider that logged the event. +type: keyword +required: False -- *`winlog.process.pid`*:: + -- -type: long +The process_id of the Client Server Runtime Process. -required: False -The process_id of the Client Server Runtime Process. +type: long +required: False -- *`winlog.provider_name`*:: + -- -type: keyword +The source of the event log record (the application or service that logged the record). -required: True -The source of the event log record (the application or service that logged the record). +type: keyword +required: True -- *`winlog.task`*:: + -- -type: keyword +The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. -required: False -The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged. The category used by the Event Logging API (on pre Windows Vista operating systems) is written to this field. +type: keyword +required: False -- 
@@ -4063,63 +4063,63 @@ required: False *`winlog.user_data`*:: + -- -type: object +The event specific data. This field is mutually exclusive with `event_data`. -required: False -The event specific data. This field is mutually exclusive with `event_data`. +type: object +required: False -- *`winlog.user.identifier`*:: + -- -type: keyword +The Windows security identifier (SID) of the account associated with this event. -example: S-1-5-21-3541430928-2051711210-1391384369-1001 +If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. -required: False -The Windows security identifier (SID) of the account associated with this event. +type: keyword -If Winlogbeat cannot resolve the SID to a name, then the `user.name`, `user.domain`, and `user.type` fields will be omitted from the event. If you discover Winlogbeat not resolving SIDs, review the log for clues as to what the problem may be. +example: S-1-5-21-3541430928-2051711210-1391384369-1001 +required: False -- *`winlog.user.domain`*:: + -- -type: keyword +The domain that the account associated with this event is a member of. -required: False -The domain that the account associated with this event is a member of. +type: keyword +required: False -- *`winlog.user.type`*:: + -- -type: keyword +The type of account associated with this event. -required: False -The type of account associated with this event. +type: keyword +required: False -- *`winlog.version`*:: + -- +The version number of the event's definition. + type: long required: False -The version number of the event's definition. - -- diff --git a/x-pack/functionbeat/docs/fields.asciidoc b/x-pack/functionbeat/docs/fields.asciidoc index 732464b0d9e..4d57d1d1cda 100644 --- a/x-pack/functionbeat/docs/fields.asciidoc +++ b/x-pack/functionbeat/docs/fields.asciidoc 
@@ -33,10 +33,10 @@ Contains common beat fields available in all event types. *`agent.hostname`*:: + -- -type: keyword - Hostname of the agent. +type: keyword + -- *`beat.timezone`*:: @@ -51,15 +51,15 @@ alias to: event.timezone *`fields`*:: + -- -type: object - Contains user configurable fields. +type: object + -- [float] -== error fields +=== error Error fields containing additional info in case of errors. @@ -68,11 +68,11 @@ Error fields containing additional info in case of errors. *`error.type`*:: + -- -type: keyword - Error type. +type: keyword + -- *`beat.name`*:: @@ -96,10 +96,10 @@ alias to: agent.hostname *`timeseries.instance`*:: + -- -type: keyword - Time series instance id +type: keyword + -- [[exported-fields-cloud]] @@ -112,11 +112,11 @@ Metadata from cloud providers added by the add_cloud_metadata processor. *`cloud.project.id`*:: + -- -example: project-x - Name of the project in Google Cloud. +example: project-x + -- *`meta.cloud.provider`*:: @@ -220,11 +220,11 @@ alias to: container.name *`docker.container.labels`*:: + -- -type: object - Image labels. +type: object + -- [[exported-fields-ecs]] 
@@ -236,58 +236,58 @@ ECS Fields. *`@timestamp`*:: + -- +Date/time when the event originated. +This is the date/time extracted from the event, typically representing when the event was generated by the source. +If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. +Required field for all events. + type: date example: 2016-05-23T08:05:34.853Z required: True -Date/time when the event originated. -This is the date/time extracted from the event, typically representing when the event was generated by the source. -If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. -Required field for all events. - -- *`labels`*:: + -- -type: object - -example: {'application': 'foo-bar', 'env': 'production'} - Custom key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: `docker` and `k8s` labels. +type: object + +example: {'application': 'foo-bar', 'env': 'production'} + -- *`message`*:: + -- -type: text - -example: Hello World - For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. +type: text + +example: Hello World + -- *`tags`*:: + -- +List of keywords used to tag each event. + type: keyword example: ["production", "env2"] -List of keywords used to tag each event. - -- [float] -== agent fields +=== agent The agent fields contain the data about the software entity, if any, that collects, detects, or observes events on a host, or takes measurements on a host. Examples include Beats. Agents may also run on observers. 
ECS agent.* fields shall be populated with details of the agent running on the host or observer where the event happened or the measurement was taken. 
