IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

AWS fields

Module for handling logs from AWS.

aws

Fields from AWS logs.

elb

Fields for AWS ELB logs.

aws.elb.name

The name of the load balancer.

type: keyword

aws.elb.type

The type of the load balancer for v2 Load Balancers.

type: keyword

aws.elb.target_group.arn

The ARN of the target group handling the request.

type: keyword

aws.elb.listener

The ELB listener that received the connection.

type: keyword

aws.elb.protocol

The protocol of the load balancer (http or tcp).

type: keyword

aws.elb.request_processing_time.sec

The total time in seconds from when the connection or request is received until it is sent to a registered backend.

type: float

aws.elb.backend_processing_time.sec

The total time in seconds from when the connection is sent to the backend until the backend starts responding.

type: float

aws.elb.response_processing_time.sec

The total time in seconds from when the response is received from the backend until it is sent to the client.

type: float

aws.elb.connection_time.ms

The total time of the connection in milliseconds, from when it is opened until it is closed.

type: long

aws.elb.tls_handshake_time.ms

The total time for the TLS handshake to complete in milliseconds once the connection has been established.

type: long

aws.elb.backend.ip

The IP address of the backend processing this connection.

type: keyword

aws.elb.backend.port

The port on the backend processing this connection.

type: keyword

aws.elb.backend.http.response.status_code

The status code from the backend (the status code sent to the client from the ELB is stored in http.response.status_code).

type: keyword

aws.elb.ssl_cipher

The SSL cipher used in TLS/SSL connections.

type: keyword

aws.elb.ssl_protocol

The SSL protocol used in TLS/SSL connections.

type: keyword

aws.elb.chosen_cert.arn

The ARN of the chosen certificate presented to the client in TLS/SSL connections.

type: keyword

aws.elb.chosen_cert.serial

The serial number of the chosen certificate presented to the client in TLS/SSL connections.

type: keyword

aws.elb.incoming_tls_alert

The integer value of TLS alerts received by the load balancer from the client, if present.

type: keyword

aws.elb.tls_named_group

The TLS named group.

type: keyword

aws.elb.trace_id

The contents of the X-Amzn-Trace-Id header.

type: keyword

aws.elb.matched_rule_priority

The priority value of the rule that matched the request, if a rule matched.

type: keyword

aws.elb.action_executed

The action executed when processing the request (forward, fixed-response, authenticate…). It can contain several values.

type: keyword

aws.elb.redirect_url

The URL used if a redirection action was executed.

type: keyword

aws.elb.error.reason

The error reason if the executed action failed.

type: keyword

s3access

Fields for AWS S3 server access logs.

aws.s3access.bucket_owner

The canonical user ID of the owner of the source bucket.

type: keyword

aws.s3access.bucket

The name of the bucket that the request was processed against.

type: keyword

aws.s3access.remote_ip

The apparent internet address of the requester.

type: ip

aws.s3access.requester

The canonical user ID of the requester, or a - for unauthenticated requests.

type: keyword

aws.s3access.request_id

A string generated by Amazon S3 to uniquely identify each request.

type: keyword

aws.s3access.operation

The operation listed here is declared as SOAP.operation, REST.HTTP_method.resource_type, WEBSITE.HTTP_method.resource_type, or BATCH.DELETE.OBJECT.

type: keyword

aws.s3access.key

The "key" part of the request, URL encoded, or "-" if the operation does not take a key parameter.

type: keyword

aws.s3access.request_uri

The Request-URI part of the HTTP request message.

type: keyword

aws.s3access.http_status

The numeric HTTP status code of the response.

type: long

aws.s3access.error_code

The Amazon S3 Error Code, or "-" if no error occurred.

type: keyword

aws.s3access.bytes_sent

The number of response bytes sent, excluding HTTP protocol overhead, or "-" if zero.

type: long

aws.s3access.object_size

The total size of the object in question.

type: long

aws.s3access.total_time

The number of milliseconds the request was in flight from the server’s perspective.

type: long

aws.s3access.turn_around_time

The number of milliseconds that Amazon S3 spent processing your request.

type: long

aws.s3access.referrer

The value of the HTTP Referrer header, if present.

type: keyword

aws.s3access.user_agent

The value of the HTTP User-Agent header.

type: keyword

aws.s3access.version_id

The version ID in the request, or "-" if the operation does not take a versionId parameter.

type: keyword

aws.s3access.host_id

The x-amz-id-2 or Amazon S3 extended request ID.

type: keyword

aws.s3access.signature_version

The signature version, SigV2 or SigV4, that was used to authenticate the request, or a - for unauthenticated requests.

type: keyword

aws.s3access.cipher_suite

The Secure Sockets Layer (SSL) cipher that was negotiated for an HTTPS request, or a - for HTTP.

type: keyword

aws.s3access.authentication_type

The type of request authentication used: AuthHeader for authentication headers, QueryString for query string (pre-signed URL), or a - for unauthenticated requests.

type: keyword

aws.s3access.host_header

The endpoint used to connect to Amazon S3.

type: keyword

aws.s3access.tls_version

The Transport Layer Security (TLS) version negotiated by the client.

type: keyword