diff --git a/auditbeat/_meta/fields.common.yml b/auditbeat/_meta/fields.common.yml index b82bf993cd7..a8139be76cf 100644 --- a/auditbeat/_meta/fields.common.yml +++ b/auditbeat/_meta/fields.common.yml @@ -66,6 +66,27 @@ type: keyword description: Audit user name. + - name: effective + type: group + description: Effective user information. + fields: + - name: id + type: keyword + description: Effective user ID. + - name: name + type: keyword + description: Effective user name. + - name: group + type: group + description: Effective group information. + fields: + - name: id + type: keyword + description: Effective group ID. + - name: name + type: keyword + description: Effective group name. + - name: filesystem type: group description: Filesystem user information. diff --git a/auditbeat/docs/fields.asciidoc b/auditbeat/docs/fields.asciidoc index cc0e3990d99..6119cef354d 100644 --- a/auditbeat/docs/fields.asciidoc +++ b/auditbeat/docs/fields.asciidoc @@ -2720,6 +2720,54 @@ type: keyword -- +[float] +=== effective + +Effective user information. + + +*`user.effective.id`*:: ++ +-- +Effective user ID. + +type: keyword + +-- + +*`user.effective.name`*:: ++ +-- +Effective user name. + +type: keyword + +-- + +[float] +=== group + +Effective group information. + + +*`user.effective.group.id`*:: ++ +-- +Effective group ID. + +type: keyword + +-- + +*`user.effective.group.name`*:: ++ +-- +Effective group name. + +type: keyword + +-- + [float] === filesystem @@ -2940,7 +2988,7 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. -type: wildcard +type: keyword example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] 
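Review bot: The four leaf descriptions in the new `effective` group (`Effective user ID.`, `Effective user name.`, `Effective group ID.`, `Effective group name.`) do not say how these values relate to the sibling `user.id`/`user.name` fields or to the `Audit user name.` entry immediately above them, and since the group is now defined locally rather than inherited from ECS, this file is the only place that contract is documented. I would expand each one, e.g. `description: Effective user ID (euid) under which the audited process ran; may differ from the login or audit user after a setuid or privilege change.` — assuming these are sourced from the kernel audit record, which this hunk does not show, so confirm against the module that populates them. The real-versus-effective distinction is exactly what privilege-change detections key on, so stating it here saves analysts from guessing which field to use. The two group-level descriptions (`Effective user information.`, `Effective group information.`) could carry the same one-line explanation; the enclosing group's header is outside the hunk.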
@@ -3028,7 +3076,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -3075,7 +3123,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -3106,7 +3154,7 @@ format: bytes -- Client domain. -type: wildcard +type: keyword -- @@ -3172,7 +3220,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -3269,7 +3317,7 @@ The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -3314,7 +3362,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -3323,7 +3371,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -3388,7 +3436,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -3690,7 +3738,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -3721,7 +3769,7 @@ format: bytes -- Destination domain. -type: wildcard +type: keyword -- @@ -3787,7 +3835,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc 
@@ -3884,7 +3932,7 @@ The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -3929,7 +3977,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -3938,7 +3986,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -4003,7 +4051,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -4216,7 +4264,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -4268,7 +4316,7 @@ example: IN The data describing the resource. The meaning of this data depends on the type and class of the resource record. -type: wildcard +type: keyword example: 10.10.10.10 @@ -4359,7 +4407,7 @@ example: IN The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. -type: wildcard +type: keyword example: www.example.com @@ -4508,7 +4556,9 @@ type: text -- The stack trace of this error in plain text. -type: wildcard +type: keyword + +Field is not indexed. -- @@ -4524,7 +4574,7 @@ type: text -- The type of the error, for example the class name of the exception. -type: wildcard +type: keyword example: java.lang.NullPointerException 
@@ -4958,7 +5008,7 @@ example: sda -- Directory where the file is located. It should include the drive letter, when appropriate. -type: wildcard +type: keyword example: /home/alice @@ -5113,7 +5163,7 @@ example: alice -- Full path to the file, including the file name. It should include the drive letter, when appropriate. -type: wildcard +type: keyword example: /home/alice/example.png @@ -5187,7 +5237,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -5221,7 +5271,7 @@ example: 16384 -- Target path for symlinks. -type: wildcard +type: keyword -- @@ -5292,7 +5342,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -5459,7 +5509,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -5587,7 +5637,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -5784,7 +5834,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -5818,7 +5868,7 @@ example: Quebec Hostname of the host. It normally contains what the `hostname` command returns on the host machine. -type: wildcard +type: keyword -- 
@@ -5877,7 +5927,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -5906,7 +5956,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -5977,7 +6027,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -5986,7 +6036,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -6051,7 +6101,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -6099,7 +6149,7 @@ format: bytes -- The full HTTP request body. -type: wildcard +type: keyword example: Hello world @@ -6156,7 +6206,7 @@ example: image/gif -- Referrer for this HTTP request. -type: wildcard +type: keyword example: https://blog.example.com/ @@ -6180,7 +6230,7 @@ format: bytes -- The full HTTP response body. -type: wildcard +type: keyword example: Hello world @@ -6295,7 +6345,7 @@ The details specific to your event source are typically not logged under `log.*` Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. -type: wildcard +type: keyword example: /var/log/fun-times.log @@ -6319,7 +6369,7 @@ example: error -- The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. -type: wildcard +type: keyword example: org.elasticsearch.bootstrap.Bootstrap @@ -6792,7 +6842,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc 
@@ -6951,7 +7001,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -6980,7 +7030,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -7088,7 +7138,7 @@ type: keyword -- Organization name. -type: wildcard +type: keyword -- @@ -7121,7 +7171,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -7150,7 +7200,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -7404,7 +7454,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -7516,7 +7566,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: wildcard +type: keyword example: /usr/bin/ssh -l user 10.0.0.16 @@ -7547,7 +7597,7 @@ example: c2c455d9f99375d -- Absolute path to the process executable. -type: wildcard +type: keyword example: /usr/bin/ssh @@ -7614,7 +7664,7 @@ type: keyword Process name. Sometimes called program name or similar. -type: wildcard +type: keyword example: ssh @@ -7715,7 +7765,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: wildcard +type: keyword example: /usr/bin/ssh -l user 10.0.0.16 @@ -7746,7 +7796,7 @@ example: c2c455d9f99375d -- Absolute path to the process executable. -type: wildcard +type: keyword example: /usr/bin/ssh @@ -7813,7 +7863,7 @@ type: keyword Process name. Sometimes called program name or similar. -type: wildcard +type: keyword example: ssh 
@@ -7887,7 +7937,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -7970,7 +8020,7 @@ format: string -- Thread name. -type: wildcard +type: keyword example: thread-0 @@ -7982,7 +8032,7 @@ example: thread-0 Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: wildcard +type: keyword -- @@ -8009,7 +8059,7 @@ example: 1325 -- The working directory of the process. -type: wildcard +type: keyword example: /home/alice @@ -8083,7 +8133,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -8166,7 +8216,7 @@ format: string -- Thread name. -type: wildcard +type: keyword example: thread-0 @@ -8178,7 +8228,7 @@ example: thread-0 Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: wildcard +type: keyword -- @@ -8205,7 +8255,7 @@ example: 1325 -- The working directory of the process. -type: wildcard +type: keyword example: /home/alice @@ -8242,7 +8292,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: wildcard +type: keyword example: ["C:\rta\red_ttp\bin\myapp.exe"] 
@@ -8275,7 +8325,7 @@ example: HKLM -- Hive-relative path of keys. -type: wildcard +type: keyword example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe @@ -8286,7 +8336,7 @@ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Optio -- Full path, including hive, key and value -type: wildcard +type: keyword example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger @@ -8499,7 +8549,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -8530,7 +8580,7 @@ format: bytes -- Server domain. -type: wildcard +type: keyword -- @@ -8596,7 +8646,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -8693,7 +8743,7 @@ The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -8738,7 +8788,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -8747,7 +8797,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -8812,7 +8862,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -8961,7 +9011,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -8992,7 +9042,7 @@ format: bytes -- Source domain. -type: wildcard +type: keyword -- 
@@ -9058,7 +9108,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -9155,7 +9205,7 @@ The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -9200,7 +9250,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -9209,7 +9259,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -9274,7 +9324,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -9506,7 +9556,7 @@ example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -type: wildcard +type: keyword example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -9561,7 +9611,7 @@ example: www.elastic.co -- Distinguished name of subject of the x.509 certificate presented by the client. -type: wildcard +type: keyword example: CN=myclient, OU=Documentation Team, DC=example, DC=com @@ -9616,7 +9666,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA 
@@ -9783,7 +9833,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -9942,7 +9992,7 @@ example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- Subject of the issuer of the x.509 certificate presented by the server. -type: wildcard +type: keyword example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -9986,7 +10036,7 @@ example: 1970-01-01T00:00:00.000Z -- Subject of the x.509 certificate presented by the server. -type: wildcard +type: keyword example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com @@ -10030,7 +10080,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -10197,7 +10247,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -10326,7 +10376,7 @@ URL fields provide support for complete or partial URLs, and supports the breaki Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. -type: wildcard +type: keyword example: www.elastic.co @@ -10361,7 +10411,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: wildcard +type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top 
@@ -10381,7 +10431,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: wildcard +type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -10408,7 +10458,7 @@ type: keyword -- Path of the request, such as "/search". -type: wildcard +type: keyword -- @@ -10442,7 +10492,7 @@ The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com 
@@ -10500,119 +10550,6 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. -*`user.changes.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.changes.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.changes.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.changes.full_name.text`*:: -+ --- -type: text - --- - -*`user.changes.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.changes.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.changes.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.changes.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.changes.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.changes.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.changes.name.text`*:: -+ --- -type: text - --- - -*`user.changes.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - *`user.domain`*:: + -- 
@@ -10623,125 +10560,12 @@ type: keyword -- -*`user.effective.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.effective.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.effective.full_name.text`*:: -+ --- -type: text - --- - -*`user.effective.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.effective.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.effective.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.effective.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.effective.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.effective.name.text`*:: -+ --- -type: text - --- - -*`user.effective.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - *`user.email`*:: + -- User email address. -type: wildcard +type: keyword -- @@ -10750,7 +10574,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -10815,7 +10639,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert 
@@ -10839,119 +10663,6 @@ example: ["kibana_admin", "reporting_user"] -- -*`user.target.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.target.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.target.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.target.full_name.text`*:: -+ --- -type: text - --- - -*`user.target.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.target.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.target.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.target.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.target.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.target.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.target.name.text`*:: -+ --- -type: text - --- - -*`user.target.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - [float] === user_agent @@ -10986,7 +10697,7 @@ example: Safari -- Unparsed user_agent string. -type: wildcard +type: keyword example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 @@ -11015,7 +10726,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave 
@@ -11044,7 +10755,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -11326,7 +11037,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -11493,7 +11204,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net diff --git a/auditbeat/include/fields.go b/auditbeat/include/fields.go index 6d115d5f0a9..ef9ed0218a0 100644 --- a/auditbeat/include/fields.go +++ b/auditbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index a91bf1dab4e..24a42478d73 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -523,6 +523,54 @@ type: keyword Name of the group. +type: keyword + +-- + +[float] +=== effective + +Effective user information. + + +*`user.effective.id`*:: ++ +-- +Effective user ID. + +type: keyword + +-- + +*`user.effective.name`*:: ++ +-- +Effective user name. + +type: keyword + +-- + +[float] +=== group + +Effective group information. + + +*`user.effective.group.id`*:: ++ +-- +Effective group ID. + +type: keyword + +-- + +*`user.effective.group.name`*:: ++ +-- +Effective group name. + type: keyword -- 
@@ -38997,7 +39045,7 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. -type: wildcard +type: keyword example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] @@ -39085,7 +39133,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -39132,7 +39180,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -39163,7 +39211,7 @@ format: bytes -- Client domain. -type: wildcard +type: keyword -- @@ -39229,7 +39277,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -39326,7 +39374,7 @@ The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -39371,7 +39419,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -39380,7 +39428,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -39445,7 +39493,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -39747,7 +39795,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC 
@@ -39778,7 +39826,7 @@ format: bytes -- Destination domain. -type: wildcard +type: keyword -- @@ -39844,7 +39892,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -39941,7 +39989,7 @@ The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -39986,7 +40034,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -39995,7 +40043,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -40060,7 +40108,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -40273,7 +40321,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -40325,7 +40373,7 @@ example: IN The data describing the resource. The meaning of this data depends on the type and class of the resource record. -type: wildcard +type: keyword example: 10.10.10.10 @@ -40416,7 +40464,7 @@ example: IN The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. -type: wildcard +type: keyword example: www.example.com 
@@ -40565,7 +40613,9 @@ type: text -- The stack trace of this error in plain text. -type: wildcard +type: keyword + +Field is not indexed. -- @@ -40581,7 +40631,7 @@ type: text -- The type of the error, for example the class name of the exception. -type: wildcard +type: keyword example: java.lang.NullPointerException @@ -41015,7 +41065,7 @@ example: sda -- Directory where the file is located. It should include the drive letter, when appropriate. -type: wildcard +type: keyword example: /home/alice @@ -41170,7 +41220,7 @@ example: alice -- Full path to the file, including the file name. It should include the drive letter, when appropriate. -type: wildcard +type: keyword example: /home/alice/example.png @@ -41244,7 +41294,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -41278,7 +41328,7 @@ example: 16384 -- Target path for symlinks. -type: wildcard +type: keyword -- @@ -41349,7 +41399,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -41516,7 +41566,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -41644,7 +41694,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc 
@@ -41841,7 +41891,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -41875,7 +41925,7 @@ example: Quebec Hostname of the host. It normally contains what the `hostname` command returns on the host machine. -type: wildcard +type: keyword -- @@ -41934,7 +41984,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -41963,7 +42013,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -42034,7 +42084,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -42043,7 +42093,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -42108,7 +42158,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -42156,7 +42206,7 @@ format: bytes -- The full HTTP request body. -type: wildcard +type: keyword example: Hello world @@ -42213,7 +42263,7 @@ example: image/gif -- Referrer for this HTTP request. -type: wildcard +type: keyword example: https://blog.example.com/ @@ -42237,7 +42287,7 @@ format: bytes -- The full HTTP response body. -type: wildcard +type: keyword example: Hello world @@ -42352,7 +42402,7 @@ The details specific to your event source are typically not logged under `log.*` Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. -type: wildcard +type: keyword example: /var/log/fun-times.log 
@@ -42376,7 +42426,7 @@ example: error -- The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. -type: wildcard +type: keyword example: org.elasticsearch.bootstrap.Bootstrap @@ -42849,7 +42899,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -43008,7 +43058,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -43037,7 +43087,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -43145,7 +43195,7 @@ type: keyword -- Organization name. -type: wildcard +type: keyword -- @@ -43178,7 +43228,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -43207,7 +43257,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -43461,7 +43511,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -43573,7 +43623,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: wildcard +type: keyword example: /usr/bin/ssh -l user 10.0.0.16 @@ -43604,7 +43654,7 @@ example: c2c455d9f99375d -- Absolute path to the process executable. -type: wildcard +type: keyword example: /usr/bin/ssh 
@@ -43671,7 +43721,7 @@ type: keyword Process name. Sometimes called program name or similar. -type: wildcard +type: keyword example: ssh @@ -43772,7 +43822,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: wildcard +type: keyword example: /usr/bin/ssh -l user 10.0.0.16 @@ -43803,7 +43853,7 @@ example: c2c455d9f99375d -- Absolute path to the process executable. -type: wildcard +type: keyword example: /usr/bin/ssh @@ -43870,7 +43920,7 @@ type: keyword Process name. Sometimes called program name or similar. -type: wildcard +type: keyword example: ssh @@ -43944,7 +43994,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -44027,7 +44077,7 @@ format: string -- Thread name. -type: wildcard +type: keyword example: thread-0 @@ -44039,7 +44089,7 @@ example: thread-0 Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: wildcard +type: keyword -- @@ -44066,7 +44116,7 @@ example: 1325 -- The working directory of the process. -type: wildcard +type: keyword example: /home/alice @@ -44140,7 +44190,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -44223,7 +44273,7 @@ format: string -- Thread name. -type: wildcard +type: keyword example: thread-0 @@ -44235,7 +44285,7 @@ example: thread-0 Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: wildcard +type: keyword -- 
@@ -44262,7 +44312,7 @@ example: 1325 -- The working directory of the process. -type: wildcard +type: keyword example: /home/alice @@ -44299,7 +44349,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: wildcard +type: keyword example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -44332,7 +44382,7 @@ example: HKLM -- Hive-relative path of keys. -type: wildcard +type: keyword example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe @@ -44343,7 +44393,7 @@ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Optio -- Full path, including hive, key and value -type: wildcard +type: keyword example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger @@ -44556,7 +44606,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -44587,7 +44637,7 @@ format: bytes -- Server domain. -type: wildcard +type: keyword -- @@ -44653,7 +44703,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc 
@@ -44750,7 +44800,7 @@ The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -44795,7 +44845,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -44804,7 +44854,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -44869,7 +44919,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -45018,7 +45068,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -45049,7 +45099,7 @@ format: bytes -- Source domain. -type: wildcard +type: keyword -- @@ -45115,7 +45165,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -45212,7 +45262,7 @@ The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -45257,7 +45307,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -45266,7 +45316,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein 
@@ -45331,7 +45381,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -45563,7 +45613,7 @@ example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -type: wildcard +type: keyword example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -45618,7 +45668,7 @@ example: www.elastic.co -- Distinguished name of subject of the x.509 certificate presented by the client. -type: wildcard +type: keyword example: CN=myclient, OU=Documentation Team, DC=example, DC=com @@ -45673,7 +45723,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -45840,7 +45890,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -45999,7 +46049,7 @@ example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- Subject of the issuer of the x.509 certificate presented by the server. -type: wildcard +type: keyword example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -46043,7 +46093,7 @@ example: 1970-01-01T00:00:00.000Z -- Subject of the x.509 certificate presented by the server. -type: wildcard +type: keyword example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com @@ -46087,7 +46137,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA 
@@ -46254,7 +46304,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -46383,7 +46433,7 @@ URL fields provide support for complete or partial URLs, and supports the breaki Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. -type: wildcard +type: keyword example: www.elastic.co @@ -46418,7 +46468,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: wildcard +type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -46438,7 +46488,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: wildcard +type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -46465,7 +46515,7 @@ type: keyword -- Path of the request, such as "/search". -type: wildcard +type: keyword -- @@ -46499,7 +46549,7 @@ The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com 
@@ -46557,119 +46607,6 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. -*`user.changes.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.changes.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.changes.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.changes.full_name.text`*:: -+ --- -type: text - --- - -*`user.changes.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.changes.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.changes.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.changes.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.changes.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.changes.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.changes.name.text`*:: -+ --- -type: text - --- - -*`user.changes.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - *`user.domain`*:: + -- 
@@ -46680,125 +46617,12 @@ type: keyword -- -*`user.effective.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.effective.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.effective.full_name.text`*:: -+ --- -type: text - --- - -*`user.effective.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.effective.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.effective.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.effective.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.effective.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.effective.name.text`*:: -+ --- -type: text - --- - -*`user.effective.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - *`user.email`*:: + -- User email address. -type: wildcard +type: keyword -- @@ -46807,7 +46631,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -46872,7 +46696,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert 
@@ -46896,119 +46720,6 @@ example: ["kibana_admin", "reporting_user"] -- -*`user.target.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.target.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.target.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.target.full_name.text`*:: -+ --- -type: text - --- - -*`user.target.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.target.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.target.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.target.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.target.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.target.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.target.name.text`*:: -+ --- -type: text - --- - -*`user.target.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - [float] === user_agent @@ -47043,7 +46754,7 @@ example: Safari -- Unparsed user_agent string. -type: wildcard +type: keyword example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 @@ -47072,7 +46783,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave 
@@ -47101,7 +46812,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -47383,7 +47094,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -47550,7 +47261,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net diff --git a/filebeat/include/fields.go b/filebeat/include/fields.go index 0338b6b03d7..35f2495d356 100644 --- a/filebeat/include/fields.go +++ b/filebeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/filebeat/module/auditd/_meta/fields.yml b/filebeat/module/auditd/_meta/fields.yml index ef655fc2fd2..e84497723a8 100644 --- a/filebeat/module/auditd/_meta/fields.yml +++ b/filebeat/module/auditd/_meta/fields.yml @@ -36,6 +36,27 @@ description: > Name of the group. + - name: effective + type: group + description: Effective user information. + fields: + - name: id + type: keyword + description: Effective user ID. + - name: name + type: keyword + description: Effective user name. + - name: group + type: group + description: Effective group information. + fields: + - name: id + type: keyword + description: Effective group ID. + - name: name + type: keyword + description: Effective group name. + - name: filesystem type: group fields: diff --git a/filebeat/module/auditd/fields.go b/filebeat/module/auditd/fields.go index 1d26f923d6b..ab6f0d1ad93 100644 --- a/filebeat/module/auditd/fields.go +++ b/filebeat/module/auditd/fields.go 
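Review bot: The new `effective` group's descriptions (`Effective user ID.`, `Effective user name.`, and the `group` sub-fields) say nothing about which auditd record key populates them or how they relate to the sibling user fields, which is exactly what an analyst needs when a mismatch between effective and audit/login identity is the indicator of a setuid, su/sudo or other privilege change. I would expand the id description to something like `Effective user ID (euid) in effect when the audited event occurred; differs from the audit/login user when privileges were changed via setuid, su or sudo.`, adjusted to whatever the module's ingest pipeline actually maps into it. Note also that `user.effective.*` is an ECS field set with a broader definition (domain, email, full_name, hash, roles) that the asciidoc hunks in this same diff remove from the generated docs; a short comment such as `# Module-local subset of ECS user.effective.*; keep names and types aligned with ECS.` above `- name: effective` would make the intentional narrowing explicit and help keep the two from diverging. The enclosing group this list belongs to (presumably `user`) starts outside the hunk.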
@@ -32,5 +32,5 @@ func init() { // AssetAuditd returns asset data. // This is the base64 encoded gzipped contents of module/auditd. func AssetAuditd() string { - return "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" + return "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" } diff --git a/heartbeat/docs/fields.asciidoc b/heartbeat/docs/fields.asciidoc index 61466a75a75..9b6f545c738 100644 --- a/heartbeat/docs/fields.asciidoc +++ b/heartbeat/docs/fields.asciidoc @@ -435,7 +435,7 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. -type: wildcard +type: keyword example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] @@ -523,7 +523,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -570,7 +570,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -601,7 +601,7 @@ format: bytes -- Client domain. -type: wildcard +type: keyword -- @@ -667,7 +667,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -764,7 +764,7 @@ The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com 
@@ -809,7 +809,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -818,7 +818,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -883,7 +883,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -1185,7 +1185,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -1216,7 +1216,7 @@ format: bytes -- Destination domain. -type: wildcard +type: keyword -- @@ -1282,7 +1282,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -1379,7 +1379,7 @@ The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -1424,7 +1424,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -1433,7 +1433,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -1498,7 +1498,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -1711,7 +1711,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -1763,7 +1763,7 @@ example: IN The data describing the resource. The meaning of this data depends on the type and class of the resource record. -type: wildcard +type: keyword example: 10.10.10.10 
@@ -1854,7 +1854,7 @@ example: IN The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. -type: wildcard +type: keyword example: www.example.com @@ -2003,7 +2003,9 @@ type: text -- The stack trace of this error in plain text. -type: wildcard +type: keyword + +Field is not indexed. -- @@ -2019,7 +2021,7 @@ type: text -- The type of the error, for example the class name of the exception. -type: wildcard +type: keyword example: java.lang.NullPointerException @@ -2453,7 +2455,7 @@ example: sda -- Directory where the file is located. It should include the drive letter, when appropriate. -type: wildcard +type: keyword example: /home/alice @@ -2608,7 +2610,7 @@ example: alice -- Full path to the file, including the file name. It should include the drive letter, when appropriate. -type: wildcard +type: keyword example: /home/alice/example.png @@ -2682,7 +2684,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -2716,7 +2718,7 @@ example: 16384 -- Target path for symlinks. -type: wildcard +type: keyword -- @@ -2787,7 +2789,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -2954,7 +2956,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net 
@@ -3082,7 +3084,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -3279,7 +3281,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -3313,7 +3315,7 @@ example: Quebec Hostname of the host. It normally contains what the `hostname` command returns on the host machine. -type: wildcard +type: keyword -- @@ -3372,7 +3374,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -3401,7 +3403,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -3472,7 +3474,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -3481,7 +3483,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -3546,7 +3548,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -3594,7 +3596,7 @@ format: bytes -- The full HTTP request body. -type: wildcard +type: keyword example: Hello world @@ -3651,7 +3653,7 @@ example: image/gif -- Referrer for this HTTP request. -type: wildcard +type: keyword example: https://blog.example.com/ @@ -3675,7 +3677,7 @@ format: bytes -- The full HTTP response body. -type: wildcard +type: keyword example: Hello world 
@@ -3790,7 +3792,7 @@ The details specific to your event source are typically not logged under `log.*` Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. -type: wildcard +type: keyword example: /var/log/fun-times.log @@ -3814,7 +3816,7 @@ example: error -- The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. -type: wildcard +type: keyword example: org.elasticsearch.bootstrap.Bootstrap @@ -4287,7 +4289,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -4446,7 +4448,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -4475,7 +4477,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -4583,7 +4585,7 @@ type: keyword -- Organization name. -type: wildcard +type: keyword -- @@ -4616,7 +4618,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -4645,7 +4647,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -4899,7 +4901,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE 
@@ -5011,7 +5013,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: wildcard +type: keyword example: /usr/bin/ssh -l user 10.0.0.16 @@ -5042,7 +5044,7 @@ example: c2c455d9f99375d -- Absolute path to the process executable. -type: wildcard +type: keyword example: /usr/bin/ssh @@ -5109,7 +5111,7 @@ type: keyword Process name. Sometimes called program name or similar. -type: wildcard +type: keyword example: ssh @@ -5210,7 +5212,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: wildcard +type: keyword example: /usr/bin/ssh -l user 10.0.0.16 @@ -5241,7 +5243,7 @@ example: c2c455d9f99375d -- Absolute path to the process executable. -type: wildcard +type: keyword example: /usr/bin/ssh @@ -5308,7 +5310,7 @@ type: keyword Process name. Sometimes called program name or similar. -type: wildcard +type: keyword example: ssh @@ -5382,7 +5384,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -5465,7 +5467,7 @@ format: string -- Thread name. -type: wildcard +type: keyword example: thread-0 @@ -5477,7 +5479,7 @@ example: thread-0 Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: wildcard +type: keyword -- @@ -5504,7 +5506,7 @@ example: 1325 -- The working directory of the process. -type: wildcard +type: keyword example: /home/alice @@ -5578,7 +5580,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE 
@@ -5661,7 +5663,7 @@ format: string -- Thread name. -type: wildcard +type: keyword example: thread-0 @@ -5673,7 +5675,7 @@ example: thread-0 Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: wildcard +type: keyword -- @@ -5700,7 +5702,7 @@ example: 1325 -- The working directory of the process. -type: wildcard +type: keyword example: /home/alice @@ -5737,7 +5739,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: wildcard +type: keyword example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -5770,7 +5772,7 @@ example: HKLM -- Hive-relative path of keys. -type: wildcard +type: keyword example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe @@ -5781,7 +5783,7 @@ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Optio -- Full path, including hive, key and value -type: wildcard +type: keyword example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger @@ -5994,7 +5996,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -6025,7 +6027,7 @@ format: bytes -- Server domain. -type: wildcard +type: keyword -- @@ -6091,7 +6093,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc 
@@ -6188,7 +6190,7 @@ The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -6233,7 +6235,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -6242,7 +6244,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -6307,7 +6309,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -6456,7 +6458,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -6487,7 +6489,7 @@ format: bytes -- Source domain. -type: wildcard +type: keyword -- @@ -6553,7 +6555,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -6650,7 +6652,7 @@ The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -6695,7 +6697,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -6704,7 +6706,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein 
@@ -6769,7 +6771,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -7001,7 +7003,7 @@ example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -type: wildcard +type: keyword example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -7056,7 +7058,7 @@ example: www.elastic.co -- Distinguished name of subject of the x.509 certificate presented by the client. -type: wildcard +type: keyword example: CN=myclient, OU=Documentation Team, DC=example, DC=com @@ -7111,7 +7113,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -7278,7 +7280,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -7437,7 +7439,7 @@ example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- Subject of the issuer of the x.509 certificate presented by the server. -type: wildcard +type: keyword example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -7481,7 +7483,7 @@ example: 1970-01-01T00:00:00.000Z -- Subject of the x.509 certificate presented by the server. -type: wildcard +type: keyword example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com @@ -7525,7 +7527,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA 
@@ -7692,7 +7694,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -7821,7 +7823,7 @@ URL fields provide support for complete or partial URLs, and supports the breaki Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. -type: wildcard +type: keyword example: www.elastic.co @@ -7856,7 +7858,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: wildcard +type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -7876,7 +7878,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: wildcard +type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -7903,7 +7905,7 @@ type: keyword -- Path of the request, such as "/search". -type: wildcard +type: keyword -- @@ -7937,7 +7939,7 @@ The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com 
@@ -7995,119 +7997,6 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. -*`user.changes.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.changes.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.changes.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.changes.full_name.text`*:: -+ --- -type: text - --- - -*`user.changes.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.changes.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.changes.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.changes.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.changes.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.changes.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.changes.name.text`*:: -+ --- -type: text - --- - -*`user.changes.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - *`user.domain`*:: + -- 
@@ -8118,125 +8007,12 @@ type: keyword -- -*`user.effective.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.effective.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.effective.full_name.text`*:: -+ --- -type: text - --- - -*`user.effective.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.effective.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.effective.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.effective.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.effective.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.effective.name.text`*:: -+ --- -type: text - --- - -*`user.effective.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - *`user.email`*:: + -- User email address. -type: wildcard +type: keyword -- @@ -8245,7 +8021,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -8310,7 +8086,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert 
@@ -8334,119 +8110,6 @@ example: ["kibana_admin", "reporting_user"] -- -*`user.target.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.target.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.target.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.target.full_name.text`*:: -+ --- -type: text - --- - -*`user.target.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.target.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.target.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.target.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.target.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.target.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.target.name.text`*:: -+ --- -type: text - --- - -*`user.target.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - [float] === user_agent @@ -8481,7 +8144,7 @@ example: Safari -- Unparsed user_agent string. -type: wildcard +type: keyword example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 @@ -8510,7 +8173,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave 
@@ -8539,7 +8202,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -8821,7 +8484,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -8988,7 +8651,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net diff --git a/heartbeat/include/fields.go b/heartbeat/include/fields.go index 9b102054d26..1dd45bd419e 100644 --- a/heartbeat/include/fields.go +++ b/heartbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/journalbeat/docs/fields.asciidoc b/journalbeat/docs/fields.asciidoc index a772f2cf951..ac69dbffe99 100644 --- a/journalbeat/docs/fields.asciidoc +++ b/journalbeat/docs/fields.asciidoc @@ -988,7 +988,7 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. -type: wildcard +type: keyword example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] @@ -1076,7 +1076,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -1123,7 +1123,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -1154,7 +1154,7 @@ format: bytes -- Client domain. -type: wildcard +type: keyword -- 
@@ -1220,7 +1220,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -1317,7 +1317,7 @@ The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -1362,7 +1362,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -1371,7 +1371,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -1436,7 +1436,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -1738,7 +1738,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -1769,7 +1769,7 @@ format: bytes -- Destination domain. -type: wildcard +type: keyword -- @@ -1835,7 +1835,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc 
@@ -1932,7 +1932,7 @@ The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -1977,7 +1977,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -1986,7 +1986,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -2051,7 +2051,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -2264,7 +2264,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -2316,7 +2316,7 @@ example: IN The data describing the resource. The meaning of this data depends on the type and class of the resource record. -type: wildcard +type: keyword example: 10.10.10.10 @@ -2407,7 +2407,7 @@ example: IN The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. -type: wildcard +type: keyword example: www.example.com @@ -2556,7 +2556,9 @@ type: text -- The stack trace of this error in plain text. -type: wildcard +type: keyword + +Field is not indexed. -- @@ -2572,7 +2574,7 @@ type: text -- The type of the error, for example the class name of the exception. -type: wildcard +type: keyword example: java.lang.NullPointerException 
@@ -3006,7 +3008,7 @@ example: sda -- Directory where the file is located. It should include the drive letter, when appropriate. -type: wildcard +type: keyword example: /home/alice @@ -3161,7 +3163,7 @@ example: alice -- Full path to the file, including the file name. It should include the drive letter, when appropriate. -type: wildcard +type: keyword example: /home/alice/example.png @@ -3235,7 +3237,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -3269,7 +3271,7 @@ example: 16384 -- Target path for symlinks. -type: wildcard +type: keyword -- @@ -3340,7 +3342,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -3507,7 +3509,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -3635,7 +3637,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -3832,7 +3834,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -3866,7 +3868,7 @@ example: Quebec Hostname of the host. It normally contains what the `hostname` command returns on the host machine. -type: wildcard +type: keyword -- 
@@ -3925,7 +3927,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -3954,7 +3956,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -4025,7 +4027,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -4034,7 +4036,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -4099,7 +4101,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -4147,7 +4149,7 @@ format: bytes -- The full HTTP request body. -type: wildcard +type: keyword example: Hello world @@ -4204,7 +4206,7 @@ example: image/gif -- Referrer for this HTTP request. -type: wildcard +type: keyword example: https://blog.example.com/ @@ -4228,7 +4230,7 @@ format: bytes -- The full HTTP response body. -type: wildcard +type: keyword example: Hello world @@ -4343,7 +4345,7 @@ The details specific to your event source are typically not logged under `log.*` Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. -type: wildcard +type: keyword example: /var/log/fun-times.log @@ -4367,7 +4369,7 @@ example: error -- The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. -type: wildcard +type: keyword example: org.elasticsearch.bootstrap.Bootstrap @@ -4840,7 +4842,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc 
@@ -4999,7 +5001,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -5028,7 +5030,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -5136,7 +5138,7 @@ type: keyword -- Organization name. -type: wildcard +type: keyword -- @@ -5169,7 +5171,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -5198,7 +5200,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -5452,7 +5454,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -5564,7 +5566,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: wildcard +type: keyword example: /usr/bin/ssh -l user 10.0.0.16 @@ -5595,7 +5597,7 @@ example: c2c455d9f99375d -- Absolute path to the process executable. -type: wildcard +type: keyword example: /usr/bin/ssh @@ -5662,7 +5664,7 @@ type: keyword Process name. Sometimes called program name or similar. -type: wildcard +type: keyword example: ssh @@ -5763,7 +5765,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: wildcard +type: keyword example: /usr/bin/ssh -l user 10.0.0.16 @@ -5794,7 +5796,7 @@ example: c2c455d9f99375d -- Absolute path to the process executable. -type: wildcard +type: keyword example: /usr/bin/ssh @@ -5861,7 +5863,7 @@ type: keyword Process name. Sometimes called program name or similar. -type: wildcard +type: keyword example: ssh 
@@ -5935,7 +5937,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -6018,7 +6020,7 @@ format: string -- Thread name. -type: wildcard +type: keyword example: thread-0 @@ -6030,7 +6032,7 @@ example: thread-0 Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: wildcard +type: keyword -- @@ -6057,7 +6059,7 @@ example: 1325 -- The working directory of the process. -type: wildcard +type: keyword example: /home/alice @@ -6131,7 +6133,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -6214,7 +6216,7 @@ format: string -- Thread name. -type: wildcard +type: keyword example: thread-0 @@ -6226,7 +6228,7 @@ example: thread-0 Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: wildcard +type: keyword -- @@ -6253,7 +6255,7 @@ example: 1325 -- The working directory of the process. -type: wildcard +type: keyword example: /home/alice @@ -6290,7 +6292,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: wildcard +type: keyword example: ["C:\rta\red_ttp\bin\myapp.exe"] 
@@ -6323,7 +6325,7 @@ example: HKLM -- Hive-relative path of keys. -type: wildcard +type: keyword example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe @@ -6334,7 +6336,7 @@ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Optio -- Full path, including hive, key and value -type: wildcard +type: keyword example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger @@ -6547,7 +6549,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -6578,7 +6580,7 @@ format: bytes -- Server domain. -type: wildcard +type: keyword -- @@ -6644,7 +6646,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -6741,7 +6743,7 @@ The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -6786,7 +6788,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -6795,7 +6797,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -6860,7 +6862,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -7009,7 +7011,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -7040,7 +7042,7 @@ format: bytes -- Source domain. -type: wildcard +type: keyword -- 
@@ -7106,7 +7108,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -7203,7 +7205,7 @@ The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -7248,7 +7250,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -7257,7 +7259,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -7322,7 +7324,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -7554,7 +7556,7 @@ example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -type: wildcard +type: keyword example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -7609,7 +7611,7 @@ example: www.elastic.co -- Distinguished name of subject of the x.509 certificate presented by the client. -type: wildcard +type: keyword example: CN=myclient, OU=Documentation Team, DC=example, DC=com @@ -7664,7 +7666,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA 
@@ -7831,7 +7833,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -7990,7 +7992,7 @@ example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- Subject of the issuer of the x.509 certificate presented by the server. -type: wildcard +type: keyword example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -8034,7 +8036,7 @@ example: 1970-01-01T00:00:00.000Z -- Subject of the x.509 certificate presented by the server. -type: wildcard +type: keyword example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com @@ -8078,7 +8080,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -8245,7 +8247,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -8374,7 +8376,7 @@ URL fields provide support for complete or partial URLs, and supports the breaki Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. -type: wildcard +type: keyword example: www.elastic.co @@ -8409,7 +8411,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: wildcard +type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top 
@@ -8429,7 +8431,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: wildcard +type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -8456,7 +8458,7 @@ type: keyword -- Path of the request, such as "/search". -type: wildcard +type: keyword -- @@ -8490,7 +8492,7 @@ The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com 
@@ -8548,119 +8550,6 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. -*`user.changes.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.changes.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.changes.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.changes.full_name.text`*:: -+ --- -type: text - --- - -*`user.changes.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.changes.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.changes.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.changes.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.changes.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.changes.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.changes.name.text`*:: -+ --- -type: text - --- - -*`user.changes.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - *`user.domain`*:: + -- 
@@ -8671,125 +8560,12 @@ type: keyword -- -*`user.effective.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.effective.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.effective.full_name.text`*:: -+ --- -type: text - --- - -*`user.effective.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.effective.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.effective.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.effective.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.effective.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.effective.name.text`*:: -+ --- -type: text - --- - -*`user.effective.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - *`user.email`*:: + -- User email address. -type: wildcard +type: keyword -- @@ -8798,7 +8574,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -8863,7 +8639,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert 
@@ -8887,119 +8663,6 @@ example: ["kibana_admin", "reporting_user"] -- -*`user.target.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.target.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.target.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.target.full_name.text`*:: -+ --- -type: text - --- - -*`user.target.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.target.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.target.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.target.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.target.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.target.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.target.name.text`*:: -+ --- -type: text - --- - -*`user.target.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - [float] === user_agent @@ -9034,7 +8697,7 @@ example: Safari -- Unparsed user_agent string. -type: wildcard +type: keyword example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 @@ -9063,7 +8726,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave 
@@ -9092,7 +8755,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -9374,7 +9037,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -9541,7 +9204,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net diff --git a/journalbeat/include/fields.go b/journalbeat/include/fields.go index 99016ad19cd..91caae0e532 100644 --- a/journalbeat/include/fields.go +++ b/journalbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/libbeat/_meta/fields.ecs.yml b/libbeat/_meta/fields.ecs.yml index f00f113af62..e3bfd964a51 100644 --- a/libbeat/_meta/fields.ecs.yml +++ b/libbeat/_meta/fields.ecs.yml @@ -1,5 +1,5 @@ # WARNING! Do not edit this file directly, it was generated by the ECS project, -# based on ECS version 1.7.0+exp. +# based on ECS version 1.7.0. # Please visit https://github.com/elastic/ecs to suggest changes to ECS fields. - key: ecs @@ -66,7 +66,8 @@ fields: - name: build.original level: core - type: wildcard + type: keyword + ignore_above: 1024 description: 'Extended build information for the agent. This field is intended to contain any build information that a data source @@ -135,7 +136,8 @@ example: 15169 - name: organization.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -181,7 +183,8 @@ example: 15169 - name: as.organization.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text 
@@ -197,7 +200,8 @@ example: 184 - name: domain level: core - type: wildcard + type: keyword + ignore_above: 1024 description: Client domain. - name: geo.city_name level: core @@ -230,7 +234,8 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. @@ -287,7 +292,8 @@ description: Port of the client. - name: registered_domain level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -331,11 +337,13 @@ For example, an LDAP or Active Directory domain name.' - name: user.email level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: User email address. - name: user.full_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -376,7 +384,8 @@ description: Unique identifier of the user. - name: user.name level: core - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -596,7 +605,8 @@ example: 15169 - name: as.organization.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -612,7 +622,8 @@ example: 184 - name: domain level: core - type: wildcard + type: keyword + ignore_above: 1024 description: Destination domain. - name: geo.city_name level: core @@ -645,7 +656,8 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. 
@@ -701,7 +713,8 @@ description: Port of the destination. - name: registered_domain level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -745,11 +758,13 @@ For example, an LDAP or Active Directory domain name.' - name: user.email level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: User email address. - name: user.full_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -790,7 +805,8 @@ description: Unique identifier of the user. - name: user.name level: core - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -945,7 +961,8 @@ default_field: false - name: pe.original_file_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -988,7 +1005,8 @@ example: IN - name: answers.data level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'The data describing the resource. The meaning of this data depends on the type and class of the resource record.' @@ -1047,7 +1065,8 @@ example: IN - name: question.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'The name being queried. If the name field contains non-printable characters (below 32 or above 126), 
@@ -1166,16 +1185,19 @@ description: Error message. - name: stack_trace level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text norms: false default_field: false description: The stack trace of this error in plain text. + index: false - name: type level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: The type of the error, for example the class name of the exception. example: java.lang.NullPointerException - name: event @@ -1563,7 +1585,8 @@ example: sda - name: directory level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Directory where the file is located. It should include the drive letter, when appropriate. example: /home/alice @@ -1657,7 +1680,8 @@ example: alice - name: path level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -1707,7 +1731,8 @@ default_field: false - name: pe.original_file_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -1727,7 +1752,8 @@ example: 16384 - name: target_path level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -1771,7 +1797,8 @@ default_field: false - name: x509.issuer.distinguished_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -1877,7 +1904,8 @@ default_field: false - name: x509.subject.distinguished_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false 
@@ -1956,7 +1984,8 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. @@ -2089,7 +2118,8 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. @@ -2112,7 +2142,8 @@ example: Quebec - name: hostname level: core - type: wildcard + type: keyword + ignore_above: 1024 description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' @@ -2151,7 +2182,8 @@ example: debian - name: os.full level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -2167,7 +2199,8 @@ example: 4.4.0-112-generic - name: os.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -2210,11 +2243,13 @@ For example, an LDAP or Active Directory domain name.' - name: user.email level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: User email address. - name: user.full_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -2255,7 +2290,8 @@ description: Unique identifier of the user. - name: user.name level: core - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -2285,7 +2321,8 @@ example: 887 - name: request.body.content level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text 
@@ -2327,7 +2364,8 @@ default_field: false - name: request.referrer level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Referrer for this HTTP request. example: https://blog.example.com/ - name: response.body.bytes @@ -2338,7 +2376,8 @@ example: 887 - name: response.body.content level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -2424,7 +2463,8 @@ fields: - name: file.path level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. @@ -2445,7 +2485,8 @@ example: error - name: logger level: core - type: wildcard + type: keyword + ignore_above: 1024 description: The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. example: org.elasticsearch.bootstrap.Bootstrap @@ -2791,7 +2832,8 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. @@ -2899,7 +2941,8 @@ example: debian - name: os.full level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -2915,7 +2958,8 @@ example: 4.4.0-112-generic - name: os.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -2983,7 +3027,8 @@ description: Unique identifier for the organization. - name: name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3004,7 +3049,8 @@ example: debian - name: full level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text 
@@ -3020,7 +3066,8 @@ example: 4.4.0-112-generic - name: name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3185,7 +3232,8 @@ default_field: false - name: original_file_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -3269,7 +3317,8 @@ default_field: false - name: command_line level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3297,7 +3346,8 @@ default_field: false - name: executable level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3336,7 +3386,8 @@ description: SHA512 hash. - name: name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3410,7 +3461,8 @@ default_field: false - name: parent.command_line level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3438,7 +3490,8 @@ default_field: false - name: parent.executable level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3481,7 +3534,8 @@ default_field: false - name: parent.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3532,7 +3586,8 @@ default_field: false - name: parent.pe.original_file_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false 
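Review bot: Reverting `process.command_line` (and `parent.command_line` in the following hunk) from `wildcard` to `type: keyword` with `ignore_above: 1024` means any command line longer than 1024 characters is dropped from the keyword index, so exact, prefix and wildcard queries on `process.command_line` silently stop matching those events even though the value remains in `_source`. Long command lines are precisely what encoded or obfuscated PowerShell and `cmd` one-liners produce, so detections keyed on this field degrade in the cases that matter most; the `text` multi-field still indexes the full value, but only as analyzed tokens rather than an exact string. The enclosing `process` field group starts and ends outside this hunk, and the file header marks it as generated from ECS, so the durable fix belongs in the ECS source or the generator rather than a hand edit here. At minimum the changelog for this downgrade should state the 1024-character ceiling for `process.command_line`, `url.original`, `http.request.body.content` and `registry.data.strings` (all reduced the same way in this diff) so rule authors know to query the `.text` field or override `ignore_above` in their own index template.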
@@ -3578,13 +3633,15 @@ default_field: false - name: parent.thread.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Thread name. example: thread-0 default_field: false - name: parent.title level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3602,7 +3659,8 @@ default_field: false - name: parent.working_directory level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3651,7 +3709,8 @@ default_field: false - name: pe.original_file_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Internal name of the file, provided at compile-time. example: MSPAINT.EXE default_field: false @@ -3692,12 +3751,14 @@ example: 4242 - name: thread.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Thread name. example: thread-0 - name: title level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3714,7 +3775,8 @@ example: 1325 - name: working_directory level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3741,7 +3803,8 @@ default_field: false - name: data.strings level: core - type: wildcard + type: keyword + ignore_above: 1024 description: 'Content when writing string types. Populated as an array when writing string data to the registry. For single 
@@ -3767,13 +3830,15 @@ default_field: false - name: key level: core - type: wildcard + type: keyword + ignore_above: 1024 description: Hive-relative path of keys. example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe default_field: false - name: path level: core - type: wildcard + type: keyword + ignore_above: 1024 description: Full path, including hive, key and value example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger @@ -3958,7 +4023,8 @@ example: 15169 - name: as.organization.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -3974,7 +4040,8 @@ example: 184 - name: domain level: core - type: wildcard + type: keyword + ignore_above: 1024 description: Server domain. - name: geo.city_name level: core @@ -4007,7 +4074,8 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. @@ -4064,7 +4132,8 @@ description: Port of the server. - name: registered_domain level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -4108,11 +4177,13 @@ For example, an LDAP or Active Directory domain name.' - name: user.email level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: User email address. - name: user.full_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -4153,7 +4224,8 @@ description: Unique identifier of the user. - name: user.name level: core - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text 
@@ -4287,7 +4359,8 @@ example: 15169 - name: as.organization.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -4303,7 +4376,8 @@ example: 184 - name: domain level: core - type: wildcard + type: keyword + ignore_above: 1024 description: Source domain. - name: geo.city_name level: core @@ -4336,7 +4410,8 @@ example: '{ "lon": -73.614830, "lat": 45.505918 }' - name: geo.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'User-defined description of a location, at the level of granularity they care about. @@ -4393,7 +4468,8 @@ description: Port of the source. - name: registered_domain level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". @@ -4437,11 +4513,13 @@ For example, an LDAP or Active Directory domain name.' - name: user.email level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: User email address. - name: user.full_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -4482,7 +4560,8 @@ description: Unique identifier of the user. - name: user.name level: core - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -4656,7 +4735,8 @@ default_field: false - name: client.issuer level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Distinguished name of subject of the issuer of the x.509 certificate presented by the client. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com 
@@ -4694,7 +4774,8 @@ default_field: false - name: client.subject level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Distinguished name of subject of the x.509 certificate presented by the client. example: CN=myclient, OU=Documentation Team, DC=example, DC=com @@ -4732,7 +4813,8 @@ default_field: false - name: client.x509.issuer.distinguished_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -4838,7 +4920,8 @@ default_field: false - name: client.x509.subject.distinguished_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false @@ -4951,7 +5034,8 @@ default_field: false - name: server.issuer level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Subject of the issuer of the x.509 certificate presented by the server. example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -4980,7 +5064,8 @@ default_field: false - name: server.subject level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Subject of the x.509 certificate presented by the server. example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com default_field: false @@ -5009,7 +5094,8 @@ default_field: false - name: server.x509.issuer.distinguished_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA 
@@ -5115,7 +5201,8 @@ default_field: false - name: server.x509.subject.distinguished_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false @@ -5204,7 +5291,8 @@ fields: - name: domain level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain @@ -5234,7 +5322,8 @@ The `#` is not part of the fragment.' - name: full level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -5246,7 +5335,8 @@ example: https://www.elastic.co:443/search?q=elasticsearch#top - name: original level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -5266,7 +5356,8 @@ description: Password of the request. - name: path level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Path of the request, such as "/search". - name: port level: extended @@ -5287,7 +5378,8 @@ the two cases.' - name: registered_domain level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: 'The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". 
@@ -5345,82 +5437,6 @@ provide an array that includes all of them.' type: group fields: - - name: changes.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: changes.email - level: extended - type: wildcard - description: User email address. - default_field: false - - name: changes.full_name - level: extended - type: wildcard - multi_fields: - - name: text - type: text - norms: false - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: changes.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: changes.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: changes.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: changes.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: changes.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - default_field: false - - name: changes.name - level: core - type: wildcard - multi_fields: - - name: text - type: text - norms: false - description: Short name or login of the user. - example: albert - default_field: false - - name: changes.roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. 
- example: '["kibana_admin", "reporting_user"]' - default_field: false - name: domain level: extended type: keyword 
@@ -5428,89 +5444,15 @@ description: 'Name of the directory the user is a member of. For example, an LDAP or Active Directory domain name.' - - name: effective.domain + - name: email level: extended type: keyword ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: effective.email - level: extended - type: wildcard description: User email address. - default_field: false - - name: effective.full_name - level: extended - type: wildcard - multi_fields: - - name: text - type: text - norms: false - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: effective.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: effective.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: effective.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: effective.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: effective.id - level: core - type: keyword - ignore_above: 1024 - description: Unique identifier of the user. - default_field: false - - name: effective.name - level: core - type: wildcard - multi_fields: - - name: text - type: text - norms: false - description: Short name or login of the user. 
- example: albert - default_field: false - - name: effective.roles + - name: full_name level: extended type: keyword ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: email - level: extended - type: wildcard - description: User email address. - - name: full_name - level: extended - type: wildcard multi_fields: - name: text type: text 
@@ -5550,92 +5492,17 @@ ignore_above: 1024 description: Unique identifier of the user. - name: name - level: core - type: wildcard - multi_fields: - - name: text - type: text - norms: false - default_field: false - description: Short name or login of the user. - example: albert - - name: roles - level: extended - type: keyword - ignore_above: 1024 - description: Array of user roles at the time of the event. - example: '["kibana_admin", "reporting_user"]' - default_field: false - - name: target.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the user is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: target.email - level: extended - type: wildcard - description: User email address. - default_field: false - - name: target.full_name - level: extended - type: wildcard - multi_fields: - - name: text - type: text - norms: false - description: User's full name, if available. - example: Albert Einstein - default_field: false - - name: target.group.domain - level: extended - type: keyword - ignore_above: 1024 - description: 'Name of the directory the group is a member of. - - For example, an LDAP or Active Directory domain name.' - default_field: false - - name: target.group.id - level: extended - type: keyword - ignore_above: 1024 - description: Unique identifier for the group on the system/platform. - default_field: false - - name: target.group.name - level: extended - type: keyword - ignore_above: 1024 - description: Name of the group. - default_field: false - - name: target.hash - level: extended - type: keyword - ignore_above: 1024 - description: 'Unique user hash to correlate information for a user in anonymized - form. - - Useful if `user.id` or `user.name` contain confidential information and cannot - be used.' - default_field: false - - name: target.id level: core type: keyword ignore_above: 1024 - description: Unique identifier of the user. 
- default_field: false - - name: target.name - level: core - type: wildcard multi_fields: - name: text type: text norms: false + default_field: false description: Short name or login of the user. example: albert - default_field: false - - name: target.roles + - name: roles level: extended type: keyword ignore_above: 1024 @@ -5664,7 +5531,8 @@ example: Safari - name: original level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -5680,7 +5548,8 @@ example: debian - name: os.full level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -5696,7 +5565,8 @@ example: 4.4.0-112-generic - name: os.name level: extended - type: wildcard + type: keyword + ignore_above: 1024 multi_fields: - name: text type: text @@ -5928,7 +5798,8 @@ default_field: false - name: issuer.distinguished_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Distinguished name (DN) of issuing certificate authority. example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -6034,7 +5905,8 @@ default_field: false - name: subject.distinguished_name level: extended - type: wildcard + type: keyword + ignore_above: 1024 description: Distinguished name (DN) of the certificate subject entity. example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net default_field: false diff --git a/metricbeat/docs/fields.asciidoc b/metricbeat/docs/fields.asciidoc index d89ba565b7b..b7dcdbf79ae 100644 --- a/metricbeat/docs/fields.asciidoc +++ b/metricbeat/docs/fields.asciidoc 
@@ -9984,7 +9984,7 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. -type: wildcard +type: keyword example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] @@ -10072,7 +10072,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -10119,7 +10119,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -10150,7 +10150,7 @@ format: bytes -- Client domain. -type: wildcard +type: keyword -- @@ -10216,7 +10216,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -10313,7 +10313,7 @@ The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -10358,7 +10358,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -10367,7 +10367,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -10432,7 +10432,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -10734,7 +10734,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC 
@@ -10765,7 +10765,7 @@ format: bytes -- Destination domain. -type: wildcard +type: keyword -- @@ -10831,7 +10831,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -10928,7 +10928,7 @@ The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -10973,7 +10973,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -10982,7 +10982,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -11047,7 +11047,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -11260,7 +11260,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -11312,7 +11312,7 @@ example: IN The data describing the resource. The meaning of this data depends on the type and class of the resource record. -type: wildcard +type: keyword example: 10.10.10.10 @@ -11403,7 +11403,7 @@ example: IN The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. -type: wildcard +type: keyword example: www.example.com 
@@ -11552,7 +11552,9 @@ type: text -- The stack trace of this error in plain text. -type: wildcard +type: keyword + +Field is not indexed. -- @@ -11568,7 +11570,7 @@ type: text -- The type of the error, for example the class name of the exception. -type: wildcard +type: keyword example: java.lang.NullPointerException @@ -12002,7 +12004,7 @@ example: sda -- Directory where the file is located. It should include the drive letter, when appropriate. -type: wildcard +type: keyword example: /home/alice @@ -12157,7 +12159,7 @@ example: alice -- Full path to the file, including the file name. It should include the drive letter, when appropriate. -type: wildcard +type: keyword example: /home/alice/example.png @@ -12231,7 +12233,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -12265,7 +12267,7 @@ example: 16384 -- Target path for symlinks. -type: wildcard +type: keyword -- @@ -12336,7 +12338,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -12503,7 +12505,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -12631,7 +12633,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc 
@@ -12828,7 +12830,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -12862,7 +12864,7 @@ example: Quebec Hostname of the host. It normally contains what the `hostname` command returns on the host machine. -type: wildcard +type: keyword -- @@ -12921,7 +12923,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -12950,7 +12952,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -13021,7 +13023,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -13030,7 +13032,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -13095,7 +13097,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -13143,7 +13145,7 @@ format: bytes -- The full HTTP request body. -type: wildcard +type: keyword example: Hello world @@ -13200,7 +13202,7 @@ example: image/gif -- Referrer for this HTTP request. -type: wildcard +type: keyword example: https://blog.example.com/ @@ -13224,7 +13226,7 @@ format: bytes -- The full HTTP response body. -type: wildcard +type: keyword example: Hello world @@ -13339,7 +13341,7 @@ The details specific to your event source are typically not logged under `log.*` Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. -type: wildcard +type: keyword example: /var/log/fun-times.log 
@@ -13363,7 +13365,7 @@ example: error -- The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. -type: wildcard +type: keyword example: org.elasticsearch.bootstrap.Bootstrap @@ -13836,7 +13838,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -13995,7 +13997,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -14024,7 +14026,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -14132,7 +14134,7 @@ type: keyword -- Organization name. -type: wildcard +type: keyword -- @@ -14165,7 +14167,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -14194,7 +14196,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -14448,7 +14450,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -14560,7 +14562,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: wildcard +type: keyword example: /usr/bin/ssh -l user 10.0.0.16 @@ -14591,7 +14593,7 @@ example: c2c455d9f99375d -- Absolute path to the process executable. -type: wildcard +type: keyword example: /usr/bin/ssh 
@@ -14658,7 +14660,7 @@ type: keyword Process name. Sometimes called program name or similar. -type: wildcard +type: keyword example: ssh @@ -14759,7 +14761,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: wildcard +type: keyword example: /usr/bin/ssh -l user 10.0.0.16 @@ -14790,7 +14792,7 @@ example: c2c455d9f99375d -- Absolute path to the process executable. -type: wildcard +type: keyword example: /usr/bin/ssh @@ -14857,7 +14859,7 @@ type: keyword Process name. Sometimes called program name or similar. -type: wildcard +type: keyword example: ssh @@ -14931,7 +14933,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -15014,7 +15016,7 @@ format: string -- Thread name. -type: wildcard +type: keyword example: thread-0 @@ -15026,7 +15028,7 @@ example: thread-0 Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: wildcard +type: keyword -- @@ -15053,7 +15055,7 @@ example: 1325 -- The working directory of the process. -type: wildcard +type: keyword example: /home/alice @@ -15127,7 +15129,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -15210,7 +15212,7 @@ format: string -- Thread name. -type: wildcard +type: keyword example: thread-0 @@ -15222,7 +15224,7 @@ example: thread-0 Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: wildcard +type: keyword -- 
@@ -15249,7 +15251,7 @@ example: 1325 -- The working directory of the process. -type: wildcard +type: keyword example: /home/alice @@ -15286,7 +15288,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: wildcard +type: keyword example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -15319,7 +15321,7 @@ example: HKLM -- Hive-relative path of keys. -type: wildcard +type: keyword example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe @@ -15330,7 +15332,7 @@ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Optio -- Full path, including hive, key and value -type: wildcard +type: keyword example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger @@ -15543,7 +15545,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -15574,7 +15576,7 @@ format: bytes -- Server domain. -type: wildcard +type: keyword -- @@ -15640,7 +15642,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc 
@@ -15737,7 +15739,7 @@ The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -15782,7 +15784,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -15791,7 +15793,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -15856,7 +15858,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -16005,7 +16007,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -16036,7 +16038,7 @@ format: bytes -- Source domain. -type: wildcard +type: keyword -- @@ -16102,7 +16104,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -16199,7 +16201,7 @@ The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -16244,7 +16246,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -16253,7 +16255,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein 
@@ -16318,7 +16320,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -16550,7 +16552,7 @@ example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -type: wildcard +type: keyword example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -16605,7 +16607,7 @@ example: www.elastic.co -- Distinguished name of subject of the x.509 certificate presented by the client. -type: wildcard +type: keyword example: CN=myclient, OU=Documentation Team, DC=example, DC=com @@ -16660,7 +16662,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -16827,7 +16829,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -16986,7 +16988,7 @@ example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- Subject of the issuer of the x.509 certificate presented by the server. -type: wildcard +type: keyword example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -17030,7 +17032,7 @@ example: 1970-01-01T00:00:00.000Z -- Subject of the x.509 certificate presented by the server. -type: wildcard +type: keyword example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com @@ -17074,7 +17076,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA 
@@ -17241,7 +17243,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -17370,7 +17372,7 @@ URL fields provide support for complete or partial URLs, and supports the breaki Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. -type: wildcard +type: keyword example: www.elastic.co @@ -17405,7 +17407,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: wildcard +type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -17425,7 +17427,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: wildcard +type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -17452,7 +17454,7 @@ type: keyword -- Path of the request, such as "/search". -type: wildcard +type: keyword -- @@ -17486,7 +17488,7 @@ The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com 
@@ -17544,119 +17546,6 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. -*`user.changes.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.changes.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.changes.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.changes.full_name.text`*:: -+ --- -type: text - --- - -*`user.changes.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.changes.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.changes.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.changes.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.changes.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.changes.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.changes.name.text`*:: -+ --- -type: text - --- - -*`user.changes.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - *`user.domain`*:: + -- 
@@ -17667,125 +17556,12 @@ type: keyword -- -*`user.effective.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.effective.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.effective.full_name.text`*:: -+ --- -type: text - --- - -*`user.effective.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.effective.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.effective.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.effective.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.effective.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.effective.name.text`*:: -+ --- -type: text - --- - -*`user.effective.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - *`user.email`*:: + -- User email address. -type: wildcard +type: keyword -- @@ -17794,7 +17570,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -17859,7 +17635,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert 
@@ -17883,119 +17659,6 @@ example: ["kibana_admin", "reporting_user"] -- -*`user.target.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.target.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.target.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.target.full_name.text`*:: -+ --- -type: text - --- - -*`user.target.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.target.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.target.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.target.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.target.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.target.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.target.name.text`*:: -+ --- -type: text - --- - -*`user.target.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - [float] === user_agent @@ -18030,7 +17693,7 @@ example: Safari -- Unparsed user_agent string. -type: wildcard +type: keyword example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 @@ -18059,7 +17722,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave 
@@ -18088,7 +17751,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -18370,7 +18033,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -18537,7 +18200,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net diff --git a/packetbeat/docs/fields.asciidoc b/packetbeat/docs/fields.asciidoc index 3efbcdf8a4c..92b2641a051 100644 --- a/packetbeat/docs/fields.asciidoc +++ b/packetbeat/docs/fields.asciidoc @@ -2202,7 +2202,7 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. -type: wildcard +type: keyword example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] @@ -2290,7 +2290,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -2337,7 +2337,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -2368,7 +2368,7 @@ format: bytes -- Client domain. -type: wildcard +type: keyword -- @@ -2434,7 +2434,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc 
@@ -2531,7 +2531,7 @@ The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -2576,7 +2576,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -2585,7 +2585,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -2650,7 +2650,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -2952,7 +2952,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -2983,7 +2983,7 @@ format: bytes -- Destination domain. -type: wildcard +type: keyword -- @@ -3049,7 +3049,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -3146,7 +3146,7 @@ The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -3191,7 +3191,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -3200,7 +3200,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein 
@@ -3265,7 +3265,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -3478,7 +3478,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -3530,7 +3530,7 @@ example: IN The data describing the resource. The meaning of this data depends on the type and class of the resource record. -type: wildcard +type: keyword example: 10.10.10.10 @@ -3621,7 +3621,7 @@ example: IN The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. -type: wildcard +type: keyword example: www.example.com @@ -3770,7 +3770,9 @@ type: text -- The stack trace of this error in plain text. -type: wildcard +type: keyword + +Field is not indexed. -- @@ -3786,7 +3788,7 @@ type: text -- The type of the error, for example the class name of the exception. -type: wildcard +type: keyword example: java.lang.NullPointerException @@ -4220,7 +4222,7 @@ example: sda -- Directory where the file is located. It should include the drive letter, when appropriate. -type: wildcard +type: keyword example: /home/alice @@ -4375,7 +4377,7 @@ example: alice -- Full path to the file, including the file name. It should include the drive letter, when appropriate. -type: wildcard +type: keyword example: /home/alice/example.png @@ -4449,7 +4451,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -4483,7 +4485,7 @@ example: 16384 -- Target path for symlinks. -type: wildcard +type: keyword -- 
@@ -4554,7 +4556,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -4721,7 +4723,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -4849,7 +4851,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -5046,7 +5048,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -5080,7 +5082,7 @@ example: Quebec Hostname of the host. It normally contains what the `hostname` command returns on the host machine. -type: wildcard +type: keyword -- @@ -5139,7 +5141,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -5168,7 +5170,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -5239,7 +5241,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -5248,7 +5250,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -5313,7 +5315,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -5361,7 +5363,7 @@ format: bytes -- The full HTTP request body. -type: wildcard +type: keyword example: Hello world 
@@ -5418,7 +5420,7 @@ example: image/gif -- Referrer for this HTTP request. -type: wildcard +type: keyword example: https://blog.example.com/ @@ -5442,7 +5444,7 @@ format: bytes -- The full HTTP response body. -type: wildcard +type: keyword example: Hello world @@ -5557,7 +5559,7 @@ The details specific to your event source are typically not logged under `log.*` Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. -type: wildcard +type: keyword example: /var/log/fun-times.log @@ -5581,7 +5583,7 @@ example: error -- The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. -type: wildcard +type: keyword example: org.elasticsearch.bootstrap.Bootstrap @@ -6054,7 +6056,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -6213,7 +6215,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -6242,7 +6244,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -6350,7 +6352,7 @@ type: keyword -- Organization name. -type: wildcard +type: keyword -- @@ -6383,7 +6385,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -6412,7 +6414,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X 
@@ -6666,7 +6668,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -6778,7 +6780,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: wildcard +type: keyword example: /usr/bin/ssh -l user 10.0.0.16 @@ -6809,7 +6811,7 @@ example: c2c455d9f99375d -- Absolute path to the process executable. -type: wildcard +type: keyword example: /usr/bin/ssh @@ -6876,7 +6878,7 @@ type: keyword Process name. Sometimes called program name or similar. -type: wildcard +type: keyword example: ssh @@ -6977,7 +6979,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: wildcard +type: keyword example: /usr/bin/ssh -l user 10.0.0.16 @@ -7008,7 +7010,7 @@ example: c2c455d9f99375d -- Absolute path to the process executable. -type: wildcard +type: keyword example: /usr/bin/ssh @@ -7075,7 +7077,7 @@ type: keyword Process name. Sometimes called program name or similar. -type: wildcard +type: keyword example: ssh @@ -7149,7 +7151,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -7232,7 +7234,7 @@ format: string -- Thread name. -type: wildcard +type: keyword example: thread-0 @@ -7244,7 +7246,7 @@ example: thread-0 Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: wildcard +type: keyword -- @@ -7271,7 +7273,7 @@ example: 1325 -- The working directory of the process. -type: wildcard +type: keyword example: /home/alice 
@@ -7345,7 +7347,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -7428,7 +7430,7 @@ format: string -- Thread name. -type: wildcard +type: keyword example: thread-0 @@ -7440,7 +7442,7 @@ example: thread-0 Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: wildcard +type: keyword -- @@ -7467,7 +7469,7 @@ example: 1325 -- The working directory of the process. -type: wildcard +type: keyword example: /home/alice @@ -7504,7 +7506,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: wildcard +type: keyword example: ["C:\rta\red_ttp\bin\myapp.exe"] @@ -7537,7 +7539,7 @@ example: HKLM -- Hive-relative path of keys. -type: wildcard +type: keyword example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe @@ -7548,7 +7550,7 @@ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Optio -- Full path, including hive, key and value -type: wildcard +type: keyword example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger @@ -7761,7 +7763,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -7792,7 +7794,7 @@ format: bytes -- Server domain. -type: wildcard +type: keyword -- 
@@ -7858,7 +7860,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -7955,7 +7957,7 @@ The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -8000,7 +8002,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -8009,7 +8011,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -8074,7 +8076,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -8223,7 +8225,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -8254,7 +8256,7 @@ format: bytes -- Source domain. -type: wildcard +type: keyword -- @@ -8320,7 +8322,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc 
@@ -8417,7 +8419,7 @@ The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -8462,7 +8464,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -8471,7 +8473,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -8536,7 +8538,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -8768,7 +8770,7 @@ example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -type: wildcard +type: keyword example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -8823,7 +8825,7 @@ example: www.elastic.co -- Distinguished name of subject of the x.509 certificate presented by the client. -type: wildcard +type: keyword example: CN=myclient, OU=Documentation Team, DC=example, DC=com @@ -8878,7 +8880,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -9045,7 +9047,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -9204,7 +9206,7 @@ example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- Subject of the issuer of the x.509 certificate presented by the server. -type: wildcard +type: keyword example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com 
@@ -9248,7 +9250,7 @@ example: 1970-01-01T00:00:00.000Z -- Subject of the x.509 certificate presented by the server. -type: wildcard +type: keyword example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com @@ -9292,7 +9294,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -9459,7 +9461,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -9588,7 +9590,7 @@ URL fields provide support for complete or partial URLs, and supports the breaki Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. -type: wildcard +type: keyword example: www.elastic.co @@ -9623,7 +9625,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: wildcard +type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top @@ -9643,7 +9645,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: wildcard +type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -9670,7 +9672,7 @@ type: keyword -- Path of the request, such as "/search". -type: wildcard +type: keyword -- 
@@ -9704,7 +9706,7 @@ The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com 
@@ -9762,119 +9764,6 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. -*`user.changes.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.changes.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.changes.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.changes.full_name.text`*:: -+ --- -type: text - --- - -*`user.changes.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.changes.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.changes.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.changes.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.changes.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.changes.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.changes.name.text`*:: -+ --- -type: text - --- - -*`user.changes.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - *`user.domain`*:: + -- 
@@ -9885,125 +9774,12 @@ type: keyword -- -*`user.effective.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.effective.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.effective.full_name.text`*:: -+ --- -type: text - --- - -*`user.effective.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.effective.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.effective.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.effective.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.effective.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.effective.name.text`*:: -+ --- -type: text - --- - -*`user.effective.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - *`user.email`*:: + -- User email address. -type: wildcard +type: keyword -- @@ -10012,7 +9788,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -10077,7 +9853,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert 
@@ -10101,119 +9877,6 @@ example: ["kibana_admin", "reporting_user"] -- -*`user.target.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.target.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.target.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.target.full_name.text`*:: -+ --- -type: text - --- - -*`user.target.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.target.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.target.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.target.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.target.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.target.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.target.name.text`*:: -+ --- -type: text - --- - -*`user.target.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - [float] === user_agent @@ -10248,7 +9911,7 @@ example: Safari -- Unparsed user_agent string. -type: wildcard +type: keyword example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 @@ -10277,7 +9940,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave 
@@ -10306,7 +9969,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -10588,7 +10251,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -10755,7 +10418,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net diff --git a/packetbeat/include/fields.go b/packetbeat/include/fields.go index 4ad105c1418..91def40abf3 100644 --- a/packetbeat/include/fields.go +++ b/packetbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/winlogbeat/docs/fields.asciidoc b/winlogbeat/docs/fields.asciidoc index 4c1c567a8e1..a40e6a8a2ad 100644 --- a/winlogbeat/docs/fields.asciidoc +++ b/winlogbeat/docs/fields.asciidoc @@ -294,7 +294,7 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. -type: wildcard +type: keyword example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] @@ -382,7 +382,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -429,7 +429,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -460,7 +460,7 @@ format: bytes -- Client domain. -type: wildcard +type: keyword -- 
@@ -526,7 +526,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -623,7 +623,7 @@ The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -668,7 +668,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -677,7 +677,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -742,7 +742,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -1044,7 +1044,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -1075,7 +1075,7 @@ format: bytes -- Destination domain. -type: wildcard +type: keyword -- @@ -1141,7 +1141,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc 
@@ -1238,7 +1238,7 @@ The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -1283,7 +1283,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -1292,7 +1292,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -1357,7 +1357,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -1570,7 +1570,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -1622,7 +1622,7 @@ example: IN The data describing the resource. The meaning of this data depends on the type and class of the resource record. -type: wildcard +type: keyword example: 10.10.10.10 @@ -1713,7 +1713,7 @@ example: IN The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. -type: wildcard +type: keyword example: www.example.com @@ -1862,7 +1862,9 @@ type: text -- The stack trace of this error in plain text. -type: wildcard +type: keyword + +Field is not indexed. -- @@ -1878,7 +1880,7 @@ type: text -- The type of the error, for example the class name of the exception. -type: wildcard +type: keyword example: java.lang.NullPointerException 
@@ -2312,7 +2314,7 @@ example: sda -- Directory where the file is located. It should include the drive letter, when appropriate. -type: wildcard +type: keyword example: /home/alice @@ -2467,7 +2469,7 @@ example: alice -- Full path to the file, including the file name. It should include the drive letter, when appropriate. -type: wildcard +type: keyword example: /home/alice/example.png @@ -2541,7 +2543,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -2575,7 +2577,7 @@ example: 16384 -- Target path for symlinks. -type: wildcard +type: keyword -- @@ -2646,7 +2648,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -2813,7 +2815,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -2941,7 +2943,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -3138,7 +3140,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -3172,7 +3174,7 @@ example: Quebec Hostname of the host. It normally contains what the `hostname` command returns on the host machine. -type: wildcard +type: keyword -- 
@@ -3231,7 +3233,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -3260,7 +3262,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -3331,7 +3333,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -3340,7 +3342,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -3405,7 +3407,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -3453,7 +3455,7 @@ format: bytes -- The full HTTP request body. -type: wildcard +type: keyword example: Hello world @@ -3510,7 +3512,7 @@ example: image/gif -- Referrer for this HTTP request. -type: wildcard +type: keyword example: https://blog.example.com/ @@ -3534,7 +3536,7 @@ format: bytes -- The full HTTP response body. -type: wildcard +type: keyword example: Hello world @@ -3649,7 +3651,7 @@ The details specific to your event source are typically not logged under `log.*` Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. -type: wildcard +type: keyword example: /var/log/fun-times.log @@ -3673,7 +3675,7 @@ example: error -- The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. -type: wildcard +type: keyword example: org.elasticsearch.bootstrap.Bootstrap @@ -4146,7 +4148,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc 
@@ -4305,7 +4307,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -4334,7 +4336,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -4442,7 +4444,7 @@ type: keyword -- Organization name. -type: wildcard +type: keyword -- @@ -4475,7 +4477,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -4504,7 +4506,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -4758,7 +4760,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -4870,7 +4872,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: wildcard +type: keyword example: /usr/bin/ssh -l user 10.0.0.16 @@ -4901,7 +4903,7 @@ example: c2c455d9f99375d -- Absolute path to the process executable. -type: wildcard +type: keyword example: /usr/bin/ssh @@ -4968,7 +4970,7 @@ type: keyword Process name. Sometimes called program name or similar. -type: wildcard +type: keyword example: ssh @@ -5069,7 +5071,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: wildcard +type: keyword example: /usr/bin/ssh -l user 10.0.0.16 @@ -5100,7 +5102,7 @@ example: c2c455d9f99375d -- Absolute path to the process executable. -type: wildcard +type: keyword example: /usr/bin/ssh @@ -5167,7 +5169,7 @@ type: keyword Process name. Sometimes called program name or similar. -type: wildcard +type: keyword example: ssh 
@@ -5241,7 +5243,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -5324,7 +5326,7 @@ format: string -- Thread name. -type: wildcard +type: keyword example: thread-0 @@ -5336,7 +5338,7 @@ example: thread-0 Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: wildcard +type: keyword -- @@ -5363,7 +5365,7 @@ example: 1325 -- The working directory of the process. -type: wildcard +type: keyword example: /home/alice @@ -5437,7 +5439,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -5520,7 +5522,7 @@ format: string -- Thread name. -type: wildcard +type: keyword example: thread-0 @@ -5532,7 +5534,7 @@ example: thread-0 Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: wildcard +type: keyword -- @@ -5559,7 +5561,7 @@ example: 1325 -- The working directory of the process. -type: wildcard +type: keyword example: /home/alice @@ -5596,7 +5598,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: wildcard +type: keyword example: ["C:\rta\red_ttp\bin\myapp.exe"] 
@@ -5629,7 +5631,7 @@ example: HKLM -- Hive-relative path of keys. -type: wildcard +type: keyword example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe @@ -5640,7 +5642,7 @@ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Optio -- Full path, including hive, key and value -type: wildcard +type: keyword example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger @@ -5853,7 +5855,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -5884,7 +5886,7 @@ format: bytes -- Server domain. -type: wildcard +type: keyword -- @@ -5950,7 +5952,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -6047,7 +6049,7 @@ The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -6092,7 +6094,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -6101,7 +6103,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -6166,7 +6168,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -6315,7 +6317,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -6346,7 +6348,7 @@ format: bytes -- Source domain. -type: wildcard +type: keyword -- 
@@ -6412,7 +6414,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -6509,7 +6511,7 @@ The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -6554,7 +6556,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -6563,7 +6565,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -6628,7 +6630,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -6860,7 +6862,7 @@ example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -type: wildcard +type: keyword example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -6915,7 +6917,7 @@ example: www.elastic.co -- Distinguished name of subject of the x.509 certificate presented by the client. -type: wildcard +type: keyword example: CN=myclient, OU=Documentation Team, DC=example, DC=com @@ -6970,7 +6972,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA 
@@ -7137,7 +7139,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -7296,7 +7298,7 @@ example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- Subject of the issuer of the x.509 certificate presented by the server. -type: wildcard +type: keyword example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -7340,7 +7342,7 @@ example: 1970-01-01T00:00:00.000Z -- Subject of the x.509 certificate presented by the server. -type: wildcard +type: keyword example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com @@ -7384,7 +7386,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -7551,7 +7553,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -7680,7 +7682,7 @@ URL fields provide support for complete or partial URLs, and supports the breaki Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. -type: wildcard +type: keyword example: www.elastic.co @@ -7715,7 +7717,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: wildcard +type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top 
@@ -7735,7 +7737,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: wildcard +type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -7762,7 +7764,7 @@ type: keyword -- Path of the request, such as "/search". -type: wildcard +type: keyword -- @@ -7796,7 +7798,7 @@ The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com 
@@ -7854,119 +7856,6 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. -*`user.changes.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.changes.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.changes.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.changes.full_name.text`*:: -+ --- -type: text - --- - -*`user.changes.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.changes.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.changes.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.changes.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.changes.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.changes.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.changes.name.text`*:: -+ --- -type: text - --- - -*`user.changes.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - *`user.domain`*:: + -- 
@@ -7977,125 +7866,12 @@ type: keyword -- -*`user.effective.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.effective.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.effective.full_name.text`*:: -+ --- -type: text - --- - -*`user.effective.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.effective.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.effective.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.effective.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.effective.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.effective.name.text`*:: -+ --- -type: text - --- - -*`user.effective.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - *`user.email`*:: + -- User email address. -type: wildcard +type: keyword -- @@ -8104,7 +7880,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -8169,7 +7945,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert 
@@ -8193,119 +7969,6 @@ example: ["kibana_admin", "reporting_user"] -- -*`user.target.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.target.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.target.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.target.full_name.text`*:: -+ --- -type: text - --- - -*`user.target.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.target.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.target.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.target.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.target.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.target.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.target.name.text`*:: -+ --- -type: text - --- - -*`user.target.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - [float] === user_agent @@ -8340,7 +8003,7 @@ example: Safari -- Unparsed user_agent string. -type: wildcard +type: keyword example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 @@ -8369,7 +8032,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave 
@@ -8398,7 +8061,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -8680,7 +8343,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -8847,7 +8510,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net diff --git a/winlogbeat/include/fields.go b/winlogbeat/include/fields.go index 1ddb94cc05c..81f2c120cc8 100644 --- a/winlogbeat/include/fields.go +++ b/winlogbeat/include/fields.go @@ -32,5 +32,5 @@ func init() { // AssetBuildFieldsFieldsCommonYml returns asset data. // This is the base64 encoded gzipped contents of build/fields/fields.common.yml. func AssetBuildFieldsFieldsCommonYml() string { - return "" + return "" } diff --git a/x-pack/functionbeat/docs/fields.asciidoc b/x-pack/functionbeat/docs/fields.asciidoc index 23935bffe35..ddbd6b3d780 100644 --- a/x-pack/functionbeat/docs/fields.asciidoc +++ b/x-pack/functionbeat/docs/fields.asciidoc @@ -290,7 +290,7 @@ Examples include Beats. Agents may also run on observers. ECS agent.* fields sha Extended build information for the agent. This field is intended to contain any build information that a data source may provide, no specific formatting is required. -type: wildcard +type: keyword example: metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC] @@ -378,7 +378,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -425,7 +425,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -456,7 +456,7 @@ format: bytes -- Client domain. -type: wildcard +type: keyword -- 
@@ -522,7 +522,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -619,7 +619,7 @@ The highest registered client domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -664,7 +664,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -673,7 +673,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -738,7 +738,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -1040,7 +1040,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -1071,7 +1071,7 @@ format: bytes -- Destination domain. -type: wildcard +type: keyword -- @@ -1137,7 +1137,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc 
@@ -1234,7 +1234,7 @@ The highest registered destination domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -1279,7 +1279,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -1288,7 +1288,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -1353,7 +1353,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -1566,7 +1566,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -1618,7 +1618,7 @@ example: IN The data describing the resource. The meaning of this data depends on the type and class of the resource record. -type: wildcard +type: keyword example: 10.10.10.10 @@ -1709,7 +1709,7 @@ example: IN The name being queried. If the name field contains non-printable characters (below 32 or above 126), those characters should be represented as escaped base 10 integers (\DDD). Back slashes and quotes should be escaped. Tabs, carriage returns, and line feeds should be converted to \t, \r, and \n respectively. -type: wildcard +type: keyword example: www.example.com @@ -1858,7 +1858,9 @@ type: text -- The stack trace of this error in plain text. -type: wildcard +type: keyword + +Field is not indexed. -- @@ -1874,7 +1876,7 @@ type: text -- The type of the error, for example the class name of the exception. -type: wildcard +type: keyword example: java.lang.NullPointerException 
@@ -2308,7 +2310,7 @@ example: sda -- Directory where the file is located. It should include the drive letter, when appropriate. -type: wildcard +type: keyword example: /home/alice @@ -2463,7 +2465,7 @@ example: alice -- Full path to the file, including the file name. It should include the drive letter, when appropriate. -type: wildcard +type: keyword example: /home/alice/example.png @@ -2537,7 +2539,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -2571,7 +2573,7 @@ example: 16384 -- Target path for symlinks. -type: wildcard +type: keyword -- @@ -2642,7 +2644,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -2809,7 +2811,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -2937,7 +2939,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -3134,7 +3136,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -3168,7 +3170,7 @@ example: Quebec Hostname of the host. It normally contains what the `hostname` command returns on the host machine. -type: wildcard +type: keyword -- 
@@ -3227,7 +3229,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -3256,7 +3258,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -3327,7 +3329,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -3336,7 +3338,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -3401,7 +3403,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -3449,7 +3451,7 @@ format: bytes -- The full HTTP request body. -type: wildcard +type: keyword example: Hello world @@ -3506,7 +3508,7 @@ example: image/gif -- Referrer for this HTTP request. -type: wildcard +type: keyword example: https://blog.example.com/ @@ -3530,7 +3532,7 @@ format: bytes -- The full HTTP response body. -type: wildcard +type: keyword example: Hello world @@ -3645,7 +3647,7 @@ The details specific to your event source are typically not logged under `log.*` Full path to the log file this event came from, including the file name. It should include the drive letter, when appropriate. If the event wasn't read from a log file, do not populate this field. -type: wildcard +type: keyword example: /var/log/fun-times.log @@ -3669,7 +3671,7 @@ example: error -- The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name. -type: wildcard +type: keyword example: org.elasticsearch.bootstrap.Bootstrap @@ -4142,7 +4144,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc 
@@ -4301,7 +4303,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -4330,7 +4332,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -4438,7 +4440,7 @@ type: keyword -- Organization name. -type: wildcard +type: keyword -- @@ -4471,7 +4473,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave @@ -4500,7 +4502,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -4754,7 +4756,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -4866,7 +4868,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: wildcard +type: keyword example: /usr/bin/ssh -l user 10.0.0.16 @@ -4897,7 +4899,7 @@ example: c2c455d9f99375d -- Absolute path to the process executable. -type: wildcard +type: keyword example: /usr/bin/ssh @@ -4964,7 +4966,7 @@ type: keyword Process name. Sometimes called program name or similar. -type: wildcard +type: keyword example: ssh @@ -5065,7 +5067,7 @@ example: true Full command line that started the process, including the absolute path to the executable, and all arguments. Some arguments may be filtered to protect sensitive information. -type: wildcard +type: keyword example: /usr/bin/ssh -l user 10.0.0.16 @@ -5096,7 +5098,7 @@ example: c2c455d9f99375d -- Absolute path to the process executable. -type: wildcard +type: keyword example: /usr/bin/ssh @@ -5163,7 +5165,7 @@ type: keyword Process name. Sometimes called program name or similar. -type: wildcard +type: keyword example: ssh 
@@ -5237,7 +5239,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -5320,7 +5322,7 @@ format: string -- Thread name. -type: wildcard +type: keyword example: thread-0 @@ -5332,7 +5334,7 @@ example: thread-0 Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: wildcard +type: keyword -- @@ -5359,7 +5361,7 @@ example: 1325 -- The working directory of the process. -type: wildcard +type: keyword example: /home/alice @@ -5433,7 +5435,7 @@ example: 0c6803c4e922103c4dca5963aad36ddf -- Internal name of the file, provided at compile-time. -type: wildcard +type: keyword example: MSPAINT.EXE @@ -5516,7 +5518,7 @@ format: string -- Thread name. -type: wildcard +type: keyword example: thread-0 @@ -5528,7 +5530,7 @@ example: thread-0 Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. -type: wildcard +type: keyword -- @@ -5555,7 +5557,7 @@ example: 1325 -- The working directory of the process. -type: wildcard +type: keyword example: /home/alice @@ -5592,7 +5594,7 @@ example: ZQBuAC0AVQBTAAAAZQBuAAAAAAA= Content when writing string types. Populated as an array when writing string data to the registry. For single string registry types (REG_SZ, REG_EXPAND_SZ), this should be an array with one string. For sequences of string with REG_MULTI_SZ, this array will be variable length. For numeric data, such as REG_DWORD and REG_QWORD, this should be populated with the decimal representation (e.g `"1"`). -type: wildcard +type: keyword example: ["C:\rta\red_ttp\bin\myapp.exe"] 
@@ -5625,7 +5627,7 @@ example: HKLM -- Hive-relative path of keys. -type: wildcard +type: keyword example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe @@ -5636,7 +5638,7 @@ example: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Optio -- Full path, including hive, key and value -type: wildcard +type: keyword example: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger @@ -5849,7 +5851,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -5880,7 +5882,7 @@ format: bytes -- Server domain. -type: wildcard +type: keyword -- @@ -5946,7 +5948,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -6043,7 +6045,7 @@ The highest registered server domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -6088,7 +6090,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -6097,7 +6099,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -6162,7 +6164,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -6311,7 +6313,7 @@ example: 15169 -- Organization name. -type: wildcard +type: keyword example: Google LLC @@ -6342,7 +6344,7 @@ format: bytes -- Source domain. -type: wildcard +type: keyword -- 
@@ -6408,7 +6410,7 @@ User-defined description of a location, at the level of granularity they care ab Could be the name of their data centers, the floor number, if this describes a local physical entity, city names. Not typically used in automated geolocation. -type: wildcard +type: keyword example: boston-dc @@ -6505,7 +6507,7 @@ The highest registered source domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com @@ -6550,7 +6552,7 @@ type: keyword -- User email address. -type: wildcard +type: keyword -- @@ -6559,7 +6561,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -6624,7 +6626,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert @@ -6856,7 +6858,7 @@ example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- Distinguished name of subject of the issuer of the x.509 certificate presented by the client. -type: wildcard +type: keyword example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -6911,7 +6913,7 @@ example: www.elastic.co -- Distinguished name of subject of the x.509 certificate presented by the client. -type: wildcard +type: keyword example: CN=myclient, OU=Documentation Team, DC=example, DC=com @@ -6966,7 +6968,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA 
@@ -7133,7 +7135,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -7292,7 +7294,7 @@ example: 0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0 -- Subject of the issuer of the x.509 certificate presented by the server. -type: wildcard +type: keyword example: CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com @@ -7336,7 +7338,7 @@ example: 1970-01-01T00:00:00.000Z -- Subject of the x.509 certificate presented by the server. -type: wildcard +type: keyword example: CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com @@ -7380,7 +7382,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -7547,7 +7549,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net @@ -7676,7 +7678,7 @@ URL fields provide support for complete or partial URLs, and supports the breaki Domain of the url, such as "www.elastic.co". In some cases a URL may refer to an IP and/or port directly, without a domain name. In this case, the IP address would go to the `domain` field. -type: wildcard +type: keyword example: www.elastic.co @@ -7711,7 +7713,7 @@ type: keyword -- If full URLs are important to your use case, they should be stored in `url.full`, whether this field is reconstructed or present in the event source. -type: wildcard +type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top 
@@ -7731,7 +7733,7 @@ Unmodified original url as seen in the event source. Note that in network monitoring, the observed URL may be a full URL, whereas in access logs, the URL is often just represented as a path. This field is meant to represent the URL as it was observed, complete or not. -type: wildcard +type: keyword example: https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch @@ -7758,7 +7760,7 @@ type: keyword -- Path of the request, such as "/search". -type: wildcard +type: keyword -- @@ -7792,7 +7794,7 @@ The highest registered url domain, stripped of the subdomain. For example, the registered domain for "foo.example.com" is "example.com". This value can be determined precisely with a list like the public suffix list (http://publicsuffix.org). Trying to approximate this by simply taking the last two labels will not work well for TLDs such as "co.uk". -type: wildcard +type: keyword example: example.com 
@@ -7850,119 +7852,6 @@ The user fields describe information about the user that is relevant to the even Fields can have one entry or multiple entries. If a user has more than one id, provide an array that includes all of them. -*`user.changes.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.changes.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.changes.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.changes.full_name.text`*:: -+ --- -type: text - --- - -*`user.changes.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.changes.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.changes.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.changes.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.changes.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.changes.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.changes.name.text`*:: -+ --- -type: text - --- - -*`user.changes.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - *`user.domain`*:: + -- 
@@ -7973,125 +7862,12 @@ type: keyword -- -*`user.effective.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.effective.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.effective.full_name.text`*:: -+ --- -type: text - --- - -*`user.effective.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.effective.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.effective.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.effective.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.effective.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.effective.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.effective.name.text`*:: -+ --- -type: text - --- - -*`user.effective.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - *`user.email`*:: + -- User email address. -type: wildcard +type: keyword -- @@ -8100,7 +7876,7 @@ type: wildcard -- User's full name, if available. -type: wildcard +type: keyword example: Albert Einstein @@ -8165,7 +7941,7 @@ type: keyword -- Short name or login of the user. -type: wildcard +type: keyword example: albert 
@@ -8189,119 +7965,6 @@ example: ["kibana_admin", "reporting_user"] -- -*`user.target.domain`*:: -+ --- -Name of the directory the user is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.target.email`*:: -+ --- -User email address. - -type: wildcard - --- - -*`user.target.full_name`*:: -+ --- -User's full name, if available. - -type: wildcard - -example: Albert Einstein - --- - -*`user.target.full_name.text`*:: -+ --- -type: text - --- - -*`user.target.group.domain`*:: -+ --- -Name of the directory the group is a member of. -For example, an LDAP or Active Directory domain name. - -type: keyword - --- - -*`user.target.group.id`*:: -+ --- -Unique identifier for the group on the system/platform. - -type: keyword - --- - -*`user.target.group.name`*:: -+ --- -Name of the group. - -type: keyword - --- - -*`user.target.hash`*:: -+ --- -Unique user hash to correlate information for a user in anonymized form. -Useful if `user.id` or `user.name` contain confidential information and cannot be used. - -type: keyword - --- - -*`user.target.id`*:: -+ --- -Unique identifier of the user. - -type: keyword - --- - -*`user.target.name`*:: -+ --- -Short name or login of the user. - -type: wildcard - -example: albert - --- - -*`user.target.name.text`*:: -+ --- -type: text - --- - -*`user.target.roles`*:: -+ --- -Array of user roles at the time of the event. - -type: keyword - -example: ["kibana_admin", "reporting_user"] - --- - [float] === user_agent @@ -8336,7 +7999,7 @@ example: Safari -- Unparsed user_agent string. -type: wildcard +type: keyword example: Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1 @@ -8365,7 +8028,7 @@ example: debian -- Operating system name, including the version or code name. -type: wildcard +type: keyword example: Mac OS Mojave 
@@ -8394,7 +8057,7 @@ example: 4.4.0-112-generic -- Operating system name, without the version. -type: wildcard +type: keyword example: Mac OS X @@ -8676,7 +8339,7 @@ example: US -- Distinguished name (DN) of issuing certificate authority. -type: wildcard +type: keyword example: C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA @@ -8843,7 +8506,7 @@ example: US -- Distinguished name (DN) of the certificate subject entity. -type: wildcard +type: keyword example: C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net diff --git a/x-pack/functionbeat/include/fields.go b/x-pack/functionbeat/include/fields.go index 1d474f93090..80172cdee11 100644 --- a/x-pack/functionbeat/include/fields.go +++ b/x-pack/functionbeat/include/fields.go @@ -19,5 +19,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" } diff --git a/x-pack/heartbeat/include/fields.go b/x-pack/heartbeat/include/fields.go index 88beb265d8e..1e767c518c4 100644 --- a/x-pack/heartbeat/include/fields.go +++ b/x-pack/heartbeat/include/fields.go @@ -19,5 +19,5 @@ func init() { // AssetFieldsYml returns asset data. // This is the base64 encoded gzipped contents of fields.yml. func AssetFieldsYml() string { - return "" + return "" }