@@ -296,65 +296,65 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha *`agent.ephemeral_id`*:: + -- +Ephemeral identifier of this agent (if one exists). +This id normally changes across restarts, but `agent.id` does not. + type: keyword example: 8a4f500f -Ephemeral identifier of this agent (if one exists). -This id normally changes across restarts, but `agent.id` does not. - -- *`agent.id`*:: + -- +Unique identifier of this agent (if one exists). +Example: For Beats this would be beat.id. + type: keyword example: 8a4f500d -Unique identifier of this agent (if one exists). -Example: For Beats this would be beat.id. - -- *`agent.name`*:: + -- -type: keyword - -example: foo - Custom name of the agent. This is a name that can be given to an agent. This can be helpful if for example two Filebeat instances are running on the same host but a human readable separation is needed on which Filebeat instance data is coming from. If no name is given, the name is often left empty. +type: keyword + +example: foo + -- *`agent.type`*:: + -- +Type of the agent. +The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. + type: keyword example: filebeat -Type of the agent. -The agent type stays always the same and should be given by the agent used. In case of Filebeat the agent would always be Filebeat also if two Filebeat instances are run on the same machine. - -- *`agent.version`*:: + -- +Version of the agent. + type: keyword example: 6.0.0-rc2 -Version of the agent. - -- [float] -== client fields +=== client A client is defined as the initiator of a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the client is the initiator of the TCP connection that sends the SYN packet(s). 
For other protocols, the client is generally the initiator or requestor in the network transaction. Some systems use the term "originator" to refer the client in TCP connections. The client fields describe details about the system acting as the client in the network event. Client fields are usually populated in conjunction with server fields. Client fields are generally not populated for packet-level events. 
@@ -364,234 +364,234 @@ Client / server representations can add semantic context to an exchange, which i *`client.address`*:: + -- -type: keyword - Some event client addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`client.bytes`*:: + -- +Bytes sent from the client to the server. + type: long example: 184 format: bytes -Bytes sent from the client to the server. - -- *`client.domain`*:: + -- -type: keyword - Client domain. +type: keyword + -- *`client.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`client.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`client.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`client.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`client.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`client.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`client.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`client.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`client.ip`*:: + -- -type: ip - IP address of the client. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`client.mac`*:: + -- -type: keyword - MAC address of the client. +type: keyword + -- *`client.packets`*:: + -- +Packets sent from the client to the server. + type: long example: 12 -Packets sent from the client to the server. - -- *`client.port`*:: + -- -type: long - Port of the client. +type: long + -- *`client.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`client.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`client.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`client.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`client.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`client.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`client.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== cloud fields +=== cloud Fields related to the cloud or infrastructure the events are coming from. 
@@ -599,81 +599,81 @@ Fields related to the cloud or infrastructure the events are coming from. *`cloud.account.id`*:: + -- +The cloud account or organization id used to identify different entities in a multi-tenant environment. +Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. + type: keyword example: 666777888999 -The cloud account or organization id used to identify different entities in a multi-tenant environment. -Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. - -- *`cloud.availability_zone`*:: + -- +Availability zone in which this host is running. + type: keyword example: us-east-1c -Availability zone in which this host is running. - -- *`cloud.instance.id`*:: + -- +Instance ID of the host machine. + type: keyword example: i-1234567890abcdef0 -Instance ID of the host machine. - -- *`cloud.instance.name`*:: + -- -type: keyword - Instance name of the host machine. +type: keyword + -- *`cloud.machine.type`*:: + -- +Machine type of the host machine. + type: keyword example: t2.medium -Machine type of the host machine. - -- *`cloud.provider`*:: + -- +Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + type: keyword example: aws -Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. - -- *`cloud.region`*:: + -- +Region in which this host is running. + type: keyword example: us-east-1 -Region in which this host is running. - -- [float] -== container fields +=== container Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime. 
@@ -682,61 +682,61 @@ These fields help correlate data based containers from any runtime. *`container.id`*:: + -- -type: keyword - Unique container id. +type: keyword + -- *`container.image.name`*:: + -- -type: keyword - Name of the image the container was built on. +type: keyword + -- *`container.image.tag`*:: + -- -type: keyword - Container image tag. +type: keyword + -- *`container.labels`*:: + -- -type: object - Image labels. +type: object + -- *`container.name`*:: + -- -type: keyword - Container name. +type: keyword + -- *`container.runtime`*:: + -- +Runtime managing this container. + type: keyword example: docker -Runtime managing this container. - -- [float] -== destination fields +=== destination Destination fields describe details about the destination of a packet/event. Destination fields are usually populated in conjunction with source fields. 
@@ -745,234 +745,234 @@ Destination fields are usually populated in conjunction with source fields. *`destination.address`*:: + -- -type: keyword - Some event destination addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`destination.bytes`*:: + -- +Bytes sent from the destination to the source. + type: long example: 184 format: bytes -Bytes sent from the destination to the source. - -- *`destination.domain`*:: + -- -type: keyword - Destination domain. +type: keyword + -- *`destination.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`destination.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`destination.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`destination.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`destination.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`destination.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`destination.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`destination.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`destination.ip`*:: + -- -type: ip - IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`destination.mac`*:: + -- -type: keyword - MAC address of the destination. +type: keyword + -- *`destination.packets`*:: + -- +Packets sent from the destination to the source. + type: long example: 12 -Packets sent from the destination to the source. - -- *`destination.port`*:: + -- -type: long - Port of the destination. +type: long + -- *`destination.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`destination.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`destination.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`destination.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`destination.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`destination.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`destination.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== ecs fields +=== ecs Meta-information specific to ECS. 
