AMQP specific event fields.
amqp.reply-code
-
type: long
example: 404
AMQP reply code to an error, similar to an HTTP status code.
amqp.reply-text
-
type: keyword
Text explaining the error.
amqp.class-id
-
type: long
Failing method class.
amqp.method-id
-
type: long
Failing method ID.
amqp.exchange
-
type: keyword
Name of the exchange.
amqp.exchange-type
-
type: keyword
example: fanout
Exchange type.
amqp.passive
-
type: boolean
If set, do not create exchange/queue.
amqp.durable
-
type: boolean
If set, request a durable exchange/queue.
amqp.exclusive
-
type: boolean
If set, request an exclusive queue.
amqp.auto-delete
-
type: boolean
If set, auto-delete queue when unused.
amqp.no-wait
-
type: boolean
If set, the server will not respond to the method.
amqp.consumer-tag
-
Identifier for the consumer, valid within the current channel.
amqp.delivery-tag
-
type: long
The server-assigned and channel-specific delivery tag.
amqp.message-count
-
type: long
The number of messages in the queue, which will be zero for newly-declared queues.
amqp.consumer-count
-
type: long
The number of consumers of a queue.
amqp.routing-key
-
type: keyword
Message routing key.
amqp.no-ack
-
type: boolean
If set, the server does not expect acknowledgements for messages.
amqp.no-local
-
type: boolean
If set, the server will not send messages to the connection that published them.
amqp.if-unused
-
type: boolean
Delete only if unused.
amqp.if-empty
-
type: boolean
Delete only if empty.
amqp.queue
-
type: keyword
The queue name identifies the queue within the vhost.
amqp.redelivered
-
type: boolean
Indicates that the message has been previously delivered to this or another client.
amqp.multiple
-
type: boolean
Acknowledge multiple messages.
amqp.arguments
-
type: object
Optional additional arguments passed to some methods. Can be of various types.
amqp.mandatory
-
type: boolean
Indicates mandatory routing.
amqp.immediate
-
type: boolean
Request immediate delivery.
amqp.content-type
-
type: keyword
example: text/plain
MIME content type.
amqp.content-encoding
-
type: keyword
MIME content encoding.
amqp.headers
-
type: object
Message header field table.
amqp.delivery-mode
-
type: keyword
Non-persistent (1) or persistent (2).
amqp.priority
-
type: long
Message priority, 0 to 9.
amqp.correlation-id
-
type: keyword
Application correlation identifier.
amqp.reply-to
-
type: keyword
Address to reply to.
amqp.expiration
-
type: keyword
Message expiration specification.
amqp.message-id
-
type: keyword
Application message identifier.
amqp.timestamp
-
type: keyword
Message timestamp.
amqp.type
-
type: keyword
Message type name.
amqp.user-id
-
type: keyword
Creating user id.
amqp.app-id
-
type: keyword
Creating application id.
Contains common beat fields available in all event types.
beat.name
-
The name of the Beat sending the log messages. If the Beat name is set in the configuration file, then that value is used. If it is not set, the hostname is used. To set the Beat name, use the name option in the configuration file.
beat.hostname
-
The hostname as returned by the operating system on which the Beat is running.
beat.timezone
-
The timezone as returned by the operating system on which the Beat is running.
beat.version
-
The version of the beat that generated this event.
@timestamp
-
type: date
example: August 26th 2016, 12:35:53.332
format: date
required: True
The timestamp when the event log record was generated.
tags
-
Arbitrary tags that can be set per Beat and per transaction type.
fields
-
type: object
Contains user configurable fields.
Error fields containing additional info in case of errors.
error.type
-
type: keyword
Error type.
Cassandra v4/3 specific event fields.
Information about the Cassandra request and response.
Cassandra request.
Cassandra request headers.
cassandra.request.headers.version
-
type: long
The version of the protocol.
cassandra.request.headers.flags
-
type: keyword
Flags applying to this frame.
cassandra.request.headers.stream
-
type: keyword
A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X.
cassandra.request.headers.op
-
type: keyword
An operation type that distinguishes the actual message.
cassandra.request.headers.length
-
type: long
An integer representing the length of the body of the frame (a frame is limited to 256MB in length).
cassandra.request.query
-
type: keyword
The CQL query that the client sent to Cassandra.
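As an added example (not Packetbeat's own code), the following Python parses the nine-byte CQL native-protocol frame header described above into the cassandra.request.headers.* and cassandra.response.headers.* values, rejects frames whose body length exceeds the 256MB limit before any body is read, extracts cassandra.request.query from a QUERY frame, and pairs requests with responses by stream id as the stream description guarantees. The opcode and flag tables are the ones from the protocol specification; the sample frames are constructed inline.

```python
"""Added example: parse CQL native-protocol (v3/v4) frame headers into the
cassandra.request.headers.* / cassandra.response.headers.* values described
above. Not Packetbeat code; the sample frames are constructed below."""
import struct

MAX_BODY_LEN = 256 * 1024 * 1024            # spec limit: a frame body is at most 256MB
HEADER = struct.Struct(">BBhBI")            # version, flags, stream(int16), opcode, length(uint32)

OPCODES = {
    0x00: "ERROR", 0x01: "STARTUP", 0x02: "READY", 0x03: "AUTHENTICATE",
    0x05: "OPTIONS", 0x06: "SUPPORTED", 0x07: "QUERY", 0x08: "RESULT",
    0x09: "PREPARE", 0x0A: "EXECUTE", 0x0B: "REGISTER", 0x0C: "EVENT",
    0x0D: "BATCH", 0x0E: "AUTH_CHALLENGE", 0x0F: "AUTH_RESPONSE", 0x10: "AUTH_SUCCESS",
}
FLAG_BITS = {0x01: "Compression", 0x02: "Tracing", 0x04: "CustomPayload", 0x08: "Warning"}


def parse_header(data):
    """Decode the 9-byte header; the high bit of the version byte marks a response."""
    if len(data) < HEADER.size:
        raise ValueError("short frame header")
    version_byte, flags, stream, opcode, length = HEADER.unpack_from(data)
    if length > MAX_BODY_LEN:
        # A length above the spec limit is either a corrupt frame or an attempt to
        # make the parser allocate an oversized buffer; refuse it before reading the body.
        raise ValueError("frame body length %d exceeds the 256MB limit" % length)
    return {
        "direction": "response" if version_byte & 0x80 else "request",
        "version": version_byte & 0x7F,
        "flags": [name for bit, name in FLAG_BITS.items() if flags & bit] or ["None"],
        "stream": stream,
        "op": OPCODES.get(opcode, "UNKNOWN(0x%02x)" % opcode),
        "length": length,
    }


def parse_query_body(body):
    """A QUERY body begins with a [long string]: 4-byte big-endian length, then UTF-8 text."""
    (n,) = struct.unpack_from(">I", body, 0)
    if 4 + n > len(body):
        raise ValueError("query string overruns the frame body")
    return body[4:4 + n].decode("utf-8")


def parse_frame(data):
    """Header plus, for a QUERY request, the CQL text (cassandra.request.query)."""
    hdr = parse_header(data)
    body = data[HEADER.size:HEADER.size + hdr["length"]]
    if len(body) != hdr["length"]:
        raise ValueError("truncated frame body")
    event = {"headers": hdr}
    if hdr["op"] == "QUERY" and hdr["direction"] == "request":
        event["query"] = parse_query_body(body)
    return event


def correlate(frames):
    """Pair requests with responses: the server echoes the request's stream id."""
    pending, transactions = {}, []
    for frame in frames:
        event = parse_frame(frame)
        stream = event["headers"]["stream"]
        if event["headers"]["direction"] == "request":
            pending[stream] = event
        else:
            transactions.append({"request": pending.pop(stream, None), "response": event})
    return transactions


def build_query_frame(stream, cql, version=4):
    """Constructed sample: a v4 QUERY request with consistency ONE and no query flags."""
    q = cql.encode("utf-8")
    body = struct.pack(">I", len(q)) + q + struct.pack(">HB", 0x0001, 0x00)
    return HEADER.pack(version, 0x00, stream, 0x07, len(body)) + body


def build_result_frame(stream, version=4, flags=0x00):
    """Constructed sample: an empty v4 RESULT response (0x80 bit set = server to client)."""
    return HEADER.pack(0x80 | version, flags, stream, 0x08, 0)


if __name__ == "__main__":
    frames = [build_query_frame(7, "SELECT * FROM ks.users"), build_result_frame(7, flags=0x08)]
    for tx in correlate(frames):
        print(tx["request"]["query"], "->", tx["response"]["headers"]["flags"])
```

The length check runs before the body slice is taken, which is the order a capture-side parser needs: the header is attacker-controlled bytes on the wire, and the frame limit is the only bound it gives you.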
Cassandra response.
Cassandra response headers; the structure is the same as the request headers.
cassandra.response.headers.version
-
type: long
The version of the protocol.
cassandra.response.headers.flags
-
type: keyword
Flags applying to this frame.
cassandra.response.headers.stream
-
type: keyword
A frame has a stream id. If a client sends a request message with the stream id X, it is guaranteed that the stream id of the response to that message will be X.
cassandra.response.headers.op
-
type: keyword
An operation type that distinguishes the actual message.
cassandra.response.headers.length
-
type: long
An integer representing the length of the body of the frame (a frame is limited to 256MB in length).
Details about the returned result.
cassandra.response.result.type
-
type: keyword
Cassandra result type.
Details about the rows.
cassandra.response.result.rows.num_rows
-
type: long
Representing the number of rows present in this result.
Composed of result metadata.
cassandra.response.result.rows.meta.keyspace
-
type: keyword
The keyspace name. Only present when the Global_tables_spec flag is set.
cassandra.response.result.rows.meta.table
-
type: keyword
The table name. Only present when the Global_tables_spec flag is set.
cassandra.response.result.rows.meta.flags
-
type: keyword
Provides information on the formatting of the remaining information.
cassandra.response.result.rows.meta.col_count
-
type: long
Representing the number of columns selected by the query that produced this result.
cassandra.response.result.rows.meta.pkey_columns
-
type: long
Representing the PK columns index and counts.
cassandra.response.result.rows.meta.paging_state
-
type: keyword
The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.
cassandra.response.result.keyspace
-
type: keyword
Indicating the name of the keyspace that has been set.
The result to a schema_change message.
cassandra.response.result.schema_change.change
-
type: keyword
Representing the type of change involved.
cassandra.response.result.schema_change.keyspace
-
type: keyword
This describes which keyspace has changed.
cassandra.response.result.schema_change.table
-
type: keyword
This describes which table has changed.
cassandra.response.result.schema_change.object
-
type: keyword
This describes the name of said affected object (either the table, user type, function, or aggregate name).
cassandra.response.result.schema_change.target
-
type: keyword
The target of the change. "FUNCTION" and "AGGREGATE" targets are followed by the function/aggregate name and its argument types.
cassandra.response.result.schema_change.name
-
type: keyword
The function/aggregate name.
cassandra.response.result.schema_change.args
-
type: keyword
One string for each argument type (as CQL type).
The result to a PREPARE message.
cassandra.response.result.prepared.prepared_id
-
type: keyword
Representing the prepared query ID.
This describes the request metadata.
cassandra.response.result.prepared.req_meta.keyspace
-
type: keyword
The keyspace name. Only present when the Global_tables_spec flag is set.
cassandra.response.result.prepared.req_meta.table
-
type: keyword
The table name. Only present when the Global_tables_spec flag is set.
cassandra.response.result.prepared.req_meta.flags
-
type: keyword
Provides information on the formatting of the remaining information.
cassandra.response.result.prepared.req_meta.col_count
-
type: long
Representing the number of columns selected by the query that produced this result.
cassandra.response.result.prepared.req_meta.pkey_columns
-
type: long
Representing the PK columns index and counts.
cassandra.response.result.prepared.req_meta.paging_state
-
type: keyword
The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.
This describes the metadata for the result set.
cassandra.response.result.prepared.resp_meta.keyspace
-
type: keyword
The keyspace name. Only present when the Global_tables_spec flag is set.
cassandra.response.result.prepared.resp_meta.table
-
type: keyword
The table name. Only present when the Global_tables_spec flag is set.
cassandra.response.result.prepared.resp_meta.flags
-
type: keyword
Provides information on the formatting of the remaining information.
cassandra.response.result.prepared.resp_meta.col_count
-
type: long
Representing the number of columns selected by the query that produced this result.
cassandra.response.result.prepared.resp_meta.pkey_columns
-
type: long
Representing the PK columns index and counts.
cassandra.response.result.prepared.resp_meta.paging_state
-
type: keyword
The paging_state is a bytes value that should be used in QUERY/EXECUTE to continue paging and retrieve the remainder of the result for this query.
cassandra.response.supported
-
type: object
Indicates which startup options are supported by the server. This message comes as a response to an OPTIONS message.
Indicates that the server requires authentication, and which authentication mechanism to use.
cassandra.response.authentication.class
-
type: keyword
Indicates the full class name of the IAuthenticator in use.
cassandra.response.warnings
-
type: keyword
The text of the warnings. Only present when the Warning flag was set.
Event pushed by the server. A client will only receive events for the types it has REGISTERed to.
cassandra.response.event.type
-
type: keyword
Representing the event type.
cassandra.response.event.change
-
type: keyword
The change type, followed by the address of the new or removed node.
cassandra.response.event.host
-
type: keyword
Representing the node ip.
cassandra.response.event.port
-
type: long
Representing the node port.
The events details related to schema change.
cassandra.response.event.schema_change.change
-
type: keyword
Representing the type of change involved.
cassandra.response.event.schema_change.keyspace
-
type: keyword
This describes which keyspace has changed.
cassandra.response.event.schema_change.table
-
type: keyword
This describes which table has changed.
cassandra.response.event.schema_change.object
-
type: keyword
This describes the name of said affected object (either the table, user type, function, or aggregate name).
cassandra.response.event.schema_change.target
-
type: keyword
The target of the change. "FUNCTION" and "AGGREGATE" targets are followed by the function/aggregate name and its argument types.
cassandra.response.event.schema_change.name
-
type: keyword
The function/aggregate name.
cassandra.response.event.schema_change.args
-
type: keyword
One string for each argument type (as CQL type).
Indicates an error processing a request. The body of the message will be an error code followed by an error message. Then, depending on the exception, more content may follow.
cassandra.response.error.code
-
type: long
The error code of the Cassandra response.
cassandra.response.error.msg
-
type: keyword
The error message of the Cassandra response.
cassandra.response.error.type
-
type: keyword
The error type of the Cassandra response.
The details of the error.
cassandra.response.error.details.read_consistency
-
type: keyword
Representing the consistency level of the query that triggered the exception.
cassandra.response.error.details.required
-
type: long
Representing the number of nodes that should be alive to respect consistency level.
cassandra.response.error.details.alive
-
type: long
Representing the number of replicas that were known to be alive when the request had been processed (since an unavailable exception has been triggered).
cassandra.response.error.details.received
-
type: long
Representing the number of nodes having acknowledged the request.
cassandra.response.error.details.blockfor
-
type: long
Representing the number of replicas whose acknowledgement is required to achieve consistency level.
cassandra.response.error.details.write_type
-
type: keyword
Describes the type of the write that timed out.
cassandra.response.error.details.data_present
-
type: boolean
Whether the replica that was asked for data responded.
cassandra.response.error.details.keyspace
-
type: keyword
The keyspace of the failed function.
cassandra.response.error.details.table
-
type: keyword
The table involved in the error.
cassandra.response.error.details.stmt_id
-
type: keyword
The prepared statement ID that the server did not recognize.
cassandra.response.error.details.num_failures
-
type: keyword
Representing the number of nodes that experienced a failure while executing the request.
cassandra.response.error.details.function
-
type: keyword
The name of the failed function.
cassandra.response.error.details.arg_types
-
type: keyword
One string for each argument type (as CQL type) of the failed function.
Metadata from cloud providers added by the add_cloud_metadata processor.
meta.cloud.provider
-
example: ec2
Name of the cloud provider. Possible values are ec2, gce, or digitalocean.
meta.cloud.instance_id
-
Instance ID of the host machine.
meta.cloud.instance_name
-
Instance name of the host machine.
meta.cloud.machine_type
-
example: t2.medium
Machine type of the host machine.
meta.cloud.availability_zone
-
example: us-east-1c
Availability zone in which this host is running.
meta.cloud.project_id
-
example: project-x
Name of the project in Google Cloud.
meta.cloud.region
-
Region in which this host is running.
These fields contain data about the environment in which the transaction or flow was captured.
server
-
The name of the server that served the transaction.
client_server
-
The name of the server that initiated the transaction.
client_service
-
The name of the logical service that initiated the transaction.
ip
-
format: dotted notation.
The IP address of the server that served the transaction.
client_ip
-
format: dotted notation.
The IP address of the server that initiated the transaction.
real_ip
-
format: Dotted notation.
If the server initiating the transaction is a proxy, this field contains the original client IP address. For HTTP, for example, the IP address is extracted from a configurable HTTP header, by default X-Forwarded-For. Unless this field is disabled, it always has a value, and it matches the client_ip for non-proxy clients. Because any client can send such a header, its value is only meaningful when the connection actually arrives from a known proxy.
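The following Python is an added example, not Packetbeat's implementation, of deriving real_ip from client_ip and the X-Forwarded-For header while treating the header as untrusted input. The trusted proxy list (TRUSTED_PROXIES) and the sample requests are hypothetical and constructed here; the header name is the page's default.

```python
"""Added example: derive real_ip from client_ip plus the X-Forwarded-For header,
honouring the header only when the connection really comes from a known proxy.
Not Packetbeat code; TRUSTED_PROXIES and the sample requests are constructed here."""
import ipaddress

# Hypothetical: the reverse proxies / load balancers that sit in front of the service.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.10/32"),
]


def is_trusted_proxy(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def parse_forwarded_for(value):
    """Split a comma-separated header into validated addresses; None marks a bad token."""
    hops = []
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            hops.append(str(ipaddress.ip_address(token)))
        except ValueError:
            hops.append(None)         # e.g. "unknown", an obfuscated id, or garbage
    return hops


def real_ip(client_ip, headers, header_name="X-Forwarded-For"):
    """Return the original client address.

    Non-proxy peers get real_ip == client_ip, as the field description states.
    For a trusted proxy, walk the chain from the right: every address that is
    itself a trusted proxy was appended by infrastructure we control and can be
    skipped; the first address that is not a trusted proxy is the real client.
    Anything left of that was supplied by the client and is never trusted.
    """
    value = headers.get(header_name)
    if value is None or not is_trusted_proxy(client_ip):
        return client_ip
    candidate = client_ip
    for hop in reversed(parse_forwarded_for(value)):
        if hop is None:
            break                     # malformed token: stop at the last good address
        candidate = hop
        if not is_trusted_proxy(hop):
            break
    return candidate


if __name__ == "__main__":
    # Constructed requests: a direct client spoofing the header, and a proxied one.
    print(real_ip("203.0.113.5", {"X-Forwarded-For": "1.2.3.4"}))
    print(real_ip("10.1.1.1", {"X-Forwarded-For": "6.6.6.6, 198.51.100.7, 10.2.2.2"}))
```

The right-to-left walk is what makes the header safe to use: a client that prepends addresses only moves itself further left, never past the first untrusted hop that the proxy itself recorded.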
The GeoIP information of the client.
client_geoip.location
-
type: geo_point
example: {'lat': 51, 'lon': 9}
The GeoIP location of the client_ip address. This field is available only if you define a GeoIP Processor as a pipeline in the Ingest GeoIP processor plugin or using Logstash.
client_port
-
format: dotted notation.
The layer 4 port of the process that initiated the transaction.
transport
-
example: udp
The transport protocol used for the transaction. If not specified, then tcp is assumed.
type
-
required: True
The type of the transaction (for example, HTTP, MySQL, Redis, or RUM) or "flow" in case of flows.
port
-
format: dotted notation.
The layer 4 port of the process that served the transaction.
proc
-
The name of the process that served the transaction.
cmdline
-
The command-line of the process that served the transaction.
client_proc
-
The name of the process that initiated the transaction.
client_cmdline
-
The command-line of the process that initiated the transaction.
release
-
The software release of the service serving the transaction. This can be the commit id or a semantic version.
DHCPv4 event fields
dhcpv4.transaction_id
-
type: keyword
Transaction ID, a random number chosen by the client, used by the client and server to associate messages and responses between a client and a server.
dhcpv4.seconds
-
type: long
Number of seconds elapsed since client began address acquisition or renewal process.
dhcpv4.flags
-
type: keyword
Flags are set by the client to indicate how the DHCP server should send its reply: either unicast or broadcast.
dhcpv4.client_ip
-
type: ip
The current IP address of the client.
dhcpv4.assigned_ip
-
type: ip
The IP address that the DHCP server is assigning to the client. This field is also known as "your" IP address.
dhcpv4.server_ip
-
type: ip
The IP address of the DHCP server that the client should use for the next step in the bootstrap process.
dhcpv4.relay_ip
-
type: ip
The relay IP address used by the client to contact the server (i.e. a DHCP relay server).
dhcpv4.client_mac
-
type: keyword
The client’s MAC address (layer two).
dhcpv4.server_name
-
type: keyword
The name of the server sending the message. Optional. Used in DHCPOFFER or DHCPACK messages.
dhcpv4.op_code
-
type: keyword
example: bootreply
The message op code (bootrequest or bootreply).
dhcpv4.hops
-
type: long
The number of hops the DHCP message went through.
dhcpv4.hardware_type
-
type: keyword
The type of hardware used for the local network (Ethernet, LocalTalk, etc).
dhcpv4.option.message_type
-
type: keyword
example: ack
The specific type of DHCP message being sent (e.g. discover, offer, request, decline, ack, nak, release, inform).
dhcpv4.option.parameter_request_list
-
type: keyword
This option is used by a DHCP client to request values for specified configuration parameters.
dhcpv4.option.requested_ip_address
-
type: ip
This option is used in a client request (DHCPDISCOVER) to allow the client to request that a particular IP address be assigned.
dhcpv4.option.server_identifier
-
type: ip
IP address of the individual DHCP server which handled this message.
dhcpv4.option.broadcast_address
-
type: ip
This option specifies the broadcast address in use on the client’s subnet.
dhcpv4.option.max_dhcp_message_size
-
type: long
This option specifies the maximum length DHCP message that the client is willing to accept.
dhcpv4.option.class_identifier
-
type: keyword
This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client. Vendors may choose to define specific vendor class identifiers to convey particular configuration or other identification information about a client. For example, the identifier may encode the client’s hardware configuration.
dhcpv4.option.domain_name
-
type: keyword
This option specifies the domain name that client should use when resolving hostnames via the Domain Name System.
dhcpv4.option.dns_servers
-
type: ip
The domain name server option specifies a list of Domain Name System servers available to the client.
dhcpv4.option.vendor_identifying_options
-
type: object
A DHCP client may use this option to unambiguously identify the vendor that manufactured the hardware on which the client is running, the software in use, or an industry consortium to which the vendor belongs. This field is described in RFC 3925.
dhcpv4.option.subnet_mask
-
type: ip
The subnet mask that the client should use on the current network.
dhcpv4.option.utc_time_offset_sec
-
type: long
The time offset field specifies the offset of the client’s subnet in seconds from Coordinated Universal Time (UTC).
dhcpv4.option.router
-
type: ip
The router option specifies a list of IP addresses for routers on the client’s subnet.
dhcpv4.option.time_servers
-
type: ip
The time server option specifies a list of RFC 868 time servers available to the client.
dhcpv4.option.ntp_servers
-
type: ip
This option specifies a list of IP addresses indicating NTP servers available to the client.
dhcpv4.option.hostname
-
type: keyword
This option specifies the name of the client.
dhcpv4.option.ip_address_lease_time_sec
-
type: long
This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer.
dhcpv4.option.message
-
type: text
This option is used by a DHCP server to provide an error message to a DHCP client in a DHCPNAK message in the event of a failure. A client may use this option in a DHCPDECLINE message to indicate why the client declined the offered parameters.
dhcpv4.option.renewal_time_sec
-
type: long
This option specifies the time interval from address assignment until the client transitions to the RENEWING state.
dhcpv4.option.rebinding_time_sec
-
type: long
This option specifies the time interval from address assignment until the client transitions to the REBINDING state.
dhcpv4.option.boot_file_name
-
type: keyword
This option is used to identify a bootfile when the 'file' field in the DHCP header has been used for DHCP options.
DNS-specific event fields.
dns.id
-
type: long
The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response.
dns.op_code
-
example: QUERY
The DNS operation code that specifies the kind of query in the message. This value is set by the originator of a query and copied into the response.
dns.flags.authoritative
-
type: boolean
A DNS flag specifying that the responding server is an authority for the domain name used in the question.
dns.flags.recursion_available
-
type: boolean
A DNS flag specifying whether recursive query support is available in the name server.
dns.flags.recursion_desired
-
type: boolean
A DNS flag specifying that the client directs the server to pursue a query recursively. Recursive query support is optional.
dns.flags.authentic_data
-
type: boolean
A DNS flag specifying that the recursive server considers the response authentic.
dns.flags.checking_disabled
-
type: boolean
A DNS flag specifying that the client disables the server signature validation of the query.
dns.flags.truncated_response
-
type: boolean
A DNS flag specifying that only the first 512 bytes of the reply were returned.
dns.response_code
-
example: NOERROR
The DNS status code.
dns.question.name
-
example: www.google.com.
The domain name being queried. If the name field contains non-printable characters (below 32 or above 126), then those characters are represented as escaped base 10 integers (\DDD). Back slashes and quotes are escaped. Tabs, carriage returns, and line feeds are converted to \t, \r, and \n respectively.
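The escaping rules above are an algorithm, so here is an added Python example (not Packetbeat's code) that applies them to a question name read from a constructed wire-format packet, and also provides the inverse so the escaped presentation form can be turned back into raw label bytes. Compression pointers are rejected because they do not appear in a question name; the sample packets are constructed inline.

```python
"""Added example: produce dns.question.name the way the description above
specifies, from a wire-format question name. Not Packetbeat code; the sample
packets are constructed below."""


def escape_label(raw):
    """Escape one label (bytes) for presentation.

    Tab, CR and LF become \\t, \\r and \\n; backslash and double quote get a
    leading backslash; any other byte below 32 or above 126 becomes \\DDD
    (three decimal digits); everything else is kept as-is.
    """
    out = []
    for b in raw:
        if b == 0x09:
            out.append("\\t")
        elif b == 0x0D:
            out.append("\\r")
        elif b == 0x0A:
            out.append("\\n")
        elif b in (0x5C, 0x22):                 # backslash, double quote
            out.append("\\" + chr(b))
        elif b < 32 or b > 126:
            out.append("\\%03d" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def parse_qname(packet, offset=0):
    """Read a length-prefixed label sequence starting at offset.

    Returns the escaped presentation name with a trailing root dot (as in the
    "www.google.com." example) and the offset just past the terminating zero.
    Compression pointers (top two bits set) do not occur in a question name
    and are rejected here.
    """
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        length = packet[offset]
        if length & 0xC0:
            raise ValueError("compression pointer at offset %d not handled" % offset)
        offset += 1
        if length == 0:
            break
        if offset + length > len(packet):
            raise ValueError("label overruns packet")
        labels.append(escape_label(packet[offset:offset + length]))
        offset += length
    return ".".join(labels) + ".", offset


def unescape_name(name):
    """Inverse of the escaping: presentation name back to a list of raw labels."""
    if name == ".":
        return []
    labels, cur, i = [], bytearray(), 0
    while i < len(name):
        c = name[i]
        if c == "\\":
            nxt = name[i + 1]
            if nxt.isdigit():
                cur.append(int(name[i + 1:i + 4]))
                i += 4
            else:
                cur.append({"t": 9, "r": 13, "n": 10}.get(nxt, ord(nxt)))
                i += 2
        elif c == ".":
            labels.append(bytes(cur))
            cur = bytearray()
            i += 1
        else:
            cur.append(ord(c))
            i += 1
    return labels


if __name__ == "__main__":
    # Constructed question names: the page's example and one carrying binary bytes.
    print(parse_qname(b"\x03www\x06google\x03com\x00")[0])
    print(parse_qname(b"\x05a\x00b\tc\x03\xffq\"\x00")[0])
```

One limitation follows from the rules as stated: a literal dot inside a label is not escaped, so a name containing one cannot be split back into labels unambiguously; the wire format has no such ambiguity, which is why the parser works on bytes.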
dns.question.type
-
example: AAAA
The type of records being queried.
dns.question.class
-
example: IN
The class of records being queried.
dns.question.etld_plus_one
-
example: amazon.co.uk.
The effective top-level domain (eTLD) plus one more label. For example, the eTLD+1 for "foo.bar.golang.org." is "golang.org.". The data for determining the eTLD comes from an embedded copy of the data from http://publicsuffix.org.
dns.answers
-
type: object
An array containing a dictionary about each answer section returned by the server.
dns.answers_count
-
type: long
The number of resource records contained in the dns.answers field.
dns.answers.name
-
example: example.com.
The domain name to which this resource record pertains.
dns.answers.type
-
example: MX
The type of data contained in this resource record.
dns.answers.class
-
example: IN
The class of DNS data contained in this resource record.
dns.answers.ttl
-
type: long
The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
dns.answers.data
-
The data describing the resource. The meaning of this data depends on the type and class of the resource record.
dns.authorities
-
type: object
An array containing a dictionary for each authority section from the answer.
dns.authorities_count
-
type: long
The number of resource records contained in the dns.authorities field. The dns.authorities field may or may not be included depending on the configuration of Packetbeat.
dns.authorities.name
-
example: example.com.
The domain name to which this resource record pertains.
dns.authorities.type
-
example: NS
The type of data contained in this resource record.
dns.authorities.class
-
example: IN
The class of DNS data contained in this resource record.
dns.additionals
-
type: object
An array containing a dictionary for each additional section from the answer.
dns.additionals_count
-
type: long
The number of resource records contained in the dns.additionals field. The dns.additionals field may or may not be included depending on the configuration of Packetbeat.
dns.additionals.name
-
example: example.com.
The domain name to which this resource record pertains.
dns.additionals.type
-
example: NS
The type of data contained in this resource record.
dns.additionals.class
-
example: IN
The class of DNS data contained in this resource record.
dns.additionals.ttl
-
type: long
The time interval in seconds that this resource record may be cached before it should be discarded. Zero values mean that the data should not be cached.
dns.additionals.data
-
The data describing the resource. The meaning of this data depends on the type and class of the resource record.
dns.opt.version
-
example: 0
The EDNS version.
dns.opt.do
-
type: boolean
If set, the transaction uses DNSSEC.
dns.opt.ext_rcode
-
example: BADVERS
Extended response code field.
dns.opt.udp_size
-
type: long
Requestor’s UDP payload size (in bytes).
Docker stats collected from Docker.
docker.container.id
-
type: keyword
Unique container id.
docker.container.image
-
type: keyword
Name of the image the container was built on.
docker.container.name
-
type: keyword
Container name.
docker.container.labels
-
type: object
Image labels.
ECS fields.
The agent fields contain the data about the agent/client/shipper that created the event.
agent.version
-
type: keyword
example: 6.0.0-rc2
Version of the agent.
agent.name
-
type: keyword
example: filebeat
Name of the agent.
agent.id
-
type: keyword
example: 8a4f500d
Unique identifier of this agent (if one exists). Example: For Beats this would be beat.id.
agent.ephemeral_id
-
type: keyword
example: 8a4f500f
Ephemeral identifier of this agent (if one exists). This id normally changes across restarts, but agent.id does not.
The base set contains all fields which are on the top level. These fields are common across all types of events.
base.@timestamp
-
type: date
example: 2016-05-23T08:05:34.853Z
required: True
Date/time when the event originated. For log events this is the date/time when the event was generated, and not when it was read. Required field for all events.
base.tags
-
type: keyword
example: ["production", "env2"]
List of keywords used to tag each event.
base.labels
-
type: object
example: {'key2': 'value2', 'key1': 'value1'}
Key/value pairs. Can be used to add meta information to events. Should not contain nested objects. All values are stored as keyword. Example: docker and k8s labels.
base.message
-
type: text
example: Hello World
For log events the message field contains the log message. In other use cases the message field can be used to concatenate different values which are then freely searchable. If multiple messages exist, they can be combined into one message.
Fields related to the cloud or infrastructure the events are coming from.
cloud.provider
-
type: keyword
example: ec2
Name of the cloud provider. Example values are ec2, gce, or digitalocean.
cloud.availability_zone
-
type: keyword
example: us-east-1c
Availability zone in which this host is running.
cloud.region
-
type: keyword
example: us-east-1
Region in which this host is running.
cloud.instance.id
-
type: keyword
example: i-1234567890abcdef0
Instance ID of the host machine.
cloud.instance.name
-
type: keyword
Instance name of the host machine.
cloud.machine.type
-
type: keyword
example: t2.medium
Machine type of the host machine.
cloud.account.id
-
type: keyword
example: 666777888999
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based on containers from any runtime.
container.runtime
-
type: keyword
example: docker
Runtime managing this container.
container.id
-
type: keyword
Unique container id.
container.image.name
-
type: keyword
Name of the image the container was built on.
container.image.tag
-
type: keyword
Container image tag.
container.name
-
type: keyword
Container name.
container.labels
-
type: object
Image labels.
Destination fields describe details about the destination of a packet/event.
destination.ip
-
type: ip
IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.
destination.hostname
-
type: keyword
Hostname of the destination.
destination.port
-
type: long
Port of the destination.
destination.mac
-
type: keyword
MAC address of the destination.
destination.domain
-
type: keyword
Destination domain.
destination.subdomain
-
type: keyword
Destination subdomain.
Device fields are used to provide additional information about the device that is the source of the information. This could be a firewall, network device, etc.
device.mac
-
type: keyword
MAC address of the device
device.ip
-
type: ip
IP address of the device.
device.hostname
-
type: keyword
Hostname of the device.
device.vendor
-
type: text
Device vendor information.
device.version
-
type: keyword
Device version.
device.serial_number
-
type: keyword
Device serial number.
device.timezone.offset.sec
-
type: long
example: -5400
Timezone offset of the host in seconds. Number of seconds relative to UTC. If the offset is -01:30 the value will be -5400.
device.type
-
type: keyword
example: firewall
The type of the device the data is coming from. There is no predefined list of device types. Some examples are endpoint, firewall, ids, ips, proxy.
These fields can represent errors of any kind. Use them for errors that happen while fetching events or in cases where the event itself contains an error.
error.id
-
type: keyword
Unique identifier for the error.
error.message
-
type: text
Error message.
error.code
-
type: keyword
Error code describing the error.
The event fields are used for context information about the data itself.
event.id
-
type: keyword
example: 8a4f500d
Unique ID to describe the event.
event.category
-
type: keyword
example: metrics
Event category. This can be a user defined category.
event.type
-
type: keyword
example: nginx-stats-metrics
A type given to this kind of event which can be used for grouping. This is normally defined by the user.
event.action
-
type: keyword
example: reject
The action captured by the event. The type of action will vary from system to system but is likely to include actions by security services, such as blocking or quarantining; as well as more generic actions such as login events, file i/o or proxy forwarding events. The value is normally defined by the user.
event.module
-
type: keyword
example: mysql
Name of the module this data is coming from. This information is coming from the modules used in Beats or Logstash.
event.dataset
-
type: keyword
example: stats
Name of the dataset. The concept of a dataset (fileset / metricset) is used in Beats as a subset of modules. It contains the information which is currently stored in metricset.name and metricset.module or fileset.name.
event.severity
-
type: long
example: 7
Severity describes the severity of the event. What the different severity values mean can vary between use cases. It is up to the implementer to make sure severities are consistent across events.
event.original
-
type: keyword
example: Sep 19 08:26:10 host CEF:0|Security|threatmanager|1.0|100|worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2 spt=1232
Raw text message of the entire event. Used to demonstrate log integrity. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from _source.
event.hash
-
type: keyword
example: 123456789012345678901234567890ABCD
Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity.
event.version
-
type: keyword
example: 0.1.0
required: True
The version field contains the ECS version the event adheres to. This field should be provided as part of each event to make it possible to detect which ECS version an event belongs to. event.version is a required field and must exist in all events. The current version is 0.1.0.
event.duration
-
type: long
Duration of the event in nanoseconds.
event.created
-
type: date
event.created contains the date when the event was created. This timestamp is distinct from @timestamp in that @timestamp contains the processed timestamp. For logs these two timestamps can be different, because the timestamp in the log line and the time when the event is read (for example by Filebeat) are not identical. @timestamp must contain the timestamp extracted from the log line, and event.created the time when the log line was read. The same applies to packet capturing, where @timestamp contains the timestamp extracted from the network packet and event.created the time when the event was created. In case the two timestamps are identical, @timestamp should be used.
event.risk_score
-
type: float
Risk score or priority of the event (e.g. security solutions). Use your system’s original value here.
event.risk_score_norm
-
type: float
Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
File fields provide details about each file.
file.path
-
type: text
Path to the file.
file.path.raw
type: keyword
Path to the file. This is a non-analyzed field that is useful for aggregations.
file.target_path
-
type: text
Target path for symlinks.
file.target_path.raw
type: keyword
Target path for symlinks. This is a non-analyzed field that is useful for aggregations.
file.extension
-
type: keyword
example: png
File extension. This should allow easy filtering by file extensions.
file.type
-
type: keyword
File type (file, dir, or symlink).
file.device
-
type: keyword
Device that is the source of the file.
file.inode
-
type: keyword
Inode representing the file in the filesystem.
file.uid
-
type: keyword
The user ID (UID) or security identifier (SID) of the file owner.
file.owner
-
type: keyword
File owner’s username.
file.gid
-
type: keyword
Primary group ID (GID) of the file.
file.group
-
type: keyword
Primary group name of the file.
file.mode
-
type: keyword
example: 416
Mode of the file in octal representation.
file.size
-
type: long
File size in bytes (field is only added when type is file).
file.mtime
-
type: date
Last time file content was modified.
file.ctime
-
type: date
Last time file metadata changed.
Geo fields can carry data about a specific location related to an event or geo information for an IP field.
geo.continent_name
-
type: keyword
Name of the continent.
geo.country_iso_code
-
type: keyword
Country ISO code.
geo.location
-
type: geo_point
Longitude and latitude.
geo.region_name
-
type: keyword
Region name.
geo.city_name
-
type: keyword
City name.
Host fields provide information related to a host. A host can be a physical machine, a virtual machine, or a Docker container. Normally the host information is related to the machine on which the event was generated/collected, but they can be used differently if needed.
host.timezone.offset.sec
-
type: long
example: -5400
Timezone offset of the host in seconds. Number of seconds relative to UTC. If the offset is -01:30 the value will be -5400.
host.name
-
type: keyword
host.name is the hostname of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
host.id
-
type: keyword
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
host.ip
-
type: ip
Host ip address.
host.mac
-
type: keyword
Host mac address.
host.type
-
type: keyword
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
host.os.platform
-
type: keyword
example: darwin
Operating system platform (centos, ubuntu, windows, etc.)
host.os.name
-
type: keyword
example: Mac OS X
Operating system name.
host.os.family
-
type: keyword
example: debian
OS family (redhat, debian, freebsd, windows, etc.)
host.os.version
-
type: keyword
example: 10.12.6
Operating system version.
host.architecture
-
type: keyword
example: x86_64
Operating system architecture.
Fields related to HTTP requests and responses.
http.request.method
-
type: keyword
example: GET, POST, PUT
Http request method.
http.response.status_code
-
type: long
example: 404
Http response status code.
http.response.body
-
type: text
example: Hello world
The full http response body.
http.version
-
type: keyword
example: 1.1
Http version.
Fields which are specific to log events.
log.level
-
type: keyword
example: ERR
Log level of the log event. Some examples are WARN, ERR, INFO.
log.original
-
type: keyword
example: Sep 19 08:26:10 localhost My log
This is the original log message and contains the full log message before splitting it up in multiple parts. In contrast to the message field, which can contain an extracted part of the log message, this field contains the original, full log message. It can already have some modifications applied, like encoding or new lines removed, to clean up the log message. This field is not indexed and doc_values are disabled, so it can’t be queried, but the value can be retrieved from _source.
Fields related to network data.
network.name
-
type: text
example: Guest Wifi
Name given by operators to sections of their network.
network.name.raw
type: keyword
Name given by operators to sections of their network.
network.protocol
-
type: keyword
example: http
Network protocol name.
network.direction
-
type: keyword
example: inbound
Direction of the network traffic. Recommended values are inbound, outbound, and unknown.
network.forwarded_ip
-
type: ip
example: 192.1.1.2
Host IP address when the source IP address is the proxy.
network.inbound.bytes
-
type: long
example: 184
Network inbound bytes.
network.inbound.packets
-
type: long
example: 12
Network inbound packets.
network.outbound.bytes
-
type: long
example: 184
Network outbound bytes.
network.outbound.packets
-
type: long
example: 12
Network outbound packets.
network.total.bytes
-
type: long
example: 368
Network total bytes. The sum of inbound.bytes + outbound.bytes.
network.total.packets
-
type: long
example: 24
Network total packets. The sum of inbound.packets + outbound.packets.
The organization fields enrich data with information about the company or entity the data is associated with. These fields help you arrange or filter data stored in an index by one or multiple organizations.
organization.name
-
type: text
Organization name.
organization.id
-
type: keyword
Unique identifier for the organization.
The OS fields contain information about the operating system. These fields are often used inside other prefixes, such as host.os. or user_agent.os.
os.platform
-
type: keyword
example: darwin
Operating system platform (such as centos, ubuntu, windows).
os.name
-
type: keyword
example: Mac OS X
Operating system name.
os.family
-
type: keyword
example: debian
OS family (such as redhat, debian, freebsd, windows).
os.version
-
type: keyword
example: 10.12.6-rc2
Operating system version as a raw string.
os.kernel
-
type: keyword
example: 4.4.0-112-generic
Operating system kernel version as a raw string.
These fields contain information about a process. These fields can help you correlate metrics information with a process id/name from a log message. The process.pid often stays in the metric itself and is copied to the global field for correlation.
process.args
-
type: keyword
example: ['-l', 'user', '10.0.0.16']
Process arguments. May be filtered to protect sensitive information.
process.name
-
type: keyword
example: ssh
Process name. Sometimes called program name or similar.
process.pid
-
type: long
Process id.
process.ppid
-
type: long
Process parent id.
process.title
-
type: keyword
Process title. The proctitle, often the same as process name.
The service fields describe the service for or from which the data was collected. These fields help you find and correlate logs for a specific service and version.
service.id
-
type: keyword
example: d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6
Unique identifier of the running service. This id should uniquely identify this service. This makes it possible to correlate logs and metrics for one specific service. Example: If you are experiencing issues with one redis instance, you can filter on that id to see metrics and logs for that single instance.
service.name
-
type: keyword
example: elasticsearch
Name of the service data is collected from. The name can be used to group and correlate logs and metrics from one service. Example: If logs or metrics are collected from Redis, service.name would be redis.
service.type
-
type: keyword
Service type.
service.state
-
type: keyword
Current state of the service.
service.version
-
type: keyword
example: 3.2.4
Version of the service the data was collected from. This makes it possible to look at a data set only for a specific version of a service.
service.ephemeral_id
-
type: keyword
example: 8a4f500f
Ephemeral identifier of this service (if one exists). This id normally changes across restarts, but service.id does not.
URL fields provide a complete URL, with scheme, host, and path. The URL object can be reused in other prefixes, such as host.url.* for example. Keep the structure consistent whenever you use URL fields.
url.href
-
type: text
Full url. The field is stored as keyword. url.href is a [multi field](https://www.elastic.co/guide/en/elasticsearch/reference/6.2/multi-fields.html#_multi_fields_with_multiple_analyzers). The data is stored as keyword in url.href and as text in url.href.analyzed. These fields enable you to run a query against part of the URL without splitting up the URL at ingest time. href.analyzed is an analyzed field, so the parsed information can be accessed through href.analyzed in queries.
url.href.raw
type: keyword
The full URL. This is a non-analyzed field that is useful for aggregations.
url.scheme
-
type: keyword
example: https
Scheme of the request, such as "https". Note: The : is not part of the scheme.
url.hostname
-
type: keyword
example: elastic.co
Hostname of the request, such as "elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the hostname field.
url.port
-
type: integer
example: 443
Port of the request, such as 443.
url.path
-
type: text
Path of the request, such as "/search".
url.path.raw
type: keyword
URL path. A non-analyzed field that is useful for aggregations.
url.query
-
type: text
The query field describes the query string of the request, such as "q=elasticsearch". The ? is excluded from the query string. If a URL contains no ?, there is no query field. If there is a ? but no query, the query field exists with an empty string. The exists query can be used to differentiate between the two cases.
url.query.raw
type: keyword
URL query part. A non-analyzed field that is useful for aggregations.
url.fragment
-
type: keyword
Portion of the url after the #, such as "top". The # is not part of the fragment.
url.username
-
type: keyword
Username of the request.
url.password
-
type: keyword
Password of the request.
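As an added example (not Beats or ECS code), the following applies the url.* conventions above to a URL: the scheme without its ':', an IP literal in the hostname field, the query without its '?' (absent when the URL has no '?', an empty string when '?' has no query, so an exists check can tell the two apart), and the fragment without its '#'. The function names and the flat dotted-key layout are assumptions of this example.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit


def url_fields(href: str) -> Dict[str, object]:
    """Split a URL into ECS-style url.* fields following the conventions above.

    Assumed layout: a flat dict keyed by the dotted field names on this page.
    """
    parts = urlsplit(href)
    doc: Dict[str, object] = {"url.href": href}

    if parts.scheme:
        doc["url.scheme"] = parts.scheme          # urlsplit already drops the ':'
    if parts.hostname:
        doc["url.hostname"] = parts.hostname      # IPv4/IPv6 literals land here too
    try:
        port: Optional[int] = parts.port
    except ValueError:                            # non-numeric port in the netloc
        port = None
    if port is not None:
        doc["url.port"] = port
    if parts.path:
        doc["url.path"] = parts.path

    # Presence of '?' decides whether url.query exists at all. urlsplit alone
    # cannot tell "no '?'" from "'?' followed by nothing", so check the text
    # before any fragment explicitly.
    before_fragment = href.split("#", 1)[0]
    if "?" in before_fragment:
        doc["url.query"] = parts.query            # '' when '?' carries no query

    if parts.fragment:
        doc["url.fragment"] = parts.fragment      # '#' already stripped
    if parts.username is not None:
        doc["url.username"] = parts.username
    if parts.password is not None:
        doc["url.password"] = parts.password
    return doc


def has_query(doc: Dict[str, object]) -> bool:
    """Mirror an Elasticsearch `exists` query on url.query: true even when empty."""
    return "url.query" in doc


if __name__ == "__main__":
    # Constructed sample URLs, not taken from real traffic.
    for sample in (
        "https://user:pw@elastic.co:443/search?q=elasticsearch#top",
        "http://10.0.0.1:8080/status?",
        "https://elastic.co/search",
    ):
        fields = url_fields(sample)
        print(sample, fields, "query exists:", has_query(fields))
```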
The user fields describe information about the user that is relevant to the event. Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them.
user.id
-
type: keyword
One or multiple unique identifiers of the user.
user.name
-
type: keyword
Name of the user. The field is a keyword, and will not be tokenized.
user.email
-
type: keyword
User email address.
user.hash
-
type: keyword
Unique user hash to correlate information for a user in anonymized form. Useful if user.id or user.name contain confidential information and cannot be used.
The user_agent fields normally come from a browser request. They often show up in web service logs coming from the parsed user agent string.
user_agent.original
-
type: text
Unparsed version of the user_agent.
user_agent.device
-
type: keyword
Name of the physical device.
user_agent.version
-
type: keyword
Version of the physical device.
user_agent.major
-
type: long
Major version of the user agent.
user_agent.minor
-
type: long
Minor version of the user agent.
user_agent.patch
-
type: keyword
Patch version of the user agent.
user_agent.name
-
type: keyword
example: Chrome
Name of the user agent.
user_agent.os.name
-
type: keyword
Name of the operating system.
user_agent.os.version
-
type: keyword
Version of the operating system.
user_agent.os.major
-
type: long
Major version of the operating system.
user_agent.os.minor
-
type: long
Minor version of the operating system.
These fields contain data about the flow itself.
start_time
-
type: date
example: 2015-01-24 14:06:05.071000
format: YYYY-MM-DDTHH:MM:SS.milliZ
required: True
The time the first packet for the flow was seen.
last_time
-
type: date
example: 2015-01-24 14:06:05.071000
format: YYYY-MM-DDTHH:MM:SS.milliZ
required: True
The time the most recently processed packet for the flow was seen.
final
-
Indicates if event is last event in flow. If final is false, the event reports an intermediate flow state only.
flow_id
-
Internal flow id based on connection meta data and address.
vlan
-
Innermost VLAN address used in network packets.
outer_vlan
-
Second innermost VLAN address used in network packets.
Properties of the source host
source.mac
-
Source MAC address as indicated by first packet seen for the current flow.
source.ip
-
Innermost IPv4 source address as indicated by first packet seen for the current flow.
source.ip_location
-
type: geo_point
example: 40.715, -74.011
The GeoIP location of the ip_source IP address. The field is a string containing the latitude and longitude separated by a comma.
source.outer_ip
-
Second innermost IPv4 source address as indicated by first packet seen for the current flow.
source.outer_ip_location
-
type: geo_point
example: 40.715, -74.011
The GeoIP location of the outer_ip_source IP address. The field is a string containing the latitude and longitude separated by a comma.
source.ipv6
-
Innermost IPv6 source address as indicated by first packet seen for the current flow.
source.ipv6_location
-
type: geo_point
example: 60.715, -76.011
The GeoIP location of the ipv6_source IP address. The field is a string containing the latitude and longitude separated by a comma.
source.outer_ipv6
-
Second innermost IPv6 source address as indicated by first packet seen for the current flow.
source.outer_ipv6_location
-
type: geo_point
example: 60.715, -76.011
The GeoIP location of the outer_ipv6_source IP address. The field is a string containing the latitude and longitude separated by a comma.
source.port
-
Source port number as indicated by first packet seen for the current flow.
Object with source to destination flow measurements.
source.stats.net_packets_total
-
type: long
Total number of packets
source.stats.net_bytes_total
-
type: long
Total number of bytes
Properties of the destination host
dest.mac
-
Destination MAC address as indicated by first packet seen for the current flow.
dest.ip
-
Innermost IPv4 destination address as indicated by first packet seen for the current flow.
dest.ip_location
-
type: geo_point
example: 40.715, -74.011
The GeoIP location of the ip_dest IP address. The field is a string containing the latitude and longitude separated by a comma.
dest.outer_ip
-
Second innermost IPv4 destination address as indicated by first packet seen for the current flow.
dest.outer_ip_location
-
type: geo_point
example: 40.715, -74.011
The GeoIP location of the outer_ip_dest IP address. The field is a string containing the latitude and longitude separated by a comma.
dest.ipv6
-
Innermost IPv6 destination address as indicated by first packet seen for the current flow.
dest.ipv6_location
-
type: geo_point
example: 60.715, -76.011
The GeoIP location of the ipv6_dest IP address. The field is a string containing the latitude and longitude separated by a comma.
dest.outer_ipv6
-
Second innermost IPv6 destination address as indicated by first packet seen for the current flow.
dest.outer_ipv6_location
-
type: geo_point
example: 60.715, -76.011
The GeoIP location of the outer_ipv6_dest IP address. The field is a string containing the latitude and longitude separated by a comma.
dest.port
-
Destination port number as indicated by first packet seen for the current flow.
Object with destination to source flow measurements.
dest.stats.net_packets_total
-
type: long
Total number of packets
dest.stats.net_bytes_total
-
type: long
Total number of bytes
icmp_id
-
ICMP id used in ICMP based flow.
connection_id
-
optional TCP connection id
Info collected for the host machine.
host.os.kernel
-
type: keyword
The operating system’s kernel version.
HTTP-specific event fields.
Information about the HTTP request and response.
HTTP request
http.request.params
-
The query parameters or form values. The query parameters are available in the Request-URI and the form values are set in the HTTP body when the content-type is set to x-www-form-urlencoded.
http.request.headers
-
type: object
A map containing the captured header fields from the request. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.
http.request.body
-
type: text
The body of the HTTP request.
HTTP response
http.response.code
-
example: 404
The HTTP status code.
http.response.phrase
-
example: Not found.
The HTTP status phrase.
http.response.headers
-
type: object
A map containing the captured header fields from the response. Which headers to capture is configurable. If headers with the same header name are present in the message, they will be separated by commas.
ICMP specific event fields.
icmp.version
-
The version of the ICMP protocol.
icmp.request.message
-
type: keyword
A human readable form of the request.
icmp.request.type
-
type: long
The request type.
icmp.request.code
-
type: long
The request code.
icmp.response.message
-
type: keyword
A human readable form of the response.
icmp.response.type
-
type: long
The response type.
icmp.response.code
-
type: long
The response code.
Kubernetes metadata added by the kubernetes processor
kubernetes.pod.name
-
type: keyword
Kubernetes pod name
kubernetes.pod.uid
-
type: keyword
Kubernetes Pod UID
kubernetes.namespace
-
type: keyword
Kubernetes namespace
kubernetes.node.name
-
type: keyword
Kubernetes node name
kubernetes.labels
-
type: object
Kubernetes labels map
kubernetes.annotations
-
type: object
Kubernetes annotations map
kubernetes.container.name
-
type: keyword
Kubernetes container name
kubernetes.container.image
-
type: keyword
Kubernetes container image
Memcached-specific event fields
memcache.protocol_type
-
type: keyword
The memcache protocol implementation. The value can be "binary" for binary-based, "text" for text-based, or "unknown" for an unknown memcache protocol type.
memcache.request.line
-
type: keyword
The raw command line for unknown commands ONLY.
memcache.request.command
-
type: keyword
The memcache command being requested in the memcache text protocol. For example "set" or "get". The binary protocol opcodes are translated into memcache text protocol commands.
memcache.response.command
-
type: keyword
Either the text based protocol response message type or the name of the originating request if binary protocol is used.
memcache.request.type
-
type: keyword
The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth".
memcache.response.type
-
type: keyword
The memcache command classification. This value can be "UNKNOWN", "Load", "Store", "Delete", "Counter", "Info", "SlabCtrl", "LRUCrawler", "Stats", "Success", "Fail", or "Auth". The text based protocol will employ any of these, whereas the binary based protocol will mirror the request commands only (see memcache.response.status for binary protocol).
memcache.response.error_msg
-
type: keyword
The optional error message in the memcache response (text based protocol only).
memcache.request.opcode
-
type: keyword
The binary protocol message opcode name.
memcache.response.opcode
-
type: keyword
The binary protocol message opcode name.
memcache.request.opcode_value
-
type: long
The binary protocol message opcode value.
memcache.response.opcode_value
-
type: long
The binary protocol message opcode value.
memcache.request.opaque
-
type: long
The binary protocol opaque header value used for correlating request with response messages.
memcache.response.opaque
-
type: long
The binary protocol opaque header value used for correlating request with response messages.
memcache.request.vbucket
-
type: long
The vbucket index sent in the binary message.
memcache.response.status
-
type: keyword
The textual representation of the response error code (binary protocol only).
memcache.response.status_code
-
type: long
The status code value returned in the response (binary protocol only).
memcache.request.keys
-
type: array
The list of keys sent in the store or load commands.
memcache.response.keys
-
type: array
The list of keys returned for the load command (if present).
memcache.request.count_values
-
type: long
The number of values found in the memcache request message. If the command does not send any data, this field is missing.
memcache.response.count_values
-
type: long
The number of values found in the memcache response message. If the command does not send any data, this field is missing.
memcache.request.values
-
type: array
The list of base64 encoded values sent with the request (if present).
memcache.response.values
-
type: array
The list of base64 encoded values sent with the response (if present).
memcache.request.bytes
-
type: long
format: bytes
The byte count of the values being transferred.
memcache.response.bytes
-
type: long
format: bytes
The byte count of the values being transferred.
memcache.request.delta
-
type: long
The counter increment/decrement delta value.
memcache.request.initial
-
type: long
The counter increment/decrement initial value parameter (binary protocol only).
memcache.request.verbosity
-
type: long
The value of the memcache "verbosity" command.
memcache.request.raw_args
-
type: keyword
The text protocol raw arguments for the "stats …" and "lru crawl …" commands.
memcache.request.source_class
-
type: long
The source class id in 'slab reassign' command.
memcache.request.dest_class
-
type: long
The destination class id in 'slab reassign' command.
memcache.request.automove
-
type: keyword
The automove mode in the 'slab automove' command expressed as a string. This value can be "standby"(=0), "slow"(=1), "aggressive"(=2), or the raw value if the value is unknown.
memcache.request.flags
-
type: long
The memcache command flags sent in the request (if present).
memcache.response.flags
-
type: long
The memcache message flags sent in the response (if present).
memcache.request.exptime
-
type: long
The data expiry time in seconds sent with the memcache command (if present). If the value is less than 30 days, the expiry time is relative to "now"; otherwise it is an absolute Unix time in seconds (32-bit).
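An added example (not Packetbeat code) that resolves a captured memcache.request.exptime into an absolute expiry using the rule above, so an analyst can tell whether a stored value was already expired at capture time. The cutoff is memcached's 30-day constant (2592000 s); memcached itself treats a value of exactly 30 days as still relative, and a value of 0 as "never expires". The derived field names, the function names and the sample event are assumptions of this example.

```python
from typing import Dict, Optional

# memcached resolves exptime values up to 30 days (2592000 s) relative to
# "now" and treats anything larger as an absolute Unix timestamp.
MAX_RELATIVE_DELTA = 30 * 24 * 60 * 60


def absolute_expiry(exptime: int, now: int) -> Optional[int]:
    """Return the absolute Unix time at which the item expires, or None.

    `exptime` is the value captured in memcache.request.exptime; `now` is the
    epoch second to resolve relative values against (use the event timestamp,
    not the analyst's wall clock, when working from stored events).
    """
    if exptime == 0:
        return None               # memcached protocol rule: 0 = never expire
    if exptime < 0:
        return now                # negative values expire the item immediately
    if exptime <= MAX_RELATIVE_DELTA:
        return now + exptime      # relative to "now"
    return exptime                # absolute 32-bit Unix time


def enrich_exptime(event: Dict[str, object], now: int) -> Dict[str, object]:
    """Add hypothetical derived fields beside memcache.request.exptime.

    The derived field names below are assumptions of this example, not ECS or
    Packetbeat fields. Events without an exptime are returned unchanged.
    """
    out = dict(event)
    exptime = event.get("memcache.request.exptime")
    if not isinstance(exptime, int):
        return out                # field missing: nothing to derive
    expires_at = absolute_expiry(exptime, now)
    if expires_at is None:
        kind = "never"
    elif exptime < 0:
        kind = "immediate"
    elif exptime <= MAX_RELATIVE_DELTA:
        kind = "relative"
    else:
        kind = "absolute"
    out["memcache.request.expiry_kind"] = kind
    out["memcache.request.expires_at"] = expires_at
    out["memcache.request.expired"] = expires_at is not None and expires_at <= now
    return out


if __name__ == "__main__":
    # Constructed sample events; NOW is an arbitrary epoch second.
    NOW = 1_700_000_000
    samples = [
        {"memcache.request.command": "set", "memcache.request.exptime": 600},
        {"memcache.request.command": "set", "memcache.request.exptime": NOW + 86400},
        {"memcache.request.command": "set", "memcache.request.exptime": 0},
        {"memcache.request.command": "get"},
    ]
    for ev in samples:
        print(enrich_exptime(ev, NOW))
```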
memcache.request.sleep_us
-
type: long
The sleep setting in microseconds for the 'lru_crawler sleep' command.
memcache.response.value
-
type: long
The counter value returned by a counter operation.
memcache.request.noreply
-
type: boolean
Set to true if noreply was set in the request. The memcache.response field will be missing.
memcache.request.quiet
-
type: boolean
Set to true if the binary protocol message is to be treated as a quiet message.
memcache.request.cas_unique
-
type: long
The CAS (compare-and-swap) identifier if present.
memcache.response.cas_unique
-
type: long
The CAS (compare-and-swap) identifier to be used with CAS-based updates (if present).
memcache.response.stats
-
type: array
The list of statistic values returned. Each entry is a dictionary with the fields "name" and "value".
memcache.response.version
-
type: keyword
The returned memcache version string.
MongoDB-specific event fields. These fields mirror closely the fields for the MongoDB wire protocol. The higher level fields (for example, query and resource) apply to MongoDB events as well.
mongodb.error
-
If the MongoDB request has resulted in an error, this field contains the error message returned by the server.
mongodb.fullCollectionName
-
The full collection name. The full collection name is the concatenation of the database name with the collection name, using a dot (.) for the concatenation. For example, for the database foo and the collection bar, the full collection name is foo.bar.
mongodb.numberToSkip
-
type: long
Sets the number of documents to omit, starting from the first document in the resulting dataset, when returning the result of the query.
mongodb.numberToReturn
-
type: long
The requested maximum number of documents to be returned.
mongodb.numberReturned
-
type: long
The number of documents in the reply.
mongodb.startingFrom
-
Where in the cursor this reply is starting.
mongodb.query
-
A JSON document that represents the query. The query will contain one or more elements, all of which must match for a document to be included in the result set. Possible elements include $query, $orderby, $hint, $explain, and $snapshot.
mongodb.returnFieldsSelector
-
A JSON document that limits the fields in the returned documents. The returnFieldsSelector contains one or more elements, each of which is the name of a field that should be returned, and the integer value 1.
mongodb.selector
-
A BSON document that specifies the query for selecting the document to update or delete.
mongodb.update
-
A BSON document that specifies the update to be performed. For information on specifying updates, see the Update Operations documentation from the MongoDB Manual.
mongodb.cursorId
-
The cursor identifier returned in the OP_REPLY. This must be the value that was returned from the database.
OncRPC specific event fields.
rpc.xid
-
RPC message transaction identifier.
rpc.call_size
-
type: long
RPC call size with argument.
rpc.reply_size
-
type: long
RPC reply size with argument.
rpc.status
-
RPC message reply status.
rpc.time
-
type: long
RPC message processing time.
rpc.time_str
-
RPC message processing time in human readable form.
rpc.auth_flavor
-
RPC authentication flavor.
rpc.cred.uid
-
type: long
RPC caller’s user id, in case of auth-unix.
rpc.cred.gid
-
type: long
RPC caller’s group id, in case of auth-unix.
rpc.cred.gids
-
RPC caller’s secondary group ids, in case of auth-unix.
rpc.cred.stamp
-
type: long
Arbitrary ID which the caller machine may generate.
rpc.cred.machinename
-
The name of the caller’s machine.
MySQL-specific event fields.
mysql.iserror
-
type: boolean
If the MySQL query returns an error, this field is set to true.
mysql.affected_rows
-
type: long
If the MySQL command is successful, this field contains the affected number of rows of the last statement.
mysql.insert_id
-
If the INSERT query is successful, this field contains the id of the newly inserted row.
mysql.num_fields
-
If the SELECT query is successful, this field is set to the number of fields returned.
mysql.num_rows
-
If the SELECT query is successful, this field is set to the number of rows returned.
mysql.query
-
The raw MySQL query as read from the transaction’s request.
mysql.error_code
-
type: long
The error code returned by MySQL.
mysql.error_message
-
The error info message returned by MySQL.
NFS v4/3 specific event fields.
nfs.version
-
type: long
NFS protocol version number.
nfs.minor_version
-
type: long
NFS protocol minor version number.
nfs.tag
-
NFS v4 COMPOUND operation tag.
nfs.opcode
-
NFS operation name, or main operation name, in case of COMPOUND calls.
nfs.status
-
NFS operation reply status.
PostgreSQL-specific event fields.
pgsql.query
-
The raw PgSQL query as read from the transaction’s request.
pgsql.iserror
-
type: boolean
If the PgSQL query returns an error, this field is set to true.
pgsql.error_code
-
type: long
The PostgreSQL error code.
pgsql.error_message
-
The PostgreSQL error message.
pgsql.error_severity
-
The PostgreSQL error severity.
pgsql.num_fields
-
If the SELECT query is successful, this field is set to the number of fields returned.
pgsql.num_rows
-
If the SELECT query is successful, this field is set to the number of rows returned.
These fields contain the raw transaction data.
request
-
type: text
For text protocols, this is the request as seen on the wire (application layer only). For binary protocols this is our representation of the request.
response
-
type: text
For text protocols, this is the response as seen on the wire (application layer only). For binary protocols this is our representation of the response.
Redis-specific event fields.
redis.return_value
-
The return value of the Redis command in a human readable format.
redis.error
-
If the Redis command has resulted in an error, this field contains the error message returned by the Redis server.
Thrift-RPC specific event fields.
thrift.params
-
The RPC method call parameters in a human readable format. If the IDL files are available, the parameters use names whenever possible. Otherwise, the IDs from the message are used.
thrift.service
-
The name of the Thrift-RPC service as defined in the IDL files.
thrift.return_value
-
The value returned by the Thrift-RPC call. This is encoded in a human readable format.
thrift.exceptions
-
If the call resulted in exceptions, this field contains the exceptions in a human readable format.
TLS-specific event fields.
tls.version
-
type: keyword
example: TLS 1.3
The version of the TLS protocol used.
tls.handshake_completed
-
type: boolean
Whether the TLS negotiation has been successful and the session has transitioned to encrypted mode.
tls.resumed
-
type: boolean
If the TLS session has been resumed from a previous session.
tls.resumption_method
-
type: keyword
If the session has been resumed, the underlying method used. One of "id" for TLS session ID or "ticket" for TLS ticket extension.
tls.client_certificate_requested
-
type: boolean
Whether the server has requested the client to authenticate itself using a client certificate.
tls.client_hello.version
-
type: keyword
The version of the TLS protocol by which the client wishes to communicate during this session.
tls.client_hello.supported_ciphers
-
type: array
List of ciphers the client is willing to use for this session. See https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
tls.client_hello.supported_compression_methods
-
type: array
The list of compression methods the client supports. See https://www.iana.org/assignments/comp-meth-ids/comp-meth-ids.xhtml
The hello extensions provided by the client.
tls.client_hello.extensions.server_name_indication
-
type: keyword
List of hostnames
tls.client_hello.extensions.application_layer_protocol_negotiation
-
type: keyword
List of application-layer protocols the client is willing to use.
tls.client_hello.extensions.session_ticket
-
type: keyword
Length of the session ticket, if provided, or an empty string to advertise support for tickets.
tls.client_hello.extensions.supported_versions
-
type: keyword
List of TLS versions that the client is willing to use.
tls.server_hello.version
-
type: keyword
The version of the TLS protocol that is used for this session. It is the highest version supported by the server not exceeding the version requested in the client hello.
tls.server_hello.selected_cipher
-
type: keyword
The cipher suite selected by the server from the list provided in the client hello.
tls.server_hello.selected_compression_method
-
type: keyword
The compression method selected by the server from the list provided in the client hello.
The hello extensions provided by the server.
tls.server_hello.extensions.application_layer_protocol_negotiation
-
type: array
Negotiated application layer protocol.
tls.server_hello.extensions.session_ticket
-
type: keyword
Used to announce that a session ticket will be provided by the server. Always an empty string.
tls.server_hello.extensions.supported_versions
-
type: keyword
Negotiated TLS version to be used.
Certificate provided by the client for authentication.
tls.client_certificate.version
-
type: long
X509 format version.
tls.client_certificate.serial_number
-
type: keyword
The certificate’s serial number.
tls.client_certificate.not_before
-
type: date
Date before which the certificate is not valid.
tls.client_certificate.not_after
-
type: date
Date after which the certificate expires.
tls.client_certificate.public_key_algorithm
-
type: keyword
The algorithm used for this certificate’s public key. One of RSA, DSA or ECDSA.
tls.client_certificate.public_key_size
-
type: long
Size of the public key.
tls.client_certificate.signature_algorithm
-
type: keyword
The algorithm used for the certificate’s signature.
tls.client_certificate.alternative_names
-
type: array
Subject Alternative Names for this certificate.
tls.client_certificate.raw
-
type: keyword
The raw certificate in PEM format.
Subject represented by this certificate.
tls.client_certificate.subject.country
-
type: keyword
Country code.
tls.client_certificate.subject.organization
-
type: keyword
Organization name.
tls.client_certificate.subject.organizational_unit
-
type: keyword
Unit within organization.
tls.client_certificate.subject.province
-
type: keyword
Province or region within country.
tls.client_certificate.subject.common_name
-
type: keyword
Name or host name identified by the certificate.
Entity that issued and signed this certificate.
tls.client_certificate.issuer.country
-
type: keyword
Country code.
tls.client_certificate.issuer.organization
-
type: keyword
Organization name.
tls.client_certificate.issuer.organizational_unit
-
type: keyword
Unit within organization.
tls.client_certificate.issuer.province
-
type: keyword
Province or region within country.
tls.client_certificate.issuer.common_name
-
type: keyword
Name or host name identified by the certificate.
tls.client_certificate.fingerprint.md5
-
type: keyword
Certificate’s MD5 fingerprint.
tls.client_certificate.fingerprint.sha1
-
type: keyword
Certificate’s SHA-1 fingerprint.
tls.client_certificate.fingerprint.sha256
-
type: keyword
Certificate’s SHA-256 fingerprint.
Certificate provided by the server for authentication.
tls.server_certificate.version
-
type: long
X509 format version.
tls.server_certificate.serial_number
-
type: keyword
The certificate’s serial number.
tls.server_certificate.not_before
-
type: date
Date before which the certificate is not valid.
tls.server_certificate.not_after
-
type: date
Date after which the certificate expires.
tls.server_certificate.public_key_algorithm
-
type: keyword
The algorithm used for this certificate’s public key. One of RSA, DSA or ECDSA.
tls.server_certificate.public_key_size
-
type: long
Size of the public key.
tls.server_certificate.signature_algorithm
-
type: keyword
The algorithm used for the certificate’s signature.
tls.server_certificate.alternative_names
-
type: array
Subject Alternative Names for this certificate.
tls.server_certificate.raw
-
type: keyword
The raw certificate in PEM format.
Subject represented by this certificate.
tls.server_certificate.subject.country
-
type: keyword
Country code.
tls.server_certificate.subject.organization
-
type: keyword
Organization name.
tls.server_certificate.subject.organizational_unit
-
type: keyword
Unit within organization.
tls.server_certificate.subject.province
-
type: keyword
Province or region within country.
tls.server_certificate.subject.common_name
-
type: keyword
Name or host name identified by the certificate.
Entity that issued and signed this certificate.
tls.server_certificate.issuer.country
-
type: keyword
Country code.
tls.server_certificate.issuer.organization
-
type: keyword
Organization name.
tls.server_certificate.issuer.organizational_unit
-
type: keyword
Unit within organization.
tls.server_certificate.issuer.province
-
type: keyword
Province or region within country.
tls.server_certificate.issuer.common_name
-
type: keyword
Name or host name identified by the certificate.
tls.server_certificate.fingerprint.md5
-
type: keyword
Certificate’s MD5 fingerprint.
tls.server_certificate.fingerprint.sha1
-
type: keyword
Certificate’s SHA-1 fingerprint.
tls.server_certificate.fingerprint.sha256
-
type: keyword
Certificate’s SHA-256 fingerprint.
tls.server_certificate_chain
-
type: array
Chain of trust for the server certificate.
tls.client_certificate_chain
-
type: array
Chain of trust for the client certificate.
tls.alert_types
-
type: keyword
An array containing the TLS alert type for every alert received.
Fingerprints for this TLS session.
JA3 TLS client fingerprint
tls.fingerprints.ja3.hash
-
type: keyword
The JA3 fingerprint hash for the client side.
tls.fingerprints.ja3.str
-
type: keyword
The JA3 string used to calculate the hash.
These fields contain data about the transaction itself.
direction
-
required: True
Indicates whether the transaction is inbound (emitted by server) or outbound (emitted by the client). Values can be in or out. No defaults.
status
-
required: True
The high level status of the transaction. The way to compute this value depends on the protocol, but the result has a meaning independent of the protocol.
method
-
The command/verb/method of the transaction. For HTTP, this is the method name (GET, POST, PUT, and so on), for SQL this is the verb (SELECT, UPDATE, DELETE, and so on).
resource
-
The logical resource that this transaction refers to. For HTTP, this is the URL path up to the last slash (/). For example, if the URL is /users/1, the resource is /users. For databases, the resource is typically the table name. The field is not filled for all transaction types.
path
-
required: True
The path the transaction refers to. For HTTP, this is the URL. For SQL databases, this is the table name. For key-value stores, this is the key.
query
-
type: keyword
The query in a human readable format. For HTTP, it will typically be something like GET /users/_search?name=test. For MySQL, it is something like SELECT id from users where name=test.
params
-
type: text
The request parameters. For HTTP, these are the POST or GET parameters. For Thrift-RPC, these are the parameters from the request.
notes
-
Messages from Packetbeat itself. This field usually contains error messages for interpreting the raw data. This information can be helpful for troubleshooting.
These fields contain measurements related to the transaction.
responsetime
-
type: long
The wall clock time it took to complete the transaction. The precision is in milliseconds.
cpu_time
-
type: long
The CPU time it took to complete the transaction.
bytes_in
-
type: long
format: bytes
The number of bytes of the request. Note that this size is the application layer message length, without the length of the IP or TCP headers.
bytes_out
-
type: long
format: bytes
The number of bytes of the response. Note that this size is the application layer message length, without the length of the IP or TCP headers.
dnstime
-
type: long
The time it takes to query the name server for a given request. This is typically used for RUM (real-user-monitoring) but can also have values for server-to-server communication when DNS is used for service discovery. The precision is in microseconds.
connecttime
-
type: long
The time it takes for the TCP connection to be established for the given transaction. The precision is in microseconds.
loadtime
-
type: long
The time it takes for the content to be loaded. This is typically used for RUM (real-user-monitoring) but it can make sense in other cases as well. The precision is in microseconds.
domloadtime
-
type: long
In RUM (real-user-monitoring), the total time it takes for the DOM to be loaded. In terms of the W3 Navigation Timing API, this is the difference between domContentLoadedEnd and domContentLoadedStart.