fields.asciidoc

Exported fields

AMQP fields

AMQP specific event fields.

amqp.reply-code

type: long

example: 404

AMQP reply code to an error, similar to an HTTP reply code.

amqp.reply-text

type: keyword

Text explaining the error.

amqp.class-id

type: long

Failing method class.

amqp.method-id

type: long

Failing method ID.

amqp.exchange

type: keyword

Name of the exchange.

amqp.exchange-type

type: keyword

example: fanout

Exchange type.

amqp.passive

type: boolean

If set, do not create exchange/queue.

amqp.durable

type: boolean

If set, request a durable exchange/queue.

amqp.exclusive

type: boolean

If set, request an exclusive queue.

amqp.auto-delete

type: boolean

If set, auto-delete queue when unused.

amqp.no-wait

type: boolean

If set, the server will not respond to the method.

amqp.consumer-tag

Identifier for the consumer, valid within the current channel.

amqp.delivery-tag

type: long

The server-assigned and channel-specific delivery tag.

amqp.message-count

type: long

The number of messages in the queue, which will be zero for newly-declared queues.

amqp.consumer-count

type: long

The number of consumers of a queue.

amqp.routing-key

type: keyword

Message routing key.

amqp.no-ack

type: boolean

If set, the server does not expect acknowledgements for messages.

amqp.no-local

type: boolean

If set, the server will not send messages to the connection that published them.

amqp.if-unused

type: boolean

Delete only if unused.

amqp.if-empty

type: boolean

Delete only if empty.

amqp.queue

type: keyword

The queue name identifies the queue within the vhost.

amqp.redelivered

type: boolean

Indicates that the message has been previously delivered to this or another client.

amqp.multiple

type: boolean

Acknowledge multiple messages.

amqp.arguments

type: object

Optional additional arguments passed to some methods. Can be of various types.

amqp.mandatory

type: boolean

Indicates mandatory routing.

amqp.immediate

type: boolean

Request immediate delivery.

amqp.content-type

type: keyword

example: text/plain

MIME content type.

amqp.content-encoding

type: keyword

MIME content encoding.

amqp.headers

type: object

Message header field table.

amqp.delivery-mode

type: keyword

Non-persistent (1) or persistent (2).

amqp.priority

type: long

Message priority, 0 to 9.

amqp.correlation-id

type: keyword

Application correlation identifier.

amqp.reply-to

type: keyword

Address to reply to.

amqp.expiration

type: keyword

Message expiration specification.

amqp.message-id

type: keyword

Application message identifier.

amqp.timestamp

type: keyword

Message timestamp.

amqp.type

type: keyword

Message type name.

amqp.user-id

type: keyword

Creating user id.

amqp.app-id

type: keyword

Creating application id.

Beat fields

Contains common beat fields available in all event types.

beat.name

The name of the Beat sending the log messages. If the Beat name is set in the configuration file, then that value is used. If it is not set, the hostname is used. To set the Beat name, use the name option in the configuration file.

beat.hostname

The hostname as returned by the operating system on which the Beat is running.

beat.timezone

The timezone as returned by the operating system on which the Beat is running.

beat.version

The version of the beat that generated this event.

@timestamp

type: date

example: August 26th 2016, 12:35:53.332

format: date

required: True

The timestamp when the event log record was generated.

tags

Arbitrary tags that can be set per Beat and per transaction type.

fields

type: object

Contains user configurable fields.

error fields

Error fields containing additional info in case of errors.

error.type

type: keyword

Error type.

Cassandra fields

Cassandra v4/3 specific event fields.

cassandra fields

Information about the Cassandra request and response.

request fields

Cassandra request.

headers fields

Cassandra request headers.

cassandra.request.headers.version

type: long

The version of the protocol.

cassandra.request.headers.flags

type: keyword

Flags applying to this frame.

cassandra.request.headers.stream

type: keyword

A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X.

cassandra.request.headers.op

type: keyword

An operation type that distinguishes the actual message.

cassandra.request.headers.length

type: long

An integer representing the length of the body of the frame (a frame is limited to 256MB in length).

cassandra.request.query

type: keyword

The CQL query that the client sends to Cassandra.

response fields

Cassandra response.

headers fields

Cassandra response headers; the structure is the same as the request headers.

cassandra.response.headers.version

type: long

The version of the protocol.

cassandra.response.headers.flags

type: keyword

Flags applying to this frame.

cassandra.response.headers.stream

type: keyword

A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X.

cassandra.response.headers.op

type: keyword

An operation type that distinguishes the actual message.

cassandra.response.headers.length

type: long

An integer representing the length of the body of the frame (a frame is limited to 256MB in length).

result fields

Details about the returned result.

cassandra.response.result.type

type: keyword

Cassandra result type.

rows fields

Details about the rows.

cassandra.response.result.rows.num_rows

type: long

Representing the number of rows present in this result.

meta fields

Composed of result metadata.

cassandra.response.result.rows.meta.keyspace

type: keyword

The keyspace name. Only present when Global_tables_spec is set.

cassandra.response.result.rows.meta.table

type: keyword

The table name. Only present when Global_tables_spec is set.

cassandra.response.result.rows.meta.flags

type: keyword

Provides information on the formatting of the remaining information.

cassandra.response.result.rows.meta.col_count

type: long

Representing the number of columns selected by the query that produced this result.

cassandra.response.result.rows.meta.pkey_columns

type: long

Representing the PK columns index and counts.

cassandra.response.result.rows.meta.paging_state

type: keyword

The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.

cassandra.response.result.keyspace

type: keyword

Indicating the name of the keyspace that has been set.

schema_change fields

The result to a schema_change message.

cassandra.response.result.schema_change.change

type: keyword

Representing the type of change involved.

cassandra.response.result.schema_change.keyspace

type: keyword

This describes which keyspace has changed.

cassandra.response.result.schema_change.table

type: keyword

This describes which table has changed.

cassandra.response.result.schema_change.object

type: keyword

This describes the name of said affected object (either the table, user type, function, or aggregate name).

cassandra.response.result.schema_change.target

type: keyword

Target could be "FUNCTION" or "AGGREGATE", multiple arguments.

cassandra.response.result.schema_change.name

type: keyword

The function/aggregate name.

cassandra.response.result.schema_change.args

type: keyword

One string for each argument type (as CQL type).

prepared fields

The result to a PREPARE message.

cassandra.response.result.prepared.prepared_id

type: keyword

Representing the prepared query ID.

req_meta fields

This describes the request metadata.

cassandra.response.result.prepared.req_meta.keyspace

type: keyword

The keyspace name. Only present when Global_tables_spec is set.

cassandra.response.result.prepared.req_meta.table

type: keyword

The table name. Only present when Global_tables_spec is set.

cassandra.response.result.prepared.req_meta.flags

type: keyword

Provides information on the formatting of the remaining information.

cassandra.response.result.prepared.req_meta.col_count

type: long

Representing the number of columns selected by the query that produced this result.

cassandra.response.result.prepared.req_meta.pkey_columns

type: long

Representing the PK columns index and counts.

cassandra.response.result.prepared.req_meta.paging_state

type: keyword

The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.

resp_meta fields

This describes the metadata for the result set.

cassandra.response.result.prepared.resp_meta.keyspace

type: keyword

The keyspace name. Only present when Global_tables_spec is set.

cassandra.response.result.prepared.resp_meta.table

type: keyword

The table name. Only present when Global_tables_spec is set.

cassandra.response.result.prepared.resp_meta.flags

type: keyword

Provides information on the formatting of the remaining information.

cassandra.response.result.prepared.resp_meta.col_count

type: long

Representing the number of columns selected by the query that produced this result.

cassandra.response.result.prepared.resp_meta.pkey_columns

type: long

Representing the PK columns index and counts.

cassandra.response.result.prepared.resp_meta.paging_state

type: keyword

The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.

cassandra.response.supported

type: object

Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message.

authentication fields

Indicates that the server requires authentication, and which authentication mechanism to use.

cassandra.response.authentication.class

type: keyword

Indicates the full class name of the IAuthenticator in use.

cassandra.response.warnings

type: keyword

The text of the warnings; only present when the Warning flag was set.

event fields

Event pushed by the server. A client will only receive events for the types it has REGISTERed to.

cassandra.response.event.type

type: keyword

Representing the event type.

cassandra.response.event.change

type: keyword

The message corresponding respectively to the type of change followed by the address of the new/removed node.

cassandra.response.event.host

type: keyword

Representing the node ip.

cassandra.response.event.port

type: long

Representing the node port.

schema_change fields

The events details related to schema change.

cassandra.response.event.schema_change.change

type: keyword

Representing the type of change involved.

cassandra.response.event.schema_change.keyspace

type: keyword

This describes which keyspace has changed.

cassandra.response.event.schema_change.table

type: keyword

This describes which table has changed.

cassandra.response.event.schema_change.object

type: keyword

This describes the name of said affected object (either the table, user type, function, or aggregate name).

cassandra.response.event.schema_change.target

type: keyword

Target could be "FUNCTION" or "AGGREGATE", multiple arguments.

cassandra.response.event.schema_change.name

type: keyword

The function/aggregate name.

cassandra.response.event.schema_change.args

type: keyword

One string for each argument type (as CQL type).

error fields

Indicates an error processing a request. The body of the message will be an error code followed by an error message. Then, depending on the exception, more content may follow.

cassandra.response.error.code

type: long

The error code of the Cassandra response.

cassandra.response.error.msg

type: keyword

The error message of the Cassandra response.

cassandra.response.error.type

type: keyword

The error type of the Cassandra response.

details fields

The details of the error.

cassandra.response.error.details.read_consistency

type: keyword

Representing the consistency level of the query that triggered the exception.

cassandra.response.error.details.required

type: long

Representing the number of nodes that should be alive to respect consistency level.

cassandra.response.error.details.alive

type: long

Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered).

cassandra.response.error.details.received

type: long

Representing the number of nodes having acknowledged the request.

cassandra.response.error.details.blockfor

type: long

Representing the number of replicas whose acknowledgement is required to achieve consistency level.

cassandra.response.error.details.write_type

type: keyword

Describes the type of the write that timed out.

cassandra.response.error.details.data_present

type: boolean

Indicates whether the replica that was asked for data had responded.

cassandra.response.error.details.keyspace

type: keyword

The keyspace of the failed function.

cassandra.response.error.details.table

type: keyword

The keyspace of the failed function.

cassandra.response.error.details.stmt_id

type: keyword

Representing the unknown ID.

cassandra.response.error.details.num_failures

type: keyword

Representing the number of nodes that experienced a failure while executing the request.

cassandra.response.error.details.function

type: keyword

The name of the failed function.

cassandra.response.error.details.arg_types

type: keyword

One string for each argument type (as CQL type) of the failed function.

Cloud provider metadata fields

Metadata from cloud providers added by the add_cloud_metadata processor.

meta.cloud.provider

example: ec2

Name of the cloud provider. Possible values are ec2, gce, or digitalocean.

meta.cloud.instance_id

Instance ID of the host machine.

meta.cloud.instance_name

Instance name of the host machine.

meta.cloud.machine_type

example: t2.medium

Machine type of the host machine.

meta.cloud.availability_zone

example: us-east-1c

Availability zone in which this host is running.

meta.cloud.project_id

example: project-x

Name of the project in Google Cloud.

meta.cloud.region

Region in which this host is running.

Common fields

These fields contain data about the environment in which the transaction or flow was captured.

server

The name of the server that served the transaction.

client_server

The name of the server that initiated the transaction.

client_service

The name of the logical service that initiated the transaction.

ip

format: dotted notation.

The IP address of the server that served the transaction.

client_ip

format: dotted notation.

The IP address of the server that initiated the transaction.

real_ip

format: Dotted notation.

If the server initiating the transaction is a proxy, this field contains the original client IP address. For HTTP, for example, this is the IP address extracted from a configurable HTTP header, by default X-Forwarded-For. Unless this field is disabled, it always has a value, and it matches the client_ip for non-proxy clients.

client_geoip fields

The GeoIP information of the client.

client_geoip.location

type: geo_point

example: {'lat': 51, 'lon': 9}

The GeoIP location of the client_ip address. This field is available only if you define a GeoIP Processor as a pipeline in the Ingest GeoIP processor plugin or using Logstash.

client_port

format: dotted notation.

The layer 4 port of the process that initiated the transaction.

transport

example: udp

The transport protocol used for the transaction. If not specified, then tcp is assumed.

type

required: True

The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.

port

format: dotted notation.

The layer 4 port of the process that served the transaction.

proc

The name of the process that served the transaction.

cmdline

The command-line of the process that served the transaction.

client_proc

The name of the process that initiated the transaction.

client_cmdline

The command-line of the process that initiated the transaction.

release

The software release of the service serving the transaction. This can be the commit id or a semantic version.

DHCPv4 fields

DHCPv4 event fields

dhcpv4.transaction_id

type: keyword

Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server.

dhcpv4.seconds

type: long

Number of seconds elapsed since client began address acquisition or renewal process.

dhcpv4.flags

type: keyword

Flags are set by the client to indicate how the DHCP server should send its reply, either unicast or broadcast.

dhcpv4.client_ip

type: ip

The current IP address of the client.

dhcpv4.assigned_ip

type: ip

The IP address that the DHCP server is assigning to the client. This field is also known as "your" IP address.

dhcpv4.server_ip

type: ip

The IP address of the DHCP server that the client should use for the next step in the bootstrap process.

dhcpv4.relay_ip

type: ip

The relay IP address used by the client to contact the server (i.e. a DHCP relay server).

dhcpv4.client_mac

type: keyword

The client’s MAC address (layer two).

dhcpv4.server_name

type: keyword

The name of the server sending the message. Optional. Used in DHCPOFFER or DHCPACK messages.

dhcpv4.op_code

type: keyword

example: bootreply

The message op code (bootrequest or bootreply).

dhcpv4.hops

type: long

The number of hops the DHCP message went through.

dhcpv4.hardware_type

type: keyword

The type of hardware used for the local network (Ethernet, LocalTalk, etc).

dhcpv4.option.message_type

type: keyword

example: ack

The specific type of DHCP message being sent (e.g. discover, offer, request, decline, ack, nak, release, inform).

dhcpv4.option.parameter_request_list

type: keyword

This option is used by a DHCP client to request values for specified configuration parameters.

dhcpv4.option.requested_ip_address

type: ip

This option is used in a client request (DHCPDISCOVER) to allow the client to request that a particular IP address be assigned.

dhcpv4.option.server_identifier

type: ip

IP address of the individual DHCP server which handled this message.

dhcpv4.option.broadcast_address

type: ip

This option specifies the broadcast address in use on the client’s subnet.

dhcpv4.option.max_dhcp_message_size

type: long

This option specifies the maximum length DHCP message that the client is willing to accept.

dhcpv4.option.class_identifier

type: keyword

This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. Vendors may choose to define specific vendor class identifiers to convey particular configuration or other identification information about a client. For example, the identifier may encode the client’s hardware configuration.

dhcpv4.option.domain_name

type: keyword

This option specifies the domain name that client should use when resolving hostnames via the Domain Name System.

dhcpv4.option.dns_servers

type: ip

The domain name server option specifies a list of Domain Name System servers available to the client.

dhcpv4.option.vendor_identifying_options

type: object

A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs. This field is described in RFC 3925.

dhcpv4.option.subnet_mask

type: ip

The subnet mask that the client should use on the current network.

dhcpv4.option.utc_time_offset_sec

type: long

The time offset field specifies the offset of the client’s subnet in seconds from Coordinated Universal Time (UTC).

dhcpv4.option.router

type: ip

The router option specifies a list of IP addresses for routers on the client’s subnet.

dhcpv4.option.time_servers

type: ip

The time server option specifies a list of RFC 868 time servers available to the client.

dhcpv4.option.ntp_servers

type: ip

This option specifies a list of IP addresses indicating NTP servers available to the client.

dhcpv4.option.hostname

type: keyword

This option specifies the name of the client.

dhcpv4.option.ip_address_lease_time_sec

type: long

This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer.

dhcpv4.option.message

type: text

This option is used by a DHCP server to provide an error message to a DHCP client in a DHCPNAK message in the event of a failure. A client may use this option in a DHCPDECLINE message to indicate why the client declined the offered parameters.

dhcpv4.option.renewal_time_sec

type: long

This option specifies the time interval from address assignment until the client transitions to the RENEWING state.

dhcpv4.option.rebinding_time_sec

type: long

This option specifies the time interval from address assignment until the client transitions to the REBINDING state.

dhcpv4.option.boot_file_name

type: keyword

This option is used to identify a bootfile when the 'file' field in the DHCP header has been used for DHCP options.

DNS fields

DNS-specific event fields.

dns.id

type: long

The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.

dns.op_code

example: QUERY

The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.

dns.flags.authoritative

type: boolean

A DNS flag specifying that the responding server is an authority for the domain name used in the question.

dns.flags.recursion_available

type: boolean

A DNS flag specifying whether recursive query support is available in the name server.

dns.flags.recursion_desired

type: boolean

A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional.

dns.flags.authentic_data

type: boolean

A DNS flag specifying that the recursive server considers the response authentic.

dns.flags.checking_disabled

type: boolean

A DNS flag specifying that the client disables the server signature validation of the query.

dns.flags.truncated_response

type: boolean

A DNS flag specifying that only the first 512 bytes of the reply were returned.

dns.response_code

example: NOERROR

The DNS status code.

dns.question.name

example: www.google.com.

The domain name being queried. If the name field contains non-printable characters (below 32 or above 126), then those characters are represented as escaped base 10 integers (\DDD). Back slashes and quotes are escaped. Tabs, carriage returns, and line feeds are converted to \t, \r, and \n respectively.

dns.question.type

example: AAAA

The type of records being queried.

dns.question.class

example: IN

The class of records being queried.

dns.question.etld_plus_one

example: amazon.co.uk.

The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org.

dns.answers

type: object

An array containing a dictionary about each answer section returned by the server.

dns.answers_count

type: long

The number of resource records contained in the dns.answers field.

dns.answers.name

example: example.com.

The domain name to which this resource record pertains.

dns.answers.type

example: MX

The type of data contained in this resource record.

dns.answers.class

example: IN

The class of DNS data contained in this resource record.

dns.answers.ttl

type: long

The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.

dns.answers.data

The data describing the resource. The meaning of this data depends on the type and class of the resource record.

dns.authorities

type: object

An array containing a dictionary for each authority section from the answer.

dns.authorities_count

type: long

The number of resource records contained in the dns.authorities field. The dns.authorities field may or may not be included depending on the configuration of Packetbeat.

dns.authorities.name

example: example.com.

The domain name to which this resource record pertains.

dns.authorities.type

example: NS

The type of data contained in this resource record.

dns.authorities.class

example: IN

The class of DNS data contained in this resource record.

dns.additionals

type: object

An array containing a dictionary for each additional section from the answer.

dns.additionals_count

type: long

The number of resource records contained in the dns.additionals field. The dns.additionals field may or may not be included depending on the configuration of Packetbeat.

dns.additionals.name

example: example.com.

The domain name to which this resource record pertains.

dns.additionals.type

example: NS

The type of data contained in this resource record.

dns.additionals.class

example: IN

The class of DNS data contained in this resource record.

dns.additionals.ttl

type: long

The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.

dns.additionals.data

The data describing the resource. The meaning of this data depends on the type and class of the resource record.

dns.opt.version

example: 0

The EDNS version.

dns.opt.do

type: boolean

If set, the transaction uses DNSSEC.

dns.opt.ext_rcode

example: BADVERS

Extended response code field.

dns.opt.udp_size

type: long

Requestor’s UDP payload size (in bytes).

Docker fields

Docker stats collected from Docker.

docker.container.id

type: keyword

Unique container id.

docker.container.image

type: keyword

Name of the image the container was built on.

docker.container.name

type: keyword

Container name.

docker.container.labels

type: object

Image labels.

ECS fields

ECS fields.

agent fields

The agent fields contain the data about the agent/client/shipper that created the event.

agent.version

type: keyword

example: 6.0.0-rc2

Version of the agent.

agent.name

type: keyword

example: filebeat

Name of the agent.

agent.id

type: keyword

example: 8a4f500d

Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.

agent.ephemeral_id

type: keyword

example: 8a4f500f

Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but agent.id does not.

base fields

The base set contains all fields which are on the top level. These fields are common across all types of events.

base.@timestamp

type: date

example: 2016-05-23T08:05:34.853Z

required: True

Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.

base.tags

type: keyword

example: ["production", "env2"]

List of keywords used to tag each event.

base.labels

type: object

example: {'key2': 'value2', 'key1': 'value1'}

Key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: docker and k8s labels.

base.message

type: text

example: Hello World

For log events the message field contains the log message. In other use cases the message field can be used to concatenate different values which are then freely searchable. If multiple messages exist, they can be combined into one message.

cloud fields

Fields related to the cloud or infrastructure the events are coming from.

cloud.provider

type: keyword

example: ec2

Name of the cloud provider. Example values are ec2, gce, or digitalocean.

cloud.availability_zone

type: keyword

example: us-east-1c

Availability zone in which this host is running.

cloud.region

type: keyword

example: us-east-1

Region in which this host is running.

cloud.instance.id

type: keyword

example: i-1234567890abcdef0

Instance ID of the host machine.

cloud.instance.name

type: keyword

Instance name of the host machine.

cloud.machine.type

type: keyword

example: t2.medium

Machine type of the host machine.

cloud.account.id

type: keyword

example: 666777888999

The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.

container fields

Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based on containers from any runtime.

container.runtime

type: keyword

example: docker

Runtime managing this container.

container.id

type: keyword

Unique container id.

container.image.name

type: keyword

Name of the image the container was built on.

container.image.tag

type: keyword

Container image tag.

container.name

type: keyword

Container name.

container.labels

type: object

Image labels.

destination fields

Destination fields describe details about the destination of a packet/event.

destination.ip

type: ip

IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.

destination.hostname

type: keyword

Hostname of the destination.

destination.port

type: long

Port of the destination.

destination.mac

type: keyword

MAC address of the destination.

destination.domain

type: keyword

Destination domain.

destination.subdomain

type: keyword

Destination subdomain.

device fields

Device fields are used to provide additional information about the device that is the source of the information. This could be a firewall, network device, etc.

device.mac

type: keyword

MAC address of the device.

device.ip

type: ip

IP address of the device.

device.hostname

type: keyword

Hostname of the device.

device.vendor

type: text

Device vendor information.

device.version

type: keyword

Device version.

device.serial_number

type: keyword

Device serial number.

device.timezone.offset.sec

type: long

example: -5400

Timezone offset of the host in seconds. Number of seconds relative to UTC. If the offset is -01:30 the value will be -5400.

device.type

type: keyword

example: firewall

The type of the device the data is coming from. There is no predefined list of device types. Some examples are endpoint, firewall, ids, ips, proxy.

error fields

These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error.

error.id

type: keyword

Unique identifier for the error.

error.message

type: text

Error message.

error.code

type: keyword

Error code describing the error.

event fields

The event fields are used for context information about the data itself.

event.id

type: keyword

example: 8a4f500d

Unique ID to describe the event.

event.category

type: keyword

example: metrics

Event category. This can be a user defined category.

event.type

type: keyword

example: nginx-stats-metrics

A type given to this kind of event which can be used for grouping. This is normally defined by the user.

event.action

type: keyword

example: reject

The action captured by the event. The type of action will vary from system to system but is likely to include actions by security services, such as blocking or quarantining; as well as more generic actions such as login events, file i/o or proxy forwarding events. The value is normally defined by the user.

event.module

type: keyword

example: mysql

Name of the module this data is coming from. This information is coming from the modules used in Beats or Logstash.

event.dataset

type: keyword

example: stats

Name of the dataset. The concept of a dataset (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name.

event.severity

type: long

example: 7

Severity describes the severity of the event. What the different severity values mean can vary greatly between use cases. It's up to the implementer to make sure severities are consistent across events.

event.original

type: keyword

example: Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232

Raw text message of entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from _source.

Field is not indexed.

event.hash

type: keyword

example: 123456789012345678901234567890ABCD

Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.

event.version

type: keyword

example: 0.1.0

required: True

The version field contains the ECS version an event adheres to. It should be provided as part of each event so that it is possible to detect which ECS version an event belongs to. event.version is a required field and must exist in all events. The current version is 0.1.0.

event.duration

type: long

Duration of the event in nanoseconds.

event.created

type: date

event.created contains the date when the event was created. This timestamp is distinct from @timestamp in that @timestamp contains the processed timestamp. For logs these two timestamps can be different, as the timestamp in the log line and the time the event is read (for example by Filebeat) are not identical. @timestamp must contain the timestamp extracted from the log line, and event.created the time the log line was read. The same applies to packet capturing, where @timestamp contains the timestamp extracted from the network packet and event.created the time the event was created. In case the two timestamps are identical, @timestamp should be used.

event.risk_score

type: float

Risk score or priority of the event (e.g. security solutions). Use your system’s original value here.

event.risk_score_norm

type: float

Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.

file fields

File fields provide details about each file.

file.path

type: text

Path to the file.

file.path.raw

type: keyword

Path to the file. This is a non-analyzed field that is useful for aggregations.

file.target_path

type: text

Target path for symlinks.

file.target_path.raw

type: keyword

Target path for symlinks. This is a non-analyzed field that is useful for aggregations.

file.extension

type: keyword

example: png

File extension. This should allow easy filtering by file extensions.

file.type

type: keyword

File type (file, dir, or symlink).

file.device

type: keyword

Device that is the source of the file.

file.inode

type: keyword

Inode representing the file in the filesystem.

file.uid

type: keyword

The user ID (UID) or security identifier (SID) of the file owner.

file.owner

type: keyword

File owner’s username.

file.gid

type: keyword

Primary group ID (GID) of the file.

file.group

type: keyword

Primary group name of the file.

file.mode

type: keyword

example: 416

Mode of the file in octal representation.

file.size

type: long

File size in bytes (field is only added when type is file).

file.mtime

type: date

Last time file content was modified.

file.ctime

type: date

Last time file metadata changed.

geo fields

Geo fields can carry data about a specific location related to an event or geo information for an IP field.

geo.continent_name

type: keyword

Name of the continent.

geo.country_iso_code

type: keyword

Country ISO code.

geo.location

type: geo_point

Longitude and latitude.

geo.region_name

type: keyword

Region name.

geo.city_name

type: keyword

City name.

host fields

Host fields provide information related to a host. A host can be a physical machine, a virtual machine, or a Docker container. Normally the host information is related to the machine on which the event was generated/collected, but it can be used differently if needed.

host.timezone.offset.sec

type: long

example: -5400

Timezone offset of the host in seconds. Number of seconds relative to UTC. If the offset is -01:30 the value will be -5400.

host.name

type: keyword

host.name is the hostname of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.

host.id

type: keyword

Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.

host.ip

type: ip

Host ip address.

host.mac

type: keyword

Host mac address.

host.type

type: keyword

Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.

host.os.platform

type: keyword

example: darwin

Operating system platform (centos, ubuntu, windows, etc.)

host.os.name

type: keyword

example: Mac OS X

Operating system name.

host.os.family

type: keyword

example: debian

OS family (redhat, debian, freebsd, windows, etc.)

host.os.version

type: keyword

example: 10.12.6

Operating system version.

host.architecture

type: keyword

example: x86_64

Operating system architecture.

http fields

Fields related to HTTP requests and responses.

http.request.method

type: keyword

example: GET, POST, PUT

HTTP request method.

http.response.status_code

type: long

example: 404

HTTP response status code.

http.response.body

type: text

example: Hello world

The full HTTP response body.

http.version

type: keyword

example: 1.1

HTTP version.

log fields

Fields which are specific to log events.

log.level

type: keyword

example: ERR

Log level of the log event. Some examples are WARN, ERR, INFO.

log.original

type: keyword

example: Sep 19 08:26:10 localhost My log

This is the original log message and contains the full log message before it is split up into multiple parts. In contrast to the message field, which can contain an extracted part of the log message, this field contains the original, full log message. It may already have some modifications applied, such as encoding or newlines removed to clean up the log message. This field is not indexed and doc_values are disabled, so it can't be queried, but the value can be retrieved from _source.

Field is not indexed.

network fields

Fields related to network data.

network.name

type: text

example: Guest Wifi

Name given by operators to sections of their network.

network.name.raw

type: keyword

Name given by operators to sections of their network.

network.protocol

type: keyword

example: http

Network protocol name.

network.direction

type: keyword

example: inbound

Direction of the network traffic. Recommended values are: inbound, outbound, unknown.

network.forwarded_ip

type: ip

example: 192.1.1.2

Host IP address when the source IP address is the proxy.

network.inbound.bytes

type: long

example: 184

Network inbound bytes.

network.inbound.packets

type: long

example: 12

Network inbound packets.

network.outbound.bytes

type: long

example: 184

Network outbound bytes.

network.outbound.packets

type: long

example: 12

Network outbound packets.

network.total.bytes

type: long

example: 368

Network total bytes. The sum of inbound.bytes + outbound.bytes.

network.total.packets

type: long

example: 24

Network total packets. The sum of inbound.packets + outbound.packets.

organization fields

The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations.

organization.name

type: text

Organization name.

organization.id

type: keyword

Unique identifier for the organization.

os fields

The OS fields contain information about the operating system. These fields are often used inside other prefixes, such as host.os.* or user_agent.os.*.

os.platform

type: keyword

example: darwin

Operating system platform (such as centos, ubuntu, windows).

os.name

type: keyword

example: Mac OS X

Operating system name.

os.family

type: keyword

example: debian

OS family (such as redhat, debian, freebsd, windows).

os.version

type: keyword

example: 10.12.6-rc2

Operating system version as a raw string.

os.kernel

type: keyword

example: 4.4.0-112-generic

Operating system kernel version as a raw string.

process fields

These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The process.pid often stays in the metric itself and is copied to the global field for correlation.

process.args

type: keyword

example: ['-l', 'user', '10.0.0.16']

Process arguments. May be filtered to protect sensitive information.

process.name

type: keyword

example: ssh

Process name. Sometimes called program name or similar.

process.pid

type: long

Process id.

process.ppid

type: long

Process parent id.

process.title

type: keyword

Process title. The proctitle, often the same as process name.

service fields

The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version.

service.id

type: keyword

example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6

Unique identifier of the running service. This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance.

service.name

type: keyword

example: elasticsearch

Name of the service data is collected from. The name can be used to group and correlate logs and metrics from one service. Example: If logs or metrics are collected from Redis, service.name would be redis.

service.type

type: keyword

Service type.

service.state

type: keyword

Current state of the service.

service.version

type: keyword

example: 3.2.4

Version of the service the data was collected from. This makes it possible to look at a data set for one specific version of a service only.

service.ephemeral_id

type: keyword

example: 8a4f500f

Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but service.id does not.

url fields

URL fields provide a complete URL, with scheme, host, and path. The URL object can be reused in other prefixes, such as host.url.*. Keep the structure consistent whenever you use URL fields.

url.href

type: text

Full URL. The field is stored as keyword. url.href is a [multi field](https://www.elastic.co/guide/en/elasticsearch/reference/6.2/multi-fields.html#_multi_fields_with_multiple_analyzers). The data is stored as keyword in url.href and as text in url.href.analyzed. These fields enable you to run a query against part of the URL without splitting up the URL at ingest time. href is an analyzed field, so the parsed information can be accessed through href.analyzed in queries.

url.href.raw

type: keyword

The full URL. This is a non-analyzed field that is useful for aggregations.

url.scheme

type: keyword

example: https

Scheme of the request, such as "https". Note: The : is not part of the scheme.

url.hostname

type: keyword

example: elastic.co

Hostname of the request, such as "elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the hostname field.

url.port

type: integer

example: 443

Port of the request, such as 443.

url.path

type: text

Path of the request, such as "/search".

url.path.raw

type: keyword

URL path. A non-analyzed field that is useful for aggregations.

url.query

type: text

The query field describes the query string of the request, such as "q=elasticsearch". The ? is excluded from the query string. If a URL contains no ?, there is no query field. If there is a ? but no query, the query field exists with an empty string. The exists query can be used to differentiate between the two cases.

url.query.raw

type: keyword

URL query part. A non-analyzed field that is useful for aggregations.

url.fragment

type: keyword

Portion of the URL after the #, such as "top". The # is not part of the fragment.

url.username

type: keyword

Username of the request.

url.password

type: keyword

Password of the request.
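As an added example (not part of this field reference or of Beats), the following Python function splits a URL into the url.* fields according to the rules above: the scheme without its ':', the query without its '?' (absent when the URL has no '?', an empty string when the '?' has nothing after it), the fragment without its '#', credentials only when present, and a bare IP placed in url.hostname. Treating url.fragment as absent when there is no '#' is an assumption by analogy with url.query.

```python
from urllib.parse import urlsplit


def url_fields(href: str) -> dict:
    """Map a URL onto the url.* fields as this reference defines them.

    Keys are only emitted when the corresponding part is present, so that a
    downstream `exists` query behaves as the url.query description expects.
    """
    parts = urlsplit(href)
    fields = {
        "url.href": href,
        "url.scheme": parts.scheme,  # urlsplit already drops the trailing ':'
        "url.path": parts.path,
    }
    if parts.hostname is not None:
        # A bare IPv4, or an IPv6 literal without its brackets, lands here too;
        # the reference puts an IP into url.hostname when there is no domain name.
        fields["url.hostname"] = parts.hostname
    try:
        if parts.port is not None:
            fields["url.port"] = parts.port
    except ValueError:
        # Non-numeric or out-of-range port: keep the other fields, omit url.port.
        pass
    # Distinguish "no '?' at all" (no url.query) from "'?' with nothing after it"
    # (url.query is ""). The fragment is cut off first so that a '?' inside the
    # fragment is not mistaken for the query marker.
    before_fragment = href.split("#", 1)[0]
    if "?" in before_fragment:
        fields["url.query"] = parts.query  # urlsplit already drops the '?'
    if "#" in href:  # assumption: no '#' means no url.fragment field
        fields["url.fragment"] = parts.fragment  # the '#' itself is not part of it
    if parts.username is not None:
        fields["url.username"] = parts.username
    if parts.password is not None:
        fields["url.password"] = parts.password
    return fields


if __name__ == "__main__":
    # Constructed sample inputs covering the cases the reference describes.
    for sample in (
        "https://elastic.co/search?q=elasticsearch#top",
        "http://10.0.0.1:8080/a?",
        "https://example.com/a",
    ):
        print(sample, "->", url_fields(sample))
```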

user fields

The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.

user.id

type: keyword

One or multiple unique identifiers of the user.

user.name

type: keyword

Name of the user. The field is a keyword, and will not be tokenized.

user.email

type: keyword

User email address.

user.hash

type: keyword

Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used.

user_agent fields

The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.

user_agent.original

type: text

Unparsed version of the user_agent.

user_agent.device

type: keyword

Name of the physical device.

user_agent.version

type: keyword

Version of the physical device.

user_agent.major

type: long

Major version of the user agent.

user_agent.minor

type: long

Minor version of the user agent.

user_agent.patch

type: keyword

Patch version of the user agent.

user_agent.name

type: keyword

example: Chrome

Name of the user agent.

user_agent.os.name

type: keyword

Name of the operating system.

user_agent.os.version

type: keyword

Version of the operating system.

user_agent.os.major

type: long

Major version of the operating system.

user_agent.os.minor

type: long

Minor version of the operating system.

Flow Event fields

These fields contain data about the flow itself.

start_time

type: date

example: 2015-01-24 14:06:05.071000

format: YYYY-MM-DDTHH:MM:SS.milliZ

required: True

The time at which the first packet for the flow was seen.

last_time

type: date

example: 2015-01-24 14:06:05.071000

format: YYYY-MM-DDTHH:MM:SS.milliZ

required: True

The time at which the most recently processed packet for the flow was seen.

final

Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.

flow_id

Internal flow id based on connection metadata and address.

vlan

Innermost VLAN address used in network packets.

outer_vlan

Second innermost VLAN address used in network packets.

source fields

Properties of the source host

source.mac

Source MAC address as indicated by first packet seen for the current flow.

source.ip

Innermost IPv4 source address as indicated by first packet seen for the current flow.

source.ip_location

type: geo_point

example: 40.715, -74.011

The GeoIP location of the ip_source IP address. The field is a string containing the latitude and longitude separated by a comma.

source.outer_ip

Second innermost IPv4 source address as indicated by first packet seen for the current flow.

source.outer_ip_location

type: geo_point

example: 40.715, -74.011

The GeoIP location of the outer_ip_source IP address. The field is a string containing the latitude and longitude separated by a comma.

source.ipv6

Innermost IPv6 source address as indicated by first packet seen for the current flow.

source.ipv6_location

type: geo_point

example: 60.715, -76.011

The GeoIP location of the ipv6_source IP address. The field is a string containing the latitude and longitude separated by a comma.

source.outer_ipv6

Second innermost IPv6 source address as indicated by first packet seen for the current flow.

source.outer_ipv6_location

type: geo_point

example: 60.715, -76.011

The GeoIP location of the outer_ipv6_source IP address. The field is a string containing the latitude and longitude separated by a comma.

source.port

Source port number as indicated by first packet seen for the current flow.

stats fields

Object with source to destination flow measurements.

source.stats.net_packets_total

type: long

Total number of packets

source.stats.net_bytes_total

type: long

Total number of bytes

dest fields

Properties of the destination host

dest.mac

Destination MAC address as indicated by first packet seen for the current flow.

dest.ip

Innermost IPv4 destination address as indicated by first packet seen for the current flow.

dest.ip_location

type: geo_point

example: 40.715, -74.011

The GeoIP location of the ip_dest IP address. The field is a string containing the latitude and longitude separated by a comma.

dest.outer_ip

Second innermost IPv4 destination address as indicated by first packet seen for the current flow.

dest.outer_ip_location

type: geo_point

example: 40.715, -74.011

The GeoIP location of the outer_ip_dest IP address. The field is a string containing the latitude and longitude separated by a comma.

dest.ipv6

Innermost IPv6 destination address as indicated by first packet seen for the current flow.

dest.ipv6_location

type: geo_point

example: 60.715, -76.011

The GeoIP location of the ipv6_dest IP address. The field is a string containing the latitude and longitude separated by a comma.

dest.outer_ipv6

Second innermost IPv6 destination address as indicated by first packet seen for the current flow.

dest.outer_ipv6_location

type: geo_point

example: 60.715, -76.011

The GeoIP location of the outer_ipv6_dest IP address. The field is a string containing the latitude and longitude separated by a comma.

dest.port

Destination port number as indicated by first packet seen for the current flow.

stats fields

Object with destination to source flow measurements.

dest.stats.net_packets_total

type: long

Total number of packets

dest.stats.net_bytes_total

type: long

Total number of bytes

icmp_id

ICMP id used in ICMP based flow.

connection_id

Optional TCP connection id.

Host fields

Info collected for the host machine.

host.os.kernel

type: keyword

The operating system’s kernel version.

HTTP fields

HTTP-specific event fields.

http fields

Information about the HTTP request and response.

request fields

HTTP request

http.request.params

The query parameters or form values. The query parameters are available in the Request-URI and the form values are set in the HTTP body when the content-type is set to x-www-form-urlencoded.

http.request.headers

type: object

A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.

http.request.body

type: text

The body of the HTTP request.

response fields

HTTP response

http.response.code

example: 404

The HTTP status code.

http.response.phrase

example: Not found.

The HTTP status phrase.

http.response.headers

type: object

A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.

ICMP fields

ICMP specific event fields.

icmp.version

The version of the ICMP protocol.

icmp.request.message

type: keyword

A human readable form of the request.

icmp.request.type

type: long

The request type.

icmp.request.code

type: long

The request code.

icmp.response.message

type: keyword

A human readable form of the response.

icmp.response.type

type: long

The response type.

icmp.response.code

type: long

The response code.

Kubernetes fields

Kubernetes metadata added by the kubernetes processor

kubernetes.pod.name

type: keyword

Kubernetes pod name

kubernetes.pod.uid

type: keyword

Kubernetes Pod UID

kubernetes.namespace

type: keyword

Kubernetes namespace

kubernetes.node.name

type: keyword

Kubernetes node name

kubernetes.labels

type: object

Kubernetes labels map

kubernetes.annotations

type: object

Kubernetes annotations map

kubernetes.container.name

type: keyword

Kubernetes container name

kubernetes.container.image

type: keyword

Kubernetes container image

Memcache fields

Memcached-specific event fields

memcache.protocol_type

type: keyword

The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type.

memcache.request.line

type: keyword

The raw command line for unknown commands ONLY.

memcache.request.command

type: keyword

The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands.

memcache.response.command

type: keyword

Either the text based protocol response message type or the name of the originating request if binary protocol is used.

memcache.request.type

type: keyword

The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth".

memcache.response.type

type: keyword

The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see memcache.response.status for binary protocol).

memcache.response.error_msg

type: keyword

The optional error message in the memcache response (text based protocol only).

memcache.request.opcode

type: keyword

The binary protocol message opcode name.

memcache.response.opcode

type: keyword

The binary protocol message opcode name.

memcache.request.opcode_value

type: long

The binary protocol message opcode value.

memcache.response.opcode_value

type: long

The binary protocol message opcode value.

memcache.request.opaque

type: long

The binary protocol opaque header value used for correlating request with response messages.

memcache.response.opaque

type: long

The binary protocol opaque header value used for correlating request with response messages.

memcache.request.vbucket

type: long

The vbucket index sent in the binary message.

memcache.response.status

type: keyword

The textual representation of the response error code (binary protocol only).

memcache.response.status_code

type: long

The status code value returned in the response (binary protocol only).

memcache.request.keys

type: array

The list of keys sent in the store or load commands.

memcache.response.keys

type: array

The list of keys returned for the load command (if present).

memcache.request.count_values

type: long

The number of values found in the memcache request message. If the command does not send any data, this field is missing.

memcache.response.count_values

type: long

The number of values found in the memcache response message. If the command does not send any data, this field is missing.

memcache.request.values

type: array

The list of base64 encoded values sent with the request (if present).

memcache.response.values

type: array

The list of base64 encoded values sent with the response (if present).

memcache.request.bytes

type: long

format: bytes

The byte count of the values being transferred.

memcache.response.bytes

type: long

format: bytes

The byte count of the values being transferred.

memcache.request.delta

type: long

The counter increment/decrement delta value.

memcache.request.initial

type: long

The counter increment/decrement initial value parameter (binary protocol only).

memcache.request.verbosity

type: long

The value of the memcache "verbosity" command.

memcache.request.raw_args

type: keyword

The text protocol raw arguments for the "stats ..." and "lru crawl ..." commands.

memcache.request.source_class

type: long

The source class id in 'slab reassign' command.

memcache.request.dest_class

type: long

The destination class id in 'slab reassign' command.

memcache.request.automove

type: keyword

The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown.

memcache.request.flags

type: long

The memcache command flags sent in the request (if present).

memcache.response.flags

type: long

The memcache message flags sent in the response (if present).

memcache.request.exptime

type: long

The data expiry time in seconds sent with the memcache command (if present). If the value is <30 days, the expiry time is relative to "now", or else it is an absolute Unix time in seconds (32-bit).

memcache.request.sleep_us

type: long

The sleep setting in microseconds for the 'lru_crawler sleep' command.

memcache.response.value

type: long

The counter value returned by a counter operation.

memcache.request.noreply

type: boolean

Set to true if noreply was set in the request. The memcache.response field will be missing.

memcache.request.quiet

type: boolean

Set to true if the binary protocol message is to be treated as a quiet message.

memcache.request.cas_unique

type: long

The CAS (compare-and-swap) identifier if present.

memcache.response.cas_unique

type: long

The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present).

memcache.response.stats

type: array

The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value".

memcache.response.version

type: keyword

The returned memcache version string.

MongoDb fields

MongoDB-specific event fields. These fields closely mirror the fields of the MongoDB wire protocol. The higher level fields (for example, query and resource) apply to MongoDB events as well.

mongodb.error

If the MongoDB request has resulted in an error, this field contains the error message returned by the server.

mongodb.fullCollectionName

The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar.

mongodb.numberToSkip

type: long

Sets the number of documents to omit, starting from the first document in the resulting dataset, when returning the result of the query.

mongodb.numberToReturn

type: long

The requested maximum number of documents to be returned.

mongodb.numberReturned

type: long

The number of documents in the reply.

mongodb.startingFrom

Where in the cursor this reply is starting.

mongodb.query

A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot.

mongodb.returnFieldsSelector

A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1.

mongodb.selector

A BSON document that specifies the query for selecting the document to update or delete.

mongodb.update

A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual.

mongodb.cursorId

The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database.

rpc fields

OncRPC specific event fields.

rpc.xid

RPC message transaction identifier.

rpc.call_size

type: long

RPC call size with argument.

rpc.reply_size

type: long

RPC reply size with argument.

rpc.status

RPC message reply status.

rpc.time

type: long

RPC message processing time.

rpc.time_str

RPC message processing time in human readable form.

rpc.auth_flavor

RPC authentication flavor.

rpc.cred.uid

type: long

RPC caller’s user id, in case of auth-unix.

rpc.cred.gid

type: long

RPC caller’s group id, in case of auth-unix.

rpc.cred.gids

RPC caller’s secondary group ids, in case of auth-unix.

rpc.cred.stamp

type: long

Arbitrary ID which the caller machine may generate.

rpc.cred.machinename

The name of the caller’s machine.

MySQL fields

MySQL-specific event fields.

mysql.iserror

type: boolean

If the MySQL query returns an error, this field is set to true.

mysql.affected_rows

type: long

If the MySQL command is successful, this field contains the affected number of rows of the last statement.

mysql.insert_id

If the INSERT query is successful, this field contains the id of the newly inserted row.

mysql.num_fields

If the SELECT query is successful, this field is set to the number of fields returned.

mysql.num_rows

If the SELECT query is successful, this field is set to the number of rows returned.

mysql.query

The raw MySQL query as read from the transaction's request.

mysql.error_code

type: long

The error code returned by MySQL.

mysql.error_message

The error info message returned by MySQL.

NFS fields

NFS v4/3 specific event fields.

nfs.version

type: long

NFS protocol version number.

nfs.minor_version

type: long

NFS protocol minor version number.

nfs.tag

NFS v4 COMPOUND operation tag.

nfs.opcode

NFS operation name, or main operation name, in case of COMPOUND calls.

nfs.status

NFS operation reply status.

PostgreSQL fields

PostgreSQL-specific event fields.

pgsql.query

The raw PgSQL query as read from the transaction's request.

pgsql.iserror

type: boolean

If the PgSQL query returns an error, this field is set to true.

pgsql.error_code

type: long

The PostgreSQL error code.

pgsql.error_message

The PostgreSQL error message.

pgsql.error_severity

The PostgreSQL error severity.

pgsql.num_fields

If the SELECT query is successful, this field is set to the number of fields returned.

pgsql.num_rows

If the SELECT query is successful, this field is set to the number of rows returned.

Raw fields

These fields contain the raw transaction data.

request

type: text

For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.

response

type: text

For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the response.

Redis fields

Redis-specific event fields.

redis.return_value

The return value of the Redis command in a human readable format.

redis.error

If the Redis command has resulted in an error, this field contains the error message returned by the Redis server.

Thrift-RPC fields

Thrift-RPC specific event fields.

thrift.params

The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used.

thrift.service

The name of the Thrift-RPC service as defined in the IDL files.

thrift.return_value

The value returned by the Thrift-RPC call. This is encoded in a human readable format.

thrift.exceptions

If the call resulted in exceptions, this field contains the exceptions in a human readable format.

TLS fields

TLS-specific event fields.

tls.version

type: keyword

example: TLS 1.3

The version of the TLS protocol used.

tls.handshake_completed

type: boolean

Whether the TLS negotiation has been successful and the session has transitioned to encrypted mode.

tls.resumed

type: boolean

If the TLS session has been resumed from a previous session.

tls.resumption_method

type: keyword

If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension.

tls.client_certificate_requested

type: boolean

Whether the server has requested the client to authenticate itself using a client certificate.

tls.client_hello.version

type: keyword

The version of the TLS protocol by which the client wishes to communicate during this session.

tls.client_hello.supported_ciphers

type: array

List of ciphers the client is willing to use for this session. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

tls.client_hello.supported_compression_methods

type: array

The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml

extensions fields

The hello extensions provided by the client.

tls.client_hello.extensions.server_name_indication

type: keyword

List of hostnames.

tls.client_hello.extensions.application_layer_protocol_negotiation

type: keyword

List of application-layer protocols the client is willing to use.

tls.client_hello.extensions.session_ticket

type: keyword

Length of the session ticket, if provided, or an empty string to advertise support for tickets.

tls.client_hello.extensions.supported_versions

type: keyword

List of TLS versions that the client is willing to use.

tls.server_hello.version

type: keyword

The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello.

tls.server_hello.selected_cipher

type: keyword

The cipher suite selected by the server from the list provided in the client hello.

tls.server_hello.selected_compression_method

type: keyword

The compression method selected by the server from the list provided in the client hello.

extensions fields

The hello extensions provided by the server.

tls.server_hello.extensions.application_layer_protocol_negotiation

type: array

Negotiated application layer protocol.

tls.server_hello.extensions.session_ticket

type: keyword

Used to announce that a session ticket will be provided by the server. Always an empty string.

tls.server_hello.extensions.supported_versions

type: keyword

Negotiated TLS version to be used.

client_certificate fields

Certificate provided by the client for authentication.

tls.client_certificate.version

type: long

X509 format version.

tls.client_certificate.serial_number

type: keyword

The certificate’s serial number.

tls.client_certificate.not_before

type: date

Date before which the certificate is not valid.

tls.client_certificate.not_after

type: date

Date after which the certificate expires.

tls.client_certificate.public_key_algorithm

type: keyword

The algorithm used for this certificate’s public key. One of RSA, DSA or ECDSA.

tls.client_certificate.public_key_size

type: long

Size of the public key.

tls.client_certificate.signature_algorithm

type: keyword

The algorithm used for the certificate’s signature.

tls.client_certificate.alternative_names

type: array

Subject Alternative Names for this certificate.

tls.client_certificate.raw

type: keyword

The raw certificate in PEM format.

subject fields

Subject represented by this certificate.

tls.client_certificate.subject.country

type: keyword

Country code.

tls.client_certificate.subject.organization

type: keyword

Organization name.

tls.client_certificate.subject.organizational_unit

type: keyword

Unit within organization.

tls.client_certificate.subject.province

type: keyword

Province or region within country.

tls.client_certificate.subject.common_name

type: keyword

Name or host name identified by the certificate.

issuer fields

Entity that issued and signed this certificate.

tls.client_certificate.issuer.country

type: keyword

Country code.

tls.client_certificate.issuer.organization

type: keyword

Organization name.

tls.client_certificate.issuer.organizational_unit

type: keyword

Unit within organization.

tls.client_certificate.issuer.province

type: keyword

Province or region within country.

tls.client_certificate.issuer.common_name

type: keyword

Name or host name identified by the certificate.

tls.client_certificate.fingerprint.md5

type: keyword

Certificate’s MD5 fingerprint.

tls.client_certificate.fingerprint.sha1

type: keyword

Certificate’s SHA-1 fingerprint.

tls.client_certificate.fingerprint.sha256

type: keyword

Certificate’s SHA-256 fingerprint.

server_certificate fields

Certificate provided by the server for authentication.

tls.server_certificate.version

type: long

X509 format version.

tls.server_certificate.serial_number

type: keyword

The certificate’s serial number.

tls.server_certificate.not_before

type: date

Date before which the certificate is not valid.

tls.server_certificate.not_after

type: date

Date after which the certificate expires.

tls.server_certificate.public_key_algorithm

type: keyword

The algorithm used for this certificate’s public key. One of RSA, DSA or ECDSA.

tls.server_certificate.public_key_size

type: long

Size of the public key.

tls.server_certificate.signature_algorithm

type: keyword

The algorithm used for the certificate’s signature.

tls.server_certificate.alternative_names

type: array

Subject Alternative Names for this certificate.

tls.server_certificate.raw

type: keyword

The raw certificate in PEM format.

subject fields

Subject represented by this certificate.

tls.server_certificate.subject.country

type: keyword

Country code.

tls.server_certificate.subject.organization

type: keyword

Organization name.

tls.server_certificate.subject.organizational_unit

type: keyword

Unit within organization.

tls.server_certificate.subject.province

type: keyword

Province or region within country.

tls.server_certificate.subject.common_name

type: keyword

Name or host name identified by the certificate.

issuer fields

Entity that issued and signed this certificate.

tls.server_certificate.issuer.country

type: keyword

Country code.

tls.server_certificate.issuer.organization

type: keyword

Organization name.

tls.server_certificate.issuer.organizational_unit

type: keyword

Unit within organization.

tls.server_certificate.issuer.province

type: keyword

Province or region within country.

tls.server_certificate.issuer.common_name

type: keyword

Name or host name identified by the certificate.

tls.server_certificate.fingerprint.md5

type: keyword

Certificate’s MD5 fingerprint.

tls.server_certificate.fingerprint.sha1

type: keyword

Certificate’s SHA-1 fingerprint.

tls.server_certificate.fingerprint.sha256

type: keyword

Certificate’s SHA-256 fingerprint.

tls.server_certificate_chain

type: array

Chain of trust for the server certificate.

tls.client_certificate_chain

type: array

Chain of trust for the client certificate.

tls.alert_types

type: keyword

An array containing the TLS alert type for every alert received.

fingerprints fields

Fingerprints for this TLS session.

ja3 fields

JA3 TLS client fingerprint.

tls.fingerprints.ja3.hash

type: keyword

The JA3 fingerprint hash for the client side.

tls.fingerprints.ja3.str

type: keyword

The JA3 string used to calculate the hash.

Transaction Event fields

These fields contain data about the transaction itself.

direction

required: True

Indicates whether the transaction is inbound (emitted by the server) or outbound (emitted by the client). Values can be in or out. No defaults.

status

required: True

The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.

method

The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).

resource

The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is /users/1, the resource is /users. For databases, the resource is typically the table name. The field is not filled for all transaction types.

path

required: True

The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.

query

type: keyword

The query in a human readable format. For HTTP, it will typically be something like GET /users/_search?name=test. For MySQL, it is something like SELECT id from users where name=test.

params

type: text

The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.

notes

Messages from Packetbeat itself. This field usually contains error messages for interpreting the raw data. This information can be helpful for troubleshooting.

Measurements (Transactions) fields

These fields contain measurements related to the transaction.

responsetime

type: long

The wall clock time it took to complete the transaction. The precision is in milliseconds.

cpu_time

type: long

The CPU time it took to complete the transaction.

bytes_in

type: long

format: bytes

The number of bytes of the request. Note that this size is the application layer message length, without the length of the IP or TCP headers.

bytes_out

type: long

format: bytes

The number of bytes of the response. Note that this size is the application layer message length, without the length of the IP or TCP headers.

dnstime

type: long

The time it takes to query the name server for a given request. This is typically used for RUM (real-user-monitoring) but can also have values for server-to-server communication when DNS is used for service discovery. The precision is in microseconds.

connecttime

type: long

The time it takes for the TCP connection to be established for the given transaction. The precision is in microseconds.

loadtime

type: long

The time it takes for the content to be loaded. This is typically used for RUM (real-user-monitoring) but it can make sense in other cases as well. The precision is in microseconds.

domloadtime

type: long

In RUM (real-user-monitoring), the total time it takes for the DOM to be loaded. In terms of the W3C Navigation Timing API, this is the difference between domContentLoadedEnd and domContentLoadedStart.