@@ -980,19 +980,19 @@ Meta-information specific to ECS. *`ecs.version`*:: + -- +ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. +When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. + type: keyword example: 1.0.0 required: True -ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. -When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. - -- [float] -== error fields +=== error These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error. @@ -1001,32 +1001,32 @@ Use them for errors that happen while fetching events or in cases where the even *`error.code`*:: + -- -type: keyword - Error code describing the error. +type: keyword + -- *`error.id`*:: + -- -type: keyword - Unique identifier for the error. +type: keyword + -- *`error.message`*:: + -- -type: text - Error message. +type: text + -- [float] -== event fields +=== event The event fields are used for context information about the log or metric event itself. A log is defined as an event containing details of something that happened. Log events must include the time at which the thing happened. Examples of log events include a process starting on a host, a network packet being sent from a source to a destination, or a network connection between a client and a server being initiated or closed. A metric is defined as an event containing one or more numerical or categorical measurements and the time at which the measurement was taken. Examples of metric events include memory pressure measured on a host, or vulnerabilities measured on a scanned host. 
@@ -1035,203 +1035,203 @@ A log is defined as an event containing details of something that happened. Log *`event.action`*:: + -- +The action captured by the event. +This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. + type: keyword example: user-password-change -The action captured by the event. -This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. - -- *`event.category`*:: + -- +Event category. +This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: user-management -Event category. -This contains high-level information about the contents of the event. It is more generic than `event.action`, in the sense that typically a category contains multiple actions. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.created`*:: + -- -type: date - event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
+type: date + -- *`event.dataset`*:: + -- +Name of the dataset. +The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. + type: keyword example: stats -Name of the dataset. -The concept of a `dataset` (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name. - -- *`event.duration`*:: + -- +Duration of the event in nanoseconds. +If event.start and event.end are known this value should be the difference between the end and start time. + type: long format: duration -Duration of the event in nanoseconds. -If event.start and event.end are known this value should be the difference between the end and start time. - -- *`event.end`*:: + -- -type: date - event.end contains the date when the event ended or when the activity was last observed. +type: date + -- *`event.hash`*:: + -- +Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. + type: keyword example: 123456789012345678901234567890ABCD -Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. - -- *`event.id`*:: + -- +Unique ID to describe the event. + type: keyword example: 8a4f500d -Unique ID to describe the event. - -- *`event.kind`*:: + -- +The kind of the event. +This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: state -The kind of the event. -This gives information about what type of information the event contains, without being specific to the contents of the event. Examples are `event`, `state`, `alarm`. 
Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.module`*:: + -- +Name of the module this data is coming from. +This information is coming from the modules used in Beats or Logstash. + type: keyword example: mysql -Name of the module this data is coming from. -This information is coming from the modules used in Beats or Logstash. - -- *`event.original`*:: + -- +Raw text message of entire event. Used to demonstrate log integrity. +This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. + type: keyword example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232 -Raw text message of entire event. Used to demonstrate log integrity. -This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. - -- *`event.outcome`*:: + -- +The outcome of the event. +If the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. + type: keyword example: success -The outcome of the event. -If the event describes an action, this fields contains the outcome of that action. Examples outcomes are `success` and `failure`. Warning: In future versions of ECS, we plan to provide a list of acceptable values for this field, please use with caution. - -- *`event.risk_score`*:: + -- -type: float - Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +type: float + -- *`event.risk_score_norm`*:: + -- -type: float - Normalized risk score or priority of the event, on a scale of 0 to 100. 
This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. +type: float + -- *`event.severity`*:: + -- +Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events. + type: long example: 7 -Severity describes the original severity of the event. What the different severity values mean can very different between use cases. It's up to the implementer to make sure severities are consistent across events. - -- *`event.start`*:: + -- -type: date - event.start contains the date when the event started or when the activity was first observed. +type: date + -- *`event.timezone`*:: + -- -type: keyword - This field should be populated when the event's timestamp does not include timezone information already (e.g. default Syslog timestamps). It's optional otherwise. Acceptable timezone formats are: a canonical ID (e.g. "Europe/Amsterdam"), abbreviated (e.g. "EST") or an HH:mm differential (e.g. "-05:00"). +type: keyword + -- *`event.type`*:: + -- -type: keyword - Reserved for future usage. Please avoid using this field for user data. +type: keyword + -- [float] -== file fields +=== file A file is defined as a set of information that has been created on, or has existed on a filesystem. File objects can be associated with host events, network events, and/or file events (e.g., those produced by File Integrity Monitoring [FIM] products or services). File fields provide details about the affected file associated with the event or metric. 
