forked from elastic/ecs
log.yml
---
- name: log
  title: Log
  group: 2
  short: Details about the event's logging mechanism.
  description: >
    Details about the event's logging mechanism or logging transport.

    The log.* fields are typically populated with details about the logging
    mechanism used to create and/or transport the event.
    For example, syslog details belong under `log.syslog.*`.

    The details specific to your event source are typically not logged under `log.*`,
    but rather in `event.*` or in other ECS fields.
  type: group
  fields:
    - name: level
      level: core
      type: keyword
      short: Log level of the log event.
      description: >
        Original log level of the log event.

        If the source of the event provides a log level or textual severity,
        this is the one that goes in `log.level`. If your source doesn't specify
        one, you may put your event transport's severity here (e.g. Syslog severity).

        Some examples are `warn`, `err`, `i`, `informational`.
      example: error

    - name: file.path
      level: extended
      type: keyword
      short: Full path to the log file this event came from.
      description: >
        Full path to the log file this event came from, including the file name.
        It should include the drive letter, when appropriate.

        If the event wasn't read from a log file, do not populate this field.
      example: "/var/log/fun-times.log"

    - name: original
      level: core
      type: keyword
      example: "Sep 19 08:26:10 localhost My log"
      index: false
      doc_values: false
      short: Original log message with light interpretation only (encoding, newlines).
      description: >
        This is the original log message and contains the full log message
        before splitting it up in multiple parts.

        In contrast to the `message` field which can contain an extracted part
        of the log message, this field contains the original, full log message.
        It can have already some modifications applied like encoding or new
        lines removed to clean up the log message.

        This field is not indexed and doc_values are disabled so it can't be
        queried but the value can be retrieved from `_source`.

    - name: logger
      level: core
      type: keyword
      example: org.elasticsearch.bootstrap.Bootstrap
      short: Name of the logger.
      description: >
        The name of the logger inside an application. This is usually the name of the class which initialized the logger, or can be a custom name.

    - name: origin.file.name
      level: extended
      type: keyword
      example: Bootstrap.java
      short: The code file which originated the log event.
      description: >
        The name of the file containing the source code which originated the log event.

        Note that this field is not meant to capture the log file.
        The correct field to capture the log file is `log.file.path`.

    - name: origin.file.line
      level: extended
      type: integer
      example: 42
      short: The line number of the file which originated the log event.
      description: >
        The line number of the file containing the source code which originated the log event.

    - name: origin.function
      level: extended
      type: keyword
      example: init
      short: The function which originated the log event.
      description: >
        The name of the function or method which originated the log event.

    - name: syslog
      level: extended
      type: object
      short: Syslog metadata
      description: >
        The Syslog metadata of the event, if the event was transmitted via Syslog.
        Please see RFCs 5424 or 3164.

    - name: syslog.severity.code
      level: extended
      type: long
      example: 3
      short: Syslog numeric severity of the event.
      description: >
        The Syslog numeric severity of the log event, if available.

        If the event source publishing via Syslog provides a different numeric severity
        value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`.

        If the event source does not specify a distinct severity,
        you can optionally copy the Syslog severity to `event.severity`.

    - name: syslog.severity.name
      level: extended
      type: keyword
      example: Error
      short: Syslog text-based severity of the event.
      description: >
        The Syslog text-based severity of the log event, if available.

        If the event source publishing via Syslog provides a different severity
        value (e.g. firewall, IDS), your source's text severity should go to `log.level`.

        If the event source does not specify a distinct severity,
        you can optionally copy the Syslog severity to `log.level`.

    - name: syslog.facility.code
      format: string
      level: extended
      type: long
      example: 23
      short: Syslog numeric facility of the event.
      description: >
        The Syslog numeric facility of the log event, if available.

        According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.

    - name: syslog.facility.name
      level: extended
      type: keyword
      example: local7
      short: Syslog text-based facility of the event.
      description: >
        The Syslog text-based facility of the log event, if available.

    - name: syslog.priority
      format: string
      level: extended
      type: long
      example: 135
      short: Syslog priority of the event.
      description: >
        Syslog numeric priority of the event, if available.

        According to RFCs 5424 and 3164, the priority is 8 * facility + severity.
        This number is therefore expected to contain a value between 0 and 191.
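The `log.syslog.*` definitions above fix the relationship between priority, facility and severity (priority = 8 * facility + severity, facility 0..23, priority 0..191). As an added example that is not part of the ECS repository, the following Python decodes the `<PRI>` header of a raw syslog line into those fields, rejects out-of-range values, and fills `log.level` from the transport severity as the `log.level` description allows; the short facility names are the conventional ones used by common syslog daemons (RFC 5424 only numbers the facilities), and the sample line is constructed.

```python
import re

# Conventional short names for the 24 RFC 5424 facility codes (assumption: names
# as printed by common syslog daemons; the RFC itself only defines the numbers).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6",
              "local7"]
# RFC 5424 severity names, index == numeric severity code.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error", "Warning", "Notice",
              "Informational", "Debug"]
# A syslog line starts with "<PRI>" where PRI is 1..3 decimal digits.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def decode_pri(priority: int) -> dict:
    """Split a syslog PRI into the ECS log.syslog.* fields, enforcing the RFC range."""
    if not 0 <= priority <= 191:  # 8 * 23 + 7 is the largest legal PRI
        raise ValueError(f"syslog priority out of range: {priority}")
    facility, severity = divmod(priority, 8)  # inverse of 8 * facility + severity
    return {
        "priority": priority,
        "facility": {"code": facility, "name": FACILITIES[facility]},
        "severity": {"code": severity, "name": SEVERITIES[severity]},
    }


def to_ecs(raw: str) -> dict:
    """Build the log.* and message parts of an ECS document from one raw syslog line."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> header")
    syslog = decode_pri(int(m.group(1)))
    return {
        "log": {
            # log.original keeps the full, unsplit line (retrievable from _source only).
            "original": raw.rstrip("\n"),
            # The source supplies no textual level, so the transport severity fills log.level.
            "level": syslog["severity"]["name"].lower(),
            "syslog": syslog,
        },
        # message holds the part extracted after the PRI header.
        "message": m.group(2).strip(),
    }


if __name__ == "__main__":
    # Constructed sample: PRI 187 = 8 * 23 (local7) + 3 (Error).
    print(to_ecs("<187>Sep 19 08:26:10 localhost My log"))
```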