Common Journalbeat fields
editCommon Journalbeat fields
editContains common fields available in all event types.
coredump fields
editFields used by systemd-coredump kernel helper.
-
coredump.unit -
type: keyword
Annotations of messages containing coredumps from system units.
-
coredump.user_unit -
type: keyword
Annotations of messages containing coredumps from user units.
journald fields
editFields provided by journald.
object fields
editFields to log on behalf of a different program.
audit fields
editAudit fields of event.
-
journald.object.audit.login_uid -
type: long
example: 1000
required: False
The login UID of the object process.
-
journald.object.audit.session -
type: long
example: 3
required: False
The audit session of the object process.
-
journald.object.cmd -
type: keyword
example: /lib/systemd/systemd --user
required: False
The command line of the process.
-
journald.object.name -
type: keyword
example: /lib/systemd/systemd
required: False
Name of the executable.
-
journald.object.executable -
type: keyword
example: /lib/systemd/systemd
required: False
Path to the the executable.
-
journald.object.uid -
type: long
required: False
UID of the object process.
-
journald.object.gid -
type: long
required: False
GID of the object process.
-
journald.object.pid -
type: long
required: False
PID of the object process.
systemd fields
editSystemd fields of event.
-
journald.object.systemd.owner_uid -
type: long
required: False
The UID of the owner.
-
journald.object.systemd.session -
type: keyword
required: False
The ID of the systemd session.
-
journald.object.systemd.unit -
type: keyword
required: False
The name of the systemd unit.
-
journald.object.systemd.user_unit -
type: keyword
required: False
The name of the systemd user unit.
kernel fields
editFields to log on behalf of a different program.
-
journald.kernel.device -
type: keyword
required: False
The kernel device name.
-
journald.kernel.subsystem -
type: keyword
required: False
The kernel subsystem name.
-
journald.kernel.device_symlinks -
type: keyword
required: False
Additional symlink names pointing to the device node in /dev.
-
journald.kernel.device_node_path -
type: keyword
required: False
The device node path of this device in /dev.
-
journald.kernel.device_name -
type: keyword
required: False
The kernel device name as it shows up in the device tree below /sys.
code fields
editFields of the code generating the event.
-
journald.code.file -
type: keyword
example: ../src/core/manager.c
required: False
The name of the source file where the log is generated.
-
journald.code.function -
type: keyword
example: job_log_status_message
required: False
The name of the function which generated the log message.
-
journald.code.line -
type: long
example: 123
required: False
The line number of the code which generated the log message.
process fields
editFields to log on behalf of a different program.
audit fields
editAudit fields of event.
-
journald.process.audit.loginuid -
type: long
example: 1000
required: False
The login UID of the source process.
-
journald.process.audit.session -
type: long
example: 3
required: False
The audit session of the source process.
-
journald.process.cmd -
type: keyword
example: /lib/systemd/systemd --user
required: False
The command line of the process.
-
journald.process.name -
type: keyword
example: /lib/systemd/systemd
required: False
Name of the executable.
-
journald.process.executable -
type: keyword
example: /lib/systemd/systemd
required: False
Path to the the executable.
-
journald.process.pid -
type: long
example: 1
required: False
The ID of the process which logged the message.
-
journald.process.gid -
type: long
example: 1
required: False
The ID of the group which runs the process.
-
journald.process.uid -
type: long
example: 1
required: False
The ID of the user which runs the process.
-
journald.process.capabilites -
required: False
The effective capabilites of the process.
systemd fields
editFields of systemd.
-
systemd.invocation_id -
type: keyword
example: 8450f1672de646c88cd133aadd4f2d70
required: False
The invocation ID for the runtime cycle of the unit the message was generated in.
-
systemd.cgroup -
type: keyword
example: /user.slice/user-1234.slice/session-2.scope
required: False
The control group path in the systemd hierarchy.
-
systemd.owner_uid -
type: long
required: False
The owner UID of the systemd user unit or systemd session.
-
systemd.session -
type: keyword
required: False
The ID of the systemd session.
-
systemd.slice -
type: keyword
example: user-1234.slice
required: False
The systemd slice unit.
-
systemd.user_slice -
type: keyword
required: False
The systemd user slice unit.
-
systemd.unit -
type: keyword
example: nginx.service
required: False
The name of the systemd unit.
-
systemd.user_unit -
type: keyword
example: user-1234.slice
required: False
The name of the systemd user unit.
-
systemd.transport -
type: keyword
example: syslog
required: True
How the log message was received by journald.
host fields
editFields of the host.
-
host.boot_id -
type: keyword
example: dd8c974asdf01dbe2ef26d7fasdf264c9
required: False
The boot ID for the boot the log was generated in.
syslog fields
editFields of the code generating the event.
-
syslog.priority -
type: long
example: 1
required: False
The priority of the message. A syslog compatibility field.
-
syslog.facility -
type: long
example: 1
required: False
The facility of the message. A syslog compatibility field.
-
syslog.identifier -
type: keyword
example: su
required: False
The identifier of the message. A syslog compatibility field.
-
custom -
type: nested
required: False
Arbitrary fields coming from processes.
-
read_timestamp -
type: alias
alias to: event.created
-
container.log.tag -
type: keyword
User defined tag of a container.