@@ -1240,136 +1240,136 @@ File objects can be associated with host events, network events, and/or file eve *`file.ctime`*:: + -- -type: date - Last time file metadata changed. +type: date + -- *`file.device`*:: + -- -type: keyword - Device that is the source of the file. +type: keyword + -- *`file.extension`*:: + -- +File extension. +This should allow easy filtering by file extensions. + type: keyword example: png -File extension. -This should allow easy filtering by file extensions. - -- *`file.gid`*:: + -- -type: keyword - Primary group ID (GID) of the file. +type: keyword + -- *`file.group`*:: + -- -type: keyword - Primary group name of the file. +type: keyword + -- *`file.inode`*:: + -- -type: keyword - Inode representing the file in the filesystem. +type: keyword + -- *`file.mode`*:: + -- +Mode of the file in octal representation. + type: keyword example: 416 -Mode of the file in octal representation. - -- *`file.mtime`*:: + -- -type: date - Last time file content was modified. +type: date + -- *`file.owner`*:: + -- -type: keyword - File owner's username. +type: keyword + -- *`file.path`*:: + -- -type: keyword - Path to the file. +type: keyword + -- *`file.size`*:: + -- -type: long - File size in bytes (field is only added when `type` is `file`). +type: long + -- *`file.target_path`*:: + -- -type: keyword - Target path for symlinks. +type: keyword + -- *`file.type`*:: + -- -type: keyword - File type (file, dir, or symlink). +type: keyword + -- *`file.uid`*:: + -- -type: keyword - The user ID (UID) or security identifier (SID) of the file owner. +type: keyword + -- [float] -== geo fields +=== geo Geo fields can carry data about a specific location related to an event. This geolocation information can be derived from techniques such as Geo IP, or be user-supplied. 
@@ -1378,95 +1378,95 @@ This geolocation information can be derived from techniques such as Geo IP, or b *`geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- [float] -== group fields +=== group The group fields are meant to represent groups that are relevant to the event. @@ -1474,23 +1474,23 @@ The group fields are meant to represent groups that are relevant to the event. *`group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- [float] -== host fields +=== host A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes. 
@@ -1499,299 +1499,299 @@ ECS host.* fields should be populated with details about the host on which the e *`host.architecture`*:: + -- +Operating system architecture. + type: keyword example: x86_64 -Operating system architecture. - -- *`host.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`host.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`host.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`host.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`host.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`host.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`host.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`host.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`host.hostname`*:: + -- -type: keyword - Hostname of the host. It normally contains what the `hostname` command returns on the host machine. +type: keyword + -- *`host.id`*:: + -- -type: keyword - Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. +type: keyword + -- *`host.ip`*:: + -- -type: ip - Host ip address. +type: ip + -- *`host.mac`*:: + -- -type: keyword - Host mac address. +type: keyword + -- *`host.name`*:: + -- -type: keyword - Name of the host. 
It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. +type: keyword + -- *`host.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`host.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`host.os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`host.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`host.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`host.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`host.type`*:: + -- -type: keyword - Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. +type: keyword + -- *`host.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`host.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`host.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`host.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`host.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. 
Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`host.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`host.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== http fields +=== http Fields related to HTTP activity. Use the `url` field set to store the url of the request. 
@@ -1799,124 +1799,124 @@ Fields related to HTTP activity. Use the `url` field set to store the url of the *`http.request.body.bytes`*:: + -- +Size in bytes of the request body. + type: long example: 887 format: bytes -Size in bytes of the request body. - -- *`http.request.body.content`*:: + -- +The full HTTP request body. + type: keyword example: Hello world -The full HTTP request body. - -- *`http.request.bytes`*:: + -- +Total size in bytes of the request (body and headers). + type: long example: 1437 format: bytes -Total size in bytes of the request (body and headers). - -- *`http.request.method`*:: + -- +HTTP request method. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: get, post, put -HTTP request method. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`http.request.referrer`*:: + -- +Referrer for this HTTP request. + type: keyword example: https://blog.example.com/ -Referrer for this HTTP request. - -- *`http.response.body.bytes`*:: + -- +Size in bytes of the response body. + type: long example: 887 format: bytes -Size in bytes of the response body. - -- *`http.response.body.content`*:: + -- +The full HTTP response body. + type: keyword example: Hello world -The full HTTP response body. - -- *`http.response.bytes`*:: + -- +Total size in bytes of the response (body and headers). + type: long example: 1437 format: bytes -Total size in bytes of the response (body and headers). - -- *`http.response.status_code`*:: + -- +HTTP response status code. + type: long example: 404 -HTTP response status code. - -- *`http.version`*:: + -- +HTTP version. + type: keyword example: 1.1 -HTTP version. - -- [float] -== log fields +=== log Fields which are specific to log events. 
@@ -1924,30 +1924,30 @@ Fields which are specific to log events. *`log.level`*:: + -- +Original log level of the log event. +Some examples are `warn`, `error`, `i`. + type: keyword example: err -Original log level of the log event. -Some examples are `warn`, `error`, `i`. - -- *`log.original`*:: + -- -type: keyword - -example: Sep 19 08:26:10 localhost My log - This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the `message` field which can contain an extracted part of the log message, this field contains the original, full log message. It can have already some modifications applied like encoding or new lines removed to clean up the log message. This field is not indexed and doc_values are disabled so it can't be queried but the value can be retrieved from `_source`. +type: keyword + +example: Sep 19 08:26:10 localhost My log + -- [float] -== network fields +=== network The network is defined as the communication path over which a host or network event happens. The network.* fields should be populated with details about the network activity associated with an event. 
@@ -1956,48 +1956,44 @@ The network.* fields should be populated with details about the network activity *`network.application`*:: + -- +A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: aim -A name given to an application level protocol. This can be arbitrarily assigned for things like microservices, but also apply to things like skype, icq, facebook, twitter. This would be used in situations where the vendor or service can be decoded such as from the source/dest IP owners, ports, or wire format. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`network.bytes`*:: + -- +Total bytes transferred in both directions. +If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. + type: long example: 368 format: bytes -Total bytes transferred in both directions. -If `source.bytes` and `destination.bytes` are known, `network.bytes` is their sum. - -- *`network.community_id`*:: + -- +A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. +Learn more at https://github.com/corelight/community-id-spec. + type: keyword example: 1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0= -A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows. -Learn more at https://github.com/corelight/community-id-spec. - -- *`network.direction`*:: + -- -type: keyword - -example: inbound - Direction of the network traffic. 
Recommended values are: * inbound 
@@ -2009,91 +2005,95 @@ Recommended values are: When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter. +type: keyword + +example: inbound + -- *`network.forwarded_ip`*:: + -- +Host IP address when the source IP address is the proxy. + type: ip example: 192.1.1.2 -Host IP address when the source IP address is the proxy. - -- *`network.iana_number`*:: + -- +IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. + type: keyword example: 6 -IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number. - -- *`network.name`*:: + -- +Name given by operators to sections of their network. + type: keyword example: Guest Wifi -Name given by operators to sections of their network. - -- *`network.packets`*:: + -- +Total packets transferred in both directions. +If `source.packets` and `destination.packets` are known, `network.packets` is their sum. + type: long example: 24 -Total packets transferred in both directions. -If `source.packets` and `destination.packets` are known, `network.packets` is their sum. - -- *`network.protocol`*:: + -- +L7 Network protocol name. ex. http, lumberjack, transport protocol. +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: http -L7 Network protocol name. ex. http, lumberjack, transport protocol. -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". 
- -- *`network.transport`*:: + -- +Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: tcp -Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- *`network.type`*:: + -- +In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc +The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". + type: keyword example: ipv4 -In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc -The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS". - -- [float] -== observer fields +=== observer An observer is defined as a special network, security, or application device used to detect, observe, or create network, security, or application-related events and metrics. This could be a custom hardware appliance or a server that has been configured to run special network, security, or application software. Examples include firewalls, intrusion detection/prevention systems, network monitoring sensors, web application firewalls, data loss prevention systems, and APM servers. The observer.* fields shall be populated with details of the system, if any, that detects, observes and/or creates a network, security, or application event or metric. Message queues and ETL components used in processing events or metrics are not considered observers in ECS. 
@@ -2102,227 +2102,227 @@ This could be a custom hardware appliance or a server that has been configured t *`observer.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`observer.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`observer.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`observer.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`observer.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`observer.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`observer.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`observer.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`observer.hostname`*:: + -- -type: keyword - Hostname of the observer. +type: keyword + -- *`observer.ip`*:: + -- -type: ip - IP address of the observer. +type: ip + -- *`observer.mac`*:: + -- -type: keyword - MAC address of the observer +type: keyword + -- *`observer.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`observer.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`observer.os.kernel`*:: + -- +Operating system kernel version as a raw string. 
+ type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`observer.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`observer.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`observer.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`observer.serial_number`*:: + -- -type: keyword - Observer serial number. +type: keyword + -- *`observer.type`*:: + -- +The type of the observer the data is coming from. +There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. + type: keyword example: firewall -The type of the observer the data is coming from. -There is no predefined list of observer types. Some examples are `forwarder`, `firewall`, `ids`, `ips`, `proxy`, `poller`, `sensor`, `APM server`. - -- *`observer.vendor`*:: + -- -type: keyword - observer vendor information. +type: keyword + -- *`observer.version`*:: + -- -type: keyword - Observer version. +type: keyword + -- [float] -== organization fields +=== organization The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations. @@ -2331,23 +2331,23 @@ These fields help you arrange or filter data stored in an index by one or multip *`organization.id`*:: + -- -type: keyword - Unique identifier for the organization. +type: keyword + -- *`organization.name`*:: + -- -type: keyword - Organization name. +type: keyword + -- [float] -== os fields +=== os The OS fields contain information about the operating system. 
@@ -2355,71 +2355,71 @@ The OS fields contain information about the operating system. *`os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- [float] -== process fields +=== process These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The `process.pid` often stays in the metric itself and is copied to the global field for correlation. 
@@ -2428,101 +2428,101 @@ These fields can help you correlate metrics information with a process id/name f *`process.args`*:: + -- +Array of process arguments. +May be filtered to protect sensitive information. + type: keyword example: ['ssh', '-l', 'user', '10.0.0.16'] -Array of process arguments. -May be filtered to protect sensitive information. - -- *`process.executable`*:: + -- +Absolute path to the process executable. + type: keyword example: /usr/bin/ssh -Absolute path to the process executable. - -- *`process.name`*:: + -- +Process name. +Sometimes called program name or similar. + type: keyword example: ssh -Process name. -Sometimes called program name or similar. - -- *`process.pid`*:: + -- -type: long - Process id. +type: long + -- *`process.ppid`*:: + -- -type: long - Process parent id. +type: long + -- *`process.start`*:: + -- +The time the process started. + type: date example: 2016-05-23T08:05:34.853Z -The time the process started. - -- *`process.thread.id`*:: + -- +Thread ID. + type: long example: 4242 -Thread ID. - -- *`process.title`*:: + -- -type: keyword - Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. +type: keyword + -- *`process.working_directory`*:: + -- +The working directory of the process. + type: keyword example: /home/alice -The working directory of the process. - -- [float] -== related fields +=== related This field set is meant to facilitate pivoting around a piece of data. Some pieces of information can be seen in many places in an ECS event. To facilitate searching for them, store an array of all seen values to their corresponding field in `related.`. 
@@ -2532,14 +2532,14 @@ A concrete example is IP addresses, which can be under host, observer, source, d *`related.ip`*:: + -- -type: ip - All of the IPs seen on your event. +type: ip + -- [float] -== server fields +=== server A Server is defined as the responder in a network connection for events regarding sessions, connections, or bidirectional flow records. For TCP events, the server is the receiver of the initial SYN packet(s) of the TCP connection. For other protocols, the server is generally the responder in the network transaction. Some systems actually use the term "responder" to refer the server in TCP connections. The server fields describe details about the system acting as the server in the network event. Server fields are usually populated in conjunction with client fields. Server fields are generally not populated for packet-level events. 
@@ -2549,234 +2549,234 @@ Client / server representations can add semantic context to an exchange, which i *`server.address`*:: + -- -type: keyword - Some event server addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`server.bytes`*:: + -- +Bytes sent from the server to the client. + type: long example: 184 format: bytes -Bytes sent from the server to the client. - -- *`server.domain`*:: + -- -type: keyword - Server domain. +type: keyword + -- *`server.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`server.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`server.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`server.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`server.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`server.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`server.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`server.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`server.ip`*:: + -- -type: ip - IP address of the server. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`server.mac`*:: + -- -type: keyword - MAC address of the server. +type: keyword + -- *`server.packets`*:: + -- +Packets sent from the server to the client. + type: long example: 12 -Packets sent from the server to the client. - -- *`server.port`*:: + -- -type: long - Port of the server. +type: long + -- *`server.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`server.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`server.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`server.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`server.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`server.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`server.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== service fields +=== service The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version. 
@@ -2785,78 +2785,78 @@ These fields help you find and correlate logs for a specific service and version *`service.ephemeral_id`*:: + -- +Ephemeral identifier of this service (if one exists). +This id normally changes across restarts, but `service.id` does not. + type: keyword example: 8a4f500f -Ephemeral identifier of this service (if one exists). -This id normally changes across restarts, but `service.id` does not. - -- *`service.id`*:: + -- -type: keyword - -example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 - Unique identifier of the running service. This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance. +type: keyword + +example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 + -- *`service.name`*:: + -- -type: keyword - -example: elasticsearch-metrics - Name of the service data is collected from. The name of the service is normally user given. This allows if two instances of the same service are running on the same machine they can be differentiated by the `service.name`. Also it allows for distributed services that run on multiple hosts to correlate the related instances based on the name. In the case of Elasticsearch the service.name could contain the cluster name. For Beats the service.name is by default a copy of the `service.type` field if no name is specified. +type: keyword + +example: elasticsearch-metrics + -- *`service.state`*:: + -- -type: keyword - Current state of the service. +type: keyword + -- *`service.type`*:: + -- -type: keyword - -example: elasticsearch - The type of the service data is collected from. The type can be used to group and correlate logs and metrics from one service type. Example: If logs or metrics are collected from Elasticsearch, `service.type` would be `elasticsearch`. 
+type: keyword + +example: elasticsearch + -- *`service.version`*:: + -- +Version of the service the data was collected from. +This allows to look at a data set only for a specific version of a service. + type: keyword example: 3.2.4 -Version of the service the data was collected from. -This allows to look at a data set only for a specific version of a service. - -- [float] -== source fields +=== source Source fields describe details about the source of a packet/event. Source fields are usually populated in conjunction with destination fields. 
@@ -2865,234 +2865,234 @@ Source fields are usually populated in conjunction with destination fields. *`source.address`*:: + -- -type: keyword - Some event source addresses are defined ambiguously. The event will sometimes list an IP, a domain or a unix socket. You should always store the raw address in the `.address` field. Then it should be duplicated to `.ip` or `.domain`, depending on which one it is. +type: keyword + -- *`source.bytes`*:: + -- +Bytes sent from the source to the destination. + type: long example: 184 format: bytes -Bytes sent from the source to the destination. - -- *`source.domain`*:: + -- -type: keyword - Source domain. +type: keyword + -- *`source.geo.city_name`*:: + -- +City name. + type: keyword example: Montreal -City name. - -- *`source.geo.continent_name`*:: + -- +Name of the continent. + type: keyword example: North America -Name of the continent. - -- *`source.geo.country_iso_code`*:: + -- +Country ISO code. + type: keyword example: CA -Country ISO code. - -- *`source.geo.country_name`*:: + -- +Country name. + type: keyword example: Canada -Country name. - -- *`source.geo.location`*:: + -- +Longitude and latitude. + type: geo_point example: { "lon": -73.614830, "lat": 45.505918 } -Longitude and latitude. - -- *`source.geo.name`*:: + -- -type: keyword - -example: boston-dc - User-defined description of a location, at the level of granularity they care about. Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. +type: keyword + +example: boston-dc + -- *`source.geo.region_iso_code`*:: + -- +Region ISO code. + type: keyword example: CA-QC -Region ISO code. - -- *`source.geo.region_name`*:: + -- +Region name. + type: keyword example: Quebec -Region name. - -- *`source.ip`*:: + -- -type: ip - IP address of the source. Can be one or multiple IPv4 or IPv6 addresses. 
+type: ip + -- *`source.mac`*:: + -- -type: keyword - MAC address of the source. +type: keyword + -- *`source.packets`*:: + -- +Packets sent from the source to the destination. + type: long example: 12 -Packets sent from the source to the destination. - -- *`source.port`*:: + -- -type: long - Port of the source. +type: long + -- *`source.user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`source.user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`source.user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`source.user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`source.user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`source.user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`source.user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== url fields +=== url URL fields provide support for complete or partial URLs, and supports the breaking down into scheme, domain, path, and so on. 
@@ -3100,111 +3100,111 @@ URL fields provide support for complete or partial URLs, and supports the breaki *`url.domain`*:: + -- +Domain of the url, such as "www.elastic.co". +In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. + type: keyword example: www.elastic.co -Domain of the url, such as "www.elastic.co". -In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. - -- *`url.fragment`*:: + -- -type: keyword - Portion of the url after the `#`, such as "top". The `#` is not part of the fragment. +type: keyword + -- *`url.full`*:: + -- +If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. + type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top -If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. - -- *`url.original`*:: + -- -type: keyword - -example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch - Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. +type: keyword + +example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch + -- *`url.password`*:: + -- -type: keyword - Password of the request. +type: keyword + -- *`url.path`*:: + -- -type: keyword - Path of the request, such as "/search". +type: keyword + -- *`url.port`*:: + -- +Port of the request, such as 443. + type: long example: 443 -Port of the request, such as 443. 
- -- *`url.query`*:: + -- -type: keyword - The query field describes the query string of the request, such as "q=elasticsearch". The `?` is excluded from the query string. If a URL contains no `?`, there is no query field. If there is a `?` but no query, the query field exists with an empty string. The `exists` query can be used to differentiate between the two cases. +type: keyword + -- *`url.scheme`*:: + -- +Scheme of the request, such as "https". +Note: The `:` is not part of the scheme. + type: keyword example: https -Scheme of the request, such as "https". -Note: The `:` is not part of the scheme. - -- *`url.username`*:: + -- -type: keyword - Username of the request. +type: keyword + -- [float] -== user fields +=== user The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. 
@@ -3213,73 +3213,73 @@ Fields can have one entry or multiple entries. If a user has more than one id, p *`user.email`*:: + -- -type: keyword - User email address. +type: keyword + -- *`user.full_name`*:: + -- +User's full name, if available. + type: keyword example: Albert Einstein -User's full name, if available. - -- *`user.group.id`*:: + -- -type: keyword - Unique identifier for the group on the system/platform. +type: keyword + -- *`user.group.name`*:: + -- -type: keyword - Name of the group. +type: keyword + -- *`user.hash`*:: + -- -type: keyword - Unique user hash to correlate information for a user in anonymized form. Useful if `user.id` or `user.name` contain confidential information and cannot be used. +type: keyword + -- *`user.id`*:: + -- -type: keyword - One or multiple unique identifiers of the user. +type: keyword + -- *`user.name`*:: + -- +Short name or login of the user. + type: keyword example: albert -Short name or login of the user. - -- [float] -== user_agent fields +=== user_agent The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string. 
@@ -3288,111 +3288,111 @@ They often show up in web service logs coming from the parsed user agent string. *`user_agent.device.name`*:: + -- +Name of the device. + type: keyword example: iPhone -Name of the device. - -- *`user_agent.name`*:: + -- +Name of the user agent. + type: keyword example: Safari -Name of the user agent. - -- *`user_agent.original`*:: + -- +Unparsed version of the user_agent. + type: keyword example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 -Unparsed version of the user_agent. - -- *`user_agent.os.family`*:: + -- +OS family (such as redhat, debian, freebsd, windows). + type: keyword example: debian -OS family (such as redhat, debian, freebsd, windows). - -- *`user_agent.os.full`*:: + -- +Operating system name, including the version or code name. + type: keyword example: Mac OS Mojave -Operating system name, including the version or code name. - -- *`user_agent.os.kernel`*:: + -- +Operating system kernel version as a raw string. + type: keyword example: 4.4.0-112-generic -Operating system kernel version as a raw string. - -- *`user_agent.os.name`*:: + -- +Operating system name, without the version. + type: keyword example: Mac OS X -Operating system name, without the version. - -- *`user_agent.os.platform`*:: + -- +Operating system platform (such centos, ubuntu, windows). + type: keyword example: darwin -Operating system platform (such centos, ubuntu, windows). - -- *`user_agent.os.version`*:: + -- +Operating system version as a raw string. + type: keyword example: 10.14.1 -Operating system version as a raw string. - -- *`user_agent.version`*:: + -- +Version of the user agent. + type: keyword example: 12.0 -Version of the user agent. - -- [[exported-fields-functionbeat]] 
@@ -3411,34 +3411,34 @@ Info collected for the host machine. *`host.containerized`*:: + -- -type: boolean - If the host is a container. +type: boolean + -- *`host.os.build`*:: + -- -type: keyword +OS build information. -example: 18D109 -OS build information. +type: keyword +example: 18D109 -- *`host.os.codename`*:: + -- -type: keyword +OS codename, if any. -example: stretch -OS codename, if any. +type: keyword +example: stretch -- @@ -3452,71 +3452,71 @@ Metadata from Jolokia Discovery added by the jolokia provider. *`jolokia.agent.version`*:: + -- -type: keyword - Version number of jolokia agent. +type: keyword + -- *`jolokia.agent.id`*:: + -- -type: keyword - Each agent has a unique id which can be either provided during startup of the agent in form of a configuration parameter or being autodetected. If autodected, the id has several parts: The IP, the process id, hashcode of the agent and its type. +type: keyword + -- *`jolokia.server.product`*:: + -- -type: keyword - The container product if detected. +type: keyword + -- *`jolokia.server.version`*:: + -- -type: keyword - The container's version (if detected). +type: keyword + -- *`jolokia.server.vendor`*:: + -- -type: keyword - The vendor of the container the agent is running in. +type: keyword + -- *`jolokia.url`*:: + -- -type: keyword - The URL how this agent can be contacted. +type: keyword + -- *`jolokia.secured`*:: + -- -type: boolean - Whether the agent was configured for authentication or not. +type: boolean + -- [[exported-fields-kubernetes-processor]] 
@@ -3530,111 +3530,111 @@ Kubernetes metadata added by the kubernetes processor *`kubernetes.pod.name`*:: + -- -type: keyword - Kubernetes pod name +type: keyword + -- *`kubernetes.pod.uid`*:: + -- -type: keyword - Kubernetes Pod UID +type: keyword + -- *`kubernetes.namespace`*:: + -- -type: keyword - Kubernetes namespace +type: keyword + -- *`kubernetes.node.name`*:: + -- -type: keyword - Kubernetes node name +type: keyword + -- *`kubernetes.labels`*:: + -- -type: object - Kubernetes labels map +type: object + -- *`kubernetes.annotations`*:: + -- -type: object - Kubernetes annotations map +type: object + -- *`kubernetes.replicaset.name`*:: + -- -type: keyword - Kubernetes replicaset name +type: keyword + -- *`kubernetes.deployment.name`*:: + -- -type: keyword - Kubernetes deployment name +type: keyword + -- *`kubernetes.statefulset.name`*:: + -- -type: keyword - Kubernetes statefulset name +type: keyword + -- *`kubernetes.container.name`*:: + -- -type: keyword - Kubernetes container name +type: keyword + -- *`kubernetes.container.image`*:: + -- -type: keyword - Kubernetes container image +type: keyword + -- [[exported-fields-process]]